[Ach] AES

David Durvaux david.durvaux at gmail.com
Wed Dec 4 13:18:21 CET 2013

Dear All,

I asked Vincent Rijmen and Joan Daemen.  They both agree.  Here is the

-----Original Message-----

Now, to your questions. The attacks on AES are all quite academic in
nature. They start from certain assumptions on what an attacker can do
easily, and then show that the security of AES is for example not 128 bits,
but only 127, under this assumption. In many other fields of science and
technology, people always write positively (e.g.: this car is so safe that
it keeps you unhurt up to the speed of 100 km/h, and this for all types of
accident that we could think of), but in cryptology we tend to write
negatively (e.g.: if you drive 101 km/h, then this car doesn't guarantee
your safety). We never say "secure" but always say "attack".

Anyway, if your assumption is that an attacker can force you to use secret
keys with a certain mathematical relation between them, then AES256 is
weaker than AES128. That's the result that Bruce Schneier was writing
about. It is still unclear whether under this assumption on the power of an
attacker, it is theoretically possible to make secure ciphers at all.

Furthermore, if an attacker has this power, then perhaps it's easier for
him to force you to use secret keys starting with 100 zeroes.

As far as anyone can tell, these academic attacks have no impact on any
practical situation. Of course you should never say never, but there is at
the moment no encryption method that gives you better guarantees than AES.

The recommendation by ENISA was co-authored by me. The report mentions the
existing academic work on AES. The report also clearly recommends to
continue using AES (all versions).

On the choice between AES256 and AES128: I would never consider using
AES256, just like I don't wear a helmet when I sit inside my car. It's too
much bother for the epsilon improvement in security.

Finally, for the assistance with the writing of the guide, I would
recommend to contact the people of IAIK in Graz.

Best greetings,


2013/11/27 Adi Kriegisch <adi at kriegisch.at>

> Hi!
> > To follow the discussion of yesterday per Skype.
> > Can we group all AES questions together?
> >
> > I will ask a specialist for answers.
> Great! Thank you very much!
> The ENISA paper mentions some attacks against AES128 and AES192/256 (pages
> 21-23). In what way do they affect the use of AES in SSL/TLS? Are those
> attacks possible? Is AES128 more secure than AES256 and if so, by what
> margin?
> -- Adi
> Version: GnuPG v1.4.6 (GNU/Linux)
> wnlVKLAg9cnYnpQUqpW5qTBsTSk+6F4WTGiV8Z9eLrKpLAbVbYCu37rckKjw2SwA
> ohdagBUHWySq7mprztT9z4jBwpFskSz/G+PUS6yWKKj1YfXMgjs5yoKjZUg9q0OK
> p+aJeG4JCpk4XuLuZDmatGpa6uN2hmAUKZIjrywoqUz8TtzUMVw6GFuryt/+v1Y7
> fuaooE5xCuBrUfezwX56Y7ns7MgoNby71fTee50r9BQ2uCv8H0FnBpeKpi4PNr1g
> fdPR0ScxSS7wh0aFyu4yvEATL0U33ag6aa5/xVhIDbojNkWD4vGNJQksnqbj3fIp
> brwZqOl5z4g6DfQm7xhhwvZUOW5VeElfPFYMqfGxySMRqJi2PQvA37tg4CV64doo
> kLaurgZo1DoV74oST+ix6cG9om30FAlEtzH//lSWgQc3jnsXowgn0OD8fT7bjLoP
> HgN/uacgz7cxRMs96xg5N6tSU5BFwz3t8tP6HwAES2uvNiISYQVqaX3HycIpWSgN
> fSRFyD11KbiXlrOS6rlv+vuah7R1kj+BzHuhY1KADWFEE/imLm/tPl2bc8yYzgcI
> EGhTcYWJEag=
> =vuZa
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20131204/f5fdb823/attachment.html>

More information about the Ach mailing list