Re: [Cfrg] A little room for AES-192 in TLS?

John Mattsson <> Mon, 16 January 2017 15:59 UTC

From: John Mattsson <>
To: Leonard den Ottolander <>, "" <>
Date: Mon, 16 Jan 2017 15:59:13 +0000

Note that there are trivial generic related-key attacks on AES-192 with #K = D = T = M = 2^96.


On 2017-01-16, 15:43, "Cfrg on behalf of Leonard den Ottolander" < on behalf of> wrote:

>On Sun, 2017-01-15 at 20:59 +0000, Taylor R Campbell wrote:
>> Only very unusual protocols ever use related keys.  In sensible
>> protocols, every key is drawn independently uniformly at random.
>Protocols that are designed to use related keys? I hope not!
>
>Compare 4.1 Related-key attack model:
>"Compared to other cryptanalytic attacks in which the attacker can manipulate only the plaintexts and/or the ciphertexts the choice of the relation between secret keys gives additional degree of freedom to the attacker. The downside of this freedom is that such attacks might be harder to mount in practice. designers usually try to build "ideal" primitives which can be automatically used without further analysis in the widest possible set of applications, protocols, or modes of operation. Thus resistance to such attacks is an important design goal for block ciphers, and in fact it was one of the stated design goals of the Rijndael algorithm, which was selected as the Advanced Encryption Standard."
>
>So the question remains if indeed AES-192 is inherently more resistant to this kind of attack (more of an "ideal primitive" in this respect) than AES-256 or do I read too much in the remark "the key schedule of AES-192 has better diffusion" in 6 Attack on AES-192?
>mount -t life -o ro /dev/dna /genetic/research
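The "#K = D = T = M = 2^(k/2)" figure above is the generic key-half split that works against any cipher in the related-key model, which is why related-key resistance beyond that bound cannot be a property of AES-192 (or any 192-bit-key cipher) and why the model itself, rather than the key schedule, decides how much it matters. The following is an added example, not code from this thread or from any cited paper; it scales the split down to a constructed 16-bit toy key and uses a SHA-256-based keyed function as a stand-in for an ideal cipher (an assumption, chosen because only forward evaluation is needed).

```python
import hashlib

KEY_BITS = 16          # toy key size standing in for 192 (AES-192)
HALF = KEY_BITS // 2   # 2^HALF related keys, 2^HALF offline guesses (2^96 for AES-192)
LOW_MASK = (1 << HALF) - 1


def toy_cipher(key: int, block: bytes) -> bytes:
    """Stand-in for an ideal block cipher: a keyed PRF built from SHA-256 (assumption).
    The generic related-key attack only ever evaluates the cipher forwards."""
    return hashlib.sha256(key.to_bytes(KEY_BITS // 8, "big") + block).digest()[:4]


class RelatedKeyOracle:
    """Models the related-key model: the attacker chooses delta and gets E_{K xor delta}(P)."""

    def __init__(self, key: int) -> None:
        self._key = key
        self.queries = 0  # D: number of chosen-plaintext queries issued

    def encrypt(self, delta: int, block: bytes) -> bytes:
        self.queries += 1
        return toy_cipher(self._key ^ delta, block)


def generic_related_key_recovery(oracle: RelatedKeyOracle):
    """Recover K with #K = D = T = M = 2^HALF, independent of the cipher's internals."""
    p0, p1 = b"\x00" * 8, b"\x01" * 8
    # Phase 1 (online, #K = D = M = 2^HALF): deltas range over the low half of the key,
    # so the set {K xor i} contains exactly one key whose low half is all zero.
    table = {}
    for i in range(1 << HALF):
        table.setdefault(oracle.encrypt(i, p0), []).append(i)
    check = oracle.encrypt(0, p1)  # one extra query under K itself to filter false matches
    # Phase 2 (offline, T = 2^HALF): enumerate every key whose low half is zero.
    for j in range(1 << HALF):
        guess = j << HALF
        for i in table.get(toy_cipher(guess, p0), []):
            # K xor i == guess with disjoint halves means K = guess | i.
            candidate = guess | i
            # Block-size-limited filtering: ~2^(k-b) false pairs survive for a b-bit block,
            # so confirm on a second plaintext before accepting.
            if toy_cipher(candidate, p1) == check:
                return candidate
    return None
```

With KEY_BITS = 192 the same loop bounds are 2^96 on each axis, which is the figure in the message; no cipher with a 192-bit key can do better than this in the related-key model.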