Just wondering about this little piece.  How did we get to 256-bit
AES as a requirement?  Just what threat out there justifies it?
There's no conceivable brute-force attack against 128-bit AES as far
out as we can see, so we're presumably begin paranoid about an analytic
attack.  But is there even the hint of an analytic attack against AES
that would (a) provide a practical way in to AES-128; (b) would not
provide a practical way into AES-256?  What little I've seen in the
way of proposed attacks on AES all go after the algebraic structure
(with no real success), and that structure is the same in both
AES-128 and AES-256.

There is no requirement for it. However, as others have noticed, to the casual observer, 256 is twice as good as 128. You don't want to end up with a product review saying, "Product X is solid with 128-bit encryption, but for the ultra-paranoid, product Y is using 256!"

Moreover, AES-256 is 20-ish percent slower than AES-128. That difference can be completely irrelevant in the context of the entire system. That means that there is coolness pressure pushing to 256, and relatively little performance backpressure. The result is that you use AES-256 except where the performance is so tetchy that you really need to back off to 128.

I've been spouting off about how 128 is enough, but not fighting the trend even an iota. It's not worth the bother. Besides, I find the irony that AES is pushing us from debates about how 56 oughta be good enough to why 256 is just inevitable in less than a decade to be amusing.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to