Information Security News mailing list archives

Re: Rijndael among the weakest of the AES candidates


From: InfoSec News <isn () C4I ORG>
Date: Wed, 4 Oct 2000 22:28:45 -0500

---------- Forwarded message ----------
Date: Wed, 04 Oct 2000 16:06:50 -0400
To: Steve Reid <sreid () sea-to-sky net>, cryptography () c2 net
From: John Kelsey <kelsey.j () ix netcom com>
Subject: Re: Rijndael among the weakest of the AES candidates
Sender: owner-cryptography () c2 net

At 01:50 PM 10/3/00 -0700, Steve Reid wrote:
> On Mon, Oct 02, 2000 at 10:20:35PM -0000, lcs Mixmaster Remailer
> wrote:
> > Rijndael appears to be a compromise between security and
> > efficiency. This leaves us in an unhappy and uncomfortable
> > position.  It may well be that Twofish and perhaps Serpent
> > continue to be widely used alternatives to AES.

> I expect Rijndael, being the chosen AES, is likely to
> receive far more analysis over the next few years than any
> of the other candidates. Assuming there are no major
> weaknesses found, that analysis should greatly increase
> confidence in Rijndael as compared to other algorithms.

I agree.  Also, there's a *huge* difference between academic
attacks and production attacks.  An attack that breaks an
AES candidate with (say) 2^{120} work and 2^{120} adaptive
chosen plaintexts would be enough to destroy a candidate
cipher, but it will never matter in real life.  And at
present, nobody who's talking has the faintest clue how
you'd get even this kind of attack on Rijndael.

It's interesting to note the cryptanalytic results that
*haven't* affected real-world security of systems using DES:
differential attacks, linear attacks, and extended Davies'
attacks.  The best attack on DES is (from memory) a linear
attack that requires about 2^{43} known plaintexts.  I would
be totally shocked to find a single case of this attack
being carried out to defeat the security of a real-world
system.

It's also interesting to note the cryptanalytic properties
and attacks that *have* affected real-world security of
DES-based systems: short keyspace, time-memory tradeoffs,
weak and semi-weak keys, and complementation properties.
*Those* have all had an impact on the security of real-world
systems.

> My expectation is based on what has happened with DES. Even
> though there are other algorithms that are more efficient
> and probably more secure there is more confidence in 3DES
> because of the amount of analysis that has gone into it. No
> other symmetric algorithm is likely to see as much analysis
> as DES has - except Rijndael.

I agree.  Rijndael wasn't broken in two years of evaluation
by the public community, and was evaluated by the NSA as
well. (NSA more-or-less had a veto on any algorithm, as I
understand it.  They didn't use the veto for any of them,
according to what I've heard.)  After all that, it was just
about always one of the two fastest/cheapest algorithms on
every platform.  That's why (IMO) it got chosen.  I plan to
keep working on cryptanalyzing it, and I imagine everyone in
the block cipher cryptanalysis community does, too.  But I
don't think there's any reason to worry about a practical
attack on it, and I haven't got a clue how to even come up
with an academic break on it, and as far as I know, neither
does anyone else on Earth.

In five years, I suspect we'll know more about the security
of Rijndael than we've ever known about the security of any
cipher.  And I expect that we'll still be happily using it.

They won because their cipher is really, really good.

--John Kelsey, kelsey () counterpane com


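The complementation property Kelsey lists among the things that *did* hurt real-world DES, worked through as an added derivation (not part of the original message; standard DES notation is assumed: E = expansion, S = S-box layer, P = permutation, a bar denotes bitwise complement):

```latex
% 1. The round function. Expansion E is a bit selection and key mixing
%    is XOR, so both commute with complementation (\bar{x} = x \oplus 1...1):
f(R, K) = P\bigl(S(E(R) \oplus K)\bigr)
E(\bar{R}) \oplus \bar{K} = \overline{E(R)} \oplus \overline{K} = E(R) \oplus K
\Rightarrow\; f(\bar{R}, \bar{K}) = f(R, K)

% 2. One Feistel round on complemented state with a complemented round key:
(L_{i+1}, R_{i+1}) = (R_i,\; L_i \oplus f(R_i, K_i))
(\bar{R_i},\; \bar{L_i} \oplus f(\bar{R_i}, \bar{K_i}))
  = (\bar{R_i},\; \bar{L_i} \oplus f(R_i, K_i))
  = (\overline{L_{i+1}},\; \overline{R_{i+1}})

% 3. The key schedule is only bit selection (PC-1, PC-2) and rotation,
%    so complementing the 56-bit key k complements every round key:
k \mapsto \bar{k} \;\Rightarrow\; K_i \mapsto \bar{K_i} \quad (i = 1,\dots,16)
% IP and IP^{-1} are bit permutations and commute with complement, hence
\mathrm{DES}_{\bar{k}}(\bar{p}) = \overline{\mathrm{DES}_k(p)}

% 4. Consequence for exhaustive search. With two chosen plaintexts p and
%    \bar{p} encrypted under the unknown key k:
c_1 = \mathrm{DES}_k(p), \qquad c_2 = \mathrm{DES}_k(\bar{p})
% For each trial key t compute a single encryption x = DES_t(p). Then
x = c_1 \;\Rightarrow\; t = k
\bar{x} = \overline{\mathrm{DES}_t(p)} = \mathrm{DES}_{\bar{t}}(\bar{p}) = c_2
  \;\Rightarrow\; \bar{t} = k
% One encryption therefore tests both t and \bar{t}; it suffices to try
% keys from one half of the space (e.g. those with top bit 0):
W = 2^{56} / 2 = 2^{55} \text{ DES evaluations}
```

Unlike the 2^{43}-known-plaintext linear attack, this one needs only two chosen plaintexts and a trivial change to an existing key-search engine, which is why it counts as a property that has mattered in practice.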
ISN is hosted by SecurityFocus.com