This is interesting news, but even if your software uses AES, there's nothing actionable in it for you.
You are 10,000x more likely to get busted up by a flaw in how you use a cipher than you are by a flaw in what your cipher is. You could use TEA, and it would still be overwhelmingly likely that your code would fail before the algorithm did.
In fact, anything you did to react to news like this would probably make you less secure. That's because AES has overwhelming library support, and whatever "stronger" cipher you might think of adopting won't. That means you'll have more DIY code, and more poorly reviewed library code, all with a bunch of implementation flaws lurking under the surface.
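The claim above is that usage flaws, not cipher flaws, are what break real systems. The following is an added example, not code from the thread or any commenter: a counter-mode construction whose keystream comes from HMAC-SHA256 (a stand-in assumed here only so the block runs without an AES library; the failures shown do not depend on which cipher produces the keystream). It shows two classic misuses, nonce reuse and missing integrity, and a hardened form with a fresh nonce per message plus encrypt-then-MAC. The key, nonce and messages are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Stand-in keystream generator: block i of the keystream is PRF(key, nonce || i).
# HMAC-SHA256 plays the PRF here only so the example runs without an AES library;
# the two misuse failures shown below are identical for AES-CTR, ChaCha20, or any
# other stream/counter-mode construction, which is the point being illustrated.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Unauthenticated counter-mode encryption; decryption is the same call."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


# Failure 1: nonce reuse. Two ciphertexts under the same (key, nonce) XOR to
# pt1 ^ pt2 because the keystream cancels; one known plaintext reveals the other.
def recover_other_plaintext(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    return xor(xor(ct1, ct2), known_pt1)


# Failure 2: no integrity. Counter mode is malleable, so an attacker who knows
# (or guesses) a field's current value can rewrite it without the key.
def rewrite_field(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    seg = ct[offset:offset + len(old)]
    return ct[:offset] + xor(xor(seg, old), new) + ct[offset + len(old):]


# Hardened form: fresh random nonce per message, separate encryption and MAC keys,
# encrypt-then-MAC over nonce || ciphertext, constant-time tag comparison.
def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce = os.urandom(16)
    ct = ctr_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return ctr_encrypt(enc_key, nonce, ct)


def demo() -> dict:
    key = bytes(range(32))              # constructed sample key
    reused_nonce = b"\x00" * 16         # the bug: same nonce for two messages
    pt1 = b"PAY 0010 TO ALICE"          # constructed sample messages, equal length
    pt2 = b"PAY 0500 TO CAROL"
    ct1 = ctr_encrypt(key, reused_nonce, pt1)
    ct2 = ctr_encrypt(key, reused_nonce, pt2)

    # Attacker knows pt1 (say, a predictable message) and sees both ciphertexts.
    recovered = recover_other_plaintext(ct1, ct2, pt1)

    # Attacker bumps the amount in ct1 from 0010 to 9999 without the key;
    # the receiver decrypts the modified ciphertext and gets the forged message.
    forged = ctr_encrypt(key, reused_nonce, rewrite_field(ct1, 4, b"0010", b"9999"))

    # Hardened path: round-trips, and the same bit-flip is rejected.
    blob = seal(key, pt1)
    roundtrip = open_sealed(key, blob)
    try:
        open_sealed(key, rewrite_field(blob, 16 + 4, b"0010", b"9999"))
        detected = False
    except ValueError:
        detected = True
    return {"recovered": recovered, "forged": forged,
            "roundtrip": roundtrip, "tamper_detected": detected}


if __name__ == "__main__":
    print(demo())
```

Swapping the HMAC keystream for AES-CTR changes nothing in `demo()`: the recovered plaintext and the forged amount come out the same, and only the `seal`/`open_sealed` discipline stops them.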
I skimmed the paper and they don't mention AES-128. I assume that if it worked on AES-128 they would have mentioned it, but they don't. So maybe. You'd probably need to email the authors and ask.
If I'm reading the paper right, this is largely an attack on the AES key schedule, so as far as this attack is concerned, AES-256 might indeed be weaker than AES-192.
Remember that the complexity to brute force AES-128 is 2^64 due to the birthday paradox. The complexity to break AES-256 is 2^119 and thus it is still harder to break than AES-128.
I'm pretty sure the cryptanalysis is equally applicable. The summary (and maybe the paper) don't mention AES-128, but the attack uses "boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers". This might affect AES-256 more than AES-128 because there are more chances for local collisions, but it will still be stronger.
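The two comments above trade figures for "birthday paradox" and key-recovery complexity. The following is an added illustration, not part of the thread, of where the birthday bound applies: it governs how many random n-bit values (block outputs, IVs) can be drawn before one repeats, about sqrt(2^n), which is why ciphertext volume against a given block size matters; exhaustive search for one specific k-bit key gets no such shortcut and costs about 2^(k-1) trials on average. The simulation and sample sizes are constructed for this example.

```python
import math
import random


def birthday_expected_draws(n_bits: int) -> float:
    """Expected draws of uniform n-bit values before the first repeat: sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)


def exhaustive_key_search_expected(k_bits: int) -> int:
    """Expected trials to hit one specific k-bit key by brute force: half the keyspace."""
    return 2 ** (k_bits - 1)


def block_collision_probability(m_blocks: int, n_bits: int) -> float:
    """P(some n-bit block repeats among m random blocks), approximated by 1 - exp(-m^2 / 2^(n+1))."""
    return 1.0 - math.exp(-(m_blocks ** 2) / 2 ** (n_bits + 1))


def bytes_to_birthday_bound(n_bits: int) -> int:
    """Ciphertext volume at which block collisions become likely: 2^(n/2) blocks of n/8 bytes each."""
    return 2 ** (n_bits // 2) * (n_bits // 8)


def simulate_first_collision(n_bits: int, rng: random.Random) -> int:
    """Draw uniform n-bit values until one repeats; return the number of draws it took."""
    seen = set()
    draws = 0
    while True:
        draws += 1
        v = rng.getrandbits(n_bits)
        if v in seen:
            return draws
        seen.add(v)


def mean_first_collision(n_bits: int, trials: int, seed: int = 1) -> float:
    """Average first-collision draw count over several seeded trials (small n so it runs quickly)."""
    rng = random.Random(seed)
    return sum(simulate_first_collision(n_bits, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    # Empirical check of the sqrt(2^n) scaling on a toy 16-bit space.
    print("16-bit space: predicted %.0f, simulated %.0f draws to first repeat"
          % (birthday_expected_draws(16), mean_first_collision(16, 200)))
    # 64-bit block (TEA/3DES size) vs 128-bit block (AES): data volume to reach the bound.
    for n in (64, 128):
        print("%3d-bit block: ~%.2e bytes before block collisions are likely" % (n, bytes_to_birthday_bound(n)))
    # Key search has no birthday shortcut: 2^127 expected trials for a 128-bit key.
    print("AES-128 exhaustive search: ~2^%d trials" % (exhaustive_key_search_expected(128).bit_length() - 1))
```

For a 64-bit block the bound is reached after about 2^32 blocks, i.e. roughly 32 GiB of ciphertext under one key; for a 128-bit block it is about 2^64 blocks, which is why a birthday-style figure describes block-collision risk rather than the cost of recovering the key.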
tptacek | 16 years ago
j2d2 | 16 years ago
brl | 16 years ago
ars | 16 years ago
cperciva | 16 years ago
pavel | 16 years ago
sp332 | 16 years ago