“…A successful RKA is universally viewed by cryptanalysts as a break of the cipher. The recent attention-grabbing attacks on AES-192 and AES-256 [17,16,15] were RKAs, and far from unique in this regard: a look at the literature shows that RKAs abound [38,42,19,9,10,12,11,49,54,29,36,13,39,34]. Several higher-level cryptographic constructs, including HMAC [3,2], the 3GPP confidentiality and integrity algorithms f8,f9 [35], and RMAC [37,41], use related keys and thus rely for their (standard, not RKA) security on RKA-security of the underlying compression function or blockcipher.…”