s2k-cipher-mode default

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jun 3 16:01:27 CEST 2015

On Tue 2015-06-02 18:15:21 -0400, NdK wrote:

> IIRC, I read (some years ago...) that AES-256 could be *weaker* than
> AES-128 because some mathematical structures express some properties
> only with the longer keys. I don't have the paper handy ATM, but I
> vaguely remember that shocking conclusion.

I think you're referring to:






These describe so-called "related-key" attacks, where the attacker knows
that two AES keys are related to one another in a specific way
(e.g. they know the XOR of the two keys), and can force operation of the
cipher with these two keys:


OpenPGP in general (and GnuPG in specific) does not have any mechanism
whereby an attacker can force a user to use two symmetric keys that it
knows to be related to one another.  I don't think these attacks are

