[Cryptography] BLAKE2: "Harder, Better, Faster, Stronger" Than MD5
Jerry Leichter
leichter at lrw.com
Mon Mar 24 19:29:57 EDT 2014
On Mar 24, 2014, at 4:36 PM, Bear <bear at sonic.net> wrote:
>> There are plenty of other potential contenders (Blowfish, RC5), though
>> the great grand-daddy appears to be IDEA: Initial patent proposal in
>> 1990, full patent proposal in 1991, no known attacks to date. That
>> puts it at 24 years or so.
>
> http://www.cs.bris.ac.uk/eurocrypt2012/Program/Tues/Rechberger.pdf
>
> Almost true, but not quite completely true anymore. At Eurocrypt
> in 2012, Rechberger published an attack on full IDEA. It
> exploits narrow bicliques in order to get an attack with complexity
> of 2^126.1 against a 128-bit key - a 2-bit break. Not nearly
> enough for practical deployment against a 128-bit key, but it
> demonstrates a tiny chink in the armor.
The same attack (and resulting complexity) is reported for AES - you get about two bits for all of AES-128, 192, and 256. http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf
I found a reference to a paper - http://eprint.iacr.org/2012/011.pdf - applying the biclique attack to a Korean standard algorithm known as ARIA-256. (It gets about 1 bit of advantage with 2^80 chosen plaintexts - hardly a realistic attack right now.)
Who knows, the biclique technique may get broadened into a whole new class of attacks on block ciphers, to add to our toolkit along with differential and linear cryptanalysis and a few lesser-known ones. Or it may prove unable to go beyond the tiny advantages it can get today. It should stand as a warning, though, that new analytic techniques are always "just around the corner".
-- Jerry