Re: [cryptography] [info] The NSA Is Building the Country's Biggest Spy Center (Watch What You Say)

On 19/03/12 12:31 PM, ianG wrote:
... So after a lot of colour, it is not clear if they can break AES. Yet. OK. But that is their plan. And they think they can do it, within their foreseeable future.
So, step into NSA's shoes. If there is a timeline here we (NSA) worked out we can break AES "soon" ... what would we do?

Would we impress everyone in the world as to how strong it was and push NIST to standardise it as much as possible? Plausible given that everyone follows NIST's lead without question. The Suite B sweetener is aptly named, nobody seems to have missed the sour taste of Suite A ;-)

Would we propose or advance some modes or protocols above others? Where I'm getting at here is things like CTR mode. It seems that this mode reduces the obfuscations of CBC to make AES the sole and only fulcrum of strength. Nice, clear and simple. But, assuming a predictable counter, we have lots of ciphertext with a clear relationship. So CTR is easier to crack assuming a big machine that makes the local county brown-out every time someone wants to read a conversation.

Or, is the advantage that CBC and other modes have - obfuscation of the ciphertext with variation stolen from the plaintext - of such low value in the scheme of things that these things make no difference? Is the choice of mode irrelevant if AES has a weakness?

iang

(context here is that I am examining an older protocol of mine with thought of replacing it, and wonder which mode to prefer...)

(thinking about it more, my normal rule of "ignore the NSA always" should answer this :) )

----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
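An added illustration of the CTR-versus-CBC question in the message above (not part of the original post and not ianG's code): it records what the block cipher is actually fed in each mode, then rebuilds the same input/output pairs from public values and known plaintext alone, without the key. Assumptions: a toy SHA-256 Feistel permutation stands in for AES, the key, nonce, IV and plaintext are constructed, and all function names are hypothetical.

```python
import hashlib

BLOCK = 16  # bytes, same block size as AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation built from SHA-256. A stand-in, NOT AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def counter_block(nonce: bytes, i: int) -> bytes:
    return nonce + i.to_bytes(8, "big")  # 8-byte nonce || 64-bit counter

def ctr_encrypt(key, nonce, pt, trace):
    out = b""
    for i in range(0, len(pt), BLOCK):
        x = counter_block(nonce, i // BLOCK)
        y = toy_block_encrypt(key, x)
        trace.append((x, y))          # what the block cipher actually saw
        out += xor(pt[i:i + BLOCK], y)
    return out

def cbc_encrypt(key, iv, pt, trace):
    out, prev = b"", iv               # pt must be a multiple of BLOCK here
    for i in range(0, len(pt), BLOCK):
        x = xor(pt[i:i + BLOCK], prev)
        prev = toy_block_encrypt(key, x)
        trace.append((x, prev))
        out += prev
    return out

def observed_ctr(nonce, pt, ct):
    """Pairs rebuilt from public nonce + known plaintext, without the key."""
    return [(counter_block(nonce, i // BLOCK), xor(pt[i:i + BLOCK], ct[i:i + BLOCK]))
            for i in range(0, len(ct), BLOCK)]

def observed_cbc(iv, pt, ct):
    chain = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return [(xor(pt[i * BLOCK:(i + 1) * BLOCK], chain[i]), chain[i + 1])
            for i in range(len(chain) - 1)]

if __name__ == "__main__":
    key, nonce, iv = b"constructed key!", b"nonce-01", b"constructed iv!!"
    pt = b"known header 16B" * 4     # constructed known plaintext
    t = []; ct = ctr_encrypt(key, nonce, pt, t)
    for x, y in observed_ctr(nonce, pt, ct): print("CTR", x.hex(), "->", y.hex())
    t = []; ct = cbc_encrypt(key, iv, pt, t)
    for x, y in observed_cbc(iv, pt, ct): print("CBC", x.hex(), "->", y.hex())
```

In the printed pairs the CTR inputs differ only in the counter field, while the CBC inputs vary across the whole block; in both modes the pairs are recoverable from known plaintext.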