Although I'm not concerned about 128-bit keys being too short -- I
don't think there will *ever* be a brute-force attack on 128 bits --
there are some points to think about. In Rich Schroeppel's comments on
AES (see http://csrc.nist.gov/CryptoToolkit/aes/round2/comments/R2comments.txt)
he notes that:

    Except for RC6 and perhaps Mars, all the ciphers have the property that
    recovering the expanded key will translate into recovering the primary
    key. More seriously, the key schedules of Rijndael, and to some extent
    Serpent, allow an attacker who recovers (or guesses) some of the
    expanded key to compute additional bits of the expanded key. Recall
    that both differential and linear attacks on DES benefited from
    replicated subkey bits -- as soon as an attack finds a few subkey bits,
    the game is over.

If the additional rounds for AES256 are not enough to properly mix in
the extra key bits -- we're spreading twice as many bits over less than
twice as many operations -- it might (repeat, *might*) make it easier
to recover some key bits.
But -- no, I don't think that AES256 is less secure than AES128. I
also don't think it's needed. Remember that if you're worried about
O(2^128) attacks, you really need a much larger public key, too.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)
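The key-schedule property Schroeppel describes, as an added example that is not part of Bellovin's post: the AES-128 key expansion written out, plus the schedule run backwards to show that any single complete round key yields every other round key and the primary key. The S-box is derived from its GF(2^8) definition rather than tabulated; the key used in the checks is the FIPS-197 Appendix A example key.

```python
# Added example (not from the post): AES-128 key schedule and its inverse,
# showing that one round key determines every other, including the primary key.
def _gf_mul(a, b):
    # Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    # Derive the S-box from its definition: GF(2^8) inverse, then the affine map.
    sbox = []
    for x in range(256):
        inv = next((y for y in range(256) if _gf_mul(x, y) == 1), 0)
        aff = inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4)
        sbox.append(aff ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _g(word, rnd):
    # Nonlinear step on every fourth word: RotWord, SubWord, then add Rcon.
    b = word.to_bytes(4, "big")
    sub = bytes(SBOX[v] for v in b[1:] + b[:1])
    return int.from_bytes(sub, "big") ^ (RCON[rnd - 1] << 24)

def expand_key(key):
    # AES-128 key expansion: 16-byte key -> 44 words w[0..43] (11 round keys).
    w = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = _g(t, i // 4)
        w.append(w[i - 4] ^ t)
    return w

def recover_key(round_key, rnd):
    # Walk the schedule backwards from round key `rnd` (4 words) to the primary key.
    rk = list(round_key)
    for r in range(rnd, 0, -1):
        w3, w2, w1 = rk[3] ^ rk[2], rk[2] ^ rk[1], rk[1] ^ rk[0]  # w[i-4] = w[i] ^ w[i-1]
        rk = [rk[0] ^ _g(w3, r), w1, w2, w3]  # the fourth word needs the recovered w[4r-1]
    return b"".join(x.to_bytes(4, "big") for x in rk)
```

The same walk works forwards from any round key, which is why a leaked round key (from a side channel, say) is as good as the primary key for AES-128.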