[147471] in cryptography@c2.net mail archive

Re: [Cryptography] AES-256- More NIST-y? paranoia

daemon@ATHENA.MIT.EDU (Brian Gladman)
Wed Oct 2 17:18:42 2013

X-Original-To: cryptography@metzdowd.com
Date: Wed, 02 Oct 2013 22:13:47 +0100
From: Brian Gladman <brg@gladman.plus.com>
To: John Kelsey <crypto.jmk@gmail.com>
In-Reply-To: <FBB85115-CC9C-43EA-BEFC-50D76FEB6DDB@gmail.com>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>,
	Peter Fairbrother <zenadsl6186@zen.co.uk>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 02/10/2013 13:58, John Kelsey wrote:
> On Oct 1, 2013, at 5:58 PM, Peter Fairbrother <zenadsl6186@zen.co.uk> wrote:
> 
>> AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 and AES-256.
>>
>> AES-256 is supposed to have a brute force work factor of 2^256  - but we find that in fact it actually has a very similar work factor to that of AES-128, due to bad subkey scheduling.
>>
>> Thing is, that bad subkey scheduling was introduced by NIST ... after Rijndael, which won the open block cipher competition with what seems to be all-the-way good scheduling, was transformed into AES by NIST.
> 
> What on Earth are you talking about?  AES' key schedule wasn't designed by NIST.  The only change NIST made to Rijndael was not including some of the alternative block sizes.  You can go look up the old Rijndael specs online if you want to verify this.

As someone who was heavily involved in writing the AES specification as
eventually used by NIST, I can confirm what John is saying.

The NIST specification only eliminated Rijndael options - none of the
Rijndael options included in AES were changed in any way by NIST.

   Brian Gladman

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
