[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AES Comments



At 12:27 PM 4/26/97 -0500, Bruce Schneier wrote to NIST about their
proposals for an Advanced Encryption Standard (AES) FIPS:

>With this in mind, I propose a set of Minimum Acceptability Criteria that
>pushes the envelope of current encryption algorithms:
>	A variable key, supporting (at least) a 128- and 256-bit key .
One of Bruce's comments is that any algorithm picked today will
probably be around until 2040-50; if computer speeds double every year,
then the marginally useful strength by then will be about 110-120 bits.
While it's nice to have an expandable key structure that will let you
increase the strength by then, 128 bits is really still strong enough,
and a fixed-keylength algorithm that's still workable in triple-mode 
should work just fine.
>		No more than double with a 256-bit key on any platform.
Allowing triple opens the field a lot, and by the time you need >128-bit keys,
machines will be so blazingly fast that a 50% difference won't matter much;
you'll still be able to encrypt that 1Gbps 3D video in real time.

>	Encryption speeds (in clock cycles per byte encrypted):
>		No more than 64 on an 8-bit smart card with a 128-bit key.

How fast do you really need, in seconds, for typical smart-card apps?
64 cycles at 1MHz is 16000 bytes/second; 128 cycles is 8000 bytes/second.
How fast are most smartcards?  1MHz?  2MHz?  500kHz?
The main uses I can see for 8-bit crypto processing are
- cheap, large-volume crypto for uncompressed voice (needs 8000 bytes/sec)
- adding crypto to digital phones ( ~800-1660 bytes/sec )
- money cards (if you're not using public-key, maybe you need 100 bytes,
	so 8000 bytes/sec is 1/80 sec transaction?)
- ATM machines (which typically have 4800-bits/sec data connections,
	== 600 bytes/sec, and often have 16-bit processors.  Even DES works.)

>		No more than 16 on a Pentium, Pentium Pro, PowerPC, or DEC
>		Alpha with a 128-bit key.
Which interestingly knocks out Blowfish (18 cycles), Khufu (20), and RC5 (23),
and the only things faster are SEAL and RC4 stream-only cyphers.
It's a tradeoff between forcing the development and testing of
cutting-edge speed, which may cost you in strength, vs. supporting a
bunch of existing algorithms we're starting to understand.
If it takes an extra 2 years to develop new algorithms,
you've doubled computer speed, so you could use the 17-32-cycle algorithms
you're rejecting today.....

>These requirements are not easy to meet.  As far as I know, no published
>block cipher meets them all (although some come close in many areas).  But
>requirements such as these will challenge the world's cryptographic
>research organizations to create something useful. 
>I know you realize that the selection process will take several years to
>complete.  Therefor, I urge you to approve triple-DES as an interim
>standard.  This will satisfy users who need a 64-bit block cipher for
>compatibility reasons, while allowing you the time required to choose and
>approve the best AES you can.

If this is the ulterior motive for requiring faster-than-current algorithms,
I'm all for it (:-)  Triple-DES is boring, slow, and just fine for most
applications.

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)