On 2/1/17 12:41 PM, Sergey Smitienko wrote:
А AES-256 не нужен. AES-256 на самом деле слабее, чем AES-128. "Assuming you're talking about AES 128 versus AES 256, there is a known weakness in the key expansion function that affects AES256. Fundamentally, the weakness reduces the complexity of AES256 to that lower than AES128." http://eprint.iacr.org/2009/374 http://crypto.stackexchange.com/questions/5118/is-aes-256-weaker-than-192-an...
"Related-key attacks are not a problem when the encryption algorithm is used for encryption, because they work only when the victim uses several distinct keys, such that the differences (bitwise XOR) between the keys are known to the attacker and follow a very definite pattern. This is not the kind of thing which often occurs in protocols where AES is used; correspondingly, resistance to related-key attacks was not a design criterion for the AES competition." "No. AES-256 is not weaker than AES-128. Absolutely not. And I disagree with the the advice that you should avoid AES-256. The attack against AES-256 is a related-key attack, which is irrelevant to most real-world uses of AES-256. Related-key attacks only become relevant if you use the block cipher improperly, which is not something that you ought to be doing. [ ... ] So, basically, pay no attention to those claimed attacks on AES-256. They are a theoretical curiousity with little or no relevance to practice at the moment." " Note, that related-key scenarios are very academical. Here, cryptographers assume that an adversary can 'partially control' some relations among keys used in the computation." Как-то так. Атака возможна, если атакующий либо обладает доступом к вычислительной системе, либо "жертва" генерирует related keys по определенному алгоритму и *цепочка *некоторых из них доступна атакующей стороне. Иными словами - *это то, с чем в реальной жизни столкнуться практически невероятно*. -- Volodymyr Litovka "Vision without Execution is Hallucination." -- Thomas Edison