In 1999-2000 the US government ran a contest to devise AES (advanced encryption standard), the "best" secret key cryptosystem meeting certain criteria. The ultimate winner is called "Rijndael." The selection process involved a vote conducted using approval voting by the participants at the AES2 conference in March 1999. The results were as follows ("candidates" are the 5 AES finalists):

Rijndael: 86 positive, 10 negative
Serpent: 59 positive, 7 negative
Twofish: 31 positive, 21 negative
RC6: 23 positive, 37 negative
MARS: 13 positive, 84 negative

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process

Plurality voting would have been likely to fail in this use...

This is a case where "range voting" might not have been as good as approval, because with range, there might have been "1-sided strategy" -- that is, there were various voters motivated to vote strategically, and the number of such "pre-biased voters" might have varied considerably depending on the candidate.

QUESTION: There was an earlier AES round with 15 candidate systems (later narrowed to the above 5). Were any such votes conducted with those 15 as candidates, and if so what were the results?

RC Schroeppel was the only all-American entrant in the contest with his "hasty pudding" system. I can see why they rejected it (messy, not well suited to hardware, largely unanalysed), but it did have some nice features, some of which, as far as I know, no other system has yet replicated:

* will encrypt a bit string of any length. (Can even do "fractional bit lengths.")
* high efficiency on 64-bit machines (albeit there seemed some dispute about that)
* had something RCS called the "spice" (which later authors called "tweak") which enabled rapid key changing provided you only changed the spice not the rest of the key. This was not appreciated at the time but later authors seem to have viewed it as quite useful.
* a feature HPC did not have but could have had if RCS had been smarter, was constant runtime independent of data, rendering it immune to timing attacks.

The winner Rijndael involved 256-byte lookup tables and hence is extremely susceptible to cache-status-based timing attacks, a fact not realized+proven until a few years after the winner was selected :(. RC6 and HPC both involved variable-distance word rotations, which on some machines are time-varying, and HPC had data-dependent memory access pattern, another no-no. However, as I said, RCS if he'd been a bit smarter could easily have designed HPC to avoid those no-no's, unlike Rijndael which is inherently stuck with them. Also, designs of HPC's ilk also seem do-able in such a way as to get high resistance to power-measurement attacks. So it might be interesting to redo the HPC design in light of that and other criticisms.

QUESTION: RCS contended unsuccessfully that 64-bit machines were where it was at, and performance on other machines was largely irrelevant. I suspect he was wrong, in the sense that a lot of computers like mobile phones and smart cards remain below 64-bit width and I suspect there are good reasons for that (battery life) likely to persist despite Moore's law. But... what do you think? What operations would you now recommend such a system be designed to use & avoid to get high portability and good performance?

--
Warren D. Smith
http://RangeVoting.org <-- add your endorsement (by clicking "endorse" as 1st step)
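An added illustration of the two "no-no's" the post names (this is not code from the post, from HPC, or from any AES entrant): a data-dependent table lookup beside a constant-time one that touches every entry, and a variable-distance 64-bit rotation assembled from fixed shifts so its timing does not depend on the rotation count. The 16-entry table is constructed for the demo and is not a real cipher S-box.

```c
#include <stdint.h>

/* Constructed 16-entry demo table (not any real cipher's S-box). */
static const uint8_t TABLE16[16] = {
    0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
    0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7
};

/* Data-dependent lookup: which cache line is touched depends on x,
 * so a co-resident process can infer x from cache access timing. */
uint8_t lookup_leaky(uint8_t x) {
    return TABLE16[x & 0xF];
}

/* Constant-time lookup: read every entry regardless of x and keep
 * only the wanted one via an all-ones/all-zeros mask, no branches. */
uint8_t lookup_ct(uint8_t x) {
    uint8_t out = 0;
    x &= 0xF;
    for (uint32_t i = 0; i < 16; i++) {
        uint32_t diff = i ^ x;                              /* 0 only when i == x */
        uint8_t mask = (uint8_t)(0 - ((diff - 1) >> 31));  /* 0xFF iff diff == 0 */
        out |= TABLE16[i] & mask;
    }
    return out;
}

/* Returns 1 if the two lookups agree on every input (sanity check). */
int lookups_agree(void) {
    for (unsigned x = 0; x < 256; x++)
        if (lookup_ct((uint8_t)x) != lookup_leaky((uint8_t)x)) return 0;
    return 1;
}

/* Variable-distance rotate left of a 64-bit word, built from six fixed
 * rotations (by 1, 2, 4, ..., 32), each applied or skipped under a mask
 * taken from one bit of n. Runtime is the same for every n, even on a
 * CPU whose own variable rotate instruction is not constant-time. */
uint64_t rotl64_ct(uint64_t v, unsigned n) {
    n &= 63;
    for (unsigned k = 0; k < 6; k++) {
        unsigned s = 1u << k;
        uint64_t mask = 0 - (uint64_t)((n >> k) & 1u);
        uint64_t r = (v << s) | (v >> (64 - s));
        v = (r & mask) | (v & ~mask);
    }
    return v;
}
```

An optimising compiler may turn the mask arithmetic back into a branch or a conditional load, so the emitted assembly still has to be inspected before relying on either function being constant-time.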