On Oct 1, 2013, at 5:58 PM, Peter Fairbrother wrote:
> [and why doesn't AES-256 have 256-bit blocks???]
Because there's no security advantage, but a practical disadvantage.

When blocks are small enough, the birthday paradox may imply repeated blocks 
after too short a time to be comfortable.  Whether this matters to you actually 
depends on how you use the cipher.  If you're using CBC, for example, you don't 
want to ever see a repeated block used with a single key.  With 64-bit blocks 
(as in DES), you expect to see a repetition after 2^32 blocks or 2^38 bytes, 
which in a modern network is something that might actually come up.

A 128-bit block won't see a collision for 2^64 blocks or 2^71 bytes, which is 
unlikely to be an issue any time in the foreseeable future.

Note that many other modes are immune to this particular issue.  For example, 
CTR mode with a 64-bit block won't repeat until you've used it for 2^64 blocks 
(though you would probably want to rekey earlier just to be safe).

I know of no other vulnerabilities that are related to the block size, though 
they may be out there; I'd love to learn about them.

On the other hand, using different block sizes keeps you from easily 
substituting one cipher for another.  Interchanging AES-128 and AES-256 - or 
substituting in some entirely different cipher with the same block size - is 
straightforward.  (The changed key length can be painful, but since keys are 
fairly small anyway you can just reserve key space large enough for any cipher 
you might be interested in.)  Changing the block size affects much more code 
and may require changes to the protocol (e.g., you might need to reserve more 
bits to represent the length of a short final block).

                                                        -- Jerry

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
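The CBC point made in the message above (never let a ciphertext block repeat under one key) is easier to see on a block size small enough to reach the birthday bound in a test run. What follows is an added example, not code from the original message or from anyone on the list; the toy Feistel cipher, the constructed key, the fixed random seed and the 16-bit block size are all assumptions made for the demonstration.

```python
"""Why a repeated CBC ciphertext block under one key is bad, shown on a
shrunk block size so the birthday bound is reachable in milliseconds.

Added example, not code from the original post.  The block cipher is a toy:
a 4-round Feistel network whose round function is HMAC-SHA256 truncated to
half a block.  It is a permutation on block_bits-bit values, which is all the
demonstration needs; it is not a real cipher, and the key below is a
constructed constant, not a real secret.
"""
import hashlib
import hmac
import math
import random


def _round_fn(key: bytes, rnd: int, half: int, half_bits: int) -> int:
    """Keyed round function F_k(rnd, half), truncated to half_bits bits."""
    msg = bytes([rnd]) + half.to_bytes((half_bits + 7) // 8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << half_bits) - 1)


def encrypt_block(key: bytes, block: int, block_bits: int, rounds: int = 4) -> int:
    """Permute one block_bits-wide block (block_bits must be even)."""
    assert block_bits % 2 == 0, "toy Feistel needs an even block size"
    half_bits = block_bits // 2
    mask = (1 << half_bits) - 1
    left, right = block >> half_bits, block & mask
    for r in range(rounds):
        left, right = right, left ^ _round_fn(key, r, right, half_bits)
    return (left << half_bits) | right


def decrypt_block(key: bytes, block: int, block_bits: int, rounds: int = 4) -> int:
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    half_bits = block_bits // 2
    mask = (1 << half_bits) - 1
    left, right = block >> half_bits, block & mask
    for r in reversed(range(rounds)):
        left, right = right ^ _round_fn(key, r, left, half_bits), left
    return (left << half_bits) | right


def cbc_encrypt(key: bytes, iv: int, blocks: list, block_bits: int) -> list:
    """Textbook CBC: C_i = E_k(P_i XOR C_{i-1}) with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = encrypt_block(key, p ^ prev, block_bits)
        out.append(prev)
    return out


def find_cbc_collision(ciphertext: list):
    """First pair (i, j), i < j, with C_i == C_j, or None if no block repeats."""
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None


def leaked_xor(iv: int, ciphertext: list, i: int, j: int) -> int:
    """What C_i == C_j gives away.  E_k is a permutation, so equal outputs
    mean equal inputs: P_i XOR C_{i-1} == P_j XOR C_{j-1}, hence
    P_i XOR P_j == C_{i-1} XOR C_{j-1}, computable from ciphertext alone."""
    prev_i = iv if i == 0 else ciphertext[i - 1]
    prev_j = iv if j == 0 else ciphertext[j - 1]
    return prev_i ^ prev_j


def birthday_bound_blocks(block_bits: int) -> int:
    """Blocks after which a repeat becomes likely: sqrt(2^n) = 2^(n/2)."""
    return 1 << (block_bits // 2)


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Birthday estimate for n_blocks random block_bits-bit values:
    P(some repeat) ~ 1 - exp(-n(n-1) / 2^(block_bits+1))."""
    return 1.0 - math.exp(-n_blocks * (n_blocks - 1) / float(1 << (block_bits + 1)))


def demo(block_bits: int = 16, n_blocks: int = 2000) -> dict:
    """Encrypt n_blocks of random plaintext under one key and show the leak."""
    key = b"constructed-demo-key"   # constructed constant, not a real key
    rng = random.Random(1)          # fixed seed so the run is reproducible
    plaintext = [rng.getrandbits(block_bits) for _ in range(n_blocks)]
    iv = rng.getrandbits(block_bits)
    ct = cbc_encrypt(key, iv, plaintext, block_bits)
    hit = find_cbc_collision(ct)
    if hit is None:
        return {"collision": False}
    i, j = hit
    return {
        "collision": True,
        "i": i, "j": j,
        "blocks_seen": j + 1,
        "birthday_bound": birthday_bound_blocks(block_bits),
        "leaked_xor": leaked_xor(iv, ct, i, j),
        "true_xor": plaintext[i] ^ plaintext[j],
    }


if __name__ == "__main__":
    print(demo())
    print("64-bit blocks, 2^32 blocks sent: P(repeat) = %.2f"
          % collision_probability(64, 2 ** 32))
```

Running it encrypts 2000 blocks and finds a repeated 16-bit ciphertext block in the neighbourhood of the 2^8 = 256-block birthday bound; the XOR computed from ciphertext alone equals the XOR of the two plaintext blocks, so an attacker who knows either block learns the other. Raising block_bits to 64 or 128 and calling collision_probability gives the 2^32-block and 2^64-block figures from the message, which is why the 128-bit block is comfortable and the 64-bit one is not.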