Advanced Encryption Standard


Advanced Encryption Standard
ECE 297:11, Lecture 7

Why a new standard?
1. The old standard is insecure against brute-force attacks
2. Straightforward fixes lead to inefficient implementations
   • Triple DES: in → DES(K1) → DES(K2) → DES(K3) → out
3. New trends in fast software encryption
   • use of the basic instructions of the microprocessor
4. New ways of assessing cipher strength
   • differential cryptanalysis
   • linear cryptanalysis

Why a contest?
• Focus the effort of the cryptographic community (a small number of specialists work in open research)
• Stimulate research on methods of constructing secure ciphers
• Avoid backdoor theories
• Speed up the acceptance of the standard

External format of the AES algorithm
plaintext block (128 bits) → AES, keyed with a 128-, 192- or 256-bit key → ciphertext block (128 bits)

Rules of the contest
Each team submits:
• a detailed cipher description
• a justification of the design decisions
• tentative results of cryptanalysis
• source code in C
• source code in Java
• test vectors

AES contest effort
June 1998:    15 candidates from the USA, Canada, Belgium, France, Germany, Norway, UK, Israel, Korea, Japan, Australia and Costa Rica
              Round 1 criteria: security, software efficiency
August 1999:  Round 2 with 5 final candidates: Mars, RC6, Rijndael, Serpent, Twofish
              Round 2 criteria: security, hardware efficiency
October 2000: 1 winner: Rijndael (Belgium)

AES contest: First Round (June 1998 - August 1999)
15 June 1998: deadline for submitting candidates; 21 submissions, 15 fulfilled all requirements
August 1998:  1st AES Conference in Ventura, CA: presentation of the candidates
March 1999:   2nd AES Conference in Rome, Italy: review of the results of the First Round analysis
August 1999:  NIST announces the five final candidates

AES: candidate algorithms
North America (8)
  Canada:      CAST-256, DEAL
  USA:         Mars, RC6, Twofish, Safer+, HPC
  Costa Rica:  Frog
Europe (4)
  Germany:             Magenta
  Belgium:             Rijndael
  France:              DFC
  Israel, GB, Norway:  Serpent
Asia (2)
  Korea:  Crypton
  Japan:  E2
Australia (1)
  Australia:  LOKI97

Survey filled in by 104 participants of the Second AES Conference (Rome, March 1999)
Criteria: security (resistance to known attacks, randomness tests) and software implementations (PC, smartcards).
Scale: Overwhelming YES / Mild YES / Middle-of-the-road / Mild NO / Overwhelming NO
 1. Rijndael   +76
 2. RC6        +73
 3. Twofish    +61
 4. Mars       +52
 5. Serpent    +45
 6. E2         +14
 7. CAST-256    -2
 8. Safer+      -4
 9. DFC         -5
10. Crypton    -15
11. DEAL       -70
12. HPC        -77
13. Magenta    -83
14. Loki97     -85
15. Frog       -85

AES finalists (1): USA
• Mars - IBM: C. Burwick, D. Coppersmith, E. D'Avignon, R. Gennaro, S. Halevi, C. Jutla, S.M. Matyas, L. O'Connor, M. Peyravian, D. Safford, N. Zunic
• RC6 - RSA Data Security, Inc.: R. Rivest (MIT); M. Robshaw, R. Sidney, Y.L. Yin (RSA)
• Twofish - Counterpane Systems: B. Schneier, J. Kelsey, C. Hall, N. Ferguson (Counterpane); D. Whiting (Hi/fn); D. Wagner (Berkeley)

AES finalists (2): Europe
• Rijndael - J. Daemen, V. Rijmen, Katholieke Universiteit Leuven, Belgium
• Serpent - R. Anderson (Cambridge, England); E. Biham (Technion, Israel); L. Knudsen (University of Bergen, Norway)

AES contest: Second Round (August 1999 - August 2000)
Criteria: security (resistance to new attacks) and hardware implementations (FPGA, ASIC).
13-14 April 2000: 3rd AES Conference in New York
15 May 2000:      end of the comment period for Round II
2 October 2000:   winner announced
November 2001:    FIPS-197 (AES) announced
May 2002:         standard becomes effective

How did NIST make the final decision?
Basic criteria: security, software efficiency, hardware efficiency, flexibility

Security: theoretical attacks better than exhaustive key search
(number of rounds broken by the best attack / total number of rounds)
  Serpent    9 / 32
  Twofish    6 / 16
  Mars      11 / 16  (not counting the 16 mixing rounds)
  Rijndael   7 / 10
  RC6       15 / 20

Security: authors of the attacks
  Team (submitters of)  Attack authors                                        Attacked cipher
  Twofish               Kelsey, Kohno, Schneier                               MARS, Serpent
                        Ferguson, Stay, Wagner, Whiting                       Rijndael
  Serpent               Knudsen, Meier                                        RC6
  Other groups          Lucks (U. Mannheim)                                   Twofish
                        Gilbert, Minier (France Telecom)                      Rijndael
                        Gilbert, Handschuh, Joux, Vaudenay (France Telecom)   RC6

NIST Report: security
  Security margin high:      Serpent, MARS, Twofish
  Security margin adequate:  Rijndael, RC6
[Chart: the same five ciphers positioned by security margin (adequate to high) against design complexity (simple to complex)]

Efficiency in software: NIST-specified platform (200 MHz Pentium Pro, Borland C++) and NIST tests (450 MHz Pentium II, DJGPP gcc)
[Bar charts: encryption speed in Mbit/s for 128-, 192- and 256-bit keys on the two platforms; ciphers: Rijndael, RC6, Twofish, Mars, Serpent]

Efficiency in software: ranking of encryption speeds for various platforms
(1 = fastest; eleven platform/compiler combinations covering Intel, Alpha, Sun-SPARC and H-P processors, 32-bit and 64-bit processors, and DSPs)
  Mars      4 4 2 4 3 2 3 4 4 3 3
  RC6       1 3 1 1 4 1 4 3 3 5 4
  Twofish   2 1 3 2 1 4 2 2 2 2 2
  Rijndael  3 2 4 3 2 3 1 1 1 1 1
  Serpent   5 5 5 5 5 5 5 5 5 4 5

NIST Report: software efficiency, encryption and decryption speed
          32-bit processors   64-bit processors   DSPs
  high    RC6                 Rijndael            Rijndael
          Twofish             Twofish             Twofish
          Rijndael            Mars                Mars
  medium  Mars                RC6                 RC6
  low     Serpent             Serpent             Serpent

Efficiency in software: key setup (200 MHz Pentium Pro, Borland C++)
[Bar chart: key setup time in clock cycles (0-25000) for 128-, 192- and 256-bit keys; ciphers: Rijndael, RC6, Mars, Serpent, Twofish]

NIST Report: software efficiency, encryption and decryption speed on smartcards (8-bit and 32-bit processors)
  high:    Rijndael
  medium:  RC6, Mars
  low:     Twofish, Serpent

NIST Report: software efficiency, key scheduling (32-bit processors, 64-bit processors, DSPs) and key scheduling on smartcards (8-bit processors)
  Rijndael rated high on every platform; Twofish rated low on every platform; Serpent, Mars and RC6 fall in between, in an order that varies by platform.

Efficiency in software: conclusions
Strong dependence on:
1. instruction set architecture (e.g., variable rotations)
2. programming language (assembler, C, Java)
3. compiler
4. programming style
Encryption/decryption: strong variation of results; Serpent is the worst for the majority of platforms.
Key setup: moderate variation of results; Rijndael and RC6 are the best and Twofish and Serpent the worst for the majority of platforms.

Primary ways of implementing cryptography in hardware
ASIC (Application Specific Integrated Circuit)
• designs must be sent for expensive and time-consuming fabrication in a semiconductor foundry
• designed all the way from a behavioral description to the physical layout
FPGA (Field Programmable Gate Array)
• bought off the shelf and reconfigured by the designers themselves
• no physical layout design; the design ends with a bitstream used to configure the device

Which way to go?
ASICs: high performance, low power, low cost (but only in high volumes)
FPGAs: off the shelf, low development costs, short time to market, reconfigurability

Reconfigurability
An external ROM and a microprocessor enable changing the function of an FPGA in several milliseconds (5-15 ms per reconfiguration):
• encryption vs. decryption vs. key scheduling (the same FPGA is loaded in turn with key scheduling, encryption and decryption)
• various algorithms (AES, Triple DES, IDEA)

Implementation of a secret-key cipher with round keys computed on the fly
input and key → input interface → key scheduling (producing the round key) and encryption/decryption → output interface → output; a control unit driven by the control input sequences the datapath.

Implementation of a secret-key cipher with round keys precomputed
input/key → input interface → key scheduling → memory of round keys → encryption/decryption → output interface → output, sequenced by a control unit.

Typical flow diagram of a secret-key block cipher
  initial transformation        (uses RoundKey[0])
  i := 1
  cipher round                  (uses RoundKey[i])
  i := i + 1
  i < #rounds?  yes → back to the cipher round (executed #rounds times)
  final transformation          (uses RoundKey[#rounds+1])

Basic iterative architecture
multiplexer → register → combinational logic for one round → fed back to the multiplexer
Blocks M_i, M_{i+1}, M_{i+2}, ... enter in sequence; ciphertexts C_i, C_{i+1}, C_{i+2}, ... leave in the same order.

Primary parameters of hardware implementations of secret-key block ciphers
Latency:     time to encrypt/decrypt a single block of data
Throughput:  number of bits encrypted/decrypted in a unit of time

  Throughput = Block_size · Number_of_blocks_processed_simultaneously / Latency

Dependence of the encryption time on latency and throughput

  Encryption_time = Latency + (Message_size - Block_size) / Throughput

Efficiency in hardware: FPGA Virtex 1000, speed
[Bar chart: throughput in Mbit/s (0-500) per cipher, results from George Mason University, University of Southern California and Worcester Polytechnic Institute; ciphers: Serpent I8, Rijndael, Twofish, Serpent I1, RC6, Mars; reported values range from about 60 to about 440 Mbit/s]

Efficiency in hardware: FPGA Virtex 1000, area
[Bar chart: area in CLB slices (0-9000) per cipher, GMU/USC/WPI results; ciphers: Serpent I8, Twofish, RC6, Rijndael, Mars, Serpent I1; reported values range from about 1000 to about 8000 slices]

ASIC implementations: NSA group
[Bar chart: area per cipher for 128-bit key scheduling vs. 3-in-1 (128, 192, 256-bit) key scheduling; ciphers: Rijndael, Serpent, Twofish, RC6, Mars]

GMU results: encryption in cipher feedback modes (CBC, CFB, OFB), Virtex FPGA
[Scatter plot: throughput in Mbit/s (0-500) vs. area in CLB slices (0-5000); Rijndael and Serpent I8 highest, Twofish and Serpent I1 in the middle, RC6 and Mars lowest]

NSA results: encryption in cipher feedback modes (CBC, CFB, OFB), ASIC, 0.5 µm CMOS
[Scatter plot: throughput in Mbit/s (0-700) vs. area (0-40); Rijndael highest, then Serpent I1, Mars, RC6, Twofish]
NIST Report + GMU Report: hardware efficiency in feedback cipher modes (CBC, CFB)
  Speed high:    Rijndael, Serpent
  Speed medium:  Twofish, RC6
  Speed low:     MARS
  (area axis of the chart: small, medium, large)

Conclusions for feedback cipher modes (CBC, CFB, OFB) (1)
• Speed (throughput) should be the primary criterion of comparison
• The basic iterative architecture is the most appropriate for the comparison and for future implementations
• Serpent and Rijndael are over twice as fast as the next best candidate in all implementations

Conclusions for feedback cipher modes (CBC, CFB, OFB) (2)
• Results confirmed by three independent university groups for FPGAs and by the NSA group for ASICs
• The result of the comparison is independent of the implementation technology (FPGAs vs. ASICs)

Encryption key setup latency [µs], NSA and USC results
[Bar chart, 0-1 µs scale: Mars (9.55 µs) and RC6 (5.74 µs) are off the scale; Rijndael sets up a key in about 0.17-0.18 µs, Serpent and Twofish I1 in under 0.1 µs]

Encryption vs. decryption key setup latency [µs]
[Bar chart, truncated in the extracted text: Mars 9.55 µs and RC6 5.74 µs for both encryption and decryption key setup]

Feedback cipher modes: CBC
[Diagram, truncated in the extracted text: chaining of the message blocks M1, M2, M3, ..., MN-1, MN]
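The conclusion that the basic iterative architecture is the right basis for comparing the candidates in CBC, CFB and OFB rests on the two formulas from the hardware slides: in a feedback mode the next block cannot start until the previous ciphertext is available, so only one block is ever in flight and throughput collapses to Block_size / Latency, however many round copies the design contains. The following added example (not from the lecture) encodes the slides' throughput and encryption-time formulas and applies them to an assumed design; the round counts are those of the candidates, but the clock frequencies, pipeline depth and message size are assumptions chosen for illustration, not measurements from the slides.

```python
"""Latency/throughput model of the lecture's basic iterative architecture and
of the encryption-time formula, for feedback vs. non-feedback cipher modes.
Constructed example; clock rates and pipeline depth are assumptions."""

BLOCK_BITS = 128


def ceil_div(a, b):
    return -(-a // b)


def latency_s(rounds, rounds_per_cycle, clock_hz):
    """Basic iterative architecture: one block needs ceil(rounds / rounds_per_cycle) clock cycles."""
    return ceil_div(rounds, rounds_per_cycle) / clock_hz


def throughput_bps(block_bits, blocks_in_flight, latency):
    """Throughput = Block_size * Number_of_blocks_processed_simultaneously / Latency."""
    return block_bits * blocks_in_flight / latency


def encryption_time_s(message_bits, block_bits, latency, throughput):
    """Encryption_time = Latency + (Message_size - Block_size) / Throughput."""
    return latency + (message_bits - block_bits) / throughput


def model(rounds, rounds_per_cycle, clock_hz, feedback, pipeline_stages=1, block_bits=BLOCK_BITS):
    """Return latency, blocks in flight and throughput for one design in one mode.

    feedback=True models CBC/CFB/OFB: block i+1 depends on ciphertext i, so the
    pipeline holds a single block no matter how deep it is. feedback=False
    models ECB/CTR-style operation, where an outer-round pipeline of
    `pipeline_stages` round copies keeps that many blocks in flight.
    """
    lat = latency_s(rounds, rounds_per_cycle, clock_hz)
    in_flight = 1 if feedback else pipeline_stages
    return {"latency_s": lat,
            "blocks_in_flight": in_flight,
            "throughput_bps": throughput_bps(block_bits, in_flight, lat)}


def serpent_i1_vs_i8(clock_i1_hz, clock_i8_hz):
    """Compare a one-round-per-cycle Serpent (I1) with an eight-rounds-per-cycle
    Serpent (I8) in a feedback mode. Unrolling eight rounds cuts the cycle count
    from 32 to 4 but lengthens the critical path, so the clock must drop; the
    throughput ratio shows whether the unrolling paid off at the given clocks."""
    i1 = model(32, 1, clock_i1_hz, feedback=True)
    i8 = model(32, 8, clock_i8_hz, feedback=True)
    return i8["throughput_bps"] / i1["throughput_bps"]


if __name__ == "__main__":
    # Assumed: AES (10 rounds) at 50 MHz, one round per cycle, 8-stage outer pipeline.
    cbc = model(10, 1, 50e6, feedback=True, pipeline_stages=8)
    ctr = model(10, 1, 50e6, feedback=False, pipeline_stages=8)
    msg_bits = 8 * 1_000_000                                     # assumed 1 MB message
    for name, m in (("CBC", cbc), ("CTR", ctr)):
        t = encryption_time_s(msg_bits, BLOCK_BITS, m["latency_s"], m["throughput_bps"])
        print(f"{name}: latency {m['latency_s']*1e9:.0f} ns, "
              f"{m['blocks_in_flight']} block(s) in flight, "
              f"{m['throughput_bps']/1e6:.0f} Mbit/s, 1 MB in {t*1e3:.2f} ms")
    # Assumed clocks: I1 at 40 MHz, I8 at 7 MHz (8 rounds on the critical path).
    print(f"Serpent I8 / I1 throughput ratio: {serpent_i1_vs_i8(40e6, 7e6):.2f}")
```

The point the model makes is the one behind the slides' comparison: for CBC/CFB/OFB the only lever is cycles per block times clock period, which is why a deeply unrolled design such as Serpent I8 buys little in those modes and costs several times the area of Serpent I1.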