

Schneier on Security : Another New AES Attack - billswift
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html

======
neilc
I think it's interesting that there are attacks against AES-256 that don't
work against AES-128. Apparently, "the key schedule for 256-bit version is
pretty lousy." Surprising, to me at least.

------
jncraton
I don't know a lot about cryptography, but I have read a little about it and
I've used it in projects. Could someone explain why a 256 bit key seems to
crack more easily than a 128 bit key according to this paper? It seems to me
that the opposite should be true.

~~~
dfranke
Because they're keys to different algorithms. The bit-length in AES is not an
arbitrarily tunable parameter. AES-256, AES-192, and AES-128 are related but
nonetheless different algorithms. The recent attacks on AES-256 and AES-192
have exploited the key schedules, which is one component that's different
between the three algorithms. AES-128's key schedule is better-designed.

