Slashdot Mirror


Rijndael Picked for AES

^BR writes "Rijndael, the Belgian candidate algorithm for AES, has won the competition. It has just been announced by NIST. The scoop. Too bad for Twofish and Serpent." More info should appear at the NIST AES website soon.

23 of 142 comments

  1. Reasons for the selection by XNormal · · Score: 3

    It's quite likely that the reason for the selection has nothing to do with cryptography or any other technically relevant reason.

    Hitachi has a patent which all finalists but Rijndael appear to infringe. Given the fact that Twofish, Serpent and Rijndael are all very secure, efficient to implement on all relevant platforms and are more or less the same on all other technical issues the determining factor is probably the patent issue.

    Quite depressing, actually.

    (BTW, it's not just me saying that all three would have made a great AES; many of the contestants themselves have said so).

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  2. For crying out loud - shut up about backdoors by ruebarb · · Score: 3

    The whole purpose of this open standard competition was to expose the algorithms to everyone. This isn't just the NSA - every development team that developed an algorithm was composed of some of the best cryptographers around (including guys like Bruce Schneier).

    Then, after developing their algorithms, all these developers spent their spare time trying to break everyone else's implementation. The algorithms were open to everyone, and in some cases, they were effectively knocked out of the competition by weaknesses in their implementation.

    I realize there are exceptions and the NSA has behaved badly in the past, but read what this competition was about and how it was run. This was probably the best peer-reviewed encryption scheme/contest/implementation ever run, and anyone with a decent knowledge of encryption can look at the algorithm and decide for themselves how secure it is. (Trolls talking out of their ass won't know it, but the experts will.)

    And if you're still hung up about it, I'll bet Twofish and Serpent are going to be around for awhile. I might look at Twofish anyway for stuff I mess with.

    --
    ah honey, we're all resplendent - Bill Mallonee
  3. First Hand Report by bde123 · · Score: 5

    NIST is just down the street from where I work, so a co-worker and I crashed the press conference. After navigating the sprawling government expanse, we arrived at the lecture room only to be interrogated as to what press organization we were from. Mind you, showing up in t-shirts and shorts probably didn't help our credibility much, so I claimed that we were from Slashdot and we were allowed in with a shiny press kit. The small audience was divided up between press people and stiff-jawed types in conservative suits and ties (spooks). I can't decide, though, which group decided to stare more at our hacker apparel, wondering who let the 2 techies in. To NIST's credit, the evaluation of the various algorithms seems to have been done totally in the public eye. The analysis of the various candidate algorithms is supposedly posted publicly and the algorithms are royalty-free. Plus, no modifications were allowed to the algorithms, so it's fairly unlikely that the NSA got their fingers into it. To give props to SecurityFocus, a representative questioned the involvement of the NSA and asked why we should trust the government.

  4. Smart card applications the key consideration? by BitMan · · Score: 5

    In addition to the open-ended key size of Rijndael, after reading the AES Round 1 report, it looks like smart card applications were a key consideration (possible THE key?).

    With smart cards, the issue is twofold. One, you need a small code footprint, which both Rijndael and TwoFish did satisfy. And, two, the main means to hack smart cards is via power/EMI analysis.

    Any circuit draws power and puts out EMI with the switching of its gates. Since there are power draws when they switch, the two are usually intertwined. I am familiar with these because Theseus Logic's (my employer's) NCL (null convention logic) technology is ideal for smartcards because of its more uniform power (gates switch independently so they are not switching and drawing power at the same time), further resulting in a drastically reduced EMI signature compared to CBL (clocked boolean logic). In addition to being reduced, the power/EMI signature looks nothing like CBL, and those years of learning what CBL circuits look like from a power/EMI standpoint are not applicable to NCL at all.

    TwoFish uses a very predictable addition subroutine that would put out a regularly timed power/EMI signature. Rijndael seems to reduce its use of such easily identifiable operations (at least when analyzed under [6] in the report).

    [ BTW, one thing I didn't understand was this statement about TwoFish: "During Round 1, there were a few concerns regarding the overall complexity of its design." Anyone know what they meant by this? ]

    -- Bryan "TheBS" Smith
    Independent Author, Consultant and Trainer
  5. Public domain Java implementation by iXus · · Score: 3

    Cryptix releases its Java implementation of Rijndael into the public domain. The BSD-licensed Cryptix is also the first crypto toolkit that officially supports the AES.

    Open source rules!

  6. Rationale for Rijndael by nweaver · · Score: 4

    For those who are interested in technical analysis, the NIST Report is online.

    The basic gist of the report is that all algorithms are secure to NIST's comfort, with a large number of various details. The main reason for selecting Rijndael over the other algorithms came down to performance.

    Whereas the other algorithms either ran well or poorly depending on the platform (Serpent poor in register-poor software and a large initial requirement for hardware, Twofish being very slow for software subkey generation, MARS requiring 32 bit multiply and having awful subkey generation, and RC6 also requiring 32 bit multiply and poor subkey generation), Rijndael runs well regardless of platform, be it hardware or software, smartcard microcontroller or IA64.

    I also seriously doubt that the Hitachi patent claim had anything to do with the selection. It was not even mentioned in the IP section of the report, and was incredibly vague (Hitachi was claiming a patent on rotation in encryption. The Caesar cipher could probably be claimed as 2000-year-old prior art).


    Nicholas C Weaver
    nweaver@cs.berkeley.edu

    --
    Test your net with Netalyzr
  7. Re:I think Rijndael is the best candidate by slickwillie · · Score: 5

    How does it work? Does it translate everything into Dutch?

  8. Good commentary from Counterpane by Eck · · Score: 3

    The commentary by folks over at Counterpane (Bruce Schneier, et al) seems quite good. They say good things about Rijndael, regardless of whether they really wanted their own Twofish to win out.

  9. Re: Rijndael Picked for AES by AnUnnamedSource · · Score: 3
    Now that No Such Agency has found a way to crack it. ;-)

    -- "On second thought, let's not go there. 'Tis a silly place."


  10. Re:From the Cryptix List by iXus · · Score: 3

    Do you really think the NSA would tell the outside world if they discovered a weakness?

    People thought the same thing about DES. It turned out that the NSA had indeed tweaked the algorithm: they made it stronger, so it could resist an attack the outside world had not discovered yet.

  11. Re:From the Cryptix List by Vryl · · Score: 3
    This is a good point. NSA paranoia is all good and proper, but moderated with some common sense, please.

    I seriously doubt the security establishment would allow the finalist to have a weakness that they discovered in what is really quite a short amount of time. If they discovered it, then so could someone else. The 'national security' danger is actually much higher with a compromised AES candidate than with one that the NSA can break. [insert rant on infrastructural warfare]

    Strong crypto is here to stay, and I think finally the NSA realises this. The US and others are all better off with strong crypto than without it.

    As others have pointed out at other times, most crypto schemes fail due to weaknesses in implementation or human protocol reasons, not due to weaknesses in the underlying cypher, so there is still plenty of latitude for the NSA. Have you tempest hardened your PC lately? Checked your keyboard for surreptitious key-logging gear? Installed 24/7 armed security guards in the server room?

  12. Re:let the cracking begin... by milkman1 · · Score: 3

    Does no one read the errata for books before quoting them as truth? See:
    http://www.counterpane.com/ac2errv30.html

    * Page 157: The section on "Thermodynamic Limitations" is not quite correct. It requires kT energy to set or clear a single bit because these are irreversible operations. However, complementing a bit is reversible and hence has no minimum required energy. It turns out that it is theoretically possible to do any computation in a reversible manner except for copying out the answer. At this theoretical level, energy requirements for exhaustive cryptanalysis are therefore linear in the key length, not exponential.

  13. Unfortunately, "Bob" is already taken... by alispguru · · Score: 3

    ... by the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure which chooses to refer to itself as "Bob" rather than "TACDFIPSFKMI". See here if you don't believe me. As they both have something to do with Federal crypto standards, it would be too confusing to have them both named "Bob".

    --

    To a Lisp hacker, XML is S-expressions in drag.
  14. Re: increasing security by __aawsxp7741 · · Score: 4
    "Secondly, if you increase the number of rounds in Rijndael you can effectively double the security, and even then it is still one of the fastest candidates in software."
    Where did you get this? According to the paper, for the number of rounds specified, there is no known attack that is stronger than exhaustive key search. Hence, adding rounds will add nothing to security. You have to increase the key length to achieve this.
  15. I think Rijndael is the best candidate by Kiwi · · Score: 4
    I feel that Rijndael (Google mirror, main page slashdotted) is the best candidate because it has the following advantages over the more popular Twofish:
    • Rijndael has better performance on hardware than Twofish.
    • Rijndael is more extensible. In addition to a variable key size, Rijndael has a variable block size.
    I am very pleased to see Rijndael become the new AES standard.

    BTW, you pronounce it "Rain Doll".

    - Sam

    --

    The secret to enjoying Slashdot is to realize that it should not be taken too seriously.

  16. More information by fremen · · Score: 5

    More information can be found on the Rijndael algorithm here. This link includes a copy of the white paper on the algorithm in PDF format, as well as the source code.

  17. From the Cryptix List by Vryl · · Score: 5
    Date sent: Mon, 2 Oct 2000 12:36:00 -0400 (AST)
    From: Ian Grigg
    To: cryptix-users@cryptix.org
    Subject: Rijndael is GREEN
    Copies to: coderpunks@toad.com, cryptography@c2.net, cypherpynks@cyberpass.net, dbs@philodox.com, iang@systemics.com
    Send reply to: iang@systemics.com

    For Release 11.00 EDT Monday 2nd October 2000

    Rijndael is GREEN

    NIST chooses Rijndael as the Advanced Encryption Standard

    Announced today in Washington, DC, the National Institute of Standards and Technology (NIST) has chosen Rijndael as the Advanced Encryption Algorithm for the 21st century.

    Rijndael -- pronounced Rhine-Dahl -- is the creation of two Belgian cryptographers, Joan Daemen and Vincent Rijmen.

    The Cryptix Development Team congratulates Vincent and Joan on their extraordinary achievement and announces the immediate release of the Cryptix JCE and Cryptix 3.2, both enabled with AES as Rijndael.

    International Cryptoplumbing

    An international team of open source crypto volunteers from The Cryptix Development Team supported the cryptographers participating in the NIST contest, efforts that were recognised with the award of a Certificate Of Appreciation from the United States Department Of Commerce.

    Raif S. Naffah, from Australia, led the Cryptix AES Support Project which provided the Java code and tools for most finalists, including Rijndael, for submission to NIST.

    Paulo Barreto, Brazilian mathematician and programmer, provided coding support for optimising Rijndael implementations; he has been coding and reviewing algorithms for the Belgian team for many years, including the predecessor to Rijndael, the Square cipher.

    Free Crypto

    Under the terms of the NIST contest, Rijndael is free and unencumbered for all purposes and all peoples. Cryptix developers have agreed to match this condition, and hereby place their Rijndael code in the public domain.

    Normally, all Cryptix code is free for all purposes, but requires acknowledgement of The Cryptix Foundation as owners under an extremely liberal "BSD licence." Even this condition is now dropped for the Rijndael code, so that all commercial providers of Java cryptography, including Sun, Baltimore, RSA Labs, and IAIK, may quickly offer their customers the best code.

    No Arms Race Need Apply

    Cryptography has long been treated as a munition by the US government. Today's decision marks the end of an era stretching back to the days of Enigma and Magic intercepts. The new algorithm and the accompanying code base is absolutely unimpaired by political or commercial limitations.

    As a science, cryptography is the special domain of mathematicians; formulas flow across borders as fast as emails. As an idea, the Rijndael cipher can be written out in 10 or so pages of paper, making it impermeable to regulations.

    Fuel For The Revolution

    As a tool, code for the new AES algorithm is less than 10,000 bytes, and thus cryptography slips into the average application with less implication on costs than the price of a new PC. As a building block, AES will help to fuel the new industrial revolution in electronic commerce. Ciphers such as Rijndael will keep valuable messages secure in the wild west of the Internet far better than the old methods of obscurity and regulation.

    Released by The Cryptix Foundation Limited, a Nevis corporation dedicated to the spread of strong crypto.

    Links:

    NIST announces the winner of AES as Rijndael:

    http://www.nist.gov/aes/

    The Rijndael page of the Cryptography team, Joan Daemen and Vincent Rijmen:

    http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

    Cryptix places Rijndael code in public domain:

    http://www.cryptix.org/aes/

    Cryptix products JCE and Cryptix 3 now released with Rijndael as AES:

    http://www.cryptix.org/news/02102000.html

    http://www.cryptix.org/products/jce/index.html

    http://www.cryptix.org/products/cryptix31/index.html

    http://www.cryptix.org/products/aes/index.html

    About The Rijndael Team

    Dr Joan Daemen is currently employed by Proton World International. Dr Vincent Rijmen is a cryptography researcher with Katholieke Universiteit Leuven in Belgium.

    About Cryptix

    Java cryptography was first provided under the label of Cryptix in 1996. The Cryptix Development Team now includes crypto- plumbers -- programmers who work with the algorithms and ciphers of cryptographers to produce code and applications -- from 8 countries and publishes the most popular Java cryptography suite.

    Cryptix products are generally published under the BSD licence, making them free for all purposes when used with due acknowledgement as to source. The Cryptix implementations of Rijndael, written as part of our AES support project, are now placed in the public domain so that all commercial suppliers can proceed to support the AES without having to give any acknowledgement.

    About National Institute of Standards and Technology

    The National Institute of Standards and Technology (NIST), an agency of the U.S. Department Of Commerce, is charged by the US Congress with developing standards for industry. Many of its standards achieve world-wide acceptance, and the predecessor DES has been accepted as the de facto standard for encryption for three decades, albeit with much controversy.

    About the Advanced Encryption Standard

    In order to allay concerns of interference, NIST sponsored the open competition for the new algorithm, encouraging entries from around the world. Some 21 submissions were narrowed down to five finalists.

    NIST encouraged competing cryptographers and the NSA (the world's largest employer of cryptographers and mathematicians) to critique the algorithms, building up a body of review that led to today's choice of the new standard.

    End.

  18. Re:let the cracking begin... by Anonymous Coward · · Score: 5

    The usual thermodynamic argument is simply incorrect. There is no lower limit to the energy required to perform an operation, as long as the operation is reversible. Ralph C. Merkle (from XEROX PARC) has done very recent work on this that raises the possibility of actually constructing such a computer, as opposed to the theoretical possibility of designing a computer that requires no energy to operate. You might also try the work of Samuel Olesky, Victor Chung, and W. Toynston, but their work tends to be much more technical. Schneier might be a good cryptographer, but he isn't a very good physicist (nor should he be expected to be). QC has nothing to do with this at all; an entirely classical computer can be made reversible.

    To quote from Merkle's conclusion: "In summary, reversible computations are consistent with the basic laws of physics at a microscopic scale, while irreversible computations are in some sense fundamentally incompatible. The price we must pay for this incompatibility is heat. If we don't want to pay the price then we must learn to compute in harmony with the natural laws of physics, e.g., we must learn how to design reversible computers."

  19. The NSA DID strengthen DES by nweaver · · Score: 5

    The NSA tinkered with DES in two manners: Changing the S-boxes and reducing the key length. Both of these actually were done to strengthen the algorithm.

    The S-box changes were rather mysterious, and were the origin of major speculation on the NSA's motives. However, when differential cryptanalysis was discovered (about 15-20 years later), it was discovered that the S-box tweaks were specifically to strengthen DES against differential attacks. The NSA specifically modified the cipher to defend against a then publicly unknown attack.

    The second, reducing the key size, happened to also coincide with the differential behavior of DES. The core of the algorithm itself is really only about 2^56, not 2^64, in terms of work to cryptanalyze. The key length was reduced to accurately reflect the other cost of breaking the algorithm.

    Remember, the NSA has a STRONG interest in ensuring that the AES winner is a quality algorithm, since it will be used for secure but unclassified US government communications.[1] Also, while at the AES conference, talking with one of the NSA representatives, he was very happy with the security of all 5 algorithms and the process, in that all the algorithms the NSA didn't like were eliminated in the first round.

    [1] For classified systems, the NSA will still probably use their own algorithms, although this isn't surprising since the entire systems tend to be much more sophisticated in terms of system security. COTS solutions don't work for that market.


    Nicholas C Weaver
    nweaver@cs.berkeley.edu

    --
    Test your net with Netalyzr
  20. Re:Encryption Blues by nweaver · · Score: 4

    "1. Rijndael is harder to implement than, say Serpent, in my opinion."

    I don't understand why you would say this: the Rijndael algorithm (just call it "rain-doll") is probably the second simplest AES algorithm to implement[1]. True, the paper can be a little bit confusing for an implementer (since it begins with the mathematical motivation), but the algorithm itself is incredibly easy: the S-box is a table lookup. The key addition is XOR. The row shift is just a byte manipulation. And the column mixing is simply 4 table lookups and XORs.

    Compare this to Serpent, which requires a rather arcane set of sbox optimizations to run well, or the very complicated structures of Twofish or, glod forbid, MARS.

    [1] The only easier one is RC6, which has been described as something you can specify on a cocktail napkin.


    Nicholas C Weaver
    nweaver@cs.berkeley.edu

    --
    Test your net with Netalyzr
  21. bob? Sounds great! by BMazurek · · Score: 5
    From the Rijndael FAQ:
    Can't you give it another name ? (Propose it as a tweak !)
    Dutch is a wonderful language. Currently we are debating about the names "Herfstvrucht", "Angstschreeuw" and "Koeieuier". Other suggestions are welcome of course. Derek Brown, Toronto, Ontario, Canada, proposes "bob".

    I second the call for "bob"! (although I would've supported "peter", too)

  22. why twofish lost & rjindael won by konstant · · Score: 5

    I'm really gratified by these results. Recently I was implementing all the major AES candidates (in C++) in order to find one that might solve a problem I was running up against at work. Of them all, the only one I really could understand was Rijndael (pronounced "Rhine Dale" btw).

    For all the respect Schneier gets and deserves, Twofish is a horribly convoluted algorithm. They even had to publish a 200 page book explaining the damn thing, for god's sake, and even then the supposed experts who evaluated it for AES stated that they weren't confident they understood all its ins and outs.

    Basically Rijndael is secure for two good reasons. The first is that mere humans like me can understand it, and that sort of simplicity means more probing minds, more redundant testing, and higher confidence of security. Not to mention easier implementation. Secondly, if you increase the number of rounds in Rijndael you can effectively double the security, and even then it is still one of the fastest candidates in software.

    Twofish, RC6, Mars, etc. were basically all ego-gratification projects intended to maintain corporate visibility in the cryptography market. There really is no better advertisement for your services than saying that you wrote AES. Rijndael on the other hand was an act of love - some hacker in Europe figured he knew crypto as well as all the suits. Looks like he proved it, too.


    -konstant
    Yes! We are all individuals! I'm not!

  23. Re:let the cracking begin... by Vryl · · Score: 4
    Ok, NO brute force attack will crack a 256 bit key.

    I resort once again to quoting Schneier, Applied Cryptography, Second Edition, pp. 157-158 (slightly edited):

    "One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information.
    ... an ideal computer running at 3.2deg Kelvin [temperature of the cosmic background radiation of the universe] would consume 4.4*10^-16 ergs every time it set or cleared a bit.
    If we built a Dyson sphere around the sun and captured all of its energy for 32 years, without any loss, we could power a computer to count up to 2^192.
    These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."

    Of course, perhaps Quantum computing may change some or all of this, but I am not qualified to comment on that.