On 02/10/2013 13:58, John Kelsey wrote:
> On Oct 1, 2013, at 5:58 PM, Peter Fairbrother <zenadsl6...@zen.co.uk> wrote:
>> AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 
>> and AES-256.
>> AES-256 is supposed to have a brute force work factor of 2^256  - but we 
>> find that in fact it actually has a very similar work factor to that of 
>> AES-128, due to bad subkey scheduling.
>> Thing is, that bad subkey scheduling was introduced by NIST ... after 
>> Rijndael, which won the open block cipher competition with what seems to be 
>> all-the-way good scheduling, was transformed into AES by NIST.
> What on Earth are you talking about?  AES' key schedule wasn't designed by 
> NIST.  The only change NIST made to Rijndael was not including some of the 
> alternative block sizes.  You can go look up the old Rijndael specs online if 
> you want to verify this.

As someone who was heavily involved in writing the AES specification as
eventually used by NIST, I can confirm what John is saying.

The NIST specification only eliminated Rijndael options - none of the
Rijndael options included in AES were changed in any way by NIST.

   Brian Gladman

The cryptography mailing list

Reply via email to