Re: The AES 256 2^119 attack
- From: Tom St Denis <tom@xxxxxxx>
- Date: Fri, 17 Jul 2009 19:04:02 -0700 (PDT)
On Jul 17, 2:06 pm, Jean-Marc Desperrier <jmd...@xxxxxxxxxxxxx> wrote:
> Hi,
>
> Until now, I really couldn't understand how the AES attack could be more
> effective for AES 256 than for AES 128.
>
> There's a comment on Schneier blog that starts to offer an explanation:
>
> > AES-192 & 256 are 'intentionally' weakened in the key expansion
> > phase... The original Rijndael versions use 192-bit and 256 bit
> > block sizes (a 192b key MATCHes with a 192b block & the 256b
> > key MATCHes with a 256b block)
>
> So the trouble is that AES 128's key size matches its block size, so
> there's no adaptation to do, but for AES 192 and 256 there's an
> adaptation needed to use a 192/256 key with a 128 bits block size, and
> that's the part that's broken?

No, what is broken is the key schedule. A stronger schedule would fix
this problem.

In reality it's not much of a problem because it requires 2^61 chosen
plaintexts to be encrypted by a victim. Even if you could get
unfettered chosen texts, 2^61 of them is hard to come by. And that's
even if you could at all to start with.

What this means is you can't use AES-192/256 in a hash construction,
which is fine because you'd use AES-128 anyways to get a 1:1 ratio.

Tom