The note [1] presents an interesting view on alternative representations of the Rijndael structure. The application of mathematical techniques is refreshing. The purpose of this reply is to clarify that the observations made do not contradict the security claims we made. While we are sure that the authors are fully aware of the merits and limitations of their results, we feel that a less experienced reader might easily draw wrong conclusions. From the beginning, our design strategy was to use as simple as possible components, to define clear evaluation criteria, and to use simple components with easily provable properties where possible. This paper is organised as folows. We start in Section 2 with a few comments on the used terminology. In Section 3 we restate our evaluation criterium for ‘diffusion’ and show that the results of [1] compare to it. In Section 4 we explain the advantages of using simple components, with provable properties. In Section 5 we explain the advantages of using a simple structure. This is illustrated with an analysis of the DES that contradicts the results of [1].
[1]
Kaisa Nyberg,et al.
Differentially Uniform Mappings for Cryptography
,
1994,
EUROCRYPT.
[2]
Sean Murphy.
New Observations on Rijndael
,
2000
.
[3]
William Millan,et al.
Efficient Methods for Generating MARS-Like S-Boxes
,
2000,
FSE.
[4]
Stefan Lucks,et al.
Attacking Seven Rounds of Rijndael under 192-bit and 256-bit Keys
,
2000,
AES Candidate Conference.
[5]
Bruce Schneier,et al.
Improved Cryptanalysis of Rijndael
,
2000,
FSE.
[6]
Marine Minier,et al.
A Collision Attack on 7 Rounds of Rijndael
,
2000,
AES Candidate Conference.
[7]
Kazukuni Kobara,et al.
Relationships among Differential, Truncated Differential, Impossible Differential Cryptanalyses against Word-Oriented Block Ciphers like RIJNDAEL, E2
,
2000,
AES Candidate Conference.