
Designing Cryptography for the New Century

Susan Landau

Communications of the ACM, May 2000, Vol. 43, No. 5

Cryptography was once the domain of generals and curious children, but the advent of the Information Age changed that. In the early 1970s the National Security Agency (NSA) and the National Bureau of Standards (NBS) realized that non-combatant adults needed to protect their sensitive, but unclassified, information. Though NSA is the usual government agency for building cryptosystems, the agency was unwilling to design one for public use. Instead NBS issued a public solicitation for a cryptosystem. IBM responded. The company submitted a cryptosystem with a 56-bit key. The new algorithm became the Data Encryption Standard (DES).

Many in industry and academia were skeptical of DES. Concern centered on whether NSA had placed a trapdoor, a shortcut to decryption, in the algorithm. There were also objections to DES’s key length;¹ critics believed the relatively short key length had been chosen so that NSA could read DES-encrypted traffic. (IBM said its own engineers had insisted on parity bits for the register-to-register transfer of key data, thus decreasing the key length to 56 from the original 64.)

¹ DES is a private-key, or symmetric, cryptographic system, in which encryption and decryption use the same key. Public-key cryptography typically needs significantly more bits to achieve the same level of security as a private-key algorithm.

During the next two decades there were frequent battles over cryptography. Using export controls and threats of other legal action, the U.S. government attempted to stop the spread of strong cryptography. Seeking to build secure computer systems, industry found export controls on cryptography to be a serious blockage (though, to be sure, not the only one) [4]. Industry battles centered on bits: how many would the government allow in exported products? Under a 1992 agreement, the magic number was 40 bits. DES is 56 bits. With narrow exceptions, products incorporating DES could not be exported. A 1996 National Research Council report on cryptography policy recommended an immediate loosening of export controls. No changes occurred until 1998, when a $250,000 special-purpose machine built by the Electronic Frontier Foundation cracked a DES-encrypted message in 56 hours [5]. (This has since been improved to 22 hours through a combination of 100,000 networked PCs and the EFF machine.) At that point, U.S. export controls were relaxed to permit DES in exported products. In recent months export controls have been further eased.

A New Standard

A DES replacement was overdue. In 1997 the National Institute of Standards and Technology (NIST) announced a competition for the algorithm’s replacement, and held public meetings to discuss the criteria for a proposed Advanced Encryption Standard (AES). Key length was most important. A 1996 ad hoc committee had argued 90 bits was currently the minimum key length needed to provide data security for 20 years [1]. NIST sought that much security and more—encrypted files should remain confidential well after AES was retired. NIST settled on a minimum key length of 128 bits.²

² Triple-DES—three iterations of DES with either two keys (K1, K2, K1) or three (K1, K2, K3)—had become popular. But triple-DES does not take optimal advantage of 32-bit processors and is too slow.

Given the government’s intransigence over exporting strong cryptography, initial reaction was mistrustful. One concern was the role of the NSA in the process. Another was foreign participation; after all, expertise is international. Both concerns seem to have been allayed. While NSA is—appropriately enough—studying the candidates, there have been no complaints about its part in NIST’s evaluation. And NIST allowed foreign participation in the AES competition.

After public input, NIST settled on straightforward requirements: the algorithm must implement symmetric (secret) key cryptography, the algorithm must be a block cipher, and the algorithm must work on 128-bit blocks and with three key sizes: 128, 192, and 256 bits. If selected, candidates would have to be available worldwide on a nonexclusive, royalty-free basis. Evaluations would be on security, cost, and implementation flexibility. As simplicity aids in understanding, implementing, and assessing the security of the candidates, design simplicity would count. The winner should work in a variety of venues, including 8-bit processors, smartcards, ATM networks, HDTV, voice, and satellite communications. A year into the evaluation procedure, NIST would determine five finalists, and a year later, the winner (or winners—NIST might pick more than one).

NIST’s biggest challenge was determining the candidates’ strength. Cryptanalysis is a young science without an overarching theory. Certifying a 128-bit symmetric key algorithm is a voyage into the unknown. NIST could use mathematical arguments and various measures (for example, how much a candidate’s output was indistinguishable from a random permutation) to establish an algorithm’s security. But such approaches are only as strong as the imagined attack model. At the end one is left with statements of the form: “We tried, and algorithm X could not be attacked by methods D, L, or S.” Such an approach does not inspire confidence.

If an algorithm uses a k-bit key, the measure of security is how close the algorithm is to being 2^k-secure, that is, whether there are significantly better methods for breaking the system than a brute-force search of the entire key space. (An assumption, first codified by Kerckhoffs in the 18th century, holds that security of a cryptosystem should rest entirely in the secrecy of the key, and not in the secrecy of the algorithm.) Sometimes an algorithm’s weakness is readily apparent, but frequently weaknesses may take years to discover. With DES, one strong form of attack—differential cryptanalysis—had apparently been known to the algorithm’s designers, but linear cryptanalysis, discovered in 1993, seems to be new. DES was indeed at least theoretically vulnerable to this type of attack.

Cryptosystem Design

The simplest techniques for encrypting a block of symbols are substitution and transposition. Substitution replaces a symbol by another; transposition permutes the symbols of a block around. Cryptanalysis can be viewed as trying to determine the plaintext by approximating the encryption function. Viewed this way, linear functions of the input and key are poor design choices; such functions can be easily solved. Thus nonlinear functions form the basis of cryptographic design. But cryptographic functions must be invertible, fast to compute, and should have small memory requirements. So linear functions end up playing an essential role. A proper combination of simple operations such as XOR (exclusive or, addition modulo 2, sometimes written as ⊕), substitution, and permutation produces a cryptosystem whose strength is greater than the sum of its parts.

These operations are all that is behind DES, which is an iterated block cipher, a cryptosystem on a block of symbols that sequentially repeats an internal function, called a round. It is currently customary to encrypt data using a primitive that operates on a block of symbols of moderate size. Although there are non-iterative block ciphers (RSA), iteration is a natural way to proceed because that yields a small object (this is useful in hardware) with good complexity. Some version of self invertibility is also useful. This enables one object (a chip, a piece of software) to both encrypt and decrypt. Feistel ciphers, in which the 2t-bit input is split into t-bit halves L_0, R_0 and mapped after r rounds to L_r, R_r, succinctly accomplish this. In the ith round, the right half of the previous round becomes the new left half, L_i ← R_{i-1}, while the new right half R_i is a function of a round subkey K_i (derived from the key K) and both halves from the previous round, R_i ← L_{i-1} ⊕ f(R_{i-1}, K_i), where f is an arbitrary function. Decryption is the algorithm run in reverse, with subkeys used in the opposite order. DES is a 16-round Feistel cipher.

One school of thought in cryptosystem design lets technology strongly guide the choice of operations, thereby obtaining algorithmic complexity with high-speed performance. NSA takes a different tack. Any widely deployed system will be implemented across a variety of hardware and software systems, so the agency believes in “keep it simple,” and prefers to use elementary primitives such as XOR and table look-up. As opposed to more complex operations such as floating-point arithmetic, these functions act the same way regardless of system architecture. There are countless other tradeoffs, with perhaps the most fundamental being between those algorithms that are simpler to verify, and those that are more complex but more difficult to verify. In a block-structured cryptosystem, this particular issue plays out on the question of rounds: should there be many simple rounds or fewer, more complex ones? Even relatively simple ones can be secure when run for 32 rounds.

System designers typically begin with a set of capabilities (this may be the architectures or processors on which the algorithm will run) and a set of performance constraints. While cryptosystem design should be a standardized procedure in much the way that bridge building is, the fact is bridge building is much better understood. The purpose of a cryptosystem is to make decryption of messages extremely difficult without the key. The design of a cryptosystem has a dual objective: ensure cryptanalysis is difficult while enabling certification of the algorithm’s security. The complexity of the two tasks and a lack of knowledge about how to achieve the second generally results in cryptosystems being designed with cryptanalysis well in mind, system certifiability much less so.

Some rules of thumb are standard. No output bit should be a linear function of the input bits; indeed, no linear function of the output bits should be a linear function of the input bits [3]. This does not mean that linear functions cannot be part of a cryptosystem, but that the system must include nonlinearity. In block-structured algorithms nonlinearity is frequently achieved by using look-up tables called S-boxes (for substitution boxes).

Cryptanalytic Attacks

The most serious attacks on block-structured algorithms to date are differential and linear cryptanalysis. Differential cryptanalysis, first reported publicly by Israeli researchers Eli Biham and Adi Shamir, is a chosen-plaintext attack that relies on the idea that a fixed input difference may, with high probability, generate a particular output difference. By encrypting pairs of plaintexts X, X′ with prescribed bitwise difference ΔX = X ⊕ X′, and seeing which key bits are “suggested” by the output difference, key bits are determined.

Linear cryptanalysis, discovered by Japanese cryptographer Mitsuru Matsui, works by finding linear relationships between plaintext, ciphertext, and key bits that reveal information about the key. Let B[i] denote the ith bit of an array B, and B[i_1, i_2, …, i_k] = B[i_1] ⊕ B[i_2] ⊕ … ⊕ B[i_k], and P, C and K be the plaintext, ciphertext, and key respectively. Fundamentally one is seeking relationships of the form:

    P[i_1, i_2, …, i_a] ⊕ C[j_1, j_2, …, j_b] = K[k_1, k_2, …, k_c].

In the case of DES, both differential and linear cryptanalysis are theoretical rather than practical attacks. Yet these are very powerful cryptanalytic techniques that cannot be ignored.

No mathematical theory accounts for attacks that are “out of the box.” Paul Kocher successfully broke a number of secure algorithms using timing and power-analysis attacks. Using a known-ciphertext attack, Kocher timed decryption to determine which operations were being used. This revealed which decryption key bits were a “1.” Using this approach, Kocher found the exponents used in the Diffie-Hellman key-exchange algorithm and factored the modulus used for the RSA algorithm [6]. Power-analysis attacks rely on the remarkably effective observation that the power consumed during encryption and decryption depends on the operation being performed and the data being processed [7]. Kocher’s attacks, which rely on the physical aspects of the implementation, had not been part of any model previously considered by cryptographers.

The AES Candidates

AES candidates were due June 15, 1998. Of the 21 submitted, 15 met NIST’s criteria: LOKI97 (Australia), Rijndael (Belgium), CAST-256 and DEAL (Canada), FROG (Costa Rica), DFC (France), Magenta (Germany), E2 (Japan), CRYPTON (Korea), Hasty Pudding Cipher (U.S.), MARS, RC6, SAFER+ and Twofish (U.S.), and Serpent (U.K., Israel, Norway).³ In August 1999, NIST announced the five finalists: MARS, RC6, Rijndael, Serpent, and Twofish. These were widely accepted—along with some support for E2—as the “best” submissions, and NIST reported that NSA called these “appropriate choices.” The winner—or winners—will be determined this summer.

³ Except for the Hasty Pudding Cipher, all of the U.S. candidates included non-U.S. nationals on their design team.

For the winners, different cooks added their own ingredients to the cryptographic brew. The five finalists, for example, include an “extended” Feistel network (MARS), two standard Feistel networks (RC6, Twofish), a substitution-permutation network (Serpent), and an algorithm that relies on finite field operations to construct the S-box (Rijndael). MARS and RC6 use multiplication to perform diffusion, but MARS multiplies key words by data words, while RC6 multiplies words that are a combination of key and data. Twofish uses “key-dependent” S-boxes that are constructed on the fly. In any given round, Serpent implements one S-box in parallel—32 copies of it. No other finalist (or candidate) does that.

The AES Finalists

I will briefly describe each of the finalists, explaining the design principles behind them. Full descriptions, including implementation details, are available at the NIST Web site (aes.nist.gov).

In MARS, IBM designers use the well-established Feistel network, the reasonable idea that multiplication provides good diffusion properties, the fact that all modern processors support multiplication of 32-bit numbers, and their intuition that an algorithm in which the top and bottom rounds of a cipher employ different functions than the middle ones is more resistant to differential and linear cryptanalysis. Symmetry in a cryptosystem (symmetry within a round function, the same round functions at the beginning and end of the algorithm) simplifies the system’s architecture and its security analysis. But to thwart various types of attacks, MARS designers chose to make their algorithm asymmetric; the last eight rounds of MARS process words in a different order than the first eight. And the central 16 rounds—the core—are different from the first and last eight mixing rounds. MARS’s S-boxes were built using SHA-1 (SHA-1, the Secure Hash Algorithm, is a Federal Information Processing Standard) applied to some fixed constants, specifically, expansions of the fractional parts of e and π. (To assure users the algorithm has no trapdoors, algorithm designers are careful to explain their choice of fixed parameters.)

The mixing rounds employ ⊕, rotation, and addition, while the core uses ⊕, multiplication, data-dependent rotations, and S-box lookup. Both the mixing and core rounds of MARS are complex, and the algorithm’s key schedule is also intricate. NIST commented that MARS’s “complexity makes analysis difficult in a restricted timeframe” [8]. This complexity may work against MARS being chosen as an AES.

RC6, a 20-round Feistel cipher out of RSA Security, is much simpler. RC6 operates on four registers (A, B, C, D) of 32-bit words. RC6 treats the four words in pairs, (A, B), (C, D), and permutes the pairs in the last step of each round, (A, B, C, D) ← (B, C, D, A), thus mixing them:

    B = B + K_0
    D = D + K_1
    for i = 1 to r do:
        t = (B × (2B + 1)) <<< 5
        u = (D × (2D + 1)) <<< 5
        A = ((A ⊕ t) <<< u) + K_2i
        C = ((C ⊕ u) <<< t) + K_2i+1
        (A, B, C, D) = (B, C, D, A)

where a <<< b, a “data-dependent” rotation, means rotate the w-bit word a to the left by the amount given by the least significant log w bits of b, and the K_i’s are round subkeys. (Although at first RC6 does not appear to be a Feistel cipher, during a round the only use of blocks B and D is to rotate blocks A and C. Thus one can model L = (B, D), R = (A, C), and RC6 is a standard Feistel network, aside from pre-whitening and post-whitening steps.) Whitening is simple: XOR key material with the input (or output) to a block algorithm. This is to prevent attackers from acquiring plaintext/ciphertext pairs.

RC6’s design is simple. RC6’s strength lies in the resistance to differential and linear cryptanalysis provided by the data-dependent rotations and in the diffusion provided by the quadratic function f(x) = x(2x + 1).

Twofish, proposed by Counterpane Systems, a U.S.-based cryptographic consulting firm, is a 16-round Feistel network with two modifications. One is a one-bit rotation before and after the data enters the round function proper. The other alteration is key-based S-boxes. Twofish’s designers believe dynamically varying S-boxes enhance security.

Key-dependent S-boxes are unusual. While randomly constructed S-boxes are vulnerable to differential-cryptanalysis attacks, DES’s S-boxes were explicitly constructed to resist differential cryptanalysis. In any particular instantiation of Twofish, some key-dependent S-boxes may be weak, but the fact that the S-boxes are dynamically constructed complicates differential and linear cryptanalysis attacks. The four S-boxes are distinct and are constructed from permutations that satisfy good differential and linear properties.

The S-box operation is followed by matrix multiplication, addition modulo 2^32, and addition of key bits. Bit rotations are put in to thwart an attack that relies on the byte alignment of the S-boxes and matrix multiplications. Matrix multiplication diffuses bits. And addition mod 2^32 provides further mixing. Twofish’s key schedule is relatively straightforward. But NIST warned that Twofish’s overall complexity “has drawn some concern” (see [8], p. 53).

Serpent, created by three cryptographers from the U.K., Israel, and Denmark, is a conservative design. There are 32 rounds—a high number—each of which consists of XORing the key and the intermediate data, a pass through S-boxes, and a linear function that combines fixed rotations and XOR (in the last round, the linear function is replaced by a key-mixing operation). While the rules used to generate the linear transformation appear ad hoc (a <<< 7 here, an ⊕ there), they function as advertised: the linear transformation increases avalanche. After three rounds, each plaintext bit affects all data bits.

Each round of Serpent has 32 identical S-boxes (each 4-bit to 4-bit) applied in parallel. And herein lies the cleverness of Serpent. The bits are operated upon independently, and a 32-bit processor neatly works on the 128-bit data segment. The fact that each round uses 32 identical S-boxes means the action of the S-boxes on bits 0, 1, 2, 3 is identical to the action on bits 4, 5, 6, 7; bits 8, 9, 10, 11; and so forth. So bits 0, 1, 2, 3 are fed to the first input of the processor and operated upon through a series of Boolean operations, while simultaneously bits 4, 5, 6, 7 are fed to the second input of the processor and operated upon by the same set of operations, and so forth. The result is bits 0, 4, …, 124 of the output. Now the processor can compute the next set of outputs. The inputs have already been fed in. Again, since the S-boxes are replicated, the same operation is done on all 32 bits of the processor. The outputs are bits 1, 5, …, 125 of the output. This process is repeated twice more, and thus all 128 bits of output are computed. This is followed by the linear transformation that diffuses the results of the bits. During these operations, the processor is used to its fullest.

The S-boxes are created from DES’s via a simple program, and Serpent’s key schedule is simple. The algorithm’s security is based on a high number of rounds, which provides strong resistance to differential and linear cryptanalysis.

Rijndael, developed by two Belgian cryptographers, relies more directly on algebraic constructs than the other algorithms. Let GF(2^8) be the finite field defined by the irreducible polynomial x^8 + x^4 + x^3 + x + 1 over GF(2); view the 128 bits = 16 bytes as elements of the field. The data is placed in a 4 × 4 array of elements of GF(2^8).

Rijndael has 10 rounds, each consisting of four operations: ByteSub, ShiftRow, MixColumn, and AddRoundKey (the last round skips the MixColumn operation). ByteSub, the S-box operation, views individual bytes as elements of GF(2^8), and first inverts them (0 is sent to 0), and then maps the elements via an affine function. ByteSub operations were chosen for their resistance to differential and linear cryptanalysis. ShiftRow cyclically shifts the elements of the ith row of the array i elements to the right, while MixColumn diffuses the bits of a column by viewing the elements of the column as coefficients of a polynomial and performing a polynomial multiplication. Finally AddRoundKey XORs the key with the array elements. The key schedule for Rijndael is a simple expansion using XOR and cyclic shift.

Determining the Winner(s)

The finalists have varying strengths and weaknesses. RC6 and Rijndael have simple definitions; MARS and, to a lesser extent, Twofish have designs that complicate analysis. Serpent is slow on virtually all platforms, but the algorithm has a large “security margin” (a high number of rounds relative to differential and linear attacks that are successful on reduced-round versions of the algorithm). RC6 has a low security margin, MARS, a large one.

The successful candidates are not perfect. All have serious problems in smart cards, where the attacker has limited access to the card’s performance while encrypting. Their use of multiplication and rotation makes MARS and RC6 vulnerable to timing attacks. So is Twofish, although less so. But a differential power-analysis attack exhibited far more serious problems. Taking power samples of the whitening process from 100 independent block encryptions, a rogue smart-card implementation leaked all 128 bits of Twofish’s key [2]. This was not due to a peculiarity of Twofish—all the round-one AES candidates were equally vulnerable to this attack. There are ways around such penetrabilities, but these come at a cost of time and space, neither of which is in great supply in smart cards. Perhaps smart cards are not an appropriate venue for the same algorithm expected to secure international ecommerce. A special-purpose algorithm might serve better.

When NBS put forth DES in 1975 the electronic world was in a fledgling state. Few anticipated the phenomenal growth of the Internet and e-commerce.

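Two of the points above made concrete in Python: the rule of thumb that no linear function of an S-box’s output bits may be a linear function of its input bits (the quantity a linear attack in Matsui’s style chains across rounds), and Serpent’s trick of running 32 copies of one 4-bit S-box in parallel on a 32-bit processor. This is an added example, not the article’s code and not the Serpent team’s; the 4-bit S-box is a sample permutation chosen for the example (it is not one of Serpent’s eight), and the Boolean formula for the bitsliced S-box is derived automatically from its table rather than hand-optimised as Serpent’s are.

```python
# A sample 4-bit-to-4-bit S-box: a permutation of 0..15 picked for this example.
# (Constructed for illustration; it is not one of Serpent's S-boxes.)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
NIBBLES_PER_WORD = 32           # one S-box copy per bit position of a 32-bit word
ALL_ONES = (1 << NIBBLES_PER_WORD) - 1

def parity(v):
    return bin(v).count("1") & 1

def linear_bias(sbox, in_mask, out_mask):
    """Bias of the approximation  x.in_mask xor S(x).out_mask = 0  over all 16
    inputs: (#inputs where it holds) - 8. Zero means no linear relation for this
    pair of masks; +-8 would mean an output combination that IS a linear function
    of the input bits, which the page's rule of thumb forbids."""
    holds = sum(1 for x in range(16)
                if parity(x & in_mask) == parity(sbox[x] & out_mask))
    return holds - 8

def max_abs_bias(sbox):
    """Largest |bias| over all non-trivial mask pairs (the linear approximation
    table's worst entry); smaller is better for a designer."""
    return max(abs(linear_bias(sbox, a, b))
               for a in range(1, 16) for b in range(1, 16))

def anf(sbox, out_bit):
    """Algebraic normal form of one output bit: the monomials (4-bit masks of the
    input bits ANDed together) whose XOR gives that bit, via the Moebius transform."""
    f = [(sbox[x] >> out_bit) & 1 for x in range(16)]
    for i in range(4):
        for x in range(16):
            if x & (1 << i):
                f[x] ^= f[x ^ (1 << i)]
    return [m for m in range(16) if f[m]]

def slice_nibbles(nibbles):
    """Bitslice: word j collects input bit j of every nibble, nibble k at bit k."""
    words = [0, 0, 0, 0]
    for k, n in enumerate(nibbles):
        for j in range(4):
            if n & (1 << j):
                words[j] |= 1 << k
    return words

def unslice_words(words):
    """Inverse of slice_nibbles."""
    return [sum(((words[j] >> k) & 1) << j for j in range(4))
            for k in range(NIBBLES_PER_WORD)]

def bitsliced_sbox(words, sbox):
    """Apply the S-box to all 32 nibbles at once using only AND and XOR on
    32-bit words: bits 0, 4, ..., 124 are produced by one pass, as the page
    describes, because every word operation acts on all 32 copies together."""
    out = []
    for b in range(4):
        acc = 0
        for m in anf(sbox, b):
            term = ALL_ONES                      # the empty monomial is the constant 1
            for j in range(4):
                if m & (1 << j):
                    term &= words[j]
            acc ^= term
        out.append(acc)
    return out

def sbox_lookup(nibbles, sbox):
    """Reference: plain table look-up, one nibble at a time."""
    return [sbox[n] for n in nibbles]

if __name__ == "__main__":
    data = [(7 * k + 3) % 16 for k in range(32)]   # constructed sample nibbles
    sliced = bitsliced_sbox(slice_nibbles(data), SBOX)
    print("bitsliced == lookup:", unslice_words(sliced) == sbox_lookup(data, SBOX))
    print("max |bias| of the sample S-box:", max_abs_bias(SBOX))
```

For a bijective 4-bit S-box the worst bias can never be below 4 of 16, so the test below checks that the sample sits in the range a designer can actually achieve and, by contrast, that the identity map (a fully linear “S-box”) scores the forbidden maximum of 8.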

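The GF(2^8) arithmetic behind Rijndael’s ByteSub and MixColumn, assembled into one round in Python. This is an added example, not the article’s code and not the Rijndael designers’; it follows the FIPS-197 conventions (column-major 4 × 4 state, the 0x63 affine constant, ShiftRow as a rotation to the left), and it leaves out the key schedule, so the caller supplies each round key.

```python
MODULUS = 0x11B   # x^8 + x^4 + x^3 + x + 1, the polynomial the article names

def gf_mul(a, b):
    """Multiply two elements of GF(2^8): shift-and-add, reducing modulo MODULUS."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
    return p & 0xFF

def gf_inv(a):
    """Multiplicative inverse as a^254 (the field has 256 elements); 0 -> 0 as in ByteSub."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0

def byte_sub(b):
    """ByteSub: invert in GF(2^8), then apply the FIPS-197 affine map."""
    x = gf_inv(b)
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return x ^ rot(x, 1) ^ rot(x, 2) ^ rot(x, 3) ^ rot(x, 4) ^ 0x63

# The 16-byte block is a 4x4 array stored column-major: state[4*c + r] is row r, column c.
def shift_row(state):
    """Row r is rotated by r positions (FIPS-197 specifies a rotation to the left)."""
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_column(col):
    """MixColumn: the column as a polynomial over GF(2^8), multiplied by
    {03}x^3 + {01}x^2 + {01}x + {02} modulo x^4 + 1."""
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]

def mix_columns(state):
    out = []
    for c in range(4):
        out.extend(mix_column(state[4 * c:4 * c + 4]))
    return out

def add_round_key(state, round_key):
    """AddRoundKey: XOR the 16 key bytes into the array elements."""
    return [s ^ k for s, k in zip(state, round_key)]

def rijndael_round(state, round_key, final=False):
    """One round: ByteSub, ShiftRow, MixColumn (skipped in the final round), AddRoundKey."""
    state = [byte_sub(b) for b in state]
    state = shift_row(state)
    if not final:
        state = mix_columns(state)
    return add_round_key(state, round_key)

if __name__ == "__main__":
    print(hex(gf_mul(0x57, 0x83)), hex(gf_inv(0x53)), hex(byte_sub(0x53)))
    print([hex(b) for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
    sample_state = list(range(16))          # constructed input block
    sample_key = [0x10 * i for i in range(16)]   # constructed round key
    print([hex(b) for b in rijndael_round(sample_state, sample_key)])
```

The values in the test are the worked examples of FIPS-197 ({57}·{83} = {c1}, {53}⁻¹ = {ca}, ByteSub(53) = ed) and the standard MixColumn test columns; an all-zero state with an all-zero round key comes out as sixteen copies of 0x63, since MixColumn of a constant column is that constant ((02 ⊕ 03 ⊕ 01 ⊕ 01) = 01).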
AES is an ambitious undertaking. It is only two decades since public work on cryptography numbered more than a handful of researchers.⁴ NIST’s venture is predicated on the idea that in the more than 20 years since the sanctification of DES and the birth of public-key cryptography, cryptographic expertise outside the spy agencies has grown to the point that an algorithm to protect international commerce and communications can be developed by the public sector. AES is an interesting experiment—and a strong endorsement of the public expertise that has developed in so brief a time.

⁴ The first open meeting on cryptographic research occurred in Santa Barbara in 1981 and was attended by fewer than 50 people. This annual meeting, “CRYPTO,” now draws upwards of 500 attendees and is one of several international meetings and numerous workshops on cryptography.

References

1. Blaze, M. et al. Minimal key lengths for symmetric ciphers to provide adequate commercial security. A report by an ad hoc group of cryptographers and computer scientists; www.crypto.com/papers/keylength.txt.
2. Chari, S., Jutla, C., Rao, J. and Rohatgi, P. A cautionary note regarding evaluation of AES candidates on smart-cards. The Second Advanced Encryption Standard Candidate Conference, March 22–23, 1999.
3. Coppersmith, D. The Data Encryption Standard (DES) and its strength against attacks. IBM J. Res. Develop. 38 (1994), 243–250.
4. Diffie, W. and Landau, S. Privacy on the Line: The Politics of Wiretapping and Encryption. MIT Press, Cambridge, Mass., 1998.
5. Electronic Frontier Foundation. Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design. O’Reilly and Associates.
6. Kocher, P. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Proceedings of Advances in Cryptology, Crypto96, Springer-Verlag, 1996, pp. 104–113.
7. Kocher, P., Jaffe, J. and Jun, B. Differential Power Analysis. In Proceedings of Advances in Cryptology, Crypto99, Springer-Verlag, 1999, pp. 388–397.
8. Nechvatal, J. et al. Status report on the first round of the development of the Advanced Encryption Standard. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, NIST Journal of Research, to appear.

Further Reading

Menezes, A., Oorschot, P. van and Vanstone, S. Handbook of Applied Cryptography. CRC Press, 1996.
Schneier, B. Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2d Edition. John Wiley and Sons, New York, 1996.

Susan Landau is senior staff engineer at Sun Microsystems Laboratories. She is a fellow of the American Association for the Advancement of Science.

© 2000 ACM 0002-0782/00/0500 $5.00

