Posted by michael from the crackers-get-new-target dept.
^BR writes "Rijndael, the Belgian candidate for the AES, has won the competition. It has just been announced by NIST. The scoop. Too bad for Twofish and Serpent." More info should appear at the NIST AES website soon.
It's quite likely that the reason for the selection has nothing to do with cryptography or any other technically relevant reason.
Hitachi has a patent which all finalists but Rijndael appear to infringe. Given the fact that Twofish, Serpent and Rijndael are all very secure, efficient to implement on all relevant platforms and more or less the same on all other technical issues, the determining factor is probably the patent issue.
Quite depressing, actually.
(BTW, it's not just me saying that all three would have made a great AES; many of the contestants themselves have said so).
--
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Re:I think Rijndael is the best candidate
by ryanr · Score: 2
DES is also very fast in hardware, and absolutely sucks in software. It's one of the big reasons a replacement is being sought, rather than just continuing on with DESX.
Nobody cares how fast the crypto is in hardware, really.
For crying out loud - shut up about backdoors
by ruebarb · Score: 3
The whole purpose of this open standard competition was to expose the algorithms to everyone. This isn't just the NSA. Every development team that developed an algorithm was composed of some of the best cryptographers around (including guys like Bruce Schneier).
Then, after developing their algorithms, all these developers spent their spare time trying to break everyone else's implementation. The algorithms were open to everyone, and in some cases, they were effectively knocked out of the competition by weaknesses in their implementation.
I realize there are exceptions and the NSA has behaved badly in the past, but read what this competition was about and how it was run. This was probably the best peer-reviewed encryption scheme/contest/implementation ever run, and anyone with a decent knowledge of encryption can look at the algorithm and decide for themselves how secure it is. (trolls talking out of their ass won't know it, but the experts will) -
And if you're still hung up about it, I'll bet Twofish and Serpent are going to be around for awhile. I might look at Twofish anyway for stuff I mess with.
--
ah honey, we're all resplendent - Bill Mallonee
Re:why twofish lost & rijndael won
by konstant · Score: 2
I didn't mean to imply that those algorithms were any the worse for their corporate backing. I only wanted to point out that the selection of Rijndael puts cryptography in the realm where it really belongs: academia and the public domain. Any one of the algorithms would have been a decent choice, but I found it pleasing that the non-corporate offering won out.
You don't have to be nasty about it. "Gratuitous drivel"??? What do you think Slashdot's all about man?
-konstant
Yes! We are all individuals! I'm not!
NIST is just down the street from where I work, so a co-worker and I crashed the press conference. After navigating the sprawling government expanse, we arrived at the lecture room only to be interrogated as to what press organization we are from.
Mind you, showing up in t-shirts and shorts probably didn't help our credibility much, so I claimed that we were from Slashdot and we were allowed in with a shiny press kit.
The small audience was divided up between press people and stiff jaw types in conservative suits and ties. (spooks) I can't decide, though, which group decided to stare more at our hacker apparel, wondering who let the 2 techies in.
To NIST's credit, the evaluation of the various algorithms seems to have been done totally in the public eye. The analysis of the various candidate algorithms is supposedly posted publically and the algorithms are royalty-free. Plus, no modifications were allowed to the algorithms, so it's fairly unlikely that the NSA got their fingers into it.
To give props to SecurityFocus, a representative questioned the involvement of the NSA and asked why we should trust the government.
And that's good? The NSA had their fingers in DES and from all accounts, including Coppersmith's, they made it stronger.
-- This is my signature. There are many signatures like it but this one is mine..
But there's also stories that they modified the initial values of DES in such a way as to weaken them.
There have been lots of stories like that. However there is the fact that DES-with-NSA-changes is resistant to differential cryptanalysis, and DES-without-NSA-changes falls to a DA attack much faster than brute force keysearches.
So if the NSA weakened DES they accidentally also strengthened it. More likely they "just" strengthened it. It does show that they (used to) have at least a 15 year lead. Probably shortened a bit by now, but who knows?
Re:why twofish lost & rijndael won
by david614 · Score: 2
>Twofish, RC6, Mars, etc were basically all ego-gratification projects intended to maintain corporate visibility in the cryptography market
This is, to be polite, bs. Different cryptographic approaches merely reflect different "scientific" schools or preferences.
Pluses and minuses can exist in different proposals without them being easily attributable to gratuitous drivel from the peanut gallery.
-- ELITISM:
It's always lonely at the top. Uninvited company is rarely welcome.
Smart card applications the key consideration?
by BitMan · Score: 5
In addition to the open-ended key size of Rijndael, after reading the AES Round 1 report, it looks like smart card applications were a key consideration (possibly THE key?).
With smart cards, the issue is two fold. One, you need small code footprint, which both Rijndael and TwoFish did satisfy. And, two, the main means to hack smart cards is via power/EMI analysis.
Any circuit draws power and puts out EMI with the switching of its gates. Since there are power draws when they switch, the two are usually intertwined. I am familiar with these because Theseus Logic's (my employer's) NCL (null convention logic) technology is ideal for smartcards because of its more uniform power (gates switch independently so they are not switching and drawing power at the same time), further resulting in a drastically reduced EMI signature compared to CBL (clocked boolean logic). In addition to being reduced, the power/EMI signature looks nothing like CBL and those years of learning what CBL circuits look like from a power/EMI standpoint are not applicable to NCL at all.
TwoFish uses a very predictable addition subroutine that would put out a regularly timed power/EMI signature. Rijndael seems to reduce its use of such easily identifiable operations (at least when analyzed under [6] in the report).
[ BTW, one thing I didn't understand was this statement about TwoFish: "During Round 1, there were a few concerns regarding the overall complexity of its design." Anyone know what they meant by this? ]
-- Bryan "TheBS" Smith
Independent Author, Consultant and Trainer
Re:Smart card applications the key consideration?
by nconway · Score: 2
With smart cards, the issue is two fold. One, you need small code footprint, which both Rijndael and TwoFish did satisfy.
And RC6 and MARS did not. In fact, MARS takes up more than 200 bytes of RAM: more than is on most 'smart' cards. Although you might be able to adjust the algorithm to get this down to ~100 (the same as RC6), Twofish, Serpent, and Rijndael are all 50-60.
Re:Smart card applications the key consideration?
by proxy2 · Score: 2
In addition to the open-ended key size of Rijndael, after reading the AES Round 1 report, it looks like smart card applications were a key consideration (possible THE key?).
This shouldn't come as a surprise because Joan Daemen is currently working for ProtonWorld, a Belgian smart card company. Millions of people here in Belgium are using their e-purse smartcards daily to make small payments. I wouldn't be surprised if Rijndael is the main algorithm behind Proton.
Re:Smart card applications the key consideration?
by BitMan · Score: 2
Yes, that is just "one" portion of the benefits. Just like when dealing with security, obscurity is NOT the "main" one.
-- Bryan "TheBS" Smith
Independent Author, Consultant and Trainer
Public domain Java implementation
by iXus · Score: 3
Cryptix releases its Java implementation of Rijndael in the public domain. The BSD licensed Cryptix is also the first crypto toolkit that officially supports the AES.
Open source rules!
plenty secure (how was this interesting?)
by kaisyain · Score: 2
Rijndael is just as secure as the other finalists. Every other finalist also had published attacks versus reduced round versions. The paper you refer to talks about attacks on reduced round variants. In particular, the 9 round attack on Rijndael requires not only encryption of chosen plaintexts, but also encryptions under 255 other keys related to the secret key in a manner chosen by the adversary.
However, the AES paper talks about these reduced round variants saying,
It is difficult, however, to extrapolate the data for reduced-round variants to the actual algorithms. The attacks on reduced round variants are generally not even practical at this time...As noted earlier, no general attacks against any of the finalists is known. Hence, the determination of the level of security provided by the finalists is largely guesswork.
They also note that since Rijndael had one of the simplest structures that it received a disproportionate amount of review downward biasing its security relative to other contenders. Twofish, for instance, on the other hand is very complicated, making analysis difficult during the timeframe of the AES development process.
Do you have any rational reason for preferring an algorithm that received very little cryptanalysis over one that received tons of it and was found that nothing short of a brute force search over its keyspace would suffice?
Government agencies and contracts are going to require AES. Large businesses are going to use AES. Everyone will use AES. That is why the AES panel had a vested interest in choosing the best algorithm. And they picked Rijndael. Having read their final report, unless you're a competent cryptanalyst (I don't know about you, but I'm not) I don't see any reason to doubt the competence of the AES selection panel or their final selection.
According to the paper, for the number of rounds specified, there is no known attack that is stronger than exhaustive key search. Hence, adding rounds will add nothing to security. You have to increase the key length to achieve this.
Although NIST is reasonably certain that Rijndael is secure with the specified number of rounds, this is no guarantee that it is this strong against future attacks. No proofs of its security were made, only assertions. It is possible that increasing the number of rounds would provide protection against future attacks.
-- <sigh>
Re:let the cracking begin...
by Apotsy · Score: 2
Yes, but as someone else pointed out, in two-way communication, RSA (or something like it) is still typically used to pass the "session" keys that are used to do the block ciphering. No matter how good your block cipher is, it is still at the mercy of whatever you use to exchange the keys.
For those who are interested in technical analysis, the NIST Report is online.
The basic gist of the report is that all algorithms are secure to NIST's comfort, with a large number of various details. The main reason for selecting Rijndael over the other algorithms came down to performance.
Whereas the other algorithms either ran well or poorly depending on the platform (Serpent poor in register-poor software and a large initial requirement for hardware, Twofish being very slow for software subkey generation, MARS requiring 32 bit multiply and having awful subkey generation, and RC6 also requiring 32 bit multiply and poor subkey generation), Rijndael runs well regardless of platform, be it hardware or software, smartcard microcontroller or IA64.
I also seriously doubt that the Hitachi patent claim had anything to do with the selection. It was not even mentioned in the report in the IP section, and was incredibly vague (Hitachi was claiming a patent on rotation in encryption. The Caesar cypher could probably be claimed as 2000 year old prior art).
From the Rijndael FAQ: Can't you give it another name ? (Propose it as a tweak !)
[snip]
I second the call for "bob"! (although I would've supported "peter", too)
Or you could just call it "AES". At least, you can now.:)
It will probably be called "AES". Just as people call it "DES" instead of "Lucifer" (although in that case they really are different algorithms).
The guy I talked to who worked for the NSA on math/crypto said the NSA would not disclose any weakness they found, but they would advise NIST whether a given algorithm was good or bad. So, if you trust them (I do on this count), they would keep NIST from choosing a code they could crack, but not reveal how to do so.
It was supposed to go something like:
NIST: We have these 6 finalists. We think we would like to use #2.
NSA: You really don't want to do that.
NIST: Ok, how about #6?
NSA: Sounds good.
NIST: #6 it is!
Hitachi patented bit shifting in encryption.
by kbonin · Score: 2
The Hitachi patent claim basically covers combining the output of one stage with a bit shifted copy of that same output to create a new output, in a reversible format.
i.e., they patented: a2 = a1 ^ ( a1 << 1 );
The patent examiner should be fired. His boss should be fired, and his boss, ad nauseum.
'course this is how things work today, so now we have an AES cipher with weaknesses especially suited to hardware cryptanalysis. Sure that was entirely coincidental.
Re:What about non-bruce force attacks?
by ChadN · Score: 2
Maybe the key 2^84-1 is equivalent to rot13?
Then don't use that key. If there are only a "few" (say 10 billion), the chance of selecting one of them randomly, is almost nil. Presumably the reviewers focused on checking for weak keys, among all the candidates.
--
"It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
Good commentary from Counterpane
by Eck · Score: 3
The commentary by folks over at Counterpane (Bruce Schneier, et al) seems quite good. They say good things about Rijndael, regardless of whether they really wanted their own Twofish to win out.
Now that No Such Agency has found a way to crack it.;-)
-- "On second thought, let's not go there. 'Tis a silly place."
report claims IP was not an issue
by _|()|\| · Score: 2
It will be interesting to see whether the final announcement mentions the patent.
Oops, I should have kept reading.
The Report on the Development of the AES does have a statement that seems to indirectly reference Hitachi's patent claim: "After comments were analyzed, and the review process was completed, IP was not a factor in NIST's selection of the proposed AES algorithm."
Do you really think the NSA would tell the outside world if they discovered a weakness?
People thought the same thing about DES. It turned out that the NSA had indeed tweaked the algorithm: they made it stronger!, so it could resist an attack the outside world had not discovered yet.
As a tool, code for the new AES algorithm is less than 10,000 bytes, and thus cryptography slips into the average application with less implication on costs than the price of a new PC.
This is a good point. NSA paranoia is all good and proper, but moderated with some common sense, please.
I seriously doubt the security establishment would allow the finalist to have a weakness that they discovered in what is really quite a short amount of time. If they discovered it, then so could someone else. The 'national security' danger is actually much higher with a compromised AES candidate, than with one that the NSA can break. [insert rant on infrastructural warfare]
Strong crypto is here to stay, and I think finally the NSA realises this. The US and others are all better off with strong crypto than without it.
As others have pointed out at other times, most crypto schemes fail due to weaknesses in implementation or human protocol reasons, not due to weaknesses in the underlying cypher, so there is still plenty of latitude for the NSA. Have you tempest hardened your PC lately? Checked your keyboard for surreptitious key-logging gear? Installed 24/7 armed security guards in the server room?
Is factoring numbers that useful for symmetric key encryption? I thought that this was mostly useful for breaking RSA and related public key encryption systems.
Re:let the cracking begin...
by milkman1 · Score: 3
Does no one read the errata for books before quoting them as truth. See:
http://www.counterpane.com/ac2errv30.html
* Page 157: The section on "Thermodynamic Limitations" is not quite correct. It requires kT energy to set or clear a single bit because these are irreversible operations. However, complementing a bit is reversible and hence has no minimum required energy. It turns out that it is theoretically possible to do any computation in a reversible manner except for copying out the answer. At this theoretical level, energy requirements for exhaustive cryptanalysis are therefore linear in the key length, not exponential.
..people working for government are no gods. They understand very well that if for any reason they discovered a weakness in the algorithm, they may very well expect somebody (probably some whiz kids in an ex-KGB lab) will find it out as well. They have no interest to offer a weak algorithm for a standard - well, if they do, they are dumber than I thought..
To spy on us there are many more methods than an encryption backdoor.
-- <^>_<(ô ô)>_<^>
Re: increasing security
by __aawsxp7741 · Score: 4
Secondly, if you increase the number of rounds in Rijndael you can effectively double the security, and even then it is still one of the fastest candidates in software.
Where did you get this? According to the paper, for the number of rounds specified, there is no known attack that is stronger than exhaustive key search. Hence, adding rounds will add nothing to security. You have to increase the key length to achieve this.
As others have pointed out at other times, most crypto schemes fail due to weaknesses in implementation or human protocol reasons, not due to weaknesses in the underlying cypher, so there is still plenty of latitude for the NSA. Have you tempest hardened your PC lately? Checked your keyboard for surreptitious key-logging gear? Installed 24/7 armed security guards in the server room?
Of course, the armed guards have to be sufficiently well-paid (and well-vetted). It's often even easier to compromise people than hardware.
I think Rijndael is the best candidate
by Kiwi · Score: 4
I feel that Rijndael (Google mirror, main page slashdotted) is the best candidate because it has the following advantages over the more popular Twofish:
Rijndael has better performance on hardware than Twofish.
Rijndael is more extensible. In addition to a variable key size, Rijndael has a variable block size.
I am very pleased to see Rijndael become the new AES standard.
BTW, you pronounce it "Rain Doll".
- Sam
--
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
Re:I think Rijndael is the best candidate
by Tower · Score: 2
>BTW, you pronounce it "Rain Doll".
As opposed to ridg-en-dale or free-beer?
--
"It's tough to be bilingual when you get hit in the head."
Have a look at this table from a paper by Arjen Lenstra and Eric Verheul. 128 bits of security should be more than enough until way beyond the year 2040 according to them.
Distributed.net would need 2^64 more times processor power to crack Rijndael than it needs to crack RC5-64... so don't expect that to happen soon.
More information can be found on the Rijndael algorithm here. This link includes a copy of the white paper on the algorithm in PDF format, as well as the source code.
Date sent: Mon, 2 Oct 2000 12:36:00 -0400 (AST)
From: Ian Grigg
To: cryptix-users@cryptix.org
Subject: Rijndael is GREEN
Copies to: coderpunks@toad.com, cryptography@c2.net, cypherpynks@cyberpass.net,
dbs@philodox.com, iang@systemics.com
Send reply to: iang@systemics.com
For Release 11.00 EDT Monday 2nd October 2000
Rijndael is GREEN
NIST chooses Rijndael as the Advanced Encryption Standard
Announced today in Washington, DC, the National Institute of Standards and Technology (NIST) has chosen Rijndael as the Advanced Encryption Algorithm for the 21st century.
Rijndael -- pronounced Rhine-Dahl -- is the creation of two Belgian cryptographers, Joan Daemen and Vincent Rijmen.
The Cryptix Development Team congratulates Vincent and Joan on their extraordinary achievement and announces the immediate release of the Cryptix JCE and Cryptix 3.2, both enabled with AES as Rijndael.
International Cryptoplumbing
An international team of open source crypto volunteers from The Cryptix Development Team supported the cryptographers participating in the NIST contest, efforts that were recognised with the award of a Certificate Of Appreciation from the United States Department Of Commerce.
Raif S. Naffah, from Australia, led the Cryptix AES Support Project which provided the Java code and tools for most finalists, including Rijndael, for submission to NIST.
Paulo Barreto, Brazilian mathematician and programmer, provided coding support for optimising Rijndael implementations; he has been coding and reviewing algorithms for the Belgian team for many years, including the predecessor to Rijndael, the Square cipher.
Free Crypto
Under the terms of the NIST contest, Rijndael is free and unencumbered for all purposes and all peoples. Cryptix developers have agreed to match this condition, and hereby place their Rijndael code in the public domain.
Normally, all Cryptix code is free for all purposes, but requires acknowledgement of The Cryptix Foundation as owners under an extremely liberal "BSD licence." Even this condition is now dropped for the Rijndael code, so that all commercial providers of Java cryptography, including Sun, Baltimore, RSA Labs, and IAIK, may quickly offer their customers the best code.
No Arms Race Need Apply
Cryptography has long been treated as a munition by the US government. Today's decision marks the end of an era stretching back to the days of Enigma and Magic intercepts. The new algorithm and the accompanying code base is absolutely unimpaired by political or commercial limitations.
As a science, cryptography is the special domain of mathematicians; formulas flow across borders as fast as emails. As an idea, the Rijndael cipher can be written out in 10 or so pages of paper, making it impermeable to regulations.
Fuel For The Revolution
As a tool, code for the new AES algorithm is less than 10,000 bytes, and thus cryptography slips into the average application with less implication on costs than the price of a new PC. As a building block, AES will help to fuel the new industrial revolution in electronic commerce. Ciphers such as Rijndael will keep valuable messages secure in the wild west of the Internet far better than the old methods of obscurity and regulation.
Released by The Cryptix Foundation Limited, a Nevis corporation dedicated to the spread of strong crypto.
Links:
NIST announces the winner of AES as Rijndael:
http://www.nist.gov/aes/
The Rijndael page of the Cryptography team, Joan Daemen and Vincent Rijmen:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
Cryptix places Rijndael code in public domain:
http://www.cryptix.org/aes/
Cryptix products JCE and Cryptix 3 now released with Rijndael as AES:
http://www.cryptix.org/news/02102000.html
http://www.cryptix.org/products/jce/index.html
http://www.cryptix.org/products/cryptix31/index.html
http://www.cryptix.org/products/aes/index.html
About The Rijndael Team
Dr Joan Daemen is currently employed by Proton World International. Dr Vincent Rijmen is a cryptography researcher with Katholieke Universiteit Leuven in Belgium.
About Cryptix
Java cryptography was first provided under the label of Cryptix in 1996. The Cryptix Development Team now includes crypto-plumbers -- programmers who work with the algorithms and ciphers of cryptographers to produce code and applications -- from 8 countries and publishes the most popular Java cryptography suite.
Cryptix products are generally published under the BSD licence, making them free for all purposes when used with due acknowledgement as to source. The Cryptix implementations of Rijndael, written as part of our AES support project, are now placed in the public domain so that all commercial suppliers can proceed to support the AES without having to give any acknowledgement.
About National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST), an agency of the U.S. Department Of Commerce, is charged by the US Congress with developing standards for industry. Many of its standards achieve world-wide acceptance, and the predecessor DES has been accepted as the de facto standard for encryption for three decades, albeit with much controversy.
About the Advanced Encryption Standard
In order to allay concerns of interference, NIST sponsored the open competition for the new algorithm, encouraging entries from around the world. Some 21 submissions were narrowed down to five finalists.
NIST encouraged competing cryptographers and the NSA (the world's largest employer of cryptographers and mathematicians) to critique the algorithms, building up a body of review that led to today's choice of the new standard.
End.
Re:let the cracking begin...
by Fizgig · Score: 2
Of course, perhaps Quantum computing may change some or all of this, but I am not qualified to comment on that.
I'm not either, but that won't stop me:)
Factoring a 256-bit number using Shor's algorithm for a quantum computer should take up to 769 qubits (we have, what, 5 or 7 so far?) and runs in O((lg n)^2 * lg lg n), which is O(really fast). For a 256-bit n the inner part works out to 524288, which doesn't tell you much but at least you can see it doesn't grow that fast.
Re:let the cracking begin...
by Anonymous Coward · Score: 5
The usual thermodynamic argument is simply incorrect. There is no lower limit to the energy required to perform an operation, as long as the operation is reversible. Ralph C. Merkle (from XEROX PARC) has done very recent work on this that raises the possibility of actually constructing such a computer, as opposed to the theoretical possibility of designing a computer that requires no energy to operate. You might also try the work of Samuel Olesky, Victor Chung, and W. Toynston, but their work tends to be much more technical. Schneier might be a good cryptographer, but he isn't a very good physicist (nor should he be expected to be). QC has nothing to do with this at all; an entirely classical computer can be made reversible.
To quote from Merkle's conclusion: "In summary, reversible computations are consistent with the basic laws of physics at a microscopic scale, while irreversible computations are in some sense fundamentally incompatible. The price we must pay for this incompatibility is heat. If we don't want to pay the price then we must learn to compute in harmony with the natural laws of physics, e.g., we must learn how to design reversible computers."
Quantum computing won't change this
by nestler · Score: 2
Quantum computing won't change this (in the foreseeable future) for two reasons:
# of Qubits
The current state of the art quantum computer does not have enough qubits to really do anything useful. The progress rate (how often the number of qubits is upped) is not fast, and I suspect it will slow at the larger numbers as it gets much harder to make sure that some cosmic ray doesn't hit your machine screwing it all up ("measuring" the state).
No quantum keysearch algorithm
Quantum computing isn't some silver bullet that solves every crypto problem instantly. Quantum computers are very fast at factoring and at taking discrete logarithms, which most modern public key algorithms are based on. However, to this day there aren't any general quantum algorithms for exhausting a keyspace quickly. Don't believe the inaccurate "does everything but in parallel" descriptions that the tech media keeps spouting off. It's not telling the whole story on how quantum algorithms work. To do things in parallel, the bogus answers (keys here) must cancel each other out (like in vector addition), leaving the real answer. You can't just say, "try all keys at once". It's not that simple.
Feynman wrote about reversible computing, too. (I really enjoyed reading a collection of his work called "The Physics of Computation.") From what I remember, reversible computing has no energy requirements as long as you're willing to wait arbitrarily long for the result. Since the computation is reversible, the computing process is as likely to go backwards as forwards without any driving force. So, if you actually want an answer within the lifetime of a universe, you do in fact need to use some energy. But IANA physicist, just married to one.
Re:Hooray for open source, but proceed cautiously
by CaseyB · Score: 2
I think this may have been falsely identified as a troll.
While most technically savvy readers know that public code review is more important for cryptographic systems than any other kind of software, I think that Froid is simply still in the "security through obscurity" frame of mind.
Rijndael -- pronounced Rhine-Dahl -- is the creation of two Belgian cryptographers, Joan Daemen and Vincent Rijmen.
Sounds like it's named that way to get Rijmen and Daemen in there.
Zombies heersen over Belgie!
(Zombies rule Belgium!) -- Zippy the Pinhead.
Re:let the cracking begin...
by Crixus · Score: 2
Any predictions on how long it will take someone to crack this encryption method? You can sure bet people will start trying!
Ciphers should always be attacked for weaknesses, and attacks on the 5 AES finalists began the moment they were submitted, and they will (and should) continue.
In its most secure implementation it's likely that key exhaustion is the only way to crack this one.
Rich...
-- Ignore Alien Orders
The NSA DID strengthen DES
by nweaver · Score: 5
The NSA tinkered with DES in two manners: changing the S-boxes and reducing the key length. Both of these actually were done to strengthen the algorithm.
The S-box changes were rather mysterious, and were the origin of major speculation on the NSA's motives. However, when differential cryptanalysis was discovered (about 15-20 years later), it was discovered that the S-box tweaks were specifically to strengthen DES against differential attacks. The NSA specifically modified the cypher to defend against a then publicly unknown attack.
The second, reducing the key size, happened to also coincide with the differential behavior of DES. The core of the algorithm itself is really only about 2^56, not 2^64 in terms of work to cryptanalyze. The key length was reduced to accurately reflect the other cost of breaking the algorithm.
Remember, the NSA has a STRONG interest in ensuring that the AES winner is a quality algorithm, since it will be used for secure but unclassified US government communications.[1] Also, while at the AES conference, talking with one of the NSA representatives, he was very happy with the security of all 5 algorithms and the process, that all the algorithms the NSA didn't like were eliminated in the first round.
[1] For classified systems, the NSA will still probably use their own algorithms, although this isn't surprising since the entire systems tend to be much more sophisticated in terms of system security. COTS solutions don't work for that market.
1. Rijndael is harder to implement than, say, Serpent, in my opinion.
I don't understand why you would say this: the Rijndael algorithm (just call it "rain-doll") is probably the second simplest AES algorithm to implement[1]. True, the paper can be a little bit confusing for an implementer (since it begins with the mathematical motivation), but the algorithm itself is incredibly easy: the S-box is a table lookup. The key addition is XOR. The row shift is just a byte manipulation. And the column mixing is simply 4 table lookups and XORs.
Compare this to Serpent, which requires a rather arcane set of S-box optimizations to run well, or the very complicated structures of Twofish or, god forbid, MARS.
[1] The only easier one is RC6, which has been described as something you can specify on a cocktail napkin.
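As an added illustration of the four operations the comment lists (not code from the thread, from Cryptix, or from the Rijndael authors), here is a compact AES-128 in Python written both round by round and in the T-table form in which SubBytes, ShiftRows and MixColumns of one column really do collapse to 4 lookups and XORs; the S-box is derived from the GF(2^8) inverse rather than copied in, and the result is checked against the FIPS-197 Appendix C.1 example vector.

```python
"""AES-128 (Rijndael, 128-bit block, 10 rounds) spelled out as the four operations
named in the thread, plus the T-table form in which SubBytes+ShiftRows+MixColumns
of one column become 4 lookups and XORs. State: 16 bytes, column-major, index 4*c + r."""
def xtime(a):
    """Multiply by x in GF(2^8) modulo the Rijndael polynomial x^8 + x^4 + x^3 + x + 1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):
    """General GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """Derive the S-box (GF(2^8) inverse, then the affine map) instead of hard-coding it."""
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):                  # 3 generates GF(2^8)*: exp/log tables
        exp[i], log[x], x = x, i, x ^ xtime(x)
    sbox = []
    for v in range(256):
        inv = exp[(255 - log[v]) % 255] if v else 0
        s = inv
        for i in range(1, 5):             # affine map: XOR of rotl(inv, i) for i = 1..4
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox
SBOX = build_sbox()

def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, laid out like the state."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                    # RotWord, SubWord, XOR round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def add_round_key(state, rk):             # key addition is just XOR
    return [s ^ k for s, k in zip(state, rk)]

def sub_bytes(state):                     # the S-box is a table lookup
    return [SBOX[b] for b in state]

def shift_rows(state):                    # row r rotates left by r: out[r][c] = in[r][(c + r) % 4]
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(state):
    """Multiply each column by the fixed circulant matrix with first row (2 3 1 1)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gmul(2, a0) ^ gmul(3, a1) ^ a2 ^ a3,
                a0 ^ gmul(2, a1) ^ gmul(3, a2) ^ a3,
                a0 ^ a1 ^ gmul(2, a2) ^ gmul(3, a3),
                gmul(3, a0) ^ a1 ^ a2 ^ gmul(2, a3)]
    return out

def encrypt_block(key, block):
    """Textbook round-by-round AES-128 encryption of one 16-byte block."""
    rks = expand_key(key)
    s = add_round_key(list(block), rks[0])
    for rnd in range(1, 11):
        s = shift_rows(sub_bytes(s))
        if rnd < 10:                      # the final round has no MixColumns
            s = mix_columns(s)
        s = add_round_key(s, rks[rnd])
    return bytes(s)

def build_ttables():
    """T[r][x]: MixColumns contribution of S[x] in row r, packed as a 32-bit column word."""
    cols = [[gmul(2, s), s, s, gmul(3, s)] for s in SBOX]   # matrix column 0 scaled by S[x]
    return [[int.from_bytes(bytes(c[-r:] + c[:-r] if r else c), "big") for c in cols]
            for r in range(4)]
TTABLES = build_ttables()

def encrypt_block_ttable(key, block):
    """Same cipher; each middle-round column is 4 table lookups and XORs with the round key."""
    rks = expand_key(key)
    s = add_round_key(list(block), rks[0])
    for rnd in range(1, 10):
        out = []
        for c in range(4):
            w = (TTABLES[0][s[4 * c]] ^ TTABLES[1][s[4 * ((c + 1) % 4) + 1]] ^
                 TTABLES[2][s[4 * ((c + 2) % 4) + 2]] ^ TTABLES[3][s[4 * ((c + 3) % 4) + 3]])
            out += list(w.to_bytes(4, "big"))
        s = add_round_key(out, rks[rnd])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), rks[10]))

def fips197_selftest():
    """Both forms must reproduce the AES-128 example vector from FIPS-197 Appendix C.1."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
    return encrypt_block(key, pt) == ct and encrypt_block_ttable(key, pt) == ct
```

The T-table variant is the one real implementations use for speed; note that its data-dependent table indices are exactly what makes cache-timing behaviour a concern on shared hardware, which is why constant-time implementations avoid it.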
From the Rijndael FAQ:
Can't you give it another name? (Propose it as a tweak!) Dutch is a wonderful language. Currently we are debating about the names "Herfstvrucht", "Angstschreeuw" and "Koeieuier". Other suggestions are welcome of course. Derek Brown, Toronto, Ontario, Canada, proposes "bob".
I second the call for "bob"! (although I would've supported "peter", too)
why twofish lost & rjindael won
by
konstant
·
· Score: 5
I'm really gratified by these results. Recently I was implementing all the major AES candidates (in C++) in order to find one that might solve a problem I was running up against at work. Of them all, the only one I really could understand was Rijndael (pronounced "Rhine Dale" btw).
For all the respect Schneier gets and deserves, Twofish is a horribly convoluted algorithm. They even had to publish a 200 page book explaining the damn thing, for God's sake, and even then the supposed experts who evaluated it for AES stated that they weren't confident they understood all its ins and outs.
Basically Rijndael is secure for two good reasons. The first is that mere humans like me can understand it, and that sort of simplicity means more probing minds, more redundant testing, and higher confidence of security. Not to mention easier implementation. Secondly, if you increase the number of rounds in Rijndael you can effectively double the security, and even then it is still one of the fastest candidates in software.
Twofish, RC6, Mars, etc. were basically all ego-gratification projects intended to maintain corporate visibility in the cryptography market. There really is no better advertisement for your services than saying that you wrote AES. Rijndael on the other hand was an act of love - some hacker in Europe figured he knew crypto as well as all the suits. Looks like he proved it, too.
-konstant
Yes! We are all individuals! I'm not!
Ok, NO brute force attack will crack a 256 bit key.
I resort once again to quoting Schneier, Applied Cryptography, Second Edition, pp. 157-158 (slightly edited):
"One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. ... an ideal computer running at 3.2deg Kelvin [temperature of the cosmic background radiation of the universe] would consume 4.4*10^-16 ergs every time it set or cleared a bit.
If we built a Dyson sphere around the sun and captured all of its energy for 32 years, without any loss, we could power a computer to count up to 2^192.
These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."
Of course, perhaps Quantum computing may change some or all of this, but I am not qualified to comment on that.
The press release says to pronounce it /Rhine-Dahl/
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
And if you're still hung up about it, I'll bet Twofish and Serpent are going to be around for a while. I might look at Twofish anyway for stuff I mess with.
----------
ah honey, we're all resplendent - Bill Mallonee
I didn't mean to imply that those algorithms were any the worse for their corporate backing. I only wanted to point out that the selection of Rijndael puts cryptography in the realm where it really belongs: academia and the public domain. Any one of the algorithms would have been a decent choice, but I found it pleasing that the non-corporate offering won out.
You don't have to be nasty about it. "Gratuitous drivel"??? What do you think Slashdot's all about man?
-konstant
Yes! We are all individuals! I'm not!
NIST is just down the street from where I work, so a co-worker and I crashed the press conference. After navigating the sprawling government expanse, we arrived at the lecture room only to be interrogated as to what press organization we were from. Mind you, showing up in t-shirts and shorts probably didn't help our credibility much, so I claimed that we were from Slashdot and we were allowed in with a shiny press kit. The small audience was divided up between press people and stiff-jawed types in conservative suits and ties (spooks). I can't decide, though, which group decided to stare more at our hacker apparel, wondering who let the 2 techies in. To NIST's credit, the evaluation of the various algorithms seems to have been done totally in the public eye. The analysis of the various candidate algorithms is supposedly posted publicly and the algorithms are royalty-free. Plus, no modifications were allowed to the algorithms, so it's fairly unlikely that the NSA got their fingers into it. To give props to SecurityFocus, a representative questioned the involvement of the NSA and asked why we should trust the government.
>Twofish, RC6, Mars, etc were basically all ego-gratification projects intended to maintain corporate visibility in the cryptography market
This is, to be polite, bs. Different cryptographic approaches merely reflect different "scientific" schools or preferences.
Pluses and minuses can exist in different proposals without them being easily attributable to gratuitous drivel from the peanut gallery.
ELITISM: It's always lonely at the top. Uninvited company is rarely welcome.
In addition to the open-ended key size of Rijndael, after reading the AES Round 1 report, it looks like smart card applications were a key consideration (possibly THE key?).
With smart cards, the issue is twofold. One, you need a small code footprint, which both Rijndael and TwoFish did satisfy. And, two, the main means to hack smart cards is via power/EMI analysis.
Any circuit draws power and puts out EMI with the switching of its gates. Since there are power draws when they switch, the two are usually intertwined. I am familiar with these because Theseus Logic's (my employer's) NCL (null convention logic) technology is ideal for smartcards because of its more uniform power (gates switch independently so they are not switching and drawing power at the same time), further resulting in a drastically reduced EMI signature compared to CBL (clocked boolean logic). In addition to being reduced, the power/EMI signature looks nothing like CBL's, and those years of learning what CBL circuits look like from a power/EMI standpoint are not applicable to NCL at all.
TwoFish uses a very predictable addition subroutine that would put out a regularly timed power/EMI signature. Rijndael seems to reduce its use of such easily identifiable operations (at least when analyzed under [6] in the report).
[ BTW, one thing I didn't understand was this statement about TwoFish: "During Round 1, there were a few concerns regarding the overall complexity of its design." Anyone know what they meant by this? ]
-- Bryan "TheBS" Smith
Independent Author, Consultant and Trainer
Cryptix releases its Java implementation of Rijndael in the public domain. The BSD-licensed Cryptix is also the first crypto toolkit that officially supports the AES.
Open source rules!
However, the AES paper talks about these reduced round variants saying,
They also note that since Rijndael had one of the simplest structures that it received a disproportionate amount of review downward biasing its security relative to other contenders. Twofish, for instance, on the other hand is very complicated, making analysis difficult during the timeframe of the AES development process.
Do you have any rational reason for preferring an algorithm that received very little cryptanalysis over one that received tons of it and was found that nothing short of a brute force search over its keyspace would suffice?
Government agencies and contracts are going to require AES. Large businesses are going to use AES. Everyone will use AES. That is why the AES panel had a vested interest in choosing the best algorithm. And they picked Rijndael. Having read their final report, unless you're a competent cryptanalyst (I don't know about you, but I'm not) I don't see any reason to doubt the competence of the AES selection panel or their final selection.
Although NIST is reasonably certain that Rijndael is secure with the specified number of rounds, this is no guarantee that it is this strong against future attacks. No proofs of its security were made, only assertions. It is possible that increasing the number of rounds would provide protection against future attacks.
<sigh>
Yes, but as someone else pointed out, in two-way communication, RSA (or something like it) is still typically used to pass the "session" keys that are used to do the block ciphering. No matter how good your block cipher is, it is still at the mercy of whatever you use to exchange the keys.
Free Hans!
For those who are interested in technical analysis, the NIST Report is online.
The basic gist of the report is that all algorithms are secure to NIST's comfort, with a large number of various details. The main reason for selecting Rijndael over the other algorithms came down to performance.
Whereas the other algorithms either ran well or poorly depending on the platform (Serpent poor in register-poor software and a large initial requirement for hardware, Twofish being very slow for software subkey generation, MARS requiring 32 bit multiply and having awful subkey generation, and RC6 also requiring 32 bit multiply and poor subkey generation), Rijndael runs well regardless of platform, be it hardware or software, smartcard microcontroller or IA64.
I also seriously doubt that the Hitachi patent claim had anything to do with the selection. It was not even mentioned in the IP section of the report, and was incredibly vague (Hitachi was claiming a patent on rotation in encryption. The Caesar cypher could probably be claimed as 2000-year-old prior art).
Nicholas C Weaver
nweaver@cs.berkeley.edu
Test your net with Netalyzr
How does it work? Does it translate everything into Dutch?
Or you could just call it "AES". At least, you can now. :)
It will probably be called "AES". Just as people call it "DES" instead of "Lucifer" (although in that case they really are different algorithms).
The guy I talked to who worked for the NSA on math/crypto said the NSA would not disclose any weakness they found, but they would advise NIST whether a given algorithm was good or bad. So, if you trust them (I do on this count), they would keep NIST from choosing a code they could crack, but not reveal how to do so.
It was supposed to go something like:
NIST: We have these 6 finalists. We think we would like to use #2.
NSA: You really don't want to do that.
NIST: Ok, how about #6?
NSA: Sounds good.
NIST: #6 it is!
The Hitachi patent claim basically covers combining the output of one stage with a bit-shifted copy of that same output to create a new output, in a reversible format.
i.e., they patented: a2 = a1 ^ ( a1 << 1 );
The patent examiner should be fired. His boss should be fired, and his boss, ad nauseam.
'course this is how things work today, so now we have an AES cipher with weaknesses especially suited to hardware cryptanalysis. Sure that was entirely coincidental.
Maybe the key 2^84-1 is equivalent to rot13?
Then don't use that key. If there are only a "few" (say 10 billion), the chance of selecting one of them randomly, is almost nil. Presumably the reviewers focused on checking for weak keys, among all the candidates.
"It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
The commentary by folks over at Counterpane (Bruce Schneier, et al) seems quite good. They say good things about Rijndael, regardless of whether they really wanted their own Twofish to win out.
-- "On second thought, let's not go there. 'Tis a silly place."
-- "On second thought, let's not go there. Camelot is a silly place."
Oops, I should have kept reading. The Report on the Development of the AES does have a statement that seems to indirectly reference Hitachi's patent claim: "After comments were analyzed, and the review process was completed, IP was not a factor in NIST's selection of the proposed AES algorithm."
Do you really think the NSA would tell the outside world if they discovered a weakness?
People thought the same thing about DES. It turned out that the NSA had indeed tweaked the algorithm: they made it stronger!, so it could resist an attack the outside world had not discovered yet.
wtf?
I seriously doubt the security establishment would allow the finalist to have a weakness that they discovered in what is really quite a short amount of time. If they discovered it, then so could someone else. The 'national security' danger is actually much higher with a compromised AES candidate than with one that the NSA can break. [insert rant on infrastructural warfare]
Strong crypto is here to stay, and I think finally the NSA realises this. The US and others are all better off with strong crypto than without it.
As others have pointed out at other times, most crypto schemes fail due to weaknesses in implementation or human protocol reasons, not due to weaknesses in the underlying cypher, so there is still plenty of latitude for the NSA. Have you tempest hardened your PC lately? Checked your keyboard for surreptitious key-logging gear? Installed 24/7 armed security guards in the server room?
Does no one read the errata for books before quoting them as truth? See:
http://www.counterpane.com/ac2errv30.html
* Page 157: The section on "Thermodynamic Limitations" is not quite correct. It requires kT energy to set or clear a single bit because these are irreversible operations. However, complementing a bit is reversible and hence has no minimum required energy. It turns out that it is theoretically possible to do any computation in a reversible manner except for copying out the answer. At this theoretical level, energy requirements for exhaustive cryptanalysis are therefore linear in the key length, not exponential.
urgh.. koeieuier.. it's even worse than zeeeend.
;) I wonder how english speakers would pronounce it...
it's also misspelt, and should be koeienuier in the new spelling.
//rdj.
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
... by the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure which chooses to refer to itself as "Bob" rather than "TACDFIPSFKMI". See here if you don't believe me. As they both have something to do with Federal crypto standards, it would be too confusing to have them both named "Bob".
To a Lisp hacker, XML is S-expressions in drag.
..people working for government are no gods. They understand very well that if for any reason they discovered a weakness in the algorithm, they may very well expect somebody (probably some whiz kids in an ex-KGB lab) will find it out as well. They have no interest in offering a weak algorithm for a standard - well, if they do, they are dumber than I thought.. To spy on us there are many more methods than an encryption backdoor.
<^>_<(ô ô)>_<^>
Of course, the armed guards have to be sufficiently well-paid (and well-vetted). It's often even easier to compromise people than hardware.
- Rijndael has better performance on hardware than Twofish.
- Rijndael is more extensible. In addition to a variable key size, Rijndael has a variable block size.
I am very pleased to see Rijndael become the new AES standard. BTW, you pronounce it "Rain Doll".
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
Have a look at this table from a paper by Arjen Lenstra and Eric Verheul. 128 bits of security should be more than enough until way beyond the year 2040 according to them.
Distributed.net would need 2^64 more times processor power to crack Rijndael than it needs to crack RC5-64... so don't expect that to happen soon.
More information can be found on the Rijndael algorithm here. This link includes a copy of the white paper on the algorithm in PDF format, as well as the source code.
From: Ian Grigg
To: cryptix-users@cryptix.org
Subject: Rijndael is GREEN
Copies to: coderpunks@toad.com, cryptography@c2.net, cypherpynks@cyberpass.net, dbs@philodox.com, iang@systemics.com
Send reply to: iang@systemics.com
For Release 11.00 EDT Monday 2nd October 2000
Rijndael is GREEN
NIST chooses Rijndael as the Advanced Encryption Standard
Announced today in Washington, DC, the National Institute of Standards and Technology (NIST) has chosen Rijndael as the Advanced Encryption Algorithm for the 21st century.
Rijndael -- pronounced Rhine-Dahl -- is the creation of two Belgian cryptographers, Joan Daemen and Vincent Rijmen.
The Cryptix Development Team congratulates Vincent and Joan on their extraordinary achievement and announces the immediate release of the Cryptix JCE and Cryptix 3.2, both enabled with AES as Rijndael.
International Cryptoplumbing
An international team of open source crypto volunteers from The Cryptix Development Team supported the cryptographers participating in the NIST contest, efforts that were recognised with the award of a Certificate Of Appreciation from the United States Department Of Commerce.
Raif S. Naffah, from Australia, led the Cryptix AES Support Project which provided the Java code and tools for most finalists, including Rijndael, for submission to NIST.
Paulo Barreto, Brazilian mathematician and programmer, provided coding support for optimising Rijndael implementations; he has been coding and reviewing algorithms for the Belgian team for many years, including the predecessor to Rijndael, the Square cipher.
Free Crypto
Under the terms of the NIST contest, Rijndael is free and unencumbered for all purposes and all peoples. Cryptix developers have agreed to match this condition, and hereby place their Rijndael code in the public domain.
Normally, all Cryptix code is free for all purposes, but requires acknowledgement of The Cryptix Foundation as owners under an extremely liberal "BSD licence." Even this condition is now dropped for the Rijndael code, so that all commercial providers of Java cryptography, including Sun, Baltimore, RSA Labs, and IAIK, may quickly offer their customers the best code.
No Arms Race Need Apply
Cryptography has long been treated as a munition by the US government. Today's decision marks the end of an era stretching back to the days of Enigma and Magic intercepts. The new algorithm and the accompanying code base is absolutely unimpaired by political or commercial limitations.
As a science, cryptography is the special domain of mathematicians; formulas flow across borders as fast as emails. As an idea, the Rijndael cipher can be written out in 10 or so pages of paper, making it impermeable to regulations.
Fuel For The Revolution
As a tool, code for the new AES algorithm is less than 10,000 bytes, and thus cryptography slips into the average application with less implication on costs than the price of a new PC. As a building block, AES will help to fuel the new industrial revolution in electronic commerce. Ciphers such as Rijndael will keep valuable messages secure in the wild west of the Internet far better than the old methods of obscurity and regulation.
Released by The Cryptix Foundation Limited, a Nevis corporation dedicated to the spread of strong crypto.
Links:
NIST announces the winner of AES as Rijndael:
http://www.nist.gov/aes/
The Rijndael page of the Cryptography team, Joan Daemen and Vincent Rijmen:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
Cryptix places Rijndael code in public domain:
http://www.cryptix.org/aes/
Cryptix products JCE and Cryptix 3 now released with Rijndael as AES:
http://www.cryptix.org/news/02102000.html
http://www.cryptix.org/products/jce/index.html
http://www.cryptix.org/products/cryptix31/index.html
http://www.cryptix.org/products/aes/index.html
About The Rijndael Team
Dr Joan Daemen is currently employed by Proton World International. Dr Vincent Rijmen is a cryptography researcher with Katholieke Universiteit Leuven in Belgium.
About Cryptix
Java cryptography was first provided under the label of Cryptix in 1996. The Cryptix Development Team now includes crypto-plumbers -- programmers who work with the algorithms and ciphers of cryptographers to produce code and applications -- from 8 countries and publishes the most popular Java cryptography suite.
Cryptix products are generally published under the BSD licence, making them free for all purposes when used with due acknowledgement as to source. The Cryptix implementations of Rijndael, written as part of our AES support project, are now placed in the public domain so that all commercial suppliers can proceed to support the AES without having to give any acknowledgement.
About National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST), an agency of the U.S. Department Of Commerce, is charged by the US Congress with developing standards for industry. Many of its standards achieve world-wide acceptance, and the predecessor DES has been accepted as the de facto standard for encryption for three decades, albeit with much controversy.
About the Advanced Encryption Standard
In order to allay concerns of interference, NIST sponsored the open competition for the new algorithm, encouraging entries from around the world. Some 21 submissions were narrowed down to five finalists.
NIST encouraged competing cryptographers and the NSA (the world's largest employer of cryptographers and mathematicians) to critique the algorithms, building up a body of review that led to today's choice of the new standard.
End.
Of course, perhaps Quantum computing may change some or all of this, but I am not qualified to comment on that.
:)
I'm not either, but that won't stop me
Factoring a 256-bit number using Shor's algorithm for a quantum computer should take up to 769 qubits (we have, what, 5 or 7 so far?) and runs in O((lg n)^2 * lg lg n), which is O(really fast). For a 256-bit n the inner part works out to 524288, which doesn't tell you much but at least you can see it doesn't grow that fast.
The usual thermodynamic argument is simply incorrect. There is no lower limit to the energy required to perform an operation, as long as the operation is reversible. Ralph C. Merkle (from XEROX PARC) has done very recent work on this that raises the possibility of actually constructing such a computer, as opposed to the theoretical possibility of designing a computer that requires no energy to operate. You might also try the work of Samuel Olesky, Victor Chung, and W. Toynston, but their work tends to be much more technical. Schneier might be a good cryptographer, but he isn't a very good physicist (nor should he be expected to be). QC has nothing to do with this at all; an entirely classical computer can be made reversible.
To quote from Merkle's conclusion: "In summary, reversible computations are consistent with the basic laws of physics at a microscopic scale, while irreversible computations are in some sense fundamentally incompatible. The price we must pay for this incompatibility is heat. If we don't want to pay the price then we must learn to compute in harmony with the natural laws of physics, e.g., we must learn how to design reversible computers."
The current state of the art quantum computer does not have enough qubits to really do anything useful. The progress rate (how often the number of qubits is upped) is not fast, and I suspect it will slow at the larger numbers as it gets much harder to make sure that some cosmic ray doesn't hit your machine screwing it all up ("measuring" the state).
Quantum computing isn't some silver bullet that solves every crypto problem instantly. Quantum computers are very fast at factoring and at taking discrete logarithms, which most modern public key algorithms are based on. However, to this day there aren't any general quantum algorithms for exhausting a keyspace quickly. Don't believe the inaccurate "does everything but in parallel" descriptions that the tech media keeps spouting off. It's not telling the whole story on how quantum algorithms work. To do things in parallel, the bogus answers (keys here) must cancel each other out (like in vector addition), leaving the real answer. You can't just say, "try all keys at once". It's not that simple.
Feynman wrote about reversible computing, too. (I really enjoyed reading a collection of his work called "The Physics of Computation.") From what I remember, reversible computing has no energy requirements as long as you're willing to wait arbitrarily long for the result. Since the computation is reversible, the computing process is as likely to go backwards as forwards without any driving force. So, if you actually want an answer within the lifetime of a universe, you do in fact need to use some energy. But IANA physicist, just married to one.
While most technically savvy readers know that public code review is more important for cryptographic systems than any other kind of software, I think that Froid is simply still in the "security through obscurity" frame of mind.
Square was the predecessor to Rijndael: it had some vulnerabilities which Rijndael was designed to correct.
Nicholas C Weaver
nweaver@cs.berkeley.edu
Test your net with Netalyzr
Can't you give it another name ? (Propose it as a tweak !)
Dutch is a wonderful language. Currently we are debating about the names "Herfstvrucht", "Angstschreeuw" and "Koeieuier". Other suggestions are welcome of course. Derek Brown, Toronto, Ontario, Canada, proposes "bob".
I second the call for "bob"! (although I would've supported "peter", too)
I'm really gratified by these results. Recently I was implementing all the major AES candidates (in C++) in order to find one that might solve a problem I was running up against at work. Of them all, the only one I really could understand was Rijndael (pronounced "Rhine Dale", btw).
For all the respect Schneier gets and deserves, Twofish is a horribly convoluted algorithm. They even had to publish a 200-page book explaining the damn thing, for God's sake, and even then the supposed experts who evaluated it for AES stated that they weren't confident they understood all its ins and outs.
Basically Rijndael is secure for two good reasons. The first is that mere humans like me can understand it, and that sort of simplicity means more probing minds, more redundant testing, and higher confidence of security. Not to mention easier implementation. Secondly, if you increase the number of rounds in Rijndael you can effectively double the security, and even then it is still one of the fastest candidates in software.
Twofish, RC6, MARS, etc. were basically all ego-gratification projects intended to maintain corporate visibility in the cryptography market. There really is no better advertisement for your services than saying that you wrote AES. Rijndael, on the other hand, was an act of love: some hacker in Europe figured he knew crypto as well as all the suits. Looks like he proved it, too.
-konstant
Yes! We are all individuals! I'm not!
I resort once again to quoting Schneier, Applied Cryptography, Second Edition, pp. 157-158 (slightly edited):
"One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information.
... an ideal computer running at 3.2deg Kelvin [temperature of the cosmic background radiation of the universe] would consume 4.4*10^-16 ergs every time it set or cleared a bit.
If we built a Dyson sphere around the sun and captured all of its energy for 32 years, without any loss, we could power a computer to count up to 2^192.
These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."
Of course, perhaps quantum computing may change some or all of this, but I am not qualified to comment on that.
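The arithmetic behind the quoted figures, as an added example that is not part of the thread or of Schneier's book: Boltzmann's constant times 3.2 K gives the 4.4*10^-16 erg per bit figure (the quote uses kT; the Landauer bound proper is kT ln 2, included for comparison), and the sun's output over 32 years gives the 2^192 count. The solar luminosity (the IAU nominal 3.828*10^26 W) and the year length are assumptions the text does not state; the script also turns the bound around to show how many years of the sun's entire output a 2^256 count would need.

```python
"""Thermodynamic brute-force bound from the quoted passage.  Added example,
not from the thread; physical constants are assumptions noted below."""
import math

K_BOLTZMANN_ERG_PER_K = 1.380649e-16        # erg per kelvin (CODATA 2018, exact)
T_CMB_K = 3.2                               # temperature used in the quote
SOLAR_LUMINOSITY_ERG_PER_S = 3.828e33       # assumed: IAU nominal 3.828e26 W
SECONDS_PER_YEAR = 365.25 * 86400           # assumed: Julian year


def energy_per_bit_erg(temperature_k=T_CMB_K, include_ln2=False):
    """Minimum energy to set or clear one bit.  The quote uses kT;
    the Landauer limit is kT ln 2."""
    e = K_BOLTZMANN_ERG_PER_K * temperature_k
    return e * math.log(2) if include_ln2 else e


def dyson_budget_erg(years):
    """All of the sun's output, captured without loss, for the given years."""
    return SOLAR_LUMINOSITY_ERG_PER_S * SECONDS_PER_YEAR * years


def bits_countable(years, temperature_k=T_CMB_K, include_ln2=False):
    """log2 of the highest value a counter could reach on that energy budget."""
    return math.log2(dyson_budget_erg(years)
                     / energy_per_bit_erg(temperature_k, include_ln2))


def years_for_keyspace(key_bits, temperature_k=T_CMB_K, include_ln2=False):
    """Years of the sun's whole output needed merely to count to 2**key_bits."""
    ops = 2.0 ** key_bits
    return ops * energy_per_bit_erg(temperature_k, include_ln2) / dyson_budget_erg(1)


if __name__ == "__main__":
    print(f"energy per bit at {T_CMB_K} K: {energy_per_bit_erg():.2e} erg (kT), "
          f"{energy_per_bit_erg(include_ln2=True):.2e} erg (kT ln 2)")
    print(f"32 years of Dyson sphere: 2^{bits_countable(32):.1f} operations")
    for bits in (128, 192, 256):
        print(f"counting to 2^{bits}: {years_for_keyspace(bits):.2e} years of solar output")
```

The kT figure reproduces Schneier's 4.4*10^-16 erg and 2^192 almost exactly; the ln 2 factor buys about half a bit. The 128-bit line is the useful contrast: the same energy budget counts through 2^128 in well under a second, so the thermodynamic argument says nothing about 128-bit keys and everything about 256-bit ones, which is why the quote singles out 256-bit keys.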