Hi,

On 18-06-18 00:53, David Sommerseth wrote:
> On 17/06/18 23:21, Alex K wrote:
> [...snip...]
>>
>> Seems that I can use AES-256-GCM since it gives the same encapsulation overhead
>> with slight decrease of bandwidth compared to AES-128-CBC I was using and it
>> will provide some extra security to avoid any surprises from the quantum
>> computers :)
>
> Let me just correct a potential misunderstanding. AES-256 makes it a bit
> _harder_ to attack compared to AES-128 in the post-quantum scenario.
>
> I'm fuzzy on the details (and the crypto geeks need to correct or confirm
> this) ... but IIRC, the strength of AES-256 today is comparable to AES-128 in
> a PQ scenario. And likewise, today's strength of AES-128 would be
> roughly half that in a PQ world.
As a rule of thumb, yes. That's a safe way to think about it. (In reality, it's
likely more secure than "half the exponent", because there are all sorts of
inefficiencies involved.)

> So AES-256 _does_ _not_ _protect_ you. It just _increases_ the difficulty of
> breaking it.

Of course AES itself could be broken, but when we assume that AES128 is
sufficiently secure now, we may assume that AES256 is secure in a post-quantum
world.

That said: in the PQ scenario AES is the least of your worries. The (EC)DH part
in TLS is. You can use tls-crypt to remedy that somewhat.

Bottom line: AES-256-GCM was chosen as the default because it's a safe bet. If
you really need the extra bit of performance, using AES-128-GCM is probably
fine too.

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
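The cipher and tls-crypt settings discussed in this thread, written out as an added OpenVPN 2.4 server-side configuration fragment. This is not from the thread or from the OpenVPN project; the key file name ta.key is a placeholder and the option set is limited to options that exist in OpenVPN 2.4.

```conf
# Added example (not from the thread): OpenVPN 2.4 server settings that pair
# the AES-256-GCM default with tls-crypt on the control channel.
# File names below are placeholders.

# Data channel: AES-256-GCM, the default the thread describes as a safe bet.
# AES-128-GCM is listed second so clients that need the extra performance
# can still negotiate it.
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM

# Control channel: tls-crypt encrypts and authenticates every control-channel
# packet, including the TLS handshake that carries the (EC)DH exchange, with
# a pre-shared key. A passive eavesdropper who only records traffic therefore
# has to obtain this key before the (EC)DH exchange is even visible to attack.
# Generate the key once with:
#   openvpn --genkey --secret ta.key
# and distribute the identical file to every client.
tls-crypt ta.key

# Only accept TLS 1.2 or newer on the control channel.
tls-version-min 1.2
```

Every client needs the same `tls-crypt ta.key` line and the same key file; the file is a shared secret, so store and distribute it with the same care as the private keys of the PKI. The remedy is partial, as the thread says: it raises the bar for a passive recording attacker but does not replace the (EC)DH exchange inside the TLS session.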