Folks: I've already been investigating for a long time the possibility of switching from AES-256 to XSalsa20 for future versions of Tahoe-LAFS. Today's announcement that AES-256 is weaker than we previously thought makes the issue more urgent. Here's a blog entry I just posted about this (also appended):

http://testgrid.allmydata.org:3567/uri/URI:DIR2-RO:j74uhg25nwdpjpacl6rkat2yhm:kav7ijeft5h7r7rxdp5bgtlt3viv32yabqajkrdykozia5544jqa/wiki.html

Regards,

Zooko

------- begin appended blog entry

Wow! Cryptographers have devised even more effective ways to crack a weakened variant of AES-256: Schneier's blog entry (http://www.schneier.com/blog/archives/2009/07/another_new_aes.html). This doesn't mean that anyone who is currently relying on AES is vulnerable, but it does increase the likelihood that in the future someone will come up with a way to crack the full-strength AES. This means that for long-term storage (such as in the Tahoe-LAFS storage system, http://allmydata.org), it might be better to encrypt with a stronger cipher such as Salsa20 (actually XSalsa20, which is just Salsa20 with a larger initialization vector) or, as Bruce Schneier suggests, AES with extra rounds.

It is ironic that AES-256 is the only algorithm approved for TOP SECRET by the U.S. government (AES-128 is approved for SECRET but not for TOP SECRET). AES-256 has now been revealed as being weaker than AES-128.

The other issue is that large-scale practical quantum computers (if they existed) could crack any cipher with a mere 128-bit key, but not a good cipher with a 256-bit key. This might mean that AES-256 would be vulnerable if there were a sufficiently powerful quantum computer. That would mean there is now no encryption algorithm which is both secure against quantum computers and approved by the U.S. government for TOP SECRET.

I was recently pondering whether the next iteration of Tahoe-LAFS should switch from AES-256 to XSalsa20. The benefits I was considering were that XSalsa20 is probably more secure than AES-256 (see the Tahoe-LAFS Bibliography, http://allmydata.org/trac/tahoe/wiki/Bibliography, especially the practical issue of side-channel attacks) and is certainly much faster. The drawbacks were that XSalsa20 is newer and less widely studied and that it wasn't approved for U.S. government usage. This new attack on AES-256 makes my dilemma all the more pointed.

_______________________________________________
tahoe-dev mailing list
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
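The post describes XSalsa20 in passing as "Salsa20 with a larger initialization vector". The following is an added worked example, not code from the post or from Tahoe-LAFS, showing exactly what that means: Salsa20's 64-bit nonce is extended to 192 bits by first running the HSalsa20 function on the key and the first 16 nonce bytes to derive a fresh subkey, then running ordinary Salsa20 under that subkey with the remaining 8 nonce bytes. The practical consequence for a storage system is the reason the larger IV matters: a random 64-bit nonce is expected to repeat after roughly 2^32 messages under one key (a stream-cipher keystream reuse), whereas random 192-bit nonces can be generated per object without coordination. The key, nonce and plaintext in `demo()` are constructed sample values; the function names are this example's own.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
# Salsa20's "sigma" constants: the ASCII string "expand 32-byte k" as four
# little-endian 32-bit words, placed on the diagonal of the 4x4 word state.
SIGMA = struct.unpack("<4I", b"expand 32-byte k")


def rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) & MASK32) | (x >> (32 - n))


def quarterround(s, a, b, c, d):
    """Salsa20 quarterround on state words s[a], s[b], s[c], s[d], in place."""
    s[b] ^= rotl((s[a] + s[d]) & MASK32, 7)
    s[c] ^= rotl((s[b] + s[a]) & MASK32, 9)
    s[d] ^= rotl((s[c] + s[b]) & MASK32, 13)
    s[a] ^= rotl((s[d] + s[c]) & MASK32, 18)


def salsa20_rounds(state, rounds=20):
    """Apply `rounds` Salsa20 rounds (columnround/rowround pairs) to a copy of state."""
    s = list(state)
    for _ in range(rounds // 2):
        quarterround(s, 0, 4, 8, 12)    # columnround
        quarterround(s, 5, 9, 13, 1)
        quarterround(s, 10, 14, 2, 6)
        quarterround(s, 15, 3, 7, 11)
        quarterround(s, 0, 1, 2, 3)     # rowround
        quarterround(s, 5, 6, 7, 4)
        quarterround(s, 10, 11, 8, 9)
        quarterround(s, 15, 12, 13, 14)
    return s


def salsa20_block(key, nonce8, counter):
    """One 64-byte Salsa20/20 keystream block: 32-byte key, 8-byte nonce, block counter."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce8)
    c = struct.unpack("<2I", struct.pack("<Q", counter))
    # Layout: sigma words at 0, 5, 10, 15; key halves at 1..4 and 11..14;
    # nonce at 6..7; block counter at 8..9.
    state = [SIGMA[0], *k[:4], SIGMA[1], *n, *c, SIGMA[2], *k[4:], SIGMA[3]]
    z = salsa20_rounds(state)
    # Feedforward: add the input state back so the round function is not invertible.
    return struct.pack("<16I", *[(a + b) & MASK32 for a, b in zip(state, z)])


def salsa20_xor(key, nonce8, data):
    """Salsa20 stream cipher: XOR data with keystream (encryption and decryption are identical)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce8, i // 64)
        out.extend(p ^ q for p, q in zip(data[i:i + 64], ks))
    return bytes(out)


def hsalsa20(key, nonce16):
    """HSalsa20: derive a 32-byte subkey from the key and 16 nonce bytes.

    Same layout as Salsa20, but words 6..9 (nonce + counter slots) hold the 16
    nonce bytes, there is no feedforward, and eight fixed words form the output.
    """
    k = struct.unpack("<8I", key)
    n = struct.unpack("<4I", nonce16)
    state = [SIGMA[0], *k[:4], SIGMA[1], *n, SIGMA[2], *k[4:], SIGMA[3]]
    z = salsa20_rounds(state)
    return struct.pack("<8I", z[0], z[5], z[10], z[15], z[6], z[7], z[8], z[9])


def xsalsa20_xor(key, nonce24, data):
    """XSalsa20: first 16 nonce bytes select a subkey via HSalsa20, the last 8
    are used as an ordinary Salsa20 nonce under that subkey."""
    if len(key) != 32 or len(nonce24) != 24:
        raise ValueError("XSalsa20 needs a 32-byte key and a 24-byte nonce")
    subkey = hsalsa20(key, nonce24[:16])
    return salsa20_xor(subkey, nonce24[16:], data)


def demo():
    """Encrypt a constructed message under a random 192-bit nonce and decrypt it again."""
    key = bytes(range(32))    # constructed sample key, not for real use
    nonce = os.urandom(24)    # a random nonce per object is safe at 192 bits
    msg = b"constructed sample plaintext standing in for a stored Tahoe-LAFS share"
    ct = xsalsa20_xor(key, nonce, msg)
    pt = xsalsa20_xor(key, nonce, ct)
    return ct, pt, msg
```

Note that XSalsa20, like Salsa20, provides confidentiality only; stored data still needs an integrity check (Tahoe-LAFS obtains that separately through its hashes and signatures), and a nonce must never be reused under one key.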
