ECE�297:11��Lecture�7 Why�a�new�standard? 1.�Old�standard�insecure�against�brute-force�attacks
2.�Straightforward�fixes�lead�to�inefficient� implementations Advanced�Encryption�Standard K1 K2 K3 • Triple�DES in out
3.�New�trends�in�fast�software�encryption • use�of�basic�instructions�of�the�microprocessor 4.�New�ways�of�assessing�cipher�strength� • differential�cryptanalysis • linear�cryptanalysis
Why�a�contest? External�format�of�the�AES�algorithm
• Focus�the�effort�of�cryptographic�community plaintext�block
Small�number�of�specialists�in�the�open�research 128�bits
• Stimulate�the�research�on�methods�of�constructing� secure�ciphers AES key
• Avoid�backdoor�theories 128,�192,�256��bits
128�bits • Speed-up�the�acceptance�of�the�standard
ciphertext�block
Rules�of�the�contest AES�Contest�Effort
Each�team�submits June�1998 15�Candidates Round�1 Detailed Justification Tentative from�USA,�Canada,�Belgium, Security France,�Germany,�Norway,�UK, Isreal, Software�efficiency cipher of�design results Korea,�Japan,�Australia,�Costa�Rica description decisions of�cryptanalysis August�1999 Round�2 5�final�candidates Security Source Mars,�RC6, Rijndael,�Serpent, Twofish Source Test Hardware�efficiency code code� vectors in�C in�Java October�2000 1�winner: Rijndael Belgium
1 AES�contest�- First�Round AES:�Candidate�algorithms North�America (8) Europe�(4) Asia�(2) 15�June�1998 Deadline�for�submitting�candidates 21 submissions,� Canada: Germany: Korea: 15�fulfilled�all�requirements CAST-256 Magenta Crypton Deal August�1998 1st�AES�Conference�in�Ventura,�CA Belgium: Japan: USA: Presentation�of�candidates Mars Rijndael E2 RC6 March�1999 2nd�AES�Conference�in�w�Rome,�Italy Twofish France: Safer+ Australia�(1) Review�of�results�of�the�First�Round� DFC HPC analysis Israel,�GB, Costa�Rica: Australia: August�1999 NIST�announces�five�final�candidates Norway: LOKI97 Frog Serpent
First�round����June�1998-August�1999 Survey�filled�by�104�participants�of�the� Second�AES�Conference�in�Rome,�March�1999
1. Rijndael +76 Security Software 2.�RC6 +73 3. Twofish +61 Overwhelming�YES Resistance implementations 4.�Mars +52 to�known�attacks, 5.�Serpent +45 randomness�tests PC Smart�cards 6.�E2 +14 Mild��YES 7.�CAST-256 -2 8.�Safer+ -4 Middle-of-the-Road 9.�DFC -5 10. Crypton -15 Mild�NO 11.�DEAL -70 12.�HPC -77 13.�Magenta -83 Overwhelming�NO 14.�Loki97 -85 15.�Frog -85
AES�Finalists�(1) AES�Finalists�(2) USA Mars - IBM� Europe C. Burwick,�D.�Coppersmith,�E. D’Avignon,� R. Gennaro,�S. Halevi,�C. Jutla,�S.�M. Matyas, Rijndael - J. Daemen,�V. Rijmen L.�O’Connor,�M. Peyravian,�D.�Safford, Katholieke�Universiteit�Leuven N. Zunic Belgium RC6��- RSA�Data�Security,�Inc. R. Rivest - MIT Serpent - R.�Anderson,�Cambridge,�England M. Robshaw,�R.�Sidney,�Y.�L.�Yin�- RSA E. Biham - Technion,�Israel L.�Knudsen,�University�of�Bergen,�Norway Twofish - Counterpane�Systems B. Schneier,�J.�Kelsey,�C.�Hall,�N.�Ferguson� - Counterpane,�D.Whiting�- Hi/fn,� D.�Wagner�- Berkeley
2 AES�contest:��Second�Round Second�round����August�1999-August�2000 13-14�April�2000 3rd�AES�Conference�in�New�York Security Hardware� 15�May�2000 Resistance�to implementations End�of�the�comment�period�for�Round�II new�attacks FPGA� ASIC 2�October�2000 Winner�announced
November�2001 FIPS-197:�AES�announced� May�2002 Standard�becomes�effective
How�NIST�has�made�a�final�decision? Security:�Theoretical�attacks�better� than�exhaustive�key�search
Serpent 9 32 BASIC�CRITERIA = Twofish 6 16 security software�efficiency Mars 11 16 without�16�mixing�rounds hardware�efficiency flexibility Rijndael 7 10
RC6 15 20 0 5 10 15 20 25 30 35 #�of�rounds�in�the�attack/total�#�of�rounds
Security:�Authors�of�attacks NIST�Report:�Security Team Attacked�cipher Security�Margin Twofish Kelsey,�Kohno, Schneier MARS Ferguson,�Stay,�Wagner,� High Serpent MARS Whiting Serpent Twofish
Serpent Rijndael Knudsen,�Meier Rijndael RC6 Adequate Other�groups RC6 Lucks,�U.�Mannheim Twofish Gilbert, Minier,�France�Telecom Simple Complex Gilbert, Handschuh, Joux, Vaudenay,�France�Telecom Complexity
3 Efficiency�in�software:�NIST-specified�platform� Efficiency�in�software:�NIST�tests 200�MHz�Pentium�Pro,�Borland�C++ 450�MHz�Pentium�II,�DJGPP gcc Speed�[Mbits/s] Speed�[Mbits/s] 128-bit�key 160 192-bit�key 128-bit�key 30 256-bit�key 140 192-bit�key 25 120 256-bit�key 20 100 80 15 60 10 40 5 20 0 0 Rijndael Rijndael RC6 Twofish Mars Serpent Mars RC6 Serpent Twofish
Efficiency�in�software:�Ranking�of�encryption NIST�Report:�Software�Efficiency speeds�for�various�platforms Encryption�and�Decryption�Speed
Intel Alpha Sun-Sparc H-P 32-bit 64-bit DSPs processors processors Mars 4���4���2���4���3���2 3���4���4 3 3 RC6 1 3���1 1 4���1 4���3���3 5 4 RC6 Rijndael Rijndael high Twofish Twofish Twofish 2���1 3���2���1 4 2���2���2 2 2 Rijndael Mars Rijndael 3���2���4���3���2���3 1 1 1 1 1 Mars Mars medium RC6 RC6 Serpent 5���5���5���5���5���5 5���5���5 4 5 Twofish low Serpent Serpent Serpent
NIST�Report:�Software�Efficiency Efficiency�in�software:�Key�setup 200�MHz�Pentium�Pro,�Borland�C++ Encryption�and�decryption�speed�in�software� Time�[clock�cycles] on�smart�cards 25000 128-bit�key 8-bit� 32-bit� 192-bit�key processors 20000 processors 256-bit�key
Rijndael 15000 Rijndael better high RC6 RC6 10000 medium Mars Mars Twofish 5000 low Serpent Twofish Serpent 0 Rijndael RC6 Mars Serpent Twofish
4 NIST�Report:�Software�Efficiency NIST�Report:�Software�Efficiency Key�scheduling Key�scheduling on�smart�cards 32-bit 64-bit DSPs 8-bit� processors processors processors
Rijndael Rijndael Rijndael high Serpent high Rijndael
Mars RC6 Mars Mars medium RC6 Serpent RC6 medium Twofish
Mars Serpent Twofish RC6 low Twofish low Twofish Serpent
Efficiency�in�software Efficiency�in�software:�Conclusions Encryption/decryption Strong�dependence�on: Strong�variation�of�results 1.�Instruction�set�architecture (e.g.,�variable�rotations) Serpent�the�worst�for�majority�of�platforms 2.�Programming�language Key�setup (assembler,�C,�Java)� Moderate�variation�of�results 3.�Compiler� Rijndael and�RC6�the�best�for�majority�of�platforms 4.�Programming�style Twofish�and�Serpent�the�worst�for�majority�of platforms
Primary�ways�of�implementing�cryptography Which�way�to�go? in�hardware ASIC FPGA ASICs FPGAs Application Specific Field Programmable Integrated Circuit Gate Array Off-the-shelf High�performance • designs�must�be�sent • bought�off�the�shelf Low�development�costs for�expensive�and�time and�reconfigured�by consuming�fabrication designers�themselves Low�power Short�time�to�the�market in�semiconductor�foundry • no�physical�layout�design; • designed�all�the�way design�ends�with Low�cost�(but�only� from�behavioral�description a�bitstream used in�high�volumes) Reconfigurability to�physical�layout to�configure�a�device
5 Reconfigurability Implementation�of�a�secret-key�cipher Round�keys�computed�on-the-fly control External�ROM�and�microprocessor�enables input key changing�an�FPGA�function�in�several�milliseconds
Encryption�vs.�decryption�vs.�key�scheduling Control� input�interface unit FPGA FPGA FPGA Key Encryption Decryption scheduling key 5-15�ms 5-15�ms encryption/decryption scheduling Various�algorithms FPGA FPGA FPGA round�key output�interface AES Triple�DES IDEA 5-15�ms 5-15�ms output
Implementation�of�a�secret-key�cipher Typical�Flow�Diagram�of� Round�keys�precomputed a�Secret-Key�Block�Cipher control input/key Round�Key[0] Initial�transformation input�interface Control� i:=1 unit
key Round�Key[i] Cipher�Round scheduling i:=i+1 encryption/decryption #rounds� times memory�of� i<#rounds? round keys output�interface Round�Key[#rounds+1] Final�transformation output
Basic�iterative�architecture Primary�parameters�of�hardware�implementations for�secret-key�block�ciphers Latency Throughput
multiplexer Mi+2 M i Mi+1 M register i Time�to� Encryption/ encrypt/decrypt� Encryption/ one�round combinational decryption a�single�block� decryption of�data logic Number�of�bits� Ci+2 encrypted/decrypted Ci Ci+1 in�a�unit�of�time
Ci
Block_size�·�Number_of_blocks_processed_simultaneously Throughput�= Latency
6 Dependence�of�the�encryption�time� Efficiency�in�hardware:�FPGA Virtex 1000:�Speed on�latency�and�throughput Throughput�[Mbit/s] 500 Message�size 431 444 George�Mason�University 450 414 University�of�Southern�California 400 353 Worcester�Polytechnic�Institute
350 294 300 (Message_size�–Block_size) Latency 250 Throughput 177 173 200 149 143 150 104 112 102 88 Time 100 62 61 50 Encryption�time 0 Serpent� Rijndael Twofish Serpent� RC6 Mars I8 I1
Efficiency�in�hardware:�FPGA Virtex 1000:�Area ASIC�implementations:�NSA�group Area�[CLB�slices] 700 606 128-bit�key�scheduling� 9000 George�Mason�University 7964 3-in-1�(128,�192,�256�bit)�key�scheduling 8000 University�of�Southern�California 600 7000 Worcester�Polytechnic�Institute 500 443 6000 5511 4621 400 5000 4312 4507 300 4000 2507 3528 202 202 2809 2744 2666 2638 3000 200 105 105 103 104 1749 57 57 2000 1076 1137 1250 100 1000 0 Rijndael Serpent� Twofish RC6 Mars 0 Twofish RC6 Serpent�RijndaelMars Serpent� I1 I8 I1
GMU�Results: Encryption�in�cipher�feedback�modes� NSA�Results: Encryption�in�cipher�feedback�modes� (CBC,�CFB,�OFB)�- Virtex FPGA (CBC,�CFB,�OFB)�- ASIC,�0.5�µm�CMOS Throughput�[Mbit/s] Throughput�[Mbit/s] 500 700 400 600 Rijndael Serpent�I8 Rijndael 500 300 400 200 Twofish Serpent�I1 300 Serpent�I1 100 RC6 200 Mars Mars 100 RC6 Twofish 0 0 0 1000 2000 3000 4000 5000 0 5 10 15 20 25 30 35 40 Area�[CLB�slices] Area�[CLB�slices]
7 NIST�Report�+�GMU�Report:� Conclusions�for�feedback�cipher�modes��(1) Hardware�Efficiency (CBC,�CFB,�OFB) Feedback�cipher�modes:�CBC,�CFB Speed • Speed (throughput)�should�be�the�primary� criteria�of�comparison High Rijndael Serpent
• Basic�iterative�architecture�is�the�most�appropriate Twofish Medium for�comparison�and�future�implementations RC6 • Serpent�and Rijndael are�over�twice�as�fast�as�the� Low MARS next�best�candidate�for�all�implementations
Small Medium Large Area
Conclusions�for�feedback�cipher�modes��(2) Encryption�Key�Setup�Latency�[µs] (CBC,�CFB,�OFB) 9.55 1.96 5.74 1 NSA� • Results�confirmed�by� 0.8 - three�independent�university�groups�for FPGAs,�and� USC - NSA�group�for ASICs 0.6
• Results�of�comparison�independent�of 0.4 implementation�technology (FPGAs vs. ASICs) 0.17 0.18 0.2 0.07 0.08 0.06 0 0.02 0 Mars RC6 Rijndael Serpent� Twofish I1
Encryption�vs.�Decryption�Key�Setup�Latency�[µs] Feedback�cipher�modes�- CBC M1 M2 M3 MN-1 MN 9.55 9.55 5.74 5.74 .�.�. 1 encryption� IV� decryption
0.8 0.67 E E E E E 0.6 .�.�.�
0.4 C C 0.21 1 C2 C3 CN-1 N 0.11 0.2 ⊕ 0 0.02 0.06 C1 =�AES(Mi IV) 0 C =�AES(M ⊕ C )������for�i=2..N Mars RC6 Rijndael Serpent� Twofish i i i-1 I1
8 Non-feedback�Counter�Mode�- CTR Full�Mixed�Inner�and�Outer-Round�Pipelining Cipher�1 Cipher�2 IV IV+1 IV+2 IV+N-1 IV+N round�1 .�.�. round�1
E E E E E .�.�.� round�2 target .�.�. M M M M M clock� .�.�. 0 1 2 N-1 N period, e.g.,�20�ns round�10
round�16 C C2 C3 CN-1 CN 1 128�bits Speed�= ⊕ Ci =�Mi AES(IV+i)������for�i=0..N target_clock_period
Encryption�in�non-feedback�modes�(ECB,�counter) NIST�Report�+�GMU�Report:� decryption�in�all�modes Hardware�Efficiency Speed�[Mbit/s] Non-feedback�cipher�modes:�ECB,�CTR 7000 Rijndael 6.4 Gbit/s Speed 6000 Rijndael Serpent RC6 Mars RC6 High Serpent 5000 Twofish Mars Twofish 4000
3000 Medium
2000 Assuming�clock�period�=�50�MHz 1000 Low
0 0 10000 20000 30000 40000 50000 60000 Small Medium Large Area�[CLB�slices] Area
Conclusions�for�non-feedback�cipher�modes�(1) Importance�of�the�AES�candidate� ECB,�counter hardware�efficiency�comparison
• All�ciphers�can�achieve�approximately� • Important�factor�used�to�differentiate�among� the�same�speed. final�candidates Area should�be�the�primary�criteria�of�comparison. - objective�and�commonly�accepted�measures - good�agreement�among�results�from�various�groups • Serpent, Twofish and Rijndael are�the�most� - large�differences�among�final�candidates cost-efficient�and�take�approximately�the�same� amount�of�area • Efficient�architectures�and�methodologies developed� for�all�algorithms
9 Flexibility:�Criteria Survey�filled�by�167�participants�of� the�Third�AES�Conference,�April�2000 #�votes • Additional�key-sizes�and�block-sizes 100 90 • Ability�to�function�efficiently�and�securely�in�a�wide 80 variaty of�platforms�and�applications 70 low-end smartcards,�wireless�- memory�requirements 60 IPSec,�ATM�- key�setup�time�in�hardware 50 B-ISDN,�satellite�communication�- encryption�speed 40 30 20 10 0 Rijndael Serpent Twofish RC6 Mars
Ranking�by�participants�of�the�AES3�Conference Most�likely�winner(s)�(1) Positive�votes�– negative�votes #�votes Rijndael 100 80 + – 60 • fastest�in�hardware • security�margin 40 20 • close�to�the�fastest�in�software� 0 • very�high�flexibility -20 -40 novel�ideas -60 -80 Rijndael Serpent Twofish RC6 Mars
Most�likely�winner(s)�(2) Most�likely�winner(s)�(3) Serpent Twofish – – + + • good�security�margin • moderately�fast in�hardware • large�security�margin • slow�in�software • fast�encryption/decryption • conservative�construction� • moderate�flexibility� in�software� • slow�key�setup� in�software • very�fast�in�hardware • American • moderate�flexibility • cryptanalytical reputation�of�authors • strongly advertized
10 Major�operations�of�AES�finalists Basic�cipher�operations�(1)�- S-box Software Hardware Serpent Rijndael Twofish RC6 Mars ROM C S-box�n�x�m S-boxes n-bit�address WORD�S[1< Basic�cipher�operations�(2) Basic�cipher�operations�(3)�- Multiplication Multiplication�in�the�Galois�Field�GF(2m) Software Hardware Software Hardware A B X C�=�const 32 32 C 8 8 C 32 32 x0 x3 x7 x0 x3 x4 x7 unsigned�long��A,�B,�C; <<,�^,�|,�& C�=�A*B; .�.�. MUL32 MUL�GF(28) 32 ASM y y 32 ASM 0 7 C MUL Half- Y ROL,�XOR,�OR,�AND Multiplier C=A·B�mod�232 Basic�cipher�operations�(4)�- Rotations Auxiliary�cipher�operations��- Permutation Software Hardware Software Hardware Mux-based�shifter A<<<0 A<<<16 x x x x n x1 2 3 n-1 n C C .�.�. C�=�(A�<<�B)�|�(A�>>�(32-B)); B[4] complex B[3] P sequence�of B[2] instructions .�.�. A�<<<�B B[1] <<,�|,�& B[0] n 32 y1 y2 y3 yn-1 yn A<< 11 AES:�Types�of�candidate�algorithms Feistel�Network:�Single�Round�of�Twofish Feistel Networks Modified Feistel Network D[3] D[2] D[1] D[0] Twofish Deal K2r+8 K2r+9 RC6 E2 LOKI97 <<<�1 MARS DFC Magenta CAST-256 F�- function Substitution- Others Linear�Transformation >>>�1 Networks Frog HPC Rijndael Safer+ D’[3] D’[2] D’[1] D’[0] Serpent Crypton Modified�Feistel�Network:�Single�Round�of�MARS Substitution-Linear�Transformation�Network: D[3] D[2] D[1] D[0] Single�Round�of�Serpent k k’ k=K[4+2i], k’�=�K[5+2i], 128 out1 i�- round�no. out2 in E S-boxes ⊕ out3 <<<13 Linear�Transformation K[i] 128 D’[3] D’[2 D’[1 D’[0 ] ] ] Substitution-Linear�Transformation�Network:� First�basic�architecture�of�Serpent�- Serpent�I1� Serpent�in�Hardware 128 128 128 128-bit�register initial�permutation Ki 128 regular�Serpent�round 128 128 128 128 128 32�x�S-box�0 32�x�S-box�1 32�x�S-box�7 K0,�...�,�K7,�K32 encryption decryption K32,�...�,�K7,�K0 128 128 128 block block 8-to-1�128-bit�multiplexer 128 128 linear�transformation K32 128 128 final�permutation 128 output 12 Alternative�basic�architecture�of�Serpent:�Serpent�I8 Rijndael�– Different�Circuits 128 for�Encryption�and�Decryption 128 128-bit�register plaintext ciphertext K0 round�0 32�x�S-box�0 subkey ByteSub linear�transformation one�implementation� round�of�Serpent = ShiftRow InvMixColumn 8�regular�cipher� round�7 K7 rounds MixColumn InvShiftRow 32�x�S-box�7 linear�transformation subkey InvByteSub K32 128 ciphertext plaintext output Rijndael�– Resource�Sharing�Between Encryption�and�Decryption Twofish�– Encryption/Decryption�Round inversed�affine transformation <<<1 encryption decryption >>>1 inversed�element F�- function in�Galois�field <<<1 affine InvShiftRow >>>1 transformation subkey ShiftRow InvMixColumn MixColumn subkey RC6�Round Twofish�– F-function R0 R1 R2 R3 h 32 32 32 32 M2 M0 q0 q0 q1 d e d e PHT q1 q0 q0 K2i MDS + F – S[2i+1] F – S[2i] q0 q1 q1 q1 q1 q0 A A d e d e h 5 5 M3 M1 <<< <<< q0 q0 q1 B B + S[2i+1] + S[2i] q1 q0 q0 K2i+1 MDS <<<�8 + <<<�9 R1 R0 R3 R2 q q q 0 1 1 d e e d d e e d q1 q1 q0 feedback feedback feedback feedback to�R to�R 0 1 to�R2 to�R3 13 MARS�- General�Structure MARS�- Keyed�Transformation plaintext D3�from D2�from D1�from D0�from mix�transf. mix�transf. mix�transf. mix�transf. + subkey D3�loop D2�loop D1�loop D0�loop forward�mixing optional swap keyed�forward subkeys transformation optional rotation to�the keyed�backwards subkeys right 128-bit�register transformation optional swap backwards�mixing - subkey Keyed�transformation�core ciphertext D3�loop D2�loop D1�loop D0�loop MARS�- Keyed�Transformation�Core MARS�– E-function D3 D2 D1 D0 1 <<< S 32 32 32 32 1 +/– 2 +/– E 32 K[4+2i] 3 >>>13 2 <<< <<<13 >>>13 K[5+2i] <<<�13 3 <<<�5 <<<�5 * Secret-key�cryptography�standards Operating�Modes�Contest Federal Banking International 4�Old�Modes� standards standards standards (CBC,�CFB,�OFB,�ECB) April�2001 NIST ANSI ISO 10�New�Candidates from�Egypt,�Estonia,�Norway,� FIPS�46-1�DES X3.92����DES Sweden,�Thailand,�USA FIPS�46-2�DES ISO�8732 Modes�of� operation Counter�mode FIPS�81�Modes�of X3.106�DES�modes�of�operation of�a�64-bit� Summer�2001 cipher operation 5�Standard�Modes X9.52 Modes�of�operation ISO�10116�Modes�of FIPS�46-3�Triple of�Triple�DES operation 2002 DES of�an�n-bit New�Standard�Modes cipher AES 14 Modes�submitted�to�the�contest�(1) Modes�submitted�to�the�contest�(2) Full�name Authors Institution Full�name Authors Institution A.�A.�Belal,� Alexandria� IGE Infinite�Garble� V.�D.�Gligor, VDG,�Inc.,� 2DEM 2D-Encryption�Mode M.�A.�Abdel- University,� Extension P.�Donescu USA Gawad Egypt KFB Key�Feedback�Mode� NADA,� ABC Accumulated�Block� J.�Håstad,� L.�Knudsen U.�of�Bergen� M.�Naslund Ericsson� Chaining Norway Sweden H.�Lipmaa,� Finland, UCSD,�USA,� OCB Offset�Codebook CTR Counter�Mode P.�Rogaway, Estonia,�USA,� P.�Rogaway Thailand D.�Wagner Thailand PCFB Propagating�Cipher� H.�Hellström StreamSec,� Feedback Sweden IACBC Integrity�Aware�CBC C.�Jutla IBM,�USA XCBC eXtended�CBC� IAPM Integrity�Aware� V.�D.�Gligor, VDG,�Inc.,� C.�Jutla IBM,�USA Encryption P.�Donescu USA Parallalizable�Mode Evaluation�Criteria�for�Modes�of�Operation Evaluation�criteria�(1)� Security Security • resistance�to�attacks • proof�of�security • random�properties�of�the�ciphertext Efficiency Efficiency� Functionality • number�of�calls�of�the�block�cipher • capability�for�parallel�processing • memory/area�requirements • initialization�time� • capability�for�preprocessing Evaluation�criteria�(2) Modes�of�operation:�Current�standard�- CBC Functionality M1 M2 M3 MN-1 MN • security�services .�.�. IV� - confidentiality,�integrity,�authentication • flexibility - variable�lengths�of�blocks�and�keys - different�amount�of�precomputations E E E E E .�.�.� - requirements�on�the�length�of�the�message • vulnerability�to�implementation�errors C C • requirements�on�the�amount�of�keys,�initialization 1 C2 C3 CN-1 N vectors,�random�numbers,�etc. Problems: • error�propagation�and�the�capability�for - No�parallel�processing�of�blocks�from�the�same�packet resynchronization - No�speed-up�by�preprocessing • patent�restrictions - No�integrity�or�authentication 15 Counter�mode Properties�of�existing�and�new�cipher�modes New IV IV+1 IV+2 IV+N-1 IV+N CBC CFB OFB standard .�.�. Proof�of�security E E E E E .�.�.� Parallel�processing decryption� only – K0 K1 K2 KN-1 KN M M M M M1 2 N-1 N Preprocessing 0 – – Integrity�and C C C C C Features:0 1 2 N-1 N authentication – – – +�Potential�for�parallel�processing Resistance +�Speed-up�by�preprocessing to�implementation – - No�integrity�or�authentication errors Encryption�with�authentication OCB Full�name Authors Institutions Control�sum IV 0 M1 M2 MN-1 MN IACBC Integrity�Aware�CBC C. Jutla IBM length (patent) g(L) IAPM Integrity�Aware C. Jutla IBM E Z1 Z2 ZN-1 ZN Parallalizable Mode (patent) ZN XCBC- eXtended CBC� V.�D. Gligor, VDG,�Inc., L E E .�.�. E E E XOR Encryption P. Donescu (patent) E XECB- eXtended ECB� V.�D. Gligor, VDG,�Inc., τ bits Z1 Z2 ZN-1 MN XOR Encryption P. Donescu (patent) R C C2 CN-1 CN T OCB Offset�Codebook P. Rogaway UCSD, USA, 1 Thailand Zi=f(L,�R)� 16