Can you keep a secret? This encrypted drive can...

Jon Callas jon at
Wed Nov 8 14:17:09 EST 2006

> Just wondering about this little piece.  How did we get to 256-bit
> AES as a requirement?  Just what threat out there justifies it?
> There's no conceivable brute-force attack against 128-bit AES as far
> out as we can see, so we're presumably being paranoid about an analytic
> attack.  But is there even the hint of an analytic attack against AES
> that would (a) provide a practical way in to AES-128; (b) would not
> provide a practical way into AES-256?  What little I've seen in the
> way of proposed attacks on AES all go after the algebraic structure
> (with no real success), and that structure is the same in both
> AES-128 and AES-256.

There is no requirement for it. However, as others have noticed, to  
the casual observer, 256 is twice as good as 128. You don't want to  
end up with a product review saying, "Product X is solid with 128-bit  
encryption, but for the ultra-paranoid, product Y is using 256!"

Moreover, AES-256 is 20-ish percent slower than AES-128. That  
difference can be completely irrelevant in the context of the entire  
system. That means that there is coolness pressure pushing to 256,  
and relatively little performance backpressure. The result is that  
you use AES-256 except where the performance is so tetchy that you  
really need to back off to 128.

I've been spouting off about how 128 is enough, but not fighting the  
trend even an iota. It's not worth the bother. Besides, I find the  
irony that AES is pushing us from debates about how 56 oughta be good  
enough to why 256 is just inevitable in less than a decade to be  


The Cryptography Mailing List