[2784] in cryptography@c2.net mail archive
Re: AES - draft of request for comments on candidate algorithms
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Fri May 29 14:04:33 1998
In-Reply-To: <3.0.5.32.19980528070722.008cce90@popd.ix.netcom.com>
Date: Fri, 29 May 1998 13:03:54 -0400
To: Edward Roback <edward.roback@nist.gov>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: Bill Stewart <bill.stewart@pobox.com>, Jim Foti <jfoti@nist.gov>,
cryptography@c2.net, cypherpunks@cyberpass.net
>>X-Sender: foti@csmes.ncsl.nist.gov
>>X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
>>Date: Wed, 27 May 1998 13:35:10 -0400
>>To: roback@csmes.ncsl.nist.gov
>>From: Edward Roback <edward.roback@nist.gov> (by way of Jim Foti
>><jfoti@nist.gov>)
>>Subject: AES - draft of request for comments on candidate algorithms
>> (for August)
>>
>>AES contacts,
>>
>>Following is a working draft of an excerpt for our planned announcement
>>(for August, 1998) asking for comments on the AES candidate algorithms.
>>Since many of you will be analyzing the algorithms (and we presume reading
>>the comments we receive, since we'll make them publicly available), we
>>thought we'd ask for your informal feedback on our draft. Are we asking
>>for the right kind of comments? Should we also ask for others that might be
>>helpful? Suggestions?
>>
>>Thank you,
>>
>>Ed Roback
>>
>>
>>
>>W O R K I N G D R A F T
>>
...
>>
>>1. SECURITY:
>>
...
>>
>>ii. The extent to which the algorithm output is indistinguishable from a
>>random permutation on the input block.
>>
In my opinion, the choice of words for ii. is poor. Under a common
interpretation of "permutation," a random permutation of a block consisting
of all zero bits would still have all bits zero. I believe a better wording
would be:
"ii. [agr version] The extent to which the algorithm output is
indistinguishable from a stream of random bits."
You may want to go further in defining what "indistinguishable from a
stream of random bits" means. I would expect the tests in FIPS-140 as a
minimum, along with other widely used randomness tests and a discussion of
the possibility of special input streams and/or keys that could produce
statistically non-random output. You may also want to suggest test lengths
to assure comparable data. Of course, tests beyond what is specifically
requested should be welcome.
Arnold Reinhold
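The message above points to the FIPS-140 statistical tests as the minimum bar for "indistinguishable from a stream of random bits." The following is an added example, not code from the message or from NIST: it implements the four FIPS 140-1 tests (monobit, poker, runs, long run) with the acceptance intervals from FIPS 140-1 section 4.11.1, which was the version in force in 1998, and runs them over a 20,000-bit sample. The sample data is constructed here (a seeded PRNG standing in for cipher output, plus an all-zero stream standing in for the kind of degenerate output a special key or input might produce); it is not output of any AES candidate.

```python
"""FIPS 140-1 statistical tests (monobit, poker, runs, long run) over a
20,000-bit sample. Thresholds are those of FIPS 140-1 section 4.11.1 (1994).
The sample bits below are constructed for the example, not cipher output."""
import random

SAMPLE_BITS = 20000

# Acceptance intervals from FIPS 140-1 (bounds exclusive, as in the standard).
MONOBIT_RANGE = (9654, 10346)          # 9654 < number of ones < 10346
POKER_RANGE = (1.03, 57.4)             # 1.03 < X < 57.4
RUN_RANGES = {                         # run length -> (low, high), inclusive
    1: (2267, 2733),
    2: (1079, 1421),
    3: (502, 748),
    4: (223, 402),
    5: (90, 223),
    6: (90, 223),                      # runs of length 6 or more pool here
}
LONG_RUN_LIMIT = 34                    # any run of >= 34 identical bits fails


def monobit(bits):
    ones = sum(bits)
    return MONOBIT_RANGE[0] < ones < MONOBIT_RANGE[1]


def poker(bits):
    # Split the stream into 5000 consecutive 4-bit values and count each of the 16.
    counts = [0] * 16
    for i in range(0, SAMPLE_BITS, 4):
        nibble = (bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]
        counts[nibble] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    return POKER_RANGE[0] < x < POKER_RANGE[1]


def run_lengths(bits):
    """Yield (bit_value, length) for each maximal run in the stream."""
    current, length = bits[0], 1
    for b in bits[1:]:
        if b == current:
            length += 1
        else:
            yield current, length
            current, length = b, 1
    yield current, length


def runs(bits):
    # Runs of zeros and runs of ones are counted separately by length.
    counts = {v: {k: 0 for k in RUN_RANGES} for v in (0, 1)}
    for value, length in run_lengths(bits):
        counts[value][min(length, 6)] += 1
    for value in (0, 1):
        for length, (low, high) in RUN_RANGES.items():
            if not low <= counts[value][length] <= high:
                return False
    return True


def long_run(bits):
    return all(length < LONG_RUN_LIMIT for _, length in run_lengths(bits))


def fips140_1_tests(bits):
    """Return a dict of test name -> pass/fail for a 20,000-bit sample."""
    if len(bits) != SAMPLE_BITS:
        raise ValueError("FIPS 140-1 tests are defined on exactly 20,000 bits")
    return {
        "monobit": monobit(bits),
        "poker": poker(bits),
        "runs": runs(bits),
        "long_run": long_run(bits),
    }


def constructed_sample(seed=1998):
    """Constructed stand-in for cipher output: 20,000 bits from a seeded PRNG."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(SAMPLE_BITS)]


def degenerate_sample():
    """Constructed pathological stream (all zeros): every test should fail."""
    return [0] * SAMPLE_BITS


if __name__ == "__main__":
    for name, sample in (("prng", constructed_sample()), ("zeros", degenerate_sample())):
        print(name, fips140_1_tests(sample))
```

To apply this to a candidate cipher, one would replace `constructed_sample` with 20,000 bits of keystream or concatenated ciphertext blocks (for example, encryptions of a counter under a fixed key) and repeat over several keys and input patterns, since a single passing sample says nothing about the special keys or inputs the message warns about. Passing these tests is a necessary, not sufficient, condition: they catch gross statistical bias, not structural weaknesses.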