13

I have been trying to find a case where AES-192 is used over AES-128 but AES-256 is not used. There are many questions about AES here (I liked this one AES-128/192/256), but from the actual application side, I was unable to determine any cases where AES-192 was used over AES-128.

AES-192 seems to exist because levels of security were desired, but hardware implementations seem to be AES-128 or AES-256. I did a literature survey on the IEEE and I couldn't find any applications in the hardware space that used AES-192 instead of AES-256, and I could not find anything in the software space, but I did not dive into specific implementations.

Is there any compelling or logical reason to use AES-192 over AES-128 but not use AES-256?

Maybe you can even point me to an example – meaning: some application or implementation where AES-192 is used over AES-128 instead of AES-256?

Biv
b degnan

2 Answers

11

There is no reason to use AES-192 if you have access to AES-256 (or AES-128).

This question is completely in line with the following thread:
[Cfrg] A little room for AES-192 in TLS? which more or less resulted in this conclusion:

Dear all,

the related-key attacks against AES were interesting from an academic point of view as they broke the security claim we made for Rijndael.

However, the attacks require very sophisticated manipulations of the secret key by the attacker. For example, even a protocol that would allow an attacker to add (or XOR) a value of her choice to the key before being used in AES would not allow mounting the attack. If you are interested, you can read the paper Vincent and I wrote "On the related-key attacks against AES" available at e.g. http://jda.noekeon.org/

As for including AES-192 in TLS, I don't see any benefits.

Kind regards,

Joan Daemen

TL;DR: To sum up, the only real advantage of AES-192 is the insignificant gain in speed compared to AES-256.

Biv
4

Speaking formally:

Speaking realistically:

  • The related-key attack requires several unrealistic assumptions (access to plaintext).
  • It breaks 11 rounds of AES-256 out of 14, so the attacker will still need to brute the rest.

However, cryptographers frequently think about theoretical security, and, yes, there are cases where AES-256 is weaker in regard to some attacks than AES-192. Which isn't something I'd worry about, and, if performance is not a question, just double the number of rounds.

pFarb
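
Both answers turn on how the three key sizes differ internally. As an added illustration (not code from either answer), this Python sketch implements the FIPS-197 key expansion for 128-, 192- and 256-bit keys, showing the 10/12/14 round counts behind the speed difference and the extra SubWord step that only the AES-256 schedule has. The function names are chosen here for the example.

```python
# Added example: FIPS-197 key expansion for all three AES key sizes.

def _rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

def _build_sbox():
    # Log/antilog tables over GF(2^8) with generator 3 give the inverse.
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)   # x *= 3
    sbox = []
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0
        sbox.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2)
                    ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return sbox

SBOX = _build_sbox()

def _sub_word(w):
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def rounds_for(key):
    if len(key) not in (16, 24, 32):
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    return len(key) // 4 + 6   # Nr = Nk + 6 -> 10, 12 or 14 rounds

def expand_key(key):
    nk, nr = len(key) // 4, rounds_for(key)
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:
            t = ((t << 8) | (t >> 24)) & 0xFFFFFFFF      # RotWord
            t = _sub_word(t) ^ (rcon << 24)
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        elif nk == 8 and i % nk == 4:
            t = _sub_word(t)   # extra SubWord: AES-256 schedule only
        w.append(w[i - nk] ^ t)
    return w

if __name__ == "__main__":
    for n in (16, 24, 32):
        key = bytes(range(n))  # constructed sample key, not from the page
        w = expand_key(key)
        print(f"AES-{n * 8}: Nr={rounds_for(key)}, {len(w)} key words, "
              f"last word={w[-1]:08x}")
```

Per block, AES-192 runs 12 rounds against 14 for AES-256 and 10 for AES-128; that round count is the whole of the structural difference in the cipher body, with the rest confined to the key schedule.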