On Aug 6, 2009, at 8:55 AM, Matt Ball wrote:

> Hi Folks,
>
> If the base security of the algorithm is flawed, any mode that uses the algorithm is flawed, because the proofs that XTS is secure rest on the assumption that AES is secure. I believe that the general answer is 'no', but I'd like to hear from some cryptographers who have read the papers more closely to confirm this suspicion. Let me know your thoughts.

The general answer is that, while AES is showing some weaknesses, it is not broken (yet). These attacks are not feasible for recovering plaintext. The fact is that there are no replacements for AES. Action by this working group regarding the insecurity of AES is premature. The usual progression of a flaw like this is to open a fissure that only gets wider. It is my suggestion that the group watch the actions of NIST, and if NIST abandons AES (maybe to suggest an AES2 variant or some other improvements), the group should take immediate action to follow their lead.

Saying P1619 is secure because of some cryptanalysis of our modes is just incorrect. The statement "The P1619 working group is following the progress of the cryptanalysis of AES closely, and will ultimately follow any NIST recommendations regarding AES's security" is correct.

Jim