Closed paulmillr closed 7 months ago
The confidentiality of AES-GCM is far below 128-bit security ^1.
Confidentiality advantage for an attacker is < $\sigma^2/2^{129}$ where $\sigma$ is the number of encrypted 128-bit chunks.
Rijndael to AES is what keccak is to SHA3: previous, unstandardized version. The idea is to support 256-bit blocks instead of 128-bit blocks of AES.
The confidentiality of AES-GCM is far below 128-bit security ^1.
Confidentiality advantage for an attacker is < $\sigma^2/2^{129}$ where $\sigma$ is the number of encrypted 128-bit chunks.
Rijndael to AES is what keccak is to SHA3: previous, unstandardized version. The idea is to support 256-bit blocks instead of 128-bit blocks of AES.