[7916] in cryptography@c2.net mail archive

Re: Rijndael among the weakest of the AES candidates

daemon@ATHENA.MIT.EDU (Bram Cohen)
Tue Oct 3 17:25:46 2000

Date: Tue, 3 Oct 2000 11:53:40 -0700 (PDT)
From: Bram Cohen <bram@gawth.com>
To: lcs Mixmaster Remailer <mix@anon.lcs.mit.edu>
Cc: cryptography@c2.net
In-Reply-To: <20001002222035.26189.qmail@nym.alias.net>
Message-ID: <Pine.LNX.4.21.0010031147370.22701-100000@ultra.gawth.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On 2 Oct 2000, lcs Mixmaster Remailer wrote:

> Pure cipher strength actually played very little role in the selection.
> All the ciphers were judged adequately strong.  Rijndael's main advantages
> were in practical implementation issues, plus resistance to various
> hardware failures.
> 
> Rijndael has attacks on 6 or 7 out of the 10 rounds for 128-bit keys;
> 7 out of 12 rounds for 192-bit keys; and 7, 8 or 9 out of 14 rounds for
> 256-bit keys (Rijndael uses more rounds for larger keys).  The attacks
> against larger numbers of rounds require prohibitive levels of work.
> 
> For those whose primary interest in AES is high security, the emphasis
> might have been placed elsewhere.  Rather than choosing a cipher with
> merely an "adequate" level of security, they would prefer that the
> choice had been made from among those ciphers judged highest in security:
> MARS, Twofish and Serpent.  Choosing from among these ciphers by similar
> criteria of efficiency would probably have led to Twofish.

According to the NIST report, Rijndael's creators came up with an attack
against 6 rounds, and viewed that as not terribly worrisome. The existence
of a very impractical attack against 7 rounds hardly changes things much,
especially in light of Rijndael being very simple and hence relatively
easy to analyze.

-Bram Cohen


