[147489] in cryptography@c2.net mail archive
Re: [Cryptography] AES-256- More NIST-y? paranoia
daemon@ATHENA.MIT.EDU (Tony Arcieri)
Thu Oct 3 15:28:53 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <524CE0DE.3090507@sonic.net>
From: Tony Arcieri <bascule@gmail.com>
Date: Thu, 3 Oct 2013 10:40:01 -0700
To: Ray Dillinger <bear@sonic.net>
Cc: Crypto <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
--===============0330632041245674776==
Content-Type: multipart/alternative; boundary=089e012953ac8bdc1204e7d9afbc
--089e012953ac8bdc1204e7d9afbc
Content-Type: text/plain; charset=ISO-8859-1
On Wed, Oct 2, 2013 at 8:13 PM, Ray Dillinger <bear@sonic.net> wrote:
> Leaving aside the question of whether anyone "weakened" it, is it
> true that AES-256 provides comparable security to AES-128?
No, there's a common misconception that the related key attacks make
AES-256 worse than AES-128 because AES-128 is not susceptible to these
attacks. The alleged source of this information is a Bruce Schneier blog
post (which is fine in and of itself, it's being misinterpreted).
In Schneier et al's book Cryptography Engineering he recommends AES-256
over AES-128, despite the flaws, but suggests we might consider looking for
a better cipher at this point. The rationale is that AES-256 still provides
a wider security margin.
--
Tony Arcieri
--089e012953ac8bdc1204e7d9afbc
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">On Wed, Oct 2, 2013 at 8:13 PM, Ray Dillinger <span dir=3D=
"ltr"><<a href=3D"mailto:bear@sonic.net" target=3D"_blank">bear@sonic.ne=
t</a>></span> wrote:<br><div class=3D"gmail_extra"><div class=3D"gmail_q=
uote"><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-l=
eft:1px #ccc solid;padding-left:1ex">
<div><span style=3D"color:rgb(34,34,34)">Leaving aside the question of whet=
her anyone "weakened" it, is it</span><br></div>
true that AES-256 provides comparable security to AES-128?</blockquote><div=
><br></div><div>No, there's a common misconception that the related key=
attacks make AES-256 worse than AES-128 because AES-128 is not susceptible=
to these attacks. The alleged source of this information is a Bruce Schnei=
er blog post (which is fine in and of itself, it's being misinterpreted=
).</div>
<div><br></div><div>In Schneier et al's book Cryptography Engineering h=
e recommends AES-256 over AES-128, despite the flaws, but suggests we might=
consider looking for a better cipher at this point. The rationale is that =
AES-256 still provides a wider security margin.</div>
</div><div><br></div>-- <br>Tony Arcieri<br>
</div></div>
--089e012953ac8bdc1204e7d9afbc--
--===============0330632041245674776==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============0330632041245674776==--
