> "The weakness was discovered when we looked at AES as a hash function,
> and tried to find weaknesses that are specific for hash functions. We
> think that most cryptographers used only blockcipher-oriented
> techniques, against which AES was well protected by the designers."
>
All this quote says, I think, is that they approached the algorithm using attacks normally applied against hash functions, while cryptanalysts used attacks normally applied against block ciphers.

> So as a hash, birthday paradox applies, and 2^119 should be compared to
> 2^128. (I guess.)

The attack is clearly to recover a key used for AES-256 and not to find collisions. Since this is supposedly the first known attack against full AES-256 (other than brute-force search), they would be comparing to 2^256. 2^119 should be the worst-case complexity, even though the authors do not say so. AFAIK, the convention in theory papers is to report worst-case time complexity unless stated otherwise. This paper is currently submitted to a conference and not yet published. We'll see if the theory community verifies the authors' statements :)
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto