ciphergoth: (Default)
[personal profile] ciphergoth
I wrote a longer entry on this that LogJam threw away, but in summary, it now looks like the XSL attack on AES, which was always an academic attack anyway, won't even work in theory, according to Moh and Coppersmith. I don't understand the attack well enough to discuss the detail of all this though.

On that subject, I just read this article attacking Schneier's treatment of the whole issue, and wrote this response:
I think you are quite unfair on Schneier.

Schneier is discussing possible problems with AES not because his candidate lost, but because he's taken on the role of explaining crypto issues to the press and the public. I'm glad he has, since he's very good at it and it badly needs doing.

He has consistently recommended the use of the winning candidate over Twofish since the winner was announced. He predicted when Rijndael won that there might be a theoretical attack on it, and still recommended its use. And in discussing possible flaws with it now, he's making it clear that they do not amount to a practical attack.

And he *did* harsh RC4 when it was called for, but it's not the same sort of issue, because RC4 is not a national standard.

Profile

Paul Crowley
