Re: CAST (and random AES chatter)


Bruce Schneier (schneier@counterpane.com)
Thu, 16 Jul 1998 22:19:13 -0500


At 11:13 PM 7/16/98 -0400, Perry E. Metzger wrote:
>Bruce Schneier writes:
>> I don't buy the design process.
>
>Really? I actually like the design process -- it strikes me as having
>some actual system to it, which most such processes do not have.

My problem with the CAST design process is that it focused solely on the
known attacks. The S-boxes were designed to be secure against
linear and differential cryptanalysis. And they are. And then along
comes higher order differential cryptanalysis and some of the CAST
designs don't look very good anymore. Some of the designs, including
CAST-128, were immune, but the attacks cast serious doubts on the
design process.

>> And I DON'T like CAST-256.
>
>I agree with this. The paper did not give me a sense of ease. Too many
>"we believe the upper bound for this is X, so we therefore believe
>that we are likely immune to this attack", and not enough "we have
>actually attacked this" bits. The cipher may be okay (Carlisle is a
>smart guy) but the paper is not that comfort inducing.

Actually, I have more serious reservations. But there may be a paper
in it, so I'll let it go for now.

>As long as we are on the topic of AES candidates...
>
>I must say that I rather liked the Twofish paper. I'm not personally
>sure about the cipher itself yet -- it needs more attack -- but the
>paper had exactly the right attitude and degree of transparency about
>it. You didn't allude to the design process -- you described it -- and
>you didn't allude to attacks tried -- you gave the details.

Thanks.

>The MARS paper was also very good -- it had high transparency. I
>personally liked MARS a bunch, although it, too, is too young to trust
>yet.

My main complaint about MARS is that I cannot keep the entire design
in my head. One of the Twofish design goals was to create a cipher
that could be easily memorized. I find that I can imagine new attacks,
and carry out analysis, more easily if the cipher is easy to conceptualize.
With MARS I am continually going back to the paper to remember how
something works. I am much less likely to find good analyses.

>Coolest of the recent AES batch seemed to be RC6, but the paper also
>left a bit to be desired in the way of transparency in describing
>attacks. I liked the design methodology description, though.

Data-dependent rotations worry me, but Rivest is the master of the "too
good to be true" cipher that never seems to break. I like the design,
too.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
           Free crypto newsletter. See: http://www.counterpane.com



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:31 ADT