[Cryptography] AES-256- More NIST-y? paranoia

Peter Fairbrother zenadsl6186 at zen.co.uk
Tue Oct 1 17:58:44 EDT 2013


AES, the latest-and-greatest block cipher, comes in two main forms - 
AES-128 and AES-256.

AES-256 is supposed to have a brute force work factor of 2^256  - but we 
find that in fact it actually has a very similar work factor to that of 
AES-128, due to bad subkey scheduling.

Thing is, that bad subkey scheduling was introduced by NIST ... after 
Rijndael, which won the open block cipher competition with what seems to 
be all-the-way good scheduling, was transformed into AES by NIST.


So, why did NIST change the subkey scheduling?

I don't know.

Inquiring minds ...



NIST have previously changed cipher specs under NSA guidance, most 
famously for DES, with apparently good intentions then - but with NSA 
and it's two-faced mission, we always have to look at capabilities, not 
intentions.


-- Peter Fairbrother


[and why doesn't AES-256 have 256-bit blocks???]



More information about the cryptography mailing list