Werner Koch wrote:
On Tue, 27 Nov 2007 17:33, iang(_at_)systemics(_dot_)com said:
To me, this doesn't argue for 128 bit keys. You can achieve the same
effect by taking 128 bits of randomness and adding 128 0's on the end.
I just wonder whether Camellia been analyzed for such an "abuse" of the
key length. It is common practise to use random session key or use a
KDF to have a uniform distribution of the key bits.
Yes, use a key expansion function. I didn't mean to
literally tempt the gods.
What I am trying to do here is suggest ways to reduce the
work for implementors and maintainers, and also reduce
possibilities for confusion by users.
There is a view that OpenPGP is a fine way to experiment
with lots of different algorithms and lengths and modes and
colours. I once had that view as a developer, and once even
published a Java kit with lots of algorithms in it...
because it was so much fun to do all these algorithms!
But it is a conceit. The maintainer in me rejected that
approach within a month, and the architect in me now says
that there is only one true cipher suite:
http://iang.org/ssl/h1_the_one_true_cipher_suite.html
iang