Cryptography-Digest Digest #818, Volume #12       Mon, 2 Oct 00 21:13:00 EDT

Contents:
  Re: My Theory... (Tom St Denis)
  Re: is NIST just nuts? (Tom St Denis)
  Re: Choice of public exponent in RSA signatures (Paul Schlyter)
  Re: It's Rijndael (Jim Gillogly)
  Re: is NIST just nuts? (Cornelius Sybrandy)
  Re: My Theory... (Cornelius Sybrandy)
  Re: Key Attack on Serpent (Cornelius Sybrandy)
  Re: It's Rijndael (John Savard)
  Re: It's Rijndael (John Savard)
  Re: It's Rijndael (John Savard)
  Re: It's Rijndael (Paul Rubin)
  Re: Problem question (Jim Gillogly)
  Re: is NIST just nuts? (Jim Gillogly)
  Re: My Theory... (Tom St Denis)
  Re: Key Attack on Serpent (Tom St Denis)
  Re: Idea for Twofish and Serpent Teams (Helger Lipmaa)
  AES Rijndael 9 Round not secure ? ("Martin Miller")
  Re: is NIST just nuts? (Tim Tyler)
  Re: Do not vote for those communistic policies of Al Gore .... (Paul Schlyter)
  Re: It's Rijndael (Paul Schlyter)
  Re: AES Rijndael 9 Round not secure ? (Tom St Denis)
  Re: Idea for Twofish and Serpent Teams (Tom St Denis)
  Re: AES Rijndael 9 Round not secure ? (Paul Rubin)
  Re: On block encryption processing with intermediate permutations (Bryan Olson)
  Re: Do not vote for those communistic policies of Al Gore .... (Tom St Denis)

----------------------------------------------------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: My Theory...
Date: Mon, 02 Oct 2000 22:55:59 GMT

In article <[EMAIL PROTECTED]>,
  Cornelius Sybrandy <[EMAIL PROTECTED]> wrote:
> Note, this is just a theory, not a reason for Tom to get nasty with me
> (I too thought TwoFish was going to win).
>
> I read a little of the reasons Rijndael was picked.  They felt that it
> was the most consistent of all the candidates when it came to
> performance and that it was one of the most suitable for hardware.  Also, I
> believe it is also the only algorithm immune to timing attacks.  Now, of
> all of the ciphers, Rijndael was the one that scaled the best, blowing
> the others away on 64-bit architectures.  This I think is one of the
> keys.  By being able to scale as well as it did, it allows the addition
> of more rounds to improve security while remaining very fast on 64-bit
> processors, which will become the norm.

This is true.

> Now, looking ahead into the far future (probably farther than NIST),
> let's look at further scalability: 128-bit processors.  Hell, the
> Playstation 2 will have a 128-bit processor!  I can only imagine what
> throughput you'll get with Rijndael on that with a 256-bit block on
> something like that.  How far down the road are 128-bit chips?  I don't
> know, but I think (not sure here) that some of the new CPUs will have
> 128-bit MMX/SSE/3DNow/Whatever registers.  I'll have to recheck, but I
> think the multimedia registers in the Intel and AMD chips are 64-bit, so
> I expect them to increase proportionally when the 64-bit chips come out.

This is true.

> The only other cipher that allowed for redefining blocksize was RC6, a
> very elegant cipher, but it didn't scale as well.  One reason for this
> is that they still used 32-bit wordsizes when they did the testing.  If
> we were to benchmark RC6 and Rijndael with 256-bit blocks on a 64-bit
> processor, I'm sure we would see some very different results.

This is true.

> Well, that's my theory.  Do I believe that Rijndael is a suitable AES
> winner?  Yes.  Do I believe it needs more rounds?  From the evidence
> I've seen, yes.  I honestly believe that the standard should increase
> the number of rounds especially since it appears it will not have a
> great effect on the performance of the cipher on the up-and-coming
> 64-bit processors.

This is true.

So what?  The primary concern is security, not speed.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Mon, 02 Oct 2000 23:12:14 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> [EMAIL PROTECTED] (Mark Carroll) wrote in
> <8rb042$23d$[EMAIL PROTECTED]>:
>
> >In article <[EMAIL PROTECTED]>,
> >SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
> >(snip)
> >>little to do with the contest. I am not sure two fish is secure
> >>but the government has to pick a cipher the NSA could break or they
> >>would not allow it to be used. I just hope it modivates him to find
> >(snip)
> >
> >Uh? That's why they made DES more resistant to differential
> >cryptanalysis by changing the S-boxes even though leaving it as it was
> >would have given the NSA an advantage over the public in breaking it,
> >as differential attacks weren't public knowledge then?
> >
> >-- Mark
>
>  They may have cleaned some things up.  But are you forgetting the
> key size was lowered to 56 bits?  That alone made it easy for
> them to break.

Yup, you're definitely right on this one.

Tom



------------------------------

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Choice of public exponent in RSA signatures
Date: 3 Oct 2000 01:02:58 +0200

In article <[EMAIL PROTECTED]>,
Roger Schlafly  <[EMAIL PROTECTED]> wrote:
 
> Thomas Pornin wrote:
>> Besides, choosing a prime number speeds up the key selection algorithm
>> (e must be prime to (p-1)(q-1), so, with e = 3, when you choose p, you
>> have only ~67% chance that p-1 is prime to e). 
> 
> Testing for divisibility by 3 is so fast, compared to other needed
> operations, that it is insignificant. I doubt that you could notice
> the difference, if it is done in a reasonable way.
 
Testing for divisibility by 3 may be fast, but generating a new
prime if p-1 turns out to be divisible by 3 is much slower.
 
-- 
================================================================
Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  pausch at saaf dot se   or    paul.schlyter at ausys dot se
WWW:     http://hotel04.ausys.se/pausch    http://welcome.to/pausch
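Worked example, added by the editor and not part of Pornin's or Schlyter's posts: the coprimality check on p-1 that the two of them are arguing about, the retry loop it forces in prime generation (the expensive step Schlyter points to), and the consequence when the check is skipped, namely that e has no inverse modulo (p-1)(q-1) and no private key exists. Function names are the example's own; the primality test is a plain Miller-Rabin, adequate for a demonstration.

```python
# Added example: RSA key selection with a small public exponent e.
# Constraint from the thread: gcd(e, (p-1)(q-1)) must be 1, so a prime p
# with e | (p-1) has to be discarded and a fresh prime generated.
import math
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (demonstration quality)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def usable_prime(p: int, e: int) -> bool:
    """The cheap divisibility test: p works with exponent e iff gcd(e, p-1) == 1."""
    return math.gcd(e, p - 1) == 1


def generate_prime_for_exponent(bits: int, e: int):
    """Return (prime, rejected). `rejected` counts primes thrown away because
    e divides p-1; each rejection costs a whole new prime search, which is the
    slow part Schlyter's reply is about, not the divisibility test itself."""
    rejected = 0
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if not is_probable_prime(p):
            continue
        if usable_prime(p, e):
            return p, rejected
        rejected += 1


def rsa_keypair_from_primes(p: int, q: int, e: int):
    """Derive (n, e, d) from fixed primes, or None when e is not invertible
    modulo (p-1)(q-1), i.e. when the check above was skipped."""
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        return None
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return p * q, e, d


def roundtrip(message: int, key) -> int:
    """Encrypt then decrypt a small integer message; should return it unchanged."""
    n, e, d = key
    return pow(pow(message, e, n), d, n)


if __name__ == "__main__":
    p, rejected = generate_prime_for_exponent(512, 3)
    q, rejected_q = generate_prime_for_exponent(512, 3)
    print("primes rejected for e=3:", rejected + rejected_q)
    key = rsa_keypair_from_primes(p, q, 3)
    print("roundtrip ok:", roundtrip(12345, key) == 12345)
```

With fixed toy primes the effect is visible directly: p=11, q=17 give phi=160, coprime to 3, and d=107; p=7, q=11 give phi=60, which 3 divides, so no d exists and the pair must be rejected.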

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Mon, 02 Oct 2000 23:26:37 +0000

Someone anonymous wrote:
> Pure cipher strength actually played very little role in the selection.
> All the ciphers were judged adequately strong.
...
> NIST judged MARS, Serpent
> and Twofish to have "high" security margin, and RC6 and Rijndael to
> have "adequate" security margin.
...
> Rijndael appears to be a compromise between security and efficiency.
> This leaves us in an unhappy and uncomfortable position.  It may well be
> that Twofish and perhaps Serpent continue to be widely used alternatives
> to AES.

If a cipher has an "adequate" security margin against all known
attacks, then it is as good from a security standpoint as any
other cipher.  For example, Twofish with a 192-bit key should be
considered no more secure than Twofish with a 256-bit key, because
both are quite secure against any attacks we can foresee.  In the
criterion you're citing from the NIST report they distinguish
between the security headroom of the ciphers, but since no-one has
been able to extend the current attacks beyond those regions,
there's little justification for treating a large headroom as much
different from a very large headroom.  There would be cause for
concern if Rijndael were selected with 8 rounds, given the marginal
attack on 7 rounds, but NIST decided that 10 rounds gave an
adequate margin against unknown attacks.

Obviously at any moment someone could come up with another attack
against any of the candidates.  Perhaps the Rump Session observation
will lead to a real break, for example.  But this argument applies
equally to any of the candidates.  Nobody's safe from the unknown
attack.

You said "Rijndael appears to be a compromise between security
and efficiency."  I think NIST's view of the decision was a
little different: given that all candidates were strong enough,
they made the final decision on other grounds, including efficiency.

To put your argument into a little perspective, suppose Serpent
had been chosen, with its perceived high security margin.  If the
rounds were doubled, it would have an even higher security margin.
If they were doubled again, it would be higher still.  Would this
make you more comfortable with it?  After all, security is the
most important criterion (I agree with this), and adding rounds
makes it harder.  At some point you <have> to trade efficiency
against your perceived security margin.  The only argument we
can reasonably have is how high a security margin is enough.

This is not to say that the competition couldn't have been more
complete given more resources.  It would be interesting to see
all the statistics and studies with a Rijndael and RC6 with enough
rounds to give them what the community would consider a "high"
security margin, or to re-run the Mars, Twofish and Serpent
statistics and studies with what the community would consider
an "adequate" security margin.  NIST didn't have the resources
to do this.  They said in Sec. 2.5 that they considered changing
the number of rounds but decided not to for a number of reasons,
including that it would have invalidated many of the community's
studies of the ciphers -- and in any case, they were all believed
to have adequate security already.

Given their resources, I think NIST did an outstanding job
of balancing the pros and cons of the ciphers, of taking
into account all the comments they received, of keeping
a satisfying amount of the process open, and of sticking
to their announced schedule.  Their report does them credit,
and while some of us may take issue with the importance given
to any particular criterion I think most of us would be
inclined to give them a rousing ovation for a job well done.

-- 
        Jim Gillogly
        Trewesday, 11 Winterfilth S.R. 2000, 22:53
        12.19.7.10.15, 11 Men 18 Chen, Eighth Lord of Night

------------------------------

From: Cornelius Sybrandy <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Mon, 02 Oct 2000 19:34:36 -0400

>  They may have cleaned some things up.  But are you forgetting the
> key size was lowered to 56 bits?  That alone made it easy for
> them to break.
>

You are assuming, of course, they had the computing power back then to
break a 56-bit key.  I doubt that they did and if so they only used it to
break messages that were designated as being very important.  I doubt the
Crays back then were anything like the combined effort of distributed.net
and a specialized computer by IBM that took just over 22 hours to crack a
DES key.

>
>
> I leave you with this final thought from President Bill Clinton:

Nice thought!  I always knew that Hillary was the one really running the
show :-)

csybrandy


------------------------------

From: Cornelius Sybrandy <[EMAIL PROTECTED]>
Subject: Re: My Theory...
Date: Mon, 02 Oct 2000 19:40:08 -0400

> > Well, that's my theory.  Do I believe that Rijndael is a suitable AES
> > winner?  Yes.  Do I believe it needs more rounds?  From the evidence
> > I've seen, yes.  I honestly believe that the standard should increase
> > the number of rounds especially since it appears it will not have a
> > great effect on the performance of the cipher on the up-and-coming
> > 64-bit processors.
>
> This is true.
>
> So what?  The primary concern is security, not speed.
>
> Tom
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.

What I was trying to say was that because of the scalability of Rijndael you
can increase the rounds without causing a significant detriment to speed on
the up-and-coming PC platforms.  We all know, of course, that 64-bit chips
have been around for years, though I think I alluded to the fact that they
are new in my prior text.  I never said that security was not the primary
concern, I was only trying to paint a better picture of what their train of
thought might have been.

csybrandy


------------------------------

From: Cornelius Sybrandy <[EMAIL PROTECTED]>
Subject: Re: Key Attack on Serpent
Date: Mon, 02 Oct 2000 19:43:16 -0400

>
> > Am I just nuts?
>
> Yes you are tom... the nuttiest in the world.

Yes Tom.  You are nuttier than a jar of Planters mixed nuts with extra
pistachios  :-)

csybrandy

"Damn, did I say that out loud...oops."


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: It's Rijndael
Date: Mon, 02 Oct 2000 23:35:54 GMT

On Mon, 02 Oct 2000 10:43:36 -0700, Roger Schlafly
<[EMAIL PROTECTED]> wrote, in part:

>All that speculation that NIST would favor IBM because of DES;
>favor a home team out of nationalism; dislike Rijndahl because
>of the foreign name; choose multiple winners out of indecisiveness;
>etc. down the drain. It looks like NIST just tried to pick the
>best candidate.

Yes, it is clear that NIST didn't choose a winner out of political
considerations. (Unless, of course, one subscribes to the theory that
NIST chose the one with the hard-to-pronounce name so that people
would be more likely to just call it the AES instead in future!)

Although the choice of Rijndael came as a complete surprise to me, it
did not come as a surprise to me that they chose the winner that:

- required the least memory, and

- ran the fastest

given that all the algorithms were of satisfactory security.

I hadn't paid close attention to how the algorithms fared in those
respects. My own instincts were to go for as much security as
possible, and I inclined towards Twofish - and MARS, despite recent
concerns about its security. But I favored a modification to MARS that
would have made it somewhat slower - and caused it to require
significantly more memory.

MARS, RC6, E2, and DFC all required multiplications, which would have
tended to slow them somewhat: but both Rijndael and Twofish require
GF(8) multiplications: as these aren't a standard instruction, I would
have thought them even worse. Although those of Rijndael require only
a very few shifts and XORs.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
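Worked example, added by the editor and not from Savard's post: the "very few shifts and XORs" he refers to are Rijndael's multiplication in GF(2^8) (written GF(8) above), built from the `xtime` step (multiply by x, reduce by the cipher's polynomial x^8 + x^4 + x^3 + x + 1). The block shows the field multiply and one MixColumns column computed with it; the function names are the example's own, and the check values in the comments are the ones published in FIPS-197.

```python
# Added example: Rijndael's GF(2^8) arithmetic without lookup tables.
# Reduction polynomial x^8 + x^4 + x^3 + x + 1 = 0x11B, as specified by Rijndael.

def xtime(a: int) -> int:
    """Multiply a field element by x (i.e. by {02}): one shift, one conditional XOR."""
    a <<= 1
    if a & 0x100:          # overflow past bit 7: subtract (XOR) the modulus
        a ^= 0x11B
    return a & 0xFF


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements by repeated xtime and XOR (shift-and-add,
    with XOR as the addition). FIPS-197 check value: {57}*{83} = {c1}."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def mix_column(col):
    """Apply the MixColumns matrix to one 4-byte column. Because the matrix
    entries are only {01}, {02} and {03}, every multiply reduces to xtime/XOR.
    FIPS-197 check value: [db 13 53 45] -> [8e 4d a1 bc]."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]


if __name__ == "__main__":
    print(hex(gf_mul(0x57, 0x83)))                 # 0xc1
    print([hex(b) for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
```

The loop in `gf_mul` runs at most eight times, and `mix_column` needs only `xtime` calls and XORs, which is why this multiplication costs so little on a general-purpose CPU compared with the integer multiplies in MARS or RC6. A constant-time implementation would replace the data-dependent branch in `xtime` with a mask, which is a detail this demonstration leaves out.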

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: It's Rijndael
Date: Mon, 02 Oct 2000 23:40:53 GMT

On 2 Oct 2000 17:59:56 GMT, David A Molnar <[EMAIL PROTECTED]>
wrote, in part:

>pretty much every christian, I'd guess.

>they don't actually know it's the original name of DES, but hey..

No, as D. A. Gwyn has pointed out, *that* was only the name of the
algorithm that preceded DES; the one with a 128-bit block and a
128-bit key, with only two teensy S-boxes, and which was not
particularly resistant to differential cryptanalysis.

Stick in a key-dependent S-box, however, for example as a substitution
before and after the cipher, or combine it with a stream cipher, and
those weaknesses essentially vanish, and the result is then much
stronger than DES, I would think.

I'm not sure IBM ever *gave* a name to the improved algorithm on
64-bit blocks derived from LUCIFER which it submitted to the NBS.
Considering their choice of name for its predecessor, perhaps that is
just as well.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: It's Rijndael
Date: Mon, 02 Oct 2000 23:49:10 GMT

On 2 Oct 2000 22:40:03 -0000, lcs Mixmaster Remailer
<[EMAIL PROTECTED]> wrote, in part:

>NIST has got its web site working again.  The rationale document at
>http://csrc.nist.gov/encryption/aes/round2/r2report.pdf has some
>troubling aspects.

>NIST judged MARS, Serpent
>and Twofish to have "high" security margin, and RC6 and Rijndael to
>have "adequate" security margin.

That is a very strong argument for Twofish, then. The unkeyed mixing
in MARS seemed wasteful to me, but recent posts saying MARS didn't
have a chance implied to me that some attack was found, but I
apparently was wrong in understanding it that way. And Serpent had a
large and conservative number of rounds, as well as (it seemed to me)
presenting some difficulties for software implementation. But Twofish
was designed with smart cards in mind.

But if Rijndael is _significantly_ faster than Twofish, much as I
might be inclined to, I can't quarrel with their choice, because fast,
efficient encryption is something in high demand. If you want more
security, you can always use Triple-Rijndael. Or should that be
Triple-AES? Anyhow, I much admired his Panama, even if I never paid
Rijndael the attention it deserved.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: 02 Oct 2000 16:53:03 -0700

[EMAIL PROTECTED] (John Savard) writes:
> No, as D. A. Gwyn has pointed out, *that* was only the name of the
> algorithm that preceded DES; the one with a 128-bit block and a
> 128-bit key, with only two teensy S-boxes, and which was not
> particularly resistant to differential cryptanalysis.

Lucifer had a *32* bit block and a 128-bit key.  Coppersmith more or
less chuckled about Lucifer's block size at his Crypto 2000 talk.

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Problem question
Date: Mon, 02 Oct 2000 23:53:45 +0000

Ernest Dumenigo wrote:
> 
> I've been working on some of the problems given in Military
> Cryptanalytics, while reading it, and I am completely stuck on one of the
> problems, and have not been able to solve it!!
> 
> The Plain text has been broken up into five letter groups, and each
> letter put in alphabetical order in each group:
> 
> ORSUU ABIMR AEHNS ENSUV ADKOR ADEGM EEINN EMNVY EELSS S
> 
> What I have come up with (and don't know if its right or wrong) is:
> Our submarine has ENSUV ADKOR ADEGM nine enemy vessels
> 
> Can anyone make sense of that middle part? Or am I completely off track?

Looks good to me, except for your "has".  I make it:

Our submarines have sunk or damaged nine enemy vessels.

Interesting kind of puzzle.
-- 
        Jim Gillogly
        Trewesday, 11 Winterfilth S.R. 2000, 23:52
        12.19.7.10.15, 11 Men 18 Chen, Eighth Lord of Night
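Worked example, added by the editor and not part of Dumenigo's question or Gillogly's answer: a checker for this kind of puzzle. Alphabetising each five-letter group throws away the letter order, so a candidate plaintext cannot be recovered mechanically from the groups, but it can be verified against them, and a partial solution (as in the question) can be tested for consistency word by word. The puzzle string is the one posted above; the function names and the small word list are the example's own.

```python
# Added example: verifying candidate solutions to a "sorted five-letter groups"
# puzzle of the kind given in Military Cryptanalytics.
from collections import Counter

# The puzzle exactly as posted in the thread.
PUZZLE = "ORSUU ABIMR AEHNS ENSUV ADKOR ADEGM EEINN EMNVY EELSS S"


def sort_groups(plaintext: str, width: int = 5):
    """Encode: keep letters only, cut into groups of `width`, alphabetise each."""
    letters = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    return ["".join(sorted(letters[i:i + width]))
            for i in range(0, len(letters), width)]


def matches(candidate: str, puzzle: str = PUZZLE) -> bool:
    """True if the candidate plaintext encodes to exactly the puzzle groups."""
    return sort_groups(candidate) == puzzle.split()


def consistent_prefix(candidate: str, puzzle: str = PUZZLE) -> bool:
    """True if every complete group of the candidate matches the puzzle and the
    trailing partial group uses only letters its puzzle group still has.
    This is the test you apply while solving word by word."""
    groups = puzzle.split()
    cand = sort_groups(candidate)
    if len(cand) > len(groups):
        return False
    for i, g in enumerate(cand):
        if len(g) == len(groups[i]):
            if g != groups[i]:
                return False
        elif Counter(g) - Counter(groups[i]):   # needs a letter not available
            return False
    return True


def group_anagrams(group: str, words):
    """Words from a supplied list whose letters are exactly one group's letters:
    a helper for the by-hand anagramming step."""
    target = Counter(group.upper())
    return sorted(w for w in words if Counter(w.upper()) == target)


if __name__ == "__main__":
    print(matches("Our submarines have sunk or damaged nine enemy vessels"))  # True
    print(consistent_prefix("Our submarine has"))       # True: first 3 groups fit
    print(consistent_prefix("Our submarine has sunk"))  # False: K is not in ENSUV
```

The `consistent_prefix` check explains why the partial solution in the question stalled: "has" and "have" both fit the third group AEHNS, but only "have" leaves the fourth group ENSUV able to absorb "sunk".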

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Tue, 03 Oct 2000 00:04:25 +0000

Cornelius Sybrandy wrote:
> 
> >  They may have cleaned some things up.  But are you forgetting the
> > key size was lowered to 56 bits?  That alone made it easy for
> > them to break.
> >
> 
> You are assuming, of course, they had the computing power back then to
> break a 56-bit key.  I doubt that they did and if so they only used it to

It was recognized immediately (but denied vigorously by the Gov't) that
56 bits were too short to protect against key-search attacks.  If the
NSA didn't have brute force machines for handling DES within a decade or
so of the DES roll-out, they were shirking their responsibilities.

> break messages that were designated as being very important.  I doubt the
> CRAY's back then were anything like the combined effort of distributed.net

The first Cray-1 didn't show up until 1976, but I suspect you're right.

> and a specialized computer by IBM that took just over 22 hours to crack a
> DES key.

The specialized computer (Deep Crack) was made by EFF, especially John
Gilmore and Paul Kocher, not by IBM.
-- 
        Jim Gillogly
        Trewesday, 11 Winterfilth S.R. 2000, 23:58
        12.19.7.10.15, 11 Men 18 Chen, Eighth Lord of Night

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: My Theory...
Date: Mon, 02 Oct 2000 23:55:05 GMT

In article <[EMAIL PROTECTED]>,
  Cornelius Sybrandy <[EMAIL PROTECTED]> wrote:
> > > Well, that's my theory.  Do I believe that Rijndael is a suitable AES
> > > winner?  Yes.  Do I believe it needs more rounds?  From the evidence
> > > I've seen, yes.  I honestly believe that the standard should increase
> > > the number of rounds especially since it appears it will not have a
> > > great effect on the performance of the cipher on the up-and-coming
> > > 64-bit processors.
> >
> > This is true.
> >
> > So what?  The primary concern is security, not speed.
> >
> > Tom
> >
> > Sent via Deja.com http://www.deja.com/
> > Before you buy.
>
> What I was trying to say was that because of the scalability of Rijndael you
> can increase the rounds without causing a significant detriment to speed on
> the up-and-coming PC platforms.  We all know, of course, that 64-bit chips
> have been around for years, though I think I alluded to the fact that they
> are new in my prior text.  I never said that security was not the primary
> concern, I was only trying to paint a better picture of what their train of
> thought might have been.

So the millions of 32-bit i386+ chips are not included in this
thought?  Also, how slow is Twofish on an ia64 anyway?

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Key Attack on Serpent
Date: Mon, 02 Oct 2000 23:55:40 GMT

In article <[EMAIL PROTECTED]>,
  Cornelius Sybrandy <[EMAIL PROTECTED]> wrote:
> >
> > > Am I just nuts?
> >
> > Yes you are tom... the nuttiest in the world.
>
> Yes Tom.  You are nuttier than a jar of Planters mixed nuts with extra
> pistachio's  :-)

Well I was just not looking at the entire picture with the LFSR...

Tom



------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: Idea for Twofish and Serpent Teams
Date: Tue, 03 Oct 2000 05:05:09 +0300

Tom St Denis wrote:

> Do what RSA did and make your own "Symmetric Cipher Standards" and
> ignore the govt.
>
> Tom

There was a thread recently in this newsgroup, about the general
attitude that guys who understand nothing about security try to strut
and to demand and to insult those who know better.

NIST didn't choose Rijndael due to some govt ignorance. Their choice was
made very carefully, and reflects very closely the average opinion in
the research community.

Helger


------------------------------

From: "Martin Miller" <[EMAIL PROTECTED]>
Subject: AES Rijndael 9 Round not secure ?
Date: Tue, 03 Oct 2000 00:15:45 GMT

Hi!

I'm really not an expert, but this paper describes a cryptanalysis of
Rijndael for 6, 7 and 8 rounds, and a key attack that can break 9-round
Rijndael...

Should I be worried? (Well I am, but ;-)

http://www.counterpane.com/rijndael.ps.zip

I would like to hear some comments, since I did not see comments here
about it and I think that would be of interest to some of you here ;-)

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Reply-To: [EMAIL PROTECTED]
Date: Mon, 2 Oct 2000 23:54:43 GMT

Albert Yang <[EMAIL PROTECTED]> wrote:

: [Twofish] wasn't the most secure or had the most security margin
: (Serpent wins that)

I think this is true if you assume that additional rounds beyond the best
known attack result in more strength.  More rounds certainly help prevent
some attacks - but can make little difference to other ones.

We probably can't say with very much confidence which out of Serpent,
Twofish, Rijndael has the "most security margin" until there are better
attacks on two of them.
-- 
__________                  http://alife.co.uk/  http://mandala.co.uk/
 |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/

------------------------------

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Do not vote for those communistic policies of Al Gore ....
Date: 3 Oct 2000 01:23:19 +0200

In article <8rb10u$d4q$[EMAIL PROTECTED]>,
William A. Nelson  <[EMAIL PROTECTED]> wrote:
>
>Do not vote for those communistic policies of Al Gore .... I do not
>think that you and your property should be controlled by Al Gore's
>communistic policies ....

...and of course you shouldn't vote for the fascist Bush either.

Then, what's left to vote for in the US ???   :-))))))))

-- 
================================================================
Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  pausch at saaf dot se   or    paul.schlyter at ausys dot se
WWW:     http://hotel04.ausys.se/pausch    http://welcome.to/pausch

------------------------------

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: It's Rijndael
Date: 3 Oct 2000 01:03:19 +0200

In article <8raies$eof$[EMAIL PROTECTED]>,
David A Molnar  <[EMAIL PROTECTED]> wrote:
 
> Serge Paccalin <[EMAIL PROTECTED]> wrote:
> 
>> This answer is more serious than you could think. Who remembers the 
>> original name of DES?
> 
> pretty much every christian, I'd guess.
> 
> they don't actually know it's the original name of DES, but hey..
 
And also every reader of Arthur C. Clarke's "2010 - Odyssey two" !
 
-- 
================================================================
Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  pausch at saaf dot se   or    paul.schlyter at ausys dot se
WWW:     http://hotel04.ausys.se/pausch    http://welcome.to/pausch

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: AES Rijndael 9 Round not secure ?
Date: Tue, 03 Oct 2000 00:34:52 GMT

In article <Ry9C5.285948$[EMAIL PROTECTED]>,
  "Martin Miller" <[EMAIL PROTECTED]> wrote:
> Hi!
>
> I'm really not an expert, but this paper describes a cryptanalysis of
> Rijndael for 6, 7 and 8 rounds, and a key attack that can break 9-round
> Rijndael...
>
> Should I be worried? (Well I am, but ;-)
>
> http://www.counterpane.com/rijndael.ps.zip
>
> I would like to hear some comments, since I did not see comments here
> about it and I think that would be of interest to some of you here ;-)
>

Well I forgot who just said it today... but we could double the rounds
for security, then double it again for more, then double it again for
more...

From what I can tell Rijndael with 18 rounds is considered more than
secure enough.  Of course 10 round Rijndael is technically still
secure, but I would like the room of security provided by 18 rounds.

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Idea for Twofish and Serpent Teams
Date: Tue, 03 Oct 2000 00:35:44 GMT

In article <[EMAIL PROTECTED]>,
  Helger Lipmaa <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
>
> > Do what RSA did and make your own "Symmetric Cipher Standards" and
> > ignore the govt.
> >
> > Tom
>
> There was a thread recently in this newsgroup, about the general
> attitude that guys who understand nothing about security try to strut
> and to demand and to insult those who know better.
>
> NIST didn't choose Rijndael due to some govt ignorance. Their choice was
> made very carefully, and reflects very closely the average opinion in
> the research community.

Try saying that to Mr Schneier or Dr. Biham....

Tom



------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: AES Rijndael 9 Round not secure ?
Date: 02 Oct 2000 17:53:39 -0700

> > for 6,7,8 and a key attack that can break 9 round rijndael...
> >
> > Should I be worried? (Well I am, but ;-)
> >
> > http://www.counterpane.com/rijndael.ps.zip

That's a *related*-key attack.  Generally, ciphers are deemed secure if
there are no known- or chosen-plaintext or ciphertext attacks.  Nobody
really cares about related-key attacks.  RC4 is used for most internet
E-commerce (browser SSL) and is also vulnerable to related-key
attacks, but since it's generally keyed by the output of hash
functions, the related-key attacks can't be exploited by attackers.

It's unfortunate though that the Counterpane paper was published so
close to the AES announcement.  I wonder whether NIST took the result
into account.

Well, now that the winner has been chosen, there's a several year
public review period to try to extend the attacks.
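Worked example, added by the editor and not from Rubin's post: the point about keying RC4 from a hash output, made concrete. A related-key attack needs the attacker to obtain encryptions under two keys with a known relation, such as a chosen bit flip. If the cipher key is the hash of a master secret and a per-session value, the attacker has no way to impose that relation on the keys the cipher actually sees: a one-bit change in the input changes roughly half the bits of the derived key. The example uses SHA-256 as the hash and does not implement RC4 itself; the function names and the sample inputs are the example's own.

```python
# Added example: deriving per-session cipher keys from a master secret through
# a hash, so that related inputs do not produce related cipher keys.
import hashlib


def derive_cipher_key(master: bytes, context: bytes) -> bytes:
    """Session key = SHA-256(len(master) || master || context).
    `context` (a nonce or session id) must differ per session; the length
    prefix keeps master/context boundaries unambiguous."""
    return hashlib.sha256(len(master).to_bytes(2, "big") + master + context).digest()


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def related_key_demo(master: bytes, context: bytes):
    """Flip one bit of the master secret (the classic related-key relation)
    and measure how far apart the two derived cipher keys end up.
    Returns (bits differing in derived keys, bits differing in masters)."""
    flipped = bytes([master[0] ^ 0x01]) + master[1:]
    k1 = derive_cipher_key(master, context)
    k2 = derive_cipher_key(flipped, context)
    return hamming_distance(k1, k2), hamming_distance(master, flipped)


if __name__ == "__main__":
    # Constructed sample inputs, not real key material.
    derived, original = related_key_demo(b"\x00" * 16, b"session-0001")
    print(f"masters differ in {original} bit, derived keys differ in {derived} of 256 bits")
```

The same reasoning is why the "keyed by the output of hash functions" remark matters for protocol design rather than cipher design: the protocol, not the cipher, is what denies the attacker control over key relations.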

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: On block encryption processing with intermediate permutations
Date: Tue, 03 Oct 2000 00:46:24 GMT

Mok-Kong Shen wrote:
> Bryan Olson wrote:

> > I see nothing about how the sender and receiver synchronize,
> > only that the key for the permutation should be independent
> > of the key to the block cipher.

> Each session uses a (different) secret seed for the PRNG.
> (I use effectively more key material, as said in a previous
> follow-up.)

Does your method require a separate secure channel for
transporting the per-message keys?  How do the sender
and receiver know which key to use?


[...]
> > Hard to sell exposing the key as a good thing.
>
> Sorry, the above sentence is difficult for me (foreigner)
> to understand.

Hard to take that seriously.


--Bryan
--
email: bolson at certicom dot com



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Do not vote for those communistic policies of Al Gore ....
Date: Tue, 03 Oct 2000 00:50:02 GMT

In article <8rb5d7$213$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Paul Schlyter) wrote:
> In article <8rb10u$d4q$[EMAIL PROTECTED]>,
> William A. Nelson  <[EMAIL PROTECTED]> wrote:
> >
> >Do not vote for those communistic policies of Al Gore .... I do not
> >think that you and your property should be controlled by Al Gore's
> >communistic policies ....
>
> ...and of course you shouldn't vote for the fascist Bush either.
>
> Then, what's left to vote for in the US ???   :-))))))))

Better than Jean Chretien in Canada.... :-)

"Me I'sa put the peper on my plate" -- Jean Chretien with regard to
pepper-spraying students at OPAC.

Tom



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
