Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)

[Adam Back <adam@xxxxxxxxxxxxxxx>]

Not sure if this is what you were referring to about their comments in
Practical Cryptography, but in that book they argue for use of 256-bit
keys on the basis that protocols and algorithms more frequently than
we'd like fall victim to variants of the meet-in-the-middle attack
where the key space ends up being half as many bits as you thought it
might.

So personally I'm not sure I buy that particular argument, but I
happen to share the conclusion: 256-bit keys are a good idea.

Also I'd think the most suspect aspect of a 256-bit keyed cipher is
whether it truly achieves 256-bits of strength.  I'd say it's much
less controversial however to say 256-bit AES provides a better margin
of security than 128-bit AES.

Adam

On Sun, Jun 01, 2003 at 03:27:24AM -0700, Jon Callas wrote:
> Now Ferguson and Schneier have a new book out, "Practical Cryptography" and
> their opinions are well worth paying close attention to, even if you don't
> completely agree. 
> 
> Personally, I stick with 128-bit keys, but that's because I think too many
> people want more bits in their keys without understanding what's going on.
> 
> The question, "Will a key with more bits give me better security?" is a lot
> like the question, "Will more cylinders in my car engine make me go faster?"
> The answer to both is, "Ummm, well, maybe. Usually yes, but too many can
> actually cause all sorts of troubles." It's not what people want to hear.
> 
>     Jon
>