Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)2003-05-30 19:11:03Steve, I appreciate your comments, and while I acknowledge that the differing key schedules between AES-128 and AES-256 could, in theory, make AES-256 weaker than AES-128, IMHO, the reverse is more likely true. It bears repeating that I don't think it makes much difference, since, in practice, both are likely to remain unbroken for at least a few decades. If one recoveres a single round key from AES-128, one can calculate all the other round keys, and the primary key. This is by design, to conserve on memory, since the expanded key does not need to be stored. With AES-256, one has to recover two (consecutive?) round keys to recover the other round keys or the primary key. So, I respectfully disagree that AES-256 suffers from the problem of trying to spread "twice as many bits over less than twice as many operations."
|
|
||||||||||||||||