2048 or 4096 for new keys? aka defaults vs. Debian

Pete Stephenson pete at heypete.com
Thu Oct 31 22:17:42 CET 2013

On Thu, Oct 31, 2013 at 10:02 PM, Hauke Laging
<mailinglisten at hauke-laging.de> wrote:
> Am Do 31.10.2013, 16:31:02 schrieb Daniel Kahn Gillmor:
>> http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverable
>> s/algorithms-key-sizes-and-parameters-report
> There is one point I don't understand:
> [3.6 Recommendations]
> "there is general agreement this should be above the 100-bit level"
> "for long term use AES-256"
> But this http://eprint.iacr.org/2009/317 (mentioned by the German Wikipedia
> article for AES) claims that AES-256 was down to 99.5 bits.

That attack is only valid if different messages have related keys. If
the keys are chosen randomly, the attack does not apply. I'm not aware
of any crypto system that implements AES with related keys (though if
anyone knows of some, I'd like to know so I can avoid it).

See https://en.wikipedia.org/wiki/Related-key_attack and
for details .

According to the Wiki, the best attack on full-round AES-256 not using
related keys requires 254.4 operations (see


Pete Stephenson

More information about the Gnupg-users mailing list