Thanks for the summary. My only problem with Rijndael is that it is still rather young. I recall reading that NSA takes seven years to qualify a new cipher. It took at least that long for the open cryptographic community to trust DES. If someone asked me what cipher to use today in a new, very high value application, I would have a hard time choosing between Rijndael and 3DES. Rijndael appears to be a far superior design, but 3DES has enjoyed a lot more scrutiny. I was thinking it might be useful to define a "Paranoid Encryption Standard (PES)" that is a concatenation of all five AES finalists, applied in alphabetical order, all with the same key (128-bit or 256-bit). If in fact RC6 is the only finalist still subject to licensing by its developer, it could be replaced by DEAL (alphabetized under "D"). Since DEAL is based on DES, it brings the decades of testing and analysis DES has received to the party. DEAL was dinged in the first round because "it is claimed that DEAL-192 is no more secure than DEAL-128" and "equivalent keys are claimed for a fraction (2**64) of the 192-bit and 256-bit key spaces." http://csrc.nist.gov/encryption/aes/round1/r1report.htm#sec2.3.1 I don't think either issues is reason to exclude DEAL in this role, though if there were tweaks to DEAL that resolved them, they might be worth including. PES would be intended for encrypting material of the highest value while AES undergoes additional years of scrutiny. Given Rijndael's outstanding performance, PES could prove 10-20 times slower than AES, but that should not be a problem on modern PCs. User's of PES could still face third-party patent claims, such as Hitachi's, whatever validity they may have. To the extent that my ideas in this posting are patentable, I would happily place them in the public domain. Arnold Reinhold At 2:17 AM -0400 10/10/2000, Vin McLellan wrote:
Arnold G. Reinhold <reinhold@world.std.com> asked:
What is the licensing status of the other finalists? For example, I seem to >recall reading that RC6 would be licensed to the public at no charge if it won the competition. What now?
Since April, RC6 has being commercially licensed as part of RSA's BSAFE Crypto-C 5.0 and BSAFE Crypto-J 3.0 software developer toolkits. I don't expect that will change.
(RSA said, however, that by the end of the year its regular support and maintenance procedures will add Rijndael to both of those SDKs. RSA also said it will adopt the AES as "a baseline encryption algorithm" for its Keon family of digital cert products.)
Given RSA's market share, the eight BSAFE toolkits could be a major channel for distributing AES code to the developer community, particularly among OEMs. <http://www.rsasecurity.com/products/bsafe/>
Of the other three who made the finals in this "Crypto Olympics."
MARS, while patented, is available world-wide under a royalty-free license from Tivoli Systems, an IBM subsidiary. (See <http://www.tivoli.com>, although the Tivoli site doesn't seem to have anything but the press release.)
Serpent is public domain, now under the GNU PUBLIC LICENSE (GPL), although Serpent website warns that "some comments in the code still say otherwise." <http://www.cl.cam.ac.uk/~rja14/serpent.html>
Twofish is "unpatented, and the source code is uncopyrighted and license-free; it is free for all uses." <http://www.counterpane.com/twofish.html>
Suerte, _Vin