
Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, May 30, 2003 at 03:57:14PM -0400, Derek Atkins wrote:
> 
> I beg to differ, but extra rounds do not necessarily improve
> the security.  You still have a 2^128 brute-force attack
> against the cipher if you use a 128-bit key.  It doesn't matter
> what happens to the other bits.
> 
> Regardless, I believe that AES-128 has had significantly more
> peer review than the larger elements, and "bigger is not necessarily
> better".  As a security engineer you need to use prudence in
> choosing which tools to use in which situation.   Based on the
> state-of-the-art in 2003, and foreseeable for the next few years,
> I believe that AES-128 is sufficient for our needs.
> 
> Adding additional ciphers will just decrease interoperability, which
> will reduce security because people won't use it.  "The perfect is
> the enemy of the good".  Let's get it out there, get it deployed,
> make it ubiquitous.  Until that happens, I don't feel we should
> be entertaining additional ciphers.

Just to clarify what I thought I was reading: are you suggesting that
AES-256 (and presumably AES-192) be dropped from OpenPGP, or is that
just a general comment?

I was in favor of dropping TIGER, MD2, SAFER, etc, but AES-192 and 256
are already widely implemented and deployed (PGP 7 and later, GnuPG
1.0.4 and later).  Removing those two ciphers now would cause pretty
serious interoperability problems.

Perhaps I misunderstood your thrust, in which case, my apologies.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+2AZD4mZch0nhy8kRAuxFAJ9W2XXEbJVO7VEYerXJsK9FtwunWQCgmkG7
EnaQn5QSpZoVLZjja6He7HQ=
=aEtu
-----END PGP SIGNATURE-----