On 10/03/2013 06:59 PM, Watson Ladd wrote:
On Thu, Oct 3, 2013 at 3:25 PM,<leich...@lrw.com> wrote:
On Oct 3, 2013, at 12:21 PM, Jerry Leichter<leich...@lrw.com> wrote:
As *practical attacks today*, these are of no interest - related key
attacks only apply in rather unrealistic scenarios, even a 2^119 strength
is way beyond any realistic attack, and no one would use a reduced-round
version of AES-256.
>>
Expanding a bit on what I said: Ideally, you'd like a cryptographic
algorithm let you build a pair of black boxes. I put my data and a key
into my black box, send you the output; you put the received data and the
same key (or a paired key) into your black box; and out comes the data I
sent you, fully secure and authenticated. Unfortunately, we have no clue
how to build such black boxes. Even if the black boxes implement just the
secrecy transformation for a stream of blocks (i.e., they are symmetric
block ciphers), if there's a related key attack, I'm in danger if I haven't
chosen my keys carefully enough.
So, it seems that instead of AES256(key) the cipher in practice should be
AES256(SHA256(key)).
Is it not the case that (assuming SHA256 is not broken) this defines a cipher
effectively immune to the related-key attack?
Bear
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
