On 5/30/03 4:48 PM, "John Wilkinson" <jwilkinson(_at_)attbi(_dot_)com> wrote:
With all due respect, Jon, I would like to see a quote from a recognized
crypto expert who feels that AES-128 is "safer" than AES-256.
I think you misunderstand what I'm saying.
In crypto circles, there's a subtle difference between being conservative
and being insecure. Safety is like wine. It ages over years. We tend to use
the word "safe" informally.
What I said was that the 256 bit ciphers make two changes, and that makes
them daring. I did say that I did not share the concerns I've heard, but I
still value them as the opinions of colleagues.
As for "recognized crypto experts" -- well, there are a lot of them here,
even if a number of us crypto experts aren't cipher designers. You've heard
from recognized crypto experts, and note that there's a variation of
opinion, and some of them say that yes, AES-256 is more daring than AES-128.
When I was at Counterpane, we used Blowfish over either AES or Twofish,
despite the fact that we thought that AES and Twofish both were better
designs. It was all a matter of aging, and it was at that time that
Schneier, Ferguson, and Kelsey (all Twofish designers) opined precisely what
I said -- that all of the AES candidates should be used in 128-bit mode, as
that was better understood.
Now Ferguson and Schneier have a new book out, "Practical Cryptography" and
their opinions are well worth paying close attention to, even if you don't
completely agree.
Personally, I stick with 128-bit keys, but that's because I think too many
people want more bits in their keys without understanding what's going on.
The question, "Will a key with more bits give me better security?" is a lot
like the question, "Will more cylinders in my car engine make me go faster?"
The answer to both is, "Ummm, well, maybe. Usually yes, but too many can
actually cause all sorts of troubles." It's not what people want to hear.
Jon