
AES Finalists, Round 2

justin++ posted more than 14 years ago | from the onefish-twofish-bluefish-blowfish dept.

Encryption 47

James Morris writes "NIST has announced the AES finalists for round two. (AES is a new data encryption scheme intended to replace DES). The finalists are MARS (IBM), RC6 (RSA), Rijndael (Joan Daemen and Vincent), Serpent (Ross Anderson, Eli Biham and Lars Knudsen) and Twofish (Bruce Schneier and friends)." While this is the second round, the choosing of a finalist is still quite a ways off.

47 comments

Re:IDEA is fine, it's DES they're replacing... (2)

cpt kangarooski (3773) | more than 14 years ago | (#1755314)

And you're right, no crypto is strong enough to protect you from some attacks (e.g. Social Engineering...)

Obviously you're unfamiliar with the BuBBE algorithm. Blocks of ciphertext include reminders to not tell anyone your passwords, to overwrite plaintext and to eat your soup before it gets cold and ruined (in high security environments, the default exception for gazpacho is no longer allowed).

There is a downside to this of course. You have to encrypt/decrypt messages at least once a day, and otherwise be a mensch to your software. If you don't, the whole algorithm gets farbissine, and that would be bad for you, you schlemazel.

Re:Why we want a patented algorithm to win (0)

Anonymous Coward | more than 14 years ago | (#1755315)

Americans, being Americans, will never actually choose a non-US algorithm as the AES (soon to be mis-named American Encryption Standard), ...

Which is probably why CAST-256 was dropped. Developed by a US-based company, but the actual development work was done in Canada.

Where's Microsoft "Research" (0)

Anonymous Coward | more than 14 years ago | (#1755316)

With the $billions that MS spends on "research" how come they're not in the thick of things in this contest? I don't think MS is getting their money's worth with their "research" spending.

Re:What happened to... (1)

Paul Crowley (837) | more than 14 years ago | (#1755317)

That was a public key method, a bit faster but no big deal. This competition is for secret key algorithms, a whole different ball game.

If you'd like to keep track of happenings in the crypto world, read the Cryptogram:

http://www.counterpane.com/crypto-gram.html
--

Re:What happened to... (0)

Anonymous Coward | more than 14 years ago | (#1755318)

Me: jlcooke@jlcooke.net What she did was a rendition on a number theory based encryption algorithm. Kinda like RSA, but faster and uses more memory. RSA and what she did would not be eligible for this. And for that guy who thinks RSA stinks, block cyphers are useless if you can't send them over the internet securely! :) Man-in-the-middle, is better than, "Oh look at me, here's my key". Just my 2 cents.

Why did they pick weak cyphers? (0)

Anonymous Coward | more than 14 years ago | (#1755319)

Me: jlcooke@jlcooke.net I strongly suggest that everyone take a look at: The Block Cipher Lounge [ii.uib.no] [Cypher vs Cipher is a British vs. USA thing]. You'll notice that CAST-256 did not make it to the second round. Nor did Hasty Pudding. These were arguably the two most advanced algorithms out there. And both have no known weaknesses. Why didn't they make it? First of all CAST-256 has been chosen as (loosely termed) "Canada's AES". The original CAST algorithms have been hailed by the likes of Phil Zimmerman in his PGP white papers as well as all over the crypto community. The good old US gov't is once again afraid. And Hasty Pudding, developed in the US, I feel wasn't included because the submission wasn't in PDF or another fancy presentation. It was in plain text. It seems to me that NIST is more concerned with public image and patriotism than the greater good of the privacy of their citizens. This is indeed a sad sad day.

3DES effective keysize (1)

rjh (40933) | more than 14 years ago | (#1755320)

3DES is based on 56-bit keys, but it has the equivalent of between 112 and 114 bits of keysize (depending on who you talk to). A 112-bit key is pretty darn tootin' good.

DES is the world's most thoroughly examined algorithm and has had no successful attacks against it (save for brute force and ignorance). 3DES is still a very good choice for an algorithm, due to (a) the large effective keysize and (b) the incredible scrutiny which it has passed.

Schneier himself has said that if you're really paranoid about security, use 3DES instead of Blowfish, IDEA or anything else.

Re:Why did they pick weak cyphers? (1)

rjh (40933) | more than 14 years ago | (#1755321)

CAST may not be all it's cracked up to be: if I recall correctly, Schneier said that CAST wasn't much more secure with larger keysizes. Then again, Schneier's Twofish is a competitor for AES; I don't think that would skew his opinions, but it warranted being said.

Zimmerman is not a cryptanalyst or cryptographer, incidentally. He (formerly) wrote applications to implement established cryptography algorithms. He's certainly very knowledgeable, but since he doesn't have a background in either creating ciphers or breaking them, I don't think his opinion carries very much weight as to whether or not CAST is secure.

PDF files are trivially easy to generate. If Hasty Pudding's authors submitted their algorithm in straight ASCII when the committee specified PDF as the format, then it's the fault of the Hasty Pudding team. Don't complain about the existence of reasonable rules; don't complain about people enforcing reasonable rules. Complain about the people who don't comply with reasonable rules.

Re:3DES effective keysize (1)

PhonyToad (73477) | more than 14 years ago | (#1755322)

3DES is

---SSSS------L---------OOOO-----W---------W---!!
--SS---------L-------OO----OO----W-------W----!!
----SSS------L------O--------O----W-W-W-W-----!!
-------SS----L-------OO----OO------W-W-W--------
----SSSS-----LLLLLL----OOOO---------W-W-------!!

Re:how sad... (1)

The_Morlock (69094) | more than 14 years ago | (#1755324)

Sad how? I'm sure everybody worked really hard on their algos, and I'm sure every one of them was really good and all, but come on. Somebody has to win. You can't let everybody win and have 15 standards... then all you have is no standard.
I hold it that a little rebellion, now and then, is a good thing...

Re:Choice of PDF as file format. (1)

cameldrv (53081) | more than 14 years ago | (#1755325)

Maybe they're more concerned with the crypto than the format it's in.

Choice of PDF as file format. (2)

Ray Dassen (3291) | more than 14 years ago | (#1755326)

Don't complain about the existence of reasonable rules; don't complain about people enforcing reasonable rules.

I'm not convinced that requiring PDF is a reasonable rule; it offers few if any advantages over other formats. There is little in crypto design documents that requires total control over presentation, so e.g. HTML would have done just as well, and be a whole lot less to download for us poor folks in countries where bandwidth costs real money.

From NIST, being a body concerned with standards, I would find a requirement for documentation submitted in an official standard format (say SGML or XML) more logical than a requirement for a de-facto format like PDF.

Re:Where's Microsoft "Research"? (1)

Paul Crowley (837) | more than 14 years ago | (#1755327)

Good question, especially since Microsoft employ some pretty well known names in the field (eg Roger Needham). A .sig quote read "Microsoft is an intellectual roach motel: big brains go in, but you don't see anything come out".

Are they just trying to stop anyone else having any ideas by putting the brains out to graze? Your guess is as good as mine.
--

Go Twofish Go! (1)

slothbait (2922) | more than 14 years ago | (#1755328)

Damn...you stole my subject line.

I personally am rooting for twofish because:

1) It doesn't come from a company.
2) It has a really cool name (down with TLA's!)

There's something ironically appealing about a heavy-duty piece of (weapons-grade?) crypto with "fish" in the name. Then there is the whole seussian angle...

But I wonder what happened to the other fishes?

"One fish, two fish,
red fish, blue fish".

--Lenny

They didn't pick weak ciphers. (1)

Paul Crowley (837) | more than 14 years ago | (#1755329)

May I suggest actually reading the NIST document giving the reasons for their decisions?

CAST-256 wasn't chosen because of its mediocre performance and large ROM requirements on smartcards. It's the predecessor, CAST-128, that's now used in PGP. Note that although CAST is proven secure against certain classes of attack, it's also proven that you can build a weak cipher which passes the same tests.

HPC was never a serious contender: it's a bad performer on all platforms except 64-bit microprocessors, and it's too weird to be analysed in the time available.

This contest will have advanced the art of block cipher design and analysis whoever wins, and we'll have gained some damn good ciphers in the process.
--

Re:Go Twofish Go! (0)

Anonymous Coward | more than 14 years ago | (#1755330)

I think Counterpane is a company.

Re:Go TwoFish! (0)

Anonymous Coward | more than 14 years ago | (#1755331)

This is good. I made quite an arse of myself a while back, I was conversing via Email with Bruce about AES and I haphazardly asked his opinion "who do you think has the inside track? Probably MARS?" For some reason I totally forgot that he had designed Twofish, which is also a wonderful algorithm. It was quite embarrassing, but he thought one of twofish, rc6 and mars would get it.

The big advantage of Serpent, MARS and RC6 is that they come from teams with a proven track record and a long history. Team twofish isn't too shabby either; they are the new kids on the block, but they are certainly talented.

may the best cipher win.

Re:Why a new block cipher (1)

Tincan (64139) | more than 14 years ago | (#1755332)

I'm hoping you know that Twofish is a small variation on Blowfish. I can't believe that people writing here are touting Mars and Rijndael as the likely winners. Can we be serious? The only real contender is Twofish. IBM is good at a lot of things, but I don't think crypto is one of them (Mars). I suspect that one contributor is right in the sense that NIST will not choose a non-American algorithm, but in this case I can't envision that Rijndael would be even close. The number of cycles in Mars and Rijndael is insignificant compared to Twofish (and a few others). Loki97 would have made it if there was not a publicized theoretical attack (I think the attack required something on the order of 2^64 ciphertexts). I have known Bruce Schneier for years, worked with him, and met some of his team. They are the best outside of NSA hands down.

Re:Why did they pick weak cyphers? (1)

Mr T (21709) | more than 14 years ago | (#1755333)

Nothing against Phil, he's great but did you ever see Bass-o-matic? Go find a copy of PGP 1.0 and have a look-see. Phil is a wonderful activist and software engineer but he's not my choice of a cryptanalyst. His endorsement isn't glowing. I don't believe CAST to be as secure as the algorithms they have chosen.

The AES contest was good because we now have a bunch of fairly secure algorithms out in the public; not all of them are as secure as some, but none of them is totally weak either. The 5 finalists are 5 fine algorithms that are put together by some of the foremost experts in the field. Being created by Eli Biham, Don Coppersmith or Ron Rivest is about as good a pedigree as you can get in the cryptography business aside from an NSA stamp which approves your cipher for classified top secret military use.

Re:This truely is news for nerds (1)

destinati (63766) | more than 14 years ago | (#1755334)

RSA is very simple to understand and implement (using a generic big integer library with a powermod feature). Also, RSA's patent expires in September of 2000 (mark your calendars!).

As with every other good public key algorithm, it's slow on large integers. (The reason is the modulo the big composite number).

Man in the middle attacks aren't bad if you can have a trusted third party (SSL uses certs generated by primarily Verisign) verify the public keys and server certs.

AES has to have a variable key size [128, 192, 256] (with all foreseeable computation ability, 128 will be all that is ever needed)

256 bit keys are a bit silly.. The 115792089237316195423570985008687907853269984665640564039457584007913129639936 keys are quite a lot to check (although, if all the atoms in the universe [estimated 10^78] were to test 1 key/sec, it'd only take about 0.1157920892 seconds). However.. 512 bit keys with all the atoms testing a trillion keys/second would take about (2^512)/(10^78)/60/60/24/(36525/100)/(10^12) (4.2486779507765473608e56?) years..

Besides, if people want your information, they sure as heck won't be dumb enough to attack the algorithm. People fail long before the math does.

Re:IDEA is fine, it's DES they're replacing... (1)

ENOENT (25325) | more than 14 years ago | (#1755335)

> that would be bad for you, you schlemazel.

That's schlemiel to you, bub. Now watch out or I'll spill soup on you.


You mean women like Dorothy. Yea BABY Yea! (1)

joetee (13215) | more than 14 years ago | (#1755336)

Well known governor of technology, and freedom. There are some government paid "cryptologists" that ~evaluated~ THE CLIPPER CHIP, that are identified to us as female, who must remain seated when around TRUE MINDS like Bruce.
I would expect a weakness/atrophy starting opposite the direction that BEN FRANKLIN speaks highly of "In praise of older women", that would be far worse than simple weakness in the knees, when faced with THE (blue/red) BOOK AUTHOR.
The record speaks volumes about the condition of the mind end, which lost so much, for such a pointless reason, and for what?

To work as a paid consultant for the SDMI klan?

Go TwoFish! (1)

yonderboy (13585) | more than 14 years ago | (#1755337)

I hope TwoFish gets it. Bruce Schneier makes women's knees weak. That, and it's a badass algorithm.

how sad... (0)

Anonymous Coward | more than 14 years ago | (#1755338)

isn't it sad that only these made it ...

Re:Go TwoFish! (0)

Anonymous Coward | more than 14 years ago | (#1755340)

But the MARS C implementation runs at a rate of about 65 Mbit/sec on a P200. It's a moot point anyway. Everyone knows Schneier et al's algorithm is loved by NIST. AC

This truely is news for nerds (1)

QuantumG (50515) | more than 14 years ago | (#1755341)

Damn.. I can remember when I memorized IDEA (I can't remember IDEA but I remember when I remembered it).. it still rules, no-one has cracked it and when they do, extend your key length.. rather than coming up with yet another symmetrical encryption method, why not come up with something a little better than RSA.. Public key encryption is a wonderful science but when you're talking about a possible man in the middle attack you still have to rely on a trusted signature or a "known" host key (like if you have never ssh'd to a box before and it says "do you want to save this host key".. at that point you could have been intercepted and are being fed a bogus key).. *yawn* the math enthralls me.

Re:Go TwoFish! (0)

Anonymous Coward | more than 14 years ago | (#1755342)

But serpent is so impressive!:) It runs at over 26 Mbit/sec on a 200MHz Pentium (compared with about 15 Mbit/sec for DES).

Now what kind of first post is that..? (0)

Anonymous Coward | more than 14 years ago | (#1755343)

Talking about women and knees and stuff. Back in the good old days we used to write "FiRsT p0st!!@$!", and that was about it.
I tell ya.. the kids these days don't know the first thing about decent manners.

Rijndael or Twofish will win. (1)

Paul Crowley (837) | more than 14 years ago | (#1755344)

Some very strong candidates were dropped this time, but nearly all the algorithms have an area where they're a bit weak, whether it's smart card memory usage or performance on 64-bit, highly parallel machines. Two algorithms are rather good performers right across the board of applications, and those two are Rijndael and Twofish.

I used to think Twofish was the guaranteed winner, but these days I'm inclined more towards Rijndael, which achieves its flexibility in rather simpler ways. Note that Rijndael uses fewer rounds, but every round changes the entire block.

Surprised that MARS made it through. It's fast and clever and designed by Don Coppersmith who was one of the primary DES designers, but it's also pretty weird; of the sixteen rounds, eight are unkeyed mixing stages.
--

New Encryption Names anyone? (1)

Freaek (11909) | more than 14 years ago | (#1755346)

MARS? RC6? pah

I wanna see encryption coming from "Uranus"

or howabout "REALLY BIG, REALLY STRONG"

anyone else got any ideas?

Why we want a patented algorithm to win (1)

Logi (2799) | more than 14 years ago | (#1755347)

Of the 5 algorithms still standing, two are patented. These are MARS (by IBM) and RC6 (RSA Labs). The NIST rules state that the algorithm that is finally chosen as the AES must be free to implement and so these two companies have promised to free their algorithms if they should win. This leaves us in the strange position of hoping one of the "closed" submissions wins.

Actually, I had a talk with Jennifer Seberry and Josef Pieprzyk, two of the designers of the LOKI97 algorithm which didn't make it through the first round. They anticipated the outcome of the first round and expected either MARS or RC6 to win.

Americans, being Americans, will never actually choose a non-US algorithm as the AES (soon to be mis-named American Encryption Standard), but Rijndael may hang around for embedded devices, etc. where it is particularly efficient.

Just thought I'd share my few bits.

IDEA has a 64-bit blocksize, and RSA (1)

Paul Crowley (837) | more than 14 years ago | (#1755348)

IDEA is neat, but it's (a) slow compared to the alternatives, (b) patented, and (c) only has a 64-bit blocksize, so a dictionary attack (collect all plaintext/ciphertext pairs) is within reach. Read the descriptions of the five finalists, especially Rijndael; if you liked IDEA then you might think it's pretty neat.

There are *many* alternative public key systems; RSA is just the best known, not the fastest or most secure. But there can't be a mathematical solution to the man-in-the-middle attack because it's at least partly a political problem: who's the "legitimate" owner of a particular IP address/section of DNS address space, and who do you trust to certify it?

In practice DNSSEC would do a lot to address this, but it isn't getting implemented due to the usual crypto stupidity reasons.
--

Re:Why a new block cipher (0)

Anonymous Coward | more than 14 years ago | (#1755349)

ummmm, what? you "don't think crypto is one"
of the things IBM's done?

ibm built DES.

Re:Choice of PDF as file format. (1)

um... Lucas (13147) | more than 14 years ago | (#1755350)

If the documents are destined to be printed, PDF's the way to go. You can then refer to page breaks and even line breaks when discussing them ("For instance, on page 19 in the middle of the 8th line..."). That's not possible with HTML, nor ASCII, nor MS Word, etc... Word's not available on all platforms, and the mathematical fonts used will vary from platform to platform. HTML varies way too much depending on fonts, platform, printer. Text is text - no styling, no typography (subscripts, superscripts, mathematical symbols)...

Really, the main issue is fonts - mathematical symbols that either won't exist or will have different mappings dependent on platform.

That leaves PDF... There are free tools available to create PDF files, so it's not like you need to spend extra money or anything.

My 2 cents

Why a new block cipher (1)

Logi (2799) | more than 14 years ago | (#1755351)

rather than coming up with yet another symmetrical encryption method, why not
come up with something a little better than RSA.. Public key encryption is a wonderful science but when you're talking about a possible
man in the middle attack you still have to rely on a trusted signature or a "known" host key


There are two things that make the proposed AES algorithms better than IDEA or Blowfish or triple-DES. No-one has actually broken them, but the art of cipher design has marched onwards.

1) Speed. Each of the algorithms that are left is faster than Blowfish, which is faster than IDEA which is faster than tri-DES.

2) The block-size. All the old, well-known ciphers work on 64-bit blocks. This is becoming too small. You start having problems with block-replay attacks and generally leaking information at a few gigabytes. My reference is at home, so I can't give the exact number. The AES candidates have a 128-bit block-size and this should never become a problem for them.

As for improving public-key cryptography, there are certain limits to what can theoretically be done. You always need some "secret" information, i.e. a private RSA/ElGamal/Schnorr/whatever key or a shared secret key for a symmetric cipher. If you suddenly connect to a box (with ssh) or want to send mail to someone (and are using pgp/gpg) you need something to "grab onto". What we really need is some sort of huge authentication framework. In fact, what we need is the pgp web of trust, but with everyone in it.

Also, IDEA is patented. Are you sure you weren't confusing it with Blowfish?
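Both the "dictionary attack" remark in Paul Crowley's comment above and Logi's point about 64-bit blocks come down to the birthday bound on the block width. The following is an added example, not code from any poster on this page: it computes the data volume at which ciphertext blocks start to repeat for 64- and 128-bit blocks, and uses an assumed stand-in cipher (a seeded random permutation on 16-bit blocks, so the bound is hit within a few hundred blocks) in CBC mode to show what a repeated ciphertext block gives away.

```python
import math
import random


def collision_bound_bytes(block_bits: int, prob: float = 0.5) -> float:
    """Bytes encryptable under one key before two ciphertext blocks repeat
    with probability `prob` (birthday-bound approximation, ~2^(n/2) blocks).
    For 64-bit blocks this is tens of gigabytes; for 128-bit blocks it is
    far beyond anything a single key will ever see."""
    n_blocks = math.sqrt(2.0 * 2.0 ** block_bits * math.log(1.0 / (1.0 - prob)))
    return n_blocks * block_bits / 8.0


class ToyBlockCipher:
    """Assumed stand-in for a block cipher: a keyed random permutation on
    w-bit blocks. An ideal cipher is modelled the same way; only the block
    width differs from DES (64) or the AES candidates (128)."""

    def __init__(self, block_bits: int, key_seed: int):
        self.mask = (1 << block_bits) - 1
        rng = random.Random(key_seed)            # the "key" picks the permutation
        self._table = list(range(1 << block_bits))
        rng.shuffle(self._table)

    def encrypt_block(self, x: int) -> int:
        return self._table[x & self.mask]


def cbc_encrypt(cipher: ToyBlockCipher, iv: int, plaintext: list[int]) -> list[int]:
    """CBC mode: C_i = E(P_i XOR C_{i-1}) with C_0 = IV. Returns [IV, C_1..C_n]."""
    out = [iv]
    prev = iv
    for p in plaintext:
        prev = cipher.encrypt_block(p ^ prev)
        out.append(prev)
    return out


def find_block_collision(ciphertext: list[int]):
    """First (i, j) with 1 <= i < j and C_i == C_j, or None. Needs only the
    ciphertext, so a passive observer of the traffic can compute it."""
    seen = {}
    for idx in range(1, len(ciphertext)):        # index 0 is the IV, skip it
        c = ciphertext[idx]
        if c in seen:
            return seen[c], idx
        seen[c] = idx
    return None


def leaked_plaintext_xor(ciphertext: list[int], i: int, j: int) -> int:
    """If C_i == C_j then E's inputs were equal (E is a permutation):
    P_i ^ C_{i-1} == P_j ^ C_{j-1}, hence P_i ^ P_j == C_{i-1} ^ C_{j-1}.
    The right-hand side is visible on the wire; any known P_i reveals P_j."""
    return ciphertext[i - 1] ^ ciphertext[j - 1]


def demo(block_bits: int = 16, n_blocks: int = 2048, seed: int = 1):
    """Constructed sample: random plaintext under the toy cipher. Returns the
    colliding pair, the XOR an observer derives, and the true P_i ^ P_j."""
    rng = random.Random(seed)
    cipher = ToyBlockCipher(block_bits, key_seed=seed)
    plaintext = [rng.getrandbits(block_bits) for _ in range(n_blocks)]
    iv = rng.getrandbits(block_bits)
    ct = cbc_encrypt(cipher, iv, plaintext)
    pair = find_block_collision(ct)
    if pair is None:
        return None
    i, j = pair
    return {"pair": pair,
            "leaked": leaked_plaintext_xor(ct, i, j),
            "actual": plaintext[i - 1] ^ plaintext[j - 1]}   # ct[i] encrypts plaintext[i-1]


if __name__ == "__main__":
    for bits in (64, 128):
        print(f"{bits}-bit blocks: ~{collision_bound_bytes(bits):.3e} bytes to a 50% collision")
    print(demo())
```

The 64-bit figure (roughly 40 GB) is why a long-lived DES or IDEA key should be rotated well before that volume, and the 128-bit figure is why the AES candidates' block size was not expected to become a problem.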

What happened to... (1)

WasterDave (20047) | more than 14 years ago | (#1755352)

That encryption algorithm developed by a sixteen year old Irish schoolgirl? I remember a big stink being kicked up about this 8/9 months ago, then nothing.

Any ideas?

Re:Why a new block cipher (1)

PD (9577) | more than 14 years ago | (#1755353)

And the Feistel who invented the Feistel network was an IBM researcher.

Re:New Encryption Names anyone? (0)

Anonymous Coward | more than 14 years ago | (#1755354)

Rijndael should lose simply because it can't be pronounced by people with only one tongue.

Re:3DES effective keysize (1)

Gregg M (2076) | more than 14 years ago | (#1755355)

Cool, cause that's what I attacked it with... ignorance.

I also tried to lick it open. But that didn't work.

Re:Rijndael or Twofish will win. (1)

mvw (2916) | more than 14 years ago | (#1755356)

Do you have a decent link for Rijndael (Rhine valley)?

Re:Why we want a patented algorithm to win (0)

Anonymous Coward | more than 14 years ago | (#1755357)

Americans, being Americans, will never actually choose a non-US algorithm as the AES (soon to be mis-named American Encryption Standard), but Rijndael may hang around for embedded devices, etc. where it is particularly efficient.

Actually, we may pick Rijndael if we like it, just so we can refer to it by the more English-Speaker-Friendly acronym... We can *say* TwoFish...

I'm serious about Rijndael (1)

Paul Crowley (837) | more than 14 years ago | (#1755358)

To quote from the NIST report on their choice of 5:

"Rijndael

Major security gaps: none known
Minor general security gaps: none known
Advantages:
a. Excellent performance across platforms
b. Good security margin
[...snip 6 other advantages...]
Disadvantages: no significant disadvantages"

Note further that Rijndael is the *only* one of the 15 candidates not to rate a single entry in the "Disadvantages" field.

I don't know what you mean about the "number of cycles". If you mean "rounds", then Twofish uses 16 rounds and Mars 32. Rijndael uses between 10 and 14 rounds depending on key size, but remember that each of those rounds transforms the *entire* block, not half as in Twofish.

I like Twofish a lot, and wouldn't be surprised to see it win, but the more I look at Rijndael the more I like it.

All of the other candidates have serious disadvantages on some platform or other. Twofish's biggest disadvantage is its complexity, though there are some neat things about it, especially the key schedule which is a real advance in crypto technology.
--

Re:Rijndael or Twofish will win. (2)

Paul Crowley (837) | more than 14 years ago | (#1755359)

You can find out about all the Round 2 finalists, and other AES related websites, on NIST's Round 2 page: http://csrc.nist.gov/encryption/aes/round2/round2.htm
--

IDEA is fine, it's DES they're replacing... (1)

DiningPhilosopher (17036) | more than 14 years ago | (#1755360)

The point of AES is solely to find a new standard algorithm to replace DES. There's nothing wrong with IDEA or RSA or lots of other algorithms (okay, except that they're patented), but if you're going to create a new standard and make huge masses of established code in industries like banking obsolete, you might as well go with the very best algorithm you can find.

And you're right, no crypto is strong enough to protect you from some attacks (e.g. Social Engineering...)