On 02/10/2013 13:58, John Kelsey wrote:
> On Oct 1, 2013, at 5:58 PM, Peter Fairbrother <zenadsl6...@zen.co.uk> wrote:
>
>> AES, the latest-and-greatest block cipher, comes in two main forms - AES-128
>> and AES-256.
>>
>> AES-256 is supposed to have a brute force work factor of 2^256 - but we
>> find that in fact it actually has a very similar work factor to that of
>> AES-128, due to bad subkey scheduling.
>>
>> Thing is, that bad subkey scheduling was introduced by NIST ... after
>> Rijndael, which won the open block cipher competition with what seems to be
>> all-the-way good scheduling, was transformed into AES by NIST.
>
> What on Earth are you talking about? AES' key schedule wasn't designed by
> NIST. The only change NIST made to Rijndael was not including some of the
> alternative block sizes. You can go look up the old Rijndael specs online if
> you want to verify this.

As someone who was heavily involved in writing the AES specification as
eventually used by NIST, I can confirm what John is saying. The NIST
specification only eliminated Rijndael options - none of the Rijndael
options included in AES were changed in any way by NIST.

Brian Gladman

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography