I am implementing the Advanced Encryption Standard from scratch, but I came up with a question that I was unable to answer.

Why does no one implement AES with other sizes?

I've searched about that, and some people say it is only because it is not in the standard (which is understandable), but others say that it was never proved that other numbers (512 for example) were ever cryptographically verified.

Personally, the latter one does not make sense to me, as the only things that change from key sizes are some values, not the algorithm itself. Is that really a possibility/concern?

1 Answer

The original Rijndael cipher NIST Submission had more flexible blocklengths and keylengths. These were restricted once it became AES.

it was never proved that other numbers (512 for example) were ever cryptographically verified

Unsure what you are saying above.

However, there are dependencies between blocklength, keylength, and number of rounds.

If you have longer keys you need more rounds to get the entropy "mixed" into the round keys.

Longer blocks than 128 bits would slow things down with no appreciable security benefit.

One reason 192- and 256-bit keys are an option in addition to 128 bits is to avoid birthday paradox type attacks (against which the strength would be 128 bits) for some modes of operation.

Edit: One point I didn't mention is the impact of quantum attacks, which are not as devastating as Shor is against RSA (for example) since the improvement is only polynomial. Nevertheless, since we are not in the asymptotic regime, Grover search essentially halves your effective keylength. Also GCM mode would be better with 256-bit blocks. Thanks @poncho and @kelalaka

kodlu
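To make the dependencies the answer describes concrete, here is an added example (my own code, not from the post or from any AES library) that computes the Rijndael round count Nr = max(Nb, Nk) + 6 and runs the generalized key expansion for any of the original submission's block and key sizes; it shows that a longer key or block adds rounds and that the Nk = 8 schedule and the Nb = 8 ShiftRows pattern differ structurally, not only in constants. The FIPS-197 key-expansion vector used to check it is the standard AES-128 one (key 2b7e1516...4f3c, first derived word a0fafe17).

```python
# Added example: generalized Rijndael round count and key expansion. Nb, Nk are the
# block and key length in 32-bit words (4, 6 or 8 in the submission; AES fixes Nb = 4).

def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():
    """Derive the S-box from first principles: multiplicative inverse, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF  # rotate left by one bit
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
def rounds(nb, nk):
    """Round count from the Rijndael spec: a larger key or block means more rounds."""
    return max(nb, nk) + 6

def shiftrows_offsets(nb):
    """Row shifts also depend on block length: 256-bit blocks use a different pattern."""
    return (0, 1, 2, 3) if nb < 8 else (0, 1, 3, 4)

def expand_key(key, nb=4):
    """Return the Nb*(Nr+1) round-key words for a 128/192/256-bit key and block size nb."""
    nk = len(key) // 4
    assert nk in (4, 6, 8) and nb in (4, 6, 8)
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, nb * (rounds(nb, nk) + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = bytes(SBOX[b] for b in temp[1:] + temp[:1])  # RotWord then SubWord
            temp = bytes([temp[0] ^ rcon]) + temp[1:]
            rcon = _gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            temp = bytes(SBOX[b] for b in temp)  # extra SubWord exists only for 256-bit keys
        w.append(bytes(a ^ b for a, b in zip(w[i - nk], temp)))
    return w
```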