Jerrold Leichter wrote:

I can come up with a cipher provably just as secure as AES-128 very quickly....

(Actually, based on the paper a while back on many alternative ways to formulate AES - it had a catchy title something like "How Many Ways Can You Spell AES?", except that I can't find one like that now - one could even come up with a formulation that is (a) probably as secure as AES-128; (b) actually faster in hardware or simpler to implement or whatever...)

You're probably looking for [1] by Barkan and Biham. What they do is replace the irreducible polynomial and all the constants involved in Rijndael to get what they call "dual ciphers"; basically those ciphers are isomorphic to Rijndael. All in all they get 240 dual ciphers, which are listed in [2]. What I found more interesting back then was that they also give square dual and log dual ciphers of Rijndael. I.e. let E be the Rijndael encryption and E' be the encryption function of the square/log dual Rijndael construction. Furthermore let f be a function that either performs bytewise squaring in GF(2^8) or replaces each byte with a logarithmic representation (relative to a generator g; you also need to fix log_g(0) = -\infty for this to make sense). Then

E'(f(plaintext), f(key)) = f(E(plaintext, key))

holds. The squaring construction then also naturally extends to what they call "higher-order self dual ciphers": meaning you can apply the squaring multiple times.

In 2004 Wu, Lu and Laih then demonstrated that using Barkan's and Biham's method can indeed lead to more efficient implementations of AES/Rijndael in hardware.

Cheers, Ralf

[1] Elad Barkan and Eli Biham: In How Many Ways Can You Write Rijndael? ASIACRYPT 2002, Springer. Note: also on ePrint as http://eprint.iacr.org/2002/157 if you don't have Springer Link access.

[2] Elad Barkan and Eli Biham: The Book of Rijndaels http://eprint.iacr.org/2002/158

[3] Shee-Yau Wu, Shih-Chuan Lu and Chi Sung Laih: Design of AES Based on Dual Cipher and Composite Field. Topics in Cryptology, CT-RSA 2004, Springer

-- Ralf-P. Weinmann <[EMAIL PROTECTED]> TU Darmstadt, FB Informatik, FG Theoretische Informatik Tel: +49-(0)6151-16-6628
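
Added example (not part of the original message or of the cited papers): a Python check of the byte-level algebra behind the two choices of f described above. Squaring is a bijection on GF(2^8) that commutes with XOR, multiplication and inversion, and the log representation turns multiplication into addition mod 255 once log_g(0) is fixed to -infinity. It does not implement the dual ciphers themselves; the generator 0x03 and all function names are choices made for this illustration.

```python
# Added illustration; generator 0x03 and all names are choices made here.
AES_POLY = 0x11B           # Rijndael's x^8 + x^4 + x^3 + x + 1
NEG_INF = float("-inf")    # stands for log_g(0), as fixed in the post

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the Rijndael polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a):
    """a^254: the inverse, with 0 -> 0 (the core of the Rijndael S-box)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def squaring_commutes_with_field_ops():
    """f = squaring is a bijection compatible with XOR, mul and inversion."""
    sq = [gf_mul(a, a) for a in range(256)]
    inv = [gf_inv(a) for a in range(256)]
    return (len(set(sq)) == 256
            and all(sq[inv[a]] == inv[sq[a]] for a in range(256))
            and all(sq[a ^ b] == sq[a] ^ sq[b]
                    and sq[gf_mul(a, b)] == gf_mul(sq[a], sq[b])
                    for a in range(256) for b in range(256)))

def log_table(g=0x03):
    """Discrete logs to base g; 0x03 generates the multiplicative group."""
    table, x = {0: NEG_INF}, 1
    for i in range(255):
        table[x] = i
        x = gf_mul(x, g)
    return table

def log_add(x, y):
    """Multiplication in the log representation: add exponents mod 255."""
    return NEG_INF if NEG_INF in (x, y) else (x + y) % 255

def log_turns_mul_into_add(g=0x03):
    log = log_table(g)
    return len(log) == 256 and all(
        log[gf_mul(a, b)] == log_add(log[a], log[b])
        for a in range(256) for b in range(256))
```

Both checks run exhaustively over all byte pairs, so they cover the zero byte, which is the case the -infinity convention exists for.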
