Slashdot Mirror
AES Algorithm Coming Soon
Anonymous Coward writes: "The National Institute of Standards and Technology (NIST) will announce the winner of the Advanced Encryption Standard competition on Oct. 2 at 11:00 am (Eastern Standard Time). This algorithm is going to be the new government standard, so it's worth checking the page out. Following the announcement a report on the AES development efforts will be released on the NIST AES webpage. The NIST Advanced Encryption Standard page can be found at http://www.nist.gov/aes."
Because secure cryptosystems are in the best interest of all but a few parties in the US government (*cough* 1/2 of the NSA *cough* CIA *cough*). The Federal Reserve, for example, depends on a secure banksystem, and DES and 3DES isn't cutting it.
Also, part of the point of this algorithm is that custom (read NSA designed) cryptographic hardware is expensive to make. Since the AES winner will be blessed by the NSA for secure governmental transactions in nonclassified systems, it is expected/hoped that the US government will be able to get secure cryptosystems for much lower costs.
Remember that 1/2 of the NSA is in charge of insuring that US Government communications ARE secure, they are greatly interested in AES being a success.
Nicholas C Weaver
nweaver@cs.berkeley.edu
Test your net with Netalyzr
... and thanks to some extremely valuable last-minute input by our friends at NSA, the AES algorithm will be... ROT-13!
"Serpent should be chosen as the Advanced Encryption Standard. It's the fastest
algorithm in hardware, and the second fastest in software on the IA-64 archi-
tecture. Above all, Serpent should be chosen because it's the most secure of the
candidates."
I belive they are right
serpent has already been implemented in hardware and your palm/phone/watch is where you want it as well as big hulking systems yes two fish is nice but then how about geting it into everything umm hardware
my hope is serpent
regards
john jones
(a deltic so please dont moan about spelling but the content)
Correct, the formal winner is requried to give up all patent rights. It was not stated what would be the case with multiple winners (dear God NO, that would be worse than selecting Mars), but I would imagine that if NIST selected multiple winners, they would be from the set of Rijndael, serpent, and Twofish which are all unencumbered by patent restrictons. Bruce Schneier put it well during the panel presentation: "Take Rijndael with extra rounds [1], Serpent, and Twofish, and flip a three sided coin, and you will have a good AES algorithm". All of the 3 have good subkey generation properties, are fast in hardware (although serpent is bigger), have good software properties, etc. Also, serpent seems to be getting faster and faster in software, as the s-boxes are tweaked for specific architectures. Both Mars and RC6 have some VERY bad properties: They rely on 32 bit multiplication, and run very poorly on any other device (including the IA64 when/if it gets built) and require way too much in hardware. The both have very poor subkey generation mechanisms. And MARS has the most baroque structure: I don't think anyone has actually succeded in doing subkey generation independenty of the reference code. As for power attacks on smartcards, those should be solved at the system, not the circuit level, making the algorithm moot. Note: I am not completely independant. I had a paper at the 3rd aes conference, where I advocated rijndael, serpent, or twofish. Although having an office down the hall from David Wagner's old office does make me a little biased.
Nicholas C Weaver
nweaver@cs.berkeley.edu
Test your net with Netalyzr
Given that the NSA compromises effective keylengths by twisting implementors arms to introduce 'bugs' (see cryptome article: nsa sabotage), my question is; what can the NSA do to ensure a compromised choice? or can they only rely on implementation errors and back doors?
-he who laughs last, is a bit slow.
journal
Triple DES will be around for a (long) while.
Of this I have no doubt. DES will be around for a long time, simply because it is so common, and common things are slow to become replaced.
But Triple DES is probably considered the most secure algorithm currently available...
This isn't saying much. In many government circles, you either use 3DES or... DES.
(again, because it has stood up to extreme pressure to "crack it)
As you noted, the problems with 3DES are more with the unwieldiness of it then with the security properties of the algorithm itself.
3DES is basically a hack to work around the limitations of a crummy algorithm by running it through the process multiple times. This makes it an expensive algorithm to implement. Cycles spent running DES multiple times would be better spent on a more secure algorithm.
It is like saying your '57 Cadillac still runs fine. Even if it does, a newer car will be much easier to deal with and much cheaper to operate.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Agreed, I attended the AES show in Los Angelos was just last week so that acronym has been on my mind.
Actually, the standard will not be complete after they select the algorithm. Once they make the selection, they have to draft the standard and then submit it for public review. It will take almost a year before it officially becomes a standard.
Still, it would be cool to put it in GPG before anyone else implements it.
Software sucks. Open Source sucks less.
Why is MARS less likely in your opinion? Could you elaborate on "eugh!"? ;)
"a powerful and unexpected ally..."
Totally irrational reasons ;)
Well, not really. I'm not a fan of MARS because I think it's big and slow. I don't mind the slow too much, but the *big* I do mind. IIRC the sample hgardware implementation of MARS was like 2x the size of the other candiates.
I guess this is mainly an aesthetic complaint: I dont like MARS because it looks ugly to me, but the uglyness is actually based upon a real property of the algorithm. At the end of the day, the simpler algorithm will be more likely to be correctly implemented. I like clear and simple - MARS seems to be the least clear and simple of all the 2nd round algorithms.
That being said, if MARS wins, I'll use it: I don't think it's without merit, it just seems worse than the other finalists.
best wishes,
Mike.
Tales from behind the Lagom Curtain
They forgot one encryption stansard: Slashdot trolls!
It is an exciting new algorithm that automatically selects a random number from 1 to 5 then maps a phrase to it from memory:
1 - Natalie Portman
2 - Hot grits
3 - Beowulf cluster
4 - Penis bird
5 - F1rst P057!
Because it uses the innovative security precaution of making the output irrelevent to the input data, there is absolutely no risk of decryption, even if nobody intercepts the message in transit, and the recipient has the passphrase. Here is an example:
INPUT: AES algorithm coming soon!
OUTPUT: F1rst P057!
INPUT: Alpha system with 256GB Ram!
OUTPUT: But how meny Penis birds does it support?
etc, etc...
Michael
...another comment from Michael Tandy.
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
Triple DES will be around for a (long) while. It has stood the test of time, and has not been shown to be breakable, after all these years. Any new AES cipher will still have to prove itself in the real world, which Triple DES has done.
Triple DES is slow (in software), and has some cumbersome key properties, as well as only 64 bit blocks. So they are replacing it with something that MIGHT be more secure (most likely). But Triple DES is probably considered the most secure algorithm currently available (again, because it has stood up to extreme pressure to "crack it)
"It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
I don't think DES will be phased out anytime soon, especially in the military. They may be fewer new implementations of it though. DES is built into many systems that are extremely hard and/or expensive to replace, such as the encrypted precise GPS code P(Y). I don't believe that it would be possible to upgrade the satellites remotely, and there is already a huge installed base of users that rely on the technology.
I think it boils down to this- you have to find out about your customers migration plan first. DES will be around for a while longer, yet.
Um, the cipher they selected for DES was originally called Lucifer...
Just because we don't want anyone to be able to use good crypto, doesn't mean we're bad guys. We just want you to use our systems..."
Coincidence is the Superstition of Science
What's that smell? Ah, that's my karma burning...
NDij 8mxOmf8 mnD*md sslcmv KD nfd dfmsoimvdl nm09mlj mdfeim.
So, if AES means Advanced Encryption Standard, does DES now mean Dumb Encryption Standard?
Of course, there's no way for them to address patents that are granted after AES has already been selected, and given the stupidity of the patent office these days, you can bet that this will happen...
--
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Erm, that's all......
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
I took an encryption class last semester, and it was good, but this grad student came in to talk to us one time, and she said she worked for Counterpane and she was working on Twofish. She had really pale skin and big black hair and she dressed all in black, so she looked like Elvira, Mistress of the Dark. She laughed a lot, really loudly, at times when it didn't make sense to laugh. I'm scared of Twofish.
grep -ri 'should work'
http://www.esat.kuleuven.ac.be/cosic/press/pr_aes_ english.html
If it's meant to be exportable then you can bet that the algorithm that gets selected will be one that the NSA knows how to crack with minimal effort. There's no way in hell they'd allow a standard that they couldn't crack to be approved by the U.S. Government.
As for the patent issue, the statement issued by NIST seems to imply that they won't initiate antitrust proceedings against anyone who has disclosed patent interests in the selected algorithm. I have a strong suspicion that the algorithm selected will have at least one big, disclosed patent against it. As with RSA, such a patent will hamper the standard from being adopted universally, which will be "good for National Security"...
--
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
http://www.esat.kuleuven.ac.be/cosic/#press
Twofish seems a nice system.
Its good that it is completely open, so there can be no patenting problems.
This is good news if the winner becomes all round accepted
I'll bet it's Rijndael.
Any takers?
As it was reported before and the notice is big and bold....
NIST reminds all interested parties that the adoption of AES is being conducted as an open standards-setting activity....it may seek redress under the antitrust laws of the United States against any party in the future who might seek to exercise patent rights against any user of AES that have not been disclosed to NIST in response to this request for information.
NIST appears to have left the possibility of multiple algorithms, so there may be more than one winner. General opinion seems to be that this is unlikely to occur though (thankfully).
;). However, despite the fact that all entries are meant to be free of restrictions, note that Hitatchi (and perhaps others), have claimed patent right that cover a number of the entries...
Likely winners:
Twofish (fast in s/w)
Serpent (solid)
Rijndael
Unlikely (IMHO)
MARS (eugh!)
RC6 (weak)
Whoever wins *should* be a net win for us all. These are all meant to be free and exportable (importable in some cases as they aren't all US ciphers
best wishes,
Mike.
Tales from behind the Lagom Curtain
I mean isn't the religious right going to protest over the name (which, obviously, a sign of an unchristian algorithm as well) and you know how much political weight they carry -- especially now before the elections?
after your private information is treated with CmdrTaco's spelling, timothy's grammar, and Jon Katz's writing style, who could possibly hope to understand it?
Bruce
Bruce
You are the real Bruce Perens.
See the following paper by Schneier and co:
The Twofish Team's Final Comments on AES Selection, http://www.counterpane.com/twofish-final.html
Rijndael is faster than both Twofish and Serpent, but this is mostly attributable to the reduced number of rounds it implements.
For the AES to remain dependable over the next 20 years+, given projected advances in cryptanalysis, this presents a significant risk. Rijndael with more rounds will be safer, but much slower (80% slower at 18 rounds than at the current 10).
Serpent is a very conservative design, but is also quite slow. Twofish presents the middle ground in most people's estimation.
An algorithm ID is already defined for AES in OpenPGP (RFC2440).
It might be nice publicity stunt to release a special version of GnuPG (1.0.4?) with AES support within seconds of the official announcement.
----
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
The big question on my mind is how fast will the AES replace DES algorityms? Obviously as fast as practical in govt. because that's going to be *their* standard, but what about in industry? We could certainly use whatever one of these functions we want for symetric encryption, they all work...
Problem is... I am desigining some hardware right now to enable hardware assist to SSL and 3DES is still considered a strong encryption. Depending on the AES selected, I may have the chance of replacing the DES engine with an AES one. Depends on the area required to implement in silicon, and the how fast it can run.
However, if DES will still be useful once this choice is made, I've already put a lot into this design. Your insights are appreciated.
"a powerful and unexpected ally..."
Your entry is not winning. You have no need to free up your calendar.
Why would the US government want to promote the use of an encryption algorithm it couldn't crack? Haven't been following the candidates, but the winner should be interesting.