[Ach] Vote for new Cipherstring B [Was: Issue with OpenSSL >0.9.8l]

ianG iang at iang.org
Thu May 15 22:00:28 CEST 2014


On 15/05/2014 19:39 pm, Joe St Sauver wrote:

> That said, I also totally get folks who might want something more "just
> in case."


I don't.  When was an attack ever launched against a strong crypto
algorithm?  We never even heard of DES being crunched in a real attack.

Those folks who need something stronger than AES-128 need to stop using
TLS ;-)

Strawman Hypothesis:  If we had accepted a single 40 bit algorithm in
1995 instead of fighting the Empire, we'd have covered more of the
planet in crypto, have defeated mass surveillance, and be in a far
better position in say 2005 to replace a 40 bit with 128 bit.


> Conservatively choosing AES-256 doesn't strike me as being
> at all crazy (at least if you worry about quantum crypto, or you just
> like running with a safety margin, or the unknowns are overwhelming
> folks, or it's more about the optics than the math, etc.)


There have been some older disturbing results coming out that attacked
AES-256, although I haven't followed it.  The suggestion has been that
probably AES-128 is sufficient for all purposes.

If it comes down to it, I'd ask what the major compatibility win was, and
if it errs in favour of AES-128, I'd go for that.

As, in the future, we're going to be drifting towards another set of
algorithms entirely.  First ChaCha and then likely CAESAR.


> All that said, I'm not sure I see a lot driving folks towards doing 
> AES-196.


Right... Every algorithm needs to be justified, and being an older
less-famous brother doesn't get an invite to my party.



iang


