[Cryptography] AES state of the art...

Perry E. Metzger perry at piermont.com
Mon Sep 9 18:09:40 EDT 2013

On Mon, 9 Sep 2013 14:18:41 +0300 Alexander Klimov
<alserkli at inbox.ru> wrote:
> On Sun, 8 Sep 2013, Perry E. Metzger wrote:
> > What's the current state of the art of attacks against AES? Is the
> > advice that AES-128 is (slightly) more secure than AES-256, at
> > least in theory, still current?
> I am not sure what is the exact attack you are talking about, but I 
> guess you misunderstood the result that says: "the attack works 
> against AES-256, but not against AES-128" as meaning that AES-128
> is more secure. It can be the case that to break AES-128 the attack
> needs 2^240 time, while to break AES-256 it needs 2^250 time. Here
> AES-128 is not technically broken, since 2^240 > 2^128, but AES-256
> is broken, since 2^250 < 2^256, OTOH, AES-256 is still more secure
> against the attack.

There is a related key attack against AES-256 that breaks it in order
2^99.5, far worse than 2^250!

However, several people seem to have assured me (in private email)
that they think such related key attacks are not important in

Perry E. Metzger		perry at piermont.com

More information about the cryptography mailing list