> They also describe an attack against 11-round AES-256 that requires
> 2^70 time—almost practical.
But... nobody uses 11-round AES-256. And, crucially, these are related-key attacks, not practical for, say, breaking TLS.

In 2009, a new related-key attack was discovered that exploits the simplicity of AES's key schedule and has a complexity of 2^119. In December 2009 it was improved to 2^99.5... However, related-key attacks are not of concern in any properly designed cryptographic protocol, as a properly designed protocol (i.e., implementational software) will take care not to allow related keys, essentially by constraining an attacker's means of selecting keys for relatedness.

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#K...

(Note that the attack with time complexity 2^99.5 also requires 77 bits of memory, or ~16 ZiB, which is, um, billions of terabytes of RAM? edit: actually, this is 2^77 blocks worth of memory, so add a couple more orders of magnitude.)

To date, the best unconditional attack on any full variant of AES provides a factor of ~4 speedup, although it requires 9 PB of data just for AES-128.