DOCSLIB.ORG

Report on the Development of the Advanced Encryption Standard (AES)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Report on the Development of the Advanced Encryption Standard (AES) Volume 106, Number 3, May–June 2001 Journal of Research of the National Institute of Standards and Technology [J. Res. Natl. Inst. Stand. Technol. 106, 511–577 (2001)] Report on the Development of the Advanced Encryption Standard (AES) Volume 106 Number 3 May–June 2001 James Nechvatal, Elaine Barker, In 1997, the National Institute of Standards NIST has decided to propose Rijndael as Lawrence Bassham, William and Technology (NIST) initiated a pro- the Advanced Encryption Standard Burr, Morris Dworkin, James cess to select a symmetric-key encryption (AES). The research results and rationale algorithm to be used to protect sensitive for this selection are documented in this Foti, and Edward Roback (unclassified) Federal information in report. furtherance of NIST’s statutory responsi- National Institute of Standards and bilities. In 1998, NIST announced the Technology, acceptance of 15 candidate algorithms Key words: Advanced Encryption Gaithersburg, MD 20899-8930 and requested the assistance of the Standard (AES); cryptography; cryptanaly- cryptographic research community in sis; cryptographic algorithms; encryption; analyzing the candidates. This analysis Rijndael. [email protected] included an initial examination of the [email protected] security and efficiency characteristics for [email protected] each algorithm. NIST reviewed the results of this preliminary research and Accepted: March 2, 2001 [email protected] selected MARS, RC, Rijndael, Serpent [email protected] and Twofish as finalists. Having reviewed [email protected] further public analysis of the finalists, Available online: http://www.nist.gov/jres Contents 1. Overview of the Development Process for the Advanced Encryption Standard and Summary of Round 2 Evaluations ........................ 515 1.1 Background................................................. 515 1.2 Overview of the Finalists...................................... 515 1.3 Evaluation Criteria ........................................... 516 1.4 Results from Round 2 ........................................ 517 1.5 The Selection Process......................................... 518 1.6 Organization of this Report .................................... 518 2. Selection Issues and Methodology ................................... 518 2.1 Approach to Selection ........................................ 518 2.2 Quantitative vs Qualitative Review .............................. 518 2.3 Number of AES Algorithms ................................... 518 2.4 Backup Algorithm ........................................... 519 2.5 Modifying the Algorithms ..................................... 520 511 Volume 106, Number 3, May–June 2001 Journal of Research of the National Institute of Standards and Technology 3. Technical Details of the Round 2 Analysis ............................ 520 3.1 Notes on Section............................................. 520 3.2 General Security ............................................. 520 3.2.1 Attacks on Reduced-Round Variants....................... 522 3.2.1.1 MARS ....................................... 522 3.2.1.2 RC6 ......................................... 523 3.2.1.3 Rijndael ...................................... 523 3.2.1.4 Serpent ....................................... 523 3.2.1.5 Twofish ...................................... 523 3.2.2 Security Margin ....................................... 524 3.2.3 Design Paradigms and Ancestry .......................... 525 3.2.4 Simplicity ............................................ 526 3.2.5 Statistical Testing ...................................... 526 3.2.6 Other Security Observations ............................. 526 3.2.7 Summary of Security Characteristics of the Finalists.......... 528 3.3 Software Implementations ..................................... 529 3.3.1 Machine Word Size .................................... 529 3.3.2 Other Architectural Issues ............................... 529 3.3.3 Software Implementation Languages....................... 529 3.3.4 Variation of Speed with Key Size ......................... 530 3.3.5 Summary of Speed on General Software Platforms ........... 530 3.3.6 Variation of Speed with Mode............................ 531 3.4 Restricted-Space Environments ................................. 532 3.4.1 A Case Study ......................................... 532 3.4.1.1 Notes on the Finalists ........................... 532 3.4.1.2 Comparison of the Finalists ...................... 533 3.4.2 A Second Case Study................................... 534 3.4.2.1 Notes on the Finalists ........................... 534 3.4.2.2 Comparison of the Finalists ...................... 535 3.5 Hardware Implementations..................................... 535 3.5.1 Architectural Options ................................... 535 3.5.1.1 The Basic Architecture .......................... 535 3.5.1.2 Internal Pipelinine .............................. 536 3.5.1.3 Loop Unrolling ................................ 536 3.5.1.4 External Pipelining ............................. 536 3.5.1.5 Hybrid Pipelining .............................. 536 3.5.2 Design Methodologies and Goals ......................... 536 3.5.3 Field Programmable Gate Arrays ......................... 536 3.5.3.1 Operations and Their Implementation .............. 537 3.5.3.2 A Case Study.................................. 537 3.5.3.2.1 Notes on the Four Finalists Implemented. 538 3.5.3.2.2 Comparison of the Four Implemented Finalists ............................. 539 3.5.3.3 A Second Case Study ........................... 540 3.5.3.3.1 Notes on the Finalists .................. 540 3.5.3.3.2 Comparison of the Finalists ............. 541 3.5.3.4 A Third Case Study............................. 542 3.5.3.4.1 Notes on the Finalists .................. 542 3.5.3.4.2 Comparison of the Finalists ............. 543 3.5.3.5 A Fourth Case Study............................ 543 3.5.3.5.1 Notes on the Finalists .................. 544 3.5.3.5.2 Comparison of the Finalists ............. 544 3.5.3.6 Overall Summary of FPGA Implementations ........ 544 512 Volume 106, Number 3, May–June 2001 Journal of Research of the National Institute of Standards and Technology 3.5.4 Application Specific Integrated Circuits .................... 545 3.5.4.1 A Case Study.................................. 545 3.5.4.1.1 Notes on the Finalists .................. 545 3.5.4.1.2 Comparison of the Finalists ............. 546 3.5.4.2 A Second Case Study ........................... 546 3.5.4.2.1 Notes on the Finalists .................. 547 3.5.4.2.2 Comparison of the Finalists ............. 547 3.5.5 Comparison of All Hardware Results ...................... 547 3.6 Attacks on Implementations.................................... 548 3.6.1 Timing and Power Attacks............................... 549 3.6.2 The Role of Operations ................................. 549 3.6.3 Implicit Key Schedule Weaknesses........................ 550 3.6.3.1 A Power Analysis Variant ....................... 550 3.6.3.2 A Second Power Analysis Variant ................. 550 3.6.4 Defenses Against Implementation-Dependent Attacks ......... 550 3.6.4.1 A Case Study in Defense ........................ 551 3.6.4.1.1 Notes on the Finalists .................. 551 3.6.4.1.2 Comparison of the Finalists ............. 552 3.7 Encryption vs Decryption...................................... 552 3.8 Key Agility ............ 553 3.9 Other Versatility and Flexibility ................................ 554 3.9.1 Parameter Flexibility ................................... 554 3.9.2 Implementation Flexibility ............................... 554 3.10 Potential for Instruction-Level Parallelism ........................ 555 4. Intellectual Property Issues ......................................... 556 5. Finalist Profiles .................................................. 557 5.1 MARS ..................................................... 557 5.1.1 General Security ....................................... 557 5.1.2 Software Implementations ............................... 557 5.1.3 Restricted-Space Environments ........................... 557 5.1.4 Hardware Implementations............................... 557 5.1.5 Attacks on Implementations.............................. 557 5.1.6 Encryption vs Decryption................................ 557 5.1.7 Key Agility ........................................... 557 5.1.8 Other Versatility and Flexibility .......................... 557 5.1.9 Potential for Instruction-Level Parallelism .................. 557 5.2 RC6....................................................... 558 5.2.1 General Security ....................................... 558 5.2.2 Software Implementations ............................... 558 5.2.3 Restricted-Space Environments ........................... 558 5.2.4 Hardware Implementations............................... 558 5.2.5 Attacks on Implementations.............................. 558 5.2.6 Encryption vs Decryption................................ 558 5.2.7 Key Agility ........................................... 558 5.2.8 Other Versatility and Flexibility .......................... 558 5.2.9 Potential for Instruction-Level Parallelism .................. 558 5.3 Rijndael.................................................... 558 5.3.1 General Security ....................................... 558 5.3.2 Software Implementations ............................... 558 5.3.3 Restricted-Space Environments ........................... 559 5.3.4 Hardware Implementations..............................
Load more

Recommended publications
  • Grade 6 Reading Student At–Home Activity Packet
    Printer Warning: This packet is lengthy. Determine whether you want to print both sections, or only print Section 1 or 2. Grade 6 Reading Student At–Home Activity Packet This At–Home Activity packet includes two parts, Section 1 and Section 2, each with approximately 10 lessons in it. We recommend that your student complete one lesson each day. Most lessons can be completed independently. However, there are some lessons that would benefit from the support of an adult. If there is not an adult available to help, don’t worry! Just skip those lessons. Encourage your student to just do the best they can with this content—the most important thing is that they continue to work on their reading! Flip to see the Grade 6 Reading activities included in this packet! © 2020 Curriculum Associates, LLC. All rights reserved. Section 1 Table of Contents Grade 6 Reading Activities in Section 1 Lesson Resource Instructions Answer Key Page 1 Grade 6 Ready • Read the Guided Practice: Answers will vary. 10–11 Language Handbook, Introduction. Sample answers: Lesson 9 • Complete the 1. Wouldn’t it be fun to learn about Varying Sentence Guided Practice. insect colonies? Patterns • Complete the 2. When I looked at the museum map, Independent I noticed a new insect exhibit. Lesson 9 Varying Sentence Patterns Introduction Good writers use a variety of sentence types. They mix short and long sentences, and they find different ways to start sentences. Here are ways to improve your writing: Practice. Use different sentence types: statements, questions, imperatives, and exclamations. Use different sentence structures: simple, compound, complex, and compound-complex.
    [Show full text]
  • Vector Boolean Functions: Applications in Symmetric Cryptography
    Vector Boolean Functions: Applications in Symmetric Cryptography José Antonio Álvarez Cubero Departamento de Matemática Aplicada a las Tecnologías de la Información y las Comunicaciones Universidad Politécnica de Madrid This dissertation is submitted for the degree of Doctor Ingeniero de Telecomunicación Escuela Técnica Superior de Ingenieros de Telecomunicación November 2015 I would like to thank my wife, Isabel, for her love, kindness and support she has shown during the past years it has taken me to finalize this thesis. Furthermore I would also liketo thank my parents for their endless love and support. Last but not least, I would like to thank my loved ones such as my daughter and sisters who have supported me throughout entire process, both by keeping me harmonious and helping me putting pieces together. I will be grateful forever for your love. Declaration The following papers have been published or accepted for publication, and contain material based on the content of this thesis. 1. [7] Álvarez-Cubero, J. A. and Zufiria, P. J. (expected 2016). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software. (In Press: http://toms.acm.org/Upcoming.html) 2. [6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. Cryptography and Security in Computing, Jaydip Sen (Ed.), http://www.intechopen.com/books/cryptography-and-security-in-computing/ cryptographic-criteria-on-vector-boolean-functions. (Published) 3. [5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective.
    [Show full text]
  • The First Biclique Cryptanalysis of Serpent-256
    The First Biclique Cryptanalysis of Serpent-256 Gabriel C. de Carvalho1, Luis A. B. Kowada1 1Instituto de Computac¸ao˜ – Universidade Federal Fluminense (UFF) – Niteroi´ – RJ – Brazil Abstract. The Serpent cipher was one of the finalists of the AES process and as of today there is no method for finding the key with fewer attempts than that of an exhaustive search of all possible keys, even when using known or chosen plaintexts for an attack. This work presents the first two biclique attacks for the full-round Serpent-256. The first uses a dimension 4 biclique while the second uses a dimension 8 biclique. The one with lower dimension covers nearly 4 complete rounds of the cipher, which is the reason for the lower time complex- ity when compared with the other attack (which covers nearly 3 rounds of the cipher). On the other hand, the second attack needs a lot less pairs of plain- texts for it to be done. The attacks require 2255:21 and 2255:45 full computations of Serpent-256 using 288 and 260 chosen ciphertexts respectively with negligible memory. 1. Introduction The Serpent cipher is, along with MARS, RC6, Twofish and Rijindael, one of the AES process finalists [Nechvatal et al. 2001] and has not had, since its proposal, its full round versions attacked. It is a Substitution Permutation Network (SPN) with 32 rounds, 128 bit block size and accepts keys of sizes 128, 192 and 256 bits. Serpent has been targeted by several cryptanalysis [Kelsey et al. 2000, Biham et al. 2001b, Biham et al.
    [Show full text]
  • Public Key Cryptography And
    PublicPublic KeyKey CryptographyCryptography andand RSARSA Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/ Washington University in St. Louis CSE571S ©2011 Raj Jain 9-1 OverviewOverview 1. Public Key Encryption 2. Symmetric vs. Public-Key 3. RSA Public Key Encryption 4. RSA Key Construction 5. Optimizing Private Key Operations 6. RSA Security These slides are based partly on Lawrie Brown’s slides supplied with William Stallings’s book “Cryptography and Network Security: Principles and Practice,” 5th Ed, 2011. Washington University in St. Louis CSE571S ©2011 Raj Jain 9-2 PublicPublic KeyKey EncryptionEncryption Invented in 1975 by Diffie and Hellman at Stanford Encrypted_Message = Encrypt(Key1, Message) Message = Decrypt(Key2, Encrypted_Message) Key1 Key2 Text Ciphertext Text Keys are interchangeable: Key2 Key1 Text Ciphertext Text One key is made public while the other is kept private Sender knows only public key of the receiver Asymmetric Washington University in St. Louis CSE571S ©2011 Raj Jain 9-3 PublicPublic KeyKey EncryptionEncryption ExampleExample Rivest, Shamir, and Adleman at MIT RSA: Encrypted_Message = m3 mod 187 Message = Encrypted_Message107 mod 187 Key1 = <3,187>, Key2 = <107,187> Message = 5 Encrypted Message = 53 = 125 Message = 125107 mod 187 = 5 = 125(64+32+8+2+1) mod 187 = {(12564 mod 187)(12532 mod 187)... (1252 mod 187)(125 mod 187)} mod 187 Washington University in
    [Show full text]
  • Rc-6 Cryptosystem in Vhdl
    RC-6 CRYPTOSYSTEM IN VHDL BY:- Deepak Singh Samant OBJECTIVE: TO IMPLEMENT A CRYPTOSYSTEM USING RIVEST CIPHER-6 (RC6) ALGORITHM IN VHDL(FPGA) What is CRYPTOLOGY? CRYPTOGRAPHY is the art and science of achieving security by encoding message to make them non-readable . CRYPTANALYSIS is the technique of decoding messages from a non-readable format back to readable format without knowing how they were initially converted from readable format to non-readable format. CRYPTOGRAPHY + = CRYPTOLOGY CRYPTANALYSIS Cryptography Overview: Comm. E(k) N/W D(k) Key Set K Key Set K Types Of Attacks: . General View: 1.Criminal Attack 2.Publicity Attack 3.Legal Attack .Technical View: oPassive Attacks oActive Attacks Release of message Interruption Traffic Attacks Modification Fabrication Symmetric key cryptography If same key is used for encryption and decryption,we call the mechanism as symmetric key cryptography. It has the key distribution problem. Symmetric key cryptography Algorithm DES IDEA RC4 RC5 BLOW AES FISH AES: US government wanted to standardize a cryptographic algorithm,which was to be used universally by them.It was to be called as the Advanced Encryption Standard(AES). Among various proposal submitted,only 5 were short listed: 1.Rijndael 3.Serpent 5.MARS 2.Twofish 4.RC6 LITERATURE SURVEY • Comparison: (1) MARS: Its throughput in the studies was generally low. Therefore, its efficiency (throughput/area) was uniformly less than the other finalists. (2) RC6 throughput is generally average. RC6 seems to perform relatively better in pipelined implementations, non-feedback mode (3) Rijndael: good performance in fully pipelined implementations. Efficiency is generally very good. 4) Serpent: feedback mode encryption.
    [Show full text]
  • Impossible Differentials in Twofish
    Twofish Technical Report #5 Impossible differentials in Twofish Niels Ferguson∗ October 19, 1999 Abstract We show how an impossible-differential attack, first applied to DEAL by Knudsen, can be applied to Twofish. This attack breaks six rounds of the 256-bit key version using 2256 steps; it cannot be extended to seven or more Twofish rounds. Keywords: Twofish, cryptography, cryptanalysis, impossible differential, block cipher, AES. Current web site: http://www.counterpane.com/twofish.html 1 Introduction 2.1 Twofish as a pure Feistel cipher Twofish is one of the finalists for the AES [SKW+98, As mentioned in [SKW+98, section 7.9] and SKW+99]. In [Knu98a, Knu98b] Lars Knudsen used [SKW+99, section 7.9.3] we can rewrite Twofish to a 5-round impossible differential to attack DEAL. be a pure Feistel cipher. We will demonstrate how Eli Biham, Alex Biryukov, and Adi Shamir gave the this is done. The main idea is to save up all the ro- technique the name of `impossible differential', and tations until just before the output whitening, and applied it with great success to Skipjack [BBS99]. apply them there. We will use primes to denote the In this report we show how Knudsen's attack can values in our new representation. We start with the be applied to Twofish. We use the notation from round values: [SKW+98] and [SKW+99]; readers not familiar with R0 = ROL(Rr;0; (r + 1)=2 ) the notation should consult one of these references. r;0 b c R0 = ROR(Rr;1; (r + 1)=2 ) r;1 b c R0 = ROL(Rr;2; r=2 ) 2 The attack r;2 b c R0 = ROR(Rr;3; r=2 ) r;3 b c Knudsen's 5-round impossible differential works for To get the same output we update the rule to com- any Feistel cipher where the round function is in- pute the output whitening.
    [Show full text]
  • Multiple New Formulas for Cipher Performance Computing
    International Journal of Network Security, Vol.20, No.4, PP.788-800, July 2018 (DOI: 10.6633/IJNS.201807 20(4).21) 788 Multiple New Formulas for Cipher Performance Computing Youssef Harmouch1, Rachid Elkouch1, Hussain Ben-azza2 (Corresponding author: Youssef Harmouch) Department of Mathematics, Computing and Networks, National Institute of Posts and Telecommunications1 10100, Allal El Fassi Avenue, Rabat, Morocco (Email:[email protected] ) Department of Industrial and Production Engineering, Moulay Ismail University2 National High School of Arts and Trades, Mekns, Morocco (Received Apr. 03, 2017; revised and accepted July 17, 2017) Abstract are not necessarily commensurate properties. For exam- ple, an online newspaper will be primarily interested in Cryptography is a science that focuses on changing the the integrity of their information while a financial stock readable information to unrecognizable and useless data exchange network may define their security as real-time to any unauthorized person. This solution presents the availability and information privacy [14, 23]. This means main core of network security, therefore the risk analysis that, the many facets of the attribute must all be iden- for using a cipher turn out to be an obligation. Until now, tified and adequately addressed. Furthermore, the secu- the only platform for providing each cipher resistance is rity attributes are terms of qualities, thus measuring such the cryptanalysis study. This cryptanalysis can make it quality terms need a unique identification for their inter- hard to compare ciphers because each one is vulnerable to pretations meaning [20, 24]. Besides, the attributes can a different kind of attack that is often very different from be interdependent.
    [Show full text]
  • Block Ciphers
    Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher KE KD untrusted communication link Alice E D Bob #%AR3Xf34^$ “Attack at Dawn!!” message encryption (ciphertext) decryption “Attack at Dawn!!” Encryption key is the same as the decryption key (KE = K D) CR 2 Block Cipher : Encryption Key Length Secret Key Plaintext Ciphertext Block Cipher (Encryption) Block Length • A block cipher encryption algorithm encrypts n bits of plaintext at a time • May need to pad the plaintext if necessary • y = ek(x) CR 3 Block Cipher : Decryption Key Length Secret Key Ciphertext Plaintext Block Cipher (Decryption) Block Length • A block cipher decryption algorithm recovers the plaintext from the ciphertext. • x = dk(y) CR 4 Inside the Block Cipher PlaintextBlock (an iterative cipher) Key Whitening Round 1 key1 Round 2 key2 Round 3 key3 Round n keyn Ciphertext Block • Each round has the same endomorphic cryptosystem, which takes a key and produces an intermediate ouput • Size of the key is huge… much larger than the block size. CR 5 Inside the Block Cipher (the key schedule) PlaintextBlock Secret Key Key Whitening Round 1 Round Key 1 Round 2 Round Key 2 Round 3 Round Key 3 Key Expansion Expansion Key Key Round n Round Key n Ciphertext Block • A single secret key of fixed size used to generate ‘round keys’ for each round CR 6 Inside the Round Function Round Input • Add Round key : Add Round Key Mixing operation between the round input and the round key. typically, an ex-or operation Confusion Layer • Confusion layer : Makes the relationship between round Diffusion Layer input and output complex.
    [Show full text]
  • On the NIST Lightweight Cryptography Standardization
    On the NIST Lightweight Cryptography Standardization Meltem S¨onmez Turan NIST Lightweight Cryptography Team ECC 2019: 23rd Workshop on Elliptic Curve Cryptography December 2, 2019 Outline • NIST's Cryptography Standards • Overview - Lightweight Cryptography • NIST Lightweight Cryptography Standardization Process • Announcements 1 NIST's Cryptography Standards National Institute of Standards and Technology • Non-regulatory federal agency within U.S. Department of Commerce. • Founded in 1901, known as the National Bureau of Standards (NBS) prior to 1988. • Headquarters in Gaithersburg, Maryland, and laboratories in Boulder, Colorado. • Employs around 6,000 employees and associates. NIST's Mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. 2 NIST Organization Chart Laboratory Programs Computer Security Division • Center for Nanoscale Science and • Cryptographic Technology Technology • Secure Systems and Applications • Communications Technology Lab. • Security Outreach and Integration • Engineering Lab. • Security Components and Mechanisms • Information Technology Lab. • Security Test, Validation and • Material Measurement Lab. Measurements • NIST Center for Neutron Research • Physical Measurement Lab. Information Technology Lab. • Advanced Network Technologies • Applied and Computational Mathematics • Applied Cybersecurity • Computer Security • Information Access • Software and Systems • Statistical
    [Show full text]
  • Internet Engineering Task Force (IETF) S. Kanno Request for Comments: 6367 NTT Software Corporation Category: Informational M
    Internet Engineering Task Force (IETF) S. Kanno Request for Comments: 6367 NTT Software Corporation Category: Informational M. Kanda ISSN: 2070-1721 NTT September 2011 Addition of the Camellia Cipher Suites to Transport Layer Security (TLS) Abstract This document specifies forty-two cipher suites for the Transport Security Layer (TLS) protocol to support the Camellia encryption algorithm as a block cipher. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6367. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
    [Show full text]
  • Serpent: a Proposal for the Advanced Encryption Standard
    Serpent: A Proposal for the Advanced Encryption Standard Ross Anderson1 Eli Biham2 Lars Knudsen3 1 Cambridge University, England; email [email protected] 2 Technion, Haifa, Israel; email [email protected] 3 University of Bergen, Norway; email [email protected] Abstract. We propose a new block cipher as a candidate for the Ad- vanced Encryption Standard. Its design is highly conservative, yet still allows a very efficient implementation. It uses S-boxes similar to those of DES in a new structure that simultaneously allows a more rapid avalanche, a more efficient bitslice implementation, and an easy anal- ysis that enables us to demonstrate its security against all known types of attack. With a 128-bit block size and a 256-bit key, it is as fast as DES on the market leading Intel Pentium/MMX platforms (and at least as fast on many others); yet we believe it to be more secure than three-key triple-DES. 1 Introduction For many applications, the Data Encryption Standard algorithm is nearing the end of its useful life. Its 56-bit key is too small, as shown by a recent distributed key search exercise [28]. Although triple-DES can solve the key length problem, the DES algorithm was also designed primarily for hardware encryption, yet the great majority of applications that use it today implement it in software, where it is relatively inefficient. For these reasons, the US National Institute of Standards and Technology has issued a call for a successor algorithm, to be called the Advanced Encryption Standard or AES.
    [Show full text]
  • Choosing Key Sizes for Cryptography
    information security technical report 15 (2010) 21e27 available at www.sciencedirect.com www.compseconline.com/publications/prodinf.htm Choosing key sizes for cryptography Alexander W. Dent Information Security Group, University Of London, Royal Holloway, UK abstract After making the decision to use public-key cryptography, an organisation still has to make many important decisions before a practical system can be implemented. One of the more difficult challenges is to decide the length of the keys which are to be used within the system: longer keys provide more security but mean that the cryptographic operation will take more time to complete. The most common solution is to take advice from information security standards. This article will investigate the methodology that is used produce these standards and their meaning for an organisation who wishes to implement public-key cryptography. ª 2010 Elsevier Ltd. All rights reserved. 1. Introduction being compromised by an attacker). It also typically means a slower scheme. Most symmetric cryptographic schemes do The power of public-key cryptography is undeniable. It is not allow the use of keys of different lengths. If a designer astounding in its simplicity and its ability to provide solutions wishes to offer a symmetric scheme which provides different to many seemingly insurmountable organisational problems. security levels depending on the key size, then the designer However, the use of public-key cryptography in practice is has to construct distinct variants of a central design which rarely as simple as the concept first appears. First one has to make use of different pre-specified key lengths.
    [Show full text]