21

this wikipedia article describing AES says:

Related-key attacks can break AES-192 and AES-256 with complexities 2^176 and 2^99.5, respectively.

Does this mean that AES-256 is actually a weaker form of encryption than AES-192? I’m currently writing a small password-manager program, which one should I use? It would also be cool if someone could explain the weakness of AES-256 compared to AES-192.

James
  • 321
  • 2
  • 4

2 Answers2

22

Related-key attacks are interesting mathematical properties of algorithms, but have no practical impact on security of encryption systems, as long as they are used for what they were designed, i.e. encryption (and not, for instance, as building blocks for hash functions).

Bigger is not necessarily better. There is no practical need for using a 256-bit key over a 192-bit key or a 128-bit key. However, AES with a 128-bit key is slightly faster (this is not significant in most applications) so there can be an objective reason not to use bigger keys. Also, AES-128 is more widely supported than the other key sizes (for instance, outside of USA, AES-128 is available by default with Java, while bigger key sizes must be explicitly activated).

None of AES-128, AES-192 or AES-256 is breakable with today's (or tomorrow's) technology (if they are applied properly, that is). Try to work out what 299.5 is: it is... somewhat large.

Community
  • 1
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Doesn't the greater number of rounds used increase the security? If an attack was found that breaks 10 rounds of AES (god forbid), then 128-bit AES would be broken but 192 and 256-bit AES would not. – forest Mar 07 '18 at 10:08
5

Thomas is correct (as usual), but there are also other, non-technical reasons for using particular 'grades' of encryption.

At certain classifications you are obligated to use a particular type and key bit-length. The reason for it is providing assurance that the data is going to be protected for at least 30yrs instead of 10yrs. Yes, there will be attacks on algorithms, and they will diminish the level of effort needed to bruteforce it. While 2^167 and 2^99.5 bit keys both fall squarely in the 'ludicrous' territory, given enough time, Moore's law, and possibly even more/better attacks further reducing the effective keylength, we might get to the point in near future where bruteforcing AES-128 might be possible, but 256 variety might still be way out of anyone's computational ability.

That's the bet you're making with going for longer key bit-lengths: it might be breakable in 30yrs but not in 10yrs, and by then, the information protected won't carry as much impact if decrypted by the attackers.

Marcin
  • 2,508
  • 1
  • 15
  • 14