
Serpent vs. AES


Albert Yang
Apr 20, 2002, 9:37:18 AM
I have a question, some of you out there might think it silly, but I
don't.

I'm trying to put out a product, which will use a block cipher. Now, AES
seems the "obvious" choice, but it's not the one I trust the most.

Of the 5 AES finalists, I think Serpent had the most margin of
security. So, now here's the dilemma...

If I believe that Serpent is the most secure (warm fuzzies based, not
math based) then should I pick that as my block cipher of choice, or
should I pick AES simply because people who are buying crypto products
will be looking for these 3 little letters even though they can't tell
DES from AES from their ass? Do I do what I think is secure, or what I
think is marketable?

The capitalist side of me says, pick marketability, it's pointless to
have "the most secure" if nobody buys it. So I should go with AES, it's
secure "enough".

The crypto side of me says, don't be a microsoft, stick to what you
believe, you are producing a product that should remain strong for
possibly the rest of your life; and so pick security first, and pick a
BIG margin of safety, even if NIST didn't IMHO.

So I'm trying to take an unofficial vote here; any advice, comments,
criticisms are appreciated.

Thanks.
Albert

I'm leaning towards Serpent.... currently, unless someone can change my
mind...

Paul Rubin
Apr 20, 2002, 9:54:24 AM
Albert Yang <alb...@achtung.com> writes:
> If I believe that Serpent is the most secure (warm fuzzies based, not
> math based) then should I pick that as my block cipher of choice, or
> should I pick AES simply because people who are buying crypto products
> will be looking for these 3 little letters even though they can't tell
> DES from AES from their ass? Do I do what I think is secure, or what I
> think is marketable?

The people who picked Rijndael over Serpent weren't crypto-idiots.
Warm fuzzies aren't relevant. AES is a federal standard now. If
there's 0.00005% chance of AES having a weakness but only 0.00004%
chance of Rijndael having a weakness, that difference is irrelevant.
If you design Serpent into a security-critical product instead of AES,
and something turns out to be wrong with Serpent and your product gets
broken into, you are going to be asked at your trial "why didn't you
use the federal standard?". While if you use AES and something turns
out wrong with it, you followed the standard which the expert
community (i.e. NIST) recognized as the best.

> The crypto side of me says, don't be a microsoft, stick to what you
> believe, you are producing a product that should remain strong for
> possibly the rest of your life; and so pick security first, and pick a
> BIG margin of safety, even if NIST didn't IMHO.
>
> So I'm trying to take an unofficial vote here; any advice, comments,
> criticisms are appreciated.

If you're planning on using the product for the rest of your life,
you're better off with AES. Researchers will keep trying to attack
it, and if they find anything they'll publish it and you'll hear about
it and fix your product. Serpent won't get anywhere near that amount
of attention, since hardly anyone will be using it. So in the long
run you'll be MORE vulnerable to someone discovering a secret attack
and using it to break into your product.

Really, if you don't trust AES, use the fallback that's already been
tried and true for the past 25 years. It's 3DES, not Serpent.

Paul Rubin
Apr 20, 2002, 9:55:24 AM
Paul Rubin <phr-n...@nightsong.com> writes:
> Warm fuzzies aren't relevant. AES is a federal standard now. If
> there's 0.00005% chance of AES having a weakness but only 0.00004%
> chance of Rijndael having a weakness, that difference is irrelevant.
^^^^^^^^

Oops, meant "Serpent" there. Sigh.

Albert Yang
Apr 20, 2002, 10:31:21 AM
<snip>

> The people who picked Rijndael over Serpent weren't crypto-idiots.
> Warm fuzzies aren't relevant. AES is a federal standard now. If
> there's 0.00005% chance of AES having a weakness but only 0.00004%
> chance of Rijndael having a weakness, that difference is irrelevant.
> If you design Serpent into a security-critical product instead of AES,
> and something turns out to be wrong with Serpent and your product gets
> broken into, you are going to be asked at your trial "why didn't you
> use the federal standard?". While if you use AES and something turns
> out wrong with it, you followed the standard which the expert
> community (i.e. NIST) recognized as the best.

True, but if you read what they wrote about the 5 finalists, they even
commented that from the looks of things, Serpent has the biggest margin
of safety. Given the fact that we are picking the most "secure" (So I
thought) then I still think Serpent should have been picked. Now if
Serpent didn't fit into smartcards, hardware etc... that's one thing,
but it did...

I don't want to trudge up the old AES finalists debate...

I see your point, but I'm not quite sold on it.

AES, crack for 7 out of 14 I think. Serpent, 6 out of 32. Margin of
error from a statistics point of view... I still shouldn't pick
Serpent??

Albert

Nicol So
Apr 20, 2002, 10:33:28 AM
Paul Rubin wrote:
>
> The people who picked Rijndael over Serpent weren't crypto-idiots.

That's true, but Rijndael was not chosen over other candidates based on
a demonstrable superiority in security.

> Warm fuzzies aren't relevant. AES is a federal standard now. If
> there's 0.00005% chance of AES having a weakness but only 0.00004%
> chance of [Serpent] having a weakness, that difference is irrelevant.
> If you design Serpent into a security-critical product instead of AES,
> and something turns out to be wrong with Serpent and your product gets
> broken into, you are going to be asked at your trial "why didn't you
> use the federal standard?". While if you use AES and something turns
> out wrong with it, you followed the standard which the expert
> community (i.e. NIST) recognized as the best.

While the above scenario is quite possible, compliance with applicable
standards is not a defense, at least not a surefire one, in product
liability lawsuits.

--
Nicol So
Disclaimer: Views expressed here are casual comments and should
not be relied upon as the basis for decisions of consequence.

SCOTT19U.ZIP_GUY
Apr 20, 2002, 11:19:49 AM
phr-n...@nightsong.com (Paul Rubin) wrote in
<7x3cxqx...@ruckus.brouhaha.com>:

>Albert Yang <alb...@achtung.com> writes:
>> If I believe that Serpent is the most secure (warm fuzzies based, not
>> math based) then should I pick that as my block cipher of choice, or
>> should I pick AES simply because people who are buying crypto products
>> will be looking for these 3 little letters even though they can't tell
>> DES from AES from their ass? Do I do what I think is secure, or what I
>> think is marketable?
>
>The people who picked Rijndael over Serpent weren't crypto-idiots.
>Warm fuzzies aren't relevant. AES is a federal standard now. If
>there's 0.00005% chance of AES having a weakness but only 0.00004%
>chance of "SERPENT" having a weakness, that difference is irrelevant.
>If you design Serpent into a security-critical product instead of AES,
>and something turns out to be wrong with Serpent and your product gets
>broken into, you are going to be asked at your trial "why didn't you
>use the federal standard?". While if you use AES and something turns
>out wrong with it, you followed the standard which the expert
>community (i.e. NIST) recognized as the best.

By best you mean in an abstract sense of the word. The whole
goal was not aimed at finding the most secure.

>
>> The crypto side of me says, don't be a microsoft, stick to what you
>> believe, you are producing a product that should remain strong for
>> possibly the rest of your life; and so pick security first, and pick a
>> BIG margin of safety, even if NIST didn't IMHO.
>>
>> So I'm trying to take an unofficial vote here; any advice, comments,
>> criticisms are appreciated.
>
>If you're planning on using the product for the rest of your life,
>you're better off with AES. Researchers will keep trying to attack
>it, and if they find anything they'll publish it and you'll hear about
>it and fix your product. Serpent won't get anywhere near that amount

Actually it's most likely already broken or it would have never
been the standard. The real researchers with the backing of the
state's billions will never publish the breaks and will at the same
time misdirect or hinder researchers trying to actually do a public
break.

My advice: use AES to play it safe if you're working for a company
where procedure and lip service to the gov is important. But for
your own stuff don't use it except as a possible bijective stage in
a multicipher encryption. Yes BICOM could well be one such stage
since it uses a bijective version of AES.


David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
http://www.jim.com/jamesd/Kong/scott19u.zip old version
My Crypto code http://radiusnet.net/crypto/archive/scott/
My Compression code http://bijective.dogma.net/
**TO EMAIL ME drop the roman "five" **
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged.
As a famous person once said "any cryptographic
system is only as strong as its weakest link"

Paul Rubin
Apr 20, 2002, 11:31:45 AM
Nicol So <nob...@no.spam.please> writes:
> While the above scenario is quite possible, compliance with applicable
> standards is not a defense, at least not a surefire one, in product
> liability lawsuits.

It's not a surefire defense, but it's a safer bet than deciding not to
follow the standard.

Mok-Kong Shen
Apr 20, 2002, 12:15:54 PM

Albert Yang wrote:
>
[snip]


>
> True, but if you read what they wrote about the 5 finalists, they even
> commented that from the looks of things, Serpent has the biggest margin
> of safety. Given the fact that we are picking the most "secure" (So I
> thought) then I still think Serpent should have been picked. Now if
> Serpent didn't fit into smartcards, hardware etc... that's one thing,
> but it did...

If you are developing software, probably you could
include all AES finalists and let the customer have
a choice, if he likes. (Of course you should stress
that Rijndael is standard and the others are not,
preferably giving also pointers to literature on
comparisons of these ciphers.)

M. K. Shen

David Wagner
Apr 20, 2002, 1:12:39 PM
Albert Yang wrote:
>If I believe that Serpent is the most secure (warm fuzzies based, not
>math based) then should I pick that as my block cipher of choice,

Probably not. If you are concerned about AES, use 3AES or 3DES.

But if AES is the weakest point in your system, that's probably an
awfully good position to be in. Since I'm guessing AES probably
isn't the weakest link in your system (or most anyone else's system),
it might make more sense to focus effort on the weak parts rather
than on the stronger parts.

Peter Fairbrother
Apr 20, 2002, 1:56:42 PM
Mok-Kong Shen wrote

Hey, you're supposed to be the crypto expert, not the client, YOU choose the
cipher.

Another disadvantage of giving the client the choice is that you don't know
what other people are going to use - it might be totally insecure, like some
"secure" schemes that allow the encryption used to be "none". Security
depends on both ends of the channel. And it's an improper shirking of your
responsibilities (if not actually dishonest) to ask the client to ensure
that - YOU are supposed to be the expert.

Yet another disadvantage is that given the opportunity everyone and his
mother will add (and remove) ciphers, which creates incompatibilities, vide
the pgp/gpg/etc mess.

Though you might perhaps be able to super-encrypt to get the best of both, I
suppose. On reflection, probably not - the AES "standardness" probably fails
when used as part of a super-encryption.


-- Peter Fairbrother

Roman E. Serov
Apr 20, 2002, 2:42:42 PM

"SCOTT19U.ZIP_GUY"

>
> Actually it's most likely already broken or it would have never
> been the standard. The real researchers with the backing of the
> state's billions will never publish the breaks and will at the same
> time misdirect or hinder researchers trying to actually do a public
> break.
It's totally unfounded and just a paranoiac's view, nothing more. Rijndael
isn't worse than any of the finalists, so it's no doubt safe to use it.

Scott Contini
Apr 20, 2002, 3:47:12 PM
Albert Yang <alb...@achtung.com> wrote in message news:<3CC16F0E...@achtung.com>...

I'd be very careful about drawing conclusions about margin of security.
There is another thread here talking about an algorithm called XLS which
two French cryptographers are trying to use to attack Rijndael and Serpent.
While it is still too early to evaluate this research, their claims suggest
that Serpent is much more vulnerable to the attack than Rijndael. In fact,
the attack applied to Serpent *might* be the first theoretical break of an
AES finalist for 128-bit keys.

I encourage people to use Rijndael whenever possible. It is a great cipher
and there are good reasons why it was chosen as the AES.

Scott

Tom St Denis
Apr 20, 2002, 3:33:09 PM
Albert Yang <alb...@achtung.com> wrote in message news:<3CC16F0E...@achtung.com>...
> I have a question, some of you out there might think it silly, but I
> don't.
>
> I trying to put out a product, which will use a block cipher. Now, AES
> seems the "obvious" choice, but it's not the one I trust the most.
>
> Of the 5 AES finalists, I think Serpent had the most margin of
> security. So, now here's the dilemma...

There is another problem. On what basis are you forming these
statements? I mean other than conjecture why is Serpent more likely
to be secure? I'd say it's the other way around. Rijndael is provably
secure against several attacks, it has just as much reason to be
secure as Serpent [e.g. high diffusion, very non-linear sboxes,
etc...].

> If I believe that Serpent is the most secure (warm fuzzies based, not
> math based) then should I pick that as my block cipher of choice, or
> should I pick AES simply because people who are buying crypto products
> will be looking for these 3 little letters even though they can't tell
> DES from AES from their ass? Do I do what I think is secure, or what I
> think is marketable?

You should pick AES because a team of cryptographers decided that
Rijndael has more merit than Serpent. The AES competition was not
only about "who can make the most secure cipher". It was about making
a secure cipher that was flexible enough to be implementable on a
plethora of platforms.

To a large extent I'd say Twofish wins that one but Rijndael is
somewhat simpler I suppose.

> The capitalist side of me says, pick marketability, it's pointless to
> have "the most secure" if nobody buys it. So I should go with AES, it's
> secure "enough".
>
> The crypto side of me says, don't be a microsoft, stick to what you
> believe, you are producing a product that should remain strong for
> possibly the rest of your life; and so pick security first, and pick a
> BIG margin of safety, even if NIST didn't IMHO.
>
> So I'm trying to take an unofficial vote here; any advice, comments,
> criticisms are appreciated.

It's a good "marketing" decision to pick AES, but it's also a good
"scientific" decision too. There is a reason AES was formed and you
should really follow it.

Although depending on your product why not offer both? AES as default
and Serpent as an optional cipher?

Tom

tbb...@mail.lrz-muenchen.de
Apr 20, 2002, 3:51:15 PM (to Albert Yang)

I don't know the exact age of Serpent, but as far as I know it's as well
as Rijndael fairly new, being developed for the AES contest.

I for my own would prefer to use 3DES or Blowfish since these ciphers are
much older and tested over a long time.

Else I do agree with you that Serpent should be preferred if speed is not a
problem; second would be Twofish, Rijndael only third.

The fact rijndael is AES should be important only if you have to follow
standards for some reasons.

The fact rijndael is going to be the most-used cipher in the next decades
might be a pro for this cipher if you are going to change and update your
system in case rijndael will be improved or replaced.

On the other hand if you are not able to re-encrypt data it might be
better to use serpent since it is likely to be stronger - and might be a
less interesting target for cryptanalysis than rijndael.


Andreas Enterrottacher

Scott Contini
Apr 20, 2002, 3:51:55 PM
Correction to my previous post:

The XLS attack is by a French and an Australian cryptographer
(not 2 French cryptographers).

Scott

David Wagner
Apr 20, 2002, 4:33:18 PM
>Else I do agree with you that Serpent should be preferred if speed is not a
>problem; second would be Twofish, Rijndael only third.

My advice would be to use AES, not Twofish, unless there is some
special requirement that makes AES unsuitable. There's nothing wrong
with Twofish -- I'm pleased with the design and how it has held up --
but I think AES is even better, and AES is receiving more scrutiny than
any of the other finalists. This gives a powerful reason to prefer
AES over Twofish (or any of the other finalists, including Serpent,
for that matter).

Full disclosure: I was a co-designer of Twofish, so I'm probably biased.

msbob
Apr 21, 2002, 5:59:43 PM

Ross Anderson, one of the designers of Serpent, has recommended to use
just 256-bit AES rather than Serpent.[1] He recommends not to offer
various keysizes, or various algorithms because of protocol weaknesses
it very well may introduce (like some of Microsoft's user authentication
and Lanman compatibility weaknesses).

Like David Wagner said in another message, he also thinks along the
lines that your cipher algorithms are not the weakest point in a product
or system.[2]

[1] Security Engineering, section 5.4.2 page 94

[2] Ibid. (and elsewhere)

Bryan Olson
Apr 20, 2002, 6:35:09 PM
Albert Yang wrote:

> I have a question, some of you out there might think it silly, but I
> don't.
>
> I trying to put out a product, which will use a block cipher. Now, AES
> seems the "obvious" choice, but it's not the one I trust the most.
>
> Of the 5 AES finalists, I think Serpent had the most margin of
> security. So, now here's the dilemma...
>
> If I believe that Serpent is the most secure (warm fuzzies based, not
> math based) then should I pick that as my block cipher of choice, or
> should I pick AES simply because people who are buying crypto products
> will be looking for these 3 little letters even though they can't tell
> DES from AES from their ass? Do I do what I think is secure, or what I
> think is marketable?

First, as Dave Wagner noted, you have no real chance of producing a
system in which AES is the weak link.

Second, a crypto standard is not just an authoritative security review;
it also serves the purpose of any other standard. People choose crypto
products (and most other products) that integrate and inter-operate with
the other systems they use. Standards help you play well with others.

Suppose a customer requires that crypto keys must stay in secure
hardware, and must never be present in a general purpose computer's
memory. Where will you get crypto tokens that implement non-standard
ciphers? Note that this is *not* a case of a know-nothing customer. If
you tell him that using Serpent more than makes up for loading the keys
into memory, he'll be right when he doesn't believe you.


Rijndael, Serpent and Twofish are all darn fine ciphers. Any of them
would have made a fine choice for AES. But that's in the past, and the
challenge now is to bring crypto to the people. Currently the world
runs on un-authenticated cleartext, so the major reason crypto fails to
protect people is that it goes unused. The only way to fix this problem
is to build crypto into the system that people actually use. Following
the standard is one small but critical part of the solution.


--Bryan

Albert Yang
Apr 20, 2002, 6:56:12 PM
Got a link, or do I give google some mileage?

Albert Yang
Apr 20, 2002, 6:58:12 PM
David, I always highly respect your opinions and you make a great
suggestion. I think if "paranoia" is what I am after (and I am) then I
should go ahead and run AES256-EDE. 3AES should really give me some
margin greater than just straight Serpent?? Of course, that's still
all theory.. But a great suggestion, didn't cross my mind for some
reason.

Albert

Albert Yang
Apr 20, 2002, 7:01:14 PM
Tom,

See, they wanted an algorithm that would "be the most flexible and still
maintain a decent amount of security". That being said, those are THEIR
goals. Not mine.

My goals, (in hardware) the most secure algorithm I can muster... I
could care less about flexibility (albeit Serpent is perfect in hardware,
the fastest). Different goals, and so the selection criteria for AES
aren't the same as mine. Mine are: Security, Security, and fits in
hardware. I think Eli had a paper arguing for Serpent called the Case
for Serpent, where he states the same thing (or not just Eli, but the
whole Serpent team).

So viewed in this fact, you'd still say AES?

Albert

<snip>


> You should pick AES because a team of cryptographers decided that
> Rijndael has more merit than Serpent. The AES competition was not
> only about "who can make the most secure cipher". It was about making
> a secure cipher that was flexible enough to be implementable on a
> plethora of platforms.
>
> To a large extent I'd say Twofish wins that one but Rijndael is
> somewhat simpler I suppose.

> Tom

Mok-Kong Shen
Apr 20, 2002, 7:16:40 PM

If I were in the situation you described above, then
my action would have been unique and definite:
use AES, period.

M. K. Shen

Richard Parker
Apr 20, 2002, 7:40:34 PM
in article 3CC1F20C...@achtung.com, Albert Yang at alb...@achtung.com
wrote on 4/20/02 3:56 PM:

> Got a link, or do I give google some mileage?

The paper that Scott Contini referenced is "Cryptanalysis of Block Ciphers
with Overdefined Systems of Equations" by Nicolas Courtois and Josef
Pieprzyk. They suggest that an XSL attack on 256-bit AES might be slightly
more efficient than exhaustive key search. They also apply their reasoning
to Serpent. If the theory holds, they calculate that the effective key
length of 192-bit and 256-bit Serpent might be as little as 143 bits.

<http://eprint.iacr.org/2002/044/>

-Richard

Paul Rubin
Apr 20, 2002, 9:51:08 PM
Albert Yang <alb...@achtung.com> writes:
> David, I always highly respect your opinions and you make a great
> suggestion. I think if "paranoia" is what I am after (and I am) then I
> should go ahead and run AES256-EDE. 3AES should really give me some
> margin greater than just straight Serpent?? Of course, that's still
> all theory.. But a great suggestion, didn't cross my mind for some
> reason.

If somebody does something like that in a product, I'm sorry, but it
just makes me think the designer is obsessing too much about the block
cipher and there's probably a protocol failure or key leakage to be
found somewhere else in the system.

Tom St Denis
Apr 20, 2002, 9:55:22 PM
Albert Yang <alb...@achtung.com> wrote in message news:<3CC1F33A...@achtung.com>...

> Tom,
>
> See, they wanted an algorithm that would "be the most flexible and still
> maintain a decent amount of security". That being said, those are THEIR
> goals. Not mine.

"decent" meaning no known attacks. The fact that an attack almost
breaks [with the entire codebook] 7 out of 10 rounds doesn't mean that
Rijndael is more likely to fall than Serpent.

> My goals, (in hardware) the most secure algorithm I can muster... I
> could care less about flexibility (albeit Serpent is perfect in hardware,
> the fastest).

While Serpent is fast, it is also huge. You need to implement at
least 8*32=256 different copies of a 4x4 sbox [assuming you unroll the
cipher]. Gigabit FPGA designs already exist [IIRC] for Rijndael so
I'd argue the "advantage" Serpent has is marginal at best [I mean for
most purposes 1Gbit is just as good as 8Gbit].

> Different goals, and so the selection criteria for AES
> aren't the same as mine. Mine are: Security, Security, and fits in
> hardware. I think Eli had a paper arguing for Serpent called the Case
> for Serpent, where he states the same thing (or not just Eli, but the
> whole Serpent team).
>
> So viewed in this fact, you'd still say AES?

Actually I would. AES is flexible, it's going to be commonplace and
above all it's resisted cryptanalysis for some time [it's based on an
older design which still hasn't fallen to any new forms of analysis].

You really should consider using AES simply because if you want to
sell your app your customers are REALLY going to demand something
"official". If you take the time you will find out that Rijndael can
be done efficiently just about anywhere. The biggest trick is to
decompose the 8x8 sbox efficiently, once you get that the rest is
fairly linear [hence easier].

Tom

Tom St Denis
Apr 20, 2002, 9:56:45 PM
Albert Yang <alb...@achtung.com> wrote in message news:<3CC1F284...@achtung.com>...

> David, I always highly respect your opinions and you make a great
> suggestion. I think if "paranoia" is what I am after (and I am) then I
> should go ahead and run AES256-EDE. 3AES should really give me some
> margin greater than just straight Serpent?? Of course, that's still
> all theory.. But a great suggestion, didn't cross my mind for some
> reason.

A word of caution. If you use "3AES" you are no longer using AES and
you shouldn't claim so. It's actually 3Rijndael which is not the AES
standard.

So if your product lists "uses AES" as a feature you're actually lying
if you use 3Rijndael.

Tom

Tom St Denis
Apr 20, 2002, 10:02:14 PM
tbb...@mail.lrz-muenchen.de wrote in message news:<Pine.SOL.4.44.020420...@sun5.lrz-muenchen.de>...

> I don't know the exact age of Serpent, but as far as I know it's as well
> as Rijndael fairly new, being developed for the AES contest.

Rijndael is based on the Square cipher which is about as old as
Blowfish [actually from what I can tell Square was written ca. 1998
and Blowfish ca. 1994].

> I for my own would prefer to use 3DES or Blowfish since these ciphers are
> much older and tested over a long time.

Blowfish relies on the difficulty of analysis for security. Ciphers
like Square and Rijndael [and des, and cast and...] put all the
"variables" in the open. They rely on math to defend against certain
classes of attacks instead of the inability to finish a test.

> Else I do agree with you that Serpent should be preferred if speed is not a
> problem; second would be Twofish, Rijndael only third.

I don't know why everyone is so gung-ho after Serpent. I mean it has
its own shortcomings:

1. It's hard to analyze [completely]
2. It has *no proof* of security against basic attacks like DC and LC
3. It is slow in software, big in hardware [if fast]

> The fact rijndael is AES should be important only if you have to follow
> standards for some reasons.

Silly thing that. Following "standards" thought as a wild idea.
Maybe we should invent our own ciphers and keep them "trade secrets"?

Tom

tbb...@mail.lrz-muenchen.de
Apr 21, 2002, 7:11:46 AM
On 20 Apr 2002, Tom St Denis wrote:

> While Serpent is fast, it is also huge. You need to implement at
> least 8*32=256 different copies of a 4x4 sbox [assuming you unroll the
> cipher]. Gigabit FPGA designs already exist [IIRC] for Rijndael so
> I'd argue the "advantage" Serpent has is marginal at best [I mean for
> most purposes 1Gbit is just as good as 8Gbit].

According to the evaluations done during the AES contest
(http://csrc.nist.gov/encryption/aes/round2/NSA-AESfinalreport.pdf)
Rijndael needs a little bit less than twice as much area and more than twice
the transistor count when using an iterative design that is slightly
more than half as fast as Serpent, and it is still slightly larger and
has a 40% higher transistor count when using a pipelined design that is
60% slower than Rijndael in pipelined design.

Interestingly Twofish will need the least hardware resources of the three but
as well will be by far the slowest of them.

Or has anybody meanwhile done a better job optimizing Rijndael?


Andreas Enterrottacher

tbb...@mail.lrz-muenchen.de
Apr 21, 2002, 12:57:28 PM
On 20 Apr 2002, Tom St Denis wrote:

> A word of caution. If you use "3AES" you are no longer using AES and
> you shouldn't claim so. Its actually 3Rijndael which is not the AES
> standard.
>
> So if your product lists "uses AES" as a feature you're actually lying
> if you use 3Rijndael.

I disagree. AES does not tell what to do before or after encrypting a
block - in particular it does not tell that it would not be allowed to
AES-encrypt the encrypted block.

AE

Jean-Luc Cooke
Apr 21, 2002, 1:14:56 PM
tomst...@yahoo.com (Tom St Denis) wrote in message news:<c8016437.02042...@posting.google.com>...
> I don't know why everyone is so gung-ho after Serpent. I mean it has
> its own shortcomings:
>
> 1. It's hard to analyze [completely]
> 2. It has *no proof* of security against basic attacks like DC and LC
> 3. It is slow in software, big in hardware [if fast]

How are you implementing Serpent Tom? Are you using the bit-sliced
s-boxes? I've gotten ANSI-C implementations to go quite fast
(32Mbyte/sec on P2-450 if I recall correctly). Nearly equivalent to
Rijndael when I did my work for Entrust.

WRT your comments about its complex design, I agree. It would be nice
if everything was 'naked', but the DES s-boxes used in Serpent are
very well analysed. And no one (?) knows them better than Biham - the
co-author of Diff. Cryp-anal.

Most tests you can do on serpent and Rijndael show interesting traits.
Rijndael has 'barely' enough rounds to protect itself. Serpent
deliberately uses twice as many.

JLC - not picking a fight, just making sure others get as much info
about this stuff as possible.
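
Jean-Luc's bit-sliced S-boxes, and Tom's earlier remark about 32 copies of a 4x4 S-box per round, both come down to the same trick, shown here as an added example (my code, not from the thread or from any Serpent implementation): a 128-bit block is transposed into four 32-bit words so that one boolean operation on those words applies to all 32 nibbles at once, and the S-box becomes a boolean formula instead of a table. It assumes the S0 table below matches Serpent's published S0, and it derives the boolean form by a generic minterm expansion rather than the hand-optimised gate sequences the Serpent reference code uses.

```python
# Added example: bitsliced evaluation of a Serpent-style 4x4 S-box over a
# 128-bit block, checked against a plain table lookup.  Not code from the
# thread or from the Serpent submission.

MASK32 = 0xFFFFFFFF

# Assumed to be Serpent's S0 as published in the AES submission.
S0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]


def to_bitsliced(block):
    """Transpose a 128-bit int into four 32-bit words x[0..3] where bit i of
    x[j] is bit j of nibble i.  This is the layout a bitsliced Serpent
    round works in: word j holds 'bit j' of every one of the 32 S-box inputs."""
    words = [0, 0, 0, 0]
    for i in range(32):
        nibble = (block >> (4 * i)) & 0xF
        for j in range(4):
            words[j] |= ((nibble >> j) & 1) << i
    return words


def from_bitsliced(words):
    """Inverse of to_bitsliced: rebuild the 128-bit int from four 32-bit words."""
    block = 0
    for i in range(32):
        nibble = 0
        for j in range(4):
            nibble |= ((words[j] >> i) & 1) << j
        block |= nibble << (4 * i)
    return block


def sbox_lookup(block, sbox):
    """Reference implementation: apply the S-box to each nibble with a table."""
    out = 0
    for i in range(32):
        out |= sbox[(block >> (4 * i)) & 0xF] << (4 * i)
    return out


def bitsliced_sbox(words, sbox):
    """Apply the S-box to all 32 nibbles in parallel using only AND/OR/NOT on
    32-bit words.  Output bit j is the OR of the minterms of every input value
    v whose sbox[v] has bit j set.  Sixteen minterms is the naive form; the
    Serpent designers hand-derived formulas with far fewer gates, but the
    result is the same function."""
    x = words
    nx = [(~w) & MASK32 for w in x]          # complemented input bits
    out = [0, 0, 0, 0]
    for v in range(16):
        # minterm(v): AND of the input-bit words, complemented where v has a 0
        m = MASK32
        for j in range(4):
            m &= x[j] if (v >> j) & 1 else nx[j]
        for j in range(4):
            if (sbox[v] >> j) & 1:
                out[j] |= m
    return out


def is_permutation(sbox):
    """An S-box must be invertible; a quick sanity check on the table."""
    return sorted(sbox) == list(range(16))


def bitslice_matches_table(sbox):
    """Exhaustively confirm the bitsliced form equals the lookup form: one block
    whose 32 nibbles cover every input value 0..15 twice is enough, since each
    nibble is processed independently."""
    block = 0
    for i in range(32):
        block |= (i & 0xF) << (4 * i)
    via_table = sbox_lookup(block, sbox)
    via_slices = from_bitsliced(bitsliced_sbox(to_bitsliced(block), sbox))
    return via_table == via_slices


if __name__ == "__main__":
    # Constructed sample block (not real plaintext); round-trip and compare.
    sample = 0x0123456789ABCDEFFEDCBA9876543210
    assert from_bitsliced(to_bitsliced(sample)) == sample
    print("S0 is a permutation:", is_permutation(S0))
    print("bitsliced == table  :", bitslice_matches_table(S0))
    print("S0(sample) = %032x" % sbox_lookup(sample, S0))
```

The same four-word layout is why Serpent is "fast in bitsliced software but big in unrolled hardware": each round is 32 parallel S-box evaluations, and an unrolled circuit has to lay all of them out as gates for every round.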

tbb...@mail.lrz-muenchen.de
Apr 21, 2002, 2:00:53 PM
On 20 Apr 2002, Tom St Denis wrote:

> tbb...@mail.lrz-muenchen.de wrote in message news:<Pine.SOL.4.44.020420...@sun5.lrz-muenchen.de>...
> > I don't know the exact age of Serpent, but as far as I know it's as well
> > as Rijndael fairly new, being developed for the AES contest.
>
> Rijndael is based on the Square cipher which is about as old as
> Blowfish [actually from what I can tell Square was written ca. 1998
> and Blowfish ca. 1994].

From my point of view square is not rijndael so it is a new cipher - just
like blowfish is not DES while as well being a feistel network.

> > I for my own would prefer to use 3DES or Blowfish since these ciphers are
> > much older and tested over a long time.
>
> Blowfish relies on the difficulty of analysis for security.

Not only - blowfish seems to be based on some observations done and has
extremely high security margins.

> Ciphers
> like Square and Rijndael [and des, and cast and...] put all the
> "variables" in the open. They rely on math to defend against certain
> classes of attacks instead of the inability to finish a test.

Yes - I think here we have simply a different point of view: As DES shows,
to rely on math may open a cipher to unknown attacks.

This is why I prefer Serpent: The security margins are much higher than
necessary to protect against known attacks, this way strengthening the
cipher against what is not yet known.

> ...


> > The fact rijndael is AES should be important only if you have to follow
> > standards for some reasons.
>
> Silly thing that. Following "standards" thought as a wild idea.
> Maybe we should invent our own ciphers and keep them "trade secrets"?
>

I don't think we should do this, but a standard is only important for the
sake of compatibility - or in case the standard provides a more reliable
system.

But in our case both ciphers (Rijndael and Serpent) were tested in a
similar way during the AES contest - and I didn't read much new about
either cipher in the meantime.

The result of the AES-contest was that Serpent is (1) faster and smaller
in hardware and (2) has higher security margins while Rijndael was the
best general-purpose cipher and still flawless as far as security was
concerned.

Indeed I think Rijndael was the better choice for AES since it is strong
enough and better in software.

Nevertheless I don't see a reason not to use Serpent or Twofish at the
moment - this might be different in ten years when Rijndael will be better
tested than the other AES competitors.

AE

David Wagner
Apr 21, 2002, 2:33:57 PM

I think that Rijndael is actually pretty good in FPGA's. If I remember
correctly, Rijndael is arguably better than Serpent for low-end FPGA's,
because the "minimum gate count" for Rijndael is lower than for Serpent.
See Nick Weaver's analysis (it should be available on his web page, or
online at NIST's records of the papers presented at the AES conferences).

Paul Rubin
Apr 21, 2002, 3:36:30 PM

tbb...@mail.lrz-muenchen.de writes:
> > So if your product lists "uses AES" as a feature you're actually lying
> > if you use 3Rijndael.
>
> I disagree. AES does not tell what to do before or after encrypting a
> block - in particular it does not tell that it would not be allowed to
> AES-encrypt the encrypted block.

I don't see how to implement 3AES in a typical key management system
where (as Bryan Olson describes) the encryption is done by a secure
hardware module and general purpose computers are never allowed to
touch or see the key material. (Implementing 3AES on a general
purpose computer would IMO be pointless). If the hardware module
follows the standard and only does single AES, doing 3AES would
require the host computer to invoke the module 3 times for each
plaintext block, which would be very slow since these modules usually
have high communication overhead (you normally send them a big buffer
and the module encrypts the buffer in AES-CBC mode or whatever).

More importantly, it would be a security failure under the key
management discipline, since the general purpose computer would see
the intermediate ciphertext after running AES once and then after
running it twice. It would be like revealing the intermediate values
of a DES encryption after 1/3 and 2/3 of the rounds were done.
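The key-management failure described above, as an added simulation that is not code from the original post or from any product: a stand-in hardware module that holds its key and exposes only single-cipher CBC over a whole buffer, driven three times from the host, beside a module that keeps all three keys inside. The block cipher is a constructed Feistel placeholder standing in for AES, and every key, IV and plaintext is a constructed sample value.

```python
import hashlib

BLOCK = 16  # block size in bytes, as for AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyBlockCipher:
    """Constructed stand-in for AES: a 4-round Feistel permutation on
    16-byte blocks with a keyed SHA-256 round function. Placeholder only."""

    def __init__(self, key: bytes):
        self._key = key

    def _f(self, rnd: int, half: bytes) -> bytes:
        return hashlib.sha256(self._key + bytes([rnd]) + half).digest()[:8]

    def encrypt_block(self, block: bytes) -> bytes:
        left, right = block[:8], block[8:]
        for rnd in range(4):
            left, right = right, _xor(left, self._f(rnd, right))
        return left + right

    def decrypt_block(self, block: bytes) -> bytes:
        left, right = block[:8], block[8:]
        for rnd in reversed(range(4)):
            left, right = _xor(right, self._f(rnd, left)), left
        return left + right

class SingleCipherModule:
    """Stand-in for the hardware module: its key never leaves it, and the
    only operations are CBC encryption and decryption of a whole buffer."""

    def __init__(self, key: bytes):
        self._cipher = ToyBlockCipher(key)
        self.calls = 0  # host round-trips, the overhead the post mentions

    def encrypt_cbc(self, iv: bytes, buf: bytes) -> bytes:
        assert len(buf) % BLOCK == 0, "host pads to whole blocks"
        self.calls += 1
        out, prev = [], iv
        for i in range(0, len(buf), BLOCK):
            prev = self._cipher.encrypt_block(_xor(buf[i:i + BLOCK], prev))
            out.append(prev)
        return b"".join(out)

    def decrypt_cbc(self, iv: bytes, buf: bytes) -> bytes:
        self.calls += 1
        out, prev = [], iv
        for i in range(0, len(buf), BLOCK):
            out.append(_xor(self._cipher.decrypt_block(buf[i:i + BLOCK]), prev))
            prev = buf[i:i + BLOCK]
        return b"".join(out)

class TripleCipherModule:
    """What the key-management discipline requires instead: all three keys
    stay inside one module, the host makes one call and sees only the final
    ciphertext. The chained CBC passes mirror the host procedure below."""

    def __init__(self, keys):
        self._stages = [SingleCipherModule(k) for k in keys]
        self.calls = 0

    def encrypt_cbc(self, iv: bytes, buf: bytes) -> bytes:
        self.calls += 1
        for stage in self._stages:
            buf = stage.encrypt_cbc(iv, buf)
        return buf

def host_triple_encrypt(modules, iv: bytes, plaintext: bytes):
    """Triple encryption driven from the host as three single-cipher calls.
    Returns (ciphertext, leaked): every buffer handed back between calls
    lands in host memory, which is the failure the post describes."""
    data, leaked = plaintext, []
    for module in modules:
        data = module.encrypt_cbc(iv, data)
        leaked.append(data)
    return data, leaked[:-1]  # the last value is the ciphertext proper

def host_triple_decrypt(modules, iv: bytes, ciphertext: bytes) -> bytes:
    data = ciphertext
    for module in reversed(modules):
        data = module.decrypt_cbc(iv, data)
    return data

# Constructed sample inputs, not taken from any real system.
SAMPLE_KEYS = [b"constructed-key-1", b"constructed-key-2", b"constructed-key-3"]
SAMPLE_IV = bytes(range(16))
SAMPLE_PLAINTEXT = b"constructed sample plaintext...."  # 32 bytes, two blocks

def demo() -> dict:
    host_modules = [SingleCipherModule(k) for k in SAMPLE_KEYS]
    host_ct, leaked = host_triple_encrypt(host_modules, SAMPLE_IV, SAMPLE_PLAINTEXT)
    triple = TripleCipherModule(SAMPLE_KEYS)
    module_ct = triple.encrypt_cbc(SAMPLE_IV, SAMPLE_PLAINTEXT)
    return {"host_ct": host_ct, "module_ct": module_ct, "leaked": leaked,
            "host_calls": sum(m.calls for m in host_modules),
            "module_calls": triple.calls}
```

Both paths produce the same ciphertext, but the host-driven one costs three module round-trips and leaves two intermediate buffers in host memory, the first of which is exactly the single-cipher ciphertext under key 1.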

Simon Johnson
Apr 21, 2002, 7:14:27 PM

Richard Parker <ric...@electrophobia.com> wrote in message news:<B8E74A85.EB85%ric...@electrophobia.com>...

You'd still need a fusion reactor to power a computer capable of
searching that keyspace in a realistic amount of time. :)

Simon.

>
> -Richard

Joseph Ashwood
Apr 22, 2002, 1:36:17 AM

Albert Yang <alb...@achtung.com> wrote in message news:<3CC16F0E...@achtung.com>...
[snip all the stuff that everyone has already read anyway]

Each of the options has a number of qualities in its favor. Serpent
seems to offer the greater security margin, Rijndael is certified and
marginally faster. The simple truth is that to attack either of these
will require a significant advance of the state of the art. History
shows that small security margins are usually the first to go, but it
also shows that there is a reasonable chance of an attack that works
regardless of rounds. Given this and the realization that we only
really care about 2 cases (the other cases the ciphers are
equivalent):
Rijndael weak, Serpent strong
Rijndael strong, Serpent weak
We need only to guess at the relative ratio of the odds. I'm
personally placing odds of 1 in 3 that the next attack is not affected
by the number of rounds. And about 1 in 20 that a significant advance
only fells one of them (I believe the ciphers are closely related
enough that an attack on one is likely to quickly lead to an attack on
the other). Based on these guesses that puts the argument in favor of
Serpent by a fairly small margin. So taking into account the argument
put forward by another that if you choose Serpent and it fails, people
ask why you didn't use AES, but if you use AES and it fails people
blame the US government, it seems a safer idea to simply use AES.
Admittedly I'd suggest that in order to reduce your vulnerability as
much as possible you use 256-bit keys, just to help safeguard yourself
a little bit more. But this is all just to sway the odds better into
your favor for the decision. Just my personal opinion, but I think the
foundation for the opinion is fairly strong.
Joe

Joël Bourquard
Apr 26, 2002, 7:51:26 AM

"Paul Rubin" <phr-n...@nightsong.com> wrote in message
news:7xhem4k...@ruckus.brouhaha.com...

> It would be like revealing the intermediate values
> of a DES encryption after 1/3 and 2/3 of the rounds were done.
^^^^

3DES, not DES..

J.B

Albert Yang
Apr 26, 2002, 5:23:29 PM

The introduction of XSL attacks against Rijndael and Serpent, is very
interesting, and does bring about some serious reduction in security.
But that still doesn't change my views on the fact that AES should have
had 2x the number of rounds necessary for minimum security.

Also, given that of all the candidates, Rijndael was the only one that
varied the number of rounds depending on keysize, it seemed like not a
great choice on the part of the authors to not increase the rounds to at
least 16.

But that's all in the past now...

Albert

Paul Rubin
Apr 26, 2002, 7:17:00 PM

Albert Yang <alb...@achtung.com> writes:
> The introduction of XSL attacks against Rijndael and Serpent, is very
> interesting, and does bring about some serious reduction in security.

As I remember, XSL isn't affected by the number of rounds.

> But that still doesn't change my views on the fact that AES should have
> had 2x the number of rounds necessary for minimum security.

Why 2x? Why not 1.5x or 3x or 1000x?

> Also, given that of all the candidates, Rijndael was the only one that
> varied the number of rounds depending on keysize, it seemed like not a
> great choice on the part of the authors to not increase the rounds to at
> least 16.

Why 16? Why not 1000?

eri...@lksejb.lks.agilent.com
Apr 26, 2002, 8:29:17 PM

Paul Rubin <phr-n...@nightsong.com> writes:

> Albert Yang <alb...@achtung.com> writes:
> > The introduction of XSL attacks against Rijndael and Serpent, is very
> > interesting, and does bring about some serious reduction in security.
>
> As I remember, XSL isn't affected by the number of rounds.
>
> > But that still doesn't change my views on the fact that AES should have
> > had 2x the number of rounds necessary for minimum security.
>
> Why 2x? Why not 1.5x or 3x or 1000x?

Why 2x? Because it would give a more comfortable margin over known
attacks against reduced-round versions of Rijndael. It doesn't
increase memory requirements much, and even with the slowdown of more
rounds it would still be reasonably fast.

Why not 1.5x or 3x? Either of those are probably reasonable choices
as well. Maybe 2x is just a nice round number.

Why not 1000x? It would result in impractically slow encryption.


> > Also, given that of all the candidates, Rijndael was the only one that
> > varied the number of rounds depending on keysize, it seemed like not a
> > great choice on the part of the authors to not increase the rounds to at
> > least 16.
>
> Why 16? Why not 1000?

Why 16? Because it would give a more comfortable margin over known
attacks against reduced-round versions of Rijndael. It doesn't
increase memory requirements much, and even with the slowdown of more
rounds it would still be reasonably fast.

Why not 1000? It would result in impractically slow encryption.

--
Eric Backus
R&D Design Engineer
Agilent Technologies, Inc.
425-335-2495 Tel

Paul Rubin
Apr 26, 2002, 10:16:16 PM

eri...@lksejb.lks.agilent.com writes:
> > Why 2x? Why not 1.5x or 3x or 1000x?
>
> Why 2x? Because it would give a more comfortable margin over known
> attacks against reduced-round versions of Rijndael. It doesn't
> increase memory requirements much, and even with the slowdown of more
> rounds it would still be reasonably fast.
>
> Why not 1.5x or 3x? Either of those are probably reasonable choices
> as well. Maybe 2x is just a nice round number.

If 1.5x is reasonable, why not 1x? 1x, according to the designers,
already gives sufficient margin against reduced-round variants. If
you think you know more about cipher design than the AES designers
did, why didn't you submit a candidate cipher to the AES contest?

SCOTT19U.ZIP_GUY
Apr 26, 2002, 10:43:34 PM

phr-n...@nightsong.com (Paul Rubin) wrote in
<7xn0vp9...@ruckus.brouhaha.com>:

I don't think if a nonmember of the club submitted one that was
actually the best that it would stand a snowball's chance in hell
of making it past the first round.
Secondly the goal wasn't really security. Just apparent security
and the ability to run quickly in many environments. These last
requirements are much easier to measure than the so called security
requirement and if more rounds used for more security it would lose
out to faster methods.

David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
http://www.jim.com/jamesd/Kong/scott19u.zip old version
My Crypto code http://radiusnet.net/crypto/archive/scott/
My Compression code http://bijective.dogma.net/
**TO EMAIL ME drop the roman "five" **
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged.
As a famous person once said "any cryptograhic
system is only as strong as its weakest link"

Albert Yang
Apr 27, 2002, 5:08:53 AM

I don't often agree with scotty too hotty (if you watch WWF), but I have
to kind of agree here. As much as I'd love to believe the competition
was fair, and impartial, pedigree played a vital role in the process,
which I don't think should have been. I think a "clean way" to do it
would have been to assign a reference number to every algorithm, and let
people analyse it on its own merit, not "oh because Bruce designed it
so it must be good by default". I agree that pedigree does give me some
sort of assurance (for example, I seriously doubt Eli would design an
algorithm that is vulnerable to differential cryptanalysis) but at the
same time, we might ASSUME that, and that might not be the case.

I don't think MARS should have made it to the finals at all. But that's
another debate altogether...

Albert

Paul Rubin
Apr 27, 2002, 6:35:15 AM

Albert Yang <alb...@achtung.com> writes:
> I don't often agree with scotty too hotty (if you watch WWF), but I have
> to kind of agree here. As much as I'd love to believe the competition
> was fair, and impartial, pedigree played a vital role in the process,
> which I don't think should have been. I think a "clean way" to do it
> would have been to assign a reference number to every algorithm, and let
> people analyse it on its own merit, not "oh because Bruce designed it
> so it must be good by default". I agree that pedigree does give me some
> sort of assurance (for example, I seriously doubt Eli would design an
> algorithm that is vulnerable to differential cryptanalysis) but at the
> same time, we might ASSUME that, and that might not be the case.

How would they do that, given that it was a public review process that
went on for more than a year? Are they supposed to forbid the
designers from talking about the algorithms they'd designed? Don't
you think the designer's publications about the design methods were
important for the evaluations? Are the designers supposed to be
completely anonymous (they can't even disclose that they've even
submitted something)? If not, I'd think it was pretty obvious that
Rijndael had come from the same people as Square, and that RC6 was a
follow-on to RC5. Basically your suggestion is completely
impractical, and even if it were practical isn't a good idea.

The fact is that 15 candidates were submitted; the 10 that didn't make
the finals (and maybe MARS, which did) were obvious losers; RC6 and
Serpent weren't competitive with Rijndael and Twofish on performance
grounds; that left it a two-horse race between Rijndael and Twofish.
The case for Rijndael in the final decision was presented pretty well.
It could be that there was some slight influence of politics or
pedigree involved but it was by no means a technically bogus decision.

IMO, if all the candidates had been submitted totally anonymously, the
results of the contest would have been about the same as they were.

SCOTT19U.ZIP_GUY
Apr 27, 2002, 1:26:00 PM

phr-n...@nightsong.com (Paul Rubin) wrote in
<7x662dv...@ruckus.brouhaha.com>:

>IMO, if all the candidates had been submitted totally anonymously, the
>results of the contest would have been about the same as they were.
>
>

I agree since I feel they already wanted a particular method to win.
And if the sheep think it was anonymous or not made little difference
the contest was not a real contest in any sense of the word. As proof
of that ascii text files that work in C was not enough to enter. As
more proof look at my serious questions about the use of bijective
padding for methods that require padding. Some of the letters are still
on the AES site but no one gave them serious consideration. Since the
whole contest was a joke and true security was not a major consideration.

David Crick
Apr 27, 2002, 4:54:18 PM

Albert Yang wrote:
>
> would have been to assign a reference number to every algorithm,
> and let people analyse it on it's own merit, not "oh because Bruce
> designed it so it must be good by default". I agree that pedigree
> does give me some sort of assurance

In some ways I wonder if Twofish actually "suffered" because of this.

The Twofish team did such a thorough job in all of their papers and
with their design. Bruce is a known figure and this helped with the
cipher's publicity - both consciously/deliberately and otherwise.

I remember someone commenting during the process that "no amount
of Wiley books....". Rijndael won on merit, but perhaps Twofish was
"over engineered" in more than just the cryptographic design sense.

David.

--
+-------------------------------------------------------------------+
| David A Crick <dcr...@freeuk.com> PGP: (APR-2002 KEY) 0xAA1770F5 |
| Damon Hill Tribute Site: http://www.geocities.com/MotorCity/4236/ |
| M. Brundle Quotes: http://members.tripod.com/~vidcad/martin_b.htm |
+-------------------------------------------------------------------+

Ursus Horibilis
Apr 27, 2002, 5:08:52 PM

"David Crick" <dcr...@freeuk.com> wrote in message
news:3CCB0FF9...@freeuk.com...

> Albert Yang wrote:
> >
> > would have been to assign a reference number to every algorithm,
> > and let people analyse it on it's own merit, not "oh because Bruce
> > designed it so it must be good by default". I agree that pedigree
> > does give me some sort of assurance
>
> In some ways I wonder if Twofish actually "suffered" because of this.
>
> The Twofish team did such a thorough job in all of their papers and
> with their design. Bruce is a known figure and this helped with the
> cipher's publicity - both consciously/deliberately and otherwise.
>
> I remember someone commenting during the process that "no amount
> of Wiley books....". Rijndael won on merit, but perhaps Twofish was
> "over engineered" in more than just the cryptographic design sense.
>
> David.
>

The flip side is that Twofish might have lost by its indirect
association with a company whose actions have left a lot of people with
a bad taste in their mouths. Some method of "double blind" evaluation
such as Yang is suggesting might have produced different results.

David Crick
Apr 27, 2002, 5:37:24 PM

Ursus Horibilis wrote:
>
> The flip side is that Twofish might have lost by its indirect
> association with a company whose actions have left a lot of people
> with a bad taste in their mouths.

Would you care to elaborate on this?

SCOTT19U.ZIP_GUY
Apr 27, 2002, 5:52:40 PM

dcr...@freeuk.com (David Crick) wrote in <3CCB0FF9...@freeuk.com>:

>
>In some ways I wonder if Twofish actually "suffered" because of this.
>
>The Twofish team did such a thorough job in all of their papers and
>with their design. Bruce is a known figure and this helped with the
>cipher's publicity - both consciously/deliberately and otherwise.
>
>I remember someone commenting during the process that "no amount
>of Wiley books....". Rijndael won on merit, but perhaps Twofish was
>"over engineered" in more than just the cryptographic design sense.
>
>

I don't like Mr BS but I suspect you are partially correct.
I noticed before I left. The government tended to send contracts
to minority owned companies rather than to companies based on
merit. Not that a minority owned company might not have had
merit but in general merit was of little consideration.

So (pretending it was meant to be an honest endeavor) maybe
the judges thought twofish was better. But in the politicization
of things they felt it was best to give to one in Europe hoping
that it would deceive people into thinking it was fair. Sort of
like promoting women at work who know very little about a job
over a white man who had the skill and ability to do the job in an
attempt to balance quotas. I have met a few talented black men
and women at work but I honestly can say that's not the typical case
since in America getting a promotion at work is more a matter of
sex and race than ability maybe some day only ability will count.
Well it's a dream not likely to occur in the near future.

If Bruce had a sex change operation and changed his name to
Betty Sanchez ( note name was made up no intent to be a real name)
his odds of winning would have gone up. Maybe :)

Ursus Horibilis
Apr 27, 2002, 6:39:51 PM

"SCOTT19U.ZIP_GUY" <david_...@emailv.com> wrote in message
news:91FDA554BH110W...@209.249.90.102...

> dcr...@freeuk.com (David Crick) wrote in
<3CCB0FF9...@freeuk.com>:
>
> >
>
> I don't like Mr BS but I suspect you are partially correct.
> I noticed before I left. The government tended to send contracts
> to minority owned companies rather than to companies based on
> merit. Not that a minority owned company might not have had
> merit but in general merit was of little consideration.
>
> So (pretending it was meant to be an honest endeavor) maybe
> the judges thought twofish was better. But in the politicization
> of things they felt it was best to give to one in Europe hoping
> that it would deceive people into thinking it was fair. Sort of
> like promoting women at work who know very little about a job
> over a white man who had the skill and ability to do the job in an
> attempt to balance quotas. I have met a few talented black men
> and women at work but I honestly can say that's not the typical case
> since in America getting a promotion at work is more a matter of
> sex and race than ability maybe some day only ability will count.
> Well it's a dream not likely to occur in the near future.
>
> If Bruce had a sex change operation and changed his name to
> Betty Sanchez ( note name was made up no intent to be a real name)
> his odds of winning would have gone up. Maybe :)
>

I worked in one very politically correct Business Unit of a very
politically correct Fortune 100 company. I had to look the other way
and swallow a boat load of stuff, and I was probably even more bitter
and cynical than you. Fortunately, NAFTA came along and wiped this
company's ass.

At about the same time, I celebrated one birthday too many and was told,
after twenty years of outstanding performance reviews, that my, "skill
set, though vast, was no longer in line with the company's goals and
objectives." So I was canned. That was the best damned thing that ever
happened in my life! I drew six months' salary as a severance package,
found a new job within three weeks and lived happily ever after. I
sincerely hope that you enjoy the same luck I had.

Ursus Horibilis
Apr 27, 2002, 6:53:09 PM

"SCOTT19U.ZIP_GUY" <david_...@emailv.com> wrote in message
news:91FDA554BH110W...@209.249.90.102...
> dcr...@freeuk.com (David Crick) wrote in
<3CCB0FF9...@freeuk.com>:
>

Sorry. The way my newsreader threaded the message made it look like you
were replying to my post instead of Mr. Crick's. Please ignore the
previous response.

Tom St Denis
Apr 27, 2002, 8:59:45 PM

david_...@emailv.com (SCOTT19U.ZIP_GUY) wrote in message news:<91FD70CCCH110W...@209.249.90.102>...

> phr-n...@nightsong.com (Paul Rubin) wrote in
> <7x662dv...@ruckus.brouhaha.com>:
>
> >IMO, if all the candidates had been submitted totally anonymously, the
> >results of the contest would have been about the same as they were.
> >
> >
>
> I agree since I feel they already wanted a particular method to win.
> And if the sheep think it was anonymous or not made little difference
> the contest was not a real contest in any sense of the word. As proof
> of that ascii text files that work in C was not enough to enter. As
> more proof look at my serious questions about the use of bijective
> padding for methods that require padding. Some of the letters are still
> on the AES site but no one gave them serious consideration. Since the
> whole contest was a joke and true security was not a major consideration.

Question: Why do you peddle bijective mode for AES then?

I mean if AES was in fact trivially weak then using it in bijective
padding mode should be no better. What if AES were the I transform?

I o Compress = Compress

e.g. no security at all.

So you can't have it both ways. Either AES can be a secure cipher or
your bijective AES is super weak.

Perhaps you're the one working for the NSA?

Tom

Mok-Kong Shen
Apr 28, 2002, 5:48:03 AM

Ursus Horibilis wrote:
>
[snip]


> Some method of "double blind" evaluation
> such as Yang is suggesting might have produced different results.

Double blind is certainly desirable but not 'practical'
in the present case, I am afraid, given that some
authors would (for one or the other reasons have to)
give rationales or references that have a strong link
to their previously published and well-known works.
It's definitely much harder to do than e.g. in
pharmacy and medicine.

M. K. Shen

Bryan Olson
Apr 28, 2002, 6:38:22 AM

Albert Yang wrote:

> Also, given that of all the candidates, Rijndael was the only one that
> varied the number of rounds depending on keysize,

That's false. I recall Massey (SAFER+) also varied rounds with keysize,
and I thought he made a good case for so doing.


--Bryan

eri...@lksejb.lks.agilent.com
Apr 30, 2002, 4:09:38 PM

Paul Rubin <phr-n...@nightsong.com> writes:

> eri...@lksejb.lks.agilent.com writes:
> > Why 2x? Because it would give a more comfortable margin over known
> > attacks against reduced-round versions of Rijndael. It doesn't
> > increase memory requirements much, and even with the slowdown of more
> > rounds it would still be reasonably fast.
> >
> > Why not 1.5x or 3x? Either of those are probably reasonable choices
> > as well. Maybe 2x is just a nice round number.
>
> If 1.5x is reasonable, why not 1x? 1x, according to the designers,
> already gives sufficient margin against reduced-round variants.

At least some of those reduced-round attacks were found after the AES
candidates were submitted and couldn't be changed, weren't they?


> If you think you know more about cipher design than the AES
> designers did, why didn't you submit a candidate cipher to the AES
> contest?

I'm well aware of the arguments on both sides of this issue. I don't
claim to know more about cipher design than them, or than you, and
I'll happily use AES as it is. But that doesn't change my personal
opinion that it would have been better to add a few rounds to
Rijndael.

There are clearly diminishing returns to adding more rounds to a
cipher, but there is probably *some* additional security to be gained
by adding more rounds. The question is "how much" and whether it's
worth the additional complexity and computation time. This is a
judgement call, since every application has different needs but we're
standardizing on one cipher, and since we're speculating both about
what attacks may become available in the future and what computational
advances might be made.

I personally place somewhat more importance on security than speed,
since I believe that Moore's law will continue for at least a few more
years, and since I want AES to last as long as DES did. Combine that
preference with the fact that Rijndael was one of the faster ciphers,
with the knowledge that attacks were found against reduced-round
versions of Rijndael, and that the number of rounds attacked was a
good fraction of the total number of rounds, I conclude that adding a
few more rounds would be a good idea.

David Wagner
May 1, 2002, 12:15:19 AM

Paul Rubin wrote:
>As I remember, XSL isn't affected by the number of rounds.

If I remember correctly, I thought the authors said that the
complexity of the XSL attack is likely to increase subexponentially
in the number of rounds (still slower than the exponential dependence
one might intuitively hope for).

David Wagner
May 1, 2002, 12:16:26 AM

Paul Rubin wrote:
>The fact is that 15 candidates were submitted; the 10 that didn't make
>the finals (and maybe MARS, which did) were obvious losers; RC6 and
>Serpent weren't competitive with Rijndael and Twofish on performance
>grounds; that left it a two-horse race between Rijndael and Twofish.
>The case for Rijndael in the final decision was presented pretty well.
>It could be that there was some slight influence of politics or
>pedigree involved but it was by no mean a technically bogus decision.

Absolutely. I strongly support Rijndael, and by no means do I consider
it a technically bogus decision. It would have been a pleasure to see
Twofish win, but I think NIST made a very good decision.

John Savard
May 1, 2002, 2:49:21 AM

On Wed, 1 May 2002 04:16:26 +0000 (UTC), d...@mozart.cs.berkeley.edu
(David Wagner) wrote, in part:

>I strongly support Rijndael, and by no means do I consider
>it a technically bogus decision.

I don't support the blanket criticisms that characterize the choice of
Rijndael in those terms.

Still, it must be admitted that the selection gave a great deal of
weight to speed and efficiency, which could be quantified, and much
more limited weight to security. True, with the attention of the
world's best cryptographic researchers in the open community
concentrated on the candidate algorithms for months, that no
weaknesses are found is a positive sign. And it is hard to justify
giving a lot of weight, say, to gut feelings about possible future
attacks.

With my very limited knowledge of the higher technical reaches of this
subject, but by crude analogies with DES, I've noted that Rijndael
looks a bit safer with 128-bit blocks when an intermediate key size of
224 bits is used, as explained on my website at

http://home.ecn.ab.ca/~jsavard/crypto/co040801.htm

and my inclination is to favor something like MARS rather than to
consider it to be nearly an obvious loser.

The choice of Rijndael, however, was a sound one - and one that can be
easily defended.

John Savard
http://home.ecn.ab.ca/~jsavard/index.html

SCOTT19U.ZIP_GUY
May 1, 2002, 8:19:05 AM

d...@mozart.cs.berkeley.edu (David Wagner) wrote in
<aanq6q$20oc$2...@agate.berkeley.edu>:

>Absolutely. I strongly support Rijndael, and by no means do I consider
>it a technically bogus decision. It would have been a pleasure to see
>Twofish win, but I think NIST made a very good decision.

I doubt it was a good decision. But if Osama's group of crazies
gets tricked into using it and the NSA uses its breaks of it to
destroy that group then I too will say it was a damn good decision
to go with Rijndael.

Scott Contini
May 1, 2002, 12:48:49 PM

jsa...@ecn.aSBLOKb.caNADA.invalid (John Savard) wrote in message news:<318707f4...@news.ed.shawcable.net>...

> On Wed, 1 May 2002 04:16:26 +0000 (UTC), d...@mozart.cs.berkeley.edu
> (David Wagner) wrote, in part:
>
> >I strongly support Rijndael, and by no means do I consider
> >it a technically bogus decision.
>
> I don't support the blanket criticisms that characterize the choice of
> Rijndael in those terms.
>
> Still, it must be admitted that the selection gave a great deal of
> weight to speed and efficiency, which could be quantified, and much
> more limited weight to security. True, with the attention of the

A great deal of weight was also put on design philosophy.
Rijndael is one of the most beautifully designed block ciphers I have seen.
I think/hope most researchers will agree with that....

Scott

Mok-Kong Shen
May 1, 2002, 12:55:50 PM

"SCOTT19U.ZIP_GUY" wrote:


>
> d...@mozart.cs.berkeley.edu (David Wagner) wrote:
>
> >Absolutely. I strongly support Rijndael, and by no means do I consider
> >it a technically bogus decision. It would have been a pleasure to see
> >Twofish win, but I think NIST made a very good decision.
>
> I doubt it was a good decision. But if Osama's group of crazies
> gets tricked into using it and the NSA uses its breaks of it to
> destroy that group then I too will say it was a damn good decision
> to go with Rijndael.

Isn't it that Rijndael is not intended for top secret
classified materials of the government? If one desires
more security (for whatever reason), one could always
use multiple encryption (with or without other
algorithms), I suppose. I think it could be compared
like to a very good car for normal people. If, however,
you need one for racing, then you probably should look
elsewhere.

M. K. Shen

Bob Jenkins
May 1, 2002, 1:40:06 PM

David Crick <dcr...@freeuk.com> wrote in message news:<3CCB0FF9...@freeuk.com>...
> Albert Yang wrote:
> >
> > would have been to assign a reference number to every algorithm,
> > and let people analyse it on it's own merit, not "oh because Bruce
> > designed it so it must be good by default". I agree that pedigree
> > does give me some sort of assurance
>
> In some ways I wonder if Twofish actually "suffered" because of this.
>
> The Twofish team did such a thorough job in all of their papers and
> with their design. Bruce is a known figure and this helped with the
> cipher's publicity - both consciously/deliberately and otherwise.
>
> I remember someone commenting during the process that "no amount
> of Wiley books....". Rijndael won on merit, but perhaps Twofish was
> "over engineered" in more than just the cryptographic design sense.
>
> David.

I recall a comment during the selection process that most of the
cryptanalysis of each cipher was coming from the designers of each
cipher, with the exception of extra analysis coming from Bruce's team.
If the bulk of the cryptanalysis effort done overall went into trying
to break Twofish, it isn't surprising that we'd end up finding more
potential flaws in Twofish than anything else. The more you look at
anything, the more you notice about it.

Along the same lines, I expect at least 2 of the 5 AES finalists to be
cracked within the next 20 years. No idea which ones, although
Rijndael has more probability than the others because more people will
be looking at it.

(Did I get the bit about Counterpane's analysis right? Going from
memory. I haven't analyzed any of these ciphers.)

Sam Simpson

May 1, 2002, 1:51:42 PM
On Wed, 01 May 2002 17:55:50 +0100, Mok-Kong Shen wrote:

> "SCOTT19U.ZIP_GUY" wrote:
>>
>> d...@mozart.cs.berkeley.edu (David Wagner) wrote:
>>
>> >Absolutely. I strongly support Rijndael, and by no means do I
>> >consider it a technically bogus decision. It would have been a
>> >pleasure to see Twofish win, but I think NIST made a very good
>> >decision.
>>
>> I doubt it was a good decision. But if Osama's group of crazies
>> gets tricked into using it and the NSA uses its breaks of it to destroy
>> that group then I too will say it was a damn good decision to go with
>> Rijndael.
>
> Isn't it that Rijndael is not intended for top secret classified
> materials of the government?

Is this one of the classic Mok-Kong Shen pseudo-question pseudo-assertion
awaiting correction? ;)

NIST have stated that AES can be used for sensitive but not classified
information (see e.g. pg 1 "The Design of Rijndael"...)

> If one desires more security (for whatever
> reason), one could always use multiple encryption (with or without other
> algorithms), I suppose. I think it could be compared like to a very good
> car for normal people. If, however, you need one for racing, then you
> probably should look elsewhere.
>
> M. K. Shen

--
Regards,

Sam Simpson
s...@samsimpson.com
http://www.samsimpson.com/

SCOTT19U.ZIP_GUY

May 1, 2002, 1:53:31 PM
con...@matmail.com (Scott Contini) wrote in
<6f35025c.02050...@posting.google.com>:

>
>A great deal of weight was also put on design philosophy.
>Rijndael is one of the most beautifully designed block ciphers I have
>seen. I think/hope most researchers will agree with that....
>
>

Unfortunately this beauty could be its weakness.

Scott Contini

May 1, 2002, 6:29:11 PM
david_...@emailv.com (SCOTT19U.ZIP_GUY) wrote in message news:<92017351FH110W...@209.249.90.102>...

> con...@matmail.com (Scott Contini) wrote in
> <6f35025c.02050...@posting.google.com>:
>
> >
> >A great deal of weight was also put on design philosophy.
> >Rijndael is one of the most beautifully designed block ciphers I have
> >seen. I think/hope most researchers will agree with that....
> >
> >
>
> Unfortunately this beauty could be its weakness.
>
> David A. Scott

Believe it or not, you are not alone in this belief. At least 3 papers
allude to a similar claim:

N. Ferguson, R. Schroeppel, and D. Whiting. "A Simple Algebraic
Representation of Rijndael".

Nicolas Courtois and Josef Pieprzyk. "Cryptanalysis of Block
Ciphers with Overdefined Systems of Equations".

Sean Murphy and Matt Robshaw. "New Observations in Rijndael".

I am (presently) not expecting any of these results to turn into a
PRACTICAL ATTACK which threatens the security of Rijndael for real world
applications. I much prefer a scientific design where everything has a
clear purpose and is well researched rather than a cipher that throws in
a bunch of operations just because they SEEM to make it more difficult
to attack (which often translates into a cipher that is more difficult
to analyze). But that is just my humble opinion. I like Rijndael. It is
my second favorite cipher! :O) (I am an RC6 fan!)

Scott

John Savard

May 1, 2002, 6:43:00 PM
On 1 May 2002 15:29:11 -0700, con...@matmail.com (Scott Contini)
wrote, in part:

>I much prefer a scientific design where everything has a clear purpose
>and is well researched rather than a cipher that throws in a bunch of
>operations just because they SEEM to make it more difficult to attack
>(which often translates into a cipher that is more difficult to analyze).

You are not alone in that. That is the general climate of opinion.

I incline in the other direction, but I see the validity of the other
point of view as well.

If a cipher had a part that was easy to analyze thoroughly, and
another part that was almost impossible to analyze, but which clearly
was independent of the first part, therefore unable to weaken it, that
would seem to me to be the ideal.

John Savard
http://home.ecn.ab.ca/~jsavard/index.html

Tom St Denis

May 1, 2002, 9:11:01 PM
david_...@emailv.com (SCOTT19U.ZIP_GUY) wrote in message news:<92017351FH110W...@209.249.90.102>...
> con...@matmail.com (Scott Contini) wrote in
> <6f35025c.02050...@posting.google.com>:
>
> >
> >A great deal of weight was also put on design philosophy.
> >Rijndael is one of the most beautifully designed block ciphers I have
> >seen. I think/hope most researchers will agree with that....
> >
> >
>
> Unfortunately this beauty could be its weakness.

As a scientist it's important to be a tad skeptical.

I have to ask this of you, is there anything mainstream that you *do*
support? I mean you hate DES, you hate AES, you hate deflate [the zip
codec], you hate people, etc...

Let me put it another way, what source of information are you using as
your basis for the message "Unfortunately this beauty could be its
weakness.". I mean where did that come from?

See the problem is you talk and talk and talk but you never
substantiate anything you say. In fact out of all the people here you
are by far the least credible [and don't drag me into this, I don't
admit to being a professional here...] person alive.

Put it another way, why would anyone actually pay attention to what
you have to say? Are you even trying to spark conversation or are you
just ranting off your rocker?

Tom

Bryan Olson

May 1, 2002, 9:46:57 PM
Mok-Kong Shen wrote:

> Isn't it that Rijndael is not intended for top secret
> classified materials of the government? If one desires
> more security (for whatever reason), one could always
> use multiple encryption (with or without other
> algorithms), I suppose. I think it could be compared
> like to a very good car for normal people. If, however,
> you need one for racing, then you probably should look
> elsewhere.

Rijndael is a good cipher for people who are serious about protecting
their data. Those who want to play super-spy and fantasize about being
more secure than anyone else, can look to the suggestions of Shen or the
other people playing cryptographer.


--Bryan

SCOTT19U.ZIP_GUY

May 1, 2002, 10:03:30 PM
fakea...@nowhere.org (Bryan Olson) wrote in
<3CD09A97...@nowhere.org>:

No Rijndael is not a good cipher for people who are serious
about protecting their data. It's a good cipher for those who
know nothing about encryption and want to follow something
blessed by the government. But any free thinking individual should
not blindly trust it if real security is the goal. I truly doubt
if Osama and his Saudi clan are dumb enough to use it.

However I see nothing wrong using it as one of many ciphers in
series provided there are bijective encryption layers. Something
that the inventors of Rijndael don't seem to grasp or admit.
If one wishes to use it in layers I would suggest Matt's BICOM at this
point as one of the best.

David Hopwood

May 1, 2002, 11:37:01 PM
-----BEGIN PGP SIGNED MESSAGE-----

John Savard wrote:
> With my very limited knowledge of the higher technical reaches of this
> subject, but by crude analogies with DES, I've noted that Rijndael
> looks a bit safer with 128-bit blocks when an intermediate key size of
> 224 bits is used, as explained on my website at
>
> http://home.ecn.ab.ca/~jsavard/crypto/co040801.htm

Your argument there seems to be that:
# Differential cryptanalysis attacks on DES become quite a bit easier for
# variants of DES with an odd number of rounds.
[...]
# Thus, one can obtain 12 regular rounds, which I view as desirable for the
# 128-bit and 192-bit block sizes, by specifying a key of 224 bits.

(Actually the number of rounds is not defined except for the standard key
sizes, but suppose for the sake of argument that we use 13 rounds, i.e.
what you call 12 "regular" rounds.)

The argument is not valid because Rijndael is an SPN, not a Feistel
network, so the analogy to DES is not even close. There's no reason
whatsoever to believe that any specific benefit would be gained from
using an even number of "regular" rounds for Rijndael.

You also say:
# As a nice bonus, the number of 32-bit words in 224 bits is seven, which
# is relatively prime to either four or six, which appears, at least from
# a naïve point of view, as if it might improve the key schedule at least
# slightly as well.

To me that sounds more like superstition or numerology than a technical
argument. I can't see anything about the key schedule that would make it
relevant whether the number of words in the key is relatively prime to the
number of words in a block.

- --
David Hopwood <david....@zetnet.co.uk>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBPNC0KTkCAxeYt5gVAQH0YAf/UGb3Tg8UvjQWe7uuCPtC8j9ULfSxaHt3
P86OkGvwktw6Nvl44YL5wxDc6Hrs3frAgmStOYsUl3/0yTwgfBh4gsummuVQTE5X
II/EnqEUdS9gujlm0E9ddrMS6w2vrWpKDsbKfJSy4vS+kfD4RNYmoFV9QxkYU4jO
W8p4xYdFwHz/dIDh71a4pKgRiDeg0qs1BBaTpdYu1+ymITWEhBiMBjSw8vpBTgFd
upXuBAKI4Wr52mvYnCtn/2L6bK0M7zxhmSwF0FTgSakDIY2vDCKjAJsQ/Wg51dIX
rh/7N2uFDzZzr6bkvMfy0dLnskPAvcLrRnKZWMXi9sYk7r3Oi1r8sg==
=0w+S
-----END PGP SIGNATURE-----

John Savard

May 2, 2002, 12:51:03 AM
On Thu, 02 May 2002 03:37:01 +0000, David Hopwood
<david....@zetnet.co.uk> wrote, in part:

>The argument is not valid because Rijndael is an SPN, not a Feistel
>network, so the analogy to DES is not even close. There's no reason
>whatsoever to believe that any specific benefit would be gained from
>using an even number of "regular" rounds for Rijndael.

I'd say that the difference in structure means there is no certainty
of that.

>To me that sounds more like superstition or numerology than a technical
>argument. I can't see anything about the key schedule that would make it
>relevant whether the number of words in the key is relatively prime to the
>number of words in a block.

Well, the subkey bytes produced by the key schedule issue forth from a
shift register - which recirculates the words of the key.

Again, I do admit that these things may well be absolutely no problem
at all - merely that there is a vague hint of a possibility that they
might be.

John Savard
http://home.ecn.ab.ca/~jsavard/index.html
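The key schedule Hopwood and Savard are arguing about, as an added example for this thread (Python written for this page, not code from either poster or from the Rijndael authors). It implements the Rijndael/AES key expansion of FIPS-197, computing the S-box from the GF(2^8) inverse and the affine map rather than typing in the table, so the recurrence Savard describes is visible in the loop: every new word is the word Nk positions back XORed with a (sometimes transformed) copy of the previous word, i.e. the key words recirculate through an Nk-word shift register. As Hopwood notes, the round count is only defined for the standard key sizes, so the function takes nr explicitly for any other length; the 224-bit key with 13 rounds in the usage at the bottom is his "suppose for the sake of argument" case and is an assumption, not a standard.

```python
# Rijndael/AES key expansion (FIPS-197 section 5.2), written as an added
# illustration for this thread. It is not the Rijndael reference code.
from typing import List, Optional

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the Rijndael polynomial."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_POLY & 0xFF  # subtract (XOR) the polynomial on overflow
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 0 maps to 0 by convention."""
    if a == 0:
        return 0
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)


def _sbox_entry(x: int) -> int:
    """S-box: field inverse, then the affine map b ^ rotl(b,1..4) ^ 0x63."""
    s = gf_inv(x)
    r = s
    for k in range(1, 5):
        r ^= ((s << k) | (s >> (8 - k))) & 0xFF
    return r ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]

# Round counts for the three standard key sizes (FIPS-197 table 4).
STANDARD_ROUNDS = {4: 10, 6: 12, 8: 14}


def expand_key(key: bytes, nr: Optional[int] = None) -> List[List[int]]:
    """Return the Nb*(nr+1) expanded key words, each a list of 4 bytes.

    nr defaults to the FIPS-197 round count for 128/192/256-bit keys.
    Other key lengths have no standardized round count, so nr must be
    supplied explicitly for them.
    """
    if len(key) % 4 or len(key) < 16:
        raise ValueError("key must be a multiple of 4 bytes and at least 16")
    nk = len(key) // 4
    if nr is None:
        if nk not in STANDARD_ROUNDS:
            raise ValueError("no standard round count for a %d-bit key" % (8 * len(key)))
        nr = STANDARD_ROUNDS[nk]
    nb = 4                      # 128-bit block: 4 words per round key
    total = nb * (nr + 1)
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]   # seed with the key
    rcon = 0x01                 # round constant, doubled in GF(2^8) each use
    for i in range(nk, total):
        temp = list(w[i - 1])   # previous word
        if i % nk == 0:         # once per Nk words: rotate, substitute, add Rcon
            temp = temp[1:] + temp[:1]          # RotWord
            temp = [SBOX[b] for b in temp]      # SubWord
            temp[0] ^= rcon
            rcon = gf_mul(rcon, 0x02)
        elif nk > 6 and i % nk == 4:            # extra SubWord for Nk > 6
            temp = [SBOX[b] for b in temp]
        # The shift register: w[i] = w[i - Nk] XOR f(w[i - 1]).
        w.append([a ^ b for a, b in zip(w[i - nk], temp)])
    return w


def round_key(w: List[List[int]], r: int) -> bytes:
    """The 16-byte round key for round r (round 0 is the whitening key)."""
    return bytes(b for word in w[4 * r:4 * r + 4] for b in word)


if __name__ == "__main__":
    # FIPS-197 appendix A.1 key; the round-10 key it prints is the standard's.
    w128 = expand_key(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
    print("AES-128 round 10 key:", round_key(w128, 10).hex())
    # Hopwood's hypothetical: a 224-bit key (Nk = 7) with 13 rounds. The
    # round count is an assumption for illustration, not part of any standard.
    w224 = expand_key(bytes(range(28)), nr=13)
    print("224-bit key, 13 rounds:", len(w224), "expanded words")
```

Note that nothing in the loop depends on whether Nk and Nb are relatively prime; the position of the RotWord/SubWord step is fixed by `i % nk`, which is the point Hopwood makes about the "seven words" argument.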

Mok-Kong Shen

May 2, 2002, 4:00:55 AM

I am neither a cryptographer nor pretending to be one
or playing one. (There are people who openly 'claim' to
be cryptographers, but I am often not sure of which of
the three possibilities is true, though.) My knowledge
is too poor to enable me to profitably attempt to go
in that direction. I am a layman. I am just eager to
learn something in crypto to boost my beginner's
knowledge a tiny little bit. That's why I was recently
amazed and flattered by someone's claim that I had
written a lot about the theory of differential analysis,
which I never did and never could have done, I believe.

M. K. Shen

Mok-Kong Shen

May 2, 2002, 4:35:11 AM

John Savard wrote:
>
[snip]


> If a cipher had a part that was easy to analyze thoroughly, and
> another part that was almost impossible to analyze, but which clearly
> was independent of the first part, therefore unable to weaken it, that
> would seem to me to be the ideal.

There is some danger of these parts not being cleanly separated
by the designers, I am afraid. If any, it would be
preferable to have these as independent ciphers, I guess.

M. K. Shen

Albert Yang

May 2, 2002, 5:05:41 AM
Here's the problem I have... Cryptography seems to be 100% math, 100%
science, 100% experience, and 100% mystic arts. That comes out to be
400%.. That is why no algorithm is perfect, they are only 100%...

We know the Feistel structure WELL. We know SP-Networks well, but with
Rijndael, we only have basically SQUARE to go on.. And that doesn't
give me warm fuzzies. And as little as warm fuzzies count for, it still
counts for something.

There are algorithms we have all seen, that when we look at it, maybe
not something we can prove right then and there, but those who have seen
a lot of algorithms, seem to be able to spot a "strong" algorithm, or a
"weak" algorithm, or one that is vulnerable to certain attacks, almost
immediately.

From my viewpoint, at first sight, I thought the approach that MARS took
would have bought it the best amount of security margin. But it was
the weakest out of the finalists.

BS said it in his book, cryptography is a bit of a black art still. But
because of that, I thought we should have gone the conservative route,
and Rijndael definitely wasn't.

Also, re-reading the Serpent team's argument for Serpent, it was
right. With Moore's law holding true, and with current use of 3DES,
obviously speed in software should not have been given as much weight as
what I think NIST did. Also, the top 3 criteria in terms of
importance should have been, security, security, and if it fits into
everything from smartcards to FPGAs, to 8 bit software to 64bit
software.

So while I can see how some people can defend Rijndael based on the
criteria set by NIST, I find the criteria themselves to be wrong...

Albert

Bryan Olson

May 2, 2002, 5:12:08 AM
Mok-Kong Shen wrote:

> I am neither a cryptographer nor pretending to be one
> or playing one. (There are people who openly 'claim' to
> be cryptographers, but I am often not sure of which of
> the three possibilities is true, though.) My knowledge
> is too poor to enable me to profitably attempt to go
> in that direction. I am a layman. I am just eager to
> learn something in crypto to boost my beginner's
> knowledge a tiny little bit.

Eager to learn? Who do you think you're kidding?

> That's why I was recently
> amazed and flattered by someone's claim that I had
> written a lot about the theory of differential analysis,
> which I never did and never could have done, I believe.

Again, who do you think you're kidding? That you have been writing
about differential cryptanalysis for years is a simple fact, as Google
groups search shows. That you have done so without knowing anything about it
should not be taken as a compliment.

But of course you knew that.


--Bryan

Mok-Kong Shen

May 2, 2002, 5:25:29 AM

I said that, excepting occasionally expressing my
negative 'sentiment', I never wrote anything concerning
the theory of differential analysis. I expressed that
there are in my view ways to avoid the huge amounts
of materials being available to the opponent, hence
the technique is of no essential relevance to the
real practice. That's about all I ever said on the
technique. (This is simply because I don't have the
knowledge or ability to go into a 'theory' discussion.)
Are you convinced? I challenge you to prove the opposite!

M. K. Shen

Bryan Olson

May 2, 2002, 5:44:35 AM
Mok-Kong Shen wrote:

> I said that, excepting occasionally expressing my
> negative 'sentiment', I never wrote anything concerning
> the theory of differential analysis.

You wrote:

>> > I was recently
>> > amazed and flattered by someone's claim that I had
>> > written a lot about the theory of differential analysis

Perhaps you could quote this someone's claim, so we could see
who's telling the truth.


--Bryan

Mok-Kong Shen

May 2, 2002, 5:46:35 AM

Take up my challenge in the other post and we'll
see further.

M. K. Shen

Bryan Olson

May 2, 2002, 5:58:52 AM
Mok-Kong Shen wrote:

> Bryan Olson wrote:

>>Perhaps you could quote this someone's claim, so we could see
>>who's telling the truth.
>>
>
> Take up my challenge in the other post and we'll see further.

I have no idea what you are talking about. I gather you found that you
were unable to justify your claim. How about a retraction?


--Bryan

Mok-Kong Shen

May 2, 2002, 6:00:44 AM

The challenge is clearly formulated. Accept it or
not is up to you.

M. K. Shen

Tom St Denis

May 2, 2002, 6:08:00 AM
david_...@emailv.com (SCOTT19U.ZIP_GUY) wrote in message news:<9201CBB94H110W...@209.249.90.102>...

> fakea...@nowhere.org (Bryan Olson) wrote in
> <3CD09A97...@nowhere.org>:
>
> >Mok-Kong Shen wrote:
> >
> > > Isn't it that Rijndael is not intended for top secret
> > > classified materials of the government? If one desires
> > > more security (for whatever reason), one could always
> > > use multiple encryption (with or without other
> > > algorithms), I suppose. I think it could be compared
> > > like to a very good car for normal people. If, however,
> > > you need one for racing, then you probably should look
> > > elsewhere.
> >
> >Rijndael is a good cipher for people who are serious about protecting
> >their data. Those who want to play super-spy and fantasize about being
> >more secure than anyone else, can look to the suggestions of Shen or the
> >other people playing cryptographer.
> >
>
> No Rijndael is not a good cipher for people who are serious
> about protecting their data.

Why? Please back up your claim.

> It's a good cipher for those who
> know nothing about encryption and want to follow something
> blessed by the government.

Actually AES was a process not really governed by the government.
They just organized it. The members really are the ones who
contributed the material. But if you don't trust the hundreds of
cryptographers that contributed who do *you* trust?

> But any free thinking individual should
> not blindly trust it if real security is the goal. I truly doubt
> if Osama and his Saudi clan are dumb enough to use it.

Why? Please back this up.

> However I see nothing wrong using it as one of many ciphers in
> series provided there are bijective encryption layers. Something
> that the inventors of Rijndael don't seem to grasp or admit.

Because you fail to recognize my very real attack on bijective modes?

> If one wishes to use it in layers I would suggest Matt's BICOM at this
> point as one of the best.

Why is this better? Can you prove it? What are you claiming this is
better than? BICOM is a MODE of operation whereas Rijndael is just a
block cipher. That's like comparing a car to a piano and saying "the
car gets better mileage".

Tom

Bryan Olson

May 2, 2002, 6:18:08 AM
Mok-Kong Shen wrote:

> Bryan Olson wrote:

I don't even know what challenge you are talking about.

All I asked you to do was justify what you claimed in this thread, by
citing the quote. You still have not, and I think you found you cannot.


--Bryan

Mok-Kong Shen

May 2, 2002, 6:24:17 AM

O.k. concise and explicit: I never wrote anything
on the 'theory' of differential analysis. I did give
critiques about its being non-practical and argued
that there are ways in my view to avoid the huge
amount of materials needed by the technique and
that's all I said. Anything to back your point
about what I wrote on differential analysis?
Is the challenge now clear to you??

M. K. Shen

Bryan Olson

May 2, 2002, 7:01:14 AM
Mok-Kong Shen wrote:


> O.k. concise and explicit: I never wrote anything
> on the 'theory' of differential analysis.

But you did write in this very thread:

| I was recently
| amazed and flattered by someone's claim that I had
| written a lot about the theory of differential analysis

Well where's the quote?


> I did give
> critiques about its being non-practical and argued
> that there are ways in my view to avoid the huge
> amount of materials needed by the technique and
> that's all I said.

You said absolutely everything I claimed you said, and I think you
know it.

> Anything to back your point
> about what I wrote on differential analysis?

Yes, absolutely. Here is what I wrote in another thread:

: For a long time you've been writing about differential cryptanalysis

I actually did a Google groups search to check. Yup, it's true, as you
can check for yourself.


> Is the challenge now clear to you??

Your fabrication is completely clear. I don't really care where you
imagine a line between theory and other-than-theory to be. I simply
claimed that you had written about differential cryptanalysis for years,
and that's just plain true. You inserted the word "theory" and then
disagreed with what you yourself fabricated.


--Bryan

Mok-Kong Shen

May 2, 2002, 9:10:34 AM

Bryan Olson wrote:
>
> Mok-Kong Shen wrote:
>
> > O.k. concise and explicit: I never wrote anything
> > on the 'theory' of differential analysis.
>
> But you did write in this very thread:
>
> | I was recently
> | amazed and flattered by someone's claim that I had
> | written a lot about the theory of differential analysis
>
> Well where's the quote?

In the thread 'A variant of block chaining' on
Mon, 29 Apr 2002 08:54:58 GMT you responded to what I
wrote:

I am flattered by your statement that for I long time
I have been writing about differential analysis. I am
certainly not conscious of having ever said anything
concerning the theory as such.

with the following:

Try Google advanced groups search, with this group,
author Shen, key work "differential". I have no idea
what you are flattered about either.

Since I know that I have 'never' said anything on the
'theory' of differential analysis in the group, I
obviously can't find my theoretical writing that you
thought existed. Now it is your turn to grab the
archives of the internet to prove that I am wrong,
in case you do want to take up my explained challenge.

>
> > I did give
> > critiques about its being non-practical and argued
> > that there are ways in my view to avoid the huge
> > amount of materials needed by the technique and
> > that's all I said.
>
> You said absolutely everything I claimed you said, and I think you
> know it.

See above.

>
> > Anything to back your point
> > about what I wrote on differential analysis?
>
> Yes, absolutely. Here is what I wrote in another thread:
>
> : For a long time you've been writing about differential cryptanalysis
>
> I actually did a Google groups search to check. Yup, it's true, as you
> can check for yourself.

Come on, show the materials that you grabbed out and
prove that I had said anything concerning the 'theory'
of differential analysis! The readers of this thread
have a right to see who is right and who is wrong
in this issue.

>
> > Is the challenge now clear to you??
>
> Your fabrication is completely clear. I don't really care where you
> imagine a line between theory and other-than-theory to be. I simply
> claimed that you had written about differential cryptanalysis for years,
> and that's just plain true. You inserted the word "theory" and then
> disagreed with what you yourself fabricated.

See above for my quote and your 'immediate'/'direct'
response to that!

M. K. Shen

Mok-Kong Shen

May 2, 2002, 9:25:24 AM

Addendum: If I didn't write anything on the theory
(which is a fact), had it been your original point of
critique that I should not express my opinions on
the non-practicality of the technique in practice (a
matter which I think many readers would consider
to be true)? You don't critique for nothing, do you??

M. K. Shen

Sam Simpson

May 2, 2002, 12:56:33 PM
On Thu, 02 May 2002 02:11:01 +0100, Tom St Denis wrote:

> david_...@emailv.com (SCOTT19U.ZIP_GUY) wrote in message
> news:<92017351FH110W...@209.249.90.102>...
>> con...@matmail.com (Scott Contini) wrote in
>> <6f35025c.02050...@posting.google.com>:
>>
>>
>> >A great deal of weight was also put on design philosophy. Rijndael is
>> >one of the most beautifully designed block ciphers I have seen. I
>> >think/hope most researchers will agree with that....
>> >
>> >
>> >
>> Unfortunately this beauty could be its weakness.
>
> As a scientist it's important to be a tad skeptic.
>
> I have to ask this of you, is there anything mainstream that you *do*
> support? I mean you hate DES, you hate AES, you hate deflate [the zip
> codec], you hate people, etc...


Don't forget the classic Tom:


"I have not got any father than just a few variables past one round. I tried to search for real info on the 3.5 rounds that some one reverseved engineered but could not find it."
-- The literate David A. Scott posting to sci.crypt , June 26, 1998. RE his analysis of IDEA
:-)


How time flies ;))))

Bryan Olson

May 2, 2002, 6:16:28 PM
Mok-Kong Shen wrote:

>
> Bryan Olson wrote:
>
>>But you did write in this very thread:
>>
>>| I was recently
>>| amazed and flattered by someone's claim that I had
>>| written a lot about the theory of differential analysis
>>
>>Well where's the quote?
>>
>
> In the thread 'A variant of block chaining' on
> Mon, 29 Apr 2002 08:54:58 GMT you responded to what I
> wrote:
>
> I am flattered by your statement that for I long time
> I have been writing about differential analysis. I am
> certainly not conscious of having ever said anything
> concerning the theory as such.
>
> with the following:
>
> Try Google advanced groups search, with this group,
> author Shen, key work "differential". I have no idea
> what you are flattered about either.

Yes, please do that search, so you can find what I had written

: For a long time you've been writing about differential cryptanalysis

is completely true. You seemed to disagree, since your nonsensical "I
am flattered" statement was a response to that.

Need I point out that you failed to cite a quote where anyone but
*yourself* names 'theory'? I of course justified what I had written. I
had never written specifically "theory".


> Since I know that I have 'never' said anything on the
> 'theory' of differential analysis in the group, I
> obviously can't find my theoretical writing that you
> thought existed.

One more time - the 'theory' was your own fabrication. Read
what I wrote, and you'll see the search finds exactly what I
claimed it would find.


> Now it is your turn to grab the
> archives of the internet to prove that I am wrong,
> in case you do want to take up my explained challenge.

You proved it yourself. You cited *you* saying 'theory', and no one
else. Now how about that retraction?


> Come on, show the materials that you grabbed out and
> prove that I had said anything concerning the 'theory'
> of differential analysis! The readers of this thread
> have a right to see who is right and who is wrong
> in this issue.

They've seen. I claimed you wrote about DC, and that claim proves to be
true. You claimed that someone said you had written specifically about
theory, and you had not, and your claim is false. You can't find anyone
saying 'theory' other than yourself.


I don't really care where you imagine this theory/not-theory line.
You certainly were not writing about experience with DC. But it's
simply dishonest to insert the word 'theory' yourself, then claim
someone else is wrong based on your own fabrication.


--Bryan

Mok-Kong Shen

May 2, 2002, 6:41:47 PM

Bryan Olson wrote:
>
> Mok-Kong Shen wrote:
>
> >
> > Bryan Olson wrote:
> >
> >>But you did write in this very thread:
> >>
> >>| I was recently
> >>| amazed and flattered by someone's claim that I had
> >>| written a lot about the theory of differential analysis
> >>
> >>Well where's the quote?
> >>
> >
> > In the thread 'A variant of block chaining' on
> > Mon, 29 Apr 2002 08:54:58 GMT you responded to what I
> > wrote:
> >
> > I am flattered by your statement that for I long time
> > I have been writing about differential analysis. I am
> > certainly not conscious of having ever said anything
> > concerning the theory as such.
> >
> > with the following:
> >
> > Try Google advanced groups search, with this group,
> > author Shen, key work "differential". I have no idea
> > what you are flattered about either.
>
> Yes, please do that search, so you can find what I had written

Why should one care in the present debate what you wrote?
You have to show what I wrote and of the kind that
fulfills your claim!

>
> : For a long time you've been writing about differential cryptanalysis
>
> is completely true. You seemed to disagree, since your nonsensical "I
> am flattered" statement was a response to that.
>
> Need I point out that you failed to cite a quote where anyone but
> *yourself* names 'theory'? I of course justified what I had written. I
> had never written specifically "theory".

That quote you have snipped here. Hence I reproduce
below once again:

Shen:


I am flattered by your statement that for I long time
I have been writing about differential analysis. I am
certainly not conscious of having ever said anything
concerning the theory as such.

Olson:


Try Google advanced groups search, with this group,
author Shen, key work "differential". I have no idea
what you are flattered about either.

You certainly saw that last sentence of mine while
responding, didn't you? Did you ignore that? But see
also below.

>
> > Since I know that I have 'never' said anything on the
> > 'theory' of differential analysis in the group, I
> > obviously can't find my theoretical writing that you
> > thought existed.
>
> One more time - the 'theory' was your own fabrication. Read
> what I wrote, and you'll see the search finds exactly what I
> claimed it would find.
>
> > Now it is your turn to grab the
> > archives of the internet to prove that I am wrong,
> > in case you do want to take up my explained challenge.
>
> You proved it yourself. You cited *you* saying 'theory', and no one
> else. Now how about that retraction?

See below.


>
> > Come on, show the materials that you grabbed out and
> > prove that I had said anything concerning the 'theory'
> > of differential analysis! The readers of this thread
> > have a right to see who is right and who is wrong
> > in this issue.
>
> They've seen. I claimed you wrote about DC, and that claim proves to be
> true. You claimed that someone said you had written specifically about
> theory, and you had not, and your claim is false. You can't find anyone
> saying 'theory' other than yourself.
>
> I don't really care where you imagine this theory/not-theory line.
> You certainly were not writing about experience with DC. But it's
> simply dishonest to insert the word 'theory' yourself, then claim
> someone else is wrong based on your own fabrication.

Look, here is another quote from you:

You've been writing about DC for years and you
still don't know its primary form, even though
you've been corrected before on this same point.

Were you not referring to the 'theory' of DC here??

M. K. Shen

Bryan Olson

May 2, 2002, 8:40:47 PM
Mok-Kong Shen wrote:

> Why should one care in the present debate what you wrote?

Because you brought it up and stated it falsely.

> You have to show what I wrote and of the kind that
> fulfill your claim!

I'm not sure what claim you mean right there. I've proven my claim that
for a long time you've been writing about differential cryptanalysis. My
claim that no one but you specified 'theory' has also been shown true.
What other claim of mine is at issue? I'm certainly not responsible for
claims that *you* fabricate.


[...]


>>Need I point out that you failed to cite a quote where anyone but
>>*yourself* names 'theory'? I of course justified what I had written. I
>>had never written specifically "theory".
>>
>
> That quote you have snipped here. Hence I reproduce
> below once again:
>
> Shen:
> I am flattered by your statement that for I long time
> I have been writing about differential analysis. I am
> certainly not conscious of having ever said anything
> concerning the theory as such.
>
> Olson:
> Try Google advanced groups search, with this group,
> author Shen, key work "differential". I have no idea
> what you are flattered about either.

Again with your falsehoods. I included that quote in its entirety in
my previous post - you quoted me quoting it. How do you justify that
kind of thing? Saying I snipped a quote that is right there in front of
you, still quoted?


> You certainly saw that last sentence of mine while
> responding, didn't you? Did you ignore that? But see
> also below.

I don't know why you wrote that nonsense. I justified my claim with
which you clearly disagreed. I don't care how broadly you interpret
"theory" because it's not what I wrote.


[...]


> Look, here is another quote from you:
>
> You've been writing about DC for years and you
> still don't know its primary form, even though
> you've been corrected before on this same point.
>
> Were you not referring to the 'theory' of DC here??

So do that Google search. My claim there is true: you've been writing
about DC for years. I don't care how broadly you interpret 'theory'
because that's not what I wrote. You fabricated it.


--Bryan

Tom St Denis

unread,
May 2, 2002, 10:57:50 PM5/2/02
to
Sam Simpson <s...@samsimpson.com> wrote in message news:<pan.2002.05.02.16...@samsimpson.com>...

Yeah seriously. Well it wasn't too far after that he blasted David
Wagner for posting his observations on the Scottu scheme... which
turned into his classic non-stop troll attacks which he uses to attack
anyone.

Tom

Mok-Kong Shen

unread,
May 3, 2002, 3:14:09 AM5/3/02
to

Bryan Olson wrote:
>
> Mok-Kong Shen wrote:
>

> [...]
> > Look, here is another quote from you:
> >
> > You've been writing about DC for years and you
> > still don't know its primary form, even though
> > you've been corrected before on this same point.
> >
> > Were you not referring to the 'theory' of DC here??
>
> So do that Google search. My claim there is true: you've been writing
> about DC for years. I don't care how broadly you interpret 'theory'
> because that's not what I wrote. You fabricated it.

Let's once again have a look at what you wrote
previously:

I don't really care where you imagine this
theory/not-theory line. You certainly were not
writing about experience with DC. But it's
simply dishonest to insert the word 'theory'
yourself, then claim someone else is wrong based
on your own fabrication.

In the other quote above you accused me of not knowing
the 'primary form' of DC and, according to you, I had
given a totally wrong 'primary form' that you obviously
had corrected. I would like to take the liberty of asking you
to 'clearly' tell what your notion of that 'primary
form' of DC is, such that one can see whether it belongs to
the 'theoretical' part of DC or the 'non-theoretical'
part of it, the latter including practical and also
eventually not individual cipher specific issues, e.g.
key management, programming, etc. Without that it is
extremely difficult to assess the justification of your
words 'dishonest' and 'fabrication' in my conviction.

M. K. Shen

Bryan Olson

unread,
May 3, 2002, 4:13:08 AM5/3/02
to
Mok-Kong Shen wrote:

How about we check the Handbook of Applied Cryptography, a book you
yourself have cited in this group and even given the URL to the on-line
version. If we look up Differential Cryptanalysis in the index, and flip
to the first entry thereunder, we read:

Differential cryptanalysis is one of the most general cryptanalytic
tools to date against modern iterated block ciphers, including DES,
Lucifer and FEAL among many others. It is however, primarily a
chosen-plaintext attack. [HAC 7.91]

There it is: the primary form is chosen plaintext. That's why over a
year ago I wrote:

[Shen:]
| > Let me first say something which could indeed turn out
| > to be wrong, because I am no expert. As far as I understand,
| > differential analysis is commonly not a chosen-plaintext
| > attack. It depends on the relatively abundant possibility
| > of the opponent picking out pairs of plaintexts that satisfy
| > certain fixed differences.
[Olson:]
| This is what I meant by "no evidence of any serious attempt
| to understand the material." It is not appropriate to waste
| everyone's time by posting what you know might be wrong (it
| is) and bemoaning your lack of expertise. Spend a few
| minutes of your own time and look it up. [2000-09-28]

Then just recently you showed you *still* had not checked this basic
fact.

[Shen:]
| The differential analysis is originally meant as
| a passive attack, if I don't err. [2002-04-28]


> Without that it is
> extremely difficult to assess the justification of your
> words 'dishonest' and 'fabrication' in my conviction.

No it isn't. The above shows negligence, not fabrication. Fabrication
is inserting 'theory' yourself, then claiming my note that you've been
writing about DC was wrong, on the basis that you were not writing about
theory. Dishonest is continuing to claim I wrote something after you've
found out that I didn't. I'm not sure how to classify your claim that I
snipped a quote, in the same post that shows the quote still there.
The level of negligence is hard to fathom, but it's not deceptive enough
to indicate dishonesty.

Feel free to call this a rant. Just don't pretend any of it isn't true.


--Bryan
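The HAC passage quoted above says DC is primarily a chosen-plaintext attack because the attacker needs plaintext pairs with a fixed input difference. The following added example (not from any poster, and not Serpent's reference code) computes the difference distribution table of a 4-bit S-box and compares how many texts the chosen-plaintext and known-plaintext settings require; the S-box values are Serpent's S0 as I recall them, and the method does not depend on them being exact.

```python
import math

# Serpent's S0 table, written from memory (an assumption; the code below
# works for any 4-bit S-box).
SERPENT_S0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]


def ddt(sbox):
    """Difference distribution table: ddt[din][dout] counts the inputs x
    for which sbox[x] ^ sbox[x ^ din] == dout (XOR differences)."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for din in range(n):
            dout = sbox[x] ^ sbox[x ^ din]
            table[din][dout] += 1
    return table


def best_differential(sbox):
    """(din, dout, probability) of the most likely nonzero input difference.
    This is what a differential attacker wants to exploit, and to exploit it
    they must feed in plaintext pairs whose XOR is exactly din."""
    table = ddt(sbox)
    n = len(sbox)
    din, dout, count = 0, 0, 0
    for i in range(1, n):            # skip the trivial 0 -> 0 differential
        for j in range(n):
            if table[i][j] > count:
                din, dout, count = i, j, table[i][j]
    return din, dout, count / n


def chosen_plaintexts_needed(prob):
    """Chosen-plaintext setting: about 1/prob right-difference pairs, i.e.
    2/prob chosen plaintexts, suffice to see the differential fire once."""
    return 2 * math.ceil(1 / prob)


def known_plaintexts_needed(num_pairs, block_bits):
    """Known-plaintext setting: among N random plaintexts, the number of
    unordered pairs with one specific XOR difference is about C(N,2)/2^b.
    Solve for N, which shows why 'known' DC needs vastly more data."""
    return math.ceil(math.sqrt(2 * num_pairs * 2 ** block_bits))
```

For a 128-bit block, even a differential of probability 1/4 needs roughly 2^65 known plaintexts to yield the 4 right-difference pairs that 8 chosen plaintexts provide directly.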

Mok-Kong Shen

unread,
May 3, 2002, 4:18:52 AM5/3/02
to

Just a simple question: Does a chosen-plaintext attack
concern the theory of a cipher or is it entirely
a non-theory issue?

M. K. Shen

Bryan Olson

unread,
May 3, 2002, 4:54:17 AM5/3/02
to
Mok-Kong Shen wrote:

> Just a simple question: Does a chosen-plaintext attack
> concern the theory of a cipher or is it entirely
> a non-theory issue?

How many times do I have to state my position? I do not care how
broadly you interpret 'theory'. You inserted it, so don't ask me to
read your mind as to what you intended the usage to include.

You attributed a claim to me that included the specification of 'theory'
that you inserted. You then claimed I was wrong based on what counted
as 'theory'. That's what I called a fabrication. Clear enough?


--Bryan

Mok-Kong Shen

unread,
May 3, 2002, 4:57:58 AM5/3/02
to

Not at all. Since your 'primary form' concerns
exclusively 'theory' in my conviction, your accusation
of 'dishonest' and 'fabrication' is devoid of grounds
and hence proves to be rants.

M. K. Shen

Bryan Olson

unread,
May 3, 2002, 5:11:17 AM5/3/02
to
Mok-Kong Shen wrote:

What could you be talking about? You claimed you never wrote on the
theory of DC. I just quoted you writing on whether DC is chosen
plaintext, and now you say your conviction is that this issue is
exclusively 'theory'. You've contradicted yourself yet again. And
that's in addition to falsely claiming I specified 'theory'.


--Bryan

Mok-Kong Shen

unread,
May 3, 2002, 5:15:24 AM5/3/02
to

I never claimed that you specified 'theory'. See the
post I just sent.

M. K. Shen

Mok-Kong Shen

unread,
May 3, 2002, 5:14:09 AM5/3/02
to

Addendum: What do you mean by 'insert'? I was the
first to use 'theory' in the sentence

I am certainly not conscious of having ever said
anything concerning the theory as such.

That was simply a remark to limit/clarify the scope
of future debate. That means, I don't think that I had
said anything on the theory of DC and hence it seems
to me likely that you have instead something to
criticize on the practical issues concerning DC. (I
intended to have you confirm/refute that, so that we
could continue to discuss on the right topic.)

M. K. Shen

Bryan Olson

unread,
May 3, 2002, 5:34:00 AM5/3/02
to
Mok-Kong Shen wrote:


> I never claimed that you specified 'theory'. See the
> post I just sent.

Both from this thread:

| That's why I was recently
| amazed and flattered by someone's claim that I had
| written a lot about the theory of differential analysis,
| which I never did and never could have done, I believe.

: Since I know that I have 'never' said anything on the
: 'theory' of differential analysis in the group, I
: obviously can't find my theoretical writing that you
: thought existed.

--Bryan

Mok-Kong Shen

unread,
May 3, 2002, 5:38:33 AM5/3/02
to

Addendum: Note that the starting 'critical' sentence
of mine was:

I am certainly not conscious of having ever said
anything concerning the theory as such.

In this context, 'theory' means 'theory of DC', of
course. In my memory, we once discussed a scheme of
mine and you found an ingenious attack. But that didn't
have anything to do with the 'theory of DC'. Or am
I wrong in this?

M. K. Shen
