[147481] in cryptography@c2.net mail archive
Re: [Cryptography] AES-256- More NIST-y? paranoia
daemon@ATHENA.MIT.EDU (ianG)
Thu Oct 3 09:49:16 2013
X-Original-To: cryptography@metzdowd.com
Date: Thu, 03 Oct 2013 11:01:11 +0300
From: ianG <iang@iang.org>
To: cryptography@metzdowd.com, Peter Fairbrother <zenadsl6186@zen.co.uk>
In-Reply-To: <524B4594.8000808@zen.co.uk>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
I know others have already knocked this one down, but we are now in an
area where conspiracy theories are real, so for avoidance of doubt...
On 2/10/13 00:58 AM, Peter Fairbrother wrote:
> AES, the latest-and-greatest block cipher, comes in two main forms -
> AES-128 and AES-256.
>
> AES-256 is supposed to have a brute force work factor of 2^256 - but we
> find that in fact it actually has a very similar work factor to that of
> AES-128, due to bad subkey scheduling.
This might relate to the related-key discoveries in 2009. Here's an
explanation from Dani Nagy that might reach the non-cryptographer:
http://financialcryptography.com/mt/archives/001180.html
> Thing is, that bad subkey scheduling was introduced by NIST ... after
> Rijndael, which won the open block cipher competition with what seems to
> be all-the-way good scheduling, was transformed into AES by NIST.
>
>
> So, why did NIST change the subkey scheduling?
I don't think they did. Our Java code was submitted as part of the
competition, and it only got renamed after the competition. No crypto
changes that I recall.
iang
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography