Rijndael & Hitachi
Arnold G. Reinhold
reinhold at world.std.com
Tue Oct 10 10:44:13 PDT 2000
Thanks for the summary. My only problem with Rijndael is that it is
still rather young. I recall reading that NSA takes seven years to
qualify a new cipher. It took at least that long for the open
cryptographic community to trust DES. If someone asked me what
cipher to use today in a new, very high value application, I would
have a hard time choosing between Rijndael and 3DES. Rijndael appears
to be a far superior design, but 3DES has enjoyed a lot more scrutiny.
I was thinking it might be useful to define a "Paranoid Encryption
Standard (PES)" that is a concatenation of all five AES finalists,
applied in alphabetical order, all with the same key (128-bit or
256-bit). If in fact RC6 is the only finalist still subject to
licensing by its developer, it could be replaced by DEAL
(alphabetized under "D"). Since DEAL is based on DES, it brings the
decades of testing and analysis DES has received to the party. DEAL
was dinged in the first round because "it is claimed that DEAL-192 is
no more secure than DEAL-128" and "equivalent keys are claimed for a
fraction (2**64) of the 192-bit and 256-bit key spaces."
http://csrc.nist.gov/encryption/aes/round1/r1report.htm#sec2.3.1 I
don't think either issues is reason to exclude DEAL in this role,
though if there were tweaks to DEAL that resolved them, they might be
worth including.
PES would be intended for encrypting material of the highest value
while AES undergoes additional years of scrutiny. Given Rijndael's
outstanding performance, PES could prove 10-20 times slower than AES,
but that should not be a problem on modern PCs. User's of PES could
still face third-party patent claims, such as Hitachi's, whatever
validity they may have. To the extent that my ideas in this posting
are patentable, I would happily place them in the public domain.
Arnold Reinhold
At 2:17 AM -0400 10/10/2000, Vin McLellan wrote:
> Arnold G. Reinhold <reinhold at world.std.com> asked:
>
>> What is the licensing status of the other finalists? For example,
>>I seem to >recall reading that RC6 would be licensed to the public
>>at no charge if it won
>> the competition. What now?
>
> Since April, RC6 has being commercially licensed as part of
>RSA's BSAFE Crypto-C 5.0 and BSAFE Crypto-J 3.0 software developer
>toolkits. I don't expect that will change.
>
> (RSA said, however, that by the end of the year its regular
>support and maintenance procedures will add Rijndael to both of
>those SDKs. RSA also said it will adopt the AES as "a baseline
>encryption algorithm" for its Keon family of digital cert products.)
>
> Given RSA's market share, the eight BSAFE toolkits could be
>a major channel for distributing AES code to the developer
>community, particularly among OEMs.
><http://www.rsasecurity.com/products/bsafe/>
>
> Of the other three who made the finals in this "Crypto Olympics."
>
>MARS, while patented, is available world-wide under a royalty-free
>license from Tivoli Systems, an IBM subsidiary. (See
><http://www.tivoli.com>, although the Tivoli site doesn't seem to
>have anything but the press release.)
>
>Serpent is public domain, now under the GNU PUBLIC LICENSE (GPL),
>although Serpent website warns that "some comments in the code still
>say otherwise." <http://www.cl.cam.ac.uk/~rja14/serpent.html>
>
>Twofish is "unpatented, and the source code is uncopyrighted and
>license-free; it is free for all uses."
><http://www.counterpane.com/twofish.html>
>
> Suerte,
> _Vin
More information about the cypherpunks-legacy
mailing list