On Wed, Nov 28, 2007 at 12:17:15PM +0100, Ian G wrote:
Werner Koch wrote:
On Tue, 27 Nov 2007 17:33, iang(_at_)systemics(_dot_)com said:
To me, this doesn't argue for 128 bit keys. You can achieve the same
effect by taking 128 bits of randomness and adding 128 0's on the end.
I just wonder whether Camellia been analyzed for such an "abuse" of the
key length. It is common practise to use random session key or use a
KDF to have a uniform distribution of the key bits.
Yes, use a key expansion function. I didn't mean to literally tempt the
gods.
What I am trying to do here is suggest ways to reduce the work for
implementors and maintainers, and also reduce possibilities for confusion
by users.
I don't know that this is really reducing work all that much.
Camellia supports a 128-bit key. If we want to have the equivalent of
a 128-bit key, why not just use what Camellia already provides? Sure,
we could do some trickery with key expansion, but then we have to
specify it, code it, and explain to people for a long time why we did
it that way.
David