Subject: Re: FUD about CGD and GBDE
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 03/03/2005 20:34:05
In message <11649.1109888351@critter.freebsd.dk>, "Poul-Henning Kamp" writes:

>I have studied the AES papers and in particular the attacks and
>criticisms of it very carefully, and they have proven a whole lot
>of things to be impossible, but they have not proven that there
>are not more that need to be proven impossible.
>
>When DES was designed, nobody knew that differential attacks existed.

No, no one in the open sector knew.  DES was specifically designed to 
resist differential cryptanalysis.  

The best source for information on how DES was designed is Don 
Coppersmith's paper "The Data Encryption Standard (DES) and its
strength against attacks", IBM Journal of Research and Development,
Vol. 38, no. 3, pp. 243-250, May 1994.

It's worth noting that in the ~30 years since DES was designed, exactly 
*one* attack significantly better than brute force was found: linear 
cryptanalysis.  Coppersmith's paper shows how that could have been 
prevented, too.

A few years ago, Biham came up with a 2^79 attack against a 
slightly-weakened version of Skipjack, an NSA cipher.  I mentioned
that to a friend who has -- let's say "connections".  He smiled and 
said "2^79 complexity against an 80-bit cipher?  I don't call that an 
attack, I call that good engineering".  Since then, I've heard other 
statements from well-connected people that boil down to this:  NSA has 
a deep understanding of how strong a cipher is.  In that vein, I'll 
note that 256-bit AES is approved for Top Secret traffic.

>
>Shortly after AES was gold-plated the earlier mentioned attack
>method where it is decomposed into a massive number of equations
>was presented.
>
As noted, that attack is discredited.

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb