Advanced Encryption Standard: Difference between revisions

Revert to revision 79235823 dated 2006-10-03 12:41:17 by RobertG using popups
Security: Update wording of this paragraph to include less weasel words. Use references to cite specific opinions. Neutralize opening wording.
Line 72:
Some cryptographers worry about the security of AES. They feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small for comfort. The risk is that some way to improve these attacks might be found and that, if so, the cipher could be broken. In this meaning, a [[cryptanalysis|cryptographic]] "break" is anything faster than an [[brute force attack|exhaustive search]], so an attack against 128-bit key AES requiring 'only' 2<sup>120</sup> operations would be considered a break even though it would be, now, quite unfeasible. In practical application, any break of AES which is only this 'good' would be irrelevant. For the moment, such concerns can be ignored. The largest publicly-known brute-force attack has been against a 64 bit [[RC5]] key by [[distributed.net]] (finishing in 2002; [[Moore's Law]] implies that this is roughly equivalent to an attack on a 66-bit key today).
 
AnotherOther concerndebate iscenters around the [[mathematics|mathematical]] structure of AES. Unlike most other block ciphers, AES has a very neat mathematical description [http://www.macfergus.com/pub/rdalgeq.html[algebra|algebraic]], description.[http://www.isg.rhul.ac.uk/~sean/]. This has not yet led to any attacks, but some researchers are worriedfeel that futurebasing attacksa maycipher findon a waynew hardess assumption is risky. This has led Ferguson, Schroeppel, and Whiting to exploitwrite, this"...we structureare concerned about the use of Rijndael [AES] in security-critical applications."[http://www.macfergus.com/pub/rdalgeq.html]
 
In [[2002]], a theoretical attack, termed the "[[XSL attack]]", was announced by [[Nicolas Courtois]] and [[Josef Pieprzyk]], showing a potential weakness in the AES algorithm. Several cryptography experts have found problems in the underlying mathematics of the proposed attack, suggesting that the authors may have made a mistake in their estimates. Whether this line of attack can be made to work against AES remains an open question. For the moment, the XSL attack against AES appears speculative; it is unlikely that anyone could carry out the current attack in practice.
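Review bot: In the reworded paragraph on the mathematical structure of AES, "hardess assumption" should read "hardness assumption", and the sentence containing it ("some researchers feel that basing a cipher on a new hardess assumption is risky") is still an unattributed opinion, which is what the edit summary set out to remove. Suggest attributing that sentence to named authors with its own reference, as is already done for the Ferguson, Schroeppel, and Whiting quotation. The change also turns a paraphrase into a direct quote with an editorial "[AES]" inserted, so the quoted wording should be checked against the cited paper before this is kept.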