Camellia: a 128-Bit Block Cipher Suitable for Multiple Platforms

Copyright NTT and Mitsubishi Electric Corporation 2000-2001

Kazumaro Aoki†, Tetsuya Ichikawa‡, Masayuki Kanda†,
Mitsuru Matsui‡, Shiho Moriai†, Junko Nakajima‡, Toshio Tokita‡

† Nippon Telegraph and Telephone Corporation
1-1 Hikarinooka, Yokosuka, Kanagawa, 239-0847 Japan
{maro,kanda,shiho}@isl.ntt.co.jp

‡ Mitsubishi Electric Corporation
5-1-1 Ofuna, Kamakura, Kanagawa, 247-8501 Japan
{ichikawa,matsui,june15,tokita}@iss.isl.melco.co.jp

Version 1.0: July 13, 2000
Version 2.0: September 26, 2001

Abstract. We present a new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. Compared to the AES finalists, i.e. MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (1.13GHz) at the rate of 471 Mbits per second. In addition, a distinguishing feature is its small hardware design. A hardware implementation, which includes encryption, decryption, and the key schedule for 128-bit keys, occupies only 8.12K gates using a 0.18μm CMOS ASIC library. This is in the smallest class among all existing 128-bit block ciphers.


Contents

1 Introduction
2 Design Rationale
  2.1 F-function
  2.2 P-function
  2.3 s-boxes
  2.4 FL- and FL^-1-functions
  2.5 Key Schedule
3 Performance Figures
  3.1 Software Performance
  3.2 Hardware Performance
4 Software Implementation Techniques
  4.1 Setup
  4.2 Data Randomization
  4.3 General Guidelines
5 Hardware Evaluations
  5.1 Type 1: Fast Implementation-1 (Fully loop unrolled architecture)
  5.2 Type 2: Small Implementation-1 (Loop architecture)
  5.3 Type 3: Small Implementation-2 (Special case for FPGA, Loop architecture)
  5.4 Type 4: Fast Implementation-2 (Pipeline architecture)
6 Security
  6.1 Differential and Linear Cryptanalysis
  6.2 Truncated Differential Cryptanalysis
  6.3 Truncated Linear Cryptanalysis
  6.4 Cryptanalysis with Impossible Differential
  6.5 Boomerang Attack
  6.6 Higher Order Differential Attack
  6.7 Square Attack
  6.8 Interpolation Attack and Linear Sum Attack
  6.9 No Equivalent Keys
  6.10 Slide Attack
  6.11 Related-key Attack
  6.12 Statistical Tests
  6.13 Implementation Attacks
  6.14 Brute Force Attacks
7 Conclusion
A History


1 Introduction

This paper presents a 128-bit block cipher called Camellia, which was jointly developed by NTT and Mitsubishi Electric Corporation. Camellia supports 128-bit block size and 128-, 192-, and 256-bit key lengths, and so offers the same interface specifications as the Advanced Encryption Standard (AES). The design goals of Camellia are as follows.

High level of security. The recent advances in cryptanalytic techniques are remarkable. A quantitative evaluation of security against powerful cryptanalytic techniques such as differential cryptanalysis [BS93] and linear cryptanalysis [M94] is considered to be essential in designing any new block cipher. We evaluated the security of Camellia by utilizing state-of-the-art cryptanalytic techniques. We have confirmed that Camellia has no differential and linear characteristics that hold with probability more than 2^-128. Moreover, Camellia was designed to offer security against other advanced cryptanalytic attacks including higher order differential attacks [K95, JK97], interpolation attacks [JK97, A00], related-key attacks [B94, KSW96], truncated differential attacks [K95, MT99], boomerang attacks [W99], and slide attacks [BW99, BW00].

Efficiency on multiple platforms. As cryptographic systems are needed in various applications, encryption algorithms that can be implemented efficiently on a wide range of platforms are desirable; however, few 128-bit block ciphers are suitable for both software and hardware implementation. Camellia was designed to offer excellent efficiency in hardware and software implementations, including gate count for hardware design, memory requirements in smart card implementations, as well as performance on multiple platforms.

Camellia consists of only 8-by-8-bit substitution tables (s-boxes) and logical operations that can be efficiently implemented on a wide variety of platforms. Therefore, it can be implemented efficiently in software, including the 8-bit processors used in low-end smart cards, 32-bit processors widely used in PCs, and 64-bit processors. Camellia doesn't use 32-bit integer additions and multiplications, which are extensively used in some software-oriented 128-bit block ciphers. Such operations perform well on platforms providing a high degree of support, e.g., Pentium II/III or Athlon, but not as well on others. These operations can cause a longer critical path and larger hardware implementation requirements.

The s-boxes of Camellia are designed to minimize hardware size. The four s-boxes are affine equivalent to the inversion function in the finite field GF(2^8). Moreover, we reduced the inversion function in GF(2^8) to a few GF(2^4) arithmetic operations. It enabled us to implement the s-boxes by fewer gate counts.

The key schedule is very simple and shares part of its procedure with encryption. It supports on-the-fly subkey generation and subkeys are computable in any order. The memory requirement for generating subkeys is quite small; an efficient implementation requires about 32-byte RAM for 128-bit keys and about 64-byte RAM for 192- and 256-bit keys.

Standardization activities. In March 2000 NTT and Mitsubishi Electric Corporation proposed Camellia in response to the call for contributions from ISO/IEC JTC 1/SC 27, aiming at its being adopted as an international standard. In September 2000, we submitted Camellia to the NESSIE (New European Schemes for Signature, Integrity, and Encryption) project as a strong cryptographic primitive. In September 2001, Camellia was selected as a candidate for the 2nd Phase of the NESSIE project.

Outline of the paper. This paper is organized as follows: Section 2 describes the rationale behind Camellia's design. Section 3 discusses the performance of Camellia. Section 4 contains the techniques for software implementation. In Section 5 we discuss our hardware evaluations. In Section 6 we evaluate Camellia's strength against known attacks. We conclude in Section 7.

For the specification of Camellia, please see the separate document titled "Specification of Camellia – a 128-bit Block Cipher." We will follow the definitions and notation given in this separate paper.


2 Design Rationale

2.1 F-function

The design strategy of the F-function of Camellia follows that of the F-function of E2 [KMA+98]. The main difference between E2 and Camellia is the adoption of the 1-round (conservative) SPN (Substitution-Permutation Network), not the 2-round SPN, i.e. S-P-S. When the 1-round SPN is used as the round function in a Feistel cipher, the theoretical evaluation of the upper bound of differential and linear characteristic probability becomes more complicated, but the speed under the same level of "real" security is expected to be improved. See Section 6 for detailed discussions on security.

2.2 P-function

The design rationale of the P-function is similar to that of the P-function of E2. That is, for computational efficiency, it should be represented using only bytewise exclusive-ORs and for security against differential and linear cryptanalysis, its branch number should be optimal [KTM+99]. From among the linear transformations that satisfy these conditions, we chose one considering highly efficient implementation on 32-bit processors [AU00] and high-end smart cards, as well as 8-bit processors.

2.3 s-boxes

As the s-boxes we adopted functions affine equivalent to the inversion function in GF(2^8) for enhanced security and small hardware design.

It is well known that the smallest of the maximum differential probability of functions in GF(2^8) was proven to be 2^-6, and the smallest of the maximum linear probability of functions in GF(2^8) is conjectured to be 2^-6. There is a function affine equivalent to the inversion function in GF(2^8) that achieves the best known of the maximum differential and linear probabilities, 2^-6. We choose this kind of functions as s-boxes. Moreover, the high degree of the Boolean polynomial of every output bit of the s-boxes makes it difficult to attack Camellia by higher order differential attacks. The two affine functions that are performed at the input and output of the inversion function in GF(2^8) complicate the expressions of the s-boxes in GF(2^8), which makes interpolation attacks ineffective. Making the four s-boxes different slightly improves security against truncated differential cryptanalysis [MT99].

For small hardware design, the elements in GF(2^8) can be represented as polynomials with coefficients in the subfield GF(2^4). In other words, we can implement the s-boxes by using a few operations in the subfield GF(2^4) [MIYY88]. Two affine functions at the input and output of the inversion function in GF(2^8) also play a role in complicating the expressions of the s-boxes in GF(2^4).

2.4 FL- and FL^-1-functions

FL- and FL^-1-functions are "inserted" between every 6 rounds of a Feistel network to provide non-regularity across rounds. One of the goals for such a design is to thwart future unknown attacks. It is one of the merits of regular Feistel networks that encryption and decryption procedures are the same except for the order of the subkeys. In Camellia, FL/FL^-1-function layers are inserted every 6 rounds, but this property is still preserved.

The design criteria of FL- and FL^-1-functions are similar to those of the FL-function of MISTY [M97]. The difference between MISTY and Camellia is the addition of 1-bit rotation. This is expected to make bytewise cryptanalysis harder, but it has no negative impact on hardware size or speed. The design criteria are that these functions must be linear for any fixed key and that their forms depend on key values. Since these functions are linear as long as the key is fixed, they do not make the average differential and linear probabilities of the cipher higher. Moreover, these functions are fast in both software and hardware since they are constructed by logical operations such as AND, OR, XOR, and rotations.

2.5 Key Schedule

The design criteria of the key schedule are as follows.

1. It should be simple and share part of its procedure with encryption/decryption.

2. Subkey generation for 128-, 192- and 256-bit keys can be performed by using the same key schedule (circuit). Moreover, the key schedule for 128-bit keys can be performed by using a part of this circuit.

3. Key setup time should be shorter than encryption time.
   In cases where large amounts of data are processed with a single secret key, the setup time for key scheduling may be unimportant. On the other hand, in applications in which the key is changed frequently, key agility is a factor. One basic component of key agility is key setup time.

4. It should support on-the-fly subkey generation.

5. On-the-fly subkey generation should be computable in the same way in both encryption and decryption.
   Some ciphers have separate key schedules for encryption and decryption. In other ciphers, e.g., Rijndael [DR98] or Serpent [ABK98], subkeys are computable in the forward direction only and require unwinding for decryption.

6. There should be no equivalent keys.

7. There should be no related-key attacks or slide attacks.

Criteria 1 and 2 mainly address small hardware requirements, Criteria 3, 4, and 5 are advantageous in terms of practical applications, and Criteria 6 and 7 are for security.

The memory requirement for generating subkeys is quite small. An efficient implementation of Camellia for 128-bit keys requires 16 bytes (=128 bits) for the original secret key, K_L, and 16 bytes (=128 bits) for the intermediate key, K_A. Thus the required memory is 32 bytes. Similarly, an efficient implementation of Camellia for 192- and 256-bit keys needs only 64 bytes.


3 Performance Figures

3.1 Software Performance

Table 1 summarizes the current software performance of Camellia on the commonly-used 32-bit and 64-bit processors. Table 2 shows the software performance on the microprocessors used for smart cards and embedded systems, which are equipped with restricted memory. Generally speaking, the first priority of the former is "Speed," while that of the latter is "RAM Usage and ROM Usage." Some of the data are published in [AIK+00a, C01, ISKM01, AIK+00b, Y01a, Y01b], but the others have not been published yet.

The tables show that Camellia can be efficiently implemented on low-end smart cards, 32-bit and 64-bit processors. We use the abbreviations M (mega) for 10^6 and m (milli) for 10^-3 in the tables.

Optimization level. When we coded programs using assembly language, we tried to use many techniques described in Section 4 to achieve the best performance. However, there is room for further improvement.

On the other hand, depending on the C compiler used, different assembly codes are produced from the same C code. This means that the assembly codes are not guaranteed to be optimal, even if the C code is optimized. Thus, we did not spend a long time on optimizing C code.

How to measure speed. It is difficult to measure speed on modern processors since there are many elements, for example, status of cache, that are beyond the user's control and that influence speed. We decided to measure speed under the following conditions and assumptions:

• All codes and data are correctly aligned.

• Input and output texts and codes are preloaded to the first level cache.

• Branch predictions are correct.

• Setup function (except for on-the-fly implementations) generates subkey-dependent constants from the secret key, and the constants are used by encryption or decryption function.

• Encryption (decryption) function except for on-the-fly implementations can encrypt (decrypt) an integral number of blocks.

• We measured the speed many times, and chose the best result to eliminate cache hit misses and other uncontrollable factors.

• We averaged the speed numbers for large block encryption, but the values include all overheads including loop and function calls.

3.2 Hardware Performance

Table 3 represents the recent results on hardware performance of Camellia on ASIC (Application Specific Integrated Circuit) and FPGA (Field Programmable Gate Array). Table 4 shows the environment of our hardware design and evaluation.


Table 4: Hardware evaluation environment (ASIC, FPGA)

Language (ASIC, FPGA):  Verilog-HDL
Design library (ASIC):  Mitsubishi Electric 0.35μm CMOS ASIC library
                        Mitsubishi Electric 0.18μm CMOS ASIC library
                        0.25μm CMOS ASIC library (reported by CRYPTREC Report 2000)
               (FPGA):  Xilinx XC4000XL series
                        Xilinx VirtexE series
Simulator (ASIC, FPGA): Verilog-XL (except for 0.25μm)
          (ASIC):       VCS5.1 (used for 0.25μm)
Logic synthesis (ASIC): Design Compiler version 1998.08 (used for 0.35μm)
                        Design Compiler version 2000.11-SP1 (used for 0.18μm)
                        Design Compiler version 2000.05-1 (used for 0.25μm)
                (FPGA): Synplify version 5.3.1 and ALLIANCE version 2.1i (used for XC4000XL series)
                        Synplify version 6.1.3 and ALLIANCE version 3.3.07i (used for VirtexE series)

Table 5: Hardware design policies (outline)

Type   | Top priority                                                | Outline of logic
-------|-------------------------------------------------------------|-----------------
Type 1 | Fast implementation from the viewpoint of Enc(Dec) speed    | Figure 1
Type 2 | Small implementation from the viewpoint of total logic size | Figure 2
Type 3 | Small implementation (special case for FPGA)                | Figure 3
Type 4 | Pipeline implementation                                     | Figure 4


We evaluated Type 1 through Type 4 logic. Table 5 shows the top priorities of the logic types. The details of each type are described in Section 5.

Table 1: Camellia Software Performance (updated on Aug.31, 2001)

Columns: Processor | Language | Key size [bits] | Key setup(*2) [cycles] | Enc./Dec. [cycles] | Speed [Mbps] | RAM usage(*1): Key setup(*2) [bytes] | RAM usage(*1): Enc./Dec. [bytes] | ROM usage: Total size [bytes] | ROM usage: Key setup(*2) [bytes] | ROM usage: Enc./Dec. [bytes] | ROM usage: Table [bytes] | Reference

Pentium III (*4)     | Assembly    | 128       | 1,570    | 308  | 290.9    | 288 | 20 | 15,012 | 6,788 | 0     | 8,224  | [AIK+00b]
Pentium III (*4)     | Assembly    | 128       | 160      | 371  | 241.5    | 28  | 36 | 11,420 | 1,046 | 2,150 | 8,224  | [AIK+00b]
Pentium III (*4)     | Assembly    | 192       | 222      | 494  | 181.4    | 28  | 36 | 13,032 | 1,469 | 3,323 | 8,240  | [AIK+00b]
Pentium III (*4)     | Assembly    | 256       | 226      | 494  | 181.4    | 28  | 36 | 13,048 | 1,485 | 3,323 | 8,240  | [AIK+00b]
Pentium III (*5)     | Assembly    | 128       | -        | 326  | 255.2    | -   | -  | 29,285 | -     | -     | -      | [C01]
Pentium III (*5)     | Assembly    | 128 (Enc) | 467 (*3) | (*3) | 0.72msec | -   | -  | 20,110 | -     | -     | -      | [C01]
Pentium III (*5)     | Assembly    | 128 (Dec) | 474 (*3) | (*3) | 0.73msec | -   | -  | 20,236 | -     | -     | -      | [C01]
Pentium II (*6)      | ANSI C (*7) | 128       | 263      | 577  | 66.6     | 44  | 64 | 9,461  | 1,600 | 3,733 | 4,128  | [AIK+00b]
Pentium III (*8)     | Java (*9)   | 128       | 9,091    | 793  | 161.4    | -   | -  | -      | -     | -     | -      | Not published
Alpha 21264 (*10)    | Assembly    | 128       | 158      | 326  | 261.9    | 48  | 48 | 21,040 | 1,600 | 2,928 | 16,512 | [AIK+00b]
Alpha 21264 (*10)    | Assembly    | 128       | 118      | 339  | 251.8    | 48  | 48 | 20,736 | 1,132 | 3,076 | 16,528 | [AIK+00b]
Alpha 21264 (*10)    | Assembly    | 192       | 176      | 445  | 191.9    | 48  | 48 | 22,196 | 1,668 | 4,000 | 16,528 | [AIK+00b]
Alpha 21264 (*10)    | Assembly    | 256       | 176      | 445  | 191.9    | 48  | 48 | 22,204 | 1,676 | 4,000 | 16,528 | [AIK+00b]
Alpha 21264 (*11)    | Assembly    | 128       | -        | 282  | 210.2    | -   | -  | 31,552 | -     | -     | -      | [C01]
Alpha 21264 (*11)    | Assembly    | 128 (Enc) | 448 (*3) | (*3) | 0.97msec | -   | -  | 25,792 | -     | -     | -      | [C01]
Alpha 21264 (*11)    | Assembly    | 128 (Dec) | 435 (*3) | (*3) | 0.94msec | -   | -  | 25,792 | -     | -     | -      | [C01]
UltraSPARC IIi (*12) | Assembly    | 128       | -        | 355  | 144.2    | -   | -  | 15,240 | -     | -     | -      | [C01]
UltraSPARC IIi (*12) | Assembly    | 128       | 403 (*3) | (*3) | 1.01msec | -   | -  | 23,992 | -     | -     | -      | [C01]

(*1) The figure includes stack area, and excludes text area and key area.
(*2) Key schedule may be included.
(*3) The figure includes key generation and one block encryption. This is achieved by using the on-the-fly subkey generation.
(*4) IBM PC/AT compatible PC, Intel Pentium III (700MHz), 256KB on-die L2 cache, FreeBSD 4.0R, 128MB main memory.
(*5) IBM PC/AT compatible PC, Intel Pentium III (650MHz), 256KB on-die L2 cache, Windows98 SE, 64MB main memory.
(*6) IBM PC/AT compatible PC, Intel Pentium II (300MHz), 512KB L2 cache, Windows95, 160MB main memory.
(*7) Microsoft Visual C++ 6 with the optimization options /G6 /Zp16 /ML /Ox /Ob2.
(*8) IBM PC/AT compatible PC, Intel Pentium III (1GHz), 256KB on-die L2 cache, Windows2000, 512MB main memory.
(*9) IBM Java Compiler 1.2.2 and IBM Java VM 1.2.2.
(*10) Alpha 21264 (667MHz), Tru64 UNIX 4.0F, 2GB main memory.
(*11) Alpha 21264 (463MHz), Tru64 UNIX V5.1, 512MB main memory.
(*12) Ultra SPARC IIi (400MHz), Solaris 7, 256MB main memory.

Table 2: Camellia Software Performance for Smart Cards and Embedded Systems (updated on Aug.31, 2001)

Columns: Processor | Language | Key size [bits] | Key setup(*1) [cycles] | Enc./Dec. [cycles] | RAM usage: Key setup(*1) [bytes] | RAM usage: Enc./Dec. [bytes] | ROM usage: Total size [bytes] | ROM usage: Key setup(*1) [bytes] | ROM usage: Enc./Dec. [bytes] | ROM usage: Table [bytes] | Key sharing size(*2) [bytes] | Reference

8051 (*7)           | Assembly | 128       | 10,217 (*3) (10.22msec) | (*3)              | 0        | 32 (*4) | 990             | 0     | 702   | 288   | 0              | [AIK+00b]
Z80 (*8)            | Assembly | 128       | 5,146 (1.03msec)        | 28,382 (5.68msec) | 44 (*5)  | 62 (*5) | 1,698           | 358   | 1,183 | 288   | -131           | Not published
Z80 (*8)            | Assembly | 128 (Enc) | 35,951 (*3) (7.19msec)  | (*3)              | 0        | 60 (*5) | 1,268 (Enc+Dec) | -     | 1,023 | -     | -797 (Enc+Dec) | Not published
Z80 (*8)            | Assembly | 128 (Dec) | 37,553 (*3) (7.51msec)  | (*3)              | 0        | 60 (*5) | 1,268 (Enc+Dec) | -     | 1,042 | -     | -797 (Enc+Dec) | Not published
H8/3113 (*9)        | Assembly | 128       | 2,380 (0.95msec)        | 4,100 (1.64msec)  | 208 (*6) | 0       | -               | -     | -     | -     | -              | [Y01a]
MC68HC705B16 (*10)  | Assembly | 128       | 7,500 (3.57msec)        | 9,900 (4.71msec)  | 208 (*6) | 0       | -               | -     | -     | -     | -              | [Y01a]
MC68HC908AB32 (*11) | Assembly | 128       | 5,679 (0.71msec)        | 8,430 (1.05msec)  | 208 (*6) | 0       | -               | -     | -     | -     | -              | [Y01b]
M32Rx/D (*12)       | Assembly | 128       | 642 (6.42msec)          | 1,236 (12.36msec) | 44 (*5)  | 44 (*5) | 8,684           | 1,392 | 3,164 | 4,128 | 0              | [AIK+00b]

(*1) Key schedule may be included.
(*2) Some ROM size may be reduced, since some functions can be shared among key generation, encryption and decryption.
(*3) The figure includes key generation and one block encryption. This is achieved by using the on-the-fly subkey generation.
(*4) The figure includes stack area, and excludes text area and key area.
(*5) The figure includes stack area, text area and key area.
(*6) The figure shows the size of round keys.
(*7) Intel 8051 (12MHz; 1cycle=12 oscillator periods) simulator on Unix.
(*8) Z80 (5MHz) simulator on Windows.
(*9) Hitachi H8/3113 (5MHz; 1cycle=2 oscillator periods) on Hitachi's E6000 Emulator.
(*10) Motorola 6805 series MC68HC705B16 (2.1MHz) on Motorola's In-Circuit Simulator Kits.
(*11) Motorola 6805 series MC68HC908AB32 (8MHz) on Motorola's In-Circuit Simulator Kits.
(*12) Mitsubishi 32-bit microcomputer M32Rx/D (100MHz) on MSA2310 evaluation board.

Table 3: Camellia Hardware Performance (updated on Aug.31, 2001)

Columns: Architecture | Type | Design library | Key size [bits] | Key setup [nsec] | Max. delay(*1) [nsec] | Latency [cycles] | Throughput [Mbps] | Area: Total(*2) [unit] | Area: Key expan.(*3) [unit] | Area: Enc./Dec.(*4) [unit] | Unit | Efficiency: Throughput/Area [Kbps/unit] | Reference

ASIC | Unrolled | Type 1 | Mitsubishi 0.35μm | 128 | 24.36  | 109.35 | 1  | 1,170.55 | 272.82 | 55.91 | 216.91 | Kgate | 4.29   | [AIK+00b]
ASIC | Unrolled | Type 1 | Mitsubishi 0.18μm | 128 | 40.00  | 40.00  | 1  | 3,200.00 | 355.10 | -     | -      | Kgate | 9.01   | Not published
ASIC | Unrolled | Type 1 | Mitsubishi 0.18μm | 128 | 45.96  | 45.96  | 1  | 2,785.00 | 244.90 | -     | -      | Kgate | 11.37  | Not published
ASIC | Loop     | Type 2 | Mitsubishi 0.35μm | 128 | 110.20 | 27.67  | 21 | 220.28   | 11.35  | 4.98  | 6.37   | Kgate | 19.41  | [AIK+00a]
ASIC | Loop     | Type 2 | Mitsubishi 0.35μm | 128 | 117.04 | 28.73  | 21 | 212.16   | 9.66   | 5.75  | 3.91   | Kgate | 21.96  | [AIK+00b]
ASIC | Loop     | Type 2 | Mitsubishi 0.18μm | 128 | 144.88 | 36.22  | 21 | 168.28   | 8.51   | -     | -      | Kgate | 19.77  | Not published
ASIC | Loop     | Type 2 | Mitsubishi 0.18μm | 128 | 25.92  | 6.48   | 21 | 940.62   | 27.46  | -     | -      | Kgate | 34.25  | Not published
ASIC | Loop     | Type 2 | Mitsubishi 0.18μm | 128 | 28.20  | 7.05   | 21 | 864.57   | 21.45  | -     | -      | Kgate | 40.31  | Not published
ASIC | Loop     | Type 2 | Mitsubishi 0.18μm | 128 | 23.20  | 5.80   | 21 | 1,050.90 | 11.87  | -     | -      | Kgate | 88.52  | Not published
ASIC | Loop     | Type 2 | Mitsubishi 0.18μm | 128 | 137.24 | 34.31  | 21 | 177.65   | 8.12   | -     | -      | Kgate | 21.87  | Not published
ASIC | Loop     | Type 2 | Mitsubishi 0.18μm | 128 | 12.96  | 3.24   | 21 | 1,881.25 | 44.30  | -     | -      | Kgate | 42.47  | Not published
ASIC | Loop     | Type 2 | 0.25μm            | 256 | -      | 5.46   | -  | 837.00   | 39.35  | 22.76 | 16.33  | Kgate | 21.27  | [C01]
ASIC | Loop     | Type 2 | 0.25μm            | 256 | -      | 11.51  | -  | 397.00   | 23.12  | 13.30 | 9.67   | Kgate | 17.17  | [C01]
FPGA | Loop     | Type 2 | Xilinx XC4000XL   | 128 | 362.83 | 78.82  | 21 | 77.34    | 1,296  | -     | -      | CLB   | 59.68  | [AIK+00b]
FPGA | Loop     | Type 3 | Xilinx XC4000XL   | 128 | -      | 50.00  | 21 | 122.01   | 874    | -     | -      | CLB   | 139.60 | [AIK+00b]
FPGA | Loop     | Type 2 | Xilinx VirtexE    | 128 | 135.03 | 30.56  | 21 | 199.46   | 1,816  | -     | -      | Slice | 109.83 | [ISKM01]
FPGA | Loop     | Type 2 | Xilinx VirtexE    | 128 | 126.00 | 28.80  | 21 | 211.90   | 1,816  | -     | -      | Slice | 116.69 | [ISKM01]
FPGA | Loop     | Type 2 | Xilinx VirtexE    | 128 | 127.04 | 26.80  | 21 | 227.42   | 1,780  | -     | -      | Slice | 127.76 | [ISKM01]
FPGA | Unrolled | Type 1 | Xilinx VirtexE    | 128 | 97.70  | 318.50 | 1  | 401.89   | 9,426  | -     | -      | Slice | 42.64  | [ISKM01]
FPGA | Pipeline | Type 4 | Xilinx VirtexE    | 128 | 83.25  | 18.96  | 20 | 6,749.99 | 9,692  | -     | -      | Slice | 696.45 | [ISKM01]

(*1) Critical path of data encryption (or decryption).
(*2) The figure includes key scheduling logic, encryption/decryption logic, data selector (if necessary), output register, subkey register and buffers for fan-out adjustment.
(*3) The figure includes subkey register.
(*4) The figure includes output register and data selector (if necessary).


4 Software Implementation Techniques

This section describes how to implement Camellia efficiently in software. In most cases, an implementation can be divided into two parts: setup including key schedule, and data randomization, that is, encryption or decryption. We first describe how to optimize the setup code, and then describe how to optimize the data randomization code.

This section describes specific techniques for 8-, 32-, or 64-bit processors. However, a technique for 8-bit processors may be applicable to 32- or 64-bit processors and a technique for 32-bit processors may be applicable to 64-bit processors. Other word sizes may need to be considered.

We assume that you first implement Camellia using the specification as it is. This section will optimize the resulting code.

Note that in this section "word" means the natural size of the target processor. For example, the words of IA-32 without MMX technology, IA-32 with MMX technology and Alpha are 32-, 64-, and 64-bits long respectively.

4.1 Setup

4.1.1 Store All Subkeys

Store all subkeys into memory once you generate them if you have sufficient memory, and use the stored subkeys for data randomization.

4.1.2 Subkey Generation Order

You do not have to compute subkeys in order. For example, when you compute subkeys for a 128-bit key, first compute the subkeys that only depend on K_L, and then compute subkeys that only depend on K_A. This reduces the number of registers or memory for storing K_A.

4.1.3 XOR Cancellation Property in Key Schedule

The key schedule of Camellia is based on the Feistel structure. Between the 2nd round and the 3rd round, K_L is XORed to an intermediate value. This structure causes cancellations of K_L. More precisely, the input of the 3rd round can be computed by the following equations.

For 128-bit keys:
    (right half) = F(K_LL, Σ_1)
    (left half)  = F(K_LR ⊕ (right half), Σ_2)

For 192- and 256-bit keys:
    (right half) = K_RR ⊕ F(K_LL ⊕ K_RL, Σ_1)
    (left half)  = K_RL ⊕ F(K_LR ⊕ (right half), Σ_2)

Using the above equations, we can eliminate 3 and 2 XORs in L for 128- and 192/256-bit keys, respectively, compared to the straightforward implementation of the specification.
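The cancellation holds for any round function F, so it can be checked without the specification's s-box tables. The C program below is an added illustration, not code from the paper: it uses a constructed stand-in for F and caller-supplied Σ values, and compares the straightforward two-rounds-then-XOR-K_L computation with the shortcut equations for both key sizes.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the Camellia F-function (hypothetical: the real F needs the
 * s-box tables from the specification). The cancellation argument does not
 * depend on what F computes, only on where K_L is XORed in. */
static uint64_t f_stub(uint64_t x, uint64_t sigma)
{
    x ^= sigma;
    x *= 0x9E3779B97F4A7C15ULL;        /* constructed mixing, not Camellia's F */
    return x ^ (x >> 29);
}

/* Straightforward key-schedule prefix as the specification writes it:
 * D1||D2 = K_L (XOR K_R for 192/256-bit keys), two Feistel rounds with
 * Sigma1 and Sigma2, then XOR K_L back in. Output: the input of the 3rd round.
 * 64-bit XOR count: 4 for 128-bit keys, 6 for 192/256-bit keys. */
static void third_round_input_plain(uint64_t kll, uint64_t klr,
                                    uint64_t krl, uint64_t krr, int has_kr,
                                    uint64_t s1, uint64_t s2,
                                    uint64_t *left, uint64_t *right)
{
    uint64_t d1 = kll, d2 = klr;
    if (has_kr) { d1 ^= krl; d2 ^= krr; }
    d2 ^= f_stub(d1, s1);
    d1 ^= f_stub(d2, s2);
    d1 ^= kll;
    d2 ^= klr;
    *left = d1;
    *right = d2;
}

/* Same value via the cancellation equations of Section 4.1.3.
 * 64-bit XOR count: 1 for 128-bit keys, 4 for 192/256-bit keys. */
static void third_round_input_fast(uint64_t kll, uint64_t klr,
                                   uint64_t krl, uint64_t krr, int has_kr,
                                   uint64_t s1, uint64_t s2,
                                   uint64_t *left, uint64_t *right)
{
    if (!has_kr) {
        *right = f_stub(kll, s1);
        *left = f_stub(klr ^ *right, s2);
    } else {
        *right = krr ^ f_stub(kll ^ krl, s1);
        *left = krl ^ f_stub(klr ^ *right, s2);
    }
}

/* Returns 1 if both computations agree for the given key material. */
int cancellation_holds(uint64_t kll, uint64_t klr, uint64_t krl, uint64_t krr,
                       int has_kr, uint64_t s1, uint64_t s2)
{
    uint64_t pl, pr, ql, qr;
    third_round_input_plain(kll, klr, krl, krr, has_kr, s1, s2, &pl, &pr);
    third_round_input_fast(kll, klr, krl, krr, has_kr, s1, s2, &ql, &qr);
    return pl == ql && pr == qr;
}

int main(void)
{
    /* Constructed key words and Sigma values, not the specification's constants. */
    uint64_t kll = 0x0123456789abcdefULL, klr = 0xfedcba9876543210ULL;
    uint64_t krl = 0x1122334455667788ULL, krr = 0x99aabbccddeeff00ULL;
    uint64_t s1 = 0xa5a5a5a55a5a5a5aULL, s2 = 0x0f0f0f0ff0f0f0f0ULL;
    printf("128-bit key: %s\n",
           cancellation_holds(kll, klr, 0, 0, 0, s1, s2) ? "ok" : "MISMATCH");
    printf("192/256-bit key: %s\n",
           cancellation_holds(kll, klr, krl, krr, 1, s1, s2) ? "ok" : "MISMATCH");
    return 0;
}
```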

4.1.4 Rotation Bits for K_L, K_R, K_A, and K_B

You do not need to keep K_L, K_R, K_A, and K_B, but you should keep their rotated values when generating subkeys. You can generate subkeys by rotating the kept values by a sum of integral multiples of 16 ± 1 bits.

4.1.5 kl_5 and kl_6 Generation from k_11 and k_12

For 192- and 256-bit keys, you can use word-oriented rotation to generate (kl_5, kl_6) from (k_11, k_12), since (kl_5, kl_6) equals (k_11, k_12) ⋘ 32. This saves a few instructions compared to general rotation.

4.1.6 On-the-fly Subkey Generation

You can generate subkeys on-the-fly. All subkeys are one of the rotated values of K_L, K_R, K_A, and K_B. Thus, you first generate K_L, K_R, K_A, and K_B, and then rotate them to get the subkeys. Refer to Section 4.1.4 for the rotated numbers of bits for K_L, K_R, K_A, and K_B.

4.1.7 128-bit Key and 192/256-bit Key

If your code does not need to use key sizes larger than 128 bits, you do not need to generate K_B. That is, you can omit the computations for the last two F-functions.

4.1.8 How to Rotate an Element of {K_L, K_R, K_A, K_B}

8-bit processor. As stated in Section 4.1.4, the amount of rotation in bits is a sum of integral multiples of 16 ± 1. Thus, you can rotate an element of {K_L, K_R, K_A, K_B} by 16 ± 1 bits by rotating 1 bit left or right followed by a 2-byte move.

32-bit processor. Consider the use of a double precision shift instruction: shrd or shld if you are programming on IA-32.

4.1.9 F-function

The key schedule includes F-functions, but the main usage of the F-function is for data randomization. Refer to Section 4.2.

4.1.10 Keyed Functions

Camellia has three keyed functions: bitwise XOR, bitwise OR, and bitwise AND. Consider the use of self-modifying code, if possible.

RFP h—t— ‚—ndomiz—tion

RFPFI indi—n gonversion

g—melli— prefers ˜ig endi—nF „husD the ™o de for little endi—n pro ™essors needs —ddition—l ™o de

for endi—n ™onversionsF

„he most str—ightforw—rd implement—tion ™onverts the endi—n when lo—ding — register from

I

memory —nd storing — register to memoryF ynly pvE—ndpv Efun™tions —re endi—n dep endentF

I

wore pre™iselyD only the IE˜it rot—tion in pvEorpv Efun™tion is endi—n dep endentF „his me—ns

that you can convert endians just before or just after the 1-bit rotation with the appropriate subkey generation scheme. A combination of computing endian conversion and 1-bit rotation may increase the performance of Camellia. Details are described in Section 4.2.2.

Some processors have a special instruction for endian conversion. For example, IA-32 (after 80486) has the bswap instruction. Use these instructions. However, do not use the byte swap technique described in [C98, Appendix A]. The technique reduces the code size, but it is not fast, since the memory load and store instructions incur long latency.

As described above, the endian problem only affects the 1-bit rotation of a 32-bit word. Thus, we do not need full 64-bit word endian conversion.

The following are general methods to realize endian conversion for a 32-bit register x. In the following techniques, you can use either ∨ or ⊕ instead of + in the equations, and you can switch the computational order between shifts (including rotations) and ANDs with an appropriate conversion of the masked constants.

Straightforward.

    x ← (x ≪ 24) + ((x ∧ 0xff00) ≪ 8) + ((x ≫ 8) ∧ 0xff00) + (x ≫ 24)

The technique has high parallelism.

Minimum operations without rotation.

    x ← (x ≪ 16) + (x ≫ 16)
    x ← ((x ∧ 0xff00ff) ≪ 8) + ((x ≫ 8) ∧ 0xff00ff)

Using rotations.

    x ← ((x ∧ 0xff00ff) ⋙ 8) + ((x ⋘ 8) ∧ 0xff00ff)

Using SSE. New Intel Pentium family processors including Pentium III have a very effective instruction for reordering data, which is called pshufw [I99]. 5 instructions including pshufw are sufficient to convert endian for 64-bit data.

4.2.2 1-bit Rotation in Little Endian Interpretation

As described in Section 4.2.1, we do not need endian conversion when loading and storing texts if we can efficiently implement the 1-bit rotation in the FL- and FL^-1-functions.

Assuming x to be a 32-bit register that contains little endian data to be rotated by 1 bit, we can compute the 1-bit rotation by the following equation.

    x ← ((2x) ∧ 0xfefefefe) + ((x ⋙ 15) ∧ ¬0xfefefefe)    (1)

Of course, this technique requires appropriate changes to the subkey setup and other functions. Note that + in Equation (1) can be replaced with ∨ or ⊕, computing 2x can be done by ≪ 1, ⋘ 1 or addition of x to itself, and you can switch the computational order between shifts (including rotations) and ANDs with an appropriate conversion of the masked constants.

Confirm whether your processor has an ANDNOT instruction, such as pandn in IA-32 and bic in Alpha. In this case, you do not need to prepare the constant ¬0xfefefefe.
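The three endian-conversion formulas of Section 4.2.1 and Equation (1) of Section 4.2.2, as an added C example that is not code from the Camellia design document or its reference implementation. The check for Equation (1) converts the register to the big-endian word, rotates that word by one bit, and converts back; all function names and the sample values are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not part of the Camellia design document: the endian
 * conversions of Section 4.2.1 and Equation (1) of Section 4.2.2. */

static uint32_t rotl32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }
static uint32_t rotr32(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }

/* Straightforward: four independent terms, hence high parallelism. */
uint32_t bswap_straightforward(uint32_t x)
{
    return (x << 24) + ((x & 0xff00u) << 8) + ((x >> 8) & 0xff00u) + (x >> 24);
}

/* Minimum operations without rotation: swap the halves, then the bytes inside each half. */
uint32_t bswap_minimum(uint32_t x)
{
    x = (x << 16) + (x >> 16);
    return ((x & 0xff00ffu) << 8) + ((x >> 8) & 0xff00ffu);
}

/* Using rotations. */
uint32_t bswap_rotations(uint32_t x)
{
    return rotr32(x & 0xff00ffu, 8) + (rotl32(x, 8) & 0xff00ffu);
}

/* Equation (1): rotate the big-endian word left by one bit while it sits in a
 * register holding its bytes in little-endian order. Every byte is shifted left
 * within itself, and the bit that falls out of byte i lands in bit 0 of byte
 * i-1, the next more significant byte of the big-endian word. With an ANDNOT
 * instruction the second term is (x >>> 15) ANDNOT 0xfefefefe. */
uint32_t rotl1_little_endian(uint32_t x)
{
    return ((2u * x) & 0xfefefefeu) + (rotr32(x, 15) & ~0xfefefefeu);
}

/* Reference for Equation (1): convert, rotate the big-endian word, convert back. */
int equation_1_holds(uint32_t x)
{
    uint32_t expected = bswap_straightforward(rotl32(bswap_straightforward(x), 1));
    return rotl1_little_endian(x) == expected;
}

/* Runs the three conversions and Equation (1) over 65536 constructed values;
 * returns 1 if every check passes. */
int endian_checks_pass(void)
{
    uint32_t i;
    for (i = 0; i < 65536u; i++) {
        uint32_t x = (i * 0x9e3779b1u) ^ (i << 5);   /* constructed sample values */
        uint32_t s = bswap_straightforward(x);
        if (s != bswap_minimum(x) || s != bswap_rotations(x)) return 0;
        if (!equation_1_holds(x)) return 0;
    }
    return 1;
}

int main(void)
{
    printf("%08x -> %08x, Eq.(1): %08x, checks %s\n", 0x12345678u,
           bswap_straightforward(0x12345678u), rotl1_little_endian(0x12345678u),
           endian_checks_pass() ? "pass" : "FAIL");
    return 0;
}
```

The mask 0xfefefefe keeps the seven low bits of each byte after the in-byte shift; its complement, 0x01010101, selects the bit that crossed a byte boundary. A rotate by 15 rather than 7 is what moves that bit one byte down, with the wrap-around from byte 0 to byte 3 provided by the rotation itself.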

4.2.3 Whitening

The key additions kw2 and kw4 can be combined into other keyed operations using the following equations.

    (x ⊕ k) ⊕ y = (x ⊕ y) ⊕ k,
    (x ⊕ k) ⊕ l = x ⊕ (k ⊕ l),
    (x ⊕ k) ∧ l = (x ∧ l) ⊕ (k ∧ l),            (2)
    (x ⊕ k) ⋘ 1 = (x ⋘ 1) ⊕ (k ⋘ 1),
    (x ⊕ k) ∨ l = (x ∨ l) ⊕ (k ∧ ¬l),

where x, y, k, l are bit strings. Adjust the subkeys at setup to eliminate these 2 XORs.

4.2.4 Key XOR

Using Equations (2), you can move key XORs to any place as long as the movement does not go through the S-function. For example, changing the F-function computation P(S(X ⊕ k)) to P(S(X)) ⊕ k′ may improve instruction scheduling.
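Equations (2) applied to the FL-function, as an added C example rather than code from the document: a constant c XORed into the FL input (such as whitening material carried along one Feistel half) is replaced by a constant c′ XORed at the FL output, computed once at setup, after which the XOR merges into the neighbouring key addition. The FL-function definition follows the Camellia specification; the names fl, fl_output_constant, half_pair and the generator used for sample values are this example's own.

```c
#include <stdint.h>

/* Added example, not code from the Camellia design document. Section 4.2.3:
 * pushing a constant through the FL-function by Equations (2). */

static uint32_t rotl32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

typedef struct { uint32_t l, r; } half_pair;   /* a 64-bit value as (left, right) 32-bit halves */

/* The Camellia FL-function: Y_R = ((X_L AND kl_L) <<< 1) XOR X_R,
 *                           Y_L = (Y_R OR kl_R) XOR X_L. */
half_pair fl(half_pair x, half_pair kl)
{
    half_pair y;
    y.r = rotl32(x.l & kl.l, 1) ^ x.r;
    y.l = (y.r | kl.r) ^ x.l;
    return y;
}

/* Computed once at setup. By Equations (2),
 *   ((x XOR c) AND l) <<< 1 = ((x AND l) <<< 1) XOR ((c AND l) <<< 1)
 *   (y XOR c) OR l          = (y OR l) XOR (c AND NOT l)
 * so FL(X XOR c, kl) = FL(X, kl) XOR c', with c' as returned here. */
half_pair fl_output_constant(half_pair c, half_pair kl)
{
    half_pair cp;
    cp.r = rotl32(c.l & kl.l, 1) ^ c.r;
    cp.l = (cp.r & ~kl.r) ^ c.l;
    return cp;
}

/* 1 if FL(x XOR c, kl) == FL(x, kl) XOR c' for these values, else 0. */
int constant_moves_through_fl(half_pair x, half_pair c, half_pair kl)
{
    half_pair in, direct, base, cp;
    in.l = x.l ^ c.l;
    in.r = x.r ^ c.r;
    direct = fl(in, kl);
    base = fl(x, kl);
    cp = fl_output_constant(c, kl);
    return direct.l == (base.l ^ cp.l) && direct.r == (base.r ^ cp.r);
}

/* Checks the identity on 4096 constructed (x, c, kl) triples drawn from a
 * small linear congruential generator; returns 1 if all pass. */
int fl_identity_checks_pass(void)
{
    uint32_t s = 0x2545f491u;
    int i;
    for (i = 0; i < 4096; i++) {
        half_pair x, c, kl;
        s = s * 1664525u + 1013904223u; x.l = s;
        s = s * 1664525u + 1013904223u; x.r = s;
        s = s * 1664525u + 1013904223u; c.l = s;
        s = s * 1664525u + 1013904223u; c.r = s;
        s = s * 1664525u + 1013904223u; kl.l = s;
        s = s * 1664525u + 1013904223u; kl.r = s;
        if (!constant_moves_through_fl(x, c, kl)) return 0;
    }
    return 1;
}
```

The same reasoning applies to FL^-1, whose operations are the same two identities in the other order. Because c′ depends on the FL subkey kl, it has to be recomputed whenever the key changes, which is why the document places the adjustment in the subkey setup.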

4.2.5 S-function

s1 is defined by arithmetic in GF(2^8). However, do not compute the GF(2^8) arithmetic; instead precompute and hard-code a table in your program, see Table 4 in the specification.

We strongly suggest that you also precompute and hard-code the s2, s3, and s4 tables in addition to s1, if you have sufficient memory and 8-bit rotation is expensive. If you do not have sufficient memory, the data of s2, s3, and s4 can be generated from the table for s1 using one rotation (see Section 4.5 in the specification).

If you have sufficient memory, and the cost of a table lookup is heavy, as is true for the current Java virtual machines, consider the use of a two-s-box combined table, for example (s1(y1), s2(y2)).

4.2.6 P-function

32-bit processor. Let (Z_L, Z_R) = ((z1, z2, z3, z4), (z5, z6, z7, z8)) be the input of the P-function and (Z′_L, Z′_R) = ((z′1, z′2, z′3, z′4), (z′5, z′6, z′7, z′8)) be the output of the P-function. From Figure 5 in the specification, you can see that the P-function can be computed as follows.

    Z_L ← Z_L ⊕ (Z_R ⋘ 8)
    Z_R ← Z_R ⊕ (Z_L ⋘ 16)
    Z_L ← Z_L ⊕ (Z_R ⋙ 8)
    Z_R ← Z_R ⊕ (Z_L ⋙ 8)
    Z′_R ← Z_L
    Z′_L ← Z_R

The critical path of this computation is long. We can modify the computation as follows (the two operations on each line are independent: both read the values left by the previous line).

    Z_R ← Z_R ⋘ 8
    Z_L ← Z_L ⊕ Z_R        Z_R ← Z_R ⋘ 8
    Z_L ← Z_L ⋙ 8          Z_R ← Z_R ⊕ Z_L
    Z_L ← Z_L ⊕ Z_R        Z_R ← Z_R ⋘ 16
    Z_L ← Z_L ⋘ 8          Z_R ← Z_R ⊕ Z_L
    Z′_R ← Z_L             Z′_L ← Z_R

The critical path of the above computation is decreased. It seems that the technique requires one additional rotation; however, you can probably combine the first step of the above computation with the S-function without any additional cost.

8-bit processor (orthogonal mnemonics). If the instructions of your processor can XOR any combination of registers and it has sufficient registers, you can compute the P-function by using just 16 XORs, following Figure 5 in the specification.

8-bit processor (accumulator based). If your processor is accumulator based, minimizing the number of XORs is not always a good idea, since the computation may require register loads from memory and stores into memory many times. The following computation is optimized for an accumulator based processor.

    z′8 ← z1 ⊕ z4 ⊕ z5 ⊕ z6 ⊕ z7
    z′4 ← z′8 ⊕ z1 ⊕ z2 ⊕ z3
    z′7 ← z′4 ⊕ z2 ⊕ z7 ⊕ z8
    z′3 ← z′7 ⊕ z1 ⊕ z2 ⊕ z4
    z′6 ← z′3 ⊕ z1 ⊕ z6 ⊕ z7
    z′2 ← z′6 ⊕ z1 ⊕ z3 ⊕ z4
    z′5 ← z′2 ⊕ z4 ⊕ z5 ⊕ z6
    z′1 ← z′5 ⊕ z2 ⊕ z3 ⊕ z4

When indexing z_i costs many operations, the following is useful.

    σ ← z1 ⊕ z2 ⊕ z3 ⊕ z4 ⊕ z5 ⊕ z6 ⊕ z7 ⊕ z8
    z′1 ← σ ⊕ z2 ⊕ z5
    z′2 ← σ ⊕ z3 ⊕ z6
    z′3 ← σ ⊕ z4 ⊕ z7
    z′4 ← σ ⊕ z1 ⊕ z8
    z′5 ← σ ⊕ z3 ⊕ z4 ⊕ z5
    z′6 ← σ ⊕ z1 ⊕ z4 ⊕ z6
    z′7 ← σ ⊕ z1 ⊕ z2 ⊕ z7
    z′8 ← σ ⊕ z2 ⊕ z3 ⊕ z8
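The P-function computed in each of the ways listed in Section 4.2.6 and cross-checked against the byte-wise definition of Figure 5 of the specification, as an added C example (not the document's or the reference implementation's code). Bytes are numbered as in the document, z1 being the most significant byte of Z_L and z5 of Z_R; the function names and the sample inputs are this example's own.

```c
#include <stdint.h>

/* Added example, not part of the Camellia design document: four ways to
 * compute the P-function, all compared with the byte-wise definition. */

static uint32_t rotl32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }
static uint32_t rotr32(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }
static uint32_t pack_be(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* Reference: the byte-wise definition (z[0] is z1, out[0] is z1'). */
void p_bytes(const uint8_t z[8], uint8_t out[8])
{
    out[0] = z[0]^z[2]^z[3]^z[5]^z[6]^z[7];
    out[1] = z[0]^z[1]^z[3]^z[4]^z[6]^z[7];
    out[2] = z[0]^z[1]^z[2]^z[4]^z[5]^z[7];
    out[3] = z[1]^z[2]^z[3]^z[4]^z[5]^z[6];
    out[4] = z[0]^z[1]^z[5]^z[6]^z[7];
    out[5] = z[1]^z[2]^z[4]^z[6]^z[7];
    out[6] = z[2]^z[3]^z[4]^z[5]^z[7];
    out[7] = z[0]^z[3]^z[4]^z[5]^z[6];
}

/* 32-bit processor: the first rotation sequence of Section 4.2.6. */
void p_rotations(uint32_t zl, uint32_t zr, uint32_t *outl, uint32_t *outr)
{
    zl ^= rotl32(zr, 8);
    zr ^= rotl32(zl, 16);
    zl ^= rotr32(zr, 8);
    zr ^= rotr32(zl, 8);
    *outr = zl;
    *outl = zr;
}

/* 32-bit processor, shortened critical path: the two operations on each line
 * read the values left by the previous line, so temporaries are used here. */
void p_short_path(uint32_t zl, uint32_t zr, uint32_t *outl, uint32_t *outr)
{
    uint32_t tl, tr;
    zr = rotl32(zr, 8);
    tl = zl ^ zr;        tr = rotl32(zr, 8);   zl = tl; zr = tr;
    tl = rotr32(zl, 8);  tr = zr ^ zl;         zl = tl; zr = tr;
    tl = zl ^ zr;        tr = rotl32(zr, 16);  zl = tl; zr = tr;
    tl = rotl32(zl, 8);  tr = zr ^ zl;         zl = tl; zr = tr;
    *outr = zl;
    *outl = zr;
}

/* 8-bit accumulator-based processor: each output byte builds on the previous one. */
void p_accumulator(const uint8_t z[8], uint8_t out[8])
{
    out[7] = z[0]^z[3]^z[4]^z[5]^z[6];
    out[3] = out[7]^z[0]^z[1]^z[2];
    out[6] = out[3]^z[1]^z[6]^z[7];
    out[2] = out[6]^z[0]^z[1]^z[3];
    out[5] = out[2]^z[0]^z[5]^z[6];
    out[1] = out[5]^z[0]^z[2]^z[3];
    out[4] = out[1]^z[3]^z[4]^z[5];
    out[0] = out[4]^z[1]^z[2]^z[3];
}

/* 8-bit processor when indexing z_i is expensive: start from sigma. */
void p_sigma(const uint8_t z[8], uint8_t out[8])
{
    uint8_t s = z[0]^z[1]^z[2]^z[3]^z[4]^z[5]^z[6]^z[7];
    out[0] = s^z[1]^z[4];        out[1] = s^z[2]^z[5];
    out[2] = s^z[3]^z[6];        out[3] = s^z[0]^z[7];
    out[4] = s^z[2]^z[3]^z[4];   out[5] = s^z[0]^z[3]^z[5];
    out[6] = s^z[0]^z[1]^z[6];   out[7] = s^z[1]^z[2]^z[7];
}

/* Z'_L (right == 0) or Z'_R (right != 0) from the rotation form. */
uint32_t p_word(uint32_t zl, uint32_t zr, int right)
{
    uint32_t l, r;
    p_rotations(zl, zr, &l, &r);
    return right ? r : l;
}

/* 1 if all variants agree on this input, else 0. */
int p_variants_agree(const uint8_t z[8])
{
    uint8_t a[8], b[8], c[8];
    uint32_t l1, r1, l2, r2;
    int i;
    p_bytes(z, a); p_accumulator(z, b); p_sigma(z, c);
    p_rotations(pack_be(z), pack_be(z + 4), &l1, &r1);
    p_short_path(pack_be(z), pack_be(z + 4), &l2, &r2);
    for (i = 0; i < 8; i++) if (a[i] != b[i] || a[i] != c[i]) return 0;
    return l1 == pack_be(a) && r1 == pack_be(a + 4) && l2 == l1 && r2 == r1;
}

/* Sweeps 1024 constructed inputs; returns 1 if every variant agrees on all. */
int p_variant_checks_pass(void)
{
    int k, i;
    for (k = 0; k < 1024; k++) {
        uint8_t z[8];
        for (i = 0; i < 8; i++) z[i] = (uint8_t)(k * 53 + i * 29 + (k >> (i + 1)));
        if (!p_variants_agree(z)) return 0;
    }
    return 1;
}
```

In p_short_path the pairs of statements per line mirror the two columns of the document's listing; a compiler or an out-of-order core can issue each pair together, which is where the shorter critical path comes from.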

4.2.7 Substitution and Permutation

This section describes how to efficiently compute P ∘ S compared to computing S and P independently.

64-bit processor. If your processor has a sufficiently large first level cache, use the technique described in [RDP+96]. The technique prepares the following tables defined by Equations (3).

    SP1(y1) = (s1(y1), s1(y1), s1(y1), 0, s1(y1), 0, 0, s1(y1))
    SP2(y2) = (0, s2(y2), s2(y2), s2(y2), s2(y2), s2(y2), 0, 0)
    SP3(y3) = (s3(y3), 0, s3(y3), s3(y3), 0, s3(y3), s3(y3), 0)
    SP4(y4) = (s4(y4), s4(y4), 0, s4(y4), 0, 0, s4(y4), s4(y4))
    SP5(y5) = (0, s2(y5), s2(y5), s2(y5), 0, s2(y5), s2(y5), s2(y5))          (3)
    SP6(y6) = (s3(y6), 0, s3(y6), s3(y6), s3(y6), 0, s3(y6), s3(y6))
    SP7(y7) = (s4(y7), s4(y7), 0, s4(y7), s4(y7), s4(y7), 0, s4(y7))
    SP8(y8) = (s1(y8), s1(y8), s1(y8), 0, s1(y8), s1(y8), s1(y8), 0)

Next, compute the following equation:

    (z′1, z′2, z′3, z′4, z′5, z′6, z′7, z′8) ← ⊕_{i=1}^{8} SP_i(y_i)

This technique requires the following operations.

    # of table lookups    8
    # of XORs             7
    Size of table (KB)   16

If the first cache of the target processor is moderately large, replace a few of the tables defined by Equations (3) with the tables below.

    SP̄1(y1) = (s1(y1), s1(y1), s1(y1), s1(y1), s1(y1), s1(y1), s1(y1), s1(y1))
    SP̄2(y2) = (s2(y2), s2(y2), s2(y2), s2(y2), s2(y2), s2(y2), s2(y2), s2(y2))
    SP̄3(y3) = (s3(y3), s3(y3), s3(y3), s3(y3), s3(y3), s3(y3), s3(y3), s3(y3))          (4)
    SP̄4(y4) = (s4(y4), s4(y4), s4(y4), s4(y4), s4(y4), s4(y4), s4(y4), s4(y4))

Then, mask the necessary byte positions. This technique requires the following operations if you use just the tables of Equations (4).

    # of table lookups    8
    # of XORs             7
    # of ANDs             8
    Size of table (KB)    8

When implementing this technique on the Alpha architecture [C98], and if the number of registers is insufficient for storing the constants for the masking operation, use the zap or zapnot instructions.

If your processor can efficiently copy half of the bits of a register to the other half, for example by the punpckldq/punpckhdq or pshufw instructions in IA-32 [I99], which are realized after Pentium with MMX technology and Pentium III, respectively, prepare SP1, SP2, SP3, and SP4 defined in Equations (3). Then, compute the following equation:

    (z′1, z′2, z′3, z′4, z′5, z′6, z′7, z′8)
        ← SP1(y1) ⊕ SP2(y2) ⊕ SP3(y3) ⊕ SP4(y4) ⊕ ψ(SP1(y8) ⊕ SP2(y5) ⊕ SP3(y6) ⊕ SP4(y7)),

where ψ denotes the operation that copies the first 4 bytes to the last 4 bytes. This technique requires the following operations.

    # of table lookups    8
    # of XORs             7
    # of ψ's              1
    Size of table (KB)    8

32-bit processor. [AU00] shows efficient implementations of Camellia-type substitution and permutation networks. One of the techniques prepares the following tables defined by Equations (5):

    SP1110(y1) = (s1(y1), s1(y1), s1(y1), 0)
    SP0222(y2) = (0, s2(y2), s2(y2), s2(y2))
    SP3033(y3) = (s3(y3), 0, s3(y3), s3(y3))          (5)
    SP4404(y4) = (s4(y4), s4(y4), 0, s4(y4))

Then, compute as follows:

    D ← SP1110(y8) ⊕ SP0222(y5) ⊕ SP3033(y6) ⊕ SP4404(y7)
    U ← SP1110(y1) ⊕ SP0222(y2) ⊕ SP3033(y3) ⊕ SP4404(y4)
    (z′1, z′2, z′3, z′4) ← D ⊕ U
    (z′5, z′6, z′7, z′8) ← (z′1, z′2, z′3, z′4) ⊕ (U ⋙ 8)

This technique requires the following operations.

    # of table lookups    8
    # of XORs             8
    # of rotations        1
    Size of table (KB)    4

[AU00] also shows an implementation that is suitable for a processor in which rotation is very costly. The technique prepares the following tables in addition to the tables defined by Equations (5):

    SP1001(y1) = (s1(y1), 0, 0, s1(y1))
    SP2200(y2) = (s2(y2), s2(y2), 0, 0)
    SP0330(y3) = (0, s3(y3), s3(y3), 0)
    SP0044(y4) = (0, 0, s4(y4), s4(y4))

Then, compute as follows:

    D ← SP1110(y8) ⊕ SP0222(y5) ⊕ SP3033(y6) ⊕ SP4404(y7)
    (z′1, z′2, z′3, z′4) ← D ⊕ SP1110(y1) ⊕ SP0222(y2) ⊕ SP3033(y3) ⊕ SP4404(y4)
    (z′5, z′6, z′7, z′8) ← D ⊕ SP1001(y1) ⊕ SP2200(y2) ⊕ SP0330(y3) ⊕ SP0044(y4)

This technique requires the following operations.

    # of table lookups   12
    # of XORs            11
    Size of table (KB)    8
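The 32-bit-processor technique of Equations (5) (four 1 KB tables, 8 lookups, 8 XORs, 1 rotation), together with the table generation that Section 4.2.5 recommends, as an added C example; it is neither the document's code nor the reference implementation's. The s-box s1 used here is a constructed stand-in permutation, not Camellia's s1 from Table 4 of the specification, because the technique does not depend on the s-box contents; s2, s3 and s4 are derived from it by the rotation relations the document refers to (Section 4.5 of the specification). The table is checked against computing S and then P byte by byte.

```c
#include <stdint.h>

/* Added example, not part of the Camellia design document: the SP1110/SP0222/
 * SP3033/SP4404 technique of Equations (5) checked against byte-wise S then P. */

static uint8_t s1[256], s2[256], s3[256], s4[256];
static uint32_t SP1110[256], SP0222[256], SP3033[256], SP4404[256];
static int tables_ready;

static uint8_t rotl8(uint8_t x, unsigned n) { return (uint8_t)((x << n) | (x >> (8 - n))); }
static uint32_t rotr32(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }
static uint32_t pack_be(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* Builds s1..s4 and the four SP tables once (hard-coding them is what the text suggests). */
void build_tables(void)
{
    int y;
    if (tables_ready) return;
    for (y = 0; y < 256; y++) {
        s1[y] = (uint8_t)(y * 37 + 0x5a);   /* constructed stand-in bijection, NOT Camellia's s1 */
        s2[y] = rotl8(s1[y], 1);            /* s2(x) = s1(x) <<< 1 */
        s3[y] = rotl8(s1[y], 7);            /* s3(x) = s1(x) >>> 1 */
        s4[y] = s1[rotl8((uint8_t)y, 1)];   /* s4(x) = s1(x <<< 1) */
    }
    for (y = 0; y < 256; y++) {
        uint32_t a = s1[y], b = s2[y], c = s3[y], d = s4[y];
        SP1110[y] = (a << 24) | (a << 16) | (a << 8);   /* (s1, s1, s1, 0) */
        SP0222[y] = (b << 16) | (b << 8) | b;           /* (0, s2, s2, s2) */
        SP3033[y] = (c << 24) | (c << 8) | c;           /* (s3, 0, s3, s3) */
        SP4404[y] = (d << 24) | (d << 16) | d;          /* (s4, s4, 0, s4) */
    }
    tables_ready = 1;
}

uint32_t sp1110_entry(int y) { build_tables(); return SP1110[y & 0xff]; }

/* Reference: S with the s-box order s1,s2,s3,s4,s2,s3,s4,s1, then P byte-wise. */
void sp_bytewise(const uint8_t y[8], uint8_t out[8])
{
    uint8_t z[8];
    build_tables();
    z[0] = s1[y[0]]; z[1] = s2[y[1]]; z[2] = s3[y[2]]; z[3] = s4[y[3]];
    z[4] = s2[y[4]]; z[5] = s3[y[5]]; z[6] = s4[y[6]]; z[7] = s1[y[7]];
    out[0] = z[0]^z[2]^z[3]^z[5]^z[6]^z[7];  out[1] = z[0]^z[1]^z[3]^z[4]^z[6]^z[7];
    out[2] = z[0]^z[1]^z[2]^z[4]^z[5]^z[7];  out[3] = z[1]^z[2]^z[3]^z[4]^z[5]^z[6];
    out[4] = z[0]^z[1]^z[5]^z[6]^z[7];       out[5] = z[1]^z[2]^z[4]^z[6]^z[7];
    out[6] = z[2]^z[3]^z[4]^z[5]^z[7];       out[7] = z[0]^z[3]^z[4]^z[5]^z[6];
}

/* Equations (5): D from the right-half bytes, U from the left-half bytes. */
void sp_tables(const uint8_t y[8], uint32_t *outl, uint32_t *outr)
{
    uint32_t d, u;
    build_tables();
    d = SP1110[y[7]] ^ SP0222[y[4]] ^ SP3033[y[5]] ^ SP4404[y[6]];
    u = SP1110[y[0]] ^ SP0222[y[1]] ^ SP3033[y[2]] ^ SP4404[y[3]];
    *outl = d ^ u;
    *outr = *outl ^ rotr32(u, 8);
}

/* Compares both methods on 1024 constructed inputs; returns 1 if they agree. */
int sp_methods_agree(void)
{
    int k, i;
    for (k = 0; k < 1024; k++) {
        uint8_t y[8], ref[8];
        uint32_t l, r;
        for (i = 0; i < 8; i++) y[i] = (uint8_t)(k * 101 + i * 61 + (k >> i));
        sp_bytewise(y, ref);
        sp_tables(y, &l, &r);
        if (l != pack_be(ref) || r != pack_be(ref + 4)) return 0;
    }
    return 1;
}
```

The right-half bytes contribute the same XOR pattern to both output halves, which is why D is computed once and reused; the single rotation of U supplies the difference between the two halves that the left-half bytes contribute. Replacing the stand-in s1 with Table 4 of the specification gives the real Camellia tables without any other change.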

4.2.8 Making Indices for s-box

You can make an index for an s-box by simply using shifts and ANDs. However, several processors have special instructions for making an index, for example, movzx in IA-32 [I99] and extbl in Alpha [C98].

movzx is a fast operation in P6, but it can be used only for the two least significant bytes. A straightforward implementation uses the eax, ebx, ecx, and edx registers for storing (L_r, R_r), and 2 rotations are used for making indices; 2 rotations are used for recovering the byte order in the registers every round. However, you can remove the 2 rotations for recovering byte order every round if you prepare rotated tables. Note that the byte order in the registers returns to the natural order every 4 rounds.

4.3 General Guidelines

This section describes general guidelines. The guidelines are useful to optimize Camellia as well as other block ciphers. Please refer to the optimization manuals for each processor.

Avoid misaligned data accesses. Almost all processors penalize misaligned data access. Align data to the word boundary.

Avoid partial data accesses. Most processors have a function to access a smaller part than the word size. However, this function may cause a penalty. Do not access partial data, even if you do not need the full size of a word and you have sufficient memory.

Be careful of the size of the cache. If the program or its data exceeds the size of the cache, the speed of the program will significantly decrease. Loop unrolling and table expansion are good techniques to speed up the program, but do not exceed the size of the cache.

Use intrinsic functions. Several compilers support intrinsic functions. For example, when you use the Microsoft Visual C++ version 6 compiler on IA-32, and declare "#pragma intrinsic(_lrotl)" and use "_lrotl", the compiler generates rotation instructions in assembly language. Refer to the manual of the compiler that you use for details.

Measuring precise speeds is difficult. The running time of your code depends on many factors: cache hits and misses, OS interrupts, and so on. Furthermore, the cryptographic properties, for example, the number of blocks to be encrypted, also affect the running time.

A few processors have an instruction to get the time stamp. For example, IA-32 (after Pentium) has rdtsc [I99] and Alpha has rpcc [C98]. It is a good idea to use the time stamp counter for measuring speeds, but you should not directly apply these instructions to out-of-order architectures such as P6 and EV6.

If you want to measure speed precisely, consult good guidebooks. For example, if you use Pentium family processors, refer to [F00].

5 Hardware Evaluations

In Section 3, we showed evaluation results of hardware implementations (ASIC, FPGA) of Camellia. In this section, we describe the design policies of the four types of logic evaluated in Section 3. The details of each type are described below.

5.1 Type 1: Fast Implementation-1 (Fully loop unrolled architecture)

In Type 1, we evaluate the hardware implementation (ASIC and FPGA) where the goal is to achieve the fastest encryption and decryption speed with no consideration of logic size. Figure 1 outlines the Type 1 logic. Table 6 shows the basic Type 1 components.

[Figure 1, block diagram: Key → Key Expansion Logic → Subkey Registers; Plaintext / Ciphertext → Encryption and Decryption Logic → Output Registers → Ciphertext / Plaintext. The critical path of key expansion and the critical path of data encryption (or decryption) are marked.]

Figure 1: Outline of Type 1 (ASIC, FPGA)

Table 6: The basic Type 1 components

    Encryption and decryption logic: Data randomizing logic for encryption and decryption, which consists of combinational logic.
    Output register: Register for the encryption (decryption) data.
    Key expansion logic: Logic in which subkeys are generated from the key, which consists of combinational logic.
    Subkey register: Register for the output data of the key expansion logic.

The design policies of these basic components are listed below.

1. "Encryption and decryption logic" and "Key expansion logic"
   (a) Loop architecture is not introduced.
   (b) Pipeline architecture is not introduced.
   (c) Substitution tables (s-boxes) are designed by a logic synthesis tool.
2. "Output register" and "Subkey register"
   (a) The size of the Output register is one block (= 128 bits).
   (b) The size of the Subkey register is the total length of all subkeys in the algorithm.

Under the above design policies, we evaluated Camellia on ASIC and FPGA devices. The results are summarized in Table 3 in Section 3. "Throughput" is defined as follows:

    Throughput [b/s] = Block size (128 [bits]) / Critical path of data encryption (decryption) [sec].

5.2 Type 2: Small Implementation-1 (Loop architecture)

In Type 2, we evaluate the hardware implementations on ASICs and FPGAs with the goal of achieving the smallest logic in encryption (and decryption). Figure 2 outlines the Type 2 logic. Table 7 shows the basic Type 2 components.

[Figure 2, block diagram: Key → Key Schedule Logic, sharing a part of (or all of) the Key Expansion Logic → Subkey Registers; Plaintext / Ciphertext → Data Selector → One Round of Encryption and Decryption Logic, containing a part of the Key Expansion Logic → Output Registers → Ciphertext / Plaintext. The critical path of key expansion and the critical path of data encryption (or decryption) are marked.]

Figure 2: Outline of Type 2 (ASIC, FPGA)

Table 7: The basic Type 2 components

    Encryption and decryption logic: Data randomizing logic for one round operation of encryption and decryption, which includes (a part of) the key expansion logic, and consists of combinational logic.
    Output register: Register for the output (and intermediate) data.
    Data selector: Selector which selects either encryption/decryption data or output data.
    Key scheduling logic: Logic in which subkeys are generated using (a part of) the key expansion logic in the encryption and decryption logic, and consists of combinational logic.
    Subkey register: Register for the output data of the key scheduling logic.

The design policies of these basic components are as follows.

1. "Encryption and decryption logic" and "Key scheduling logic"
   (a) Loop architecture is introduced (which consists of one round operation).
   (b) Pipeline architecture is not introduced.
   (c) Substitution tables (s-boxes) are optimized by hand.
   (d) Key scheduling logic consists of (a part of) the key expansion logic and control logic.
2. "Output register", "Subkey register" and "Data selector"
   (a) The size of the Output register is one block (= 128 bits).
   (b) The size of the Subkey register is that of the subkeys used in the Encryption and decryption logic.
   (c) The Data selector is a 2-1 selector, whose size is one block (= 128 bits).

Under the above design policies, we evaluated Camellia on ASICs and FPGAs. The results are summarized in Table 3 in Section 3. "Throughput" is defined as follows:

    Throughput [b/s] = Block size (128 [bits]) / (Critical path of data encryption (decryption) [sec] × latency).

5.3 Type 3: Small Implementation-2 (Special Case for FPGA, Loop architecture)

In Type 3, we evaluated the hardware implementation (FPGA) as a special case of Type 2. In Type 3, we assume that all subkeys are given and are loaded into FPGA internal memory. Figure 3 outlines the Type 3 logic. Table 8 shows the basic Type 3 components.

[Figure 3, block diagram: Plaintext / Ciphertext → Data Selector → One Round of Encryption and Decryption Logic → Output Registers → Ciphertext / Plaintext; Subkeys → Subkey Memory. The critical path of data encryption (or decryption) is marked.]

Figure 3: Outline of Type 3 (FPGA)

Table 8: The basic Type 3 components

    Encryption and decryption logic: Data randomizing logic for one round operation of encryption and decryption, which includes (a part of) the key expansion logic, and consists of combinational logic.
    Output register: Register for the output (and intermediate) data.
    Data selector: Selector which selects either encryption (decryption) data or output data.
    Subkey memory: Memory for the subkeys loaded from outside.

The design policies of these basic components are as follows.

1. "Encryption and decryption logic"
   (a) Loop architecture is introduced (which consists of one round operation).
   (b) Pipeline architecture is not introduced.
   (c) Substitution tables (s-boxes) are optimized by hand.
2. "Output register", "Subkey memory" and "Data selector"
   (a) The size of the Output register is one block (= 128 bits).
   (b) The size of the Subkey memory is the length of all subkeys in the algorithm.
   (c) The Data selector is a 2-1 selector whose size is one block (= 128 bits).

Under the above design policies, we evaluated Camellia on an FPGA. The results are summarized in Table 3. "Throughput" is defined as follows:

    Throughput [b/s] = Block size (128 [bits]) / (Critical path of data encryption (decryption) [sec] × latency).

5.4 Type 4: Fast Implementation-2 (Pipeline architecture)

In Type 4, we evaluate the hardware implementation (FPGA) where the goal is to achieve the fastest encryption and decryption speed with no consideration of logic size. (The pipeline architecture cannot realize any feedback modes, such as CBC, CFB, and OFB.) Figure 4 outlines the Type 4 logic. Table 9 shows the basic Type 4 components.

[Figure 4, block diagram: Key → Key Expansion Logic → Subkey Registers; Plaintext / Ciphertext → Encryption and Decryption Logic built as pipeline stages 1 to n, each stage one round followed by Register 1 to Register n → Ciphertext / Plaintext. The critical path of a pipeline stage and the critical path of key expansion are marked.]

Figure 4: Outline of Type 4 (FPGA)

Table 9: The basic Type 4 components

    Encryption and decryption logic: Data randomizing logic for encryption and decryption, which consists of combinational logic, and Registers (1 ~ n) for the output and intermediate data.
    Key expansion logic: Combinational logic in which subkeys are generated from the key.
    Subkey register: Register for the output data from the key expansion logic.

The design policies of these basic components are as follows.

1. "Encryption and decryption logic" and "Key expansion logic"
   (a) Loop architecture is not introduced.
   (b) Pipeline architecture is introduced.
   (c) Substitution tables (s-boxes) are designed by a logic synthesis tool.
   (d) The size of the Registers (1 ~ n) is one block (= 128 bits).
2. "Subkey register"
   (a) The size of the Subkey register is the total length of all subkeys in the algorithm.

Under the above design policies, we evaluated Camellia on FPGA devices. The results are summarized in Table 3. "Throughput" is defined as follows:

    Throughput [b/s] = Block size (128 [bits]) / Critical path of Pipeline Stage [sec].

6 Security

6.1 Differential and Linear Cryptanalysis

The most well-known and powerful approaches to attacking many block ciphers are differential cryptanalysis, proposed by Biham and Shamir [BS93], and linear cryptanalysis, introduced by Matsui [M94]. There are several methods of evaluating security against these attacks, where there is a kind of "duality" relation between them [M95, CV95]: in other words, the security against both attacks can be evaluated in similar ways.

It is known that the upper bounds of differential/linear characteristic probabilities can, for several block ciphers, be estimated using the minimum numbers of differential/linear active s-boxes in some consecutive rounds. Kanda [K00] shows the minimum numbers of differential/linear active s-boxes for Feistel ciphers with a conservative SPN (S-P) round function. Hereafter, we assume that the linear transformation P is bijective.

Definition 1 The branch number B of the linear transformation P is defined by

    B = min_{x≠0} (w_H(x) + w_H(P(x))),

where w_H(x) denotes the bytewise Hamming weight of x.

Definition 2 A differential active s-box is defined as an s-box given a non-zero input difference. A linear active s-box is defined as an s-box given a non-zero output mask value.

Theorem 1 The minimum number of differential/linear active s-boxes in any eight consecutive rounds is equal to or larger than 2B + 1.

Definition 3 For any given Δx, Δy, Γx, Γy ∈ GF(2^m), the differential/linear probabilities of the s-box s_i: GF(2^m) → GF(2^m) are defined as:

    Pr[s_i(x) ⊕ s_i(x ⊕ Δx) = Δy] = #{x ∈ GF(2^m) | s_i(x) ⊕ s_i(x ⊕ Δx) = Δy} / 2^m,
    Pr[x · Γx = s_i(x) · Γy] = #{x ∈ GF(2^m) | x · Γx = s_i(x) · Γy} / 2^m.

Definition 4 Let p_s and q_s be the maximum differential/linear probabilities of all s-boxes {s1, s2, ...}.

    p_s = max_i max_{Δx≠0, Δy} Pr[s_i(x) ⊕ s_i(x ⊕ Δx) = Δy],
    q_s = max_i max_{Γy≠0, Γx} (2 Pr[x · Γx = s_i(x) · Γy] − 1)^2.

Theorem 2 Let D and L be the minimum numbers of total differential/linear active s-boxes. Then, the maximum differential/linear characteristic probabilities are bounded by p_s^D and q_s^L, respectively.

With the above-mentioned techniques, we prove that Camellia offers immunity to these attacks by showing the upper bounds of the maximum differential/linear characteristic probabilities, since Camellia is a Feistel cipher whose round function uses the S-P round function.

In the case of Camellia, the maximum differential/linear probabilities of the s-boxes are

    p_s = q_s = 2^-6.

The branch number of the linear transformation (P-function) is 5, i.e.

    B = 5.

Letting p, q be the maximum differential/linear characteristic probabilities of Camellia reduced to 16 rounds without FL- and FL^-1-functions, respectively, we have

    p ≤ p_s^{2(2B+1)} = (2^-6)^22 = 2^-132   and   q ≤ q_s^{2(2B+1)} = (2^-6)^22 = 2^-132

from Theorems 1 and 2. Both probabilities are below the security threshold of 128-bit block ciphers: 2^-128. It follows that there is no effective differential characteristic or linear characteristic for Camellia reduced to more than 15 rounds without FL- and FL^-1-functions. Since the FL- and FL^-1-functions are linear for any fixed key, they do not make the average differential/linear probabilities of the cipher higher. Hence, it is proven that Camellia offers enough security against differential and linear attacks.
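Definitions 1, 3 and 4 evaluated by brute force, and the bound of Theorems 1 and 2 assembled from the results, as an added C example that is not part of the document. The s-box used is the multiplicative inverse in GF(2^8) under the polynomial x^8 + x^4 + x^3 + x + 1 (with 0 mapped to 0); it is affine equivalent to Camellia's s-boxes in the sense of Section 6.6 and therefore has the same p_s and q_s, but it is not Camellia's s1 itself. The P-function is Camellia's. Because P has 0/1 coefficients, a word in GF(2^8)^8 decomposes into bit planes that P maps independently, and a byte of P(x) is zero only if it is zero in every plane, so the minimum of w_H(x) + w_H(P(x)) is attained on a byte-activity pattern with every byte 0 or 1; the branch number search therefore covers 255 patterns. All names are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example, not part of the Camellia design document: p_s, q_s and the
 * branch number B by exhaustive search, then the bound of Theorems 1 and 2. */

/* Multiplication in GF(2^8) modulo x^8+x^4+x^3+x+1. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    while (b) {
        if (b & 1) r ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return r;
}

static uint8_t sbox[256];
static int sbox_ready;

/* Inversion s-box: a stand-in affine equivalent to Camellia's s-boxes, not s1 itself. */
static void build_sbox(void)
{
    int a, b;
    if (sbox_ready) return;
    sbox[0] = 0;
    for (a = 1; a < 256; a++)
        for (b = 1; b < 256; b++)
            if (gf_mul((uint8_t)a, (uint8_t)b) == 1) { sbox[a] = (uint8_t)b; break; }
    sbox_ready = 1;
}

/* Definitions 3 and 4: the largest count #{x | s(x) xor s(x xor dx) = dy}
 * over dx != 0, i.e. 2^8 * p_s. */
int max_differential_count(void)
{
    int dx, x, best = 0, count[256];
    build_sbox();
    for (dx = 1; dx < 256; dx++) {
        for (x = 0; x < 256; x++) count[x] = 0;
        for (x = 0; x < 256; x++) count[sbox[x] ^ sbox[x ^ dx]]++;
        for (x = 0; x < 256; x++) if (count[x] > best) best = count[x];
    }
    return best;   /* 4, so p_s = 4/256 = 2^-6 */
}

static int parity(unsigned v) { v ^= v >> 4; v ^= v >> 2; v ^= v >> 1; return (int)(v & 1); }

/* Definitions 3 and 4: the largest |2^8 * (2 Pr[x.gx = s(x).gy] - 1)| over
 * gy != 0, i.e. 2^8 * sqrt(q_s). */
int max_linear_imbalance(void)
{
    int gx, gy, x, best = 0;
    build_sbox();
    for (gx = 0; gx < 256; gx++)
        for (gy = 1; gy < 256; gy++) {
            int w = 0;
            for (x = 0; x < 256; x++)
                w += (parity((unsigned)(x & gx)) == parity((unsigned)(sbox[x] & gy))) ? 1 : -1;
            if (abs(w) > best) best = abs(w);
        }
    return best;   /* 32, so q_s = (32/256)^2 = 2^-6 */
}

/* Definition 1 for Camellia's P-function over the 255 byte-activity patterns. */
int branch_number_of_p(void)
{
    int pat, best = 16;
    for (pat = 1; pat < 256; pat++) {
        int z[8], i, w = 0;
        for (i = 0; i < 8; i++) { z[i] = (pat >> i) & 1; w += z[i]; }   /* w_H(x) */
        w += z[0]^z[2]^z[3]^z[5]^z[6]^z[7];                              /* w_H(P(x)) */
        w += z[0]^z[1]^z[3]^z[4]^z[6]^z[7];
        w += z[0]^z[1]^z[2]^z[4]^z[5]^z[7];
        w += z[1]^z[2]^z[3]^z[4]^z[5]^z[6];
        w += z[0]^z[1]^z[5]^z[6]^z[7];
        w += z[1]^z[2]^z[4]^z[6]^z[7];
        w += z[2]^z[3]^z[4]^z[5]^z[7];
        w += z[0]^z[3]^z[4]^z[5]^z[6];
        if (w < best) best = w;
    }
    return best;   /* 5 */
}

/* Theorems 1 and 2 over 16 rounds (two groups of eight): log2 of the bound
 * p_s^(2(2B+1)); with log2 p_s = -6 and B = 5 this is -132. */
int characteristic_bound_log2(int log2_ps, int branch)
{
    return 2 * (2 * branch + 1) * log2_ps;
}
```

The linear search runs 256 × 255 masks over 256 inputs, which is a fraction of a second in C; the differential search is far smaller. Swapping in Camellia's own s1 from Table 4 of the specification changes nothing in the two searches and, by the affine equivalence, yields the same 4 and 32.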

xote th—t the result —˜ ove —re ˜—sed on „heorems I —nd PF foth theorems de—l with gener—l

™—ses of peistel ™iphers with ƒ€x round fun™tionD so we exp e™t th—t g—melli— is —™tu—lly more

se™ure th—n shown ˜y the result —˜ oveF es supp orting eviden™eD we ™ounted the num˜ er of —™tive

sE˜ oxes of g—melli— with redu™ed roundsF „he ™ounting —lgorithm is simil—r to th—t des™ri˜ ed

in ‘wWW“ ex™ept following three itemsF

 €rep—re the t—˜le for the num˜ er of —™tive sE˜ oxes inste—d of tr—nsition pro˜—˜ility t—˜leF

 gount the num˜ er of —™tive sE˜ oxes inste—d of ™omputing tr—nsition pro˜—˜ilityF

I

 pvE —nd pv Efun™tions set —ll elements to the minimumn um˜erof—™tive sE˜ oxes in the

t—˜leF „his me—ns th—t the —lgorithm gives ™onsider—tion to existen™e of we—k su˜keys inE

I

serted to pvE —nd pv Efun™tionsD sin™e there m—y ˜ e some p ossi˜ility of ™onne™ting every

l—ter dierenti—lGline—r ™h—r—™teristi™ with the previous one with the highest pro˜—˜ilityD

whi™h is equiv—lent to the minimumn um˜ er of —™tive sE˜ oxesF

es — resultD we ™onrmed th—t IPEround g—melli— with pvE —nd pvEfun™tions h—s no dierE

IPV

enti—lGline—r ™h—r—™teristi™ with pro˜—˜ility higher th—n P @see „—˜les IH —nd IIAF

TFP „run™—ted hierenti—l grypt—n—lysis

„he —tt—™ks using trun™—ted dierenti—ls were intro du™ed ˜yunudsen ‘uWS“F re dened them

—s dierenti—ls where only — p—rt of the dieren™e ™—n ˜e predi™tedF „he notion of trun™—ted

dierenti—ls intro du™ed ˜y him is wideD ˜ut with — ˜yteEoriented ™ipher it is n—tur—l to study

˜ytewise dierenti—ls —s trun™—ted dierenti—ls ‘w„WW“F PU

gopyright x„„ —nd witsu˜ishi ile™tri™ gorp or—tion PHHHEPHHI

5 of rounds I P Q R S T U V W IH II IP

IP QH RP TT WT

istim—tion ˜—sed P P P P P

on „hF I —nd P @PA @SA @UA @IIA @ITA

T IP RP SR TT UP UP UV IHV IPH IQP

g—melli— I P P P P P P P P P P P

@HA @IA @PA @UA @WA @IIA @IPA @IPA @IQA @IVA @PHA @PPA

I T IP RP SR TT UV WH IHV IPT IQP

without pvGpv E I P P P P P P P P P P

fun™tions @HA @IA @PA @UA @WA @IIA @IQA @ISA @IVA @PIA @PPA

xoteX „he num˜ ers in ˜r—™kets —re the num˜erof—™tivesE˜oxesF

„—˜le IHX pp er ˜ ounds of dierenti—l ™h—r—™teristi™ pro˜—˜ility of g—melli—

5 of rounds I P Q R S T U V W IH II IP

IP QH RP TT WT

istim—tion ˜—sed P P P P P

on „hF I —nd P @PA @SA @UA @IIA @ITA

T IP QT SR TT UP UP UV IHP IPH IQP

g—melli— I P P P P P P P P P P P

@HA @IA @PA @TA @WA @IIA @IPA @IPA @IQA @IUA @PHA @PPA

I T IP QT SR TT UV VR IHV IPH IQP

without pvGpv E I P P P P P P P P P P

fun™tions @HA @IA @PA @TA @WA @IIA @IQA @IRA @IVA @PHA @PPA

xoteX „he num˜ ers in ˜r—™kets —re the num˜erof—™tivesE˜oxesF

„—˜le IIX pp er ˜ ounds of line—r ™h—r—™teristi™ pro˜—˜ility of g—melli—

„he m—ximumdieren ti—l pro˜—˜ility is ™onsidered to provide the stri™t ev—lu—tion of se™uE

rity —g—inst dierenti—l ™rypt—n—lysisD ˜ut ™omputing its v—lue is imp ossi˜le in gener—lD sin™e —

dierenti—l is — set of —ll dierenti—l ™h—r—™teristi™s with the s—me input dieren™e —nd the s—me

output dieren™e for — w—rkov ™ipher ‘vwwWI“F yn the other h—ndD — trun™—ted dierenti—l

™—n ˜e reg—rded —s — su˜set of the dierenti—l ™h—r—™teristi™s whi™h —re exploit—˜le in ™ryptE

—n—lysisF por some ™iphersD eFgFD ˜yteEoriented ™iphersD the pro˜—˜ility of trun™—ted dierenti—l

™—n ˜ e ™omputed e—sily —nd ™orre™tlyD —nd it gives — more stri™t ev—lu—tion th—n the m—ximum

dierenti—l ™h—r—™teristi™ pro˜—˜ilityF

e trun™—ted dierenti—l ™rypt—n—lysis of redu™edEround v—ri—nts of iP w—s presented ˜y w—tE

sui —nd „okit— —t pƒi9WW ‘w„WW“F „heir —n—lysis w—s ˜—sed on the ’˜yte ™h—r—™teristi™D4 where

the v—lues to the dieren™e in — ˜yte —re distinguished ˜ etween nonEzero —nd zeroF „hey found —

UEround ˜yte ™h—r—™teristi™D whi™h le—ds to — p ossi˜le —tt—™k on —n VEround v—ri—ntofiPwithout

s„ Epun™tion @the initi—l tr—nsform—tionA —nd p„Epun™tion @the n—l tr—nsform—tionAF „he ˜ est

—tt—™k of iP shown in ‘wƒeuHH“ ˜re—ks —n VEround v—ri—nt of iP with either s„ Epun™tion or

WR

p„Epun™tion using P ™hosen pl—intextsF sn ‘wƒeuHH“ we —lso show the —tt—™k whi™h distinE

guishes — UEround v—ri—nt of iP with s„ E—ndp„Epun™tions from— r—ndomp erm ut—tion using

WI

P ™hosen pl—intextsF

g—melli— is — ˜yteEoriented ™ipher simil—r to iPD —nd it is imp ort—nttoev—lu—te its se™urity

—g—inst trun™—ted dierenti—l ™rypt—n—lysisF ‡e se—r™hed for trun™—ted dierenti—ls using —n PV

gopyright x„„ —nd witsu˜ishi ile™tri™ gorp or—tion PHHHEPHHI

—lgorithm simil—r to the one des™ri˜ ed in ‘w„WWD wƒeuHH“F „he m—in dieren™e of the round

fun™tion ˜etween iP —nd g—melli— is the —doption of the IEround ƒ€x not the PEround ƒ€xD

V

iFeF ƒE€EƒF sn the se—r™h for trun™—ted dierenti—ls of iPD we used —˜ out P —s the pro˜—˜ility

of dieren™e ™—n™ell—tion in ˜yte —t the ˆy‚ of peistel networkF roweverD the round fun™tion

of g—melli— do esn9t h—vethe se™ond sE˜ oxesEl—yerD —nd the ™—n™ell—tion sometimes o ™™urs with

pro˜—˜ility IF es — resultD more th—n IHEround g—melli— is indistinguish—˜le from — r—ndom

I

permut—tion ˜ oth withGwithout pvEGpv Efun™tion l—yersF

‚e™entlyD ƒugit— et —lF9s p—p er on trun™—ted —nd imp ossi˜le dierenti—l ™rypt—n—lysis of

I

g—melli— @without pvEGpv Efun™tionsA w—s —™™epted for eƒseg‚‰€„ PHHI ‘ƒusHI“F „hey

™l—imth—t they found t wo nonEtrivi—l WEround trun™—ted dierenti—ls @with the s—me inputGoutput

dierenti—l p—tternsAD whi™h le—d to — p ossi˜le —tt—™k of g—melli— redu™ed to II rounds without

I

inputGoutput whitenings —nd pvEGpv Efun™tionsF rowever we think it is still op en howm—ny

rounds of g—melli— ™—n ˜ e —tt—™ked using the trun™—ted dierenti—lsF

TFQ „run™—ted vine—r grypt—n—lysis

‡eintro du™e — new ™rypt—n—lysis ™—lled trun™—ted line—r ™rypt—n—lysisF

hue to the du—lity ˜etween dierenti—l —nd line—r ™rypt—n—lysisD we ™—n ev—lu—te se™urity

—g—inst trun™—ted line—r ™rypt—n—lysis ˜y using — simil—r —lgorithm to th—t —˜ oveF „o put it

™on™retelyD we ™—n p erform the se—r™h ˜y repl—™ing the m—trix of € Efun™tion with the tr—nsE

p osed m—trixF es — resultD more th—n IHEround g—melli— is indistinguish—˜le from — r—ndom

I

permut—tion without pvEGpv Efun™tion l—yersF

TFR grypt—n—lysis with smp ossi˜le hierenti—l

„he imp ossi˜le dierenti—l me—ns the dierenti—l whi™h holds with pro˜—˜ility HD or the dierenE

ti—l whi™h never existsF sing su™h —n imp ossi˜le dierenti—lD it is p ossi˜le to n—rrowdown the

™—ndid—tes of the su˜keyF st is known th—t there is —t le—st one SEround imp ossi˜le dierenti—l

in —nypeistel network with — ˜ije™tive round fun™tionF ƒin™e g—melli— h—s the peistel network

I

@with pvE —nd pv Efun™tions inserted ˜ etween every T roundsA —nd the round fun™tion is ˜ije™E

tiveD g—melli— h—s SEround imp ossi˜le dierenti—lsF eddition—lly —s — re™ent resultD ƒugit— et —lF

I

found — UEround imp ossi˜le dierenti—l for g—melli— @without pvEGpv Efun™tionsA ‘ƒusHI“F ‡e

I

exp e™t pvE —nd pv Efun™tions m—ke —tt—™king g—melli— using imp ossi˜le dierenti—ls di™ultD

sin™e the fun™tions ™h—nge dierenti—l p—ths dep ending on key v—luesF sn ™onsequentD g—melli—

with full rounds will not ˜ e ˜roken ˜y ™rypt—n—lysis using imp ossi˜le dierenti—lsF

TFS fo omer—ng ett—™k

fo omer—ng —tt—™k ‘‡WW“ requires P dierenti—lsF vet the pro˜—˜ilityof the dierenti—ls ˜e p

—nd p F en ˜ o omer—ng —tt—™k th—t is sup erior th—n exh—ustivekey se—r™h requires

r

TR

p p ! P X @TA

r

sing „—˜le IHD there is no ™om˜in—tion th—t s—tises snequ—lity@TA for g—melli— without pvE

I I

—nd pv Efun™tionsF „he ˜ est ˜ o omer—ng pro˜—˜ility for g—melli— without pvE —nd pv E

TT IP

fun™tions redu™ed to VEround is ˜ ounded ˜yP th—t is o˜t—ined ˜y p aP @Q roundsA —nd

PW

gopyright x„„ —nd witsu˜ishi ile™tri™ gorp or—tion PHHHEPHHI

SR I

p aP @S roundsAF ƒin™e —tt—™k—˜le rounds for g—melli— without pvE—nd pv Efun™tions is

r

˜ ounded ˜ymu™h shorter th—n the sp e™i™—tion of g—melli—D IVD g—melli— seems se™ure —g—inst

— ˜ o omer—ng —tt—™kF

6.6 Higher Order Differential Attack

The higher order differential attack is generally applicable to ciphers that can be represented as Boolean polynomials of low degree. The attack described in [JK97, Theorem 1] exploits the following property: if the intermediate bits are represented by Boolean polynomials of degree at most $d$, the $(d+1)$-th order differential of those Boolean polynomials is identically 0.

Degrees of the Boolean polynomials of the s-boxes. Functions affinely equivalent (over GF(2)) to the inversion function in GF(2^8) are adopted as the s-boxes. It is known that the degree of the Boolean polynomial of every output bit of the inversion function in GF(2^8) is 7, but the degree for the s-boxes of Camellia does not follow immediately, since affine functions are applied at the input and the output. We confirmed that the degree of the Boolean polynomial of every output bit of the s-boxes is 7 by computing the Boolean polynomial of every output bit of the s-boxes.

Degrees of the Boolean polynomials of the entire cipher. The degree of an intermediate bit in the encryption process is expected to increase as the data pass through many s-boxes of degree 7. We therefore expect higher order differential attacks to fail against Camellia with the full number of rounds. However, there is still room for further study of higher order differential attacks on Camellia, because other approaches to such attacks exist. In [KK01], Kawabata et al. show that Camellia with 10 rounds (without FL- and FL^{-1}-functions) can be attacked faster than exhaustive search when the key size is 256 bits; the attack applies to 9 rounds for 192-bit keys and to 8 rounds for 128-bit keys. Although that attack is titled a "higher order differential attack", the approach used is similar to that of the Square attack.

6.7 Square Attack

The Square attack was proposed as a dedicated attack on Square [DKR97] that exploits its byte-oriented structure. It also applies to other byte-oriented ciphers such as Rijndael, Hierocrypt, and Camellia. For our cryptanalysis of Camellia with respect to the Square attack, see Sect. 6.8.

The approach of the Square attack resembles that of higher order differential attacks: one chooses a certain complete set of plaintexts and, after some rounds of the cipher, predicts a key-independent property that holds with probability one. The higher order differential attack on Camellia by Kawabata et al. [KK01] also takes this approach.

Another Square attack, by He and Qing [HQ01], on 6 rounds of Camellia was accepted for ICICS 2001. The claimed attack on 6 rounds of Camellia requires much more computation than Kawabata and Kaneko's attack (the attack [HQ01] requires $2^{112}$ encryptions, the attack [KK01] $2^{22.6}$ encryptions), but fewer plaintexts (the attack [HQ01] requires $13 \cdot 2^{8}$ plaintexts, the attack [KK01] $2^{17}$ plaintexts).

6.8 Interpolation Attack and Linear Sum Attack

The interpolation attack proposed in [JK97] is typically applicable to ciphers that use simple algebraic functions.

The principle of the interpolation attack is, roughly speaking, the following: if the ciphertext can be represented as a polynomial or rational expression in the plaintext with $N$ unknown coefficients, that expression can be constructed from $N$ pairs of plaintexts and ciphertexts. Once the attacker has constructed the polynomial or rational expression, he can encrypt any plaintext into the corresponding ciphertext, or decrypt any ciphertext into the corresponding plaintext, under that key without knowing the key. Since $N$ determines both the complexity and the number of pairs required for the attack, it is important to make $N$ as large as possible. If $N$ is so large that gathering $N$ plaintext-ciphertext pairs is impractical for the attacker, the cipher is secure against the interpolation attack.

The linear sum attack [A00] is a generalization of the interpolation attack [JK97]. A practical algorithm that evaluates security against the linear sum attack was proposed in [A00]. We searched for linear relations between any plaintext byte and any ciphertext byte over GF(2^8) using that algorithm. Table 12 summarizes the results.

Table 12: Smallest number of unknown coefficients for 128-, 192-, and 256-bit keys

    whitening 1 + round r (r < 4)      1
    whitening 1 + round 4            255
    more rounds                      256

Table 12 shows that Camellia is secure against the linear sum attack, and hence against the interpolation attack. By [A00, Theorem 3], it also implies that Camellia is secure against the Square attack [DKR97].
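The two arguments above, the degree bound of Sect. 6.6 and the coefficient count $N$ of Sect. 6.8, as an added worked example that is not code from the Camellia paper. It builds GF(2^8) on the AES polynomial $x^8+x^4+x^3+x+1$ and wraps field inversion in made-up affine layers; neither matches Camellia's actual field representation or s-box constants, and the two one-byte keyed maps at the end are toys, not Camellia's round function. The example computes the algebraic normal form of every output bit (degree 7 for the inversion-based S-box, 2 for $x^3$), checks that the $(d+1)$-th order differential vanishes while some $d$-th order one does not, and then runs the interpolation attack: ten pairs recover the degree-9 toy map completely, whereas ten pairs fit the inversion-based map only on the pairs that were used.

```python
# Added example (not code from the Camellia paper).  Assumptions, for
# illustration only: GF(2^8) uses the AES polynomial x^8+x^4+x^3+x+1, the S-box
# uses made-up affine layers around field inversion, and the two keyed maps
# at the end are toys.  None of these are Camellia's constants.
POLY = 0x11B


def gf_mul(a, b):
    """Multiply two GF(2^8) elements modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


def gf_inv(a):
    return gf_pow(a, 254)  # a^-1 for a != 0, and 0 -> 0 (inversion S-box convention)


def sbox(x):
    """Inversion S-box with assumed affine maps: XOR constant at the input,
    bit rotation plus XOR constant at the output (both invertible)."""
    y = gf_inv(x ^ 0x5A)
    return (((y << 1) | (y >> 7)) & 0xFF) ^ 0x6E


def cube(x):
    """Low-degree comparison map x^3: algebraic degree 2 (binary weight of 3)."""
    return gf_pow(x, 3)


def anf(truth):
    """Moebius transform: ANF coefficients a[u] (monomial x^u) from a 256-entry truth table."""
    a = list(truth)
    for i in range(8):
        for x in range(256):
            if x >> i & 1:
                a[x] ^= a[x ^ (1 << i)]
    return a


def output_bit_degrees(f):
    """Algebraic degree of each of the 8 output bits of f: {0..255} -> {0..255}."""
    degs = []
    for i in range(8):
        a = anf([f(x) >> i & 1 for x in range(256)])
        degs.append(max((bin(u).count("1") for u in range(256) if a[u]), default=0))
    return degs


def higher_order_derivative(f, basis, x0=0):
    """k-th order differential of f over span(basis) at x0: the XOR of f over
    the coset x0 + span(basis).  It is 0 whenever k exceeds the degree of f."""
    total = 0
    for mask in range(1 << len(basis)):
        x = x0
        for j, a in enumerate(basis):
            if mask >> j & 1:
                x ^= a
        total ^= f(x)
    return total


def low_degree_cipher(p, key=(0x3C, 0xA5, 0x17)):
    """Toy map ((p + k0)^3 + k1)^3 + k2: a degree-9 polynomial in p, so N = 10."""
    k0, k1, k2 = key
    return gf_pow(gf_pow(p ^ k0, 3) ^ k1, 3) ^ k2


def sbox_cipher(p, key=(0x3C, 0xA5)):
    """Toy map: one inversion S-box between key additions (degree >= 127 in p)."""
    return sbox(p ^ key[0]) ^ key[1]


def interpolate(points):
    """Lagrange interpolation over GF(2^8); coefficients are returned low degree first."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        num, den = [1], 1  # running products prod(x + xj) and prod(xi + xj)
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = [(num[k - 1] if k else 0) ^ (gf_mul(num[k], xj) if k < len(num) else 0)
                       for k in range(len(num) + 1)]
                den = gf_mul(den, xi ^ xj)
        scale = gf_mul(yi, gf_inv(den))
        for k, c in enumerate(num):
            coeffs[k] ^= gf_mul(c, scale)
    return coeffs


def evaluate(coeffs, x):
    r = 0
    for c in reversed(coeffs):  # Horner's rule over GF(2^8)
        r = gf_mul(r, x) ^ c
    return r


def interpolation_attack(cipher, n_pairs):
    """Fit a polynomial to n_pairs known plaintext/ciphertext pairs and return how
    many of the 256 plaintexts it encrypts correctly without knowing the key."""
    poly = interpolate([(p, cipher(p)) for p in range(n_pairs)])
    return sum(evaluate(poly, p) == cipher(p) for p in range(256))
```

Algebraic degree is invariant under affine input and output maps, which the computed degrees confirm for the assumed layers. The interpolation step costs about $N^3$ field multiplications, and the inversion-based toy map has a polynomial of degree at least 127, so recovering it would need essentially the whole 256-entry codebook; that is the sense in which a large $N$ defeats the attack.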

6.9 No Equivalent Keys

Since the set of subkeys generated by the key schedule contains the original secret key, no set of subkeys generated from distinct secret keys can be equivalent. Therefore, we expect that there are no two distinct secret keys both of which encrypt each of many plaintexts into the same ciphertext.

6.10 Slide Attack

In [BW99, BW00] the slide attacks were introduced, based on earlier work in [B94, K93]. In particular, it was shown that iterated ciphers with identical round functions, that is, equal structures and equal subkeys in the round functions, are susceptible to slide attacks.

In Camellia, FL- and FL^{-1}-functions are "inserted" between every 6 rounds of the Feistel network to provide non-regularity across rounds. Moreover, from the viewpoint of the key schedule, slide attacks seem very unlikely to succeed (see Section 6.11).

6.11 Related-key Attack

We are convinced that the key schedule of Camellia makes related-key attacks [B94, KSW96] very difficult. In these attacks, an attacker must be able to obtain encryptions under several related keys. If the relation between, say, two keys is known, and if the corresponding relations between the subkeys can be predetermined, it might become possible to predict how the keys would encrypt a pair of different plaintexts. However, the subkeys depend on $K_A$ and $K_B$, which are the results of encrypting the secret key; if an attacker wants to change the secret key, he cannot obtain the desired $K_A$ and $K_B$, and vice versa. These subkey relations are therefore very hard to control and predict.

6.12 Statistical Tests

Most statistical characteristics are related to the differential attack and other cryptanalytic attacks. For example, it is frequently discussed how many ciphertext bits are complemented when one plaintext bit is complemented. By the definition and the properties of the differential distribution table, resistance to differential attacks implies that the number of complemented bits is about half. Of course, a statistical weakness might be found given enough computational resources; however, nobody in the world has the resources to compute such a statistical measure for a 128-bit block cipher.

Note the following. Statistical tests are frequently applied to a round function alone, because of the limited computational resources. We do not think this is significant, because one can construct a cipher whose round function does not show good statistical properties while the cipher as a whole does, and one can also construct a cipher whose round function shows good statistical properties while the cipher as a whole does not.

In the CRYPTREC Report 2000 [C01], it is reported that an avalanche-effect evaluation of Camellia was carried out and that some points deviating from the expected value were found in the round function, but no particular characteristics were found in the data-randomizing part after the 4th round.

6.13 Implementation Attacks

It is well known that a poor implementation can leak information through timing attacks [K96] or power analysis attacks [KJJ99]. Using the classification proposed in [DR99], Camellia is in the group of "favorable" algorithms, since it uses only logical operations, table lookups, and fixed rotations.

On the other hand, Chari et al. [CJRR99] claim that all AES candidates are susceptible to power analysis attacks. As these two papers contradict each other, how to resist power analysis attacks is not known, since the study of power analysis attacks has only just begun. We think that Camellia should be protected by hardware techniques and should not be evaluated by the security derived directly from the specification, considering the current state of the art. We hope that the study of implementation attacks will progress in the near future.

6.14 Brute Force Attacks

Most brute force attacks are applicable to any deterministic block cipher, and the corresponding complexity depends only on the block size or the key size (*), regardless of the design. Camellia has a block size of 128 bits and allows the three key sizes of 128, 192, and 256 bits. In the discussion below, $k$ denotes the key size in bits.

(*) Strictly speaking, the computation time required for an attack depends on the performance of the block cipher. However, the performance only affects the encryption time and changes the time complexity only by a negligible factor.

Exhaustive key search. In exhaustive key search, if an attacker obtains one pair of plaintext and ciphertext encrypted in ECB mode, he can find the correct key by encrypting the plaintext with all $2^k$ possible keys.

A weakness in the key scheduling of a cipher can help improve the efficiency of an exhaustive key search attack [K94], but we have not found such a weakness in Camellia. The complexity of exhaustive key search is estimated to be about $2^{k-1}$ encryptions on average. Thus, the required complexity of exhaustive key search is $2^{127}$, $2^{191}$, and $2^{255}$ encryptions for Camellia with 128-, 192-, and 256-bit keys, respectively. Therefore, Camellia's security against exhaustive key search is adequate.

Time-memory trade-off attack. Some words are frequently used in plaintexts. If an attacker encrypts such a plaintext block under all $2^k$ keys and stores the results in space for $2^k$ ciphertexts, then after obtaining the corresponding ciphertext he only has to look it up to find the key. This attack is called the table attack. Once the $2^k$ encryptions of the precomputation are done, the attack complexity is much smaller than that of exhaustive key search.

The time-memory trade-off attack [H80, KM96] can drastically reduce both the time complexity of exhaustive key search on intercepted ciphertexts and the space complexity of the table attack. However, both attacks require a precomputation equivalent to the time complexity of exhaustive key search. The key sizes supported by Camellia are long enough for security against exhaustive key search by today's technology.

Dictionary attack. In the dictionary attack, an attacker collects plaintext-ciphertext pairs under the same key and puts them in a "dictionary". When the attacker later sees only a ciphertext encrypted under that key, he can check whether it is in the dictionary; if it is, he already has the plaintext. Since the block size of Camellia is 128 bits, a dictionary attack would require space for $2^{128}$ different plaintext blocks to allow the attacker to encrypt or decrypt arbitrary messages under an unknown key. The success probability depends on the space available for the dictionary, and as the block size grows, the space required to achieve the same success probability increases exponentially. With its 128-bit block, Camellia has enough security against this attack.

Matching ciphertext attack. In the matching ciphertext attack [K98, Theorem 2], when about the square root of all possible ciphertexts is available, identical ciphertext blocks can be expected with probability more than 1/2 by the "birthday paradox" for some modes of operation such as ECB, CBC, and CFB. Then valuable information about the plaintexts can be derived. Note that this attack is independent of the key size. Since the block size of Camellia is 128 bits, the threat of this attack is small as long as encryption of as many as $2^{64}$ blocks under the same key is not performed.
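The matching ciphertext attack described above, as an added example that is not code from the paper: a CBC stream over a toy 16-bit block permutation (an assumption standing in for a real cipher; only the permutation property is used) with constructed random plaintext. The relation it checks, $P_i \oplus P_j = C_{i-1} \oplus C_{j-1}$ whenever $C_i = C_j$, holds for CBC under any block cipher, so the same leak detection applies unchanged to a 128-bit cipher, where the birthday bound is $2^{64}$ blocks instead of $2^{8}$.

```python
# Added example (not code from the Camellia paper).  The block cipher is a keyed
# random permutation of a 16-bit block space, an assumption standing in for a
# real cipher so that the birthday bound (about 2^8 blocks) is reached quickly;
# the plaintext blocks are constructed at random.
import random

BLOCK_BITS = 16
SPACE = 1 << BLOCK_BITS


def toy_block_cipher(key):
    """Encryption function of a random permutation seeded by `key`.  Only the
    fact that it is a permutation matters for the matching ciphertext attack."""
    perm = list(range(SPACE))
    random.Random(key).shuffle(perm)
    return perm.__getitem__


def cbc_encrypt(enc, iv, blocks):
    """CBC mode: C_i = E(P_i ^ C_{i-1}) with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = enc(p ^ prev)
        out.append(prev)
    return out


def expected_collisions(n_blocks, block_bits=BLOCK_BITS):
    """Birthday estimate of equal-ciphertext pairs among n blocks: C(n, 2) / 2^b."""
    return n_blocks * (n_blocks - 1) / 2 / (1 << block_bits)


def matching_ciphertext_leaks(iv, ciphertext):
    """Return (i, j, P_i ^ P_j) for every C_i == C_j with i < j.  Because E is
    a permutation, C_i == C_j implies P_i ^ C_{i-1} == P_j ^ C_{j-1}, so the
    XOR of the two plaintext blocks is revealed by the preceding ciphertexts."""
    prev = [iv] + list(ciphertext)  # prev[i] is C_{i-1}
    first_seen, leaks = {}, []
    for j, c in enumerate(ciphertext):
        if c in first_seen:
            i = first_seen[c]
            leaks.append((i, j, prev[i] ^ prev[j]))
        else:
            first_seen[c] = j
    return leaks


def demo(n_blocks=2048, seed=7):
    """Encrypt n constructed random blocks under one key, then check every leaked
    XOR against the true plaintexts.  Returns (leaks found, all correct?,
    birthday estimate of colliding pairs)."""
    rng = random.Random(seed)
    enc = toy_block_cipher(key=0xC0FFEE)
    iv = rng.randrange(SPACE)
    plaintext = [rng.randrange(SPACE) for _ in range(n_blocks)]
    ciphertext = cbc_encrypt(enc, iv, plaintext)
    leaks = matching_ciphertext_leaks(iv, ciphertext)
    ok = all(plaintext[i] ^ plaintext[j] == x for i, j, x in leaks)
    return len(leaks), ok, expected_collisions(n_blocks)


if __name__ == "__main__":
    print(demo())
```

With 2048 blocks of a 16-bit cipher the birthday estimate is about 32 colliding pairs, each revealing the XOR of two plaintext blocks without any key recovery. Scaling `BLOCK_BITS` to 128 in `expected_collisions` reproduces the paper's figure: the per-key limit of $2^{64}$ blocks, not the key size, is the operational control against this attack.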

7 Conclusion

We have presented Camellia, the rationale behind its design, its suitability for both software and hardware implementation, and the results of our cryptanalyses.

The performance figures shown in this paper leave room for further optimization. The latest performance results will be posted on the Camellia home page: http://info.isl.ntt.co.jp/camellia/.

We have analyzed Camellia and found no important weakness. The cipher has a conservative design, and any practical attack against Camellia would require a major breakthrough in the area of cryptanalysis. We think that Camellia is a very strong cipher, which matches the security of the existing best block ciphers.

References

[A00] K. Aoki. Practical Evaluation of Security against Generalized Interpolation Attack. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences (Japan), Vol. E83-A, No. 1, pp. 33-38, 2000. (A preliminary version was presented at SAC'99.)

[ABK98] R. Anderson, E. Biham, and L. Knudsen. Serpent: A Flexible Block Cipher With Maximum Assurance. In The First AES Candidate Conference, 1998.

[AIK+00a] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita. Implementations of the 128-bit block cipher - Camellia -. Technical Report ISEC2000-73, The Institute of Electronics, Information and Communication Engineers, 2000. (in Japanese)

[AIK+00b] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita. Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Extended Abstract -. In First NESSIE Workshop, 2000.

[AU00] K. Aoki and H. Ueda. Optimized Software Implementations of E2. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences (Japan), Vol. E83-A, No. 1, pp. 101-105, 2000. (The full paper is available at http://info.isl.ntt.co.jp/e2/RelDocs/.)

[B94] E. Biham. New Types of Cryptanalytic Attacks Using Related Keys. Journal of Cryptology, Vol. 7, No. 4, pp. 229-246, 1994. (The extended abstract appeared at EUROCRYPT'93.)

[BS93] E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, Berlin, Heidelberg, New York, 1993.

[BW99] A. Biryukov and D. Wagner. Slide Attacks. In L. Knudsen, editor, Fast Software Encryption - 6th International Workshop, FSE'99, Volume 1636 of Lecture Notes in Computer Science, pp. 245-259, Berlin, Heidelberg, New York, 1999. Springer-Verlag.

[BW00] A. Biryukov and D. Wagner. Advanced Slide Attacks. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2000, Volume 1807 of Lecture Notes in Computer Science, pp. 589-606, Berlin, Heidelberg, New York, 2000. Springer-Verlag.

[C98] Compaq Computer Corporation. Alpha Architecture Handbook (Version 4), 1998. (The manual can be downloaded from Compaq's technical documentation library: http://www.support.compaq.com/alpha-tools/documentation/current/chip-docs.html.)

[C01] CRYPTREC. CRYPTREC Report 2000, April 2001.

[CJRR99] S. Chari, C. Jutla, J. R. Rao, and P. Rohatgi. A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards. In Second Advanced Encryption Standard Candidate Conference, pp. 133-147, Hotel Quirinale, Rome, Italy, 1999. Information Technology Laboratory, National Institute of Standards and Technology.

[CV95] F. Chabaud and S. Vaudenay. Links Between Differential and Linear Cryptanalysis. In A. D. Santis, editor, Advances in Cryptology - EUROCRYPT'94, Volume 950 of Lecture Notes in Computer Science, pp. 356-365. Springer-Verlag, Berlin, Heidelberg, New York, 1995.

[DKR97] J. Daemen, L. R. Knudsen, and V. Rijmen. The Block Cipher Square. In E. Biham, editor, Fast Software Encryption - 4th International Workshop, FSE'97, Volume 1267 of Lecture Notes in Computer Science, pp. 149-165, Berlin, Heidelberg, New York, 1997. Springer-Verlag.

[DR98] J. Daemen and V. Rijmen. AES Proposal: Rijndael, 1998. (http://www.esat.kuleuven.ac.be/~rijmen/rijndael/)

[DR99] J. Daemen and V. Rijmen. Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals. In The Second AES Candidate Conference, 1999.

[F00] A. Fog. How to optimize for the Pentium microprocessors, 2000. (http://www.agner.org/assem/)

[H80] M. Hellman. A Cryptanalytic Time-Memory Trade-Off. IEEE Transactions on Information Theory, Vol. IT-26, No. 4, pp. 401-406, 1980.

[HQ01] Y. He and S. Qing. Square Attack on Reduced Camellia Cipher. Submitted to the 3rd International Conference on Information and Communications Security (ICICS 2001), 2001.

[I99] Intel Corporation. Intel Architecture Software Developer's Manual (Volume 2: Instruction Set Reference), 1999. (The manual can be downloaded from Intel's developer site: http://developer.intel.com/.)

[ISKM01] T. Ichikawa, T. Sorimachi, T. Kasuya, and M. Matsui. On the criteria of hardware evaluation of block ciphers (1). Technical Report ISEC2001-53, The Institute of Electronics, Information and Communication Engineers, 2001. (in Japanese)

[JK97] T. Jakobsen and L. R. Knudsen. The Interpolation Attack on Block Ciphers. In E. Biham, editor, Fast Software Encryption - 4th International Workshop, FSE'97, Volume 1267 of Lecture Notes in Computer Science, pp. 28-40, Berlin, Heidelberg, New York, 1997. Springer-Verlag.

[K93] L. R. Knudsen. Cryptanalysis of LOKI91. In J. Seberry and Y. Zheng, editors, Advances in Cryptology - AUSCRYPT'92, Volume 718 of Lecture Notes in Computer Science, pp. 196-208. Springer-Verlag, Berlin, Heidelberg, New York, 1993.

[K94] L. R. Knudsen. Practically Secure Feistel Ciphers. In R. Anderson, editor, Fast Software Encryption 1993 - Cambridge Security Workshop (FSE1), Volume 809 of Lecture Notes in Computer Science, pp. 211-221, Berlin, Heidelberg, New York, 1994. Springer-Verlag.

[K95] L. R. Knudsen. Truncated and Higher Order Differentials. In B. Preneel, editor, Fast Software Encryption - Second International Workshop, Volume 1008 of Lecture Notes in Computer Science, pp. 196-211. Springer-Verlag, Berlin, Heidelberg, New York, 1995.

[K96] P. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In N. Koblitz, editor, Advances in Cryptology - CRYPTO'96, Volume 1109 of Lecture Notes in Computer Science, pp. 104-113. Springer-Verlag, Berlin, Heidelberg, New York, 1996.

[K98] L. R. Knudsen. Block Ciphers - A Survey. In B. Preneel and V. Rijmen, editors, State of the Art in Applied Cryptography, Volume 1528 of Lecture Notes in Computer Science, pp. 18-48, Berlin, Heidelberg, New York, 1998. Springer-Verlag.

[K00] M. Kanda. Practical Security Evaluation against Differential and Linear Attacks for Feistel Ciphers with SPN Round Function. In SAC2000, Seventh Annual Workshop on Selected Areas in Cryptography, 14-15 August 2000, Workshop Record, 2000.

[KJJ99] P. Kocher, J. Jaffe, and B. Jun. Differential Power Analysis. In M. Wiener, editor, Advances in Cryptology - CRYPTO'99, Volume 1666 of Lecture Notes in Computer Science, pp. 388-397. Springer-Verlag, Berlin, Heidelberg, New York, 1999.

[KK01] T. Kawabata and T. Kaneko. A Study on Higher Order Differential Attack of Camellia. In Second NESSIE Workshop, 2001. (This paper is based on T. Kawabata, Y. Ohgaki and T. Kaneko, "A Study on Strength of Camellia against Higher Order Differential Attack" (in Japanese), Technical Report of IEICE, ISEC2001-9, pp. 55-62, The Institute of Electronics, Information and Communication Engineers, 2001.)

[KM96] K. Kusuda and T. Matsumoto. Optimization of Time-Memory Trade-Off Cryptanalysis and Its Application to DES, FEAL-32, and Skipjack. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences (Japan), Vol. E79-A, No. 1, pp. 35-48, 1996.

[KMA+98] M. Kanda, S. Moriai, K. Aoki, H. Ueda, M. Ohkubo, Y. Takashima, K. Ohta, and T. Matsumoto. A New 128-bit Block Cipher E2. Technical Report ISEC98-12, The Institute of Electronics, Information and Communication Engineers, 1998. (in Japanese)

[KSW96] J. Kelsey, B. Schneier, and D. Wagner. Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In N. Koblitz, editor, Advances in Cryptology - CRYPTO'96, Volume 1109 of Lecture Notes in Computer Science, pp. 237-251. Springer-Verlag, Berlin, Heidelberg, New York, 1996.

[KTM+99] M. Kanda, Y. Takashima, T. Matsumoto, K. Aoki, and K. Ohta. A Strategy for Constructing Fast Round Functions with Practical Security against Differential and Linear Cryptanalysis. In S. Tavares and H. Meijer, editors, Selected Areas in Cryptography - 5th Annual International Workshop, SAC'98, Volume 1556 of Lecture Notes in Computer Science, pp. 264-279, Berlin, Heidelberg, New York, 1999. Springer-Verlag.

[LMM91] X. Lai, J. L. Massey, and S. Murphy. Markov Ciphers and Differential Cryptanalysis. In D. W. Davies, editor, Advances in Cryptology - EUROCRYPT'91, Volume 547 of Lecture Notes in Computer Science, pp. 17-38. Springer-Verlag, Berlin, Heidelberg, New York, 1991.

[M94] M. Matsui. Linear Cryptanalysis Method for DES Cipher. In T. Helleseth, editor, Advances in Cryptology - EUROCRYPT'93, Volume 765 of Lecture Notes in Computer Science, pp. 386-397. Springer-Verlag, Berlin, Heidelberg, New York, 1994. (A preliminary version written in Japanese was presented at SCIS93-3C.)

[M95] M. Matsui. On Correlation Between the Order of S-boxes and the Strength of DES. In A. D. Santis, editor, Advances in Cryptology - EUROCRYPT'94, Volume 950 of Lecture Notes in Computer Science, pp. 366-375. Springer-Verlag, Berlin, Heidelberg, New York, 1995.

[M97] M. Matsui. New Block Encryption Algorithm MISTY. In E. Biham, editor, Fast Software Encryption - 4th International Workshop, FSE'97, Volume 1267 of Lecture Notes in Computer Science, pp. 54-68, Berlin, Heidelberg, New York, 1997. Springer-Verlag. (A preliminary version written in Japanese was presented at ISEC96-11.)

[M99] M. Matsui. Differential Path Search of the Block Cipher E2. Technical Report ISEC99-19, The Institute of Electronics, Information and Communication Engineers, 1999. (in Japanese)

[MIYY88] M. Matsui, T. Inoue, A. Yamagishi, and H. Yoshida. A note on calculation circuits over GF(2^{2n}). Technical Report IT88-14, The Institute of Electronics, Information and Communication Engineers, 1988. (in Japanese)

[MSAK00] S. Moriai, M. Sugita, K. Aoki, and M. Kanda. Security of E2 against Truncated Differential Cryptanalysis. In H. Heys and C. Adams, editors, Selected Areas in Cryptography - 6th Annual International Workshop, SAC'99, Volume 1758 of Lecture Notes in Computer Science, pp. 106-117, Berlin, Heidelberg, New York, 2000. Springer-Verlag.

[MT99] M. Matsui and T. Tokita. Cryptanalysis of a Reduced Version of the Block Cipher E2. In L. Knudsen, editor, Fast Software Encryption - 6th International Workshop, FSE'99, Volume 1636 of Lecture Notes in Computer Science, pp. 71-80, Berlin, Heidelberg, New York, 1999. Springer-Verlag. (A Japanese version was presented at SCIS99.)

[RDP+96] V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers, and E. De Win. The Cipher SHARK. In D. Gollmann, editor, Fast Software Encryption - Third International Workshop, Volume 1039 of Lecture Notes in Computer Science, pp. 99-111. Springer-Verlag, Berlin, Heidelberg, New York, 1996.

[SKI01] M. Sugita, K. Kobara, and H. Imai. Security of Reduced Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis. Submitted to ASIACRYPT 2001, 2001.

[W99] D. Wagner. The Boomerang Attack. In L. R. Knudsen, editor, Fast Software Encryption - 6th International Workshop, FSE'99, Volume 1636 of Lecture Notes in Computer Science, pp. 156-170, Berlin, Heidelberg, New York, 1999. Springer-Verlag.

[Y01a] C.-H. Yang. Performance Evaluation of AES/DES/Camellia on the 6805 and H8/300 CPUs. In Proceedings of the 2001 Symposium on Cryptography and Information Security, Volume II of SCIS2001, pp. 727-730, Oiso, Japan, 2001. Technical Group on Information Security (IEICE).

[Y01b] C.-H. Yang. Supplementary information for C.-H. Yang's SCIS 2001 paper. http://www.geocities.com/chyang00/SCIS2001, 2001.

A History

Ver 2.0 (September 26, 2001)

- The abstract was renewed with the latest performance figures.
- In Section 1, the paragraph "Future developments" was renewed based on the current status. Its title was also changed to "Standardization activities".
- Section 3 was renewed with the latest performance figures.
- In Section 4.2.7, the equation to calculate Eq. (3) using only four tables, SP_1, SP_2, SP_3, SP_4, was corrected.
- Section 5 was renewed by adding the latest information on hardware evaluations.
- In Section 6.1 (Differential and Linear Cryptanalysis), an erratum in Table 10 "Upper bounds of differential characteristic probability of Camellia" (in the row "without FL/FL^{-1}-functions") was fixed.
- Section 6.2 (Truncated Differential Cryptanalysis) was renewed by adding the recent result.
- Section 6.4 (Cryptanalysis with Impossible Differential) was renewed by adding the recent result. An erratum was also fixed: "more than 6 rounds" was changed to "more than 5 rounds".
- Section 6.6 (Higher Order Differential Attack) was renewed based on the recent result.
- Section 6.7 (Square Attack) was added.
- Section 6.12 (Statistical Tests) was renewed by adding more information.