ietf-openpgp

Re: Two AES ciphers

2000-04-09 14:57:12
At 7:34 PM -0700 4/8/00, Paul Hoffman / IMC wrote:
For the past few months, there has been much talk of the likelihood that
the AES process will come out with two ciphers, not one. This was talked
about at the SAAG meeting in Adelaide, and folks from NIST said that this
was indeed the current thinking.

RFC 2440 and the current 2440bis draft have algorithm IDs that say "Reserved
for AES with 128-bit key" and so on. It might be wise to allocate another
three and specify that the actual algorithms used for IDs 7, 8, and 9 (and
probably 11, 12, and 13) will be defined by a future RFC.


I'd prefer to wait, myself. There are a few reasons for it.

I'm of two minds about this. Last spring I came out against it in my
comments to NIST. There's been talk about it since the first AES
conference, but it's only been talk. In the past, the main rationale for
more than one AES was that the AES has many goals, and it wasn't clear that
one cipher could serve all of those goals.

However, the analysis shows that at least three of the five finalists are
usable in all contexts, from smart cards to high-performance systems. If the
main argument for more than one AES is concern about usability on smart
cards (or other limited systems -- the 8051 is probably going to be with us
always) and big switches, that concern has been addressed.

To my mind, the other technical rationale is the "what if it breaks"
question. That's a completely different can of worms, though. I think this
is the only reasonable reason for more than one algorithm, but it raises a
number of algorithms. If you have one, there's no good backup plan. If you
have more than one, the odds that you'll have to deal with *some* broken
cipher are higher. Ironically, under this argument, I tend to side with
the notion of redundancy, but I respect the opinions of people who want
simplicity, and see their point.

(There's a third reason, and that's political. Let's suppose that the
technical favorite in NIST were Rijndael. Beyond the amusement value of
having a US standard cipher being written by people outside the US, that's
pretty much the icing on the cake for the argument that US governmental
controls on crypto have merely helped export crypto knowledge. It would
therefore behoove them to pick a second AES that they could slap a "Made in
USA" sticker on. But I digress.)

The third AES conference is next week. I hope this gets addressed there. If
they say there that yes, definitely, there will be two algorithms, then so
be it.

Until NIST says something official, the issue of whether there should be
more than one AES is under debate. As you can see, I have mixed emotions
about the issue. I think it would be high-handed for me to act as if I know
what NIST is going to do before they've done it. It short-circuits the
debate.

If NIST says there's going to be two AES ciphers, it's five minutes of work
to add it in. I'm not sending out a revision next week, or the week after.
In three to four weeks there may be another 2440bis, if we get the MDC
hammered out. If a week after that I have to put out another draft, sure.
There's just no reason to do it now. It's not like we might run out of
algorithm numbers.

        Jon

