[147453] in cryptography@c2.net mail archive
Re: [Cryptography] AES-256- More NIST-y? paranoia
daemon@ATHENA.MIT.EDU (John Kelsey)
Wed Oct 2 10:30:32 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <524B4594.8000808@zen.co.uk>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Wed, 2 Oct 2013 08:58:46 -0400
To: Peter Fairbrother <zenadsl6186@zen.co.uk>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Oct 1, 2013, at 5:58 PM, Peter Fairbrother <zenadsl6186@zen.co.uk> wrote:
> AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 and AES-256.
>
> AES-256 is supposed to have a brute force work factor of 2^256 - but we find that in fact it actually has a very similar work factor to that of AES-128, due to bad subkey scheduling.
>
> Thing is, that bad subkey scheduling was introduced by NIST ... after Rijndael, which won the open block cipher competition with what seems to be all-the-way good scheduling, was transformed into AES by NIST.
What on Earth are you talking about? AES' key schedule wasn't designed by NIST. The only change NIST made to Rijndael was not including some of the alternative block sizes. You can go look up the old Rijndael specs online if you want to verify this.
> -- Peter Fairbrother
--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
