ietf-openpgp

Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)

2003-05-30 14:35:28

On Fri, May 30, 2003 at 03:57:14PM -0400, Derek Atkins wrote:
> You still have a 2^128 brute-force attack against the cipher if you
> use a 128-bit key.  It doesn't matter what happens to the other
> bits.

If the cipher retains 128 bits of security in both configurations
AES-128 and AES-256 with a 128 bit key then the security is equal.

But the point at which the security margin of the cipher becomes
interesting is when someone starts to make inroads into reduced-round
variants, and starts to find attacks with work-factors sub-exponential
in the key-size.

> I beg to differ, but extra rounds do not necessarily improve
> the security.

One common method of heuristically measuring the strength of a cipher
is to attack reduced-round variants, clearly indicating that fewer
rounds is less secure.

I take this to mean that practically more rounds IS more secure.

Consider that the cipher state goes through a state analogous to a
state it would go through in a reduced-round version on its way to
the longer round version.  Unless the later rounds somehow _undo_ some
of the security provided by the earlier rounds it will not be less
secure.

Clearly the AES designers consider that more rounds add more security, or
AES-256 would not have more rounds than AES-128.

> As a security engineer you need to use prudence in
> choosing which tools to use in which situation.  Based on the
> state-of-the-art in 2003, and foreseeable for the next few years,
> I believe that AES-128 is sufficient for our needs.

Some people may need security beyond the "next few years".  I'd argue
for standardizing on AES-256.  The computational cost of a few extra
rounds is negligible.

> Adding additional ciphers will just decrease interoperability, which
> will reduce security because people won't use it.  "The perfect is
> the enemy of the good".  Let's get it out there, get it deployed,
> make it ubiquitous.  Until that happens, I don't feel we should
> be entertaining additional ciphers.

Having a smaller choice of options is generally a good thing, I agree.

Adam
