Hi Hilarie, On May 3, 2006, at 7:36 PM, The Purple Streak, Hilarie Orman wrote:
The large customer behind Suite B can't provide much guidance to us re AES 256. Do they want more rounds or more entropy? Or just something different?
I believe that the best motivation for AES-256 is as a hedge, as Steve put it, in case of unforeseen advances in cryptanalysis (quantum computers, new attack algorithms, and so on).
Signup for zero crypto growth --- stop at 128!
Ha! I like that. For sure a 128-bit security level is a suitable goal. But the hedging is intended to provide us with protection in case AES-128 doesn't actually meet that security goal. That's my understanding anyway.
But I think that your main point is that we don't need to implement AES-256 in order for it to have value as a hedge. This is valid.
Perhaps the real motivation for the use of AES-256 by the high- assurance community is that, considering that their crypto gear is quite expensive due to their stringent development and manufacturing processes, the additional cost for supporting bigger key sizes is inconsequential ;-)
David
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.