AES security

Posted Oct 15, 2009 8:25 UTC (Thu) by job (guest, #670)
In reply to: Howto fix the problem: by drag
Parent article: Ubuntu to store copies of all users' address books

If you are paranoid you should use AES128 instead of 256 as there are indications that the larger key isn't diffused properly.


AES security

Posted Oct 16, 2009 7:40 UTC (Fri) by brouhaha (subscriber, #1698)

I'm sufficiently paranoid that I much prefer 3DES to either AES128 or AES256. AES hasn't been subjected to anywhere near the amount of cryptanalysis as DES. If I didn't think 112 bits of key was enough to withstand brute-force attacks, I'd use two rounds of 3DES with different sets of keys (6DES).

AES security

Posted Oct 16, 2009 13:02 UTC (Fri) by pharm (guest, #22305)

Just using the same encryption algorithm twice with two different keys of size N does not increase
the exhaustive search time from 2^n to 2^2n, thanks to meet-in-the-middle attacks, which reduce
the time to 4^n. IOW in return for doubling your key size you've increased the search time by a
factor of 2: That doesn't seem a good tradeoff.

Leave designing encryption algorithms to the experts: Personally, I know just enough to know that I
don't know anything like enough to start designing my own encryption schemes.

AES security

Posted Oct 16, 2009 19:22 UTC (Fri) by brouhaha (subscriber, #1698)

The meet in the middle attack reduces the time from 2^(2n) to 2^(n+1). This is why 3DES (even with 168 bits of keying) only effectively gives 112 bits of security. That's why I didn't propose 4DES, which wouldn't have any improvement in security over 3DES. However, my proposed 6DES would give 168 bits of security, or 8DES would give 224, etc. 6DES has the advantage that you can use an existing 3DES implementation twice.

However, that's just the time complexity. The meet in the middle attack also requires storage for 2^n blocks, which is obviously not available for n=112, let alone larger values of n.
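
The time and storage figures discussed in the comment above can be measured on a toy cipher. The following is an added example, not code from any commenter: a constructed 32-bit Feistel cipher with 12-bit keys (every name, key and parameter here is an assumption), applied twice under two keys and searched with a meet-in-the-middle table so the cost can be compared with the 2^(2n) of a naive search.

```python
import hashlib

KEY_BITS = 12  # toy key size n (assumption, small enough to run in seconds)
ROUNDS = 4

def _f(half, key, rnd):
    """Round function: 16 bits of SHA-256 over (key, round, half-block)."""
    data = key.to_bytes(2, "big") + bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def encrypt(key, block):
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 16) | right

def decrypt(key, block):
    left, right = block >> 16, block & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 16) | right

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, cost counters) from known (plaintext, ciphertext) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}  # middle value -> list of k1 that produce it
    for k1 in range(2 ** KEY_BITS):
        table.setdefault(encrypt(k1, p0), []).append(k1)
    cost = {"cipher_ops": 2 ** KEY_BITS,
            "stored_blocks": sum(len(v) for v in table.values())}
    found = []
    for k2 in range(2 ** KEY_BITS):
        cost["cipher_ops"] += 1  # one decryption per k2 guess
        for k1 in table.get(decrypt(k2, c0), []):
            # Confirm on the remaining pairs (not counted in cipher_ops).
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, cost

# Constructed sample data: a fixed secret key pair and two known plaintexts.
SECRET = (0x3A7, 0xC51)
PAIRS = [(p, double_encrypt(*SECRET, p)) for p in (0x00000000, 0x12345678)]

if __name__ == "__main__":
    found, cost = meet_in_the_middle(PAIRS)
    print(found, cost, "naive search ops:", 2 ** (2 * KEY_BITS))
```

With n = 12 the table search costs 2^13 cipher operations and 2^12 stored blocks, against 2^24 operations for trying every key pair.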

AES security

Posted Oct 16, 2009 20:08 UTC (Fri) by ABCD (subscriber, #53650)

> Just using the same encryption algorithm twice with two different keys of
> size N does not increase the exhaustive search time from 2^n to 2^2n,
> thanks to meet-in-the-middle attacks, which reduce the time to 4^n.

I think there is a mistake somewhere in there, because 2^(2n) = (2^2)^n = 4^n.

AES security

Posted Oct 18, 2009 16:08 UTC (Sun) by pharm (guest, #22305)

Yes, a thinko on my part.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds