On 8/7/09 19:52, Eddy Nigg wrote:
> On 07/08/2009 08:35 PM, Paul Hoffman:
>> At 8:08 PM +0300 7/8/09, Eddy Nigg wrote:
>>> Funny that today it's better to use AES-128.
>> Why do you say that? It's the opposite of what the people who wrote
>> the paper say.
>
> I've not read it today, but IIRC AES-128 remained 2^128 because the
> attack doesn't work on AES-128?


Although I haven't read it at all, normally what happens is that the strength of an algorithm of X bits is X/2. So the strength of AES 256 is 128, and this attack suggests they can drop it down 9 bits to 119. For cryptographers that is a significant issue, but for the rest of us, not, because AES was built with substantial surplus.

(Alternatively, if it was 256 -> 119, then that would cause a revolution in affairs. But I feel we can rule that out simply by observing the lack of panic in the cryptographic community.)

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
