On 01/09/2014 05:37 PM, Les Mikesell wrote: > On Thu, Jan 9, 2014 at 4:32 PM, Robert Moskowitz <rgm at htt-consult.com> wrote: >>> I always just assumed that blowfish was good precisely because it >>> wasn't the one that was recommended/promoted by the groups likely to >>> be compromised. But, I try to stay out of politics so I don't worry >>> much about keeping secrets anyway. >> Bruce's twofish was better; it was his AES submission. > But didn't that come later? With nothing else to go on, that would > make me think that it is more likely to have been influenced by > whatever means corrupted the others. It was back in the heady days of finding a replacement for DES and 3DES. Rivest had his RC5 (there are calls again for a streaming cipher, and NIST may well 'pick' one this year). Kennedy had SAFER+ (used in Bluetooth, but SAFER+ was eliminated for AES because it was highly dependent on your RNG. Ask bluetooth vendors about their RNG). The peer review was brutal. Bruce himself will admit to issues found surrounding twofish. Some question the changes NSA had made with RInjdal, but again, massive peer review. And you see that review regularly. We wanted the GCM mode of operation for IEEE 802.1AE, and NSA offered some tweaks to tighten it up. Just a bit before (grumble, what was the profs name) made the same recommendation. The big things they help with. Too much public review and too many profs looking for research for their students (why we are moving away from SHA1, eventhough further work is showing it to be stronger that we thought). It is the subtle things around the use of the algorithms and protocols they go after.