[147481] in cryptography@c2.net mail archive


Re: [Cryptography] AES-256- More NIST-y? paranoia

daemon@ATHENA.MIT.EDU (ianG)
Thu Oct 3 09:49:16 2013

X-Original-To: cryptography@metzdowd.com
Date: Thu, 03 Oct 2013 11:01:11 +0300
From: ianG <iang@iang.org>
To: cryptography@metzdowd.com, Peter Fairbrother <zenadsl6186@zen.co.uk>
In-Reply-To: <524B4594.8000808@zen.co.uk>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

I know others have already knocked this one down, but we are now in an 
area where conspiracy theories are real, so for avoidance of doubt...


On 2/10/13 00:58 AM, Peter Fairbrother wrote:
> AES, the latest-and-greatest block cipher, comes in two main forms -
> AES-128 and AES-256.
>
> AES-256 is supposed to have a brute force work factor of 2^256  - but we
> find that in fact it actually has a very similar work factor to that of
> AES-128, due to bad subkey scheduling.

This might relate to the related-key discoveries in 2009.  Here's an 
explanation from Dani Nagy that might reach the non-cryptographer:

http://financialcryptography.com/mt/archives/001180.html


> Thing is, that bad subkey scheduling was introduced by NIST ... after
> Rijndael, which won the open block cipher competition with what seems to
> be all-the-way good scheduling, was transformed into AES by NIST.
>
>
> So, why did NIST change the subkey scheduling?


I don't think they did.  Our Java code was submitted as part of the 
competition, and it only got renamed after the competition.  No crypto 
changes that I recall.



iang
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
