
Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)

2003-05-30 17:46:40

Although I'm not concerned about 128-bit keys being too short -- I 
don't think there will *ever* be a brute-force attack on 128 bits -- 
there are some points to think about.  In Rich Schroeppel's comments on 
AES (see http://csrc.nist.gov/CryptoToolkit/aes/round2/comments/R2comments.txt)
he notes that

        Except for RC6 and perhaps Mars, all the ciphers have the property that
        recovering the expanded key will translate into recovering the primary
        key.  More seriously, the key schedules of Rijndael, and to some extent
        Serpent, allow an attacker who recovers (or guesses) some of the
        expanded key to compute additional bits of the expanded key.  Recall
        that both differential and linear attacks on DES benefited from
        replicated subkey bits -- as soon as an attack finds a few subkey bits,
        the game is over.

If the additional rounds for AES256 are not enough to properly mix in 
the extra key bits -- we're spreading twice as many bits over less than 
twice as many operations -- it might (repeat, *might*) make it easier 
to recover some key bits.

But -- no, I don't think that AES256 is less secure than AES128.  I 
also don't think it's needed.  Remember that if you're worried about 
O(2^128) attacks, you really need a much larger public key, too.


                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com (2nd edition of "Firewalls" book)


