AES Finalists, Round 2

James Morris writes "NIST has announced the AES finalists for round two. (AES is a new data encryption scheme intended to replace DES). The finalists are MARS (IBM), RC6 (RSA), Rijndael (Joan Daemen and Vincent), Serpent (Ross Anderson, Eli Biham and Lars Knudsen) and Twofish (Bruce Schneier and friends). " While this is the second round, the choosing of a finalist is still quite a ways off.
  • And you're right, no crypto is strong enough to protect you from some attacks (e.g. Social Engineering...)

    Obviously you're unfamiliar with the BuBBE algorithm. Blocks of ciphertext include reminders to not tell anyone your passwords, to overwrite plaintext and to eat your soup before it gets cold and ruined (in high security environments, the default exception for gazpacho is no longer allowed).

    There is a downside to this of course. You have to encrypt/decrypt messages at least once a day, and otherwise be a mensch to your software. If you don't, the whole algorithm gets farbissine, and that would be bad for you, you schlemazel.

  • That was a public key method, a bit faster but no big deal. This competition is for secret key algorithms, a whole different ball game.

    If you'd like to keep track of happenings in the crypto world, read the Cryptogram:
  • 3DES is based on 56-bit keys, but it has the equivalent of between 112 and 114 bits of keysize (depending on who you talk to). A 112-bit key is pretty darn tootin' good.

    DES is the world's most thoroughly examined algorithm and has had no successful attacks against it (save for brute force and ignorance). 3DES is still a very good choice for an algorithm, due to (a) the large effective keysize and (b) the incredible scrutiny which it has passed.

    Schneier himself has said that if you're really paranoid about security, use 3DES instead of Blowfish, IDEA or anything else.
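    The "112 bits, not 168" figure in the comment above comes from the meet-in-the-middle attack on a two-key cascade. Added example (not from any poster here, and not DES): a constructed 16-bit add-rotate-xor toy cipher with 12-bit keys stands in for the block cipher, and the attack recovers both keys of a double encryption in about 2^13 cipher calls instead of the 2^24 a naive key search over both keys would need. The cipher, key sizes and the secret keys and plaintexts in `demo()` are all assumptions made for illustration.

```python
"""Meet-in-the-middle on a double-encryption cascade.

Added example, not from the thread.  The toy cipher is a constructed 16-bit
ARX permutation with a 12-bit key standing in for DES; the attack is the one
that limits double-DES (and three-key 3DES) to roughly one key length of extra
security instead of two.
"""
BLOCK_MASK = 0xFFFF          # 16-bit blocks
KEY_BITS = 12                # 4096 keys per cipher instance
ROUND_CONST = (0x0000, 0x5A5A, 0xA5A5, 0x3C3C)


def _round_key(key: int, r: int) -> int:
    # odd multiplier keeps distinct keys distinct mod 2^16
    return (key * (r + 1) * 0x9E37) & BLOCK_MASK


def toy_encrypt(block: int, key: int) -> int:
    """Four add-rotate-xor rounds; every step is a bijection on 16-bit values."""
    x = block & BLOCK_MASK
    for r in range(4):
        k = _round_key(key, r)
        x = (x + k) & BLOCK_MASK
        x = ((x << 5) | (x >> 11)) & BLOCK_MASK   # rotate left 5
        x ^= k ^ ROUND_CONST[r]
    return x


def toy_decrypt(block: int, key: int) -> int:
    """Exact inverse of toy_encrypt: undo the rounds in reverse order."""
    x = block & BLOCK_MASK
    for r in reversed(range(4)):
        k = _round_key(key, r)
        x ^= k ^ ROUND_CONST[r]
        x = ((x >> 5) | (x << 11)) & BLOCK_MASK   # rotate right 5
        x = (x - k) & BLOCK_MASK
    return x


def double_encrypt(block: int, k1: int, k2: int) -> int:
    """The cascade the attacker faces: E_k2(E_k1(P)), nominally 24 key bits."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from a few known (plaintext, ciphertext) pairs.

    Tabulate E_k1(P0) for every k1 (2^12 encryptions), then for every k2 compute
    D_k2(C0) and look it up (2^12 decryptions).  Each hit is a candidate key pair;
    the remaining pairs weed out false matches.  Total work is about 2^13 cipher
    calls plus a 2^12-entry table, not 2^24: the cascade bought roughly one extra
    key bit, not twelve.
    """
    (p0, c0), *rest = pairs
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
    for k2 in range(1 << KEY_BITS):
        mid = toy_decrypt(c0, k2)
        for k1 in table.get(mid, ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                return k1, k2
    return None


def demo():
    """Constructed secret keys and plaintexts; returns (found_keys, secret_keys)."""
    secret = (0x3A7, 0xC15)
    plaintexts = [0x0123, 0x4567, 0x89AB]
    pairs = [(p, double_encrypt(p, *secret)) for p in plaintexts]
    return meet_in_the_middle(pairs), secret


if __name__ == "__main__":
    found, secret = demo()
    print("recovered", found, "secret", secret)
```

    The same table trick against two-key or three-key 3DES needs 2^56 table entries, which is why the practical estimate is "about 112 bits" rather than the nominal 168; the memory cost is what makes it impractical today rather than merely expensive.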
  • CAST may not be all it's cracked up to be: if I recall correctly, Schneier said that CAST wasn't much more secure with larger keysizes. Then again, Schneier's Twofish is a competitor for AES; I don't think that would skew his opinions, but it warranted being said.

    Zimmerman is not a cryptanalyst or cryptographer, incidentally. He (formerly) wrote applications to implement established cryptography algorithms. He's certainly very knowledgeable, but since he doesn't have a background in either creating ciphers or breaking them, I don't think his opinion carries very much weight as to whether or not CAST is secure.

    PDF files are trivially easy to generate. If Hasty Pudding's authors submitted their algorithm in straight ASCII when the committee specified PDF as the format, then it's the fault of the Hasty Pudding team. Don't complain about the existence of reasonable rules; don't complain about people enforcing reasonable rules. Complain about the people who don't comply with reasonable rules.
  • 3DES is

  • You missed part of the URL; this [] is the real link for the Block Cipher Lounge
  • Sad how? I'm sure everybody worked really hard on their algos, and I'm sure every one of them was really good and all, but come on. Somebody has to win. You can't let everybody win and have 15 standards.... Then all you have is no standard.
    I hold it that a little rebellion, now and then, is a good thing...
  • Maybe they're more concerned with the crypto than the format it's in.
  • Don't complain about the existence of reasonable rules; don't complain about people enforcing reasonable rules.

    I'm not convinced that requiring PDF is a reasonable rule; it offers few if any advantages over other formats. There is little in crypto design documents that requires total control over presentation, so e.g. HTML would have done just as well, and be a whole lot less to download for us poor folks in countries where bandwidth costs real money.

    From NIST, being a body concerned with standards, I would find a requirement for documentation submitted in an official standard format (say SGML or XML) more logical than a requirement for a de-facto format like PDF.

  • Good question, especially since Microsoft employ some pretty well known names in the field (eg Roger Needham). A .sig quote read "Microsoft is an intellectual roach motel: big brains go in, but you don't see anything come out".

    Are they just trying to stop anyone else having any ideas by putting the brains out to graze? Your guess is as good as mine.
  • stole my subject line.

    I personally am rooting for twofish because:

    1) It doesn't come from a company.
    2) It has a really cool name (down with TLA's!)

    There's something ironically appealing about a heavy-duty piece of (weapons-grade?) crypto with "fish" in the name. Then there is the whole Seussian angle...

    But I wonder what happened to the other fishes?

    "One fish, two fish,
    red fish, blue fish".

  • May I suggest actually reading the NIST document giving the reasons for their decisions?

    CAST-256 wasn't chosen because of its mediocre performance and large ROM requirements on smartcards. It's the predecessor, CAST-128, that's now used in PGP. Note that although CAST is proven secure against certain classes of attack, it's also proven that you can build a weak cipher which passes the same tests.

    HPC was never a serious contender: it's a bad performer on all platforms except 64-bit microprocessors, and it's too weird to be analysed in the time available.

    This contest will have advanced the art of block cipher design and analysis whoever wins, and we'll have gained some damn good ciphers in the process.
  • I'm hoping you know that Twofish is a small variation on Blowfish. I can't believe that people writing here are touting Mars and Rijndael as the likely winners. Can we be serious? The only real contender is Twofish. IBM is good at a lot of things, but I don't think crypto is one of them (Mars). I suspect that one contributor is right in the sense that NIST will not choose a non-American algorithm, but in this case I can't envision that Rijndael would be even close. The number of cycles in Mars and Rijndael is insignificant compared to Twofish (and a few others). Loki97 would have made it if there was not a publicized theoretical attack (I think the attack required something on the order of 2^64 ciphertexts). I have known Bruce Schneier for years, worked with him, and met some of his team. They are the best outside of NSA hands down.
  • Nothing against Phil, he's great, but did you ever see Bass-o-matic? Go find a copy of PGP 1.0 and have a look-see. Phil is a wonderful activist and software engineer but he's not my choice of a cryptanalyst. His endorsement isn't glowing. I don't believe CAST to be as secure as the algorithms they have chosen.

    The AES contest was good because we now have a bunch of fairly secure algorithms out in the public; not all of them are as secure as some, but none of them is totally weak either. The 5 finalists are 5 fine algorithms that are put together by some of the foremost experts in the field. Being created by Eli Biham, Don Coppersmith or Ron Rivest is about as good a pedigree as you can get in the cryptography business, aside from an NSA stamp which approves your cipher for classified top secret military use.

  • RSA is very simple to understand and implement (using a generic big integer library with a powermod feature). Also, RSA's patent expires in September of 2000 (mark your calendars!).

    As with every other good public key algorithm, it's slow on large integers. (The reason is the modulo the big composite number).

    Man in the middle attacks aren't bad if you can have a trusted third party (SSL uses certs generated by primarily Verisign) verify the public keys and server certs.

    AES has to have a variable key size [128, 192, 256] (with all foreseeable computation ability, 128 will be all that is ever needed)

    256 bit keys are a bit silly.. The 115792089237316195423570985008687907853269984665640564039457584007913129639936 keys are quite a lot to check (although, if all the atoms in the universe [estimated 10^78] were to test 1 key/sec, it'd only take about 0.1157920892 seconds). However.. 512 bit keys with all the atoms testing a trillion keys/second would take about (2^512)/(10^78)/60/60/24/(36525/100)/(10^12)
    (4.2486779507765473608e56?) years..

    Besides, if people want your information, they sure as heck won't be dumb enough to attack the algorithm. People fail long before the math does.
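    The comment above says RSA is easy to implement with nothing but a big-integer library and a powermod, and that a man in the middle only fails when somebody trustworthy vouches for the public key. Added example (not from the poster): textbook RSA in plain Python, then the key-substitution relay that unauthenticated key exchange permits. The primes, the message value and the names Alice, Bob and Mallory are constructed for illustration; there is no padding here, which real deployments require, and `pow(e, -1, phi)` needs Python 3.8 or later.

```python
"""Textbook RSA from Python integers and pow(base, exp, mod), plus the
man-in-the-middle key substitution that key verification exists to prevent.

Added example, not from the thread.  Primes, message and party names are
constructed; real keys use ~1024-bit primes and real systems pad (OAEP, PSS)
before encrypting or signing, which this deliberately omits.
"""
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)          # one modular exponentiation is the whole cost


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def rsa_sign(priv, h: int) -> int:
    n, d = priv
    return pow(h, d, n)


def rsa_verify(pub, h: int, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == h


def mitm_relay(message: int, bob_keys, mallory_keys):
    """Alice asks for Bob's public key over an unauthenticated channel and Mallory
    answers with her own.  Alice encrypts to Mallory, Mallory decrypts, re-encrypts
    to Bob and forwards.  Both endpoints see a working exchange; only a key Alice
    already trusts, or a third party vouching for Bob's key, exposes the swap.
    Returns (what Mallory read, what Bob received)."""
    bob_pub, bob_priv = bob_keys
    mal_pub, mal_priv = mallory_keys
    c_for_mallory = rsa_encrypt(mal_pub, message)       # Alice believes this is Bob's key
    plaintext_seen = rsa_decrypt(mal_priv, c_for_mallory)
    c_for_bob = rsa_encrypt(bob_pub, plaintext_seen)
    return plaintext_seen, rsa_decrypt(bob_priv, c_for_bob)


# constructed small primes so the numbers stay readable
BOB = rsa_keygen(1000003, 1000033)
MALLORY = rsa_keygen(104729, 1299709)
MESSAGE = 123456789


def demo():
    bob_pub, bob_priv = BOB
    roundtrip = rsa_decrypt(bob_priv, rsa_encrypt(bob_pub, MESSAGE))
    sig = rsa_sign(bob_priv, MESSAGE)
    seen, received = mitm_relay(MESSAGE, BOB, MALLORY)
    return {
        "roundtrip_ok": roundtrip == MESSAGE,
        "signature_ok": rsa_verify(bob_pub, MESSAGE, sig),
        "tampered_rejected": not rsa_verify(bob_pub, MESSAGE + 1, sig),
        "mallory_read": seen,
        "bob_received": received,
    }


if __name__ == "__main__":
    print(demo())
```

    Nothing in the math fails in `mitm_relay`: every ciphertext decrypts correctly and Bob gets exactly what Alice sent. The defence has to come from outside the algorithm, which is the point the posters make about certificates, known host keys and the web of trust.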
  • > that would be bad for you, you schlemazel.

    That's schlemiel to you, bub. Now watch out or I'll spill soup on you.

  • Well known governor of technology, and freedom. There are some government paid "cryptologists" that ~evaluated~ THE CLIPPER CHIP, that are identified to us as female, who must remain seated
    when around TRUE MINDS like Bruce.
    I would expect a weakness/atrophy starting opposite the direction that BEN FRANKLIN speaks highly of "In praise of older women", that would be far worse than simple weakness in the knees,
    when faced with THE (blue/red) BOOK AUTHOR.
    The record speaks volumes about the condition of the mind end, which lost so much, for such a pointless reason, and for what?

    To work as a paid consultant for the SDMI klan?
  • I hope TwoFish gets it. Bruce Schneier makes women's knees weak. That, and it's a badass algorithm.
  • Damn.. I can remember when I memorized IDEA (I can't remember IDEA but I remember when I remembered it).. it still rules, no-one has cracked it and when they do, extend your key length.. rather than coming up with yet another symmetrical encryption method, why not come up with something a little better than RSA.. Public key encryption is a wonderful science but when you're talking about a possible man in the middle attack you still have to rely on a trusted signature or a "known" host key (like if you have never ssh'd to a box before and it says "do you want to save this host key".. at that point you could have been intercepted and are being fed a bogus key).. *yawn* the math enthralls me.
  • Some very strong candidates were dropped this time, but nearly all the algorithms have an area where they're a bit weak, whether it's smart card memory usage or performance on 64-bit, highly parallel machines. Two algorithms are rather good performers right across the board of applications, and those two are Rijndael and Twofish.

    I used to think Twofish was the guaranteed winner, but these days I'm inclined more towards Rijndael, which achieves its flexibility in rather simpler ways. Note that Rijndael uses fewer rounds, but every round changes the entire block.

    Surprised that MARS made it through. It's fast and clever and designed by Don Coppersmith who was one of the primary DES designers, but it's also pretty weird; of the sixteen rounds, eight are unkeyed mixing stages.
  • Encryption from Uranus? How ridiculous!
  • MARS? RC6? pah

    I wanna see encryption coming from "Uranus"

    or how about "REALLY BIG, REALLY STRONG"

    anyone else got any ideas?

  • Of the 5 algorithms still standing, two are patented. These are MARS (by IBM) and RC6 (RSA Labs). The NIST rules state that the algorithm that is finally chosen as the AES must be free to implement and so these two companies have promised to free their algorithms if they should win. This leaves us in the strange position of hoping one of the "closed" submissions wins.

    Actually, I had a talk with Jennifer Seberry and Josef Pieprzyk, two of the designers of the LOKI97 algorithm which didn't make it through the first round. They anticipated the outcome of the first round and expected either MARS or RC6 to win.

    Americans, being Americans, will never actually choose a non-US algorithm as the AES (soon to be mis-named American Encryption Standard), but Rijndael may hang around for embedded devices, etc. where it is particularly efficient.

    Just thought I'd share my few bits.
  • IDEA is neat, but it's (a) slow compared to the alternatives, (b) patented, and (c) only has a 64-bit blocksize, so a dictionary attack (collect all plaintext/ciphertext pairs) is within reach. Read the descriptions of the five finalists, especially Rijndael; if you liked IDEA then you might think it's pretty neat.

    There are *many* alternative public key systems; RSA is just the best known, not the fastest or most secure. But there can't be a mathematical solution to the man-in-the-middle attack because it's at least partly a political problem: who's the "legitimate" owner of a particular IP address/section of DNS address space, and who do you trust to certify it?

    In practice DNSSEC would do a lot to address this, but it isn't getting implemented due to the usual crypto stupidity reasons.
  • If the documents are destined to be printed, PDF's the way to go. You can then refer to page breaks and even line breaks when discussing them ("For instance, on page 19 in the middle of the 8th line..."). That's not possible with HTML, nor ASCII, nor MS Word, etc... Word's not available on all platforms, and the mathematical fonts used will vary from platform to platform. HTML varies way too much depending on fonts, platform, printer. Text is text - no styling, no typography (subscripts, superscripts, mathematical symbols)...

    Really, the main issue is fonts - mathematical symbols that either won't exist or will have different mappings dependent on platform.

    That leaves PDF... There are free tools available to create PDF files, so it's not like you need to spend extra money or anything.

    My 2 cents
  • rather than coming up with yet another symmetrical encryption method, why not
    come up with something a little better than RSA.. Public key encryption is a wonderful science but when you're talking about a possible
    man in the middle attack you still have to rely on a trusted signature or a "known" host key

    There are two things that make the proposed AES algorithms better than IDEA or Blowfish or triple-DES. No-one has actually broken them, but the art of cipher design has marched onwards.

    1) Speed. Each of the algorithms that are left is faster than Blowfish, which is faster than IDEA, which is faster than tri-DES.

    2) The block-size. All the old, well-known ciphers work on 64-bit blocks. This is becoming too small. You start having problems with block-replay attacks and generally leaking information at a few gigabytes. My reference is at home, so I can't give the exact number. The AES candidates have a 128-bit block-size and this should never become a problem for them.

    As for improving public-key cryptography, there are certain limits to what can theoretically be done. You always need some "secret" information, i.e. a private RSA/ElGamal/Schnorr/whatever key or a shared secret key for a symmetric cipher. If you suddenly connect to a box (with ssh) or want to send mail to someone (and are using pgp/gpg) you need something to "grab onto". What we really need is some sort of huge authentication framework. In fact, what we need is the pgp web of trust, but with everyone in it.

    Also, IDEA is patented. Are you sure you weren't confusing it with Blowfish?
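    Two posters above make the same point about 64-bit blocks (the "dictionary attack" one and the "leaking information at a few gigabytes" one) and the second couldn't recall the exact number. Added example (not from either poster): the birthday bound is sqrt(pi/2 * 2^n) blocks, roughly 2^(n/2), which for a 64-bit block in CBC mode is about 5.4e9 blocks, some 40 GiB (the usual rule of thumb is 2^32 blocks, 32 GiB); for a 128-bit block it is about 2^64 blocks. The code below computes that bound and then runs the actual attack on a constructed 16-bit "cipher" (a secret random permutation standing in for any block cipher of that width) so the collision and the resulting plaintext leak happen in well under a second. Block width, seed and plaintext are assumptions for illustration.

```python
"""Birthday collisions in CBC with a small block: the '64-bit blocks leak after a
few gigabytes' problem, scaled down to 16 bits so it runs instantly.

Added example, not from the thread.  The block cipher is modelled as a secret
random permutation of n-bit blocks (a constructed stand-in); nothing here
depends on the cipher, only on the block width n.
"""
import math
import random


def cbc_collision_bound(block_bits: int):
    """Blocks of CBC ciphertext after which two equal blocks are ~50% likely
    (sqrt(pi/2 * 2^n), about 2^(n/2)), and that much data in GiB."""
    blocks = math.sqrt(math.pi / 2 * 2 ** block_bits)
    gib = blocks * (block_bits / 8) / 2 ** 30
    return int(blocks), gib


class RandomPermutationCipher:
    """Toy block cipher: one uniformly random permutation of all n-bit blocks,
    chosen by a secret seed.  For n=16 the whole table is 65536 entries."""

    def __init__(self, block_bits: int, seed: int):
        self.block_bits = block_bits
        table = list(range(1 << block_bits))
        random.Random(seed).shuffle(table)
        self._enc = table

    def encrypt_block(self, block: int) -> int:
        return self._enc[block]


def cbc_encrypt(cipher, iv: int, blocks):
    """Standard CBC: C_i = E(P_i xor C_{i-1}), with C_0 = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = cipher.encrypt_block(p ^ prev)
        out.append(prev)
    return out


def leak_from_collision(iv: int, ciphertext):
    """Passive attacker.  If C_i == C_j then, because E is a permutation,
    P_i xor C_{i-1} == P_j xor C_{j-1}, hence P_i xor P_j == C_{i-1} xor C_{j-1}:
    the XOR of two plaintext blocks is read straight off the wire."""
    prev = [iv] + list(ciphertext[:-1])
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            i = seen[c]
            return i, j, prev[i] ^ prev[j]
        seen[c] = j
    return None


def simulate(block_bits: int = 16, seed: int = 2024):
    """Encrypt constructed random plaintext under CBC, find the first ciphertext
    collision, and check the attacker's leaked XOR against the truth."""
    cipher = RandomPermutationCipher(block_bits, seed)
    rng = random.Random(seed + 1)
    iv = rng.getrandbits(block_bits)
    # pigeonhole: 2^n + 1 blocks guarantee some ciphertext block repeats
    plaintext = [rng.getrandbits(block_bits) for _ in range((1 << block_bits) + 1)]
    ciphertext = cbc_encrypt(cipher, iv, plaintext)
    i, j, leaked = leak_from_collision(iv, ciphertext)
    return {
        "blocks_until_collision": j + 1,
        "expected_blocks": cbc_collision_bound(block_bits)[0],
        "leaked_xor": leaked,
        "true_xor": plaintext[i] ^ plaintext[j],
    }


if __name__ == "__main__":
    print(simulate())
    for n in (64, 128):
        blocks, gib = cbc_collision_bound(n)
        print(f"{n}-bit block: ~{blocks:.3g} blocks, ~{gib:.3g} GiB before a collision is likely")
```

    The simulated collision typically lands within a few hundred blocks for n=16 (the bound gives about 321), and `leaked_xor` always equals `true_xor`. Scaling n to 64 is what turns "a few hundred blocks" into tens of gigabytes under a single key, and n=128 into an amount of data nobody will encrypt under one key.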
  • That encryption algorithm developed by a sixteen year old irish schoolgirl? I remember a big stink being kicked up about this 8/9 months ago, then nothing.

    Any ideas?

  • And the Feistel who invented the Feistel network was an IBM researcher.

  • Cool, cause that's what I attacked it with... ignorance.

    I also tried to lick it open. But that didn't work.
  • Do you have a decent link for Rijndael (Rhine valley)?
  • To quote from the NIST report on their choice of 5:

    "Major security gaps: none known
    Minor general security gaps: none known
    a. Excellent performance across platforms
    b. Good security margin
    [...snip 6 other advantages...]
    Disadvantages: no significant disadvantages"

    Note further that Rijndael is the *only* one of the 15 candidates not to rate a single entry in the "Disadvantages" field.

    I don't know what you mean about the "number of cycles". If you mean "rounds", then Twofish uses 16 rounds and Mars 32. Rijndael uses between 10 and 14 rounds depending on key size, but remember that each of those rounds transforms the *entire* block, not half as in Twofish.

    I like Twofish a lot, and wouldn't be surprised to see it win, but the more I look at Rijndael the more I like it.

    All of the other candidates have serious disadvantages on some platform or other. Twofish's biggest disadvantage is its complexity, though there are some neat things about it, especially the key schedule which is a real advance in crypto technology.
  • You can find out about all the Round 2 finalists, and other AES related websites, on NIST's Round 2 page: htm
  • The point of AES is solely to find a new standard algorithm to replace DES. There's nothing wrong with IDEA or RSA or lots of other algorithms (okay, except that they're patented), but if you're going to create a new standard and make huge masses of established code in industries like banking obsolete, you might as well go with the very best algorithm you can find.

    And you're right, no crypto is strong enough to protect you from some attacks (e.g. Social Engineering...)
