[Top] [All Lists]

Re: I-D ACTION:draft-ietf-openpgp-camellia-00.txt

2007-11-27 10:06:04

Werner Koch wrote:
On Tue, 27 Nov 2007 00:25, jon(_at_)callas(_dot_)org said:

One last question is why only 256-bit keys? Why not 128 and 256 (I don't see the point of 192-bit keys, myself)? There are many good answers to the question. For example, if Rijndael were not the AES

An argument pro 128 bit is that you can do double as many independed
encryption with a given amount of random numbers.  This is an advantage
on small systems and those where entropy is a scarce resource.

To me, this doesn't argue for 128 bit keys. You can achieve the same effect by taking 128 bits of randomness and adding 128 0's on the end.

Same comments I think apply to Dani's email.

Unless there is a marked speed difference, I think it reasonable to specify 256 bit key ciphers and expand shorter keys out.

Jon mentioned that with AES, there is a 20% slow down from 128 to 256, in AES not Camelia. That to me suggests that, in principle, we only specify 256 bit keys, and drop the 128 bit cipher (*). If there is a speed issue, then likely 20% isn't going to solve it and there should be a "mobile profile" or proper "cipher suite".


PS: (*) I am not arguing to drop 128 bit AES, just the principle of the thing.