AES Algorithm Coming Soon
Anonymous Coward writes: "The National Institute of Standards and Technology (NIST) will announce the winner of the Advanced Encryption Standard competition on Oct. 2 at 11:00 am (Eastern Standard Time). This algorithm is going to be the new government standard, so it's worth checking the page out. Following the announcement a report on the AES development efforts will be released on the NIST AES webpage. The NIST Advanced Encryption Standard page can be found at http://www.nist.gov/aes."
Because it is in the direct interest.. (Score:1)
Because secure cryptosystems are in the best interest of all but a few parties in the US government (*cough* 1/2 of the NSA *cough* CIA *cough*). The Federal Reserve, for example, depends on a secure banking system, and DES and 3DES aren't cutting it.
Also, part of the point of this algorithm is that custom (read NSA designed) cryptographic hardware is expensive to make. Since the AES winner will be blessed by the NSA for secure governmental transactions in nonclassified systems, it is expected/hoped that the US government will be able to get secure cryptosystems for much lower costs.
Remember that 1/2 of the NSA is in charge of ensuring that US Government communications ARE secure; they are greatly interested in AES being a success.
Nicholas C Weaver
nweaver@cs.berkeley.edu
The real winner... (Score:1)
serpent (Score:1)
algorithm in hardware, and the second fastest in software on the IA-64 architecture. Above all, Serpent should be chosen because it's the most secure of the candidates."
I believe they are right.
Serpent has already been implemented in hardware, and your palm/phone/watch is where you want it, as well as big hulking systems. Yes, Twofish is nice, but then how about getting it into everything, umm, hardware?
My hope is Serpent.
regards
john jones
(a dyslexic, so please don't moan about the spelling but the content)
Re:Twofish (Score:3)
Nicholas C Weaver
nweaver@cs.berkeley.edu
Can the NSA/GCHQ fuck this contest up? (Score:1)
Why they are replacing DES (Score:2)
Of this I have no doubt. DES will be around for a long time, simply because it is so common, and common things are slow to become replaced.
But Triple DES is probably considered the most secure algorithm currently available...
This isn't saying much. In many government circles, you either use 3DES or... DES.
(again, because it has stood up to extreme pressure to "crack it")
As you noted, the problems with 3DES are more with the unwieldiness of it than with the security properties of the algorithm itself.
3DES is basically a hack to work around the limitations of a crummy algorithm by running it through the process multiple times. This makes it an expensive algorithm to implement. Cycles spent running DES multiple times would be better spent on a more secure algorithm.
It is like saying your '57 Cadillac still runs fine. Even if it does, a newer car will be much easier to deal with and much cheaper to operate.
Re:AES = Audio Engineering Society (Score:1)
Re:AES in OpenPGP (Score:2)
Still, it would be cool to put it in GPG before anyone else implements it.
Re:Algorithm(s) - MARS? (Score:1)
Re:Algorithm(s) - MARS? (Score:2)
Well, not really. I'm not a fan of MARS because I think it's big and slow. I don't mind the slow too much, but the *big* I do mind. IIRC the sample hardware implementation of MARS was like 2x the size of the other candidates.
I guess this is mainly an aesthetic complaint: I don't like MARS because it looks ugly to me, but the ugliness is actually based upon a real property of the algorithm. At the end of the day, the simpler algorithm will be more likely to be correctly implemented. I like clear and simple; MARS seems to be the least clear and simple of all the 2nd round algorithms.
That being said, if MARS wins, I'll use it: I don't think it's without merit, it just seems worse than the other finalists.
best wishes,
Mike.
They forgot one... (Score:3)
They forgot one encryption standard: Slashdot trolls!
It is an exciting new algorithm that automatically selects a random number from 1 to 5 then maps a phrase to it from memory:
1 - Natalie Portman
2 - Hot grits
3 - Beowulf cluster
4 - Penis bird
5 - F1rst P057!
Because it uses the innovative security precaution of making the output irrelevant to the input data, there is absolutely no risk of decryption, even if nobody intercepts the message in transit and the recipient has the passphrase. Here is an example:
INPUT: AES algorithm coming soon!
OUTPUT: F1rst P057!
INPUT: Alpha system with 256GB Ram!
OUTPUT: But how meny Penis birds does it support?
etc, etc...
Michael
...another comment from Michael Tandy.
Re:How fast will DES be phased out? (Score:2)
Triple DES is slow (in software), and has some cumbersome key properties, as well as only 64 bit blocks. So they are replacing it with something that MIGHT be more secure (most likely). But Triple DES is probably considered the most secure algorithm currently available (again, because it has stood up to extreme pressure to "crack it").
Re:How fast will DES be phased out? (Score:2)
I think it boils down to this: you have to find out about your customer's migration plan first. DES will be around for a while longer, yet.
Re:Unchristian algorithm (Score:2)
Um, the cipher they selected for DES was originally called Lucifer...
A shiver down the spine (Score:1)
Just because we don't want anyone to be able to use good crypto, doesn't mean we're bad guys. We just want you to use our systems..."
Coincidence is the Superstition of Science
Re:My bet... (Score:2)
Another TLA then? (Score:1)
Re:Open Standards Seting Activity (Score:1)
Of course, there's no way for them to address patents that are granted after AES has already been selected, and given the stupidity of the patent office these days, you can bet that this will happen...
--
THE CHOICE WAS RIJNDAEL (Score:2)
Erm, that's all......
Ack! Her! (Score:1)
Rijndael was chosen (Score:2)
Re:Algorithm(s) (Score:1)
If it's meant to be exportable then you can bet that the algorithm that gets selected will be one that the NSA knows how to crack with minimal effort. There's no way in hell they'd allow a standard that they couldn't crack to be approved by the U.S. Government.
As for the patent issue, the statement issued by NIST seems to imply that they won't initiate antitrust proceedings against anyone who has disclosed patent interests in the selected algorithm. I have a strong suspicion that the algorithm selected will have at least one big, disclosed patent against it. As with RSA, such a patent will hamper the standard from being adopted universally, which will be "good for National Security"...
--
It's Rijndael! (Score:1)
Twofish (Score:1)
It's good that it is completely open, so there can be no patenting problems.
This is good news if the winner becomes all round accepted
My bet... (Score:2)
I'll bet it's Rijndael.
Any takers?
Open Standards Seting Activity (Score:3)
NIST reminds all interested parties that the adoption of AES is being conducted as an open standards-setting activity....it may seek redress under the antitrust laws of the United States against any party in the future who might seek to exercise patent rights against any user of AES that have not been disclosed to NIST in response to this request for information.
Algorithm(s) (Score:3)
Likely winners:
Twofish (fast in s/w)
Serpent (solid)
Rijndael
Unlikely (IMHO)
MARS (eugh!)
RC6 (weak)
Whoever wins *should* be a net win for us all. These are all meant to be free and exportable (importable in some cases, as they aren't all US ciphers).
best wishes,
Mike.
Re:Algorithm(s) (Score:1)
Good point... the notice on NIST only states that any submitters must IDENTIFY to them any patents or inventions required, and warns against pursuing any patent rights that aren't disclosed....
So I hope that they will be weighing the openness or willingness of any patent holders to release the patents in their decisions...
which do you choose ?
A patented system that has much higher tech merit, or a weaker, but open or openable system.
Re:Twofish (Score:2)
> Serpent would be my third choice, but it's too slow compared to the others.
Serpent OTOH still looks very secure. Serpent is indeed slow in software, but damn fast in hardware. I would trade the increasingly less-of-a-problem software speed for the increase in known security.
best wishes,
Mike
Re:Twofish (Score:2)
That's not exactly an unbiased source. 128-bit Rijndael (with 10 rounds) can be attacked faster than brute force and distinguished from a random permutation in 6 and 7 rounds respectively, while 256-bit Rijndael (with 14 rounds) can be distinguished from a random permutation faster than brute force in 9 rounds. Rijndael is extremely hardware friendly and parallelizable in software, so increasing the number of rounds by 2, (10,12,14) -> (12,14,16), or even to (14,16,18), should be more than enough to alleviate any concerns.
Re:Algorithm(s) (Score:2)
OTOH, I expect whatever wins to be attacked by anyone that has a vaguely related patent. It'll be worth a lot of money...
best wishes,
Mike.
Re:Twofish (Score:5)
It is. That would be my second choice, after Rijndael.
From what I've read, Twofish doesn't stand up to differential power analysis as well as Rijndael does, and is not quite as smartcard-friendly. Rijndael may also work better on future parallel computers. Rijndael is slightly smaller, faster, etc, etc. AFAICS Rijndael slightly edges out Twofish in nearly every category.
Twofish is American though, which may make a difference.
Serpent would be my third choice, but it's too slow compared to the others. Mars is too complex. RC6 is too dependent on rotations.
I can't remember the details, but whoever wins is not allowed to milk it even if they have patents. It's one of the stipulations for all AES candidates (but it only applies to the one that wins).
Of course, it's possible they might select more than one algorithm...
Unchristian algorithm (Score:1)
I mean, isn't the religious right going to protest over the name (which is, obviously, a sign of an unchristian algorithm as well)? And you know how much political weight they carry, especially now before the elections.
One more that should have made the list: (Score:1)
after your private information is treated with CmdrTaco's spelling, timothy's grammar, and Jon Katz's writing style, who could possibly hope to understand it?
Bruce
Rijndael not as good as it looks (Score:1)
The Twofish Team's Final Comments on AES Selection, http://www.counterpane.com/twofish-final.html
Rijndael is faster than both Twofish and Serpent, but this is mostly attributable to the reduced number of rounds it implements.
For the AES to remain dependable over the next 20 years+, given projected advances in cryptanalysis, this presents a significant risk. Rijndael with more rounds will be safer, but much slower (80% slower at 18 rounds than at the current 10).
Serpent is a very conservative design, but is also quite slow. Twofish presents the middle ground in most people's estimation.
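The round-count arguments in this post, and in the earlier reply proposing to bump Rijndael from (10,12,14) to (12,14,16) rounds, are easier to weigh with the actual schedule in front of you. What follows is an added example written for this page; it is not code from NIST, from the Rijndael designers, or from any poster in the thread. It is a small pure-Python Rijndael/AES block encryptor whose round count defaults to the rule later fixed in FIPS-197 (Nr = Nk + 6, so 128/192/256-bit keys give 10/12/14 rounds) but can be overridden, so the cost of extra rounds can be measured directly. The function names (rounds_for_key, expand_key, encrypt_block) are this example's own, and the S-box is derived from the field arithmetic rather than pasted in.

```python
"""Pure-Python Rijndael/AES (128-bit block) with a configurable round count.

Added example for this thread, not code from NIST, the Rijndael authors or
any poster. Teaching implementation only: table-driven, not constant-time,
not for production. Default round counts follow Nr = Nk + 6 (FIPS-197).
"""


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """Derive the S-box: multiplicative inverse in GF(2^8), then the affine map."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):          # 3 generates the multiplicative group of GF(2^8)
        exp[i], log[x] = x, i
        x = _gf_mul(x, 3)
    sbox = [0] * 256
    for a in range(256):
        inv = 0 if a == 0 else exp[(255 - log[a]) % 255]
        s = inv
        for shift in range(1, 5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[a] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def rounds_for_key(key_len_bytes):
    """Standard round count: Nr = Nk + 6, Nk = key length in 32-bit words."""
    if key_len_bytes not in (16, 24, 32):
        raise ValueError("AES keys are 128, 192 or 256 bits")
    return key_len_bytes // 4 + 6


def expand_key(key, rounds):
    """Expand `key` into rounds+1 round keys of 16 bytes (column-major, like the state)."""
    nk = len(key) // 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)                 # keeps going for non-standard round counts
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]                # extra SubWord for 256-bit keys
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]


def _sub_bytes(s):
    return [SBOX[b] for b in s]


def _shift_rows(s):
    # state byte (row r, column c) lives at s[r + 4*c]; row r rotates left by r
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [
            _gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
            _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2),
        ]
    return out


def _add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]


def encrypt_block(key, block, rounds=None):
    """Encrypt one 16-byte block; rounds=None selects the standard 10/12/14."""
    if len(block) != 16:
        raise ValueError("Rijndael as AES uses a 128-bit block")
    if rounds is None:
        rounds = rounds_for_key(len(key))
    rk = expand_key(bytes(key), rounds)
    s = _add_round_key(list(block), rk[0])
    for r in range(1, rounds):
        s = _add_round_key(_mix_columns(_shift_rows(_sub_bytes(s))), rk[r])
    s = _add_round_key(_shift_rows(_sub_bytes(s)), rk[rounds])  # final round: no MixColumns
    return bytes(s)


if __name__ == "__main__":
    # FIPS-197 Appendix C vectors: key 00 01 02 ..., plaintext 00 11 22 ... ff
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    for nbytes in (16, 24, 32):
        key = bytes(range(nbytes))
        print(nbytes * 8, "bit key,", rounds_for_key(nbytes), "rounds:",
              encrypt_block(key, pt).hex())
```

Each extra round is one more SubBytes/ShiftRows/MixColumns/AddRoundKey pass plus four more key-schedule words, which is why the "rounds + 2" proposal costs roughly 20 percent on a 10-round cipher and why 18 rounds lands near the 80 percent figure quoted above; timing encrypt_block with rounds=10 against rounds=18 on the same key shows the same shape, although absolute numbers from this unoptimised Python are far from the hardware and assembly figures the AES submissions reported. Note that outputs with a non-standard round count are, by construction, not interoperable with anything else.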
Re:Twofish (Score:1)
1) Monday is not the final step. NIST will announce their encryption algorithm selection, which will be proposed for the Advanced Encryption Standard as a replacement for DES. There will be public commentary on their proposal, and we should have an official standard by next summer.
2) The new algorithm will be both faster and contain more key bits (choice of 128, 192 or 256) than either DES or Triple-DES. Hopefully over time no flaws will be discovered....
3) See http://www.nist.gov/aes/ for information on viewing the webcast.
--Neal
AES in OpenPGP (Score:4)
It might be nice publicity stunt to release a special version of GnuPG (1.0.4?) with AES support within seconds of the official announcement.
----
How fast will DES be phased out? (Score:1)
Problem is... I am designing some hardware right now to enable hardware assist to SSL, and 3DES is still considered a strong encryption. Depending on the AES selected, I may have the chance of replacing the DES engine with an AES one. Depends on the area required to implement in silicon, and how fast it can run.
However, if DES will still be useful once this choice is made, I've already put a lot into this design. Your insights are appreciated.
Note to Digital Convergence (Score:3)
Re:Twofish (Score:4)
It's completely irrelevant how biased they are; I wasn't referencing their work as a groundless opinion. I was referencing their paper "The Twofish Team's Final Comments on AES Selection", submitted in the round 2 comments stage, which you should read. This isn't a question of the Blowfish team saying "la la la - Rijndael sucks"; it's a case of them doing the analysis, showing why they think it has problems, and publishing the results and the reasoning.
I agree that with modifications Rijndael can be made more secure. In fact, why not just scrap all the entries and say "let's start all over again with more secure versions"? It could go on forever. I think NIST should be choosing the most secure algorithms *entered*, and that isn't Rijndael.
my 0.02,
Mike.
It's hard to see the point (Score:1)
Why would the US government want to promote the use of an encryption algorithm it couldn't crack? Haven't been following the candidates, but the winner should be interesting.