RE: comments on draft-ietf-ipsec-ciph-cbc-02.txt

Helger Lipmaa <helger@cyber.ee> Thu, 12 March 1998 22:30 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id RAA03314 for ipsec-outgoing; Thu, 12 Mar 1998 17:30:48 -0500 (EST)
X-Authentication-Warning: keeks.ioc.ee: helger owned process doing -bs
Date: Thu, 12 Mar 1998 23:17:04 +0200
From: Helger Lipmaa <helger@cyber.ee>
X-Sender: helger@keeks
To: ipsec@tis.com
Subject: RE: comments on draft-ietf-ipsec-ciph-cbc-02.txt
In-Reply-To: <c=US%a=_%p=TimeStep_Corpora%l=TSNTSRV2-980312200042Z-2312@tsntsrv2.timestep.com>
Message-ID: <Pine.GSO.3.95.980312225010.19288B-100000@keeks>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

On Thu, 12 Mar 1998, Roy Pereira wrote:

> How many rounds do you suggest for IDEA?

Not less than 6. But as the general cryptanalysis of IDEA is just
beginning (in contrast to the cryptanalysis of DES-style ciphers, which
has its traditions), I'd personally stick with the 8-round version of it:
making it 8.5/6.5 times faster by omitting two rounds, and thereby potentially
decreasing the security, is not a proper way. If you need speed, use some
ciphers designed to be fast, e.g., CAST5, Blowfish, RC5, Square. An
8-round IDEA is (on MMX machines) only <20% slower than 16-round DES. It
is not a big cost for the increased security.

> >The weak key lists are incomplete, as they will probably always be.
> >The chances of hitting one at random are negligible. What's the point ?
> >
> >What do you suggest we do with the weak key lists?  From our knowledge, we
> >did include all known weak keys.

On page 4, the point should be clarified. I'm perfectly happy with not
checking for weak keys of IDEA. But there could be a _suggestion_ to XOR
every subkey with a constant (see the paper by Daemen et al.).

Another remark on the same draft: 3DES's key is 168 bits; 192 includes the
parity bits. It should be clarified a bit better.

I'd like to know where the speed estimates have been taken from.
[Schneier97] is not a valid reference: it contains only estimates, which are
completely wrong in the case of IDEA. Hint: ask Antoon Bosselaers
(http://www.esat.kuleuven.ac.be/~bosselae/)

I also feel that in several places the draft should refer to "Handbook
of Applied Cryptography" by MOV, not to [Schneier].

Helger Lipmaa
Cybernetica Ltd, senior research engineer
http://home.cyber.ee/helger; Phone +372-6542422