
New Attack on AES - gthank
http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html
======
tptacek
This is interesting news, but even if your software uses AES, there's nothing
actionable in it for you.

You are 10,000x more likely to get busted up by a flaw in _how_ you use a
cipher than you are by a flaw in _what_ your cipher is. You could use TEA, and
it would still be overwhelmingly likely that your code would fail before the
algorithm did.

In fact, anything you did to react to news like this would probably make you
less secure. That's because AES has overwhelming library support, and whatever
"stronger" cipher you might think of adopting won't. That means you'll have
more DIY code, and more poorly reviewed library code, all with a bunch of
implementation flaws lurking under the surface.

~~~
j2d2
This is good advice, but don't let it talk you out of upgrading a library.
System administration is still actionable in these cases.

~~~
tptacek
Agreed. Moreover, if your software requires a source code change because
something happened in cryptography research, you've probably done something
wrong.

------
brl
Maybe I'm not interpreting the results correctly, but does this mean that
published attacks place AES-256 in a weaker position than AES-128?

~~~
ars
2^119 certainly seems less than 2^128.

I skimmed the paper and they don't mention AES-128, and I assume that if it
worked on AES-128 they would have mentioned it, but they don't. So maybe.
Probably would need to email the authors and ask.

~~~
brl
They describe that the attack depends on "minimizing the number of active
S-boxes in the key-schedule" and that AES-192 is harder to attack than AES-256
because the key schedule has "better diffusion".

I'm guessing that they don't mention AES-128 because the attack simply doesn't
work against the 128-bit key schedule for reasons related to the increased
difficulty of attacking AES-192 with this technique.

