Rijndael & Hitachi

Arnold G. Reinhold reinhold at world.std.com
Tue Oct 10 10:44:13 PDT 2000


Thanks for the summary. My only problem with Rijndael is that it is 
still rather young. I recall reading that NSA takes seven years to 
qualify a new cipher. It took at least that long for the open 
cryptographic community to trust DES.  If someone asked me what 
cipher to use today in a new, very high value application, I would 
have a hard time choosing between Rijndael and 3DES. Rijndael appears 
to be a far superior design, but 3DES has enjoyed a lot more scrutiny.

I was thinking it might be useful to define a "Paranoid Encryption 
Standard (PES)" that is a concatenation of all five AES finalists, 
applied in alphabetical order, all with the same key (128-bit or 
256-bit).  If in fact RC6 is the only finalist still subject to 
licensing by its developer, it could be replaced by DEAL 
(alphabetized under "D"). Since DEAL is based on DES, it brings the 
decades of testing and analysis DES has received to the party.  DEAL 
was dinged in the first round because "it is claimed that DEAL-192 is 
no more secure than DEAL-128" and "equivalent keys are claimed for a 
fraction (2**-64) of the 192-bit and 256-bit key spaces." 
http://csrc.nist.gov/encryption/aes/round1/r1report.htm#sec2.3.1 I 
don't think either issue is reason to exclude DEAL in this role, 
though if there were tweaks to DEAL that resolved them, they might be 
worth including.

PES would be intended for encrypting material of the highest value 
while AES undergoes additional years of scrutiny. Given Rijndael's 
outstanding performance, PES could prove 10-20 times slower than AES, 
but that should not be a problem on modern PCs. Users of PES could 
still face third-party patent claims, such as Hitachi's, whatever 
validity they may have.  To the extent that my ideas in this posting 
are patentable, I would happily place them in the public domain.

Arnold Reinhold


At 2:17 AM -0400 10/10/2000, Vin McLellan wrote:
>        Arnold G. Reinhold <reinhold at world.std.com> asked:
>
>> What is the licensing status of the other finalists? For example, 
>>I seem to recall reading that RC6 would be licensed to the public 
>>at no charge if it won
>> the competition. What now?
>
>        Since April, RC6 has been commercially licensed as part of 
>RSA's BSAFE Crypto-C 5.0 and BSAFE Crypto-J 3.0 software developer 
>toolkits. I don't expect that will change.
>
>        (RSA said, however, that by the end of the year its regular 
>support and maintenance procedures will add Rijndael to both of 
>those SDKs. RSA also said it will adopt the AES as "a baseline 
>encryption algorithm" for its Keon family of digital cert products.)
>
>        Given RSA's market share, the eight BSAFE toolkits could be 
>a major channel for distributing AES code to the developer 
>community, particularly among OEMs. 
><http://www.rsasecurity.com/products/bsafe/>
>
>        Of the other three who made the finals in this "Crypto Olympics."
>
>MARS, while patented, is available world-wide under a royalty-free 
>license from Tivoli Systems, an IBM subsidiary. (See 
><http://www.tivoli.com>, although the Tivoli site doesn't seem to 
>have anything but the press release.)
>
>Serpent is public domain, now under the GNU PUBLIC LICENSE (GPL), 
>although the Serpent website warns that "some comments in the code still 
>say otherwise." <http://www.cl.cam.ac.uk/~rja14/serpent.html>
>
>Twofish is "unpatented, and the source code is uncopyrighted and 
>license-free; it is free for all uses." 
><http://www.counterpane.com/twofish.html>
>
> Suerte,
>        _Vin





