On Thu, 2014-02-27 at 10:58 -0700, Andrew Lutomirski wrote:
>>> For reference, there isn't a well-established, widely accepted
>>> symmetric cipher with 256-bit security. AES-256 is weak [1] and
>>> should probably not be used at all, let alone by anyone who wants a
>>> 256-bit security level.
>>
>> AES-128 is broken too:
>>
>> http://www.kuleuven.be/english/newsletter/newsflash/encryption_standard.html
>>
>> (in short it provides 126-bit security instead of 128).
>>
>> _However_, this and the attacks you describe on AES-256 don't matter
>> for practical purposes. Schneier explains in the blog you quote, but I
>> recap:
>>
>> 1. Related key attacks are nice for publishing papers, but they have
>> almost no practical relevance (AES or any other modern cipher isn't
>> designed to resist related key attacks).
>> 2. Attacks on reduced-round variants of ciphers don't matter either,
>> except for academics and for getting the future trend of security of the
>> cipher. We use the full-round variants that resist the published
>> attacks.
>> 3. Breaking a cipher in the academic term means finding an attack that
>> is faster than brute force. The brute force level of AES-256 is terribly
>> high, so "breaking" AES-256 in 2^245 steps is still very reassuring.
>
> So, in summary:
> - LEVEL-256 provides well under 256-bit security.
> - This is fine because no one actually needs 256-bit security.
>
> So *why on earth* would it make sense to implement this proposal? It
> sounds like we'd be offering options that (a) don't perform as
> advertised and (b) don't serve any purpose anyway.

I don't really understand what you are arguing about. Are you
complaining that AES-256 doesn't offer the advertised 256-bit security,
or that a consistent security policy isn't required?

regards,
Nikos