On Tue 2015-06-02 12:41:40 -0400, Robert J. Hansen wrote:
> Right now pretty much everyone is content with RSA-3072, which has an
> estimated work factor comparable to AES-128. So if 128-bit crypto is
> enough, I don't understand the motivation behind jumping to AES-256.
> There needs to be something motivating this besides "bigger is better".
I agree with you that these comparisons are a decent rough estimate when
considering attacking a single ciphertext. But I don't think the argument
holds looking at the bigger picture.

Let's consider an adversary that can store as many OpenPGP-encrypted
messages as it has access to. Maybe it sniffs SMTP traffic as well? If the
attacker is interested in breaking the crypto of any *one* of these
messages, it can reduce the amount of work it has to do significantly. As
djb put it:

>> There are standard attacks that break _all_ of 2^50 AES-128 keys using a
>> _total_ of 2^128 easy computations. Even worse, there are standard
>> attacks that find _at least one_ of the keys using just 2^78 easy
>> computations, a feasible computation today.

  -- http://thread.gmane.org/gmane.ietf.irtf.cfrg/3427

Note that he's describing a known-plaintext attack; this might be
relevant, for example, if there is a standard prefix of the data being
encrypted (perhaps a common MIME header? or if you're doing regular
backups of a standard filesystem, the beginning of the tar format?).

Of course, there aren't 2^50 AES-128-encrypted known-plaintext OpenPGP
messages today that such an attack would work on. But why would we want
to leave users open to this?

> Let me turn the question around, dkg. (Completely serious here, not
> snark.) What problem do we have with AES-128 that switching to AES-256
> will solve?

Is the above argument enough for you? Remember that these AES128
ciphertexts are likely to exist well into the future, and attacks only
get better with time.

Regards,

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
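As an added illustration of the multi-target argument in dkg's message (not code from the thread or from GnuPG), the toy simulation below counts brute-force trials for a single ciphertext versus "any one of many" ciphertexts sharing a known prefix. It assumes a constructed 20-bit key space and a constructed keyed-hash stand-in for the cipher; only the work-factor counting carries over to AES, where the same ratio turns djb's 2^128 into roughly 2^78 for 2^50 targets.

```python
import hashlib
import random

KEY_BITS = 20                                  # constructed toy key space (AES-128 would be 2^128)
KEY_SPACE = 1 << KEY_BITS
KNOWN_PREFIX = b"-----BEGIN PGP MESSAGE-----"  # constructed stand-in for a known plaintext prefix


def toy_encrypt(key: int, block: bytes) -> bytes:
    # Constructed keyed function standing in for a block cipher; it is not AES,
    # it only gives each key a distinct, unpredictable output to search for.
    return hashlib.sha256(key.to_bytes(4, "big") + block).digest()[:8]


def single_target_trials(target_ct: bytes) -> int:
    """Trials until the one key behind one ciphertext is found (expected ~2^(KEY_BITS-1))."""
    for k in range(KEY_SPACE):
        if toy_encrypt(k, KNOWN_PREFIX) == target_ct:
            return k + 1
    raise ValueError("no key found")


def first_of_many_trials(target_cts: set) -> int:
    """Trials until *any* one of many ciphertexts is broken.

    Each candidate key costs one encryption plus one set lookup, so n stored
    ciphertexts cut the expected work to about KEY_SPACE / (n + 1). A full pass
    over KEY_SPACE would break all n of them, matching the 'all of 2^50 keys
    for a total of 2^128' figure quoted in the message.
    """
    for k in range(KEY_SPACE):
        if toy_encrypt(k, KNOWN_PREFIX) in target_cts:
            return k + 1
    raise ValueError("no key found")


def simulate(n_targets: int, seed: int = 1) -> dict:
    # Seeded RNG so the constructed scenario is reproducible.
    rng = random.Random(seed)
    keys = [rng.randrange(KEY_SPACE) for _ in range(n_targets)]
    cts = {toy_encrypt(k, KNOWN_PREFIX) for k in keys}
    return {
        "keys": keys,
        "single_trials": single_target_trials(toy_encrypt(keys[0], KNOWN_PREFIX)),
        "single_expected": KEY_SPACE // 2,
        "multi_trials": first_of_many_trials(cts),
        "multi_expected": KEY_SPACE // (n_targets + 1),
    }


if __name__ == "__main__":
    r = simulate(256)
    print({k: v for k, v in r.items() if k != "keys"})
```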