Robert J. Hansen rjh at
Tue Mar 17 22:33:48 CET 2015

> I remember reading about an attack that works better against AES-256 
> than AES-128:

That one's a related-key attack, which requires the attacker to have a
significant number of keys that have some mathematical relationship to
each other.

OpenPGP uses random nonces for symmetric keys (or iterated hashing,
which does a pretty good job of destroying mathematical relationships),
so this attack is a complete nonissue for OpenPGP.  :)

> I am not qualified to argue for or against either cipher, but I
> wonder if this advice from 2009 is still valid today.

The biggest reason, IMO, to move to 256-bit ciphers is because it will
hopefully quell the voices who are screaming that 128-bit crypto is
somehow insufficient.  It's not, and no one has ever presented any
serious evidence that it is, but these arguments crop up with great
regularity nevertheless.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150317/1e9f3e18/attachment.sig>

More information about the Gnupg-users mailing list