Slashdot Mirror


AES Algorithm Coming Soon

Anonymous Coward writes: "The National Institute of Standards and Technology (NIST) will announce the winner of the Advanced Encryption Standard competition on Oct. 2 at 11:00 am (Eastern Standard Time). This algorithm is going to be the new government standard, so it's worth checking the page out. Following the announcement a report on the AES development efforts will be released on the NIST AES webpage. The NIST Advanced Encryption Standard page can be found at http://www.nist.gov/aes."

21 of 41 comments

  1. Re:Twofish by nweaver · · Score: 3

    Correct, the formal winner is required to give up all patent rights. It was not stated what would be the case with multiple winners (dear God NO, that would be worse than selecting Mars), but I would imagine that if NIST selected multiple winners, they would be from the set of Rijndael, Serpent, and Twofish which are all unencumbered by patent restrictions. Bruce Schneier put it well during the panel presentation: "Take Rijndael with extra rounds [1], Serpent, and Twofish, and flip a three sided coin, and you will have a good AES algorithm". All of the 3 have good subkey generation properties, are fast in hardware (although Serpent is bigger), have good software properties, etc. Also, Serpent seems to be getting faster and faster in software, as the s-boxes are tweaked for specific architectures. Both Mars and RC6 have some VERY bad properties: They rely on 32 bit multiplication, and run very poorly on any other device (including the IA64 when/if it gets built) and require way too much in hardware. They both have very poor subkey generation mechanisms. And MARS has the most baroque structure: I don't think anyone has actually succeeded in doing subkey generation independently of the reference code. As for power attacks on smartcards, those should be solved at the system, not the circuit level, making the algorithm moot. Note: I am not completely independent. I had a paper at the 3rd AES conference, where I advocated Rijndael, Serpent, or Twofish. Although having an office down the hall from David Wagner's old office does make me a little biased.


    Nicholas C Weaver
    nweaver@cs.berkeley.edu

    --
    Test your net with Netalyzr
  2. Why they are replacing DES by DragonHawk · · Score: 2

    Triple DES will be around for a (long) while.

    Of this I have no doubt. DES will be around for a long time, simply because it is so common, and common things are slow to be replaced.

    But Triple DES is probably considered the most secure algorithm currently available...

    This isn't saying much. In many government circles, you either use 3DES or... DES.

    (again, because it has stood up to extreme pressure to "crack it")

    As you noted, the problems with 3DES are more with the unwieldiness of it than with the security properties of the algorithm itself.

    3DES is basically a hack to work around the limitations of a crummy algorithm by running it through the process multiple times. This makes it an expensive algorithm to implement. Cycles spent running DES multiple times would be better spent on a more secure algorithm.

    It is like saying your '57 Cadillac still runs fine. Even if it does, a newer car will be much easier to deal with and much cheaper to operate.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  3. Re:AES in OpenPGP by booch · · Score: 2

    Actually, the standard will not be complete after they select the algorithm. Once they make the selection, they have to draft the standard and then submit it for public review. It will take almost a year before it officially becomes a standard.

    Still, it would be cool to put it in GPG before anyone else implements it.

    --
    Software sucks. Open Source sucks less.
  4. Re:Algorithm(s) - MARS? by Mike+Connell · · Score: 2

    Totally irrational reasons ;)

    Well, not really. I'm not a fan of MARS because I think it's big and slow. I don't mind the slow too much, but the *big* I do mind. IIRC the sample hardware implementation of MARS was like 2x the size of the other candidates.

    I guess this is mainly an aesthetic complaint: I don't like MARS because it looks ugly to me, but the ugliness is actually based upon a real property of the algorithm. At the end of the day, the simpler algorithm will be more likely to be correctly implemented. I like clear and simple - MARS seems to be the least clear and simple of all the 2nd round algorithms.

    That being said, if MARS wins, I'll use it: I don't think it's without merit, it just seems worse than the other finalists.

    best wishes,
    Mike.

  5. They forgot one... by Mike1024 · · Score: 3
    Hey,

    They forgot one encryption standard: Slashdot trolls!

    It is an exciting new algorithm that automatically selects a random number from 1 to 5 then maps a phrase to it from memory:

    1 - Natalie Portman
    2 - Hot grits
    3 - Beowulf cluster
    4 - Penis bird
    5 - F1rst P057!

    Because it uses the innovative security precaution of making the output irrelevant to the input data, there is absolutely no risk of decryption, even if nobody intercepts the message in transit, and the recipient has the passphrase. Here is an example:

    INPUT: AES algorithm coming soon!
    OUTPUT: F1rst P057!

    INPUT: Alpha system with 256GB Ram!
    OUTPUT: But how meny Penis birds does it support?

    etc, etc...

    Michael

    ...another comment from Michael Tandy.

    --
    "Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
  6. Re:How fast will DES be phased out? by ChadN · · Score: 2

    Triple DES will be around for a (long) while. It has stood the test of time, and has not been shown to be breakable, after all these years. Any new AES cipher will still have to prove itself in the real world, which Triple DES has done.

    Triple DES is slow (in software), and has some cumbersome key properties, as well as only 64 bit blocks. So they are replacing it with something that MIGHT be more secure (most likely). But Triple DES is probably considered the most secure algorithm currently available (again, because it has stood up to extreme pressure to "crack it")

    --
    "It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
  7. Re:How fast will DES be phased out? by Matt_Bennett · · Score: 2

    I don't think DES will be phased out anytime soon, especially in the military. There may be fewer new implementations of it though. DES is built into many systems that are extremely hard and/or expensive to replace, such as the encrypted precise GPS code P(Y). I don't believe that it would be possible to upgrade the satellites remotely, and there is already a huge installed base of users that rely on the technology.

    I think it boils down to this - you have to find out about your customers' migration plan first. DES will be around for a while longer, yet.

  8. Re:Unchristian algorithm by Hobbex · · Score: 2


    Um, the cipher they selected for DES was originally called Lucifer...

  9. Re:My bet... by SEWilco · · Score: 2

    NDij 8mxOmf8 mnD*md sslcmv KD nfd dfmsoimvdl nm09mlj mdfeim.

  10. THE CHOICE WAS RIJNDAEL by ssimpson · · Score: 2

    Erm, that's all......

    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
  11. Rijndael was chosen by milkman1 · · Score: 2

    http://www.esat.kuleuven.ac.be/cosic/press/pr_aes_english.html

  12. My bet... by Admiral+Burrito · · Score: 2

    I'll bet it's Rijndael.

    Any takers?

  13. Open Standards Setting Activity by Cire+LePueh · · Score: 3

    As it was reported before and the notice is big and bold....

    NIST reminds all interested parties that the adoption of AES is being conducted as an open standards-setting activity....it may seek redress under the antitrust laws of the United States against any party in the future who might seek to exercise patent rights against any user of AES that have not been disclosed to NIST in response to this request for information.

  14. Algorithm(s) by Mike+Connell · · Score: 3

    NIST appears to have left the possibility of multiple algorithms, so there may be more than one winner. General opinion seems to be that this is unlikely to occur though (thankfully).

    Likely winners:
    Twofish (fast in s/w)
    Serpent (solid)
    Rijndael

    Unlikely (IMHO)
    MARS (eugh!)
    RC6 (weak)

    Whoever wins *should* be a net win for us all. These are all meant to be free and exportable (importable in some cases as they aren't all US ciphers ;). However, despite the fact that all entries are meant to be free of restrictions, note that Hitachi (and perhaps others), have claimed patent rights that cover a number of the entries...

    best wishes,
    Mike.

    1. Re:Algorithm(s) by Mike+Connell · · Score: 2

      I've just looked at the Hitachi documents again. They claim that they are used in MARS, RC6, Serpent and Blowfish.

      OTOH, I expect whatever wins to be attacked by anyone that has a vaguely related patent. It'll be worth a lot of money...

      best wishes,
      Mike.

  15. Re:Twofish by Mike+Connell · · Score: 2

    According to the Twofish team, Rijndael is far too close to broken to be chosen (9 rounds) and subsequently has a low safety factor. It may need more rounds.

    > Serpent would be my third choice, but it's too slow compared to the others.

    Serpent OTOH still looks very secure. Serpent is indeed slow in software, but damn fast in hardware. I would trade the increasingly less-of-a-problem software speed for the increase in known security.

    best wishes,
    Mike

  16. Re:Twofish by Anonymous Coward · · Score: 2

    "According to the Twofish team..."
    That's not exactly an unbiased source. 128-bit Rijndael (with 10 rounds) can be attacked faster than brute force, and distinguished from a random permutation, in respectively 6 and 7 rounds, while 256-bit Rijndael (with 14 rounds) can be distinguished from a random permutation faster than brute force in 9 rounds. Rijndael is extremely hardware friendly and parallelizable in software, so increasing the number of rounds by 2 (10,12,14) -> (12,14,16) or over (14,16,18) should be more than enough to alleviate any concerns.
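
    Since the comment above cites the 10/12/14 round counts and suggests adding two rounds, here is the Rijndael key expansion written out as an added example. It is not code from any poster in this thread and not the Rijndael reference implementation: it derives Nr = Nk + 6 from the key length (Rijndael's rule for the 128-bit block that AES fixes; other Rijndael block sizes are not covered), builds the S-box from its GF(2^8) definition instead of embedding the table, and carries an extra_rounds parameter, which is a hypothetical knob of this example rather than part of the standard, to show that a longer schedule is just more iterations of the same step. The test key and the round-key values it reproduces are the 128-bit and 256-bit key-expansion examples from FIPS-197 Appendix A.

```python
# Rijndael key expansion (FIPS-197 KeyExpansion), written as an added
# illustration for this thread; it is not code from any of the posters.
# It derives the round keys and, with the hypothetical extra_rounds
# parameter, shows what "adding two rounds" means for the key schedule.


def _xtime(b: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def _gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements (shift-and-add using _xtime)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); 0 maps to 0."""
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r


def _affine(b: int) -> int:
    """S-box affine map: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    x = b
    for i in range(1, 5):
        x ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return x ^ 0x63


# Build the S-box from its definition instead of embedding the 256-byte table.
SBOX = [_affine(_gf_inv(i)) for i in range(256)]


def rounds_for_key(key_len_bytes: int) -> int:
    """Rijndael with a 128-bit block uses Nr = Nk + 6 rounds (Nk = key words)."""
    return key_len_bytes // 4 + 6


def expand_key(key: bytes, extra_rounds: int = 0) -> list[bytes]:
    """Return the Nr + 1 round keys (16 bytes each) for a 128/192/256-bit key.

    extra_rounds is a hypothetical knob, not part of the standard: it keeps
    the schedule running so that a variant with more rounds has keys for them.
    """
    if len(key) not in (16, 24, 32):
        raise ValueError("Rijndael/AES keys are 128, 192 or 256 bits")
    nk = len(key) // 4
    nr = rounds_for_key(len(key)) + extra_rounds
    w = [key[4 * i:4 * i + 4] for i in range(nk)]  # the first Nk words are the key
    rcon = 0x01
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            # RotWord, SubWord, then XOR the round constant into the first byte
            temp = bytes(SBOX[b] for b in temp[1:] + temp[:1])
            temp = bytes([temp[0] ^ rcon]) + temp[1:]
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            # The 256-bit schedule applies SubWord a second time per key block
            temp = bytes(SBOX[b] for b in temp)
        w.append(bytes(a ^ b for a, b in zip(w[i - nk], temp)))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(nr + 1)]


if __name__ == "__main__":
    # FIPS-197 Appendix A.1 key; its round key 10 is d014f9a8c9ee2589e13f0cc8b6630ca6
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    for r, rk in enumerate(expand_key(key)):
        print(f"round key {r:2d}: {rk.hex()}")
    for bits in (128, 192, 256):
        print(f"{bits}-bit key: {rounds_for_key(bits // 8)} rounds, "
              f"{len(expand_key(bytes(bits // 8)))} round keys")
```

    Running it prints the eleven AES-128 round keys and the 10/12/14 round counts with their 11/13/15 round keys; expand_key(key, extra_rounds=2) yields the same first eleven keys plus two more, which is all a "12-round Rijndael" would need from the schedule (the rest of the argument in the thread is about the cipher's security margin, not about whether the schedule can supply keys).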

  17. Re:Twofish by Admiral+Burrito · · Score: 5

    Twofish seems a nice system.

    It is. That would be my second choice, after Rijndael.

    From what I've read, Twofish doesn't stand up to differential power analysis as well as Rijndael does, and is not quite as smartcard-friendly. Rijndael may also work better on future parallel computers. Rijndael is slightly smaller, faster, etc, etc. AFAICS Rijndael slightly edges out Twofish in nearly every category.

    Twofish is American though, which may make a difference.

    Serpent would be my third choice, but it's too slow compared to the others. Mars is too complex. RC6 is too dependent on rotations.

    Its good that it is completely open, so there can be no patenting problems.

    I can't remember the details, but whoever wins is not allowed to milk it even if they have patents. It's one of the stipulations for all AES candidates (but it only applies to the one that wins).

    Of course, it's possible they might select more than one algorithm...

  18. AES in OpenPGP by XNormal · · Score: 4

    An algorithm ID is already defined for AES in OpenPGP (RFC2440).

    It might be a nice publicity stunt to release a special version of GnuPG (1.0.4?) with AES support within seconds of the official announcement.

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  19. Note to Digital Convergence by blogan · · Score: 3

    Your entry is not winning. You have no need to free up your calendar.

  20. Re:Twofish by Mike+Connell · · Score: 4

    > That's not exactly an unbiased source.

    It's completely irrelevant how biased they are - I wasn't referencing their work as a groundless opinion. I was referencing their paper "The Twofish Team's Final Comments on AES Selection" submitted in the round 2 comments stage which you should read. This isn't a question of the Blowfish team saying "la la la - Rijndael sucks", it's a case of them doing the analysis and showing why they think it has problems and publishing the results and the reasoning.

    I agree that with modifications Rijndael can be made more secure. In fact, why not just scrap all the entries and say "let's start all over again with more secure versions"? It could go on forever. I think NIST should be choosing the most secure algorithms *entered*, and that isn't Rijndael.

    my 0.02,
    Mike.