
Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
On Fri, May 30, 2003 at 03:57:14PM -0400, Derek Atkins wrote:
> You still have a 2^128 brute-force attack against the cipher if you
> use a 128-bit key.  It doesn't matter what happens to the other
> bits.

If the cipher retains 128 bits of security in both configurations
AES-128 and AES-256 with a 128 bit key then the security is equal.

But the point at which the security margin of the cipher becomes
interesting is when someone starts to make inroads into reduced-round
variants, and starts to find attacks with work factors sub-exponential
in the key size.

> I beg to differ, but extra rounds do not necessarily improve
> the security.  

One common method of heuristically measuring the strength of a cipher
is to attack reduced-round variants, clearly indicating that fewer
rounds is less secure.

I take this to mean that practically more rounds IS more secure.

Consider that the cipher state goes through a state analogous to a
state it would go through in a reduced-round version on its way to
the longer-round version.  Unless the later rounds somehow _undo_ some
of the security provided by the earlier rounds, it will not be less
secure.

Clearly the AES designers consider that more rounds add more security, or
AES-256 would not have more rounds than AES-128.

> As a security engineer you need to use prudence in
> choosing which tools to use in which situation.   Based on the
> state-of-the-art in 2003, and foreseeable for the next few years,
> I believe that AES-128 is sufficient for our needs.

Some people may need security beyond the "next few years".  I'd argue
for standardizing on AES-256.  The computational cost of a few extra
rounds is negligible.

> Adding additional ciphers will just decrease interoperability, which
> will reduce security because people won't use it.  "The perfect is
> the enemy of the good".  Let's get it out there, get it deployed,
> make it ubiquitous.  Until that happens, I don't feel we should
> be entertaining additional ciphers.

Having a smaller choice of options is generally a good thing, I agree.

Adam
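The thread's argument turns on round counts and reduced-round variants. As an added example (not code from the thread or from any of its participants), here is a minimal AES with the round count as a parameter: it runs AES-128 (10 rounds) and AES-256 (14 rounds) against the FIPS-197 known-answer vectors, and lets an r-round reduced variant be compared with the full cipher's state after round r. All function names are this example's own, and the S-box is derived from the GF(2^8) inverse and affine map rather than typed in.

```python
# Added example, not code from the thread: a minimal AES with a parameterised
# round count (table lookups, so not constant-time; for study only).
def _gmul(a, b):  # multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r
def _sbox_entry(x):  # GF(2^8) inverse followed by the FIPS-197 affine map
    inv = next((y for y in range(256) if _gmul(x, y) == 1), 0)
    acc = 0
    for k in range(5):  # XOR of inv rotated left by 0..4 bits
        acc ^= (inv << k | inv >> (8 - k)) & 0xFF
    return acc ^ 0x63
SBOX = [_sbox_entry(x) for x in range(256)]
def _expand_key(key, rounds):  # FIPS-197 5.2: returns rounds+1 round keys
    nk = len(key) // 4
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = w[i - 1][:]
        if i % nk == 0:  # RotWord, SubWord, then XOR with the round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif nk > 6 and i % nk == 4:  # extra SubWord step for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]
def _shift_rows(s):  # state is 16 bytes indexed row + 4*column
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def _mix_columns(s):  # multiply each column by the fixed FIPS-197 matrix
    a = lambda c, r: s[4 * c + r % 4]
    return [_gmul(a(c, r), 2) ^ _gmul(a(c, r + 1), 3) ^ a(c, r + 2) ^ a(c, r + 3)
            for c in range(4) for r in range(4)]
def aes_states(key, block, rounds=None):  # state after key add and each round
    rounds = rounds or {16: 10, 24: 12, 32: 14}[len(key)]
    rk = _expand_key(bytes(key), rounds)
    s = [b ^ k for b, k in zip(block, rk[0])]
    states = [s]
    for i in range(1, rounds + 1):
        s = _shift_rows([SBOX[b] for b in s])
        if i < rounds:  # the last round omits MixColumns, as in FIPS-197
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[i])]
        states.append(s)
    return states
def aes_encrypt(key, block, rounds=None):  # one block; rounds defaults to 10/12/14
    return bytes(aes_states(key, block, rounds)[-1])
```

Calling aes_encrypt(key, block, rounds=r) with r below the standard count gives the reduced-round variant discussed above; since the round keys are a prefix of the full schedule, applying MixColumns around round key r to its output reproduces the full cipher's state after round r.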