Uma recente quebra de AES-256 descrita por Bruce Schneier em seu post de 30 de julho de 2009,
There are three reasons not to panic:
- The attack exploits the fact that the key schedule for 256-bit version
is pretty lousy -- something we pointed out in our 2000 paper -- but doesn't extend
to AES with a 128-bit key.
- It's a related-key attack, which requires the cryptanalyst to have access to
plaintexts encrypted with multiple keys that are related in a specific way.- The attack only breaks 11 rounds of AES-256. Full AES-256 has 14 rounds.
Not much comfort there, I agree. But it's what we have. Cryptography is all about safety margins. If you can break n rounds of a cipher, you design it with 2n or 3n rounds. What we're learning is that the safety margin of AES is much less than previously believed. And while there is no reason to scrap AES in favor of another algorithm, NIST should increase the number of rounds of all three AES variants. At this point, I suggest AES-128 at 16 rounds, AES-192 at 20 rounds, and AES-256 at 28 rounds. Or maybe even more; we don't want to be revising the standard again and again.
And for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the forseeable future. But if you're already using AES-256, there's no reason to change.
The paper I have is still a draft. It is being circulated among cryptographers, and should be online in a couple of days. I will post the link as soon as I have it (paper ref).
A citação acima tem destaques relevantes para a pergunta e para o
mudanças tipográficas suaves que fiz.
Schneier provavelmente estava digitando mais devagar, então ele pensa ...
A referência original está vinculada para os puristas.
Por fim, se você quiser ver o que alguns usuários do Stackoverflow querem dizer,