John Kelsey <kelsey.j@ix.netcom.com> writes:

Probably not too much, in terms of worrying about known-plaintext vs. chosen-plaintext attacks. Though honestly, I think designing your PES is like providing really effective padlocks for screen doors. (But you could say the same thing about AES with 256-bit keys.)

I agree on both counts. But I can see another use for larger keys than resisting brute force attack: they increase the difficulty of attacks on protocols and constructions based on inducing collisions in keys. -- __ \/ o\ paul@cluefactory.org.uk /\__/ http://www.cluefactory.org.uk/paul/