<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 27, 2018 at 8:49 PM, Peter Gutmann <span dir="ltr"><<a href="mailto:pgut001@cs.auckland.ac.nz" target="_blank">pgut001@cs.auckland.ac.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Natanael <<a href="mailto:natanael.l@gmail.com">natanael.l@gmail.com</a>> writes:<br>
<br>
>Notable new features:<br>
<br>
Another interesting feature is the fact that this may be the first encryption<br>
system that goes to 10 1/2:<br>
<br>
"offers the equivalent of 192-bit cryptographic strength"<br>
<br>
Since 128 bits is the benchmark 10 and going to 11 is 256 bits for when you<br>
really need that factor of 340,282,366,920,938,463,463,<wbr>374,607,431,768,211,456<br>
extra safety margin, this one goes to 10 1/2.<br>
<br>
Peter.<br></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">There is a good argument to be made for 256 and 128 bits. I have never seen a good case for 192.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The case for 128 is that it is the bare minimum required to make the brute force work factor infeasible on traditional machines. The case for 256 bits is that it provides a safety margin for quantum resistance.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The number of rounds is 10,12 and 14. for 128, 192 and 256 bit keys. At an RSA, Adi Shamir suggested that NIST increase the number of rounds in 128 bit AES to provide something of a safety margin. Which is why I always use 256 for my work.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I cannot imagine anyone using a quantum computer to break link layer encryption (which is what WPA3 is) but then neither can I imagine the range of uses and abuses people will put WPA3 to.</div></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I would have gone to 11. Even on the smallest devices, I don't know of a situation where 128 bit AES is acceptable but 256 is not. I know plenty of cases where AES won't work at all but none so close to the edge that 40% extra time is significant.</div><div> </div></div></div></div>