[Cryptography] AES-256- More NIST-y? paranoia
ianG
iang at iang.org
Thu Oct 3 04:01:11 EDT 2013
I know others have already knocked this one down, but we are now in an
area where conspiracy theories are real, so for avoidance of doubt...
On 2/10/13 00:58 AM, Peter Fairbrother wrote:
> AES, the latest-and-greatest block cipher, comes in two main forms -
> AES-128 and AES-256.
>
> AES-256 is supposed to have a brute force work factor of 2^256 - but we
> find that in fact it actually has a very similar work factor to that of
> AES-128, due to bad subkey scheduling.
This might relate to the related-key discoveries in 2009. Here's an
explanation from Dani Nagy that might reach the non-cryptographer:
http://financialcryptography.com/mt/archives/001180.html
> Thing is, that bad subkey scheduling was introduced by NIST ... after
> Rijndael, which won the open block cipher competition with what seems to
> be all-the-way good scheduling, was transformed into AES by NIST.
>
>
> So, why did NIST change the subkey scheduling?
I don't think they did. Our Java code was submitted as part of the
competition, and it only got renamed after the competition. No crypto
changes that I recall.
iang
More information about the cryptography
mailing list