[OTR-dev] [OTR-users] otr dh key encryption

Gregory Maxwell gmaxwell at gmail.com
Tue Feb 19 18:06:52 EST 2013


On Tue, Feb 19, 2013 at 2:42 PM, Ileana <ileana at fairieunderground.info> wrote:
> #define CIPHER_IV_LEN 16

To be fair— AES 256 has certificational weaknesses with a lower work
factor then the best attacks on 128 bit AES. They don't appear to
matter in practice, but I'm not aware of a threat model where 256 bit
AES would make a material improvement, except perhaps the
attacker-has-arbitrarily-good-quantum-computers model... and under
that model all the key derivation (curve25519 and DHKE) fails
completely in any case.



More information about the OTR-dev mailing list