And still 128bit is soooooo secure. There is no reason to not use 128bit, or?
Well, for starters, handle's question isn't about the security of 128-bit vs 256-bit AES. It's a question about a discrepancy between what BitTorrent Sync's web site describes versus what's actually in the code. So this entire discussion is a bit of a red herring. That said...
Yes, there is a reason to use 256-bit keys over 128-bit ones: because 256-bit keys are stronger. This is an attack against a 10-round variant of AES-256. The real version is 14 rounds.
It is mildly alarming that there are attacks on AES-256 (even with 10 rounds) that don't work on AES-128, and that 10-round AES-256 can be broken with a lower computational complexity than 10-round AES-128. However, we don't use 10-round AES-256, we use 14-round AES-256.
Will there be a successful cryptanalysis of 14-round AES-256 which lowers its computational complexity to below 10-round AES-128? I don't know, I don't have the crystal ball to tell me that. Nor can my nonexistent crystal ball tell me if there will be future attacks on AES-128 which don't work on AES-256.
tl;dr: you're making a slippery slope argument. In the meantime 14-round AES-256 still provides a higher computational complexity than 10-round AES-128.
BTSync uses AES128 in CTR mode, which is good (was: Bittorrent Sync is using 128-bit AES in ECB mode!)
in Sync General Discussion
Yes, but apparently you didn't.