I beg to differ, but extra rounds do not necessarily improve
the security. You still have a 2^128 brute-force attack
against the cipher if you use a 128-bit key. It doesn't matter
what happens to the other bits.
Regardless, I believe that AES-128 has had significantly more
peer review than the larger elements, and "bigger is not necessarily
better". As a security engineer you need to use prudence in
choosing which tools to use in which situation. Based on the
state-of-the-art in 2003, and forseeable for the next few years,
I believe that AES-128 is sufficient for our needs.
Adding additional ciphers will just decrease interoperability, which
will reduce security because people wont use it. "The perfect is
the enemy of the good". Let's get it out there, get it deployed,
make it ubiquitous. Until that happens, I don't feel we should
be entertaining additional ciphers.
-derek
Adam Back <adam(_at_)cypherspace(_dot_)org> writes:
On Thu, May 29, 2003 at 12:55:29PM -0400, Derek Atkins wrote:
"Jeroen C. van Gelderen" <jeroen(_at_)vangelderen(_dot_)org> writes:
In fact, there are those who feel safer with AES
at 128 than at256.
[...]
I certainly did not say "less secure", did I? It's certainly
much SLOWER, and certainly is not MORE secure...
Actually it may be more secure; AES-256 has more rounds to offer a
more conservative security margin because the key is longer. If half
of the key is unused, the extra rounds can only help.
So it is either as strong (if AES-128 truly offers 128 bits of
security), or stronger; but not "certainly is not MORE secure..."
Adam
--
Derek Atkins
Computer and Internet Security Consultant
derek(_at_)ihtfp(_dot_)com www.ihtfp.com