<div dir="ltr">Dear All,<div><br></div><div>I asked Vincent Rijmen and Joan Daemen. They both agree. Here is the answer:</div><div>
<p>-----Original Message-----</p>
<p>Now, to your questions. The attacks on AES are all quite academic in nature. They start from certain assumptions on what an attacker can do easily, and then show that the security of AES is for example not 128 bits, but only 127, under this assumption. In many other fields of science and technology, people always write positively (e.g.: this car is so safe that it keeps you unhurt up to the speed of 100 km/h, and this for all types of accident that we could think of), but in cryptology we tend to write negatively (e.g.: if you drive 101 km/h, then this car doesn't guarantee your safety). We never say "secure" but always say "attack". <br>
</p>
<p><br></p>
<p>Anyway, if your assumption is that an attacker can force you to use secret keys with a certain mathematical relation between them, then AES256 is weaker than AES128. That's the result that Bruce Schneier was writing about. It is still unclear whether under this assumption on the power of an attacker, it is theoretically possible to make secure ciphers at all.</p>
<p>Furthermore, if an attacker has this power, then perhaps it's easier for him to force you to use secret keys starting with 100 zeroes.</p>
<p>As far as anyone can tell, these academic attacks have no impact on any practical situation. Of course you should never say never, but there is at the moment no encryption method that gives you better guarantees than AES.</p>
<p><br></p>
<p>The recommendation by ENISA was co-authored by me. The report mentions the existing academic work on AES. The report also clearly recommends to continue using AES (all versions).</p>
<p><br></p>
<p>On the choice between AES256 and AES128: I would never consider using AES256, just like I don't wear a helmet when I sit inside my car. It's too much bother for the epsilon improvement in security.</p>
<p><br></p>
<p>Finally, for the assistance with the writing of the guide, I would recommend to contact the people of IAIK in Graz.</p>
<p><br></p>
<p>Best greetings,</p>
<p>Vincent</p></div><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/11/27 Adi Kriegisch <span dir="ltr"><<a href="mailto:adi@kriegisch.at" target="_blank">adi@kriegisch.at</a>></span><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi!<br>
<div><br>
> To follow the discussion of yesterday per Skype.<br>
> Can we group all AES questions together?<br>
><br>
> I will ask a specialist for answers.<br>
</div>Great! Thank you very much!<br>
<br>
The ENISA paper mentions some attacks against AES128 and AES192/256 (pages<br>
21-23). In what way do they affect the use of AES in SSL/TLS? Are those<br>
attacks possible? Is AES128 more secure than AES256 and if so, by what margin?<br>
<span><font color="#888888"><br>
-- Adi<br>
</font></span><br>-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.6 (GNU/Linux)<br>
<br>
iQIVAwUBUpYXN3REfA6phVy/AQJ55BAAhIAFELi3TUQTdLNSXPFlynblw6ZdMGCD<br>
wnlVKLAg9cnYnpQUqpW5qTBsTSk+6F4WTGiV8Z9eLrKpLAbVbYCu37rckKjw2SwA<br>
ohdagBUHWySq7mprztT9z4jBwpFskSz/G+PUS6yWKKj1YfXMgjs5yoKjZUg9q0OK<br>
p+aJeG4JCpk4XuLuZDmatGpa6uN2hmAUKZIjrywoqUz8TtzUMVw6GFuryt/+v1Y7<br>
fuaooE5xCuBrUfezwX56Y7ns7MgoNby71fTee50r9BQ2uCv8H0FnBpeKpi4PNr1g<br>
fdPR0ScxSS7wh0aFyu4yvEATL0U33ag6aa5/xVhIDbojNkWD4vGNJQksnqbj3fIp<br>
brwZqOl5z4g6DfQm7xhhwvZUOW5VeElfPFYMqfGxySMRqJi2PQvA37tg4CV64doo<br>
kLaurgZo1DoV74oST+ix6cG9om30FAlEtzH//lSWgQc3jnsXowgn0OD8fT7bjLoP<br>
hvJkS0F7KL7aMMsiXe63qIMUZSm4FUNq3WZsOo+D8t0VCDXXANMm5uSNguLGFYL/<br>
HgN/uacgz7cxRMs96xg5N6tSU5BFwz3t8tP6HwAES2uvNiISYQVqaX3HycIpWSgN<br>
fSRFyD11KbiXlrOS6rlv+vuah7R1kj+BzHuhY1KADWFEE/imLm/tPl2bc8yYzgcI<br>
EGhTcYWJEag=<br>
=vuZa<br>
-----END PGP SIGNATURE-----<br>
<br>_______________________________________________<br>
Ach mailing list<br>
<a href="mailto:Ach@lists.cert.at" target="_blank">Ach@lists.cert.at</a><br>
<a href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach" target="_blank">http://lists.cert.at/cgi-bin/mailman/listinfo/ach</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>David DURVAUX
</div></div>