On Thu, Jul 12, 2001 at 12:00:16AM +0200, peter k. wrote:
>
> > If your cipher is vulnerable to a known plaintext attack much
> > faster than brute force, you should be using a better cipher.
> > Such an attack would be considered by cryptographers to be a
> > "break" of the cipher.
> >
> > Computational immunity to _chosen_ plaintext attacks is a
> > sine qua non of a good cipher.
>
> is AES immune to chosen plaintext attacks?

Yes, as far as anyone knows :-). There are attacks on reduced round variants (IIRC there is a 2^32 space, 2^63 time attack on 6-round AES, which may be the best yet presented). The original paper presenting Rijndael as an AES candidate described the "Square attack" (Square is an earlier cipher by Daemen and Rijmen), which is a chosen-plaintext attack against 6 rounds in 2^32 space and 2^72 time. Full AES uses 10, 12, or 14 rounds depending on the length of key and block sizes; there is no known attack on it.

Rijndael/AES is not the strongest-seeming of the historical AES candidates; I think Bruce Schneier's prediction was that a successful attack (i.e. better than brute force) would be found on at least 10-round Rijndael before its expected 30 year lifetime is up, but that the attack would have no practical significance (e.g. it would be a chosen plaintext attack requiring 2^96 plaintexts or something like that).

miket

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/