On Oct 3, 2013, at 10:09 AM, Brian Gladman <b...@gladman.plus.com> wrote:
>> Leaving aside the question of whether anyone "weakened" it, is it
>> true that AES-256 provides comparable security to AES-128?
>
> I may be wrong about this, but if you are talking about the theoretical
> strength of AES-256, then I am not aware of any attacks against it that
> come even remotely close to reducing its effective key length to 128
> bits. So my answer would be 'no'.

There are *related key* attacks against full AES-192 and AES-256 with complexity 2^119. http://eprint.iacr.org/2009/374 reports on improved versions of these attacks against *reduced round variants* of AES-256; for a 10-round variant of AES-256 (the same number of rounds as AES-128), the attacks have complexity 2^45 (under a "strong related sub-key" attack).
None of these attacks gain any advantage when applied to AES-128.

As *practical attacks today*, these are of no interest - related key attacks only apply in rather unrealistic scenarios, even a 2^119 strength is way beyond any realistic attack, and no one would use a reduced-round version of AES-256. As a *theoretical checkpoint on the strength of AES* ... the abstract says the results "raise[s] serious concern about the remaining safety margin offered by the AES family of cryptosystems". The contact author on this paper, BTW, is Adi Shamir.

> But, having said that, I consider the use of AES-256 in place of AES-128
> to be driven more by marketing hype than by reality. The theoretical
> strength of modern cryptographic algorithms is the least of our worries
> in producing practical secure systems.

100% agreement.
                                                        -- Jerry

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
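An added illustration of the two structural facts the message leans on (this is editor-supplied example code, not from Jerry's message, from Brian Gladman, or from the eprint paper; the function names and the "flip key byte 12" experiment are my own choices). The code implements the FIPS-197 key expansion for all three key sizes, so the 10/12/14 round counts fall out of the key length, and then runs the simplest possible related-key experiment: expand a key and a second key that differs from it by one chosen byte, and count how many words of each round key changed. With the difference placed in word w3 (key byte 12), AES-128 spreads it into all four words of round key 1, while in AES-256 the difference is absent from round key 1 entirely and touches only one word of round key 2 before spreading. That slow, structured propagation through the AES-256 key schedule is the property the related-key attacks exploit; the code does not reproduce the attacks themselves or their 2^119 / 2^45 figures. The S-box is computed from the GF(2^8) inverse and affine map rather than typed in, and the sample keys are the FIPS-197 Appendix A.1 and A.3 example keys.

```python
"""AES key expansion (FIPS-197, section 5.2) for 128/192/256-bit keys, plus a
small related-key experiment on the key schedule.

Added example for this thread; not code from the original message or from
the cited paper.  Function names are my own.  The S-box is derived
algebraically (GF(2^8) inverse, then the FIPS affine map), not typed in."""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def _xtime(a: int) -> int:
    """Multiply a by x in GF(2^8)."""
    a <<= 1
    return (a ^ AES_POLY) & 0xFF if a & 0x100 else a


def _gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254; 0 maps to 0, as the S-box requires."""
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r


def _rotl8(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF


def build_sbox() -> list:
    """FIPS-197 S-box: inverse in GF(2^8) followed by the affine transform."""
    box = []
    for a in range(256):
        b = _gf_inv(a)
        box.append(b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63)
    return box


SBOX = build_sbox()


def _sub_word(w: int) -> int:
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")


def _rot_word(w: int) -> int:
    return ((w << 8) & 0xFFFFFFFF) | (w >> 24)


def key_expansion(key: bytes) -> list:
    """Return the 4*(Nr+1) expanded key words (32-bit ints) for a 16/24/32-byte key."""
    nk = len(key) // 4
    if len(key) % 4 or nk not in (4, 6, 8):
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    nr = nk + 6  # 10, 12 or 14 rounds, fixed by the key length
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rcon = 0x01
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:
            t = _sub_word(_rot_word(t)) ^ (rcon << 24)
            rcon = _xtime(rcon)
        elif nk == 8 and i % nk == 4:
            t = _sub_word(t)  # the extra SubWord step only AES-256 has
        w.append(w[i - nk] ^ t)
    return w


def round_keys(key: bytes) -> list:
    """Group the expanded words into Nr+1 round keys of four words each."""
    w = key_expansion(key)
    return [w[4 * r:4 * r + 4] for r in range(len(w) // 4)]


def related_key_word_diffs(key: bytes, byte_index: int, delta: int = 0x01) -> list:
    """XOR `delta` into one key byte, expand both keys, and report for each
    round key how many of its four words changed.  Two keys with a chosen
    difference between them is the related-key setting discussed above."""
    key2 = bytearray(key)
    key2[byte_index] ^= delta
    rk_a, rk_b = round_keys(key), round_keys(bytes(key2))
    return [sum(1 for x, y in zip(a, b) if x != y) for a, b in zip(rk_a, rk_b)]


# FIPS-197 Appendix A.1 and A.3 example keys (public test vectors).
KEY_128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY_256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                        "1f352c073b6108d72d9810a30914dff4")

if __name__ == "__main__":
    for k in (KEY_128, KEY_256):
        print(f"AES-{8 * len(k)}: {len(round_keys(k)) - 1} rounds; "
              f"words changed per round key after flipping key byte 12: "
              f"{related_key_word_diffs(k, 12)}")
```

Running it prints 10 rounds for the 128-bit key and 14 for the 256-bit key. The per-round counts start [1, 4, ...] for AES-128 and [1, 0, 1, 4, 4, ...] for AES-256; those prefixes are forced by the schedule structure for any single-byte difference in w3 (later rounds depend on the actual key bytes). Note the 0: round key 1 of AES-256 is simply the untouched second half of the key, so the difference is invisible there and re-enters through w11 = w3 ^ w10 only at round key 2.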