[Cryptography] block size / block cipher versus stream cipher

Kristian Gjøsteen kristian.gjosteen at ntnu.no
Sun Mar 21 18:49:10 EDT 2021


> On 3/19/21 9:38 AM, Phillip Hallam-Baker wrote:
> 
>> I started to think that maybe we have got to the
>> point where we should move past the 128 bit block size of AES.

Depending on your mode of operation, the block size of the underlying block cipher may not be functionally visible to you.

Security-wise, birthday-bound attacks typically limit the amount of data you can safely encrypt using a single key to 2^30-2^40-ish blocks. (This depends on a bunch of details and your exact security requirements, keeping in mind that you are dealing with a statistical distance which you as a designer control, that is, it is not under adversarial control. This limit tends to appear in your mode's security theorem, though translating it into engineering-useful numbers may be non-trivial.)

>> The obvious replacement choice is 256 bits.

256 bit blocks would do the job nicely, but there are few such ciphers that are as well-studied as AES. In particular, I believe the large-block Rijndael variants are less well-studied than the AES variants.

Besides larger blocks, there are other design options that are practical for many applications, such as rekeying etc. Personally, I would investigate those options before I go hunting for new block ciphers.


On 20 Mar 2021, at 06:54, John Denker via cryptography <cryptography at metzdowd.com> wrote:
> Some very smart people whom I respect have told me I'm wrong
> about this, and may be I am ... but maybe not.

While I do not count myself as very smart, and in particular I don’t know anything about symmetric cryptography, I agree that you are wrong.

> […]
> So ... what am I missing?


The block cipher design paradigm has been a roaring success. We are in a position where an idiot like me can safely use block ciphers to design cryptosystems and prove solid theorems about their security.

There are other design strategies for symmetric cryptosystems, but I am not aware of any that give plebs like me the ability to do anything remotely comparable to what I can do with block ciphers.

-- 
Kristian Gjøsteen
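The data limit the message above attributes to the birthday bound can be turned into concrete numbers. The following is an added worked example (not part of the original mail or of any project's code); it assumes the standard bound q(q-1)/2^(n+1) on the probability that two of q uniformly random n-bit blocks coincide, which is the term that shows up in CTR/CBC-style security theorems for an ideal block cipher, and it uses constructed data volumes and advantage targets.

```python
from math import isqrt

def collision_bound(block_bits: int, num_blocks: int) -> float:
    """Upper bound q(q-1)/2^(n+1) on the probability that two of num_blocks
    uniformly random n-bit blocks are equal (the birthday bound). In a
    security theorem this is the term that grows with data-per-key."""
    q = num_blocks
    return q * (q - 1) / 2 ** (block_bits + 1)

def log2_block_limit(block_bits: int, advantage_log2: int) -> float:
    """log2 of the largest q with q^2/2^(n+1) <= 2^-t, i.e. how many blocks one
    key may encrypt before the birthday term exceeds an advantage of 2^-t.
    Solving q^2 <= 2^(n+1-t) gives q <= 2^((n+1-t)/2)."""
    return (block_bits + 1 - advantage_log2) / 2

def max_blocks_per_key(block_bits: int, advantage_log2: int) -> int:
    """Exact integer version of the same limit: floor(sqrt(2^(n+1-t)))."""
    return isqrt(2 ** (block_bits + 1 - advantage_log2))

def keys_needed(total_bytes: int, block_bits: int, advantage_log2: int) -> int:
    """How many distinct keys (i.e. how many rekeyings) are needed to push
    total_bytes through the cipher while keeping every key under its
    per-key block limit. This is the 'rekeying instead of bigger blocks'
    option the message mentions, as a rough sizing calculation."""
    block_bytes = block_bits // 8
    total_blocks = (total_bytes + block_bytes - 1) // block_bytes
    per_key = max_blocks_per_key(block_bits, advantage_log2)
    return (total_blocks + per_key - 1) // per_key

if __name__ == "__main__":
    # Constructed scenario: 1 TiB of data, advantage target 2^-64.
    for n in (128, 256):
        print(f"n={n}: ~2^{log2_block_limit(n, 64):.1f} blocks per key, "
              f"{keys_needed(2**40, n, 64)} key(s) for 1 TiB")
    # A looser target of 2^-32 on 128-bit blocks allows ~2^48.5 blocks.
    print(f"2^48 blocks, n=128: birthday term = {collision_bound(128, 2**48):.2e}")
```

The 2^-64 target lands the 128-bit limit near 2^32.5 blocks, inside the 2^30-2^40 range the mail quotes, while a 256-bit block pushes it to about 2^96.5 and makes rekeying irrelevant for any realistic volume.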


