[Cryptography] AES state of the art...
Perry E. Metzger
perry at piermont.com
Mon Sep 9 18:09:40 EDT 2013
On Mon, 9 Sep 2013 14:18:41 +0300 Alexander Klimov
<alserkli at inbox.ru> wrote:
> On Sun, 8 Sep 2013, Perry E. Metzger wrote:
> > What's the current state of the art of attacks against AES? Is the
> > advice that AES-128 is (slightly) more secure than AES-256, at
> > least in theory, still current?
>
> I am not sure what is the exact attack you are talking about, but I
> guess you misunderstood the result that says: "the attack works
> against AES-256, but not against AES-128" as meaning that AES-128
> is more secure. It can be the case that to break AES-128 the attack
> needs 2^240 time, while to break AES-256 it needs 2^250 time. Here
> AES-128 is not technically broken, since 2^240 > 2^128, but AES-256
> is broken, since 2^250 < 2^256, OTOH, AES-256 is still more secure
> against the attack.
>
There is a related key attack against AES-256 that breaks it in order
2^99.5, far worse than 2^250!
However, several people seem to have assured me (in private email)
that they think such related key attacks are not important in
practice.
Perry
--
Perry E. Metzger perry at piermont.com
More information about the cryptography
mailing list