AES competition: Difference between revisions
imported>Sandy Harris No edit summary |
mNo edit summary |
||
(48 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{subpages}} | {{PropDel}}<br><br>{{subpages}} | ||
{{TOC|right}} | {{TOC|right}} | ||
Starting in the late 90s, the US [[National Institute of Standards and Technology]] (NIST) ran a contest to find a [[block cipher]] to replace [[Data Encryption Standard]], DES. The winning cipher, previously known as [[Rijndael]] became the [[Advanced Encryption Standard]], AES. | Starting in the late 90s, the US [[National Institute of Standards and Technology]] (NIST) ran a contest to find a [[block cipher]] to replace the [[Data Encryption Standard]], DES. The winning cipher, previously known as [[Rijndael]] became the [[Advanced Encryption Standard]], AES. DES had become obsolete because its 56-bit [[Block_cipher#Key size | key size]] was inadequate to resist [[brute force attack]]s, given modern technology. | ||
The entire process was completely open; even their requirements document was published and comment or criticism invited before a final version was written, and all of the later work toward the choice of a standard was public as well. The whole process was widely praised by cryptographers as a fine example of taking [[Kerckhoffs' Principle]] into account. This was in sharp contrast to some of the criticisms that had been made of the secrecy in the [[DES]] standardisation process which was run by [[NIST]]'s ancestor, the [[National Bureau of Standards]]. | The entire process was completely open; even their requirements document was published and comment or criticism invited before a final version was written, and all of the later work toward the choice of a standard was public as well. The whole process was widely praised by cryptographers as a fine example of taking [[Kerckhoffs' Principle]] into account. This was in sharp contrast to some of the criticisms that had been made of the secrecy in the [[DES]] standardisation process which was run by [[NIST]]'s ancestor, the [[National Bureau of Standards]]. | ||
Line 8: | Line 8: | ||
The final requirements specified a block cipher with 128-bit [[Block_cipher#Block_size | block size]] and support for 128, 192 or 256-bit [[Block_cipher#Key size | key sizes]]. Evaluation criteria included security, performance on a range of platforms from 8-bit CPUs (e.g. in smart cards) up, and ease of implementation in both software and hardware. | The final requirements specified a block cipher with 128-bit [[Block_cipher#Block_size | block size]] and support for 128, 192 or 256-bit [[Block_cipher#Key size | key sizes]]. Evaluation criteria included security, performance on a range of platforms from 8-bit CPUs (e.g. in smart cards) up, and ease of implementation in both software and hardware. | ||
Fifteen submissions meeting basic criteria were received, not just from the US but from many other countries as well. All of the entries were [[#Iterated block ciphers | iterated block ciphers]]; in Shannon's terms all were [[#Cipher_structures|product ciphers]]. Most used an [[Block_cipher#SP network | SP network]] or [[Block_cipher#Feistel structure | Feistel structure]], or variations of those. Several had [[Block_cipher#Resisting_linear_.26_differential_attacks | proofs of resistance]] to various attacks. | Fifteen submissions meeting basic criteria were received, not just from the US but from many other countries as well. All of the entries were [[Block_cipher#Iterated block ciphers | iterated block ciphers]]; in Shannon's terms all were [[Block_cipher#Cipher_structures|product ciphers]]. Most used an [[Block_cipher#SP network | SP network]] or [[Block_cipher#Feistel structure | Feistel structure]], or variations of those. Several had [[Block_cipher#Resisting_linear_.26_differential_attacks | proofs of resistance]] to various attacks. | ||
In alphabetical order, the fifteen first round candidates were: | In alphabetical order, the fifteen first round candidates were: | ||
Line 14: | Line 14: | ||
All are described below. | All are described below. | ||
NIST succeeded in rounding up a fine group of suspects; many of the world's best-known cryptographers participated in various design teams and others contributed to analysis of candidates. We provide a table listing some of the [[ | NIST succeeded in rounding up a fine group of suspects; many of the world's best-known cryptographers participated in various design teams and others contributed to analysis of candidates. We provide a table listing some of the [[AES competition/Catalogs/AES_players|major players]] involved. | ||
After much analysis and testing, and two conferences, the field was narrowed to five finalists — [[#Twofish | Twofish]], [[#MARS | MARS]], [[#Serpent | Serpent]], [[#RC6 | RC6]], and [[#AES | Rjindael]]. After another year of analysis and testing focused on the finalists, and another conference with all of the finalist teams giving presentations, they chose a winner. In October 2002, Rijndael was chosen to become the [[Advanced Encryption Standard]] or AES. See [[Block_cipher/External_Links#AES_links | external links]] for the official standard. | After much analysis and testing, and two conferences, the field was narrowed to five finalists — [[#Twofish | Twofish]], [[#MARS | MARS]], [[#Serpent | Serpent]], [[#RC6 | RC6]], and [[#AES | Rjindael]]. After another year of analysis and testing focused on the finalists, and another conference with all of the finalist teams giving presentations, they chose a winner. In October 2002, Rijndael was chosen to become the [[Advanced Encryption Standard]] or AES. See [[Block_cipher/External_Links#AES_links | external links]] for the official standard. | ||
Line 20: | Line 20: | ||
The contest was open and international and extensive work was done on testing and comparing the various candidates. To facilitate this, NIST defined some standard interfaces which everybody used. For almost all candidate ciphers, implementations with these interfaces are readily available; see [[Block_cipher/External_Links#AES_links | external links]]. Many, though not all, of these ciphers have open licenses. This means that anyone implementing AES has the option of adding other ciphers at minimum cost, in particular the other three finalists with open licenses — [[#Twofish | Twofish]], [[#MARS | MARS]], and [[#Serpent | Serpent]]. This gives a cheap insurance policy against the (presumably remote) chance of someone finding a good attack on AES. | The contest was open and international and extensive work was done on testing and comparing the various candidates. To facilitate this, NIST defined some standard interfaces which everybody used. For almost all candidate ciphers, implementations with these interfaces are readily available; see [[Block_cipher/External_Links#AES_links | external links]]. Many, though not all, of these ciphers have open licenses. This means that anyone implementing AES has the option of adding other ciphers at minimum cost, in particular the other three finalists with open licenses — [[#Twofish | Twofish]], [[#MARS | MARS]], and [[#Serpent | Serpent]]. This gives a cheap insurance policy against the (presumably remote) chance of someone finding a good attack on AES. | ||
Because of the [[birthday attack]], a [[cryptographic hash]] needs to provide output of 2n bits to resist attacks as well as a cipher with an n-bit key. NIST has therefore issued standards for the [[SHA-2]] family of hashes — SHA-256, SHA-384 and SHA-512 to match the strength of AES, plus SHA-224 to match the 112-bit strength of [[ | Because of the [[birthday attack]], a [[cryptographic hash]] needs to provide output of <math>2n</math> bits to resist attacks as well as a cipher with an <math>n</math>-bit key. NIST has therefore issued standards for the [[SHA-2]] family of hashes — SHA-256, SHA-384 and SHA-512 to match the strength of AES, plus SHA-224 to match the 112-bit strength of [[Triple DES]]. However, those hashes are all derived from [[SHA]] and weaknesses have been shown in that, so in 2008 NIST started a contest similar to the AES contest to design an [[Advanced Hash Standard]] which can (if it proves necessary) replace SHA-2 as AES replaced DES. | ||
== AES == | == AES == | ||
The [[Advanced Encryption Standard]] or '''AES''' is the algorithm formerly known as '''Rijndael''' (pronounced approximately "rhine doll"). It was designed by two Belgians, Joan Daemen and Vincent Rijmen. | The [[Advanced Encryption Standard]] or '''AES''' is the algorithm formerly known as '''Rijndael''' (pronounced approximately "rhine doll"). It was designed by two Belgians, [[Joan Daemen]] and [[Vincent Rijmen]]. | ||
It is an iterated block cipher, but not a [[ | It is an iterated block cipher, but not a [[Feistel cipher]]; the overall structure is an [[Block_cipher#SP networks | substitution-permutation network]]. Nonlinearity is obtained by mixing operations from different algebraic groups. There are four operations. | ||
Two give confusion: | Two give confusion: | ||
: AddRoundKey: bitwise XOR of 128-bit state and 128-bit round key | : AddRoundKey: bitwise XOR of 128-bit state and 128-bit round key | ||
: SubBytes: run individual bytes through an 8 | : SubBytes: run individual bytes through an 8 by 8 [[S-box]] | ||
The other two give diffusion, treating the 128-bit block as a four by four matrix of bytes: | The other two give diffusion, treating the 128-bit block as a four by four matrix of bytes: | ||
: ShiftRows: cyclicly shift each row by a fixed amount | : ShiftRows: cyclicly shift each row by a fixed amount | ||
Line 39: | Line 39: | ||
The cipher is freely available for any use. See [[Block_cipher/External_Links#AES_links | external links]] for much more information. | The cipher is freely available for any use. See [[Block_cipher/External_Links#AES_links | external links]] for much more information. | ||
== Other finalists == | |||
There were originally fifteen AES candidates, but that was narrowed to five finalists for the second round of analysis. This section covers the four ciphers that made it into the finals but did not win. | There were originally fifteen AES candidates, but that was narrowed to five finalists for the second round of analysis. This section covers the four ciphers that made it into the finals but did not win. | ||
Line 52: | Line 52: | ||
| url = http://www.schneier.com/paper-twofish-paper.html | | url = http://www.schneier.com/paper-twofish-paper.html | ||
| date = 1998}}</ref> | | date = 1998}}</ref> | ||
was an AES finalist cipher from [[Bruce Schneier]]'s company [[Counterpane]]. Except for the name, it has little relationship to [[ | was an AES finalist cipher from [[Bruce Schneier]]'s company [[Counterpane]]. Except for the name, and using key-dependent S-boxes, it has little relationship to Schneier's earlier cipher [[Blowfish (cipher)| Blowfish]]; Twofish was a new design. | ||
Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a 16-round [[#Feistel structure | Feistel cipher]] using four key-dependent 8*8 S-boxes. | Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a 16-round [[#Feistel structure | Feistel cipher]] using four key-dependent 8*8 S-boxes. | ||
Line 62: | Line 62: | ||
=== Serpent === | === Serpent === | ||
[[Serpent (cipher)|Serpent]] was an AES finalist cipher from an international team of well-known researchers — [[Ross Anderson]] (UK), [[Eli Biham]] (Israel), and [[Lars Knudsen]] (Norway). Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. | |||
Serpent is an [[#SP network | SP network]] with 32 rounds. It uses eight 4 by 4 S-boxes, but unlike other ciphers it does not use them all in each round. Instead each round uses eight copies of the same S-box, so that 32-bit computer instructions can do eight 4-bit operations in parallel. Each of the eight S-boxes is used in four different rounds, | Serpent is an [[Block cipher#SP network | SP network]] with 32 rounds. It uses eight 4 by 4 S-boxes, but unlike other ciphers it does not use them all in each round. Instead each round uses eight copies of the same S-box, so that 32-bit computer instructions can do eight 4-bit operations in parallel. Each of the eight S-boxes is used in four different rounds, | ||
The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]]. | The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]]. | ||
Line 70: | Line 70: | ||
=== RC6 === | === RC6 === | ||
[[Rivest ciphers#RC6 | RC6]] was an AES finalist cipher from a team led by [[Ron Rivest]]. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. | |||
Like [[#RC5 | RC5]], RC6 made extensive use of data-dependent rotations. [[RSA | Like [[Rivest ciphers#RC5 | RC5]], RC6 made extensive use of data-dependent rotations. [[RSA Security]] have a page describing both ciphers; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]]. | ||
. | |||
RC6 is the only one of the five finalists which does not have a completely open license; it is still proprietary to [[RSA | RC6 is the only one of the five finalists which does not have a completely open license; it is still proprietary to [[RSA Security]]. | ||
=== MARS === | === MARS === | ||
[[MARS (cipher)|MARS]] was an AES finalist cipher from [[IBM]]. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. | |||
It uses a variant of the [[ | It uses a variant of the [[Feistel cipher | Feistel structure]] which they call a "type 3 Feistel network"; the 128-bit block is treated as four 32-bit sub-blocks; each round uses one sub-block as input and modifies all of the other three sub-blocks. Like RC6, it uses data-dependent rotations. One 9*32 S-box is used; for some operations it is treated as two 8*32 S-boxes. | ||
The cipher is now freely available. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]]. | The cipher is now freely available. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]]. | ||
Line 91: | Line 90: | ||
=== Hasty Pudding === | === Hasty Pudding === | ||
The | The [[Hasty Pudding (cipher)|Hasty Pudding Cipher]] or '''HPC''', from [[Rich Schroeppel]] was, in some ways, the most interesting of the AES candidates. It did not make it into the finals. | ||
Hasty Pudding is a '''variable size block cipher'''; blocks can be any size the application requires. It therefore might be ideal for things like encrypting disk blocks; see [[#Large block ciphers| large block ciphers]]. Also, quoting the home page "Arbitrary sets, such as dates, or the printable subset of ascii, or the 20-bit primes, can be encrypted to themselves." Key size is also variable; any integer number of bits. For AES use, the block size would be fixed at 128 bits and key size at 128, 192 or 256 bits. | Hasty Pudding is a '''variable size block cipher'''; blocks can be any size the application requires. It therefore might be ideal for things like encrypting disk blocks; see [[Block_cipher#Large-block ciphers| large block ciphers]]. Also, quoting the home page "Arbitrary sets, such as dates, or the printable subset of ascii, or the 20-bit primes, can be encrypted to themselves." Key size is also variable; any integer number of bits. For AES use, the block size would be fixed at 128 bits and key size at 128, 192 or 256 bits. | ||
Hasty Pudding is also a [[#Whitening and tweaking| tweakable]] block cipher, though it was designed before that term came into use. What is now called the "tweak" is called "spice" in Hasty Pudding. | Hasty Pudding is also a [[Block_cipher#Whitening and tweaking| tweakable]] block cipher, though it was designed before that term came into use. What is now called the "tweak" is called "spice" in Hasty Pudding. | ||
The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]]. | The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]]. | ||
Line 101: | Line 100: | ||
=== FROG === | === FROG === | ||
[[FROG (cipher)|FROG]] | |||
<ref>{{citation | <ref>{{citation | ||
| title= The FROG Encryption Algorithm | | title= The FROG Encryption Algorithm | ||
Line 109: | Line 108: | ||
was an AES candidate cipher; it did not make it into the finals. | was an AES candidate cipher; it did not make it into the finals. | ||
Like [[ | Like [[Hasty Pudding (cipher)|Hasty Pudding]], FROG is a [[Block cipher#Large-block ciphers| variable size block cipher]] and a rather unorthodox design. It supports block sizes from 8 to 128 bytes and key sizes from 5 to 125 bytes. For AES use, the block size would be fixed at 128 bits and key size at 128, 192 or 256 bits. | ||
FROG introduced a novel design principle. Most block ciphers use round keys as data, thereby making each round different, but each round uses exactly the same sequence of operations. FROG uses data derived from the primary key as a program for an interpreter, so that each round can use a different sequence of operations. Eight rounds are used. Encryption and decryption are fast, but the key schedule is rather slow because it has to build a program for the interpreter. | FROG introduced a novel design principle. Most block ciphers use round keys as data, thereby making each round different, but each round uses exactly the same sequence of operations. FROG uses data derived from the primary key as a program for an interpreter, so that each round can use a different sequence of operations. Eight rounds are used. Encryption and decryption are fast, but the key schedule is rather slow because it has to build a program for the interpreter. | ||
Line 122: | Line 121: | ||
}}</ref>. | }}</ref>. | ||
== | == Theory-based candidates == | ||
All the candidate designs took account of research in [[cryptanalysis]] and [[cryptography]], | |||
and many had proofs of resistance to various attacks, | |||
However, two had exceptionally direct links to theory. Both were designed based on | |||
research work, by the people who did the research, and both had proofs of resistance | |||
to both [[differential cryptanalysis]] and [[linear cryptanalysis]]. | |||
=== CAST 256 === | === CAST-256 === | ||
[[CAST (cipher)#CAST-256|CAST-256]] | |||
<ref>{{citation | <ref>{{citation | ||
| id=RFC2612 | | id=RFC2612 | ||
Line 138: | Line 142: | ||
was an AES candidate cipher from a Canadian team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. | was an AES candidate cipher from a Canadian team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. | ||
It is a Feistel-like cipher extended to four 32-bit sub-blocks instead of the two sub-blocks used in CAST-128 for 64-bit blocks. In the terms used by the MARS team, it is a "type one Feistel network"; each round takes one 32-bit sub-block as input and alters one 32-bit sub-block; 48 rounds are used. The F function and S-boxes are from [[#CAST-128 | CAST-128]]. | It is a Feistel-like cipher extended to four 32-bit sub-blocks instead of the two sub-blocks used in CAST-128 for 64-bit blocks. In the terms used by the MARS team, it is a "type one Feistel network"; each round takes one 32-bit sub-block as input and alters one 32-bit sub-block; 48 rounds are used. The F function and S-boxes are from [[CAST (cipher)#CAST-128 | CAST-128]]. | ||
It is freely available for any use. There is an RFC describing it; see [[Block_cipher/External_Links#RFCs_for_block_ciphers|external links]]. | It is freely available for any use. There is an RFC describing it; see [[Block_cipher/External_Links#RFCs_for_block_ciphers|external links]]. | ||
=== CRYPTON === | === DFC === | ||
[[DFC (cipher)|DFC]] or '''De-correlated Fast Cipher''' | |||
<ref>{{citation | |||
| author= H. Gilbert, M. Girault, P. Hoogvorst, F. Noilhan, T. Pornin, G. Poupard, J. Stern, S. Vaudenay | |||
| title= Decorrelated Fast Cipher: an AES candidate | |||
| date= May 1998 | |||
| url = http://citeseer.ist.psu.edu/gilbert98decorrelated.html | |||
}}</ref> | |||
<ref>{{citation | |||
| author = Louis Granboulan, Phong Q. Nguyen, Fabrice Noilhan, Serge Vaudenay | |||
| title = DFCv2 | |||
| booktitle = Selected Areas in Cryptography, SAC 2000 | |||
| pages = 57-71 | |||
| publisher = Springer-Verlag | |||
| date = 2000 | |||
| url = http://citeseer.ist.psu.edu/granboulan00dfcv.html | |||
}}</ref> | |||
was an AES candidate cipher from a French team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a six-round Feistel cipher using a single 6 by 32 S-box. | |||
This cipher was based on [[Serge Vaudenay]]'s theoretical work on [[decorrelation theory]]. That theory gives methods of constructing ciphers which are provably immune to [[differential cryptanalysis]], [[linear cryptanalysis]], and any other attacks that meet some fairly broad assumptions. | |||
However, some attacks on DFC were found by going outside those assumptions, [[Cryptanalysis#Side_channel_attacks|timing attack]]s on some implementations | |||
<ref>{{citation | |||
| author = Ian Harvey | |||
| date = March 1999 | |||
| title = The DFC Cipher: An Attack on Careless Implementations | |||
| conference = Second AES Candidate Conference | |||
| url = http://csrc.nist.gov/archive/aes/round1/conf2/papers/harvey.pdf | |||
| doi = 10.1.1.42.3196 | |||
}}</ref> | |||
and a more general attack using a variant of differential analysis | |||
<ref>{{citation | |||
| author = Lars Knudsen & Vincent Rijmen | |||
| title = On the Decorrelated Fast Cipher (DFC) and Its Theory | |||
| booktitle = 6th International Workshop on [[Fast Software Encryption]] (FSE '99) | |||
| pages = pp.81–94 | |||
| publisher = Springer-Verlag | |||
| date - March 1999 | |||
| url = http://www.cosic.esat.kuleuven.be/publications/article-367.ps | |||
}}</ref>. | |||
== Other AES candidates == | |||
This section covers the other ciphers that were proposed as AES candidates but not chosen for consideration in the final round. | |||
=== [[CRYPTON (cipher)|CRYPTON]] === | |||
'''CRYPTON''' | '''CRYPTON''' | ||
<ref>{{citation | <ref>{{citation | ||
Line 160: | Line 209: | ||
=== DEAL === | === DEAL === | ||
'''DEAL''', the '''Data Encryption Algorithm with Larger blocks''' | '''DEAL''', the '''Data Encryption Algorithm with Larger blocks''' | ||
was an AES candidate cipher; it did not make it into the finals. | was an AES candidate cipher; it did not make it into the finals. No-one really expected it to; it was entered mainly to provide a baseline for comparison to other ciphers. DEAL has approximately the overheads of [[Triple DES]], making it too slow to be a competitive candidate for AES. | ||
DEAL | DEAL was originally proposed | ||
<ref>{{citation | <ref>{{citation | ||
| title = DEAL - A 128-bit Block Cipher | | title = DEAL - A 128-bit Block Cipher | ||
Line 170: | Line 219: | ||
by [[Lars Knudsen]], but the AES submission was from [[Richard Outerbridge]]. Knudsen was a member of the [[#Serpent|Serpent]] team for AES. | by [[Lars Knudsen]], but the AES submission was from [[Richard Outerbridge]]. Knudsen was a member of the [[#Serpent|Serpent]] team for AES. | ||
DEAL | DEAL is a Feistel cipher using [[Data Encryption Standard|DES]] as the F function. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. Six rounds were used with a 128-bit or 192-bit key and 8 rounds with a 256-bit key. | ||
There were some [[cryptanalytic]] results | |||
<ref>{{citation | <ref>{{citation | ||
| author = John Kelsey & Bruce Schneier | | author = John Kelsey & Bruce Schneier | ||
Line 189: | Line 240: | ||
against the cipher. | against the cipher. | ||
=== | === [[E2 (cipher)|E2]] === | ||
'''E2''' was an AES candidate cipher from [[Nippon Telephone and Telegraph]]; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a 12-round Feistel network using a single 8 by 8 S-box. | '''E2''' was an AES candidate cipher from [[Nippon Telephone and Telegraph]]; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a 12-round Feistel network using a single 8 by 8 S-box. | ||
Line 244: | Line 254: | ||
}}</ref>. | }}</ref>. | ||
[[ | [[Camellia (cipher)|Camellia]] shares some design features with E2 and has largely replaced it. | ||
=== LOKI97 === | === LOKI97 === | ||
'''LOKI97''' was an AES candidate cipher from an Australian group; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. LOKI97 is one of | '''LOKI97''' was an AES candidate cipher from an Australian group; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. LOKI97 is one of several [[LOKI (cipher)|LOKI]] ciphers designed by the same group. It is a 16-round [[Feistel cipher]] with an F function that is basically two rounds of an [[SP network]]. This contrasts with [[Data Encryption Standard|DES]] where the F function is a single SP round. | ||
The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]]. | The cipher is freely available for any use. It has a home page; see [[Block_cipher/External_Links#Homepages_for_block_ciphers | external links]]. | ||
=== MAGENTA === | === MAGENTA === | ||
'''MAGENTA''' or '''Multifunctional Algorithm for General-purpose Encryption and Network Telecommunication Applications''' was [[Deutsche Telekom]]'s entry in the AES competition. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a Feistel cipher with six or eight rounds. | '''MAGENTA''' or '''Multifunctional Algorithm for General-purpose Encryption and Network Telecommunication Applications''' was [[Deutsche Telekom]]'s entry in the AES competition. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a [[Feistel cipher]] with six or eight rounds. | ||
MAGENTA | MAGENTA | ||
Line 270: | Line 280: | ||
was presented at the second AES conference. The attackers included members of both the Twofish and Serpent teams, plus others. | was presented at the second AES conference. The attackers included members of both the Twofish and Serpent teams, plus others. | ||
=== | === SAFER+ === | ||
''' | '''SAFER+''' was an AES candidate cipher; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is an SP network using two S-boxes. 8 rounds are used with a 128-bit key, 12 for a 192-bit key, and 15 for a 256-bit key. | ||
Safer+ is one of a family of [[SAFER]] or '''Secure and Fast Encryption Routine''' ciphers designed by [[James Massey]] and co-workers for [[Cylink]] Corporation. All of these ciphers are unpatented and freely available for any use. There have been published attacks on some of them, but later versions have modifications to block those attacks. | Safer+ is one of a family of [[SAFER (cipher)|SAFER]] or '''Secure and Fast Encryption Routine''' ciphers designed by [[James Massey]] and co-workers for [[Cylink]] Corporation. All of these ciphers are unpatented and freely available for any use. There have been published attacks on some of them, but later versions have modifications to block those attacks. | ||
== References == | == References == | ||
{{reflist|2}} | {{reflist|2}}[[Category:Suggestion Bot Tag]] |
Latest revision as of 11:00, 4 July 2024
This article may be deleted soon. | ||
---|---|---|
Starting in the late 90s, the US National Institute of Standards and Technology (NIST) ran a contest to find a block cipher to replace the Data Encryption Standard, DES. The winning cipher, previously known as Rijndael became the Advanced Encryption Standard, AES. DES had become obsolete because its 56-bit key size was inadequate to resist brute force attacks, given modern technology. The entire process was completely open; even their requirements document was published and comment or criticism invited before a final version was written, and all of the later work toward the choice of a standard was public as well. The whole process was widely praised by cryptographers as a fine example of taking Kerckhoffs' Principle into account. This was in sharp contrast to some of the criticisms that had been made of the secrecy in the DES standardisation process which was run by NIST's ancestor, the National Bureau of Standards. The final requirements specified a block cipher with 128-bit block size and support for 128, 192 or 256-bit key sizes. Evaluation criteria included security, performance on a range of platforms from 8-bit CPUs (e.g. in smart cards) up, and ease of implementation in both software and hardware. Fifteen submissions meeting basic criteria were received, not just from the US but from many other countries as well. All of the entries were iterated block ciphers; in Shannon's terms all were product ciphers. Most used an SP network or Feistel structure, or variations of those. Several had proofs of resistance to various attacks. In alphabetical order, the fifteen first round candidates were:
All are described below. NIST succeeded in rounding up a fine group of suspects; many of the world's best-known cryptographers participated in various design teams and others contributed to analysis of candidates. We provide a table listing some of the major players involved. After much analysis and testing, and two conferences, the field was narrowed to five finalists — Twofish, MARS, Serpent, RC6, and Rjindael. After another year of analysis and testing focused on the finalists, and another conference with all of the finalist teams giving presentations, they chose a winner. In October 2002, Rijndael was chosen to become the Advanced Encryption Standard or AES. See external links for the official standard. The contest was open and international and extensive work was done on testing and comparing the various candidates. To facilitate this, NIST defined some standard interfaces which everybody used. For almost all candidate ciphers, implementations with these interfaces are readily available; see external links. Many, though not all, of these ciphers have open licenses. This means that anyone implementing AES has the option of adding other ciphers at minimum cost, in particular the other three finalists with open licenses — Twofish, MARS, and Serpent. This gives a cheap insurance policy against the (presumably remote) chance of someone finding a good attack on AES. Because of the birthday attack, a cryptographic hash needs to provide output of bits to resist attacks as well as a cipher with an -bit key. NIST has therefore issued standards for the SHA-2 family of hashes — SHA-256, SHA-384 and SHA-512 to match the strength of AES, plus SHA-224 to match the 112-bit strength of Triple DES. However, those hashes are all derived from SHA and weaknesses have been shown in that, so in 2008 NIST started a contest similar to the AES contest to design an Advanced Hash Standard which can (if it proves necessary) replace SHA-2 as AES replaced DES. AESThe Advanced Encryption Standard or AES is the algorithm formerly known as Rijndael (pronounced approximately "rhine doll"). It was designed by two Belgians, Joan Daemen and Vincent Rijmen. It is an iterated block cipher, but not a Feistel cipher; the overall structure is an substitution-permutation network. Nonlinearity is obtained by mixing operations from different algebraic groups. There are four operations. Two give confusion:
The other two give diffusion, treating the 128-bit block as a four by four matrix of bytes:
It encrypts 128-bit blocks with a 128, 192 or 256-bit key. The number of rounds varies with key size: 10 for 128-bit keys, 12 for 192-bit keys and 14 for 256-bit keys. The numbers of rounds were chosen based on an analysis showing that they are enough to give resistance to linear cryptanalysis and differential cryptanalysis. The cipher is freely available for any use. See external links for much more information. Other finalistsThere were originally fifteen AES candidates, but that was narrowed to five finalists for the second round of analysis. This section covers the four ciphers that made it into the finals but did not win. TwofishTwofish [1] was an AES finalist cipher from Bruce Schneier's company Counterpane. Except for the name, and using key-dependent S-boxes, it has little relationship to Schneier's earlier cipher Blowfish; Twofish was a new design. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a 16-round Feistel cipher using four key-dependent 8*8 S-boxes. The cipher is freely available for any use. It has a home page; see external links. It has a successor named "Threefish", used in the Skein hash algorithm, a candidate in the Advanced Hash Standard contest. SerpentSerpent was an AES finalist cipher from an international team of well-known researchers — Ross Anderson (UK), Eli Biham (Israel), and Lars Knudsen (Norway). Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. Serpent is an SP network with 32 rounds. It uses eight 4 by 4 S-boxes, but unlike other ciphers it does not use them all in each round. Instead each round uses eight copies of the same S-box, so that 32-bit computer instructions can do eight 4-bit operations in parallel. Each of the eight S-boxes is used in four different rounds, The cipher is freely available for any use. It has a home page; see external links. RC6RC6 was an AES finalist cipher from a team led by Ron Rivest. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. Like RC5, RC6 made extensive use of data-dependent rotations. RSA Security have a page describing both ciphers; see external links. RC6 is the only one of the five finalists which does not have a completely open license; it is still proprietary to RSA Security. MARSMARS was an AES finalist cipher from IBM. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It uses a variant of the Feistel structure which they call a "type 3 Feistel network"; the 128-bit block is treated as four 32-bit sub-blocks; each round uses one sub-block as input and modifies all of the other three sub-blocks. Like RC6, it uses data-dependent rotations. One 9*32 S-box is used; for some operations it is treated as two 8*32 S-boxes. The cipher is now freely available. It has a home page; see external links. Unconventional AES candidatesThis section covers two AES candidate ciphers that introduced new design ideas. Neither was chosen for consideration in the final round. Hasty PuddingThe Hasty Pudding Cipher or HPC, from Rich Schroeppel was, in some ways, the most interesting of the AES candidates. It did not make it into the finals. Hasty Pudding is a variable size block cipher; blocks can be any size the application requires. It therefore might be ideal for things like encrypting disk blocks; see large block ciphers. Also, quoting the home page "Arbitrary sets, such as dates, or the printable subset of ascii, or the 20-bit primes, can be encrypted to themselves." Key size is also variable; any integer number of bits. For AES use, the block size would be fixed at 128 bits and key size at 128, 192 or 256 bits. Hasty Pudding is also a tweakable block cipher, though it was designed before that term came into use. What is now called the "tweak" is called "spice" in Hasty Pudding. The cipher is freely available for any use. It has a home page; see external links. FROGFROG [2] was an AES candidate cipher; it did not make it into the finals. Like Hasty Pudding, FROG is a variable size block cipher and a rather unorthodox design. It supports block sizes from 8 to 128 bytes and key sizes from 5 to 125 bytes. For AES use, the block size would be fixed at 128 bits and key size at 128, 192 or 256 bits. FROG introduced a novel design principle. Most block ciphers use round keys as data, thereby making each round different, but each round uses exactly the same sequence of operations. FROG uses data derived from the primary key as a program for an interpreter, so that each round can use a different sequence of operations. Eight rounds are used. Encryption and decryption are fast, but the key schedule is rather slow because it has to build a program for the interpreter. While it was generally agreed that FROG was an interesting bit of work, it was found to have some weaknesses [3]. Theory-based candidatesAll the candidate designs took account of research in cryptanalysis and cryptography, and many had proofs of resistance to various attacks, However, two had exceptionally direct links to theory. Both were designed based on research work, by the people who did the research, and both had proofs of resistance to both differential cryptanalysis and linear cryptanalysis. CAST-256CAST-256 [4] was an AES candidate cipher from a Canadian team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a Feistel-like cipher extended to four 32-bit sub-blocks instead of the two sub-blocks used in CAST-128 for 64-bit blocks. In the terms used by the MARS team, it is a "type one Feistel network"; each round takes one 32-bit sub-block as input and alters one 32-bit sub-block; 48 rounds are used. The F function and S-boxes are from CAST-128. It is freely available for any use. There is an RFC describing it; see external links. DFCDFC or De-correlated Fast Cipher [5] [6] was an AES candidate cipher from a French team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a six-round Feistel cipher using a single 6 by 32 S-box. This cipher was based on Serge Vaudenay's theoretical work on decorrelation theory. That theory gives methods of constructing ciphers which are provably immune to differential cryptanalysis, linear cryptanalysis, and any other attacks that meet some fairly broad assumptions. However, some attacks on DFC were found by going outside those assumptions, timing attacks on some implementations [7] and a more general attack using a variant of differential analysis [8]. Other AES candidatesThis section covers the other ciphers that were proposed as AES candidates but not chosen for consideration in the final round. CRYPTONCRYPTON [9] [10] was an AES candidate cipher from a Korean team; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. CRYPTON uses an SP network with 12 rounds, does byte-level substitutions, and for some operations treats the 128-bit text as a four-by-four array of bytes. Overall, the design is rather similar to AES though some of the operations are different. DEALDEAL, the Data Encryption Algorithm with Larger blocks was an AES candidate cipher; it did not make it into the finals. No-one really expected it to; it was entered mainly to provide a baseline for comparison to other ciphers. DEAL has approximately the overheads of Triple DES, making it too slow to be a competitive candidate for AES. DEAL was originally proposed [11] by Lars Knudsen, but the AES submission was from Richard Outerbridge. Knudsen was a member of the Serpent team for AES. DEAL is a Feistel cipher using DES as the F function. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. Six rounds were used with a 128-bit or 192-bit key and 8 rounds with a 256-bit key. There were some cryptanalytic results [12] [13] against the cipher. E2E2 was an AES candidate cipher from Nippon Telephone and Telegraph; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a 12-round Feistel network using a single 8 by 8 S-box. There has been no published cryptanalysis of the full E2, but there is an attack on a reduced-round version [14]. Camellia shares some design features with E2 and has largely replaced it. LOKI97LOKI97 was an AES candidate cipher from an Australian group; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. LOKI97 is one of several LOKI ciphers designed by the same group. It is a 16-round Feistel cipher with an F function that is basically two rounds of an SP network. This contrasts with DES where the F function is a single SP round. The cipher is freely available for any use. It has a home page; see external links. MAGENTAMAGENTA or Multifunctional Algorithm for General-purpose Encryption and Network Telecommunication Applications was Deutsche Telekom's entry in the AES competition. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is a Feistel cipher with six or eight rounds. MAGENTA [15] is often cited as an example of Kerckhoffs' Principle, a demonstration of why unpublished and therefore unanalysed ciphers cannot be trusted. Of the 15 AES candidates, 14 were made public before the first AES conference. The MAGENTA team were the one exception; they made nothing public until their conference presentation. That presentation was given one morning, to an audience that included many of the world's top cryptographers. Some saw flaws, and there was intense discussion over lunch. By that evening, a draft paper on breaking the cipher was circulating and the final version [16] was presented at the second AES conference. The attackers included members of both the Twofish and Serpent teams, plus others. SAFER+SAFER+ was an AES candidate cipher; it did not make it into the finals. Like all AES candidates, it uses 128-bit blocks and supports key sizes of 128, 192 or 256 bits. It is an SP network using two S-boxes. 8 rounds are used with a 128-bit key, 12 for a 192-bit key, and 15 for a 256-bit key. Safer+ is one of a family of SAFER or Secure and Fast Encryption Routine ciphers designed by James Massey and co-workers for Cylink Corporation. All of these ciphers are unpatented and freely available for any use. There have been published attacks on some of them, but later versions have modifications to block those attacks. References
|