CDR: Re: Rijndael & NTRU

newer
CDR: Re: FC: U.S. Copyright Office...

older
CDR: Re: Parties

Vin McLellan

3 Oct 2000 3 Oct '00

midnight

On Mon, 2 Oct 2000, Vin McLellan <me> wrote:

...

...
Apparently the selection of Rijndael -- pronounced "Reign Dahl" or "Rain Doll" -- was not a big surprise to everyone.

Just got a note from Scott Crenshaw, the CEO of NTRU Cryptosystems (, one of the firms I consult for), expressing satisfaction at having "backed the right horse" while others dozed;-)

Paulo Barreto quipped:

...

Or it might not have occurred to everyone to prepare just-in-case releases for each of the finalists and wait for NIST's verdict ;-)

Yeah, I thought of that too;-) The NTRU folk, however, didn't wait for today's announcement to place their bet. The NTRU reference implementation for embedded systems -- the NERI toolkit the company has been shipping for a couple of months -- includes Rijndael code described as "an excellent complement to our core public key technology." Anyone know of any other commercial firms (other than the respective developers) which made an overt pre-announcement commitment to one of the AES candidates? Apparently the fact that Rujndael was the/a leading AES candidate was apparent to some prescient souls (not me <sigh>) at least since AES3 in N.Y. last April. As Bram Cohen put it: .> The selection of Rijndael was actually quite predictable - the round 2 .> report made it pretty clear that the only real contenders were Rijndael .> and Twofish, and hey, that last coin toss is free with 20/20 hindsight :) Suerte, _Vin

Show replies by date

Paulo S. L. M. Barreto

3 Oct 3 Oct

7:06 a.m.

On Tue, 03 Oct 2000, Vin McLellan wrote:

...

Apparently the fact that Rujndael was the/a leading AES candidate was apparent to some prescient souls (not me <sigh>) at least since AES3 in N.Y. last April. As Bram Cohen put it:

.> The selection of Rijndael was actually quite predictable - the round 2 ..> report made it pretty clear that the only real contenders were Rijndael c.> and Twofish, and hey, that last coin toss is free with 20/20 hindsight :)

Actually I had the clear impression that there were three real contenders: Rijndael, Serpent, and Twofish, in this order. Paulo.

Vin McLellan

4 Oct 4 Oct

3:18 a.m.

New subject: Rijndael & NTRU

...

As Bram Cohen put it:

...
.> The selection of Rijndael was actually quite predictable - the round 2 ..> report made it pretty clear that the only real contenders were Rijndael c.> and Twofish, and hey, that last coin toss is free with 20/20

hindsight :)

Actually I had the clear impression that there were three real contenders: Rijndael, Serpent, and Twofish, in this order.

Not to take anything from Rijndael, which is both popular and widely respected among many critical professionals, but I suspect that one of the more long-lasting (pseudo-conspiratorial) theories about the selection of Rijndael as the AES will be built around the fact that Rijndael's design apparently allowed it -- and it alone of the final five -- to escape the scope of a current US patent issued to Hitachi (which is said to cover the use of data rotation in encryption.) (Thus -- as the tale may be told -- did the "inadequacies" of the US Patent and Trademark Office define US and world crypto standards for the 21st Century;-) I can't (for the life of me;-) figure out which of Hatachi's US crypto patents this claim is based upon, but the formal Hitachi warning to NIST -- dated last April -- that Hitachi had IP (US patents) which covered AES candidates is at: http://csrc.nist.gov/encryption/aes/round2/comments/20000407-sharano.pdf. I noticed, Paulo, that you were one of those who were (unsuccessfully) nagging NIST for information about their reaction to the Hitachi IP claims. Any thoughts -- or additional information to offer -- in the aftermath of the coronation? Surete, _Vin

Paulo S. L. M. Barreto

5:48 a.m.

On Wed, 04 Oct 2000, Vin McLellan wrote:

...

Not to take anything from Rijndael, which is both popular and widely respected among many critical professionals, but I suspect that one of the more long-lasting (pseudo-conspiratorial) theories about the selection of Rijndael as the AES will be built around the fact that Rijndael's design apparently allowed it -- and it alone of the final five -- to escape the scope of a current US patent issued to Hitachi (which is said to cover the use of data rotation in encryption.)

(Thus -- as the tale may be told -- did the "inadequacies" of the US Patent and Trademark Office define US and world crypto standards for the 21st Century;-)

I can't (for the life of me;-) figure out which of Hatachi's US crypto patents this claim is based upon, but the formal Hitachi warning to NIST -- dated last April -- that Hitachi had IP (US patents) which covered AES candidates is at: http://csrc.nist.gov/encryption/aes/round2/comments/20000407-sharano.pdf.

I noticed, Paulo, that you were one of those who were (unsuccessfully) nagging NIST for information about their reaction to the Hitachi IP claims.

Any thoughts -- or additional information to offer -- in the aftermath of the coronation?

Hmm, pseudo-conspiratorial indeed, to say the least. I certainly noticed the fact that Rijndael was not mentioned in the Hitachi claim. However, so did Bruce Schneier, and he pointed out that Rijndael's ShiftRow operation is in fact a rotation, and so it should be also be covered by Hitachi's claims. Therefore, all AES finalists were seemingly equally endangered. I personally find Hitachi's claims absurd, and I wanted to know whether NIST thought the same way as I did. However, I think you might use the 21st century US legal system to manifest your concerns, if indeed you have any, that Hitachi's patent hindered the choice of any other algorithm (as this was rumoured a few days ago in this list -- I wonder who posted it, don't you, Vin?), against NIST's own statement on the contrary, made in the final report available from NIST's web site. I'll bet most people that were committed (perhaps financially) to any other of the finalists will show a reaction similar to yours. Well, this reaction is not unexpected anyway -- just remember that saying about Greeks and Trojans. Auguri, Paulo.

Vin McLellan

5 Oct 5 Oct

6:06 a.m.

New subject: Rijndael & Hitachi

...

On Wed, 04 Oct 2000, Vin McLellan <me> wrote:

...
Not to take anything from Rijndael, which is both popular and widely respected among many critical professionals, but I suspect that one of the more long-lasting (pseudo-conspiratorial) theories about the selection of Rijndael as the AES will be built around the fact that Rijndael's design apparently allowed it -- and it alone of the final five -- to escape the scope of a current US patent issued to Hitachi (which is said to cover the use of data rotation in encryption.)

(Thus -- as the tale may be told -- did the "inadequacies" of the US Patent and Trademark Office define US and world crypto standards for

the

...
21st Century;-) <snip>

Paulo S. L. M. Barreto replied: <snip>

...

I certainly noticed the fact that Rijndael was not mentioned in the Hitachi claim. However, so did Bruce Schneier, and he pointed out that Rijndael's ShiftRow operation is in fact a rotation, and so it should be also be covered by Hitachi's claims. Therefore, all AES finalists were seemingly equally endangered. I personally find Hitachi's claims absurd, and I wanted to know whether NIST thought the same way as I did.

I just found Schneier's 5/14 note: "AES Comment: the Hitachi patent," (on Sci.Crypt, via dejanews.) I was not aware that Rijndael's ShiftRow op was a rotation. That was a great letter. The TwoFish authors (among many others;-) obviously agree with your analysis.

...

However, I think you might use the 21st century US legal system to manifest your concerns, if indeed you have any, that Hitachi's patent hindered the choice of any other algorithm (as this was rumoured a few days ago in this list -- I wonder who posted it, don't you, Vin?), against NIST's own statement on the contrary, made in the final report available from NIST's web site.

Oh, come on! I do think the Hitachi claim should be challenged and disputed. I also don't think it is surprising -- particularly when the AES website's IP forum spins around the Hitachi patents and the relevance of the Hitachi claims is, in that forum, left unresolved -- that unaligned and wholly objective curious observers might bring up the question now. As the basis of an AES conspiracy theory, the two Hitachi patents strike me as pretty frail. (Rijndael is clearly a powerful and elegant algorithm, fully a peer if not the Obvious Choice among the five great cryptographic creations matched in the AES Finals.) OTOH, far more specious allegations have entangled millions in Byzantine mystery scenarios, on far less obtuse topics. My impression is that NIST covered itself with glory in its handling of the AES competition, but -- really! -- who in their right mind is gonna take the word of a US federal agency that the existence of issued US patents, and the scope of the patent-owner's claims, was irrelevant to their deliberations. (Even if it is true;-)

...

I'll bet most people that were committed (perhaps financially) to any other of the finalists will show a reaction similar to yours. Well, this reaction is not unexpected anyway -- just remember that saying about Greeks and Trojans.

My comment was simply that the Hitachi patent claims set the stage for rumors that may shadow the AES choice for years. I think that is unfortunate. Personally, I think it is embarrassing that the Hitachi patents were ever issued. My impression is that -- despite their vigorous competitive impulses -- the cryptographers who carried their work into the AES Finals all showed a great deal of respect for each other's work. They all shared the Pantheon of their Craft, and even the contenders were ennobled. In the aftermath of the NIST decision, I haven't heard sour grapes comments from any of them -- and I would be very surprised if I did. All the grumbling is just background noise from the wee folk, and I suspect it would be pretty much the same tenor, no matter which algorithm was chosen. Suerte, _Vin Vin McLellan The Privacy Guild Chelsea, MA USA

John Young

11:15 a.m.

New subject: CDR: Re: Rijndael & Hitachi

Has NIST provided other information on the Hitachi patent and the USG's evaluation of it other than Jim Foti's inscrutible comments on the discussion forum and similar inscrutibity in the R2 report? If this is all there is, it stinks of rancid red herring being called this year's never-you-mind perfume. Did Hitachi hold a gun to somebody's head, was a deal cut, is this an out held in reserve in case some fault is discovered in Rijndael, was means found to modify Rijndael to meet Hitachi's demand that has not been disclosed, is the patent claim a fiction, a mistake, a blowing of smoke. Have the authors of Rijndael commented on Hitachi's claim? A little people wants to know what the big people are hiding, or acting like they know we itty bittys don't have a clue about, about how crypto is far too important to tell the truth about, big gov and biz having their own claims on NDA, patent, copyright, personal cum national security, Ermil's cayenne, and stuff so hot if you knew you'd spin too and call it truth. The R2 report is so damn reasonable only a fool would cavil what's this fishy smell.

Arnold G. Reinhold

11:22 a.m.

New subject: Rijndael & Hitachi

At 5:43 AM -0400 10/5/2000, Vin McLellan wrote:

...

...

As the basis of an AES conspiracy theory, the two Hitachi patents strike me as pretty frail. (Rijndael is clearly a powerful and elegant algorithm, fully a peer if not the Obvious Choice among the five great cryptographic creations matched in the AES Finals.) OTOH, far more specious allegations have entangled millions in Byzantine mystery scenarios, on far less obtuse topics.

My impression is that NIST covered itself with glory in its handling of the AES competition, but -- really! -- who in their right mind is gonna take the word of a US federal agency that the existence of issued US patents, and the scope of the patent-owner's claims, was irrelevant to their deliberations. (Even if it is true;-)

...

My comment was simply that the Hitachi patent claims set the stage for rumors that may shadow the AES choice for years. I think that is unfortunate. Personally, I think it is embarrassing that the Hitachi patents were ever issued.

Maybe I am missing something, but what would be the big deal if NIST did take patent claims into account? There were five excellent candidates. If NIST picked Rijndael in part because it least likely to be tied up in court for the next N years, does that diminish their glory?

...

My impression is that -- despite their vigorous competitive impulses -- the cryptographers who carried their work into the AES Finals all showed a great deal of respect for each other's work. They all shared the Pantheon of their Craft, and even the contenders were ennobled. In the aftermath of the NIST decision, I haven't heard sour grapes comments from any of them -- and I would be very surprised if I did. All the grumbling is just background noise from the wee folk, and I suspect it would be pretty much the same tenor, no matter which algorithm was chosen.

Quite right. There is plenty of credit to go around. I was particularly pleased that NIST had the guts to pick a non-U.S. design. That's risky in Washington. Arnold Reinhold P.S. What is the licensing status of the other finalists? For example, I seem to recall reading that RC6 would be licensed to the public at no charge if it won the competition. What now?

Vin McLellan

8 Oct 8 Oct

6:36 p.m.

New subject: Rijndael & Hitachi

Vin McLellan <me> wrote:

...

...
My comment was simply that the Hitachi patent claims set the stage for rumors that may shadow the AES choice for years. I think that is unfortunate. Personally, I think it is embarrassing that the Hitachi patents were ever issued.

Arnold G. Reinhold replied:

...

Maybe I am missing something, but what would be the big deal if NIST did take patent claims into account? There were five excellent candidates. If NIST picked Rijndael in part because it least likely to be tied up in court for the next N years, does that diminish their glory?

Myself, I wouldn't blame NIST if they factored, as you suggest, avoidance of endless legal hassles into their decision-making process. (Nor, when you come down to it, would I be shocked to discover that NIST subsequently lied, or issued misleading comments, about whether the Hitachi patent claims were a factor in their decision... just to keep the AES Process out of the Courts.) The Hitachi patents become an inevitable issue -- for conspiracy buffs, if no one else -- only because the winner was the single AES Finalist that Hitachi did not claim was infringing upon its "data rotation" crypto patents.(See http://csrc.nist.gov/encryption/aes/round2/comments/20000410-sharano.pdf) (This, in turn, becomes a little more complicated because, as Schneier et al argue, Rijndael -- despite *not* being mentioned in the Hitachi letter than tagged the other four Finalist -- seems to be as vulnerable, or not, to the Hitachi patents as the named four: MARS, RC6, TwoFish, and Serpent.) I don't think anything that (might have) happened in NIST's private AES deliberations can lessen the accomplishment of this historically open process of soliciting, evaluating, and choosing (to the extent that any final selection can be open;-) Rijndael as the AES, from among the five great cryptosystems that were AES Finalists. While I appreciate how difficult it is for many -- Yanks and non-Yanks (indeed, anyone who knows anything about US Crypto Politics and the historic subservience of NIST to the NSA) -- to dismiss the influence of the US signals intelligence agencies upon the AES process as negligible, I think we lucked out. In the aftermath of the flawed Clipper Chip fiasco -- the Fortezza disaster; the pro-crypto rebellion of the EC; with the steady deterioration of the NSA's stature mystique in Congress and among American businessmen, and the common presumption that electronic commerce is the economic engine for the first decade of the 21st Century -- I think we got an open AES review, and a reasonable final choice among the best cryptosystems that could be solicited from the most capable (non-governmental) cryptographers available. Hosanna! Skeptics may quibble on relative weight put on various stated criteria, but no one familiar with the professional stature, respective egos, and personal independence of the "AES cryptographers," as a group, is going to suggest that these development teams were tame, tainted with some spooky impulses to offer only so much crypto strength and no more. That a Belgian cryptosystem was eventually selected as the American AES may make it easier to dismiss those fears overseas, and may hasten the adoption of AES internationally. Full AES standardization and interoperability, a good thing, should come more quickly. Given the integrity of the larger AES process -- and the universal respect Rijndael seemed to win among all the cryptographers involved -- I think it is clear that the relative weight of the Hitachi patent claims in NIST's AES selection process was minor. Whether, minor or not, that impact might have shifted the balance from another contender to Rijndael is impossible to say. Unless, of course, you accept NIST's simple declaration in its Report on the Development of the AES: http://csrc.nist.gov/encryption/aes/, pg. 79. Noting that NISt had solicited, collected, and analyzed IP claims relevant to the AES candidates, the report baldly states: "...IP was not a factor in NIST's selection of the proposed AES algorithm." That says, I think, that no IP claims against the AES Finalists were substantive enough to influence the final selection. (As an American, of course, I believe that skepticism about the truthfulness of any governmental declarations is an inalienable right, as well as common sense.) NIST's bureaucratic language is also just cryptic enough to support alternative interpretations. How "not a factor?" A recent C'punk tirade about NIST, AES, and HItachi from the irrepressible John Young, patron and editor of the Cryptome website, beats this drum; Mr. Young seeks deep secrets, undocumented considerations, tell-all revelations. (My own feeling is that it may be a bit much to expect NIST to publicly piss all over valid US patents and the US PTO. Maybe a terse declaration like that in the AES Report is about all cynics should expect at this time.) Mind you, NIST's AES Report also explained that the AES (Rijndael) will be published as a FIPS with a pro forma warning that existing patents might lead to claims against users of the AES standard. In truth, I'm not sure how big a deal it would be if the Hitachi patents -- and inadequacies of the US PTO and its recent history of issuing unlikely and bizarre patents in IT -- were found to have been, despite current denials, a factor in the eventual selection of Rijndael over the other contenders. Politically, I suspect that hanging a "deciding factor" in the AES decision on the US Patent and Trademark Office (PTO) would not be a prudent thing for NIST executives to do, particularly in the heat of a Gore/Bush Presidential race. It might focus a lot of querulous public attention on the less than glorious track record of the US Patent Office under the Clinton/Gore Administration. I figure there are always a lot of things unspoken, certainly unreported, in any big policy decision like this. Who can doubt it? (Even the AES timetable -- with the decision dropped in the middle of a Presidential race -- seems to a cynic like me designed to give NIST its best chance for keeping the AES Selection Process open and above board.) Given the quality of all the Final Five, others might make as good a case for an (unacknowledged by NIST) pro-Rijndael bias by noting that only Rijndael and Serpent were "non-corporate" entries. Or that Rijndael and Serpent were the only non-American AES Finalists -- and that Rijndael's designers (unlike Serpent's team of Ross Anderson et al) seem to be comparatively unpolitical or apolitical. [I chuckle to think of the consternation at GCHQ and several British Ministries if Prof. Anderson -- long an articulate and effective critic of the UK's slide toward a "Surveillance Society" -- picked up the additional stature of being co-author of the AES.] One can blither through endless permutations. And some will. Cryptographic standards like the proposed AES will inevitably attract doubtful critics and conspiratorial rumors. I trust that the ongoing validation of Rijndael over the next few years will settle them. Suerte, _Vin

proff＠suburbia.net

4:18 a.m.

New subject: CDR: Re: Rijndael & Hitachi

...

That a Belgian cryptosystem was eventually selected as the American AES may make it easier to dismiss those fears overseas, and may hasten the adoption of AES internationally. Full AES standardization and interoperability, a good thing, should come more quickly.

Not so, inprepid Vin. A Belgian cipher was chosen simply because the NSA was able to operate with relative impunity in that region, in which it has huge per-capita deployment, compared to a similar actions on its own soil. Cheers, Julian.

Bram Cohen

3:43 p.m.

New subject: Rijndael & Hitachi

On Sun, 8 Oct 2000, Vin McLellan wrote:

...

Myself, I wouldn't blame NIST if they factored, as you suggest, avoidance of endless legal hassles into their decision-making process.

With the current state of patents, it is literally impossible to do anything with a computer without violating a whole slew of patents whose validity is rather dubious. The only thing you can really do is politely tell anyone who bothers you about 'violating their patents' that you'll let them know if you decide you want to pay them off to avoid litigation, then forget about the matter unless you're actually forced to show up in court. NIST threatening a big scary anti-trust lawsuit against anyone who tries to pull something with the AES is quite laudable and more than I'd have expected them to do. -Bram Cohen

Vin McLellan

10 Oct 10 Oct

11:11 a.m.

New subject: Rijndael & Hitachi

Arnold G. Reinhold asked:

...

What is the licensing status of the other finalists? For example, I seem to >recall reading that RC6 would be licensed to the public at no charge if it won the competition. What now?

Since April, RC6 has being commercially licensed as part of RSA's BSAFE Crypto-C 5.0 and BSAFE Crypto-J 3.0 software developer toolkits. I don't expect that will change. (RSA said, however, that by the end of the year its regular support and maintenance procedures will add Rijndael to both of those SDKs. RSA also said it will adopt the AES as "a baseline encryption algorithm" for its Keon family of digital cert products.) Given RSA's market share, the eight BSAFE toolkits could be a major channel for distributing AES code to the developer community, particularly among OEMs. http://www.rsasecurity.com/products/bsafe/ Of the other three who made the finals in this "Crypto Olympics." MARS, while patented, is available world-wide under a royalty-free license from Tivoli Systems, an IBM subsidiary. (See http://www.tivoli.com, although the Tivoli site doesn't seem to have anything but the press release.) Serpent is public domain, now under the GNU PUBLIC LICENSE (GPL), although Serpent website warns that "some comments in the code still say otherwise." http://www.cl.cam.ac.uk/~rja14/serpent.html Twofish is "unpatented, and the source code is uncopyrighted and license-free; it is free for all uses." http://www.counterpane.com/twofish.html Suerte, _Vin

Arnold G. Reinhold

5:42 p.m.

New subject: Rijndael & Hitachi

Thanks for the summary. My only problem with Rijndael is that it is still rather young. I recall reading that NSA takes seven years to qualify a new cipher. It took at least that long for the open cryptographic community to trust DES. If someone asked me what cipher to use today in a new, very high value application, I would have a hard time choosing between Rijndael and 3DES. Rijndael appears to be a far superior design, but 3DES has enjoyed a lot more scrutiny. I was thinking it might be useful to define a "Paranoid Encryption Standard (PES)" that is a concatenation of all five AES finalists, applied in alphabetical order, all with the same key (128-bit or 256-bit). If in fact RC6 is the only finalist still subject to licensing by its developer, it could be replaced by DEAL (alphabetized under "D"). Since DEAL is based on DES, it brings the decades of testing and analysis DES has received to the party. DEAL was dinged in the first round because "it is claimed that DEAL-192 is no more secure than DEAL-128" and "equivalent keys are claimed for a fraction (2**64) of the 192-bit and 256-bit key spaces." http://csrc.nist.gov/encryption/aes/round1/r1report.htm#sec2.3.1 I don't think either issues is reason to exclude DEAL in this role, though if there were tweaks to DEAL that resolved them, they might be worth including. PES would be intended for encrypting material of the highest value while AES undergoes additional years of scrutiny. Given Rijndael's outstanding performance, PES could prove 10-20 times slower than AES, but that should not be a problem on modern PCs. User's of PES could still face third-party patent claims, such as Hitachi's, whatever validity they may have. To the extent that my ideas in this posting are patentable, I would happily place them in the public domain. Arnold Reinhold At 2:17 AM -0400 10/10/2000, Vin McLellan wrote:

...

Arnold G. Reinhold asked:

...
What is the licensing status of the other finalists? For example, I seem to >recall reading that RC6 would be licensed to the public at no charge if it won the competition. What now?

Since April, RC6 has being commercially licensed as part of RSA's BSAFE Crypto-C 5.0 and BSAFE Crypto-J 3.0 software developer toolkits. I don't expect that will change.

(RSA said, however, that by the end of the year its regular support and maintenance procedures will add Rijndael to both of those SDKs. RSA also said it will adopt the AES as "a baseline encryption algorithm" for its Keon family of digital cert products.)

Given RSA's market share, the eight BSAFE toolkits could be a major channel for distributing AES code to the developer community, particularly among OEMs. http://www.rsasecurity.com/products/bsafe/

Of the other three who made the finals in this "Crypto Olympics."

MARS, while patented, is available world-wide under a royalty-free license from Tivoli Systems, an IBM subsidiary. (See http://www.tivoli.com, although the Tivoli site doesn't seem to have anything but the press release.)

Serpent is public domain, now under the GNU PUBLIC LICENSE (GPL), although Serpent website warns that "some comments in the code still say otherwise." http://www.cl.cam.ac.uk/~rja14/serpent.html

Twofish is "unpatented, and the source code is uncopyrighted and license-free; it is free for all uses." http://www.counterpane.com/twofish.html

Suerte, _Vin

Michael Paul Johnson

6:18 p.m.

New subject: CDR: Re: Rijndael & Hitachi

At 01:44 PM 10/10/00 -0400, Arnold G. Reinhold wrote:

...

Thanks for the summary. My only problem with Rijndael is that it is still rather young. I recall reading that NSA takes seven years to qualify a new cipher. It took at least that long for the open cryptographic community to trust DES. If someone asked me what cipher to use today in a new, very high value application, I would have a hard time choosing between Rijndael and 3DES. Rijndael appears to be a far superior design, but 3DES has enjoyed a lot more scrutiny.

I was thinking it might be useful to define a "Paranoid Encryption Standard (PES)" that is a concatenation of all five AES finalists, applied in alphabetical order, all with the same key (128-bit or 256-bit). ...

To be truly paranoid, shouldn't you use independent, unrelated keys? What if the "outermost" cipher falls to an attack that allows the key to be computed, thus allowing the same key to be plugged into all the "inner" ciphers? To put this suggestion into perspective, consider that in the real world, pure cipher strength is rarely the weakest link in the security chain, provided that a reasonable key length and cipher are chosen. Having done that, go for it if you still think you can afford the extra time, space, and key management with (probably) no measurable increase in overall system security. _______ Michael Paul Johnson mpj@eBible.org http://ebible.org/mpj

Steve Furlong

6:41 p.m.

New subject: CDR: Re: Rijndael & Hitachi

Michael Paul Johnson wrote:

...

At 01:44 PM 10/10/00 -0400, Arnold G. Reinhold wrote:

...
I was thinking it might be useful to define a "Paranoid Encryption Standard (PES)"

To put this suggestion into perspective, consider that in the real world, pure cipher strength is rarely the weakest link in the security chain, provided that a reasonable key length and cipher are chosen.<

I was thinking the same thing. The five most secure algorithms in the world don't do any good if the passwords are on a post-it on the monitor. I really like Sunder's .sig about passwords and underwear; too bad a lot of users don't follow that advice. -- Steve Furlong, Computer Condottiere Have GNU, will travel 518-374-4720 sfurlong@acmenet.net

David Honig

9:07 p.m.

New subject: CDR: Re: Rijndael & Hitachi

At 03:59 PM 10/10/00 -0600, Michael Paul Johnson wrote:

...

...
I was thinking it might be useful to define a "Paranoid Encryption Standard (PES)" that is a concatenation of all five AES finalists, applied in alphabetical order, all with the same key (128-bit or 256-bit). ...

To be truly paranoid, shouldn't you use independent, unrelated keys? What if the "outermost" cipher falls to an attack that allows the key to be computed, thus allowing the same key to be plugged into all the "inner" ciphers?

And the Ultra-Paranoid ES, which adds random salt to each stage between ciphers...

John Kelsey

11 Oct 11 Oct

11:40 p.m.

New subject: Rijndael & Hitachi

-----BEGIN PGP SIGNED MESSAGE----- At 01:44 PM 10/10/00 -0400, Arnold G. Reinhold wrote: ...

...

I was thinking it might be useful to define a "Paranoid Encryption Standard (PES)" that is a concatenation of all five AES finalists, applied in alphabetical order, all with the same key (128-bit or 256-bit). If in fact RC6 is the only finalist still subject to licensing by its developer, it could be replaced by DEAL (alphabetized under "D"). Since DEAL is based on DES, it brings the decades of testing and analysis DES has received to the party.

This basic idea is discussed in Massey and Maurer's ``The Importance of Being First'' paper. There are a couple issues: a. The keys need to be independent. (Otherwise, imagine if cipher #1 is DES encryption, and cipher #2 is DES decryption.) b. There order of the ciphers matters for the kind of security proof you can do. If you do Twofish, then Rijndael, you can prove that a known-plaintext attack on this system = a known plaintext attack on Twofish and a chosen-plaintext attack on Rijndael. (That is, the combined system can be no easier to break than the easier of a known-plaintext attack on Twofish or a chosen-plaintext attack on Rijndael.) A smarter way to do this is to do OFB-mode or counter-mode with all N ciphers. That way, you can prove that breaking the resulting cipher is equivalent to breaking OFB mode encryption under all N of the ciphers.

...

DEAL was dinged in the first round because "it is claimed that DEAL-192 is no more secure than DEAL-128" and "equivalent keys are claimed for a fraction (2**-64) of the 192-bit and 256-bit key spaces." http://csrc.nist.gov/encryption/aes/round1/r1report.htm#sec2.3.1 I don't think either issues is reason to exclude DEAL in this role, though if there were tweaks to DEAL that resolved them, they might be worth including.

The dings in DEAL wouldn't amount to much in this setting, in practice. (Okay, so the dings in DEAL wouldn't ever matter in practice, unless you wanted to use DEAL alone for a hashing construction.)

...

Arnold Reinhold

--John Kelsey, Counterpane Internet Security, kelsey@counterpane.com PGP Fingerprint: 5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.1 Int. for non-commercial use http://www.pgpinternational.com Comment: foo iQCVAwUBOeUCFiZv+/Ry/LrBAQF0bwP+OGBvMrvtcFQyOupBv4ulvTzjMtFWcSMU FfRRzFq3YSw3M2KkBsFiK2RPJJngh2LBfGLLSW8F5COpXkWmByKbrABqNsWufx5V 8fBexLjwZwC2zyJq/R+ynfdlx7IqYycjL1ZpRek2hwL5VYFKu2CCROCU9xcAunXK 6KEPFGPQ7iQ= =yCFE -----END PGP SIGNATURE-----

Arnold G. Reinhold

20 Oct 20 Oct

4:35 p.m.

New subject: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)

At 8:13 PM -0400 10/11/2000, John Kelsey wrote:

...

-----BEGIN PGP SIGNED MESSAGE-----

At 01:44 PM 10/10/00 -0400, Arnold G. Reinhold wrote:

...

...
I was thinking it might be useful to define a "Paranoid Encryption Standard (PES)" that is a concatenation of all five AES finalists, applied in alphabetical order, all with the same key (128-bit or 256-bit). If in fact RC6 is the only finalist still subject to licensing by its developer, it could be replaced by DEAL (alphabetized under "D"). Since DEAL is based on DES, it brings the decades of testing and analysis DES has received to the party.

This basic idea is discussed in Massey and Maurer's ``The Importance of Being First'' paper. There are a couple issues:

I read the Massey and Maurer paper (One can find it at http://www.isi.ee.ethz.ch/publications/isipap/umaure-mass-inspec-1993- 1.pdf ) and I have a couple of comments on it. As I understand it, their argument goes like this: Let the concatenated cipher C1*C2 applied to plaintext P be C2(C1(P)). If C2 is subject to attack when the plaintext it gets has certain statistical properties, then it is possible for C1's ciphertext to have those properties and the concatenated cipher to be less resistant to statistical attack than either component. Massey and Maurer give a very simple example to show this can occur. Here is a bit more realistic example: Suppose C1 simply permutes the input bits and that in doing so it takes the high-order bit of each plaintext byte and moves it to the first two bytes of the cipher text. Suppose further plaintext blocks that have the first two bytes zeroed are weak for C2. Then if C1 is fed ordinary printable ascii text with no parity, the first two bytes of C1-ciphertext will be zero, exposing the weakness of C2. On the other hand, if C2 were used alone on the same ascii plaintext it would never see zeros as input bytes and thus would not be subject to attack. However in the case of a chosen-plaintext attack, Massey and Maurer's argument does not work. In fact the proof they give of their "Proposition" can easily be adapted to prove that a concatenated cipher C1*...*Cn is always at least as difficult to break by chosen-plaintext as *any* cipher in the concatenation. Here is an outline of the proof. Note, as they do, that the worst case is when you can easily determine the key to every cipher except one. In their case it is the first cipher, in ours say it is Ci, 1<=i<=n. Then any set of chosen plaintext, ciphertext pairs (PTj, CTj) that results in a break of the concatenated cipher C1*...*Cn can be converted in to a set of chosen plaintext, ciphertext pairs (PT'j, CT'j) that results in a break of Ci as follows (I'll use CCk to denote the inverse cipher of Ck): PT'j = (C1*...*Ci-1)(PTj) CT'j = (CCi+1*...*CCn)(CTj) One might ask why this proof works in the chosen-plaintext attack but not the statistical attack. The reason is that in the later, while you can still compute each PT'j, there is no reason to expect that they will have the same statistical properties as the original PTj. However PT'1 is always equal to PT1, so the proof does work for the first cipher in the statistical attack case. That is where "the importance of being first" comes from. My main question is how much weight should we give to this result in designing a crypto system by combining AES candidates? Remember that the AES candidates were designed to resist chosen-plaintext attack. Resistance to chosen-plaintext attack is a far more stringent demand on a cipher than resistance to statistical attack. And I have just shown that a concatenated cipher is at least as strong as any of its components against chosen-plaintext attack. So why should we even consider Massey and Maurer's result? The one argument I can think of goes like this: Suppose we are wrong and all the component ciphers are subject to chosen-plaintext attack and, even worse, so is the concatenated cipher. The component ciphers might still be resistant to statistical attack and often this is the best attackers can do, so we would like the extra insurance. But in the real world of AES candidates I claim even that argument should be discarded. Massey and Maurer worry about the possibility that the output of one cipher may have statistical properties that cause weakness when that output is fed into the subsequent ciphers. The AES candidates were designed to have outputs that appear uniformly random and have all undergone extensive statistical testing http://csrc.nist.gov/encryption/aes/round1/r1-rand.pdf. The have also been studied for weak inputs. Thus the first cipher in the concatenation can be expected to destroy patterns in the plaintext, not create them. While not a mathematical proof, the results of the AES candidate analysis and testing to date make it overwhelmingly more likely that the concatenation of AES-candidate ciphers will in fact be more resistant to statistical attack than any of the individual ciphers.

...

a. The keys need to be independent. (Otherwise, imagine if cipher #1 is DES encryption, and cipher #2 is DES decryption.)

I don't think it is quite that clear. It might well be easier to prove, say, that Twofish is not the inverse of MARS for the same key than it is to prove the same result for separately hashed keys. But again, the likelihood of two different ciphers being accidental inverses is even lower than the likelihood of guessing the key correctly (there are (2**n)! bijections on n-bit blocks). And NIST has just released SHA-2 which provides 256 bit hashes, so I suppose we might as well use it here.

...

b. There order of the ciphers matters for the kind of security proof you can do. If you do Twofish, then Rijndael, you can prove that a known-plaintext attack on this system = a known plaintext attack on Twofish and a chosen-plaintext attack on Rijndael. (That is, the combined system can be no easier to break than the easier of a known-plaintext attack on Twofish or a chosen-plaintext attack on Rijndael.)

Is this the Massey and Maurer result or is there something specific about these two ciphers?

...

A smarter way to do this is to do OFB-mode or counter-mode with all N ciphers. That way, you can prove that breaking the resulting cipher is equivalent to breaking OFB mode encryption under all N of the ciphers.

The problem with OFB is that what you get is a stream cipher and that, in turn, means a unique IV for each message is required. I have spent a lot of effort in my CipherSaber project teaching people how to do that, and the risk of implementors getting it wrong is high. I've even seen commercial products that claim to use RC4 but don't do IVs. Note that IV reuse is far more catastrophic in a stream cipher than it would be in a block cipher used in a feedback mode. Also OFB means that ciphertext is always bigger than plaintext (if you include the IV). That prevents encryption in place, for example. I'd rather have a block cipher if at all possible. So here is my draft proposal for the Paranoid Encryption Standard, PES: (P is a plaintext block and K is the user key.) PES(P) =Twofish(Serpent(MARS(DEAL(AES(P))))), where: the key for AES is SHA2(K||"Rijndael") the key for DEAL is SHA2(K||"DEAL") the key for MARS is SHA2(K||"MARS") the key for Serpent is SHA2(K||"Serpent") the key for Twofish is SHA2(K||"Twofish") The character string constants are 8-bit ascii with zero parity bit. The order of each cipher is determined alphabetically, except that I obviously could have chosen to put Rijndael under "R" instead of "A." By putting it first we can take advantage of Massey and Maurer's result and state the PES is at least as strong against statistical attack as AES. The second cipher, DEAL, is based on DES, which has received the most public scrutiny of any cipher. I am not aware of any statistical attack on DES inputs or any statistical weaknesses in DES output that might compromise MARS. And, as we have shown above, PES is at least as resistant to chosen plaintext attack as any of its components. PES is intended to address concerns that AES might have a design flaw or deliberate, hidden weakness. Confidence that neither exist can only come from additional years of testing and analysis. PES, because it is at least as strong as AES and incorporates the strengths of four other AES design teams and the decades of work on DES, might be a better choice for very high value messages, where encryption time is not an issue. Some other comments I have received urged the use of salt. Salt is very important is overall system design, but it is not part of the cipher per se. As I mentioned in my earlier post, RC6 is not being used because it still requires licensing. No criticism of RC6 or its owner's decision to retain commercial licensing rights is intended. FWIW Arnold Reinhold

Bram Cohen

6:35 p.m.

New subject: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)

On Fri, 20 Oct 2000, Arnold G. Reinhold wrote:

...

I read the Massey and Maurer paper (One can find it at http://www.isi.ee.ethz.ch/publications/isipap/umaure-mass-inspec-1993- 1.pdf ) and I have a couple of comments on it.

This is just silly. There's nothing wrong with Rijndael. -Bram Cohen

John Kelsey

24 Oct 24 Oct

9:52 p.m.

New subject: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)

-----BEGIN PGP SIGNED MESSAGE----- At 02:26 PM 10/20/00 -0400, Arnold G. Reinhold wrote:

...

At 8:13 PM -0400 10/11/2000, John Kelsey wrote:

...

I read the Massey and Maurer paper (One can find it at http://www.isi.ee.ethz.ch/publications/isipap/umaure-mass-inspec-1993 1.pdf ) and I have a couple of comments on it.

Okay. I think it's a lot easier to understand their result and all its implications like this: Suppose we have two ciphers, E_{K}(X),F_{K}(X), and we encrypt by computing C[i] = E_{K1}( F_{K2}( P[i] ) ) Now, suppose I can break this composed cipher, when you choose E and F's keys independently, in a known plaintext attack. I have some algorithm, A(), into which I feed my known plaintexts and the corresponding ciphertexts, and it churns on them for awhile, and returns the keys K1,K2. This algorithm can be used to break E in a known plaintext attack as follows: You encrypt a bunch of messages under E_{K1}(X). I know nothing of K1, but I know the plaintexts and their corresponding ciphertexts. I randomly choose a key K2, encrypt all those ciphertexts with F_{K2}, and then feed the original plaintexts and my ciphertexts into my algorithm for breaking the composed cipher E_{K1}(F_{K2}(X)). That means that a known plaintext attack on E(F()) leads to a known plaintext attack on E(). I can also mount a chosen plaintext attack on F, when you choose a random key K2. I randomly select a key K1, randomly select a bunch of plaintexts, and encrypt them all under E_{K1}. I then send you the ciphertexts and ask you to encrypt them under F_{K2}. You do so, and send me back the results. I now send my original plaintexts and the ciphertexts you sent me into my algorithm for breaking the composed cipher E_{K1}(F_{K2}(X)). That means that a known-plaintext attack on E(F()) leads to a chosen-plaintext attack on F(). All the result is saying is that you can always convert breaking both ciphers to breaking either cipher individually. The cool part of this isn't the worry about which cipher comes first, it's the fact that, with independent keys, you can show that composing the ciphers gives you a cipher no weaker than the stronger of the two ciphers. The reason the keys have to be independent is because otherwise, the proof doesn't work. If the keys are chosen so that K1 == K2, then I can't build these attacks for my proof, because I can't choose F_{K2} without knowing K1. Now, we can also come up with examples of places where choosing K1 and K2 to be related is a bad idea. For example, imagine the following ``game:'' You define some structure for putting N block ciphers together, and then I get to choose the N ciphers, with the constraint that at least one of the N must be strong against all attacks. Now, in this model, it's clear that if the keys are all equal, I can choose the ciphers so that a structure like E1(E2(E2(X))) is easily broken. (Let E1 = 3DES encryption, E2 = 3DES decryption, and E3 = the identity cipher.) In this model, it's also clear that when the keys are independent, I can't choose the ciphers to include one strong cipher and N-1 ones specially designed to me to make the composition weak. If I could, I could always convert the algorithm into a chosen-plaintext attack on the strong cipher. But these are different arguments. The Massey and Maurer argument, at least as I've understood it, is that the keys have to be independent because otherwise the proof doesn't work, and so we can't say anything about their security. The game example I just gave argues that it's clearly possible to choose strong ciphers that fit into this multiple-encryption structure, and combine them in a way that's weak, when the keys are not independent. (But it's been five years or so since I read their paper, so I may be forgetting some of what they said.) ...

...

However in the case of a chosen-plaintext attack, Massey and Maurer's argument does not work. In fact the proof they give of their "Proposition" can easily be adapted to prove that a concatenated cipher C1*...*Cn is always at least as difficult to break by chosen-plaintext as *any* cipher in the concatenation.

Right. This falls out of the basic argument really nicely. If you want to use an algorithm to break E1(E2(X)) to break E1(X), it has to use a chosen-plaintext attack on E1.

...

My main question is how much weight should we give to this result in designing a crypto system by combining AES candidates?

Probably not too much, in terms of worrying about known-plaintext vs. chosen-plaintext attacks. Though honestly, I think designing your PES is like providing really effective padlocks for screen doors. (But you could say the same thing about AES with 256-bit keys.) ...

...

...
a. The keys need to be independent. (Otherwise, imagine if cipher #1 is DES encryption, and cipher #2 is DES decryption.)

I don't think it is quite that clear. It might well be easier to prove, say, that Twofish is not the inverse of MARS for the same key than it is to prove the same result for separately hashed keys. But again, the likelihood of two different ciphers being accidental inverses is even lower than the likelihood of guessing the key correctly (there are (2**n)! bijections on n-bit blocks). And NIST has just released SHA-2 which provides 256 bit hashes, so I suppose we might as well use it here.

See above. The important part of the Maurer and Massey proof, IMO, is that it shows that you do get at least the strength of the strongest component cipher against chosen-plaintext attacks. But that proof falls apart when you don't have independent keys, which means you can't really say anything about the strength of the composed cipher. And the game argument shows that it's possible to choose those ciphers with non-independent keys badly enough to make the composed cipher weaker than any of its components.

...

...
b. There order of the ciphers matters for the kind of security proof you can do. If you do Twofish, then Rijndael, you can prove that a known-plaintext attack on this system = a known plaintext attack on Twofish and a chosen-plaintext attack on Rijndael. (That is, the combined system can be no easier to break than the easier of a known-plaintext attack on Twofish or a chosen-plaintext attack on Rijndael.)

Is this the Massey and Maurer result or is there something specific about these two ciphers?

It's the Massey and Maurer result. ...

...

The problem with OFB is that what you get is a stream cipher and that, in turn, means a unique IV for each message is required.

Hmm. It seems like you're going to need an IV for any chaining mode. Using a superstrong block cipher, but then not bothering to use a chaining mode, is just silly. The IV reuse problem *is* a lot worse for OFB and counter modes than for any other mode. Though once you decide you're going to use CFB- or CBC-mode, and choose a random IV, nearly all attacks end up being chosen-plaintext attacks, so maybe that's another reason not to worry too much about which cipher is first.

...

So here is my draft proposal for the Paranoid Encryption Standard, PES: (P is a plaintext block and K is the user key.)

PES(P) =Twofish(Serpent(MARS(DEAL(AES(P))))), where:

...

the key for AES is SHA2(K||"Rijndael") the key for DEAL is SHA2(K||"DEAL") the key for MARS is SHA2(K||"MARS") the key for Serpent is SHA2(K||"Serpent") the key for Twofish is SHA2(K||"Twofish")

Just an aside: What properties are you assuming for SHA2? Because you're going to all this trouble to build a paranoid encryption standard, but then you're doing this weird construction to derive keys for everything, and it's not clear that you can prove anything about the structure when SHA2 is just a collision-resistant hash function. ...

...

Arnold Reinhold --John Kelsey, Counterpane Internet Security, kelsey@counterpane.com PGP Fingerprint: 5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF

-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.1 Int. for non-commercial use http://www.pgpinternational.com Comment: foo iQCVAwUBOfSD3iZv+/Ry/LrBAQFBoAP+Jeq0bc9cA36WxnxOl+rz3O8bOYPkB0cG GLmCSm0gyxTPtfrDiqWW/fGFxOl0/E+Ec6IzG+WPrg7lwy5gjeOEHfzIkfB5dC0E rctkTSTum0lXGD3WKAOc4E+SKPaaU6pQRDZ4YcYkOZXGN9WVO88v7zZSGJvMCay9 ig11jvhdgGc= =Xa+c -----END PGP SIGNATURE-----

Arnold G. Reinhold

26 Oct 26 Oct

2:23 p.m.

New subject: CDR: Re: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)

At 2:14 PM -0700 10/20/2000, Bram Cohen wrote:

...

This is just silly. There's nothing wrong with Rijndael.

Maybe so. I do agree that Rijndael is an excellent design and a good choice for AES. But it hasn't been tested enough for complete confidence, in my opinion. Supposedly NSA takes 7 years to vet a new cipher. If anything, the public cryptographic community should take even longer, given we lack the budgets and accumulated methodologies that NSA can bring to bear. Testing is the most expensive part of any new cipher effort. So I think there is a practical basis for at least asking if there is a simple way to combine the AES finalists and take advantage of all the testing that each has already undergone. And, IMHO, it is an interesting theoretical question as well. Even if the answer is "yes," I am not advocating that it be used in most common applications, e.g network security, because there are so many greater risks to be dealt with. But it might make sense in some narrow, high value, applications. At 2:31 PM -0400 10/23/2000, John Kelsey wrote:

...

[long, clear exposition deleted]

The reason the keys have to be independent is because otherwise, the proof doesn't work. If the keys are chosen so that K1 == K2, then I can't build these attacks for my proof, because I can't choose F_{K2} without knowing K1.

I agree that Massey and Maurer's proof requires independent keys for each cipher, and have tried meet that requirement in my design. But the fact that Massey and Maurer's proof fails does not mean that the keys must, in fact, be independent for the combined cipher to be secure. See below.

...

Now, we can also come up with examples of places where choosing K1 and K2 to be related is a bad idea. For example, imagine the following ``game:'' You define some structure for putting N block ciphers together, and then I get to choose the N ciphers, with the constraint that at least one of the N must be strong against all attacks. Now, in this model, it's clear that if the keys are all equal, I can choose the ciphers so that a structure like E1(E2(E2(X))) is easily broken. (Let E1 = 3DES encryption, E2 = 3DES decryption, and E3 = the identity cipher.)

In this model, it's also clear that when the keys are independent, I can't choose the ciphers to include one strong cipher and N-1 ones specially designed to me to make the composition weak. If I could, I could always convert the algorithm into a chosen-plaintext attack on the strong cipher.

I have long felt that there should be some way to exclude using the inverse cipher in these counter examples just as we exclude the possibility that the attacker can simply guess the key. I think I have a different approach to formulating the problem which does that: Let's define a modified version of your game: game2. We'll stick with the two cipher case E(F()) for the moment. Here are the rules: 1. Just as in your game, you get to choose two ciphers, one of which has to be strong. 2. You pick which is E and which is F. 3. The ciphers have to be bijections (one-to-one, onto functions) on {1,...,2**N} where N is the block size in bits. In particular, this means each cipher has no internal state. The same input always produces the same output. 4. If K is the key for the combined cipher, then the key for E is also K, but the key for F is K xor M, where M is a bit string the same length as K that will be selected randomly AFTER you have specified your two ciphers. You will then be informed of its value (which will never change) and may use it in attempting to break E(F()), but you cannot input it into either cipher. If a strong cipher is assumed to have the property that you cannot derive any information about the content of an input block from examining the output block unless you know the complete key, then I claim E(F()) cannot be broken without guessing M. I am making a very broad assumption about what a strong cipher is, but even without it, I believe my version of the game breaks up all counterexamples that use the inverse ciphers to break E(F()). Now you might say "this construction proves my point, you are not using the same keys." That is true, but the keys are far from independent. I can go even further. Most block ciphers have some internal constants that can be varied. There may be constraints on how these constants are selected, but there is still some underlying variability. You can think of these constants as playing the same role as M in game2. If we were allowed to select final values for these constants in the strong cipher after the probe cipher was finalized, one could make a similar argument without a separate M.

...

...

...
The problem with OFB is that what you get is a stream cipher and that, in turn, means a unique IV for each message is required.

Hmm. It seems like you're going to need an IV for any chaining mode. Using a superstrong block cipher, but then not bothering to use a chaining mode, is just silly.

The IV reuse problem *is* a lot worse for OFB and counter modes than for any other mode. Though once you decide you're going to use CFB- or CBC-mode, and choose a random IV, nearly all attacks end up being chosen-plaintext attacks, so maybe that's another reason not to worry too much about which cipher is first.

Block ciphers are easy to test and audit and are hard to subvert (you have to alter the cipher at each node and at the same time.) On the other hand, IV generation schemes are hard to test, nearly impossible to audit, and relatively easy to subvert (you just have to sabotage the RNG at one node). It would be really foolhardy of me to introduce a stream cipher with those known risks, just to counter what I admit is a very small chance of an undetected flaw in Rijndael.

...

...
So here is my draft proposal for the Paranoid Encryption Standard, PES: (P is a plaintext block and K is the user key.)

PES(P) =Twofish(Serpent(MARS(DEAL(AES(P))))), where:

...
the key for AES is SHA2(K||"Rijndael") the key for DEAL is SHA2(K||"DEAL") the key for MARS is SHA2(K||"MARS") the key for Serpent is SHA2(K||"Serpent") the key for Twofish is SHA2(K||"Twofish")

Just an aside: What properties are you assuming for SHA2? Because you're going to all this trouble to build a paranoid encryption standard, but then you're doing this weird construction to derive keys for everything, and it's not clear that you can prove anything about the structure when SHA2 is just a collision-resistant hash function. ...

I am assuming SHA2 is a one-way hash as well. So breaking one of the component ciphers will not allow an attacker to derive the key for any of the other ciphers. It was an ad hoc response to your comment about the need for key independence. Better suggestions are welcome. My game2 construction, above, suggests that key independence doesn't have to be super strong. I suppose based on that argument I should use constants that were clearly derived after the individual cipher designs had been completed. One possibility might be to use voting results from the upcoming Nov. 7 U.S. presidential election: say, Alabama's for AES. Delaware's for DEAL, Maryland's for MARS and South Carolina's for Serpent, Tennessee's for Twofish. (Final voting results as decimal numbers in ascii, with no punctuation or leading zeros, in alphabetical order by candidate: Buchanan, Bush, Gore, Nader). Arnold Reinhold

Damien Miller

27 Oct 27 Oct

11:45 a.m.

New subject: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)

On Thu, 26 Oct 2000, Arnold G. Reinhold wrote:

...

simple way to combine the AES finalists and take advantage of all the testing that each has already undergone. And, IMHO, it is an interesting theoretical question as well. Even if the answer is "yes," I am not advocating that it be used in most common applications, e.g network security, because there are so many greater risks to be dealt with. But it might make sense in some narrow, high value, applications.

What threat model do you propose that would require this? I can't think of anything that isn't contrived and couldn't be served by using 3DES. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org

Arnold G. Reinhold

1:42 p.m.

New subject: CDR: Re: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)

At 4:16 PM +1100 10/27/2000, Damien Miller wrote:

...

On Thu, 26 Oct 2000, Arnold G. Reinhold wrote:

...
simple way to combine the AES finalists and take advantage of all the testing that each has already undergone. And, IMHO, it is an interesting theoretical question as well. Even if the answer is "yes," I am not advocating that it be used in most common applications, e.g network security, because there are so many greater risks to be dealt with. But it might make sense in some narrow, high value, applications.

What threat model do you propose that would require this?

o Your opponent has the cryptologic capabilities of the a major world power o The content has very high value (multi-billion dollar deal, could bring down a government, could start a war) o Long term protection is required (30+ years) o You are in a position to properly secure the terminals at both ends 0 Efficiency is not a concern For example, a chief of state's personal diary, an opposition leader's communications, best and final bids on large projects, etc.

...

I can't think of anything that isn't contrived and couldn't be served by using 3DES.

In a way I see this question as how one should manage the transition from 3DES to AES. Does one keep using DES until the big day and then switch to AES? Or does a blended solution make sense in some cases? While I think there may be a use for something like a Paranoid Encryption Standard in very unusual situations, I don't wish to waste more of people's time arguing with those who say there's no need for it at all. I don't have any compelling evidence. It's pure speculation. I am really more interested in the theoretical "why not?" question, i.e. is there any real downside in combining ciphers in this way, besides efficiency? Conventional wisdom seems to be more cautious than I think is justified and I am trying to prove that. Arnold Reinhold

Ed Gerck

11:48 a.m.

New subject: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)

"Arnold G. Reinhold" wrote:

...

...
This is just silly. There's nothing wrong with Rijndael. ... Testing is the most expensive part of any new cipher effort. So I

At 2:14 PM -0700 10/20/2000, Bram Cohen wrote: think there is a practical basis for at least asking if there is a simple way to combine the AES finalists and take advantage of all the testing that each has already undergone. And, IMHO, it is an interesting theoretical question as well. Even if the answer is "yes," I am not advocating that it be used in most common applications, e.g network security, because there are so many greater risks to be dealt with. But it might make sense in some narrow, high value, applications.

...which should then use OTPs, no? The whole point of AES was a combination of efficiency versus security. Otherwise, just use TripleDES. Getting Rijndael in use, out on its own, is the best way to verify whether it works well -- as efficiently and as securely as desired. This is the way to gain confidence, by testing. Trust is earned. Cheers, Ed Gerck

Paulo S. L. M. Barreto

3 Oct 3 Oct

7:10 a.m.

On Tue, 03 Oct 2000, Vin McLellan wrote:

...

Anyone know of any other commercial firms (other than the respective developers) which made an overt pre-announcement commitment to one of the AES candidates?

I've been told that entrust is embedding CAST-256, but this don't seem to matter that much. I wouldn't be surprised if RSA did the same with RC6; it is much less probable that IBM or Counterpane do this regarding MARS and Twofish, respectively. Counterpane lists several products known to implement Twofish. The shareware library MIRACL includes Rijndael for a long time now. I don't think it's difficult to find more examples. Paulo.

Bill Stewart

6 Oct 6 Oct

11:43 p.m.

New subject: Rijndael & NTRU

At 11:36 PM 10/2/00 -0400, Vin McLellan wrote:

...

Paulo Barreto quipped:

...
Or it might not have occurred to everyone to prepare just-in-case releases for each of the finalists and wait for NIST's verdict ;-)

Yeah, I thought of that too;-) The NTRU folk, however, didn't wait for today's announcement to place their bet.

While I'm not aware of many companies doing anything about it, it's not really that tough - all of the algorithms had relatively similar parameters and sizes and calling requirements, and they were required to provide reference editions. So you should be able to write a couple of routines like aes_keyschedule(parm1, parm2...) aes_encrypt(*key, data) aes_decrypt(*key, data) and plug in the reference editions with some format-munger glue. Tuning the algorithms for your hardware and software environment is more work, and maybe you want to wait till there's a winner, but you get to claim you were way ahead of the curve by announcing support the day of the announcement... Thanks! Bill Bill Stewart, bill.stewart@pobox.com PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639

8729

Age (days ago)

8753

Last active (days ago)

List overview

Download

24 comments

14 participants

participants (14)

Arnold G. Reinhold
Arnold G. Reinhold
Bill Stewart
Bram Cohen
Damien Miller
David Honig
Ed Gerck
John Kelsey
John Young
Michael Paul Johnson
Paulo S. L. M. Barreto
proff＠suburbia.net
Steve Furlong
Vin McLellan