
List:       linux-crypto
Subject:    Re: (AES) loopback crypto questions
From:       Mike Touloumtzis <miket () bluemug ! com>
Date:       2001-07-11 23:21:13

On Thu, Jul 12, 2001 at 12:00:16AM +0200, peter k. wrote:
> 
> > If your cipher is vulnerable to a known plaintext attack much
> > faster than brute force, you should be using a better cipher.
> > Such an attack would be considered by cryptographers to be a
> > "break" of the cipher.
> > 
> > Computational immunity to _chosen_ plaintext attacks is a
> > sine qua non of a good cipher.
> 
> is AES immune to chosen plaintext attacks?

Yes, as far as anyone knows :-).  There are attacks
on reduced round variants (IIRC there is a 2^32 space,
2^63 time attack on 6-round AES, which may be the best
yet presented).  The original paper presenting Rijndael
as an AES candidate described the "Square attack" (Square
is an earlier cipher by Daemen and Rijmen), which is a
chosen-plaintext attack against 6 rounds in 2^32 space
and 2^72 time.

Full AES uses 10, 12, or 14 rounds depending on the length
of key and block sizes; there is no known attack on it.
Rijndael/AES is not the strongest-seeming of the historical
AES candidates; I think Bruce Schneier's prediction was
that a successful attack (i.e. better than brute force)
would be found on at least 10-round Rijndael before its
expected 30 year lifetime is up, but that the attack would
have no practical significance (e.g. it would be a chosen
plaintext attack requiring 2^96 plaintexts or something
like that).

miket
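
Added example, not code from this thread or from the AES authors: a small Python demonstration of the 3-round "Square" (integral) property that the reduced-round attacks mentioned in the message build on. It assumes arbitrary constructed round keys instead of a real AES key schedule (the property holds for any round keys) and applies MixColumns in every round, including the last.

```python
# Added demo of the 3-round Square property; round keys are constructed, not AES's schedule.
def make_sbox():
    """AES S-box: GF(2^8) inverse (loop keeps p*q == 1) followed by the affine map."""
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1  # q /= 3; only the low byte matters, masked below
        q ^= q << 2
        q = (q ^ (q << 4)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse; the affine map alone gives 0x63
    return sbox

SBOX = make_sbox()

def xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1  # times x in GF(2^8)

def shift_rows(s):
    """Column-major state s[row + 4*col]; row r rotates left by r positions."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):  # each column times the AES circulant matrix (2 3 1 1)
        a = s[4 * c:4 * c + 4]
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        out += [a[i] ^ t ^ xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
    return out

def reduced_aes(block, round_keys, sbox=SBOX):
    """Whitening with round_keys[0], then one full AES round per remaining key."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rk in round_keys[1:]:
        s = mix_columns(shift_rows([sbox[b] for b in s]))
        s = [b ^ k for b, k in zip(s, rk)]
    return s

def lambda_set_xor(rounds):
    """XOR of all outputs of a Lambda-set (byte 0 takes every value, other 15 fixed).
    All-zero means every output byte is balanced: true for 3 rounds with any key."""
    keys = [[(17 * i + 29 * j + 3) & 0xFF for j in range(16)] for i in range(rounds + 1)]
    acc = [0] * 16
    for v in range(256):
        acc = [x ^ y for x, y in zip(acc, reduced_aes([v] + [0x42] * 15, keys))]
    return acc
```

`lambda_set_xor(3)` returns sixteen zero bytes, which a random permutation would only do with probability 2^-128, while `lambda_set_xor(4)` does not; this is the chosen-plaintext distinguisher that the Square attack extends by guessing key bytes of an extra round.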

Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
