[cryptography] New related key attack on 13-round AES-256 in 2**76 time, memory, data

Jack Lloyd lloyd at randombit.net
Wed May 5 10:41:32 EDT 2010

New paper on eprint by Alex Biryukov and Dmitry Khovratovich,
"Feasible Attack on the 13-round AES-256"

Abstract: In this note we present the first attack with feasible
complexity on the 13-round AES-256. The attack runs in the
related-subkey scenario with four related keys, in 2**76 time, data,
and memory.


I'm not sure that I would consider 2**76 chosen plaintexts to be
particularly practical or feasible; even with a 100 gigabits/second
channel it would still take centuries to collect that much data. But
an interesting result and certainly a reminder to systems designers to
be careful in avoiding related keys (for any algorithm).
