Information Security News mailing list archives
Re: Rijndael among the weakest of the AES candidates
From: InfoSec News <isn () C4I ORG>
Date: Wed, 4 Oct 2000 22:28:45 -0500
---------- Forwarded message ----------
Date: Wed, 04 Oct 2000 16:06:50 -0400
To: Steve Reid <sreid () sea-to-sky net>, cryptography () c2 net
From: John Kelsey <kelsey.j () ix netcom com>
Subject: Re: Rijndael among the weakest of the AES candidates
Sender: owner-cryptography () c2 net

-----BEGIN PGP SIGNED MESSAGE-----

At 01:50 PM 10/3/00 -0700, Steve Reid wrote:

> On Mon, Oct 02, 2000 at 10:20:35PM -0000, lcs Mixmaster Remailer wrote:
> > Rijndael appears to be a compromise between security and efficiency.
> > This leaves us in an unhappy and uncomfortable position. It may well be
> > that Twofish and perhaps Serpent continue to be widely used alternatives
> > to AES.
>
> I expect Rijndael, being the chosen AES, is likely to receive far more
> analysis over the next few years than any of the other candidates.
> Assuming there are no major weaknesses found, that analysis should greatly
> increase confidence in Rijndael as compared to other algorithms.
I agree. Also, there's a *huge* difference between academic attacks and production attacks. An attack that breaks an AES candidate with (say) 2^{120} work and 2^{120} adaptive chosen plaintexts would be enough to destroy a candidate cipher, but it will never matter in real life. And at present, nobody who's talking has the faintest clue how you'd get even this kind of attack on Rijndael. It's interesting to note the cryptanalytic results that *haven't* affected real-world security of systems using DES: differential attacks, linear attacks, and extended Davies' attacks. The best attack on DES is (from memory) a linear attack that requires about 2^{43} known plaintexts. I would be totally shocked to find a single case of this attack being carried out to defeat the security of a real-world system. It's also interesting to note the cryptanalytic properties and attacks that *have* affected real-world security of DES-based systems: short keyspace, time-memory tradeoffs, weak and semi-weak keys, and complementation properties. *Those* have all had an impact on the security of real-world systems.
> My expectation is based on what has happened with DES. Even though there
> are other algorithms that are more efficient and probably more secure,
> there is more confidence in 3DES because of the amount of analysis that
> has gone into it. No other symmetric algorithm is likely to see as much
> analysis as DES has - except Rijndael.
I agree. Rijndael wasn't broken in two years of evaluation by the public community, and was evaluated by the NSA as well. (NSA more-or-less had a veto on any algorithm, as I understand it. They didn't use the veto for any of them, according to what I've heard.) After all that, it was just about always one of the two fastest/cheapest algorithms on every platform. That's why (IMO) it got chosen. I plan to keep working on cryptanalyzing it, and I imagine everyone in the block cipher cryptanalysis community does, too. But I don't think there's any reason to worry about a practical attack on it, and I haven't got a clue how to even come up with an academic break on it, and as far as I know, neither does anyone else on Earth. In five years, I suspect we'll know more about the security of Rijndael than we've ever known about the security of any cipher. And I expect that we'll still be happily using it. They won because their cipher is really, really good.

- --John Kelsey, kelsey () counterpane com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com>
Comment: foo

iQCVAwUBOduNoyZv+/Ry/LrBAQGX5QP/e8+b6a+WewcIgct/8F1Pt8pH82EI1BhT
1vfokkTsAkrr9jDxpZhFo17inkSWuUgnYY82nB9atU4uLCu22Y+JEAtf7MKxHEbi
f1n0Q1CJmA0c7CIwaSUUslJ8+PxQbPlG9G2MrR9t1DjNfNGGRpabmYaRJKA19XkK
K3BSn1uI+/0=
=AqlZ
-----END PGP SIGNATURE-----

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
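The DES properties Kelsey lists as the ones that actually hurt deployed systems (weak and semi-weak keys, short effective keyspace) are things a defender can check for at key-generation time. The Python below is an added example, not code from this thread or from any of its participants; it assumes keys are supplied in the usual form of 8 bytes per DES key with a parity bit in the low bit of each byte, and takes the 16 weak/semi-weak keys from FIPS PUB 74. The 3DES check also flags keys whose adjacent components are equal, since encrypt-decrypt-encrypt then cancels down to single DES.

```python
"""Sanity-check DES / 3DES keys for weak keys and degenerate 3DES keying.

Added example, not from the original thread. Assumes 64-bit DES keys with one
parity bit per byte; weak-key list per FIPS PUB 74.
"""

# The 4 weak and 12 semi-weak DES keys, written with odd parity (FIPS PUB 74).
_WEAK_KEYS_HEX = (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)


def strip_parity(key: bytes) -> bytes:
    """Clear the low (parity) bit of each byte. DES ignores it, so two keys that
    differ only in parity bits select the same 56-bit key."""
    return bytes(b & 0xFE for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Return the key with each byte's low bit chosen so the byte has odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)


# Compare on the 56 effective bits, so parity variants of a weak key are caught.
_WEAK_KEYS = {strip_parity(bytes.fromhex(h)) for h in _WEAK_KEYS_HEX}


def is_weak_des_key(key: bytes) -> bool:
    """True if the 8-byte key is a weak or semi-weak DES key, however its parity
    bits are set (the all-zero key is caught as well as 0101...01)."""
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes")
    return strip_parity(key) in _WEAK_KEYS


def check_3des_key(key: bytes) -> list[str]:
    """Return a list of problems with a 16- or 24-byte 3DES (EDE) key.

    Flags any weak sub-key and any adjacent equal sub-keys: with K1 == K2 or
    K2 == K3 the encrypt/decrypt pair cancels and EDE degenerates to single DES.
    """
    if len(key) == 16:          # two-key 3DES: K3 = K1
        parts = [key[:8], key[8:], key[:8]]
    elif len(key) == 24:
        parts = [key[:8], key[8:16], key[16:]]
    else:
        raise ValueError("a 3DES key is 16 or 24 bytes")
    problems = []
    for i, k in enumerate(parts, start=1):
        if is_weak_des_key(k):
            problems.append(f"K{i} is a weak or semi-weak DES key")
    k1, k2, k3 = (strip_parity(k) for k in parts)
    if k1 == k2 or k2 == k3:
        problems.append("adjacent sub-keys are equal: EDE collapses to single DES")
    return problems


if __name__ == "__main__":
    # Constructed sample keys for demonstration.
    for hexkey in ("0000000000000000", "0123456789ABCDEF"):
        k = bytes.fromhex(hexkey)
        print(hexkey, "weak" if is_weak_des_key(k) else "ok",
              "-> with odd parity:", set_odd_parity(k).hex())
    bad = bytes.fromhex("0123456789ABCDEF" * 2 + "FEDCBA9876543210")
    print(check_3des_key(bad))
```

The parity handling is the part most implementations get wrong: a weak-key table compared byte-for-byte against a key with even or random parity bits will miss the all-zero key, even though DES treats it exactly like 0101...01.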