Content deleted Content added
Citation bot (talk | contribs) Alter: template type, pages, title. Add: isbn, pages, volume, series, chapter, chapter-url, date, authors 1-1. Removed or converted URL. Removed parameters. Formatted dashes. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Abductive | Category:Cryptography | #UCB_Category 80/220 |
m →Security: moved a sentence to be more chronological |
||
Line 126:
AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.
By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.<ref name="improved">[[John Kelsey (cryptanalyst)|John Kelsey]], [[Stefan Lucks]], [[Bruce Schneier]], [[Mike Stay]], [[David A. Wagner|David Wagner]], and [[Doug Whiting]], ''Improved Cryptanalysis of Rijndael'', [[Fast Software Encryption]], 2000 pp213–230 {{cite web |title=Academic: Improved Cryptanalysis of Rijndael - Schneier on Security |url=http://www.schneier.com/paper-rijndael.html |url-status=live |archive-url=https://web.archive.org/web/20070223215007/http://www.schneier.com/paper-rijndael.html |archive-date=2007-02-23 |access-date=2007-03-06}}</ref>▼
=== Known attacks ===
Line 137:
During the AES selection process, developers of competing algorithms wrote of Rijndael's algorithm "we are concerned about [its] use ... in security-critical applications."<ref name="rijndael-algebraic">
{{cite conference |author=Niels Ferguson |author-link=Niels Ferguson |author2=Richard Schroeppel |author2-link=Richard Schroeppel |author3=Doug Whiting |title=A simple algebraic representation of Rijndael |book-title=Proceedings of Selected Areas in Cryptography, 2001, Lecture Notes in Computer Science |pages=103–111 |publisher=[[Springer-Verlag]] |date=2001 |url=http://www.macfergus.com/pub/rdalgeq.html |format=PDF/[[PostScript]] |access-date=2006-10-06 |archive-url=https://web.archive.org/web/20061104080748/http://www.macfergus.com/pub/rdalgeq.html |archive-date=4 November 2006 |citeseerx=10.1.1.28.4921}}</ref> In October 2000, however, at the end of the AES selection process, [[Bruce Schneier]], a developer of the competing algorithm [[Twofish]], wrote that while he thought successful academic attacks on Rijndael would be developed someday, he "did not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic."<ref>Bruce Schneier, [http://www.schneier.com/crypto-gram-0010.html AES Announced] {{webarchive|url=https://web.archive.org/web/20090201005720/http://www.schneier.com/crypto-gram-0010.html |date=2009-02-01 }}, October 15, 2000</ref>
▲By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.<ref name="improved">[[John Kelsey (cryptanalyst)|John Kelsey]], [[Stefan Lucks]], [[Bruce Schneier]], [[Mike Stay]], [[David A. Wagner|David Wagner]], and [[Doug Whiting]], ''Improved Cryptanalysis of Rijndael'', [[Fast Software Encryption]], 2000 pp213–230 {{cite web |title=Academic: Improved Cryptanalysis of Rijndael - Schneier on Security |url=http://www.schneier.com/paper-rijndael.html |url-status=live |archive-url=https://web.archive.org/web/20070223215007/http://www.schneier.com/paper-rijndael.html |archive-date=2007-02-23 |access-date=2007-03-06}}</ref>
Until May 2009, the only successful published attacks against the full AES were [[side-channel attack]]s on some specific implementations. In 2009, a new [[related-key attack]] was discovered that exploits the simplicity of AES's key schedule and has a complexity of 2<sup>119</sup>. In December 2009 it was improved to 2<sup>99.5</sup>.<ref name=relkey /> This is a follow-up to an attack discovered earlier in 2009 by [[Alex Biryukov]], [[Dmitry Khovratovich]], and Ivica Nikolić, with a complexity of 2<sup>96</sup> for one out of every 2<sup>35</sup> keys.<ref>{{cite book |volume=5677 |chapter=Distinguisher and Related-Key Attack on the Full AES-256 |last1=Nikolić |first1=Ivica |title=Advances in Cryptology - CRYPTO 2009 |date=2009 |publisher=Springer Berlin / Heidelberg |isbn=978-3-642-03355-1 |pages=231–249 |doi=10.1007/978-3-642-03356-8_14 |series=Lecture Notes in Computer Science}}</ref> However, related-key attacks are not of concern in any properly designed cryptographic protocol, as a properly designed protocol (i.e., implementational software) will take care not to allow related keys, essentially by [[Related-key attack#Preventing related-key attacks|constraining]] an attacker's means of selecting keys for relatedness.
| |||