AES Finalists, Round 2
James Morris writes "NIST has announced the AES finalists for round two. (AES is a new data encryption scheme intended to replace DES.) The finalists are MARS (IBM), RC6 (RSA), Rijndael (Joan Daemen and Vincent), Serpent (Ross Anderson, Eli Biham and Lars Knudsen) and Twofish (Bruce Schneier and friends)." While this is the second round, the choosing of a finalist is still quite a ways off.
Re:IDEA is fine, it's DES they're replacing... (Score:2)
Obviously you're unfamiliar with the BuBBE algorithm. Blocks of ciphertext include reminders to not tell anyone your passwords, to overwrite plaintext and to eat your soup before it gets cold and ruined (in high security environments, the default exception for gazpacho is no longer allowed).
There is a downside to this of course. You have to encrypt/decrypt messages at least once a day, and otherwise be a mensch to your software. If you don't, the whole algorithm gets farbissine, and that would be bad for you, you schlemazel.
Re:What happened to... (Score:1)
If you'd like to keep track of happenings in the crypto world, read the Cryptogram:
http://www.counterpane.com/crypto-gram.html
--
3DES effective keysize (Score:1)
DES is the world's most thoroughly examined algorithm and has had no successful attacks against it (save for brute force and ignorance). 3DES is still a very good choice for an algorithm, due to (a) the large effective keysize and (b) the incredible scrutiny which it has passed.
Schneier himself has said that if you're really paranoid about security, use 3DES instead of Blowfish, IDEA or anything else.
Re:Why did they pick weak cyphers? (Score:1)
Zimmerman is not a cryptanalyst or cryptographer, incidentally. He (formerly) wrote applications to implement established cryptography algorithms. He's certainly very knowledgeable, but since he doesn't have a background in either creating ciphers or breaking them, I don't think his opinion carries very much weight as to whether or not CAST is secure.
PDF files are trivially easy to generate. If Hasty Pudding's authors submitted their algorithm in straight ASCII when the committee specified PDF as the format, then it's the fault of the Hasty Pudding team. Don't complain about the existence of reasonable rules; don't complain about people enforcing reasonable rules. Complain about the people who don't comply with reasonable rules.
Re:3DES effective keysize (Score:1)
---SSSS------L---------OOOO-----W---------W---!
--SS---------L-------OO----OO----W-------W----!
----SSS------L------O--------O----W-W-W-W-----!
-------SS----L-------OO----OO------W-W-W-------
----SSSS-----LLLLLL----OOOO---------W-W-------!
Block Cipher Lounge (Score:2)
Re:how sad... (Score:1)
I hold it that a little rebellion, now and then, is a good thing...
Re:Choice of PDF as file format. (Score:1)
Choice of PDF as file format. (Score:2)
I'm not convinced that requiring PDF is a reasonable rule; it offers few if any advantages over other formats. There is little in crypto design documents that requires total control over presentation, so e.g. HTML would have done just as well, and be a whole lot less to download for us poor folks in countries where bandwidth costs real money.
From NIST, being a body concerned with standards, I would find a requirement for documentation submitted in an official standard format (say SGML or XML) more logical than a requirement for a de-facto format like PDF.
Re:Where's Microsoft "Research"? (Score:1)
Are they just trying to stop anyone else having any ideas by putting the brains out to graze? Your guess is as good as mine.
--
Go Twofish Go! (Score:1)
I personally am rooting for twofish because:
1) It doesn't come from a company.
2) It has a really cool name (down with TLA's!)
There's something ironically appealing about a heavy-duty piece of (weapons-grade?) crypto with "fish" in the name. Then there is the whole seussian angle...
But I wonder what happened to the other fishes?
"One fish, two fish,
red fish, blue fish".
--Lenny
They didn't pick weak ciphers. (Score:1)
CAST-256 wasn't chosen because of its mediocre performance and large ROM requirements on smartcards. It's the predecessor, CAST-128, that's now used in PGP. Note that although CAST is proven secure against certain classes of attack, it's also proven that you can build a weak cipher which passes the same tests.
HPC was never a serious contender: it's a bad performer on all platforms except 64-bit microprocessors, and it's too weird to be analysed in the time available.
This contest will have advanced the art of block cipher design and analysis whoever wins, and we'll have gained some damn good ciphers in the process.
--
Re:Why a new block cipher (Score:1)
Re:Why did they pick weak cyphers? (Score:1)
The AES contest was good because we now have a bunch of fairly secure algorithms out in the public; not all of them are as secure as some, but none of them is totally weak either. The 5 finalists are 5 fine algorithms that are put together by some of the foremost experts in the field. Being created by Eli Biham, Don Coppersmith or Ron Rivest is about as good a pedigree as you can get in the cryptography business, aside from an NSA stamp which approves your cipher for classified top secret military use.
Re:This truly is news for nerds (Score:1)
As with every other good public key algorithm, it's slow on large integers. (The reason is the reduction modulo the big composite number.)
Man in the middle attacks aren't bad if you can have a trusted third party (SSL uses certs generated by primarily Verisign) verify the public keys and server certs.
AES has to have a variable key size [128, 192, 256] (with all foreseeable computation ability, 128 will be all that is ever needed).
256 bit keys are a bit silly.. The 1157920892373161954235709850086879078532699846656
(4.2486779507765473608e56?) years..
Besides, if people want your information, they sure as heck won't be dumb enough to attack the algorithm. People fail long before the math does.
Re:IDEA is fine, it's DES they're replacing... (Score:1)
That's schlemiel to you, bub. Now watch out or I'll spill soup on you.
You mean women like Dorothy. Yea BABY Yea! (Score:1)
when around TRUE MINDS like Bruce.
I would expect a weakness/atrophy starting opposite the direction that BEN FRANKLIN speaks highly of "In praise of older women", that would be far worse than simple weakness in the knees,
when faced with THE (blue/red) BOOK AUTHOR.
The record speaks volumes about the condition of the mind end, which lost so much, for such a pointless reason, and for what?
To work as a paid consultant for the SDMI klan?
Go TwoFish! (Score:1)
This truly is news for nerds (Score:1)
Rijndael or Twofish will win. (Score:1)
I used to think Twofish was the guaranteed winner, but these days I'm inclined more towards Rijndael, which achieves its flexibility in rather simpler ways. Note that Rijndael uses fewer rounds, but every round changes the entire block.
Surprised that MARS made it through. It's fast and clever and designed by Don Coppersmith who was one of the primary DES designers, but it's also pretty weird; of the sixteen rounds, eight are unkeyed mixing stages.
--
Re:New Encryption Names anyone? (Score:1)
New Encryption Names anyone? (Score:1)
I wanna see encryption coming from "Uranus"
or how about "REALLY BIG, REALLY STRONG"
anyone else got any ideas?
Why we want a patented algorithm to win (Score:1)
Actually, I had a talk with Jennifer Seberry and Josef Pieprzyk, two of the designers of the LOKI97 algorithm which didn't make it through the first round. They anticipated the outcome of the first round and expected either MARS or RC6 to win.
Americans, being Americans, will never actually choose a non-US algorithm as the AES (soon to be mis-named American Encryption Standard), but Rijndael may hang around for embedded devices, etc. where it is particularly efficient.
Just thought I'd share my few bits.
IDEA has a 64-bit blocksize, and RSA (Score:1)
There are *many* alternative public key systems; RSA is just the best known, not the fastest or most secure. But there can't be a mathematical solution to the man-in-the-middle attack because it's at least partly a political problem: who's the "legitimate" owner of a particular IP address/section of DNS address space, and who do you trust to certify it?
In practice DNSSEC would do a lot to address this, but it isn't getting implemented due to the usual crypto stupidity reasons.
--
Re:Choice of PDF as file format. (Score:1)
Really, the main issue is fonts - mathematical symbols that either won't exist or will have different mappings dependent on platform.
That leaves PDF... There are free tools available to create PDF files, so it's not like you need to spend extra money or anything.
My 2 cents
Why a new block cipher (Score:1)
come up with something a little better than RSA.. Public key encryption is a wonderful science but when you're talking about a possible
man in the middle attack you still have to rely on a trusted signature or a "known" host key
There are two things that make the proposed AES algorithms better than IDEA or Blowfish or triple-DES. No-one has actually broken them, but the art of cipher design has marched onwards.
1) Speed. Each of the algorithms that are left is faster than Blowfish, which is faster than IDEA, which is faster than tri-DES.
2) The block-size. All the old, well-known ciphers work on 64-bit blocks. This is becoming too small. You start having problems with block-replay attacks and generally leaking information at a few gigabytes. My reference is at home, so I can't give the exact number. The AES candidates have a 128-bit block-size and this should never become a problem for them.
As for improving public-key cryptography, there are certain limits to what can theoretically be done. You always need some "secret" information, i.e. a private RSA/ElGamal/Schnorr/whatever key or a shared secret key for a symmetric cipher. If you suddenly connect to a box (with ssh) or want to send mail to someone (and are using pgp/gpg) you need something to "grab onto". What we really need is some sort of huge authentication framework. In fact, what we need is the pgp web of trust, but with everyone in it.
Also, IDEA is patented. Are you sure you weren't confusing it with Blowfish?
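The block-size point above (information leaking after a few gigabytes under one key) is the birthday bound on CBC ciphertext blocks. As an added example that is not part of the original thread, the following Python shrinks the block to 16 bits, using a keyed random permutation as a stand-in for an ideal cipher, so the collision appears after a few hundred blocks instead of a few gigabytes, and then scales the same formula to 64- and 128-bit blocks. The toy block size, seed and block count are assumptions chosen for the demonstration.

```python
import random
from math import log, sqrt

BLOCK_BITS = 16          # toy size chosen for the demo; real ciphers use 64 or 128
MASK = (1 << BLOCK_BITS) - 1


def birthday_bytes(block_bits: int, probability: float = 0.5) -> float:
    """Bytes of CBC ciphertext under one key before two ciphertext blocks
    collide with the given probability (birthday bound):
    n_blocks ~ sqrt(2 * 2^b * ln(1/(1-p))), times the block size in bytes."""
    n_blocks = sqrt(2.0 * (2 ** block_bits) * log(1.0 / (1.0 - probability)))
    return n_blocks * (block_bits / 8)


def make_toy_cipher(key: int) -> list:
    """Keyed random permutation of all 2^16 blocks: a stand-in for an ideal
    block cipher (E_k is a bijection, so equal outputs imply equal inputs).
    Demo-only; not a real cipher."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(key).shuffle(table)
    return table


def cbc_encrypt(table: list, iv: int, blocks: list) -> list:
    """Textbook CBC: C_i = E_k(P_i XOR C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        c = table[(p ^ prev) & MASK]
        out.append(c)
        prev = c
    return out


def find_collision(ciphertext: list):
    """Index pair (i, j), i < j, of the first repeated ciphertext block, or None."""
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None


def leaked_xor(ciphertext: list, iv: int, i: int, j: int) -> int:
    """What an observer learns from C_i == C_j: since E_k is a bijection,
    P_i XOR C_{i-1} == P_j XOR C_{j-1}, hence P_i XOR P_j == C_{i-1} XOR C_{j-1}.
    Only ciphertext and the IV are used; no key material is involved."""
    prev_i = iv if i == 0 else ciphertext[i - 1]
    prev_j = iv if j == 0 else ciphertext[j - 1]
    return prev_i ^ prev_j


def demo(seed: int = 1234, n_blocks: int = 2000):
    """Encrypt constructed random plaintext, locate a collision, and check that
    the recovered P_i XOR P_j equals the real plaintext XOR. Returns
    (i, j, verified) or None if no collision occurred."""
    rng = random.Random(seed)
    table = make_toy_cipher(rng.getrandbits(64))
    iv = rng.getrandbits(BLOCK_BITS)
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    ciphertext = cbc_encrypt(table, iv, plaintext)
    hit = find_collision(ciphertext)
    if hit is None:
        return None
    i, j = hit
    recovered = leaked_xor(ciphertext, iv, i, j)
    return i, j, recovered == (plaintext[i] ^ plaintext[j])


if __name__ == "__main__":
    print("collision (i, j, leak verified):", demo())
    for bits in (64, 128):
        gib = birthday_bytes(bits) / 2 ** 30
        print(f"{bits}-bit blocks: ~{gib:.3g} GiB under one key before a 50% collision")
```

With 2000 blocks of 16 bits a repeat is essentially certain (about 2^8 blocks are expected), and the XOR of the two plaintext blocks falls out of ciphertext alone. Run the formula at 64 bits and the 50% point lands in the tens of gigabytes, which is the "few gigabytes" figure the post could not look up; at 128 bits it is beyond 10^20 bytes, which is why a 128-bit block removes the practical concern.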
What happened to... (Score:1)
Any ideas?
Re:Why a new block cipher (Score:1)
Re:3DES effective keysize (Score:1)
I also tried to lick it open. But that didn't work.
Re:Rijndael or Twofish will win. (Score:1)
I'm serious about Rijndael (Score:1)
"Rijndael
Major security gaps: none known
Minor general security gaps: none known
Advantages:
a. Excellent performance across platforms
b. Good security margin
[...snip 6 other advantages...]
Disadvantages: no significant disadvantages"
Note further that Rijndael is the *only* one of the 15 candidates not to rate a single entry in the "Disadvantages" field.
I don't know what you mean about the "number of cycles". If you mean "rounds", then Twofish uses 16 rounds and Mars 32. Rijndael uses between 10 and 14 rounds depending on key size, but remember that each of those rounds transforms the *entire* block, not half as in Twofish.
I like Twofish a lot, and wouldn't be surprised to see it win, but the more I look at Rijndael the more I like it.
All of the other candidates have serious disadvantages on some platform or other. Twofish's biggest disadvantage is its complexity, though there are some neat things about it, especially the key schedule which is a real advance in crypto technology.
--
Re:Rijndael or Twofish will win. (Score:2)
--
IDEA is fine, it's DES they're replacing... (Score:1)
And you're right, no crypto is strong enough to protect you from some attacks (e.g. Social Engineering...)