[147433] in cryptography@c2.net mail archive


[Cryptography] AES-256- More NIST-y? paranoia

daemon@ATHENA.MIT.EDU (Peter Fairbrother)
Tue Oct 1 22:43:11 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 01 Oct 2013 22:58:44 +0100
From: Peter Fairbrother <zenadsl6186@zen.co.uk>
To: Cryptography Mailing List <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

AES, the latest-and-greatest block cipher, comes in two main forms - 
AES-128 and AES-256.

AES-256 is supposed to have a brute force work factor of 2^256 - but we 
find that in fact it actually has a very similar work factor to that of 
AES-128, due to bad subkey scheduling.

Thing is, that bad subkey scheduling was introduced by NIST ... after 
Rijndael, which won the open block cipher competition with what seems to 
be all-the-way good scheduling, was transformed into AES by NIST.


So, why did NIST change the subkey scheduling?

I don't know.

Inquiring minds ...



NIST have previously changed cipher specs under NSA guidance, most 
famously for DES, with apparently good intentions then - but with NSA 
and its two-faced mission, we always have to look at capabilities, not 
intentions.


-- Peter Fairbrother


[and why doesn't AES-256 have 256-bit blocks???]

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
