Werner Koch wrote:

> On Tue, 27 Nov 2007 00:25, jon(_at_)callas(_dot_)org said:
>
>> One last question is why only 256-bit keys? Why not 128 and 256 (I
>> don't see the point of 192-bit keys, myself)? There are many good
>> answers to the question. For example, if Rijndael were not the AES
>
> An argument pro 128 bit is that you can do twice as many independent
> encryptions with a given amount of random numbers. This is an advantage
> on small systems and those where entropy is a scarce resource.

To me, this doesn't argue for 128 bit keys. You can achieve
the same effect by taking 128 bits of randomness and adding
128 0's on the end.

Same comments, I think, apply to Dani's email.

Unless there is a marked speed difference, I think it
reasonable to specify 256 bit key ciphers and expand shorter
keys out.

Jon mentioned that with AES, there is a 20% slowdown from
128 to 256, in AES, not Camellia. That to me suggests that,
in principle, we only specify 256 bit keys, and drop the 128
bit cipher (*). If there is a speed issue, then likely 20%
isn't going to solve it and there should be a "mobile
profile" or proper "cipher suite".

iang

PS: (*) I am not arguing to drop 128 bit AES, just the
principle of the thing.