<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Nov 12, 2013 at 2:15 PM, David Durvaux <span dir="ltr"><<a href="mailto:david.durvaux@autopsit.org" target="_blank">david.durvaux@autopsit.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">[...]<br>
<div><br></div><div><br></div><div>I would like to discuss briefly the AES key length. I found back this reference on Bruce Schneier blog: <a href="https://www.schneier.com/blog/archives/2009/07/another_new_aes.html" target="_blank">https://www.schneier.com/blog/archives/2009/07/another_new_aes.html</a>. It's from 2009 (so, what's the latest status on this?) but basically state that some attack where only affecting AES258 and broke up to 11 of the 14 rounds. AES256 is still safe but MAYBE that the key size in that particular example COULD BE counter effective. As say in french "avec des si on met Paris en bouteille" ("With IF, you put Paris in a bottle"), there a a lot of conditions and open questions but maybe something we need to keep in mind.</div>
<div><br></div></div></blockquote><div><br></div><div><br></div><div>The main idea behind this is that when doing crypto, basically everything that's faster than brute-force is considered a more or less "sucessful" attack, so the longer the key the more leeway there is of still being 2better than brute-force", while still being computationally infeasible. </div>
<div><br></div><div>Due to the Key-Schedule in AES (which was optimised for the 128-Bit version), the 256-bit variant is in fact easier to break than the 128-bit version using related-key attacks (but still practically infeasible with a complexity of around 2^100).</div>
<div>But it doesnt't look like any variant of AES is currently even close to being broken. [1]</div><div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div></div><div><br></div><div><br></div><div>As an extra reference, the Hanbook of Applied Cryptography (<a href="http://cacr.uwaterloo.ca/hac/" target="_blank">http://cacr.uwaterloo.ca/hac/</a>) which is freely available was (still the case) considered as an excellent reference during my studies (finished 6 years ago :'().</div>
<div><br></div><div><br></div></div></blockquote><div><br></div><div><br></div><div>Basically it still is for the underlying mathematics, some of the recommendations regarding key-sizes or algorithms are of course a little outdated by now...</div>
<div><br></div><div><br></div><div>Best regards</div><div>Manuel </div><div><br></div><div><br></div><div>[1] <a href="http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf">http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf</a> <br>
</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div></div></div>_______________________________________________<br>
Ach mailing list<br>
<a href="mailto:Ach@lists.cert.at">Ach@lists.cert.at</a><br>
<a href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach" target="_blank">http://lists.cert.at/cgi-bin/mailman/listinfo/ach</a><br>
<br></blockquote></div><br></div></div>