Can you keep a secret? This encrypted drive can...
Jon Callas
jon at callas.org
Wed Nov 8 14:17:09 EST 2006
> Just wondering about this little piece. How did we get to 256-bit
> AES as a requirement? Just what threat out there justifies it?
> There's no conceivable brute-force attack against 128-bit AES as far
> out as we can see, so we're presumably begin paranoid about an
> analytic
> attack. But is there even the hint of an analytic attack against AES
> that would (a) provide a practical way in to AES-128; (b) would not
> provide a practical way into AES-256? What little I've seen in the
> way of proposed attacks on AES all go after the algebraic structure
> (with no real success), and that structure is the same in both
> AES-128 and AES-256.
There is no requirement for it. However, as others have noticed, to
the casual observer, 256 is twice as good as 128. You don't want to
end up with a product review saying, "Product X is solid with 128-bit
encryption, but for the ultra-paranoid, product Y is using 256!"
Moreover, AES-256 is 20-ish percent slower than AES-128. That
difference can be completely irrelevant in the context of the entire
system. That means that there is coolness pressure pushing to 256,
and relatively little performance backpressure. The result is that
you use AES-256 except where the performance is so tetchy that you
really need to back off to 128.
I've been spouting off about how 128 is enough, but not fighting the
trend even an iota. It's not worth the bother. Besides, I find the
irony that AES is pushing us from debates about how 56 oughta be good
enough to why 256 is just inevitable in less than a decade to be
amusing.
Jon
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list