On 2 Oct 2000, lcs Mixmaster Remailer wrote:
> Pure cipher strength actually played very little role in the selection.
> All the ciphers were judged adequately strong. Rijndael's main advantages
> were in practical implementation issues, plus resistance to various
> hardware failures.
>
> Rijndael has attacks on 6 or 7 out of the 10 rounds for 128 bits keys;
> 7 out of 12 rounds for 192 bit keys; and 7, 8 or 9 out of 14 rounds for
> 256 bit keys (Rijndael uses more rounds for larger keys). The attacks
> against larger numbers of rounds require prohibitive levels of work.
>
> For those whose primary interest in AES is high security, the emphasis
> might have been placed elsewhere. Rather than choosing a cipher with
> merely an "adequate" level of security, they would prefer that the
> choice had been made from among those ciphers judged highest in security:
> MARS, Twofish and Serpent. Choosing from among these ciphers by similar
> criteria of efficiency would probably have led to Twofish.
According to the NIST report, Rijndael's creators came up with an attack
against 6 rounds, and viewed that as not terribly worrisome. The existence
of a very impractical attack against 7 rounds hardly changes things much,
especially in light of Rijndael being very simple and hence relatively
easy to analyze.
-Bram Cohen
