[Cryptography] AES-256- More NIST-y? paranoia

John Kelsey crypto.jmk at gmail.com
Wed Oct 2 08:58:46 EDT 2013


On Oct 1, 2013, at 5:58 PM, Peter Fairbrother <zenadsl6186 at zen.co.uk> wrote:

> AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 and AES-256.
> 
> AES-256 is supposed to have a brute force work factor of 2^256  - but we find that in fact it actually has a very similar work factor to that of AES-128, due to bad subkey scheduling.
> 
> Thing is, that bad subkey scheduling was introduced by NIST ... after Rijndael, which won the open block cipher competition with what seems to be all-the-way good scheduling, was transformed into AES by NIST.

What on Earth are you talking about?  AES' key schedule wasn't designed by NIST.  The only change NIST made to Rijndael was not including some of the alternative block sizes.  You can go look up the old Rijndael specs online if you want to verify this.

> -- Peter Fairbrother

--John



More information about the cryptography mailing list