[Cryptography] AES-256- More NIST-y? paranoia

Jerry Leichter leichter at lrw.com
Wed Oct 2 00:27:11 EDT 2013


On Oct 1, 2013, at 5:58 PM, Peter Fairbrother wrote:
> [and why doesn't AES-256 have 256-bit blocks???]
Because there's no security advantage, but a practical disadvantage.

When blocks are small enough, the birthday paradox may imply repeated blocks after too short a time to be comfortable.  Whether this matters to you actually depends on how you use the cipher.  If you're using CBC, for example, you don't want to ever see a repeated block used with a single key.  With 64-bit blocks (as in DES), you expect to see a repetition after 2^32 blocks or 2^38 bytes, which in a modern network is something that might actually come up.

A 128-bit block won't see a collision for 2^64 blocks or 2^71 bytes, which is unlikely to be an issue any time in the foreseeable future.

Note that many other modes are immune to this particular issue.  For example, CTR mode with a 64-bit block won't repeat until you've used it for 2^64 blocks (though you would probably want to rekey earlier just to be safe).

I know of no other vulnerabilities that are related to the block size, though they may be out there; I'd love to learn about them.

On the other hand, using different block sizes keeps you from easily substituting one cipher for another.  Interchanging AES-128 and AES-256 - or substituting in some entirely different cipher with the same block size - is straightforward.  (The changed key length can be painful, but since keys are fairly small anyway you can just reserve key space large enough for any cipher you might be interested in.)  Changing the block size affects much more code and may require changes to the protocol (e.g., you might need to reserve more bits to represent the length of a short final block).

                                                        -- Jerry
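The birthday argument in the post above, worked through in code. This is an added example, not code from the mailing list thread: it computes the 2^(n/2)-block bound (and the matching byte count) for 64- and 128-bit blocks, then checks the bound empirically at a 16-bit block size, where a simulation is cheap, by modelling ciphertext blocks as uniformly random n-bit values (the usual idealisation of a cipher in CBC) and counting blocks until the first repeat. For contrast, a CTR-style counter is walked to show that its inputs stay distinct until the counter wraps at exactly 2^n blocks. All block sizes and trial counts are parameters chosen here for illustration.

```python
import math
import random


def birthday_bound(block_bits: int) -> tuple[int, int]:
    """Return (blocks, bytes) at which a repeated block becomes likely for an
    n-bit block cipher: about 2^(n/2) blocks, each block being n/8 bytes."""
    blocks = 2 ** (block_bits // 2)
    return blocks, blocks * (block_bits // 8)


def expected_blocks_until_repeat(block_bits: int) -> float:
    """Closed-form birthday expectation for the first repeat among uniformly
    random n-bit values: sqrt(pi/2 * 2^n), i.e. roughly 1.25 * 2^(n/2)."""
    return math.sqrt(math.pi / 2 * 2 ** block_bits)


def blocks_until_repeat(block_bits: int, rng: random.Random) -> int:
    """Model CBC ciphertext blocks as random n-bit values and count how many are
    emitted before one repeats.  A repeat matters in CBC because equal ciphertext
    blocks mean equal cipher inputs, which reveals the XOR of the two plaintext
    blocks (P_i xor P_j = C_{i-1} xor C_{j-1}); that is why the post wants no
    repeated block under a single key."""
    seen = set()
    count = 0
    while True:
        block = rng.getrandbits(block_bits)
        count += 1
        if block in seen:
            return count
        seen.add(block)


def average_blocks_until_repeat(block_bits: int, trials: int, seed: int = 1) -> float:
    """Average the simulated first-repeat count over several trials (seeded so
    the run is reproducible)."""
    rng = random.Random(seed)
    return sum(blocks_until_repeat(block_bits, rng) for _ in range(trials)) / trials


def ctr_blocks_until_repeat(block_bits: int) -> int:
    """In CTR mode the cipher input is a counter, so blocks cannot repeat until
    the counter wraps.  Walk a small counter and return how many distinct
    inputs it produced before the first repeat (exactly 2^n)."""
    mask = (1 << block_bits) - 1
    seen = set()
    counter = 0
    while counter not in seen:
        seen.add(counter)
        counter = (counter + 1) & mask
    return len(seen)


if __name__ == "__main__":
    for n in (64, 128):
        blocks, nbytes = birthday_bound(n)
        print(f"{n}-bit blocks: repeat likely around 2^{blocks.bit_length() - 1} blocks"
              f" = 2^{nbytes.bit_length() - 1} bytes")
    n = 16  # small enough to simulate; the scaling is the same as for 64 or 128 bits
    print(f"{n}-bit model: simulated first repeat after "
          f"{average_blocks_until_repeat(n, 200):.0f} blocks on average, "
          f"theory {expected_blocks_until_repeat(n):.0f}, "
          f"CTR counter distinct for {ctr_blocks_until_repeat(n)} blocks")
```

The simulated average at 16 bits lands near the theoretical 321 rather than at the rule-of-thumb 2^8 = 256; the 2^(n/2) figure is a convenient order-of-magnitude bound, not the exact expectation. Scaling the same curve up gives the 2^32-block figure for DES-sized blocks and 2^64 for AES, while the CTR counter only runs out at 2^n.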