[Cryptography] BLAKE2: "Harder, Better, Faster, Stronger" Than MD5

Jerry Leichter leichter at lrw.com
Mon Mar 24 19:29:57 EDT 2014

On Mar 24, 2014, at 4:36 PM, Bear <bear at sonic.net> wrote:
>> There are plenty of other potential contenders (Blowfish, RC5), though
>> the great grand-daddy appears to be IDEA:  Initial patent proposal in
>> 1990, full patent proposal in 1991, no known attacks to date.  That
>> puts it at 24 years or so.
> http://www.cs.bris.ac.uk/eurocrypt2012/Program/Tues/Rechberger.pdf
> Almost true, but not quite completely true anymore.  At Eurocrypt 
> in 2012, Reschberger published  an attack on full IDEA.  It 
> exploits narrow bicliques in order to get an attack with complexity 
> of  2^126.1 against a 128-bit key - a 2-bit break.  Not nearly 
> enough for practical deployment against a 128-bit key, but it
> demonstrates a tiny chink in the armor. 
The same attack (and resulting complexity) is reported for AES - you get about two bits for all of AES-128, 192, and 256.  http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf

I found a reference to a paper - http://eprint.iacr.org/2012/011.pdf - applying the biclique attack to a Korean standard algorithm known as ARIA-256.  (It gets about 1 bit of advantage with 2^80 chosen plaintexts - hardly a realistic attack right now.)

Who knows, the biclique technique may get broadened into a whole new class of attacks on block ciphers, to add to our toolkit along with differential and linear cryptanalysis and a few lesser-known ones.  Or it may prove unable to go beyond the tiny advantages it can get today.  It should stand as a warning, though, that new analytic techniques are always "just around the corner".

                                                        -- Jerry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140324/72f6cb63/attachment.bin>

More information about the cryptography mailing list