02-18-2008, 01:07 PM
Sebastian G.
Re: TrueCrypt 5.0a - Non KakaWare

Kristian Gjøsteen wrote:

>> http://www.schneier.com/twofish-analysis-shiho.pdf
>
> It's a mischaracterisation, then. It's quite amazing that, even when
> the paper does not claim attacks against Twofish, you claim that it has
> attacks against Twofish.



Aside from the fact that it attacks a generalized version of TwoFish and is
the second of three parts of a cryptanalysis of TwoFish by Moriai and Yin...

> And furthermore, it's the same reference you
> provided last time. This isn't even funny.



And my opinion hasn't changed. It is some serious work by some serious
people, and Mr. Schneier still fails to give any reason why he thinks this
attack doesn't apply to TwoFish.

>>> PS. I'm still waiting for a reference to the claim that AES-256 with 16
>>> rounds is vulnerable to differential cryptanalysis.
>>
>> I didn't claim it vulnerable; the attack is just a space-time-tradeoff.
>
> Quoting <61iqi2F1v5avoU1@mid.dfncis.de>:
>
> For example, AES-256 has 14 rounds with no known differential
> or linear attack, but if you raise it to 16 rounds there's a
> differential attack with 2^64 chosen plaintexts and 2^192 steps.
>
> So you didn't claim it vulnerable?



No. Can't you read?

> And it's not a differential attack, it's a space-time-tradeoff.

Yes, due to a differential attack. A cryptographically secure cipher
shouldn't exhibit such characteristics. The reason why it doesn't matter is
that 2^64 is still far beyond practical, and will probably stay so for the
supposed usage lifetime of AES.

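The exchange above argues over whether a differential attack on an extended-round AES-256 counts as a vulnerability. The quantity every such attack is built from is the difference distribution table (DDT) of the S-box: for each input difference dx, how many inputs x satisfy S(x) ^ S(x ^ dx) == dy. The following is an added example, not code from the post or from any of the parties in the thread. It derives the AES S-box from its definition (multiplicative inverse in GF(2^8) modulo x^8+x^4+x^3+x+1, followed by the standard affine map), computes its DDT, and reports the best single-S-box differential probability. The function names and the toy "weak" S-box used for contrast are assumptions of this example.

```python
# Added example: AES S-box difference distribution table (DDT).
# Not from the forum post; function names are this example's own.

AES_POLY = 0x1B  # reduction constant for x^8 + x^4 + x^3 + x + 1 (low 8 bits)


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements using the AES field polynomial."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_POLY
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0 by convention.
    Uses a^254 == a^-1 (the group of non-zero elements has order 255)."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def aes_sbox_entry(x: int) -> int:
    """S(x) = affine(inverse(x)) exactly as specified in FIPS-197."""
    b = gf_inv(x)
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63


AES_SBOX = [aes_sbox_entry(x) for x in range(256)]


def ddt(sbox: list) -> list:
    """table[dx][dy] = number of x with sbox[x] ^ sbox[x ^ dx] == dy."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            dy = sbox[x] ^ sbox[x ^ dx]
            table[dx][dy] += 1
    return table


def max_differential_probability(sbox: list) -> float:
    """Best probability of any non-trivial (dx != 0) one-S-box differential."""
    table = ddt(sbox)
    best = max(max(row) for row in table[1:])  # skip the dx == 0 row
    return best / len(sbox)


def best_differential(sbox: list) -> tuple:
    """Return (dx, dy, count) for the highest non-trivial DDT entry."""
    table = ddt(sbox)
    best = (0, 0, 0)
    for dx in range(1, len(sbox)):
        for dy, count in enumerate(table[dx]):
            if count > best[2]:
                best = (dx, dy, count)
    return best


# Toy contrast (constructed for this example): a linear S-box leaks
# every input difference with probability 1, i.e. a perfect characteristic.
WEAK_SBOX = list(range(256))

if __name__ == "__main__":
    dx, dy, count = best_differential(AES_SBOX)
    print(f"AES S-box: best differential 0x{dx:02x} -> 0x{dy:02x} "
          f"holds for {count}/256 inputs "
          f"(p = {max_differential_probability(AES_SBOX)})")
    print(f"linear S-box: p = {max_differential_probability(WEAK_SBOX)}")
```

For the AES S-box the largest DDT entry is 4, so no single-S-box differential holds with probability better than 2^-6. A full-cipher characteristic multiplies such per-S-box probabilities over every active S-box in every round, which is why the data requirement of the attack quoted in the thread is stated in chosen plaintexts: the count of pairs needed is roughly the inverse of that product. The linear toy S-box shows the opposite extreme, a characteristic of probability 1.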