Candidates for AES


Cosmo

Oct 25, 1998, 2:00:00 AM

Okay....

What is the difference between RC5 and RC6 ? What is the key size of
RC6 ? Which among the following is considered to be the most difficult
algorithm to crack....

RC6
IDEA
DES
TRIPLE-DES
BLOWFISH
CAST

Also, I have deslib-4.01. Is there a similar package for rc5 or rc6
? I've been looking and just can't seem to find anything. And lastly,
which algorithm appears to be the most likely candidate for AES and when
will that decision be finalized ? I know that I've presented quite a few
questions but any information would be greatly appreciated.

Thanks in advance...

Cosmo


Sandy Harris

Oct 25, 1998, 2:00:00 AM
co...@inreach.com wrote:

>What is the key size of RC6 ?

All AES candidates must support 128, 192 & 256-bit key sizes. Some
also support other sizes. I don't know if RC6 does.

>Which among the following is considered to be the most difficult
>algorithm to crack....
>
>RC6
>IDEA
>DES
>TRIPLE-DES
>BLOWFISH
>CAST

DES's 56-bit key space is obviously inadequate for serious use today:
http://www.counterpane.com/keylength.html
http://www.eff.org/descracker.html

IDEA, Blowfish, CAST-128 & 3-DES all have adequate key space &
no known serious weaknesses. All are old enough & well-known
enough to have had some serious analysis.

RC6, Twofish, CAST-128 & the other AES candidates can all use
256-bit keys, but are all relatively new & less analyzed.

> . . . And lastly, which algorithm appears to be the most likely
>candidate for AES

Too early to tell.

>and when will that decision be finalized ?

Round 1 analysis & comment phase runs to mid-99 & winnows
the original 15 candidates to about 5. Round 2 is more intensive
work on those.

http://csrc.nist.gov/encryption/aes/aes_home.htm

jsa...@freenet.edmonton.ab.ca

Oct 25, 1998, 2:00:00 AM
Cosmo (co...@inreach.com) wrote:
: What is the difference between RC5 and RC6 ? What is the key size of
: RC6 ?

RC5 encrypts a 64-bit block, RC6 a 128-bit block. RC6, as noted, supports
the AES standard key sizes. There's some detail about it on my web site;
you can start from this URL:

http://www.freenet.edmonton.ab.ca/~jsavard/comp04.html

: Which among the following is considered to be the most difficult
: algorithm to crack....

: RC6
: IDEA
: DES
: TRIPLE-DES
: BLOWFISH
: CAST

I suppose if you wanted to rank them, DES would be at the bottom. IDEA
wouldn't be quite as good as TRIPLE-DES, and BLOWFISH might be better.
CAST would be somewhere between IDEA and TRIPLE-DES as well. It isn't
clear if RC6 or BLOWFISH is better: Blowfish is good because it has all
key-dependent S-boxes, and RC6 is good because of a 128-bit block size.

John Savard

dsc...@networkusa.net

Oct 25, 1998, 2:00:00 AM
In article <aGHY1.1583$4a.30...@news20.bellglobal.com>,
sandy....@sympatico.ca (Sandy Harris) wrote:

> co...@inreach.com wrote:
>
> >What is the key size of RC6 ?
>
> All AES candidates must support 128, 192 & 256-bit key sizes. Some
> also support other sizes. I don't know if RC6 does.
>

I could make a scott6u.zip that would handle any key size up
to 289 bits, and a 6 bit table takes hardly any space. It would
be in my opinion much more secure than the NSA entry that will
cleverly win the contest as the clipper chip replacement.

Of course a scott8u.zip would run faster and be easier to
implement but then you're talking about a key size of up to
1675 bits and that might be too strong for the masses to use.


--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own

Bauerda

Oct 25, 1998, 2:00:00 AM
> >What is the key size of RC6 ?
>
> All AES candidates must support 128, 192 & 256-bit key sizes. Some
> also support other sizes. I don't know if RC6 does.

It does. RC6 supports all key sizes from 0 to 255 bytes.

David Bauer


Bruce Schneier

Oct 26, 1998, 3:00:00 AM
On Sun, 25 Oct 1998 06:10:54 GMT, Cosmo <co...@inreach.com> wrote:
>Okay....

>
> What is the difference between RC5 and RC6 ?

It's complicated, but if you go to the NIST AES webpage and follow the
link to the RC6 webpage, you can find a really nice description of the
differences.

http://www.nist.gov/aeas/

>What is the key size of
>RC6 ?

All AES submissions, RC6 included, must accept key sizes of 128-,
192-, and 256-bits. All AES submissions can accept keys of any length
shorter than 256 bits by simply fixing some of the key bits.

>Which among the following is considered to be the most difficult
>algorithm to crack....
>
>RC6
>IDEA
>DES
>TRIPLE-DES
>BLOWFISH
>CAST

Triple-DES. Without any doubt. Nothing else has had anywhere near
the analysis.

RC6 is much too new for anyone to have any opinion on. DES has too
short a key length. IDEA is considered strong, but there is a new
attack on a reduced-round variant. Blowfish has no attacks against
the full 16 rounds. Neither does CAST-128.

>Also, I have deslib-4.01. Is there a similar package for rc5 or rc6
>? I've been looking and just can't seem to find anything.

Don't know.

>And lastly,
>which algorithm appears to be the most likely candidate for AES and when
>will that decision be finalized ?

Most likely is tough. The general consensus is that the front runners
are...nah...I don't want to say it.

I expect a single AES to be chosen sometime mid-year 2000.

>I know that I've presented quite a few
>questions but any information would be greatly appreciated.

The answers to most of these questions are out there.

Bruce


**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com

fungus

Oct 26, 1998, 3:00:00 AM
dsc...@networkusa.net wrote:
>
> I could make a scott6u.zip that would handle any key size up
> to 289 bits, and a 6 bit table takes hardly any space. It would
> be in my opinion much more secure than the NSA entry that will
> cleverly win the contest as the clipper chip replacement.
>
> Of course a scott8u.zip would run faster and be easier to
> implement but then you're talking about a key size of up to
> 1675 bits and that might be too strong for the masses to use.
>

I could make a polyalphabetic cipher with a key as big as you
want....

...is anybody around here man enough to handle a full 1024 bits?

--
<\___/>
/ O O \
\_____/ FTB.

Roger Carbol

Oct 26, 1998, 3:00:00 AM
Bruce Schneier wrote:

> All AES submissions, RC6 included, must accept key sizes of 128-,
> 192-, and 256-bits. All AES submissions can accept keys of any length
> shorter than 256 bits by simply fixing some of the key bits.

Couldn't one persuade DES (for example) to "accept" 256-bit keys
by throwing away most of the bits?

I'm sure it wouldn't be a good idea -- I'm just not convinced
that this "restriction" is any restriction at all.


.. Roger Carbol .. r...@shaw.wave.ca .. the need to be accepted

Tim Bass

Oct 26, 1998, 3:00:00 AM
Roger Carbol wrote:

> Couldn't one persuade DES (for example) to "accept" 256-bit keys
> by throwing away most of the bits?

Roger,

Good question. Symmetric ciphers such as DES and (most) AES
candidates are designed with a few main principles:

(1) Non-linear substitution for confusion
(2) Linear permutations for diffusion
(3) Key scheduling and sub-key mixing
(4) Involution (ability for cipher to both crypt-decrypt)
(5) Performance (speed)
(6) Ability to work in generic modes (ECB, etc.)
(7) Block size of data and length of key

These parameters are all tightly coupled in the design
process; so like most engineering systems, changing
one engineering criterion affects the other, in both
beneficial and less-beneficial ways.

AES is not only specified to accept larger keys (as one of
the posters pointed out) but also larger block sizes.
This affects the design of (1), (3), (4) and (5) very directly.

Hence, it is not simply a matter of 'persuading DES' as you
ask, but designing a new high performance, invertible, block
cipher. However, to be fair to your question, there are
AES candidates which are very "DES like", the first one
that comes to mind is DEAL. AND, the majority of the
AES candidates use the strength of the lessons learned
in DES, including involution (Feistel, 73 or 75) and confusion-
diffusion (Shannon, 49), s-boxes, p-boxes (Feistel, 73 or 75).

So! from an evolutionary perspective, your ideas are 'on-target'.
The hard work is in the actual design details.

Best Regards,

Tim

--
Tim Bass
Principal Consultant, Systems Engineering
Bass & Associates
Tel: (703) 222-4243
Fax: (703) 222-7320
EMail: ba...@silkroad.com.antispam (remove antispam tag)
http://www.silkroad.com/consulting/technical.html

W T Shaw

Oct 27, 1998, 3:00:00 AM

> Bruce Schneier wrote:
>
> > All AES submissions, RC6 included, must accept key sizes of 128-,
> > 192-, and 256-bits. All AES submissions can accept keys of any length
> > shorter than 256 bits by simply fixing some of the key bits.
>

> Couldn't one persuade DES (for example) to "accept" 256-bit keys
> by throwing away most of the bits?
>

> I'm sure it wouldn't be a good idea -- I'm just not convinced
> that this "restriction" is any restriction at all.
>

There is a question of validity of keys. It can just as easily work the
other way so that preset padding is added to shorter keys to make them as
long as needed.
--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.

Bryan G. Olson; CMSC (G)

Oct 28, 1998, 3:00:00 AM
Bauerda (bau...@aol.com) wrote:

: It does. RC6 supports all key sizes from 0 to 255 bytes.

Right, and it also supports various block sizes. In Rivest's
notation, RC6 with specific parameters is written RC6-w/r/b.
W is the word size, and an RC6 block is always four times
the word size. R is the number of rounds, and b is the key
size in bytes.

The AES candidates are:

RC6-32/20/16
RC6-32/20/24
RC6-32/20/32

The intellectual property statement for AES allows NIST to
modify the algorithms, so I expect NIST could standardize
on different parameterizations if they want. I don't know
if RSA could or would restrict the use of RC6 with
non-standard parameters.


--Bryan
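
An added example, not part of the original post and not RSA's reference code: a Python sketch of RC6-w/r/b in which the three parameters described above size the block, the round loop and the key schedule. The function names are chosen for this example; the constants are the P_w/Q_w values from the RC5/RC6 specifications.

```python
# Added example (not RSA's reference code); function names are this example's own.
# P_w, Q_w: constants from the RC5/RC6 specifications, keyed by word size w.
MAGIC = {16: (0xB7E1, 0x9E37), 32: (0xB7E15163, 0x9E3779B9),
         64: (0xB7E151628AED2A6B, 0x9E3779B97F4A7C15)}

def parse_name(name):
    """'RC6-32/20/16' -> (w, r, b): word bits, rounds, key bytes."""
    prefix, _, params = name.partition("-")
    w, r, b = (int(x) for x in params.split("/"))
    if prefix != "RC6" or w not in MAGIC or r < 0 or not 0 <= b <= 255:
        raise ValueError(f"unsupported parameter set: {name}")
    return w, r, b

def rotl(x, n, w):
    n %= w  # only the low lg(w) bits of the rotation amount are used
    return ((x << n) | (x >> (w - n))) & ((1 << w) - 1)

def key_schedule(key, w, r):
    """Expand a b-byte key into the 2r+4 round-key words S."""
    mask, u = (1 << w) - 1, w // 8
    c = max(1, -(-len(key) // u))            # key length in words, at least 1
    key = key.ljust(c * u, b"\0")
    L = [int.from_bytes(key[k * u:(k + 1) * u], "little") for k in range(c)]
    P, Q = MAGIC[w]
    S = [(P + k * Q) & mask for k in range(2 * r + 4)]
    A = B = i = j = 0
    for _ in range(3 * max(c, 2 * r + 4)):
        A = S[i] = rotl((S[i] + A + B) & mask, 3, w)
        B = L[j] = rotl((L[j] + A + B) & mask, A + B, w)
        i, j = (i + 1) % (2 * r + 4), (j + 1) % c
    return S

def encrypt_block(name, key, block):
    """Encrypt one 4w-bit block under the parameter set given by name."""
    w, r, b = parse_name(name)
    u, mask, lgw = w // 8, (1 << w) - 1, w.bit_length() - 1
    if len(key) != b or len(block) != 4 * u:
        raise ValueError("key must be b bytes and block 4*w/8 bytes")
    S = key_schedule(key, w, r)
    A, B, C, D = (int.from_bytes(block[k * u:(k + 1) * u], "little") for k in range(4))
    B, D = (B + S[0]) & mask, (D + S[1]) & mask
    for i in range(1, r + 1):
        t = rotl(B * (2 * B + 1) & mask, lgw, w)
        v = rotl(D * (2 * D + 1) & mask, lgw, w)
        A = (rotl(A ^ t, v, w) + S[2 * i]) & mask
        C = (rotl(C ^ v, t, w) + S[2 * i + 1]) & mask
        A, B, C, D = B, C, D, A
    A, C = (A + S[2 * r + 2]) & mask, (C + S[2 * r + 3]) & mask
    return b"".join(x.to_bytes(u, "little") for x in (A, B, C, D))
```

With w = 32 the block is 16 bytes for all three AES parameter sets; only b, and with it the key schedule input, changes between them.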


e...@obscure.reference

Oct 29, 1998, 3:00:00 AM
On Mon, 26 Oct 1998 09:56:45 +0000, Roger Carbol <r...@shaw.wave.ca>
wrote:
>Bruce Schneier wrote:
>
>> All AES submissions, RC6 included, must accept key sizes of 128-,
>> 192-, and 256-bits. All AES submissions can accept keys of any length
>> shorter than 256 bits by simply fixing some of the key bits.
>
>Couldn't one persuade DES (for example) to "accept" 256-bit keys
>by throwing away most of the bits?
>
>I'm sure it wouldn't be a good idea -- I'm just not convinced
>that this "restriction" is any restriction at all.
>
>
>
>
>.. Roger Carbol .. r...@shaw.wave.ca .. the need to be accepted

I don't think hashing a long key to get a short one is insecure,
if the short key you get is long enough.
(assuming there is no weakness in the hash function)
But DES keys are too short nowadays.

eli<dangling...@hotmail.com>

fungus

Oct 30, 1998, 3:00:00 AM
On Mon, 26 Oct 1998 09:56:45 +0000, Roger Carbol <r...@shaw.wave.ca>
wrote:
>
>Couldn't one persuade DES (for example) to "accept" 256-bit keys
>by throwing away most of the bits?
>

Yes.

>I'm sure it wouldn't be a good idea -- I'm just not convinced
>that this "restriction" is any restriction at all.

The keys are big for a reason - security.

DES is a 56 bit algorithm, and 56 bits aren't enough to protect
you from a brute force attack.
