RE: comments on draft-ietf-ipsec-ciph-cbc-02.txt
On Thu, 12 Mar 1998, Roy Pereira wrote:
> How many rounds do you suggest for IDEA?
Not less than 6. But as the general cryptanalysis of IDEA is just
beginning (in contrast to the cryptanalysis of DES-style ciphers, which
has its traditions), I'd personally stick with the 8-round version of it:
getting it 8.5/6.5 faster by omitting two rounds and by potentially
decreasing the security is not a proper way. If you need speed, use some
ciphers designed to be fast, e.g., CAST5, Blowfish, RC5, Square. An
8-round IDEA is (on MMX machines) only <20% slower than 16-round DES. It
is not a big cost for the increased security.
> >The weak key lists are incomplete, as they will probably always be.
> >The chances of hitting one at random are negligible. What's the point?
> >
> >What do you suggest we do with the weak key lists? From our knowledge, we
> >did include all known weak keys.
On page 4, the point should be clarified. I'm perfectly happy with not
checking for weak keys of IDEA. But there could be a _suggestion_ to xor
every subkey with a constant (see the paper by Daemen & Co).

Another remark on the same draft. 3DES's key is 168 bits; 192 includes the
parity bits. It should be clarified a bit better.

I'd like to know where the speed estimates were obtained from.
[Schneier97] is not a valid reference: it has only estimations, which are
completely wrong in the case of IDEA. Hint: ask Antoon Bosselaers
(http://www.esat.kuleuven.ac.be/~bosselae/).

I also feel that in several places the draft should refer to "Handbook
of Applied Cryptography" by MOV, not to [Schneier].

Helger Lipmaa
Cybernetica Ltd, senior research engineer
http://home.cyber.ee/helger; Phone +372-6542422
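
Added example, not part of the original message or of the draft: the 168-versus-192-bit distinction for 3DES keys raised above, shown by setting and stripping the DES odd-parity bits. The function names and the sample key are constructed for illustration.

```python
# Each DES key byte carries 7 key bits plus 1 odd-parity bit in the least
# significant position, so a 24-byte (192-bit) 3DES key holds 168 key bits.

def set_odd_parity(key: bytes) -> bytes:
    """Return key with the low bit of every byte adjusted to odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        # If the 7 key bits already have an odd number of ones, parity bit is 0.
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)

def has_odd_parity(key: bytes) -> bool:
    """True if every byte of the key has an odd number of set bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)

def effective_bits(key: bytes) -> int:
    """Pack the 7 key bits of each byte into one integer, dropping parity."""
    if len(key) not in (8, 16, 24):
        raise ValueError("DES keys are 8 bytes; 3DES keys are 16 or 24 bytes")
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value

def effective_length(key: bytes) -> int:
    """Number of bits that actually influence encryption."""
    return 7 * len(key)

# Constructed sample input: 24 arbitrary bytes, then parity-adjusted.
RAW = bytes(range(0x10, 0x28))
K1 = set_odd_parity(RAW)
# Same key material with every parity bit flipped (invalid parity).
K2 = bytes(b ^ 0x01 for b in K1)

if __name__ == "__main__":
    print("stored length   :", 8 * len(K1), "bits")
    print("effective length:", effective_length(K1), "bits")
    print("K1 parity ok    :", has_odd_parity(K1))
    print("K2 parity ok    :", has_odd_parity(K2))
    print("same key bits   :", effective_bits(K1) == effective_bits(K2))
```

K1 and K2 differ in 24 bit positions yet select the same cipher key, which is why key-strength statements should quote 168 bits and treat 192 as the encoded length.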