[Cryptography] AES-256- More NIST-y? paranoia

Ray Dillinger bear at sonic.net
Fri Oct 4 12:20:22 EDT 2013


On 10/03/2013 06:59 PM, Watson Ladd wrote:
> On Thu, Oct 3, 2013 at 3:25 PM,<leichter at lrw.com>  wrote:
>
>> On Oct 3, 2013, at 12:21 PM, Jerry Leichter<leichter at lrw.com>  wrote:
>>> As *practical attacks today*, these are of no interest - related key
>>> attacks only apply in rather unrealistic scenarios, even a 2^119 strength
>>> is way beyond any realistic attack, and no one would use a reduced-round
>>> version of AES-256.
>>
>> Expanding a bit on what I said:  Ideally, you'd like a cryptographic
>> algorithm let you build a pair of black boxes.  I put my data and a key
>> into my black box, send you the output; you put the received data and the
>> same key (or a paired key) into your black box; and out comes the data I
>> sent you, fully secure and authenticated.  Unfortunately, we have no clue
>> how to build such black boxes.  Even if the black boxes implement just the
>> secrecy transformation for a stream of blocks (i.e., they are symmetric
>> block ciphers), if there's a related key attack, I'm in danger if I haven't
>> chosen my keys carefully enough.

So, it seems that instead of AES256(key) the cipher in practice should be
AES256(SHA256(key)).

Is it not the case that (assuming SHA256 is not broken) this defines a cipher
effectively immune to the related-key attack?

				Bear
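An added illustration of the proposal above, not code from the thread or from any of its participants: a key-hashing front end of the kind Bear describes (AES-256 keyed with SHA256(key)) together with a check of what it does to the key relation a related-key attacker relies on. Only the key-derivation step is shown; the block cipher behind it is left out, since the point is entirely about the keys. The function names, the seeded random keys and the one-bit key differences are constructed for the example.

```python
"""Key hashing in front of AES-256, as proposed in the post: the cipher
sees SHA256(key) rather than key. Added example, standard library only;
no AES call is made, only the key-derivation step is demonstrated."""
import hashlib
import random

KEY_BYTES = 32  # AES-256 takes a 256-bit key; SHA-256 yields exactly that


def derive_key(user_key: bytes) -> bytes:
    """The step from the post: the key handed to AES-256 is SHA256(key).
    Any length of user key maps to a 32-byte cipher key."""
    return hashlib.sha256(user_key).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions in which a and b differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def related_key_pair(key: bytes, delta: bytes) -> dict:
    """A related-key attacker obtains encryptions under K and K ^ delta for
    a delta of their choosing. With hashing in front, the cipher keys are
    SHA256(K) and SHA256(K ^ delta): their difference is no longer delta
    and the attacker has no way to steer it."""
    k1 = derive_key(key)
    k2 = derive_key(xor_bytes(key, delta))
    return {
        "chosen_difference": delta,
        "derived_difference": xor_bytes(k1, k2),
        "derived_difference_bits": hamming(k1, k2),
    }


def mean_derived_distance(trials: int = 500, seed: int = 1) -> float:
    """Average Hamming distance between the derived keys of random key pairs
    that differ in a single bit (the attacker's most favourable relation).
    Two independent 256-bit keys differ in 128 bits on average; hashed
    related keys behave the same way."""
    rng = random.Random(seed)  # seeded so the figure is reproducible (constructed input)
    total = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))
        bit = rng.randrange(KEY_BYTES * 8)
        delta = bytearray(KEY_BYTES)
        delta[bit // 8] = 1 << (bit % 8)
        total += related_key_pair(key, bytes(delta))["derived_difference_bits"]
    return total / trials


if __name__ == "__main__":
    demo = related_key_pair(b"\x00" * KEY_BYTES, b"\x01" + b"\x00" * (KEY_BYTES - 1))
    print("chosen key difference :", demo["chosen_difference"].hex())
    print("derived key difference:", demo["derived_difference"].hex())
    print("bits differing after hashing:", demo["derived_difference_bits"])
    print("mean over 500 one-bit-related pairs:", mean_derived_distance())
```

What this shows is the mechanism, not a proof: hashing removes the attacker's control over the relation between cipher keys, which is the precondition of a related-key attack. It adds no entropy, so a guessable key stays guessable after hashing, and for human-chosen secrets a deliberately slow key-derivation function would be used instead of a single SHA-256 call.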
