[Cryptography] Best AES candidate broken

Ryan Carboni ryacko at gmail.com
Sun Jul 5 01:34:15 EDT 2015


On Sat, Jul 4, 2015 at 9:01 PM, Jerry Leichter <leichter at lrw.com> wrote:

> On Jul 4, 2015, at 4:23 PM, Ryan Carboni <ryacko at gmail.com> wrote:
>
>> The best AES candidate,
>
> Clearly many of the best cryptographers out there disagreed with you, as
> it didn't make it to the final round - and there's been general agreement
> that the AES selection process was of extremely high quality.
>
>
Except there's one problem with that assertion... Rijndael is easily broken
by... cache timing, differential power, and many other attacks. The
knowledge that those attacks could be used certainly was known during the
AES competition. [relevant page from Serpent submission attached, will show
up in the Metzdowd archives]

Serpent was designed to be fast in hardware implementations... according to
the NSA's estimates for the NIST competition, 60% faster than Rijndael,
with a latency only twice as much.

But Serpent was not chosen. Serpent's designers did have slides during an
AES conference showing that standards are often used for decades... even a
century. [can't recall where those slides are]

I do not know what historians will think about modern cryptography, but I'm
guessing you could figure out what I think.

While Serpent was slower than Rijndael, there apparently were discussions
during the AES competition about requesting clarification as to the
security/performance tradeoffs for something more concrete than "more
secure and faster than TripleDES". [cannot remember where those documents
were] It's possible that the questions used for polling for the best cipher
for AES were loaded questions. The simplest modification to the ciphers
would be to ask the designers to increase or decrease the number of rounds.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: serpent.gif
Type: image/gif
Size: 45539 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150704/d2b5bd59/attachment-0001.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: AES Round 2 NSA hardware computations.pdf
Type: application/pdf
Size: 94303 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150704/d2b5bd59/attachment-0001.pdf>
