This morning the First AES Conference started with a presentation
by NIST's Miles Smid and Jim Foti. Here are the main points:
The 15 candidate algorithms were officially announced. The mystery
one is MAGENTA submitted by Deutsche Telecom. Only 5 are from the
U.S.; the other 10 are international, including some from Canada,
France, Belgium, Germany, Japan, Israel, Korea and Costa Rica
(me).
The analysis period of the 15 algorithms starts August 20, 1998 and
ends February 1, 1999. Approximately five finalists will be chosen
by NIST and in late March 1999 the Second AES Conference will take
place. After another nine months or so of public review the AES
will be selected and the Third AES Conference will take place. We
are now in the year 2000. After that the formal FIPS process will
start. The NIST people made very clear that they would be the ones
doing all the selecting.
The public review process NIST has designed is very interesting:
it has one informal free-format thread implemented through
newsgroups that NIST will create for each individual candidate
(see you at FROG's). Formal comments will be sent to NIST and are
supposed to discuss the algorithms themselves, the evaluation
criteria, objective comparisons, etc.
NIST has already designed a new web site (www.nist.gov/aes) with
all these goodies. There you can find forms for ordering two CDs:
CD-1 has the complete package of the 15 submissions minus source
code and Test Vectors (but these will be available on NIST's site
anyway). CD-2 has the source code and will be available by next
September.
After that came the coffee break. Leaving the hall there was a
table with piles of papers and everybody seemed to want a copy.
One of these was Schneier's cryptanalysis of FROG. I didn't get
one because I already had it. So, for better or worse, FROG will
be noticed at the Conference.
Before lunch two algorithms were presented. The format is 30-35
minutes of presentation followed by 10 more of questions. Carlisle
Adams from Canada presented CAST256, a "classical" cipher that
passed several evolutionary stages and is well polished and
analysed. Then DFC from France, presented by Serge Vaudenay. What
is interesting about this cipher is that it is based on proofs
about its strength against differential and linear attacks - but
not on higher order attacks.
At lunch I sat at the same table as two guys from IBM. I spoke
quite a bit with one of them about MARS. I asked how much effort
went into the cipher - they mentioned (if I understood correctly)
an estimate of 1,000 meetings - which is a lot. He told me that a
disadvantage of the AES process is that design teams from
different competitors could not consult freely with each other
because they were afraid that the other team might steal a good
idea.
It turned out that the IBMer I talked with at lunch was Shai
Halevi who presented MARS immediately after that. The most
interesting aspect of MARS is that it wraps a diffusion layer
around a cryptographic core. He mentioned that this variability of
logic is a possible defense against *unknown* attacks, a theme
that is normally taboo in a field where almost all work in design
is concentrated in defending against known attacks. He said that
they specifically excluded from MARS anything that they could not
cryptanalyze, for example multiplication between data. Overall he
gave a very clear, lucid presentation. Everybody knows the story
of DES so he got questions like: does the MARS design include any
unpublished criteria? (answer: No), did anybody from the outside
help them design it? (answer: No), how can he show that there are
no trap-doors present (answer: most design follows clear criteria
but there is always a necessary element of trust too.)
After that came MAGENTA presented by a young PhD student who was
not very experienced. MAGENTA is a strange cipher in many ways: it
is quite complex, does not use S-boxes, and has only two rounds of
Feistel (if I understood correctly). The algorithm appeared to be
one order of magnitude slower than everybody else - he mentioned a
hardware card capable of encrypting 1 Mbit per second. After he
finished he got so many hard questions - you wouldn't believe. I
mean they really tore into him, sometimes putting up traps for him
to fall into. It got so bad that a few of the participants started
doing real time cryptanalysis and suggesting attacks that would
break the algorithm right there and then. I marvelled that the
German guy managed to keep his composure. The whole spectacle was
rather shameful - after all NIST had just announced eight months
for the analysis period and surely everybody will have enough time
to criticise to one's heart's content.
Then came the unpronounceable Rijndael presented by a very
unflappable Joan Daemen. The algorithm, based on Square, is not of
the Feistel kind - quite elegant and fast. It also uses only XORs
and byte substitutions exactly like FROG.
Other points of interest: There are almost 200 participants (I
have the list) including about 20 from NSA. NSA, by the way, is
never pronounced by name, it's always "they". Actually it is weird
to think about what they may be thinking - maybe they consider the
ciphers presented little more than toys. Who knows?
By the way, this is one informally dressed crowd: many were in
T-shirts, some in jeans, slippers, etc.
Of course, I didn't recognize anybody. Almost. Yesterday evening
while checking in at the hotel I saw the famous Bruce Schneier (I
recognized him from a picture on his web site) but was too shy to
present myself. He is small, blond, has a pony-tail and dresses
very informally. He gives the impression of unbounded energy and
enthusiasm - usually he is surrounded by people. I did recognize
some famous names in the list of participants including Biham,
Zimmermann, Rivest, Shamir - unfortunately I could not find
familiar names from this newsgroup.
Tomorrow will be a long day with seven presentations including
myself at number six: LOKI97, DEAL, RC6, E2, SERPENT, FROG, and
Hasty Pudding. FROG and Hasty Pudding were put back-to-back most
probably by chance. I am apprehensive about my presentation: I knew I had an
unconventional cipher but I wasn't aware of how unconventional - I
hadn't really looked into the other algorithms before coming here
and I found the ones presented today very close to the beaten
path.
--
http://www.tecapro.com
email: diane...@tecapro.com