[Cryptography] BLAKE2: "Harder, Better, Faster, Stronger" Than MD5
Russell L. Carter
rcarter at pinyon.org
Mon Mar 24 23:02:57 EDT 2014
On Mar 24, 2014, at 4:36 PM, Bear <bear at sonic.net> wrote:
>> There are plenty of other potential contenders (Blowfish, RC5), though
>> the great grand-daddy appears to be IDEA: Initial patent proposal in
>> 1990, full patent proposal in 1991, no known attacks to date. That
>> puts it at 24 years or so.
>
> http://www.cs.bris.ac.uk/eurocrypt2012/Program/Tues/Rechberger.pdf
>
> Almost true, but not quite completely true anymore. At Eurocrypt
> in 2012, Rechberger published an attack on full IDEA. It
> exploits narrow bicliques in order to get an attack with complexity
> of 2^126.1 against a 128-bit key - a 2-bit break. Not nearly
> enough for practical deployment against a 128-bit key, but it
> demonstrates a tiny chink in the armor.
The same attack (and resulting complexity) is reported for AES - you get
about two bits for all of AES-128, 192, and 256.
http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf
I found a reference to a paper - http://eprint.iacr.org/2012/011.pdf -
applying the biclique attack to a Korean standard algorithm known as
ARIA-256. (It gets about 1 bit of advantage with 2^80 chosen plaintexts
- hardly a realistic attack right now.)
Who knows, the biclique technique may get broadened into a whole new
class of attacks on block ciphers, to add to our toolkit along with
differential and linear cryptanalysis and a few lesser-known ones. Or
it may prove unable to go beyond the tiny advantages it can get today.
It should stand as a warning, though, that new analytic techniques are
always "just around the corner".
-- Jerry
_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography