On 2015-11-30 12:47, Robert Relyea wrote:
I've always found the 128 bit prioritized over 256 a silly
recommendation, I support reordering.
Can you expand on why you think it is silly?
The original thread  had a long discussion on this topic. The DJB
batch attack redefines the landscape, but does not address the original
concerns around AES-256 resistance. To me, the main question is to
verify whether AES-256 implementations are at least as resistant as
AES-128 ones, in which case the doubled key size provides a net benefit,
and preferring it is a no-brainer.
dev-tech-crypto mailing list