Werner Koch <wk(_at_)gnupg(_dot_)org>:
On Fri, 30 May 2003 19:48:34 -0400, John Wilkinson said:
If the choice for standardization is between AES-128 and AES-256, and
the sole criterion is algorithm strength, I would recommend AES-256,
It doesn't get you anything to double the length of the key if at the
same time you need to make tradeoffs in choosing the quality of the
random numbers. Entropy is a scarce resource and one should be
careful about what to spend it on.
This is not quite true. If you have N bits of unpredictable entropy
and feed this and some "random" but predictable data into an
appropriate hash function to generate a 2N-bit key, then this will
provide more security against brute force and quantum brute force
attacks than directly using a cipher with N-bit keys. (Not much more
security, but some: a brute force attack against the cipher with N-bit
keys can directly cover all of the keyspace; for the attack against
the 2N-bit cipher, the hash preprocessing step has to be included into
the brute-force design, which will slow down the attack.)
Also if one of the ciphers is slower than the other, it is a bit more
secure (literally a bit if it runs at half the speed).
Of course arguably 128 bits are by far enough so that you don't really
have to worry about anything of this -- unless you think that quantum
attacks might become realistic.
--
Bodo Möller <moeller(_at_)cdc(_dot_)informatik(_dot_)tu-darmstadt(_dot_)de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
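The entropy-bounded key derivation Bodo describes, as an added example that is not part of the thread: SHA-256 stands in for the "appropriate hash function", the CONTEXT bytes and the 12-bit secret are constructed, and the toy exhaustive search over that tiny entropy space shows that the 256-bit derived key is only as strong as the N bits fed in, while a costlier per-key trial (hash plus cipher, or a cipher at half speed) adds exactly log2 of the cost ratio.

```python
import hashlib
import math
from typing import Optional, Tuple

# Predictable, public data mixed in alongside the entropy (constructed label).
CONTEXT = b"example-session-context"


def derive_key(entropy: bytes, context: bytes = CONTEXT, key_bits: int = 256) -> bytes:
    """Stretch N bits of unpredictable entropy into a key_bits-long key.

    SHA-256 stands in for the post's 'appropriate hash function'. The output
    is 256 bits long, but only len(entropy) * 8 of them are unpredictable to
    an attacker who knows the context.
    """
    if key_bits > 256 or key_bits % 8:
        raise ValueError("this demo derives at most 256 bits")
    return hashlib.sha256(context + entropy).digest()[: key_bits // 8]


def effective_strength_bits(entropy_bits: int, key_bits: int) -> int:
    """Exhaustive search only has to cover min(entropy, key length) bits."""
    return min(entropy_bits, key_bits)


def work_factor_bits(trial_cost: float, baseline_cost: float) -> float:
    """Extra bits of security from a more expensive per-key trial.

    hash+cipher versus cipher alone, or a cipher at half speed versus full
    speed, both come out as log2(cost ratio): doubling the cost is one bit.
    """
    return math.log2(trial_cost / baseline_cost)


def recover_entropy(target_key: bytes, entropy_bits: int) -> Tuple[Optional[int], int]:
    """Toy illustration of the bound: run every possible entropy value (tiny
    entropy_bits only) through the same hash and count trials until the
    256-bit derived key matches. Returns (entropy value, trials)."""
    width = (entropy_bits + 7) // 8
    trials = 0
    for candidate in range(1 << entropy_bits):
        trials += 1
        if derive_key(candidate.to_bytes(width, "big")) == target_key:
            return candidate, trials
    return None, trials


if __name__ == "__main__":
    secret = 0xABC  # constructed 12-bit "entropy"; the derived key is still 256 bits
    key = derive_key(secret.to_bytes(2, "big"))
    print(f"derived {len(key) * 8}-bit key from 12 bits of entropy")
    print("effective strength:", effective_strength_bits(12, 256), "bits")
    print("recovered (value, trials):", recover_entropy(key, 12))
    print("hash+cipher vs cipher alone, equal cost:", work_factor_bits(2.0, 1.0), "bit")
```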