On 9/7/09 17:33, Peter Djalaliev wrote:
> AFAIK, 2^119 is the worst-time complexity of the attack.  Breaking a
> 256-bit key through a brute-force attack takes 2^256 operations in the
> worst case.  The 'X/2' you are talking about is the average case,
> right?  We are not looking for collisions here, so the birthday paradox
> doesn't apply...


Yeah, I wondered about that too. So I skimmed their paper just now (no clues, just crypto bla bla) and found their faq:

https://cryptolux.org/FAQ_on_the_attacks

"The weakness was discovered when we looked at AES as a hash function, and tried to find weaknesses that are specific for hash functions. We think that most cryptographers used only blockcipher-oriented techniques, against which AES was well protected by the designers."

So as a hash, birthday paradox applies, and 2^119 should be compared to 2^128. (I guess.)

Although they say careful things like the above, they are (typical of all cryptographers and all techies and all professions and also all children and all grandmamas and all ...) not being too careful to reduce the size and scope of the marketing around their product. They are not explaining very carefully how to interpret these numbers. They are allowing us to be hyper-impressed, potentially by making a mistake.

In order to gain the maximum press, of course. This is their career, and no cryptographer will call them on it, because they all play the same game, because funding comes from publicity.

The attack is still notable for cryptographic reasons.

iang
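As an added illustration (not part of the thread), the two ways of reading a "2^119" figure that the messages above disagree on: against exhaustive key search (2^256 worst case, 2^255 on average) or against the birthday bound of a 256-bit state used as a hash (2^128). The small collision search at the end uses a truncated SHA-256 as a stand-in n-bit hash (constructed for the demo) to show empirically why collision work scales as 2^(n/2).

```python
"""Added example: interpreting an attack cost of 2^119 on AES-256."""
import hashlib
import math
from typing import Dict, Optional


def work_factor_bits(key_bits: int, attack_bits: int) -> Dict[str, float]:
    """log2 of the generic baselines and how far the attack beats each.

    key_bits:    key/state width (256 for AES-256)
    attack_bits: log2 of the claimed attack cost (119 in the thread)
    """
    return {
        # Key recovery: every key is 2^key_bits, half that on average.
        "brute_force_worst": float(key_bits),
        "brute_force_average": float(key_bits) - 1.0,
        "gain_vs_brute_force": float(key_bits) - attack_bits,
        # Hash-style collision on a key_bits-wide state: birthday 2^(n/2).
        "birthday_bound": key_bits / 2.0,
        "gain_vs_birthday": key_bits / 2.0 - attack_bits,
    }


def _truncated_digest(counter: int, out_bits: int) -> int:
    """Toy n-bit hash (constructed): SHA-256 of a counter, truncated."""
    d = hashlib.sha256(counter.to_bytes(8, "big")).digest()
    return int.from_bytes(d, "big") >> (256 - out_bits)


def first_collision(out_bits: int) -> Optional[int]:
    """Evaluations until two distinct inputs share an out_bits digest.

    Expected count for an ideal hash is sqrt(pi/2 * 2^out_bits), i.e.
    about 2^(out_bits/2), whereas finding a preimage/key takes 2^out_bits.
    """
    seen: Dict[int, int] = {}
    for i in range(2 ** out_bits + 1):  # pigeonhole: must collide by here
        h = _truncated_digest(i, out_bits)
        if h in seen:
            return i + 1
        seen[h] = i
    return None


def birthday_expectation(out_bits: int) -> float:
    """Expected evaluations before a collision for an ideal out_bits hash."""
    return math.sqrt(math.pi / 2 * 2 ** out_bits)


if __name__ == "__main__":
    print(work_factor_bits(256, 119))
    print(first_collision(20), round(birthday_expectation(20)))
```

Run as-is it prints a 137-bit gain over brute force but only a 9-bit gain over the 2^128 birthday bound, and a 20-bit collision found after roughly 1300 evaluations rather than a million.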
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto