[Cryptography] Time to move to 256bit blocks?

Phillip Hallam-Baker phill at hallambaker.com
Fri Mar 19 12:38:21 EDT 2021


I am almost done implementing OCB mode in C#. I have the encryption test
vectors working for full blocks. All I need to do now is decrypt (which
people might want to do).

While working on this, I started to think that maybe we have got to the
point where we should move past the 128 bit block size of AES. This was a
fine choice when it was made and arguably a decent choice today for
hardware encryption. But it still represents a compromise that I would
rather eliminate rather than work around.

The obvious replacement choice is 256 bits. While Rijndael offers 192 bits,
that is a poor match to modern computer architecture where data moves in
2^n bit increments.

So the next question would be which 256 bit block cipher to use. Rijndael?
Something else? If Rijndael, how many rounds for a 256 bit key?

While I get that Rijndael is a flexible cipher, I don't agree with all the
choices on offer. I have never seen the point of 192 bit keys, I don't use
them, I don't support them in the Mesh. Anyone using a 256 bit block size
is going to go for a 256 bit key. I can't see a justification for keys
larger than 256 bits but I can see a case for using more than 14 rounds.