Comments: What-the-heck happened to AES-256?

Uhh, I think you've missed a key point. The new attack is a related-key attack. Related-key attacks are not relevant to most uses of AES. They're basically relevant only to: (a) people who use a block cipher improperly, (b) people who try to build a hash function out of a block cipher. (a) is poor practice anyway. So the main practical import of the new paper, in my opinion, is that AES is not a good basis for a hash function. But the smart money already suspected that: people have been talking about how the AES key schedule is not the strongest part of the cipher since, oh, it was introduced.

It is NOT the case that AES-256 is only as good as a cipher with a 119-bit key. That's just not true.

And it is NOT the case that all it takes to break AES-256 is 2^119 steps of computation and 2^119 space. That's just not true, either. (You need the ability to mount related-key chosen-plaintext queries, which most well-designed systems do not permit.)

I think the practical import of this attack is much less than has been widely reported.

Posted by David Wagner at September 6, 2009 11:54 PM
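The comment above turns on one question: can an attacker obtain encryptions under keys that stand in a known relation (K and K XOR delta for a delta the attacker knows)? Whether that is possible is decided by how a system derives its keys, not by the cipher. The following is an added example, not code from the blog or from either commenter: a hypothetical "naive" key diversification scheme (subkey i = master XOR i, constructed here purely for illustration and not describing any real protocol) beside derivation through HKDF (RFC 5869, implemented with the Python standard library). A checker then shows that the naive scheme's subkey relations are public, identical for every master key, while the HKDF subkeys have no relation an attacker could know in advance. Case (b) in the comment, a hash built from a block cipher, is the extreme form of the same problem: the message block occupies the key input, so the attacker chooses the keys directly.

```python
"""Added example: key hierarchies decide whether related keys exist.
All keys below are constructed at random for the demonstration."""
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def naive_subkeys(master: bytes, n: int) -> list:
    """Hypothetical bad design (not a real protocol): subkey i is the master
    with its last byte XORed with i. Every pair of subkeys differs by a
    constant that does not depend on the master at all."""
    return [master[:-1] + bytes([master[-1] ^ i]) for i in range(n)]


def hkdf_subkeys(master: bytes, n: int, salt: bytes = b"") -> list:
    """Subkey i = HKDF(master, info="subkey-i"). Each subkey is a fresh
    pseudorandom value; no arithmetic relation links them."""
    prk = hkdf_extract(salt, master)
    return [hkdf_expand(prk, b"subkey-" + str(i).encode(), 32) for i in range(n)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def subkey_relations(keys: list) -> list:
    """The XOR difference between subkey 0 and each other subkey. A related-key
    attacker needs exactly these values to be known in advance."""
    return [xor_bytes(keys[0], k) for k in keys[1:]]


def relations_independent_of_master(derive, n: int = 4, trials: int = 8) -> bool:
    """True when the subkey relations come out identical for every random
    master, i.e. an attacker knows them without knowing the master."""
    seen = set()
    for _ in range(trials):
        master = os.urandom(32)  # constructed random master key
        seen.add(tuple(subkey_relations(derive(master, n))))
    return len(seen) == 1


if __name__ == "__main__":
    print("naive scheme: relations public?", relations_independent_of_master(naive_subkeys))
    print("HKDF scheme:  relations public?", relations_independent_of_master(hkdf_subkeys))
```

The naive scheme reports True: whatever the master, subkey 1 is always subkey 0 with its last byte flipped in bit 0, so a system that encrypts under all of its subkeys is handing out related-key queries for free. The HKDF scheme reports False, which is the property a protocol designer wants before a related-key result against the cipher can be dismissed as irrelevant.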

David:

True, it must have been emphasized that we are looking at a related-key attack scenario. But look at WPA's key packing...

Posted by Daniel Nagy at September 20, 2009 04:38 AM