512/N-Bit Key AES

Question

I am implementing the Advanced Encryption Standard from scratch, but I came up with a question that I was unable to answer.

Why does no one implement AES with other sizes?

I've searched about that, and some people say it is only because it is not in the standard (which is understandable), but other's says that it was never proved that other numbers (512 for example) were ever cryptographically verified.

Personally, the later one does not make sense to me, as the only things that change from key sizes are some values, not the algorithm itself. Is that really a possibility/concern?

You might be interested After 20 years of AES, what are the retrospective changes that should have been made? and Has AES-128 been fully broken? In short, 256 bits of key is enough for all. for GCM, 256-bit blocks size turns out better candidate. — kelalaka, Sep 30 '22 at 16:50

kodlu · Accepted Answer · 2022-09-30T17:15:03.237

2

The original Rijndael cipher NIST Submission had more flexible blocklengths and keylengths. These were restricted once it became AES.

it was never proved that other numbers (512 for example) were ever cryptographically verified

Unsure what you are saying above.

However, there are a dependencies between blocklength, keylength, number of rounds.

If you have longer keys you need more rounds to get the entropy "mixed" into the round keys.

Longer blocks than 128 bits would slow things down with no appreciable security benefit.

One reason 192 and 256 bit keys are an option in addition to 128 bits is to avoid birthday paradox type attacks (against which the strength would be 128 bits) for some modes of operation.

Edit: One point I didn't mention is the impact of quantum attacks, which are not as devastating as Shor is against RSA (for example) since the improvement is only polynomial. Nevertheless, since we are not in the asymptotic regime, Grover search essentially halves your effective keylength. Also GCM mode would be better with 256 blocks. Thanks @poncho and @kelalaka

edited Sep 30 '22 at 17:15

answered Sep 30 '22 at 15:51

kodlu

22,423
2
27
57

1

I believe the reason NIST originally asked for 192 and 256 bit key sizes was specifically because of potential Quantum Attacks (and Grover's algorithm) – poncho Sep 30 '22 at 16:54
2

well, 256 bits of key was safe against Grover circa 1995. Also, as we see now, GCM would be better with 256-bit block sizes. – kelalaka Sep 30 '22 at 16:55
Now there's a reason for 512-bit classical security. https://www.ambit.inc/pdf/KyberDrive.pdf , it says: Kyber-1024 is known to have 254 bits of classical security and 230 bits of quantum security (coreSVP hardness). Kyber is a Lattice-based post-quantum cipher, it provides an option for 230-bit quantum security. But AES can only provide 128-bit quantum security due to Grover's algorithm. So 512-bit symmetric encryption is needed. – Flan1335 Apr 16 '23 at 11:35

512/N-Bit Key AES

1 Answers1