[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)

Although I'm not concerned about 128-bit keys being too short -- I 
don't think there will *ever* be a brute-force attack on 128 bits -- 
there are some points to think about.  In Rich Schroeppel's comments on 
AES (see http://csrc.nist.gov/CryptoToolkit/aes/round2/comments/R2comments.txt)
he notes that

	Except for RC6 and perhaps Mars, all the ciphers have the property that
	recovering the expanded key will translate into recovering the primary
	key.  More seriously, the key schedules of Rijndael, and to some extent
	Serpent, allow an attacker who recovers (or guesses) some of the
	expanded key to compute additional bits of the expanded key.  Recall
	that both differential and linear attacks on DES benefited from
	replicated subkey bits -- as soon as an attack finds a few subkey bits,
	the game is over.

If the additional rounds for AES256 are not enough to properly mix in 
the extra key bits -- we're spreading twice as many bits over less than 
twice as many operations -- it might (repeat, *might*) make it easier 
to recover some key bits.

But -- no, I don't think that AES256 is less secure than AES128.  I 
also don't think it's needed.  Remember that if you're worried about 
O(2^128) attacks, you really need a much larger public key, too.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)