Hi,

As readers of sci.crypt and the [EMAIL PROTECTED] list will know, I
was struck by an apparent discrepancy between the NIST report on
the AES first round and one of the papers it refers to. I sent the
following mail to the AES list:

> There seems to be a discrepancy between Biham and Shamir's paper on
> Power Consumption Analysis from the second AES conference, and the
> discussion of that paper in NIST's Round 1 report (currently available
> from http://csrc.nist.gov/encryption/aes/round1/r1report.pdf).
> 
> Biham and Shamir's paper (available from, among other places,
> http://csrc.nist.gov/encryption/aes/round1/conf2/papers/biham3.pdf)
> seems to state that, of the five finalists, Rijndael is more
> vulnerable than the others to their attack, and the other four
> are about as vulnerable as each other (it even explicitly says,
> of Serpent, "Thus, it is expected that (as in the case of Mars and
> RC6), it will not be easy to derive useful information on the key
> from the Hamming weights of the results."). But in NIST's
> discussion (section 2.5.3.1), they classify Rijndael, MARS and RC6
> as having "lesser implicit weaknesses" and Serpent and Twofish
> as having "no weakness", with no reference given other than
> Biham and Shamir's paper.
> 
> Can anyone shed any light on this?

Today I received the following reply from Jim Nechvatal of NIST:

> Thanks for your comments (8/10) about the discussion of the Biham/Shamir
> power analysis paper in the NIST report. You make a good point. The
> classification of Serpent and Twofish as having "no weakness" and MARS,
> RC6, Rijndael as having some weakness was based on the fact that in the
> discussion of MARS, they refer to the possibility of gaining 2.54 bits of
> information per byte. This seems to apply to RC6 and Rijndael as well,
> although the discussion is vague. The discussions of Serpent and Twofish
> omit any reference to gaining any knowledge of key bits. However, the
> discussion is so vague that it may have been unwarranted to assume that no
> knowledge of key bits can be gained for Serpent and Twofish. In any case,
> the Biham/Shamir paper played no role in determining promotion to round 2.
> If it is to play a role in round 2, it will have to be made more concrete.
> E.g., statements such as "the derivation ... is expected to be easier" in
> Section 2.12 will have to be instantiated before a candidate such as
> Rijndael is regarded as having any real weakness in this context. Even if
> this is the case, there is considerable debate about whether such attacks
> are a real concern.

Cheers,

William
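The "2.54 bits of information per byte" figure quoted above matches the Shannon entropy of the Hamming weight of a uniformly random byte. The script below is an added example, not code from either mail or from the Biham/Shamir paper: it computes that entropy and shows how many candidate byte values each observed weight leaves. It assumes the plain Hamming-weight leakage model (an observer learns only the Hamming weight of each secret byte); whether the paper derives its figure exactly this way is not stated on this page.

```python
from __future__ import annotations
from math import comb, log2


def hamming_weight_distribution(bits: int) -> dict[int, float]:
    """Probability of each Hamming weight for a uniformly random bits-wide word."""
    total = 2 ** bits
    return {w: comb(bits, w) / total for w in range(bits + 1)}


def hamming_weight_entropy(bits: int) -> float:
    """Shannon entropy (in bits) of the Hamming weight of a uniform bits-wide word.

    Under the Hamming-weight leakage model this is the information an observer
    gains about the word from seeing its weight alone; for a byte it is ~2.54 bits.
    """
    return -sum(p * log2(p) for p in hamming_weight_distribution(bits).values())


def candidates_for_weight(bits: int, weight: int) -> int:
    """Number of bits-wide values consistent with one observed Hamming weight."""
    return comb(bits, weight)


def remaining_search_space_bits(observed_weights: list[int]) -> float:
    """Size (log2) of the key space left once each key byte's weight is known.

    A weight of 0 or 8 pins the byte exactly; a weight of 4 still leaves 70
    candidates, so the reduction is far from uniform across bytes.
    """
    return sum(log2(candidates_for_weight(8, w)) for w in observed_weights)


if __name__ == "__main__":
    print(f"Hamming-weight entropy of a byte: {hamming_weight_entropy(8):.2f} bits")
    for w in range(9):
        print(f"weight {w}: {candidates_for_weight(8, w):3d} candidate byte values")
    # Constructed sample: a 16-byte key whose bytes all leaked the widest bin (weight 4).
    print(f"128-bit key, all weights 4: {remaining_search_space_bits([4] * 16):.1f} bits left")
```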
