
Related-key attacks can break AES-192 and AES-256 with complexities 2^176 and 2^99.5, respectively.

Quote from: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

It seems that more bits/key length doesn't necessarily mean more (confidence in) security (at least above a certain minimum key length).

user40602
  • No they're not. A well designed protocol uses uniformly distributed (pseudo) random keys. So related-key attacks only affect protocols that abused AES. – CodesInChaos Mar 09 '15 at 16:10
  • I've seen reports that AES-192 had a specific weakness that made it worse than AES-128 but I can't find it now. Perhaps just rumor. – Joshua Mar 09 '15 at 16:21
  • WRT the implication that all well-designed protocols do not involve related keys, there is at least one exceptional group. In Yao-style garbled circuits you can reduce the costs (xor's for free etc) by designing the garbled circuit scheme to take advantage of related keys. This is done by the majority of the cryptography/GC community in numerous protocols with careful designs. – Thomas M. DuBuisson Mar 09 '15 at 16:52
  • @ThomasM.DuBuisson But do they use primitives designed as PRP/PRF for that? Of course there are primitives that work fine with related keys, in particular most constructions build from cryptographic hashes. – CodesInChaos Mar 09 '15 at 17:35
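The distinction CodesInChaos draws above (related keys vs. independently derived keys) is easier to see in code. The following is an added illustration, not part of the question or the comments: it contrasts subkeys produced by XORing a master key with a known constant (the pattern the comment calls "abusing AES", where the XOR difference between any two subkeys is public) with subkeys derived through HKDF-SHA256 (RFC 5869), which is what a protocol should do if it needs several keys from one secret. The HKDF code is written against the standard-library `hmac` and `hashlib` modules; the function names, the sample labels `b"enc"`/`b"mac"` and the constructed master key are assumptions made for this example.

```python
# Added example: related subkeys versus independently derived subkeys.
# Not from the original question or comments.
import hashlib
import hmac
import os

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-SHA256(salt, IKM).
    An empty salt is replaced by HASH_LEN zero bytes, as the RFC specifies."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869 section 2.3): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output length too large for HKDF")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_sha256(ikm, salt, info, length):
    """Convenience wrapper: extract-then-expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def related_subkeys(master, count):
    """The weak pattern: every subkey is the master key XORed with a publicly
    known constant (here the subkey index in the last byte). Anyone who knows
    the scheme knows the exact XOR difference between any two subkeys, which is
    precisely the setting a related-key attack assumes."""
    keys = []
    for i in range(count):
        diff = bytes(len(master) - 1) + bytes([i])
        keys.append(bytes(a ^ b for a, b in zip(master, diff)))
    return keys


def independent_subkeys(master, labels, key_len=32):
    """The sound pattern: one HKDF-derived subkey per label. Each subkey is
    computationally independent of the others, so there is no known relation
    between them for an attacker to exploit."""
    prk = hkdf_extract(b"", master)
    return [hkdf_expand(prk, label, key_len) for label in labels]


def xor_difference(k1, k2):
    """XOR of two equal-length keys; a low Hamming weight means 'related'."""
    return bytes(a ^ b for a, b in zip(k1, k2))


def hamming_weight(data):
    return sum(bin(x).count("1") for x in data)


if __name__ == "__main__":
    master = os.urandom(32)  # constructed sample master key
    weak = related_subkeys(master, 2)
    good = independent_subkeys(master, [b"enc", b"mac"])
    print("related-key XOR difference weight:", hamming_weight(xor_difference(*weak)))
    print("HKDF subkey XOR difference weight:", hamming_weight(xor_difference(*good)))
```

Running the script shows the point numerically: the two "related" subkeys differ in exactly one bit, a relation the attacker knows in advance, while the two HKDF subkeys differ in roughly half of their 256 bits and the difference is unpredictable without the master key. The `hkdf_sha256` wrapper reproduces the RFC 5869 test vectors, which is the check to run before trusting any hand-written KDF.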
