A Software-Optimized Encryption Algorithm - DocsLib

sign in sign up

<<

Home , SEAL (cipher)

To app ear in J of CryptologyFull version of Last revised Septemb er

A SoftwareOptimized Encryption Algorithm

Phillip Rogaway and Don Copp ersmith

Department of Computer Science Engineering I I Buildin g University of California

Davis CA USA rogawaycsucdavisedu

IBM TJ Watson ResearchCenter PO Box Yorktown Heights NY

USA copp erwatsonibmcom

Abstract We describ e a softwareecient encryption algorithm named

SEAL Computational cost on a mo dern bit pro cessor is ab out

clo ck cycles p er byte of text The cipher is a pseudorandom function

family under control of a key rst prepro cessed into an internal table

it stretches a bit p osition index into a long pseudorandom string

This string can b e used as the keystream of a Vernam cipher

Key words Cryptography Encryption Fast encryption Pseudoran

dom function family Software encryption Stream cipher

Intro duction

Encrypting Fast In Software Encryption must often b e p erformed at high

data rates a requirement sometimes met with the help of supp orting crypto

graphic hardware Unfortunately cryptographic hardware is often absent and

data condentiality is sacriced b ecause the cost of software cryptographyis

deemed to b e excessive

The computational cost of software cryptography is a function of the under

y of its implementation But regardless of imple lying algorithm and the qualit

mentation a cryptographic algorithm designed to run well in hardware will not

p erform in software as well as an algorithm optimized for software execution

The hardwareoriented Data Encryption Algorithm DES is no exception Of

ten what is needed is a welldesigned softwareoptimized encryption metho d for

to days general purp ose computers

To this end wehave designed SEAL Software Encryption Algorithm SEAL

is a pseudorandom function family under control of a key rst prepro cesse d

into a set of tables SEAL stretches a bit p osition index into a keystream of

essentially arbitrary length One then encrypts byXORing this keystream with

the plaintext in the manner of a Vernam cipher As with anyVernam cipher it

is imp erative that the keystream only b e used once

On a mo dern bit pro cessor SEAL can encrypt messages at a rate of ab out

clo ck cycles p er byte of text In comparison the DES algorithm is more than

times as exp ensive Even a Cyclic Redundancy Co de CRC is more costly

Related Work We are not the rst to realize the value of softwareoptimized

cryptography In Merkle describ ed the utilityofsoftwareoriented cryptog

raphy and he prop osed a suite of three softwareecient algorithms One of

them called Khufuisablock cipher which is similar in spirit to SEAL

An earlier softwareoriented blo ck cipher than Khufu is FEAL But this

algorithm and its variants have not proven to b e particularly secure see for

history and attacks Nor is it all that fast

RC is a p opular softwareecient stream cipher designed byRivest

It is fast though less fast than SEALRC is a softwareecient blo ck cipher

It to o was designed by Rivest Some other softwareecient ciphers include

BlowshandWAKE

History And Naming The full name of the cipher describ ed in this pap er

is SEAL An earlier version of this cipher was describ ed in and

denoted SEAL Though SEAL is the rst mo dication to SEAL which

the authors have describ ed a variantknown as SEAL had already app eared

SEAL apart from using NISTs revised in the literature it was identical to

Secure Hash Algorithm SHA instead of the original one SHA While

SEAL retains that change the more signicant adjustment is resp onsiveto

an attackby Handschuh and Gilb ert See Section for further information

on their attack and the dierences b etween SEAL and SEAL

In this pap er the name SEALby itself always refers to SEAL

Characteristics of the Cipher

Key characteristics and design choices of SEAL are explained b elow

Preprocessing The Key In typical applications requiring fast software cryp

tography data encryption is required over the course of a communication session

to a remote partner or over the course of a login session to a particular machine

In either case the key a which protects the session is determined at session setup

Typically this session setup takes at least a few milliseconds and is not a time

critical op eration It is therefore acceptable in most applications to sp end some

numberofmilliseconds to map the short key a to a less concise representation

of the cryptographic transformation sp ecialized to this key Our cipher has this

characteristic As such SEAL is an inappropriate choice for applications which

require rapid keysetup

LengthIncreasing Pseudorandom Function Variable Output And

Key Lengths The function SEAL is a typ e of cryptographic ob ject called a

pseudorandom function family PRF Such ob jects were rst dened in SEAL

is a lengthincreasing PRF under control of a bit key a SEAL maps a bit

string n to an Lbit string SEALa n L The number L can b e made as large or

as small as is needed for a target application but output lengths ranging from

a few bytes to a few thousand bytes are anticipated An arbitrary length key a

can b e used as the key for SEAL simply by selecting a SHAa

As a pseudorandom function family SEALa L should lo ok like a random

function if a is random and unknown The meaning of this is as follows First a

key a is taken at random from f g Next the adversary is given at random

either a blackb ox for the function SEALa L or else a blackb ox for a truly

random function R Either maps bits to L bits The adversarys job is to

guess whichtyp e of b ox she has Say that the adversary wins if she correctly

guesses Random or Pseudorandom Our goal is that for any reasonable

adversary she should not win with probability signicantly greater than

Though we will not attempt to dene reasonable or signicant weaimto

defeat adversaries with substantial computational resources and cleverness

A PRF can b e used to make a go o d stream cipher In a stream cipher the

encryption of a message dep ends not only on the key a and the message x but

also on the messages p osition n in the data stream This p osition is often a

counter sequence numb er which indicates which message is b eing enciphered

The encryption of string x at p osition n is given by hn x SEALa n Li where

L jxj In other applications n might indicate the address of a piece of data on

disk

Target Platforms Execution vehicles that should run the algorithm well in

TM TM TM

clude the Intel Intel Pentium pro cessors and contemp orary bit

RISC machines Because of the particular challenges involved in having a cipher

run well on the Pentium and b ecause of the p ervasiveness of this pro

cessor familywehave optimized our cipher with the characteristics of this pro

cessor family particularly in mind By doing well on these diculttooptimizefor

vehicles weexpecttodowell on any mo dern bit pro cessor

Some of the relevant limitations of the Pentium are a small register

set a twoop erand instruction architecture and a small rst level cache Here

is some further detail whichwas imp ortant in design choices These pro cessors

have general registers including the register normally used as a stackpointer

Most instructions work on two op erands A A op B instead of three A

B op C The has an KByte onchip cache for data and instructions while

entium has an KByte data cache and an KByte instruction cache the P

Cache misses can b e exp ensive The and Pentium pro cessors use a stage

instruction pip eline and if the base register for an address calculation is the

destination register of the preceding instruction an extra cycle will b e consumed

The Pentium pro cessor has dual instruction pip es one of whichrunsavery

limited instruction set It was not a design goal for the cipher to exhibit an

instruction dep endency structure whichwould allowustoalways ll b oth pip es

TableDriven Cipher One early decision was whether to make the cipher

a straightline program of logical op erations like MD or SHA or

to drive it instead by the use of a large table likeKhufu or a software DES

instead The tabledriven approachwas selected b ecause wefeltthatitwould

lead to a faster and easiertodesign cipher With the tabledriven algorithm we

could get very rapid diusion and there would b e less temptation to pro duce a

cipher whose most ecient implementation used selfmo difying co de

In view of the size of the rstlevel cache and the fact that servers maywant

to store in secondlevel cache the representation of the encryption transformation

of tens of clients it was decided that we should not b e to o generous with the

size of the tables that we used Wewould settle on a total size for all tables of

KBytes

pro cedure Initializen A B C D n n n n

A n R

B n iii R

C n iii R

D n iii R

for j to do

P A xfc B B T P A A iii

P B xfc C C T P B B iii

P C xfc D D T P C C iii

P D xfc A A T P D D iii

n n n n D B A C

P A xfc B B T P A A iii

P B xfc C C T P B B iii

P C xfc D D T P C C iii

P D xfc A A T P D D iii

Fig Initializati on of A B C D n n n n from n This initiali zatio n de

pends on aderived tables T and R

Denition of the Cipher

Notation We call a bit string a word and an bit string a byte The

empty string is denoted We write numb ers in hexadecimal by preceding them

with x and then using the symb ols af to represent decimal numb ers

resp ectivelyByy iii t we denote a right circular shift of the word y by t

bits in other words the ith bit of y iii t is y Similarly y hhh t denotes

itmod

a left circular shift of y by t bits By andwe denote bitwise AND

A we denote the complementof ABy A B we denote OR and XOR by

the sum ignoring the carry of the unsigned integers A and B this is the sum

mo d of numbers A and B Bykwe denote the concatenation op erator By

odd we mean the predicate which is true if and only if its argumentisanodd

number

function SEALa n L

y

for to do

Initializen A B C D n n n n

for i to do

P A xfc B B T P A A iii B B A

Q B xfc C C T Q B B iii C C B

P P C xfc D D T P C C iii D D C

Q Q D xfc A A T Q D D iii A A D

P P A xfc B B T P A A iii

Q Q B xfc C C T Q B B iii

P P C xfc D D T P C C iii

Q Q D xfc A A T Q D D iii

y y k B S i k C S i k D S i k A S i

if jy j L then return y y y

L

if odd i then A B C D A n B n C n D n

else A B C D A n B n C n D n

Fig Cipher mapping bit p osition index n to Lbit string SEALa n L under the

control of aderived tables T Rand S

Output Length Recall that we think of SEAL as pro ducing variablelength

output Let L be the numb er of output bits desired We assume a large b ound

on Lsay L So at most KBytes may b e pro duced p er index

Mapping The Key To The Tables Our rst task is to sp ecify the tables

T R and S all of which dep end only on the key aThekey a is used only to

dene these three tables

We sp ecify the tables using a function GFor a a bit string and i an

integer i G i is a bit value The function G is just the com

a

pression function of the Secure Hash Algorithm SHA For completeness

its denition is given in App endix A

Let us reindex G to construct a function whose images are bit words

i

y iH where instead of bit ones The function is dened b

a

i mo d

j j j j j

H kH kH kH kH G j for j bic

a

Thus a table of values is exactly a table for Gvalues read lefttoright

toptob ottom

Nowdene

T i i for all i

a

S j x j for all j and

a

k Rk x k for all

a

Four words of the array R are required for each kilobyte or fraction of a kilobyte

of SEALa n L Thus if one has a b ound L on the maximal p ossible value

max

of L then it is adequate to compute Rk for kdL eFor the

max

maximal p ermitted output length of KBytes one needs to calculate the SHA

compression function times

The Pseudorandom Function Given the number L the tables T Rand

S determined by a and a bit p osition index n the algorithm of Figure

stretches n to an Lbit pseudorandom string y

The algorithm uses a routine Initialize which using tables T and R maps n

and to the words A B C D n n n n That pro cedure is given in Figure

The outer lo op of Figure is to b e broken by line when enough output

bits have b een collected

Terminology For purp oses of subsequent discourse a round refers to the

execution of any one of lines in Figure while an iteration is the execution

of all of the lines asso ciated to a given value of iThus there are eight

rounds in each iteration

Explanations and Design Heuristics

Some of the structure of SEAL maybemadelessmysterious by the general

explanations of this section and the sp ecic attacks of Section The following

general heuristics were employed

Using a large secret keyderived Sb ox the KByte table T

Alternating arithmetic op erations which dont commute addition mo d

and bitwise XOR

Using internal state maintained by the cipher and not directly manifest in

the output data stream the registers n n n n

Using simple wellknown metho ds where adequate using SHA to gen

erate the tables

Somewhat more sp ecic heuristics

Varying the round function according to the round numb er eg alternat

ing use of P and Q

Varying the iteration function according to the iteration numb er eg

n n orn n in line and S values asso ciated to the iteration

The attention to the parity of the round and iteration number may help against

hplay o successive rounds or successive iterations attacks whic

Details of the metho d used to pro duce the tables T R and S the use of

SHA the indexing metho d etc are not b elieved to b e particularly imp or

tant we think of these tables as random no design rules are built into their

construction and we exp ect that any go o d pseudorandom generator applied to

the key should work ne

Details of the function Initialize are b elieved to b e of secondary imp ortance

Wewant A B C D n n n and n to b e unpredictable functions n

Each of the nal instruction on lines helps to diuse information in A B

C and D An earlier version of the cipher made analogous register mo dications

in lines but the statements would seem to havelessvalue there and so they

were removed to save cost

Some p erformancerelated explanations are given b elow

The divisions by are not to b e implemented by divisions or shifts we

are simply indexing into T in units of bytes instead of words This is more

ecient on some platforms whichmay p enalize for scaling word osets

and no less ecientonany platform we considered In a highlevel language

these divisions might b e implemented as a cast

On all pro cessors we know of there is no p erformance dierence b etween

using addition and XOR and so there is no p erformance reason to favor

the latter

On our target twoop erand machine architectures it is the same cost to

compute P P A xfc and then fetch T P as it would b e to fetch

T A xfc This is b ecause the computation of T A xfc to

preserve Amust b egin bymoving A into a temp orary register That move

is the same cost as adding A to register P

The state of P and Q is not maintained across iterations simply b ecause

machines with only registers will need to use the registers holding P

and Q at the end of the iteration Wedidnotwant to sp end the extra

cycles to write P and Q to memory and then read them back

Op erations are arranged so that in the clo ck cycle immediately following

a table lo okup there is always something worthwhile to do whichdoesnot

dep end on the value which is retrieved

Design Pro cess

A brief description of the design pro cess which has led to SEAL may b e considered

relevantorinteresting to some

SEAL The pro ject b egan in the summer of in resp onse to the p erception

of increasing customer needs for softwareecient cryptography Goals of the

design were rst enumerated in a presentation of Octob er Goals evolved as

e learned more there was never any xed or formal statement of requirements w

Merkles cipher Khufu was identied as the most relevant prior art Wechose

it as our starting p oint and searched for ways that would lead to something even

faster

A design philosophy emerged We thought it b etter to do exceptionally well

in environments having a particular set of minimal environmental characteristics

than to do reasonably well across a wider range of environments Our chosen

set of op erating characteristics b ecame a bit machine with at least eight

general purp ose registers a cache of at least KBytes and a usage scenario

which partitions encryption into a p erformance noncritical key setup followed

by rep eated and p erformancecritical encipherment of a reasonably large number

of bytes

We didnt care ab out the syntactic avor of the cipher wewould pro duce

even whether it was a blo ck cipher or something else seemed irrelevant except

insofar as this might inuence the ciphers sp eed

The rst suggestion March was for a blo ck cipher but so on wedevel

op ed a basic structure for a pseudorandom function family whichwas going

to b e faster This structure consisted of having four registers A B C D each

of whichwould mo dify a neighb oring register as a result of a single lo okup in

akeyderived table After some number of such register mo dications wewould

p eel o the currentvalue of the four registers and app end them to the growing

keystream This pro cess would then b e rep eated

A total of nine designs were considered b etween March and Octob er

Each revision was aimed to improve sp eed or p erceived strength Rogaway

would prepare a sp ecication and Copp ersmith would attack it Attacks were

considered far enough to makeclearwhatwas their main idea not to assess

their exact ecacyRogawaywould then study the attack try to identify some

essential weakness it exploited and then mo dify the cipher without decreasing

its sp eed to try to foil any similar cleverness

The inner lo op Figure was the sub ject of almost all of our eort Very

little attention was paid to Initialize Figure or to the table generation metho d

The design progressed entirely on pap er No statistical tests or other exp eri

ments were p erformed during the design of the cipher Our prop osal SEAL

was rst describ ed in Decemb er

SEAL In Handschuh and Gilb ert describ ed an attack on a simplied

version of SEAL and an attackonSEAL itself They require ab out

samples eachwords long to distinguish SEAL from a random function

Their attack is resp onsible for the main change b etween SEAL and SEAL

That change requires the use of two new XORs for each words of output as

wenow explain

Refer to Line of Figure The corresp onding line in SEAL had b een if

odd i then A C A n C n else A C A n C n Now

we mo dify all four registers A B C D instead of just the two registers A C

This b etter obscures relationships b etween the A B C D and A B C D

values of successive iterations Without the change there is a useful prop erty

on D C D saywhich do es not dep end on anyofn n n n see Un

published predecessors of SEAL resembled SEAL in mo difying eachof

A B C D at the end of an iteration removing the mo dications to B and D

was a p o orlychosen optimization

The other dierence b etween SEAL and SEAL is that in SEAL and

SEAL table generation uses SHA in lieu of the older SHA

Statistical Tests In resp onse to a referees request we sub jected SEAL to a

battery of statistical tests develop ed by Marsaglia We computed the MByte

string y SEALa LkSEALa LkkSEALa L for a xed key a

and L ie bytes None of the tests in revealed statistical

anomalies in y In a second exp erimentwe computed the MByte string

z SEALa LkSEALa LkkSEALa L where L

ie KBytes Again none of the tests revealed statistical anomalies in z

IllustrativeAttacks

This section illustrates some attack ideas whichwere imp ortantto SEALs evo

lution We describ e three attacks on a simplied version of our cipher This

simplied cipher WEAKisshow in Figure

function WEAKa n

y

Initialize n ABCD

a

for i to do

P A xf f B B T P A A iii B B A

P B xf f C C T P B B iii C C B

P C xf f D D T P C C iii D D C

A T P D D iii A A D P D xf f A

P A xf f B B T P A A iii

P B xf f C C T P B B iii

P C xf f D D T P C C iii

P D xf f A A T P D D iii

k C S i k D S i k A S i y y k B S i

return y

Fig The cipher WEAK attacks on which are given in the text Under the control of

aderived tables T R and S computed exactly as with SEAL this cipher maps bit

p osition index n to word string WEAKa n

Assemble a list of T op T values A simple attackon WEAK is based

on the observationthateachofA B C and D is mo died only two times

using T and the netchange due to this pair of T dep endent mo dications is

almost directly visible to the adversary

In this and all subsequent attacks we x an unknown key a and provide

the adversary sample output strings each of the form y WEAKa n The

adversary will not need to knowthe n which pro duced each string y

Fix one of the strings y the adversary collects and let us write y y y y

for its words For concreteness let us now x our attention on the change that

register B undergo es during the second iteration i of the algorithm This

change in B is manifest apart from S and S in y and y In particular

it is easy to verify by tracing through the denition of WEAK that

y S T P y S iii iii T P iii y S

for some P P fg Distribute iii over and collect up constants

and we get that

y y iii y iii c T P iii T P iii

for some constant c In other words up to some constant c the adversary can

directly see in the y s the XOR of a shifted version of pairs of words of T

To distinguish the output of WEAK from truly random data simply compute

the value of y y iii y iii for eachoutputword y whichisseen

If the strings are pseudorandom then this word will takeononly p ossible

values not From the birthday problem we will b e able to make a good

prediction of randompseudorandom using ab out strings y justby guessing

pseudorandom if we see a collision in the y y iii y iii values

in a sample of this size

Sorting on bits of y Let us go a bit further with the ab ove attack We

j

witness

y y iii y iii c T P iii T P iii

where P is the oset into T which is the value of P determined in line and

P is the oset into T whichisthevalue of P determined in line The thing

to notice is that we can tell when twostringsy and y have corresp onding P

and P which agree Simply sort the y values into buckets dep ending on the

value of the last bits of y All the strings in a given bucket receivethesame

P value Thus for the strings y of a given bucket

y y iii y iii

assumes only dierentvalues and these values apart from a shift are the

entries of T This forms the basis of a way to reconstruct T

Guess and verify a correlation between i and T i This next attackis

based on the fact that b ecause T is small and randomlygenerated it is not

unlikely that there will b e substantial correlations b etween some bit or small

set of bits of i and some particular bit of T i For example although the least

signicantbitofi is exp ected to agree with the th bit of T i on out of

words the standard deviation is so it would not b e strange if these two

bits agreed times or

Let us index the bits of a word x byx x x Supp ose that the least

signicant bit bit of i happ ens to b e correlated to the th bit of T i

Supp ose to o that the most signicant bit of i bit happ ens to b e correlated to

the th bit of T i As an example mayb e i T i of the time while

i T i of the time The adversary will b e able to sp ot correlations

like this based on a sample of y values

Once again fo cus on the net change to a particular register which o ccurs

during a particular iteration To b e concrete let us see how D changes during

iteration i First in line D is mo died byaT value which dep ends on C

While we dont know what this C value is after C is shifted places to the

right and XORed with the mo died D value the net change to bit of D is

biased according to the direction of the correlation b etween the least signicant

bit of i and T i in our example line preserves bit of the time and

complements bit of the time assuming C is uniformly distributed Next

on line D is shifted places to the right This moves the bit in question into

p osition D On line register D is XORed with a table value which dep ends

on C But this value of C is manifest in the output stream after it has b een

shifted and masked by the constant S Thus if the th bit of T i is correlated

with the most signicant bit of i the change to bit of D which line causes

will b e correlated to bit due to the right shift of C in line of y Finally

in line the bit in question is shifted into p osition We conclude that if the

initial assumption is correct then there will b e a statistical correlation b etween

y y and y This observation can form the basis of a statistical test

which lo oks for o ddities in the table T

Performance

To get a rough sense of the exp ected p erformance of SEAL wecount clo ck cycles

relative to an abstract machine mo del Assume a twoop erand machine with

bit words and at least general purp ose registers Assume that in a single clo ck

cycle we can execute a single addition logical and logical exclusive or data

movement or rotate Then counting instructions reveals that if we encrypt long

strings with SEALwe sp end ab out clo ck cycles p er byte Exp erimental results

on a real machine see b elow are in line with such an estimate

Some of the eciency of SEAL stems from the fact that its innerlo op uses

only table lo okups p er byte of output By way of comparison a software

DES implementation typically uses table lo okups p er byte

Bosselaers has recently provided us with exp erimental results on the p erfor

mance of various cryptographic algorithms We repro duce some of his data

in Figure quoting his gures for the ciphers SEALRC RC and DES as

well as the hash function MD For each of these algorithms Bosselaers wrote a

highly optimized assembly language implementation for the Pentium pro cessor

Performance of the co de was then measured on a MHz machine For all of the

algorithms shown co de and data were residentinonchip cache The cost of key

setup is ignored The SEAL gures are for encrypting bytes of data They

assume a littleendian convention for XORing the plaintext with SEALs output

The last column in the table gives the sp eed of SEAL divided by the sp eed of

the indicated algorithm

Algorithm Mbits Relativespeed

SEAL

RC

RC

DES

MD

Fig Timing gures rep orted by Bosselaers The platform is a MHz Intel Pen

tium pro cessor and the implementations are in optimized assembly language

Bosselaers rep orts that his SEAL implementation uses clo ckcyclesto

encrypt bytes This comes to cyclesbyte or Mbits with a MHz

pro cessor A total of instructions are executed to pro duce these bytes

of output instructionsbyte but of these instructions execute con

currently with the remaining

A straightforward implementation of SEAL in the language C runs at

Mbits on an SGI Indy with a MHz MIPS Pro cessor this is a

lowend workstation with a RISC CPU Compilation was under the Gnu com

n

SEALa n Lfora piler gcc with optimization and the co de computed

n

xed value of a L and a large value of M The cost of key setup was

ignored The exp erimental regime ignores the p erformance p enaltywhich will b e

incurred if the plaintext ciphertext or internal tables of SEAL are out of cache

The exp eriments ab ovehadSEAL pro duce output of bytes whichis

an advantageous value for the cipher When SEAL must pro duce fewer bytes of

output a larger fraction of time is sp entonInitializeFor the C co de mentioned

ab ove pro ducing bytes was slower p er byte than pro ducing bytes

Pro ducing bytes was slower Pro ducing output just more than a multiple

of bytes is also a suboptimal case for SEAL p erformance since little b enet

is made of the nal call to Initialize

Keysetup in SEAL has a cost comparable to computing SHA on ab out

KBytes of data this is estimated to b e msec on a MHz Pentium

In the design of SEAL no attention was paid to minimizing keysetup time If this

is at issue in a target application for SEAL one should select a dierent metho d

for generating SEALs tables eg using RC or RC or abandon the

use of SEAL entirely

Ro e did timing studies of C implementations of various cryptographic

algorithms including SEAL He used a SUN Sparc and a DEC Alpha In

his exp eriments on a Sun Sparc SEAL ran and times

faster than RC RC DES and MD resp ectively In his exp eriments

on a DEC Alpha SEAL ran and times faster than RC

RC DES and MD resp ectively The data indicates a greater sp eed

advantage for SEAL than do es the data rep orted by Probably Ro es C

co de was not uniformly optimized for all of the algorithms

Concluding Remarks

It should b e emphasized that using SEAL in the exp ected way do es nothing to

provide for data authenticityMany applications which require data privacy also

require data authenticitySuch applications should accompany SEALencrypted

data by a message authentication co de MAC Techniques for fast MAC gener

ation are an active area of research

SEAL is endianneutral and yet an endian convention is needed to interop era

bly encrypt using SEAL One p ossibilityistoallow encryption with either endian

convention but to include information in SEALencrypted ciphertext whichun

ambiguously indicates the endian convention employed

It is easy to mo dify SEAL to get a cipher optimized for bit architectures

The tables would b e twice as wide and Initialize would b e slightly changed

SEAL has the unusual attribute that doubling the word size and making natural

changes in the ciphers denition would nearly double the ciphers sp eed It is

unclear whether securitywould b e impacted by the longer word length

For purp oses of p ossible exp ort approval in various countries an intentionally

weakened version of SEAL can easily b e obtained simply by mo difying the key

generation pro cess For example instead of mapping variablelength key a to

underlying bit SEAL key a according to a SHAa one could instead

select a SHAMASK SHAa where MASK is a xed bit mask whose

Hamming weight can b e adjusted to adjust the security of the cipher

One thing that the present pap er has help ed to bring out is the usefulness of

designing encryption primitives to b e PRFs instead of blo ck ciphers or stream

ciphers A PRF may b e easier to use than a stream cipher b ecause there are

no synchronization requirements b eyond communicating the index and easier

to make softwareecient than a blo ck cipher

Acknowledgments

Sp ecial thanks to the twoanonymous referees for their ne comments and sug

gestions and to Anto on Bosselaers for his comments and timely p erformance

data and for his p ermission to rep ort some of that data here Thanks also to

Uri Blumenthal and Mike Ro e for their p erformance information

This work was supp orted in part by NSF CCR

References

E Biham and A Shamir Dierential Cryptanalysis of the Data Encryption Stan

dard SpringerVerlag

A Bosselaers p ersonal communications Septemb er Article to app ear

A Bosselaers R Govaerts and J Vandewalle Fast hashing on the Pentium Ad

vances in Cryptology CRYPTO Lecture Notes in Computer Science

Vol SpringerVerlag pp

O Goldreich S Goldwasser and S Micali How to construct random functions

Journal of the ACM Vol No pp

H Handschuh and H Gilb ert cryptanalysi s of the SEAL encryption algo

rithm Fast Software Encryption Lecture Notes in Computer Science Vol

SpringerVerlag pp

G Marsaglia The Marsaglia random number CDROM with the DIEHARD bat

tery of tests of randomness Distributed by the author geostatfsuedu from

Florida State University

A Menezes Pvan Oorschot and S Vanstone Handb o ok of Applied Cryptogra

phyCRC Press

R Merkle Fast software encryption functions Advances in Cryptology

CRYPTO Lecture Notes in Computer Science Vol SpringerVerlag

pp

National Bureau of Standards Federal Information Pro cessing Standards Publi

cation Data encryption standard January

National Institute of Standards US Department of Commerce FIPS Publication

Secure hash standard April sup ersedes FIPS PUB

A Ptzmann and R Amann Ecient software implementation of generalized

DES SECURICOM th Worldwide Conference on Computer and Communi

cations Security and Protection March

R Rivest The MD message digest algorithm RFC Internet Request for

ts April Commen

R Rivest unpublish ed work A description of RC app ears in B Schneier Ap

plied Cryptography Second Edition Proto cols Algorithms and Source Co de in

C John Wiley Sons Inc

R Rivest The RC encryption algorithm Fast Software Encryption Lecture

Notes in Computer Science Vol SpringerVerlag pp

M Ro e Performance of blo ck ciphers and hash functions one year later Fast

Software Encryption Lecture Notes in Computer Science Vol Springer

Verlag pp

P Rogaway and D Copp ersmith A softwareoptimized encryption algorithm

Fast Software Encryption Lecture Notes in Computer Science Vol Springer

Verlag pp Earlier version of this pap er

B Schneier Description of a new variablelen gth key bit blo ck cipher Blow

sh Fast Software Encryption Lecture Notes in Computer Science Vol

SpringerVerlag pp

A Shimizu and S Miyaguchi Fast data encryption algorithm FEAL Advances

in Cryptology Euro crypt Lecture Notes in Computer Science Vol

SpringerVerlag

D Wheeler A bulk data encryption algorithm Fast Software Encryption Lecture

Notes in Computer Science Vol SpringerVerlag pp

App endix A The TableGeneration Function

We sp ecify G i for bit string a and integer i The latter is

a

treated as a bit string whose value as an unsigned binary number is i This

function is dened directly from Sections of the denition is rep eated

here only for ease of reference

First wemake the following denitions For t set K xa

t

B D For t set K xedeba and f B C DB C

t t

and f B C DB C D For t set K xfbb cdc and

t t

f B C DB C B D C D For t set K

t t

xcacd and f B C DB C D

t

The bit string a is broken up into ve bit words a H H H H H

and the bit M is set to i k and then pro cessed by

a Divide M into words W W W where W is the leftmost word

so that W i W W W

b For t toletW W W W W hhh

t t t t t

c Let A H B H C H D H E H

d For t to do

TEMP A hhh f B C DE W K

t t t

E D D C C B hhh B A A TEMP

e H H A H H B H H C H H D H H E

After pro cessing M the value of G i is the bit string H H H H H

a

App endix B Test Case

This app endix provides adequate data to verify a correct implementation of

SEAL Supp ose the key is the bit string

a efcdab badcfe cdef

and assume wewant SEAL to pro duce KByte outputs ie L bits

Then the table R consists of words R R R

d cec fabddd db cff acdc ead fabe

ac cbd cac fec bdb fdccc dada dd

The table T consists of words T T T

be ced cacde bff fa cdfa bfe baf

e df da aeaffb ab af bb

eafcd ecf afabf e ad cdb ebe ccf

The table S consists of words S S S

ced ceefa fef babbc fb eb fdeefa af

cb db dce efa beae adbd ce fee

d fcc bddea fdd aa ece eaeff ba

Let n af Then y SEALa n L consists of y k y kky

a bcc abee f fbfd fafbd ccdecd fdeec

abdce aff a ef cb e aabed ceb

a fba ebd efab da fedfede aa ee

The XOR of the words of y is xefef

Web Analytics