paulmillr/noble-ciphers

Consider implementing Rijndael-256

paulmillr opened this issue · 0 comments

The confidentiality of AES-GCM is far below 128-bit security.[^1]

Confidentiality advantage for an attacker is $< \sigma^2 / 2^{129}$, where $\sigma$ is the number of encrypted 128-bit chunks.

Rijndael is to AES what Keccak is to SHA-3: the previous, unstandardized version. The idea is to support 256-bit blocks instead of the 128-bit blocks of AES.

Footnotes

[^1]: https://csrc.nist.gov/csrc/media/Presentations/2023/proposal-for-standardization-of-encryption-schemes/images-media/sess-4-mattsson-bcm-workshop-2023.pdf
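The bound quoted in the issue, carried through numerically as an added example (this is not code from the issue or from noble-ciphers). It turns $\sigma^2/2^{129}$ into the two numbers a practitioner actually wants: the advantage an attacker gets after a given amount of data under one AES-GCM key, and how much data can go under one key before the bound reaches a chosen target such as $2^{-32}$ (the target is an illustrative choice). The 256-bit-block column assumes the bound keeps the same form $\sigma^2/2^{n+1}$ with $n$ the block size; the issue states the bound only for $n = 128$, so the 256-bit figures are an assumption, not something the issue claims.

```python
import math

# Added worked example; not part of the issue or of noble-ciphers.
# The issue gives, for AES-GCM: confidentiality advantage < sigma^2 / 2^129,
# i.e. sigma^2 / 2^(n+1) with n = 128 the block size in bits and sigma the
# number of encrypted 128-bit blocks under one key.
# ASSUMPTION: for a 256-bit block we reuse the same shape of bound with
# n = 256 (sigma^2 / 2^257). The issue does not state a bound for that case.

def advantage_bound_log2(sigma_log2: float, block_bits: int = 128) -> float:
    """log2 of the bound sigma^2 / 2^(n+1); sigma is passed as log2(blocks)."""
    return 2 * sigma_log2 - (block_bits + 1)


def bound_for_bytes_log2(bytes_log2: float, block_bits: int = 128) -> float:
    """Bound after encrypting 2^bytes_log2 bytes under one key.

    Each block holds block_bits/8 bytes, so sigma = bytes / (block_bits/8).
    """
    sigma_log2 = bytes_log2 - math.log2(block_bits // 8)
    return advantage_bound_log2(sigma_log2, block_bits)


def max_sigma_log2(target_adv_log2: float, block_bits: int = 128) -> float:
    """Largest log2(sigma) keeping the bound at or below 2^target_adv_log2.

    sigma^2 / 2^(n+1) <= 2^t   <=>   log2(sigma) <= (n + 1 + t) / 2
    """
    return (block_bits + 1 + target_adv_log2) / 2


def max_bytes_log2(target_adv_log2: float, block_bits: int = 128) -> float:
    """Same limit as max_sigma_log2, expressed as log2(bytes) under one key."""
    return max_sigma_log2(target_adv_log2, block_bits) + math.log2(block_bits // 8)


def report(target_adv_log2: float = -32, data_bytes_log2: float = 40) -> dict:
    """Compare 128-bit and (assumed) 256-bit block sizes for one key.

    Returns, per block size: the advantage bound after 2^data_bytes_log2 bytes
    and the byte limit that keeps the bound at 2^target_adv_log2.
    """
    out = {}
    for n in (128, 256):
        out[n] = {
            "adv_log2_after_data": bound_for_bytes_log2(data_bytes_log2, n),
            "byte_limit_log2": max_bytes_log2(target_adv_log2, n),
        }
    return out


if __name__ == "__main__":
    # 2^40 bytes = 1 TiB under one key; target advantage 2^-32.
    for n, r in report(-32, 40).items():
        label = "AES-GCM (128-bit block)" if n == 128 else "256-bit block (assumed bound)"
        print(f"{label}: after 1 TiB advantage < 2^{r['adv_log2_after_data']:.1f}, "
              f"2^-32 reached at 2^{r['byte_limit_log2']:.1f} bytes")
```

Reading the output: a single AES-GCM key covering 1 TiB gives an attacker at most $2^{-57}$, and the bound reaches $2^{-32}$ at about $2^{52.5}$ bytes (roughly 6 PiB); under the assumed 256-bit-block bound those figures move to $2^{-187}$ and $2^{117.5}$ bytes, which is the gap the issue is pointing at.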