[Cryptography] AES-256- More NIST-y? paranoia
Brian Gladman
brg at gladman.plus.com
Wed Oct 2 17:13:47 EDT 2013
On 02/10/2013 13:58, John Kelsey wrote:
> On Oct 1, 2013, at 5:58 PM, Peter Fairbrother <zenadsl6186 at zen.co.uk> wrote:
>
>> AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 and AES-256.
>>
>> AES-256 is supposed to have a brute force work factor of 2^256 - but we find that in fact it actually has a very similar work factor to that of AES-128, due to bad subkey scheduling.
>>
>> Thing is, that bad subkey scheduling was introduced by NIST ... after Rijndael, which won the open block cipher competition with what seems to be all-the-way good scheduling, was transformed into AES by NIST.
>
> What on Earth are you talking about? AES' key schedule wasn't designed by NIST. The only change NIST made to Rijndael was not including some of the alternative block sizes. You can go look up the old Rijndael specs online if you want to verify this.
As someone who was heavily involved in writing the AES specification as
eventually used by NIST, I can confirm what John is saying.
The NIST specification only eliminated Rijndael options - none of the
Rijndael options included in AES were changed in any way by NIST.
Brian Gladman
More information about the cryptography
mailing list