On Oct 3, 2013, at 10:09 AM, Brian Gladman <b...@gladman.plus.com> wrote:
>> Leaving aside the question of whether anyone "weakened" it, is it
>> true that AES-256 provides comparable security to AES-128?
>
> I may be wrong about this, but if you are talking about the theoretical
> strength of AES-256, then I am not aware of any attacks against it that
> come even remotely close to reducing its effective key length to 128
> bits. So my answer would be 'no'.
There are *related key* attacks against full AES-192 and AES-256 with
complexity 2^119. http://eprint.iacr.org/2009/374 reports on improved
versions of these attacks against *reduced round variants" of AES-256; for a
10-round variant of AES-256 (the same number of rounds as AES-128), the attacks
have complexity 2^45 (under a "strong related sub-key" attack).
None of these attacks gain any advantage when applied to AES-128.
As *practical attacks today*, these are of no interest - related key attacks
only apply in rather unrealistic scenarios, even a 2^119 strength is way beyond
any realistic attack, and no one would use a reduced-round version of AES-256.
As a *theoretical checkpoint on the strength of AES* ... the abstract says the
results "raise[s] serious concern about the remaining safety margin offered by
the AES family of cryptosystems".
The contact author on this paper, BTW, is Adi Shamir.
> But, having said that, I consider the use of AES-256 in place of AES-128
> to be driven more by marketing hype than by reality. The theoreticaal
> strength of modern cryptographic algorithms is the least of our worries
> in producing practical secure systems.
100% agreement.
-- Jerry
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
