Strongest Key, Hash, and Cypher Algorithms
Atom Smasher
atom at smasher.org
Mon Feb 7 22:37:09 CET 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Mon, 7 Feb 2005, Ryan Malayter wrote:
> [From Atom Smasher]
>> i don't like AES...
>
> None of the papers I've read suggest anything close to an attack that is
> better than brute-force on full-round AES. Although, I have seen some in
> the crypto field complain Rijndael is just "too simple" to be secure. Of
> course, the same was said about RC4 many years ago, and AFAIK there are
> still no attacks better than brute force against the RC4 algorithm
> itself (protocol issues in WEP don't count).
===================
there have been several successful attacks against RC4, but only
when it's incorrectly implemented. the lesson here is that some good
algorithms are weakly implemented... some algorithms are difficult to
implement correctly. i think elgamal for signatures falls into that
category.
> Just to edjumacate myself, as W. would say, what are your reasons for
> disliking AES? I've been using it more and more frequently for VPNs I
> set up when there is no hardware crypto assist available, since the CPU
> utilization is so much lower than with 3DES.
================
http://en.wikipedia.org/wiki/AES#Security
Some cryptographers worry about the security of AES. They feel
that the margin between the number of rounds specified in the cipher and
the best known attacks is too small for comfort. The risk is that some way
to improve these attacks might be found and that, if so, the cipher could
be broken. In this meaning, a cryptographic "break" is anything faster
than an exhaustive search, so an attack against 128-bit key AES requiring
'only' 2^120 operations would be considered a break even though it would
be, now, quite infeasible. In practical application, any break of AES
which is only this 'good' would be irrelevant. For the moment, such
concerns can be ignored. The largest publicly-known brute-force attack
has been against a 64 bit RC5 key by distributed.net.
Another concern is the mathematical structure of AES. Unlike most
other block ciphers, AES has a very neat mathematical description [2]
(http://www.macfergus.com/pub/rdalgeq.html), [3]
(http://www.isg.rhul.ac.uk/~sean/). This has not yet led to any attacks,
but some researchers are worried that future attacks may find a way to
exploit this structure.
In 2002, a theoretical attack, termed the "XSL attack", was
announced by Nicolas Courtois and Josef Pieprzyk, showing a potential
weakness in the AES algorithm. It seems that the attack, if the
mathematics is correct, is not currently practical as it would have a
prohibitively high "work factor". There have been claims of considerable
work factor improvement, however, so the attack technique might become
practical in the future. On the other hand, several cryptography experts
have found problems in the underlying mathematics of the proposed attack,
suggesting that the authors have made a mistake in their estimates.
Whether this line of attack can be made to work against AES remains an
open question. For the moment, as far as is publicly known, the XSL attack
against AES is speculative; it is unlikely that anyone could carry out the
current attack in practice.
- --
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"There is no such thing at this date of the world's history in
America as an independent press. You know it, and I know it.
There is not one of you who dares to write his honest
opinion, and if you did, you know beforehand it would never
appear in print. I am paid weekly for keeping my honest
opinion out of the paper. Others of you are paid similar
salaries for similar things. And any of you who would be so
foolish as to write honest opinions would be out on the
streets looking for another job.
"If I allow my honest opinions to appear in one issue of my
paper, before 24 hours, my occupation would be gone. The
business of the journalist is to destroy the truth, to lie
outright, to pervert, to vilify, to fawn at the feet of
Mammon and to sell his country and his race for his daily
bread. You know it, and I know it, and what folly is this
toasting an independent press? We are the tools and the
vassals of rich men behind the scenes. We are the jumping
jacks. They pull the strings, and we dance. Our talents, our
possibilities and our lives are all the property of other men.
"We are intellectual prostitutes."
-- John Swinden, 1953, then head of the New York
Times, when asked to toast an independent press
in a gathering at the National Press Club.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJCB9+NAAoJEAx/d+cTpVcitjgH/3OVMpY8QXblFfvrmeaG86/A
ZJ7H+eqbMKKtIWexYpcthlNdbm2le9TNdx0b5BhiWVJot0R+8XncMYvLtP5z/dMR
WdowPoZ2f1EzpXDOwLS4rTEQG7GgcJnSYTBch9ow7A3D03z4XG8Q6wVla2Gn1Sum
JpmnL2Wm/aC6y/iK+JCy1s9Psq3yka+yuo+8vPJd4t3vZnwKZFMLs2TuJUqpMHiT
ocooXsjKPIPADxvg+0b5W+iDUs/dBvX3Y/Q+wG5HoD/x34pcyBTnaib/XEqF7N0I
OH/Gw16DB7CA69dzOtikE0dyvBaFENkFNbHxytls043DI89cRSAiu+EYL+fZPq4=
=CfPS
-----END PGP SIGNATURE-----
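The remark above that RC4 has only fallen to attacks "when it's incorrectly implemented" (the WEP protocol issues being the famous case) is easy to make concrete. The following is an added example, not code from the post or from any project it mentions: a minimal RC4 in pure Python, used to show that encrypting two messages under one unchanged key leaks the XOR of the plaintexts (the algorithm is fine, the key management is not), and that deriving a fresh per-message key from a long-term key and a nonce removes that leak. The key, nonces and messages are constructed sample values, and HMAC-SHA256 as the per-message key derivation is this example's choice, not anything the post prescribes.

```python
"""RC4 keystream reuse: a stream cipher is only as good as its key handling.

Added example (not from the mailing-list post). All keys, nonces and messages
below are constructed sample values.
"""
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Key-scheduling algorithm (KSA) followed by the keystream generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Broken usage: the same key (hence the same keystream) for two messages.
    c1 XOR c2 equals m1 XOR m2, so every position where the plaintexts agree
    shows up as a zero byte without anyone recovering the key."""
    return xor_bytes(rc4(key, m1), rc4(key, m2))


def derive_message_key(long_term_key: bytes, nonce: bytes) -> bytes:
    """Safer usage (this example's choice): a fresh cipher key per message via
    HMAC-SHA256(long_term_key, nonce). Plain key||nonce concatenation, as WEP
    did, is the construction RC4's key schedule is known not to tolerate."""
    return hmac.new(long_term_key, nonce, hashlib.sha256).digest()


def encrypt_with_nonce(long_term_key: bytes, nonce: bytes, m: bytes) -> bytes:
    return rc4(derive_message_key(long_term_key, nonce), m)


def demo():
    key = b"constructed-sample-key"
    m1 = b"transfer 100 USD to acct 4242"
    m2 = b"transfer 999 USD to acct 1337"
    # Same key twice: the ciphertext XOR is exactly the plaintext XOR.
    leak = keystream_reuse_leak(key, m1, m2)
    # Per-message keys: the ciphertext XOR no longer says anything about m1 XOR m2.
    c1 = encrypt_with_nonce(key, b"nonce-0001", m1)
    c2 = encrypt_with_nonce(key, b"nonce-0002", m2)
    return leak, xor_bytes(c1, c2)


if __name__ == "__main__":
    leaked, independent = demo()
    print("same key, c1^c2 :", leaked.hex())
    print("per-msg key, c1^c2:", independent.hex())
```

The leaked value is not a key recovery; it is the classic two-time-pad failure, and it is why real deployments of any stream cipher need a unique key or a properly mixed nonce per message rather than the bare key reused as-is.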
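The quoted Wikipedia text says AES "has a very neat mathematical description" that worries some researchers. As an added example (not from the post or from Wikipedia), here is the part of that description that fits on a page: the AES S-box is not an arbitrary lookup table but the multiplicative inverse in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1, followed by a fixed affine map over GF(2). The code regenerates the whole S-box and its inverse from that definition and checks them against values published in FIPS-197 (S(0x53) = 0xED, S(0x00) = 0x63). Nothing here weakens AES; it only makes visible the algebraic regularity the text is talking about.

```python
"""The AES S-box regenerated from its algebraic definition.

Added example (not from the mailing-list post). The field polynomial and the
affine constant are the ones fixed by the AES specification.
"""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements (bytes), reducing modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); inv(0) := 0 by convention."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def affine(b: int) -> int:
    """The S-box affine layer: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


def sbox(x: int) -> int:
    """SubBytes on a single byte: field inversion, then the affine map."""
    return affine(gf_inv(x))


def build_sbox() -> list:
    return [sbox(x) for x in range(256)]


def build_inverse_sbox() -> list:
    """Invert the table; a valid S-box must be a permutation of 0..255."""
    table = build_sbox()
    inv = [0] * 256
    for x, y in enumerate(table):
        inv[y] = x
    return inv


if __name__ == "__main__":
    table = build_sbox()
    for row in range(16):
        print(" ".join(f"{table[row * 16 + col]:02x}" for col in range(16)))
```

Because every entry is a low-degree algebraic function of its input, the S-box (and hence a full AES round) can be written as a system of multivariate quadratic equations, which is exactly the structure the XSL attack mentioned in the quote tries to exploit; whether that structure can actually be turned into a practical attack is the open question the text describes.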