Jon Callas wrote:
I discussed our previous conversation, and he said that his doubt is merely
that he is not convinced that the 256-bit keys are fully exponentially
stronger than 128. I think this is reasonable, and have the same doubts
myself about all the present generation 256 bit cyphers.
Quite. We have a precedent in our requirement of 3DES which is
vulnerable to a meet-in-the-middle attack, so we don't expect it to
be fully exponentially stronger than a modern 128 bit cipher.