On Thu, 2014-02-27 at 10:58 -0700, Andrew Lutomirski wrote:
> >> For reference, there isn't a well-established, widely accepted
> >> symmetric cipher with 256-bit security. AES-256 is weak [1] and
> >> should probably not be used at all, let alone by anyone who wants a
> >> 256-bit security level.
> >
> > AES-128 is broken too:
> > http://www.kuleuven.be/english/newsletter/newsflash/encryption_standard.html
> >
> > (in short it provides 126-bit security instead of 128).
> >
> > _However_, this and the attacks you describe on AES-256 don't matter
> > for practical purposes. Schneier explains in the blog you quote, but I
> > recap:
> >
> > 1. Related-key attacks are nice for publishing papers, but they have
> > almost no practical relevance (AES or any other modern cipher isn't
> > designed to resist related-key attacks).
> > 2. Attacks on reduced-round variants of ciphers don't matter either,
> > except for academics and for getting the future trend of security of the
> > cipher. We use the full-round variants that resist the published
> > attacks.
> > 3. Breaking a cipher in academic terms means finding an attack that
> > is faster than brute force. The brute-force level of AES-256 is terribly
> > high, so "breaking" AES-256 in 2^245 steps is still very reassuring.
>
> So, in summary:
>
> - LEVEL-256 provides well under 256-bit security.
> - This is fine because no one actually needs 256-bit security.
>
> So *why on earth* would it make sense to implement this proposal? It
> sounds like we'd be offering options that (a) don't perform as
> advertised and (b) don't serve any purpose anyway.

I don't really understand what you are arguing about. Are you complaining
that AES-256 doesn't offer the advertised 256-bit security, or that a
consistent security policy isn't required?

regards,
Nikos

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct