AES256 & AES192. (Was: Can I revitalise an old key-pair?)

Pete Stephenson pete at
Tue Sep 3 11:07:24 CEST 2013

On Mon, Sep 2, 2013 at 8:28 PM, Nicholas Cole <nicholas.cole at> wrote:
> On Mon, Sep 2, 2013 at 5:04 AM, Henry Hertz Hobbit
> <hhhobbit at> wrote:
> [snip]
>>  Paradoxically, AES256 & AES192 had
>> weaknesses that made them less safe than AES (AES-128) several
>> years back.  May I humbly suggest TWOFISH or one of the
>> CAMELLLIA ciphers as a first choice UNTIL you determine whether
>> or not the fixes for AES-256 and AES-192 are retroactive?  DID
>> THEY GET THEM FIXED?  I am just assuming they did but that means
>> I HOPE the older implementation and the newer one can easily be
>> discerned when you do the decipher.
> [snip]
> I was curious about this. The wikipedia page mentions the "Related Key
> Attack" on these cyphers, but is vague about whether they were ever
> fixed.
> Does anyone know?
> And did fixes make it into the version used by Gnupg?

Even more importantly, were they ever an issue with GnuPG in the first place?

That is, does GnuPG generate related keys?

I was always under the impression that GnuPG randomly generated
session keys rather than creating related session keys; if true,
wouldn't this mean that the related-key attack doesn't apply?

In regards to fixing the cipher, I'm not really sure that one can just
issue a patch that would update the cipher itself (as opposed to a
specific implementation of it): the cipher is standardized and is
implemented in both hardware and software in zillions of devices and
programs around the world. Adding more rounds or changing its
functionality in some way to counter this attack would cause that
changed version to diverge from the standard and it presumably not
interoperate with standard AES.


Pete Stephenson

More information about the Gnupg-users mailing list