[math-fun] Fwd: Distinguisher and Related-Key Attack on the Full AES-256
(A few funsters are interested in crypto.)

This note is not about a security weakness, but it is a minor theoretical blemish on the long-key (256 bit) version of AES. An ideal cipher should behave as a (keyed) random permutation on the input space. It should not be statistically different from random, so related keys should still produce unrelated permutations. This note announces a minor defect. The security of the cipher is unaffected (in proper use), because your keys should always be chosen as unrelated random numbers anyway.

Rich

----- Forwarded message from lloyd@randombit.net -----

Date: Fri, 22 May 2009 11:06:23 -0400
From: Jack Lloyd <lloyd@randombit.net>
Reply-To: Jack Lloyd <lloyd@randombit.net>
Subject: Distinguisher and Related-Key Attack on the Full AES-256
To: cryptography@metzdowd.com

Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic gave a talk at the Eurocrypt rump session, 'Distinguisher and Related-Key Attack on the Full AES-256', with the full paper accepted to Crypto. Slides from Eurocrypt are here:

http://eurocrypt2009rump.cr.yp.to/410b0c56029d2fa1d686823e3a059af8.pdf

The q-multicollisions attack they describe may be a practical way of breaking a hash function based on AES. So this could have some interesting ramifications for SHA-3 candidates which use the AES round function; I'm not sufficiently familiar with those designs yet for it to be clear one way or another if they would in fact be vulnerable.

(via zooko's blog)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

----- End forwarded message -----
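The practical caveat in Rich's note is that a related-key result only matters if an application actually hands AES-256 keys that stand in a simple known relation to one another (for example K' = K XOR delta). The following is an added example, not code from either message or from the paper, showing the defensive side of that point: deriving several AES-256 keys from one master secret with HKDF (RFC 5869, HMAC-SHA-256, implemented here from the standard library rather than imported), next to the kind of XOR-related pair the related-key model assumes, with a cheap sanity check on the XOR difference between two keys. The master secret, the labels and the delta are constructed sample values; the function names are my own.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32   # AES-256 key size in bytes
HASH_LEN = 32  # SHA-256 output size, HKDF's HashLen


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC(salt, IKM).
    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): OKM = T(1) || T(2) || ... cut to `length`."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_independent_keys(master: bytes, labels, salt: bytes = b"") -> dict:
    """Derive one AES-256 key per label from a single master secret.
    Each key is an HMAC output under a distinct `info`, so no key is a known
    simple function (XOR by a fixed delta, etc.) of another."""
    prk = hkdf_extract(salt, master)
    return {label: hkdf_expand(prk, label, KEY_LEN) for label in labels}


def xor_related_key(key: bytes, delta: bytes) -> bytes:
    """The kind of pair a related-key model assumes: K' = K XOR delta, delta known.
    Kept only to contrast with the HKDF-derived keys above."""
    return bytes(a ^ b for a, b in zip(key, delta))


def xor_difference_weight(k1: bytes, k2: bytes) -> int:
    """Hamming weight of k1 XOR k2 (number of differing bit positions)."""
    return sum(bin(a ^ b).count("1") for a, b in zip(k1, k2))


def looks_structurally_related(k1: bytes, k2: bytes, max_weight: int = 32) -> bool:
    """Sanity check: two independent 256-bit keys differ in about 128 bits;
    a very low-weight difference is a sign that the keys were produced by a
    simple algebraic relation rather than chosen independently."""
    return xor_difference_weight(k1, k2) <= max_weight


if __name__ == "__main__":
    # Constructed master secret so the demo is reproducible; a real deployment
    # would use secrets.token_bytes(32) or a key from a KMS/HSM.
    master = bytes(range(32))
    keys = derive_independent_keys(master, [b"aes-256 encrypt", b"aes-256 mac"])
    k_enc, k_mac = keys[b"aes-256 encrypt"], keys[b"aes-256 mac"]
    print("HKDF-derived pair looks related?", looks_structurally_related(k_enc, k_mac))

    # Constructed related pair: flip one bit of the key (delta of weight 1).
    delta = b"\x01" + b"\x00" * 31
    k_rel = xor_related_key(k_enc, delta)
    print("XOR-related pair looks related?", looks_structurally_related(k_enc, k_rel))

    # The simplest correct choice from the note: an independent random key.
    fresh = secrets.token_bytes(KEY_LEN)
    print("fresh random key looks related?", looks_structurally_related(k_enc, fresh))
```

The weight check is only a smell test (a relation through a cipher or hash would not show up in it); the real safeguard is the derivation itself, which is why the keys are obtained from HKDF rather than by arithmetic on an existing key.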
participants (1): rcs@xmission.com