Re: [Cfrg] Re: AES-based hash function
John Viega wrote:
>So when designing a new cipher you would not try to have it resist
>related key attacks? I hope that you would... there are going to be
>uses besides modes of operation with proofs of security relying on
>only the PRP assumption. Maybe there shouldn't be, but there are
>still entity authentication schemes, etc. that people will/do use that
>don't have "modern" proofs of security.
Well, I guess I'd probably do what I could, but what I would do doesn't
count for much. If the question is, can we and should we use AES as a
building block, then I believe it is relevant that AES's key schedule
has not been as well-studied, and doesn't seem to have as much mixing and
nonlinearity, as its main round structure. Put another way, I don't have
quite as much confidence in the security of AES against related-key attacks
as I do in its security against chosen-plaintext/ciphertext attacks.
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
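The claim above, that the AES key schedule mixes less than the round function, can be made concrete with a small diffusion probe. The following is an added example, not code from the list thread or from any CFRG draft: it implements the AES-128 key expansion and one unkeyed-difference round (SubBytes, ShiftRows, MixColumns, AddRoundKey), flips one bit of the key, and counts how many bytes of each round key change, then does the same for one bit of the state pushed through the round function. The sample key and block are the FIPS-197 test vectors, used here only as constructed inputs; the byte-count metric is a crude diffusion measure, not a related-key attack.

```python
# AES-128 diffusion probe (added example): a 1-bit key difference through the
# key schedule versus a 1-bit state difference through the round function.
# Key and block are the FIPS-197 Appendix A/B test vectors, used as sample input.

def _xtime(a):
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _gf_inv(a):
    # a^254 == a^-1 in GF(2^8); 0 maps to 0 by convention
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r if a else 0

def _build_sbox():
    # S(x) = affine(inv(x)): b ^ rotl(b,1..4) ^ 0x63
    sbox = []
    for x in range(256):
        b = _gf_inv(x)
        s = b
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):
    """AES-128 key expansion; returns the 11 round keys as 16-byte values."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord: the only nonlinear step
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

# State is column-major: index r + 4*c holds row r, column c (FIPS-197 layout).
def _sub_bytes(s):
    return [SBOX[b] for b in s]

def _shift_rows(s):
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
                _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
    return out

def aes_round(state, round_key):
    """One full AES round (not the final round, which omits MixColumns)."""
    s = _mix_columns(_shift_rows(_sub_bytes(list(state))))
    return bytes(a ^ b for a, b in zip(s, round_key))

def differing_bytes(a, b):
    return sum(x != y for x, y in zip(a, b))

def key_schedule_spread(key, rounds=3):
    """Bytes of round keys 0..rounds-1 that change when bit 0 of key byte 0 flips."""
    key2 = bytes([key[0] ^ 0x01]) + key[1:]
    rk1, rk2 = expand_key(key), expand_key(key2)
    return [differing_bytes(rk1[r], rk2[r]) for r in range(rounds)]

def round_function_spread(key, block, rounds=2):
    """Bytes of state that differ after each round when bit 0 of block byte 0 flips."""
    rks = expand_key(key)
    s1, s2 = block, bytes([block[0] ^ 0x01]) + block[1:]
    out = []
    for r in range(rounds):
        s1, s2 = aes_round(s1, rks[r + 1]), aes_round(s2, rks[r + 1])
        out.append(differing_bytes(s1, s2))
    return out

SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")    # FIPS-197 A.1
SAMPLE_BLOCK = bytes.fromhex("3243f6a8885a308d313198a2e0370734")  # FIPS-197 B

if __name__ == "__main__":
    print("key schedule, differing bytes per round key:", key_schedule_spread(SAMPLE_KEY))
    print("round function, differing bytes per round:  ", round_function_spread(SAMPLE_KEY, SAMPLE_BLOCK))
```

The counts are independent of the particular key and block: a one-bit key difference still touches only 4 bytes of round key 1 (the same bit position in each word, because w4..w7 are built by plain XOR) and 6 bytes of round key 2, whereas a one-bit state difference reaches 4 bytes after one round and all 16 after two, as the MDS property of MixColumns guarantees.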