I know others have already knocked this one down, but we are now in an area where conspiracy theories are real, so for avoidance of doubt...

On 2/10/13 00:58 AM, Peter Fairbrother wrote:
> AES, the latest-and-greatest block cipher, comes in two main forms -
> AES-128 and AES-256.
>
> AES-256 is supposed to have a brute force work factor of 2^256 - but we
> find that in fact it actually has a very similar work factor to that of
> AES-128, due to bad subkey scheduling.

This might relate to the related-key discoveries in 2009. Here's an explanation from Dani Nagy that might reach the non-cryptographer:

http://financialcryptography.com/mt/archives/001180.html


> Thing is, that bad subkey scheduling was introduced by NIST ... after
> Rijndael, which won the open block cipher competition with what seems to
> be all-the-way good scheduling, was transformed into AES by NIST.
>
> So, why did NIST change the subkey scheduling?


I don't think they did. Our Java code was submitted as part of the competition, and it only got renamed after the competition. No crypto changes that I recall.



iang
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
