Changes between Version 14 and Version 15 of OneHundredYearCryptography


Ignore:
Timestamp:
2011-08-17T19:27:30Z (13 years ago)
Author:
zooko
Comment:

suggest AES-256 instead of AES-128 (changed my mind)

Legend:

Unmodified
Added
Removed
Modified

  • OneHundredYearCryptography

    v14 v15  
    1212
    1313Open questions:
    14   * Should we use AES-128, AES-192, or AES-256? //Zooko says: maybe AES-128 because it wastes fewer CPU cycles and is plenty secure. Indeed, if you worry too much about the related key model (which I don't since we never use related keys in Tahoe-LAFS) then AES-128 is arguably safer than AES-256! //
     14  * Should we use AES-128, AES-192, or AES-256? //Zooko says: I guess it is worth the added CPU cycles to use AES-256. The added CPU cycles on ARM, according to bench.cr.yp.to, is about 40 cycles per byte for AES-256 compared to about 28 cycles per byte for AES-128. See recent attacks on AES-128: http://eprint.iacr.org/2011/449 //
    1515  * What KDF is used to generate the keys/IVs? //Zooko says: per [http://tahoe-lafs.org/pipermail/tahoe-dev/2010-June/004424.html this mailing list thread] HKDF might be a good choice for KDF.//
    1616  * Samuel Neves had an alternate proposal for encryption to use the same or similar mechanisms as we use for hashing: [http://tahoe-lafs.org/pipermail/tahoe-dev/2010-June/004487.html Samuel Neves proposal]. //Zooko says: Samuel Neves's hash-based encryption proposal could be used in addition to AES and XSalsa20, or in place of XSalsa20.//