
3.19 The AES Contest

In document A Salad of Block Ciphers (Page 181-192)

This section serves as (i) an historical interlude, (ii) a prelude to the description of Rijndael, and (iii) a placeholder to give brief descriptions and references to other block ciphers which were submitted to the AES contest and are worth mentioning.

The US National Institute of Standards and Technology (NIST) launched in January 1997 a contest to find a block cipher to replace the aging DES. DES had become obsolete: its 56-bit key size was inadequate to resist brute force attacks given modern technology, its 64-bit block length was too short for several types of applications, for instance to construct hash functions, and it was also found to be vulnerable to several types of attacks.

On October 2nd, 2000 Rijndael (described in Section 3.20) was chosen as the winning cipher. The ratification of Rijndael as the new Advanced Encryption Standard, AES, took place on November 26th, 2001.

The entire process was completely open; even the requirements document was first published as a draft and comment or criticism invited before a final version was written, and all of the later work toward the choice of a standard was public as well. Because of this, the process was widely praised for taking Kerckhoffs' Principle into account: the security of an encryption method should rest on key secrecy, not on the secrecy of (design aspects of) the cipher. The final requirements specified a block cipher with 128-bit block size and support for 128, 192 or 256-bit key sizes. Evaluation criteria included security, performance on a range of platforms from 8-bit CPUs (e.g. in smart cards) to high end CPUs, and ease of implementation in both software and hardware.

Fifteen submissions meeting the basic criteria were received, from all over the world. All of the entries were iterated block ciphers. Most designs were substitution-permutation networks or Feistel structures, or variations of those. Several had proofs of resistance to various attacks.

In alphabetical order, the 15 first round candidates were: CAST-256 (Section 3.7 on page 148), CRYPTON [Lim99] (the very similar cipher mCrypton is described in Section 3.25 on page 198), DEAL (Subsection 3.19.1 on the next page), DFC (Subsection 3.19.2 on the facing page), E2 (discussed in Section 3.18 on Camellia), FROG (Subsection 3.19.3 on page 180), Hasty Pudding (Subsection 3.19.4 on page 180), LOKI97 (Subsection 3.19.5 on page 181), MAGENTA (Subsection 3.19.6 on page 181), MARS (Section 3.16 on page 169), RC6 (see Section 3.10 on page 158 on RC5), Rijndael (Section 3.20 on page 182), SAFER+ (discussed in the section about SAFER, Section 3.8 on page 150), Serpent (Section 3.17 on page 170), and Twofish (Section 3.13 on page 164).

After intense scrutiny by many of the world's best-known cryptographers, and two conferences, the field was narrowed to five finalists: Twofish, MARS, Serpent, RC6, and Rijndael. One could summarize the relative strengths and weaknesses of these five finalists as follows:

• MARS: very complex, complicated key schedule, reasonably fast but difficult to achieve good performance and a secure implementation of the key schedule, good security margin;

• RC6: very simple and quite fast, but low security margin;

• Rijndael: clean and well understood design, fast, high security margin;

• Serpent: slow, especially in software and more so in constrained environments, clean design, very high security margin;

• Twofish: complex, quite fast but not as fast as Rijndael, high security margin.

After another year of analysis and testing focused on the finalists, and another conference with all of the finalist teams giving presentations, a winner was chosen by vote. And so, on October 2, 2000, NIST announced that it had chosen Rijndael as the AES. On November 26, 2001, AES was formally approved as a US federal standard.

RC6 is the only one of the five finalists which does not have a completely open license; it is still proprietary to RSA Security. The other finalists can be used freely.

In 2003 the NSA announced that it allows the use of AES to encrypt classified documents up to the level SECRET for all key lengths, and up to the TOP SECRET level for key lengths of either 192 or 256 bits. Prior to that date, only non-public algorithms had been used for the encryption of classified documents.

We already described many of the 15 submissions or ciphers strongly related to them. We briefly comment here on the remaining algorithms, in alphabetical order, except for CRYPTON, for the reason that it is very similar to SQUARE and Rijndael and we shall discuss the also very similar mCrypton in Section 3.25 on page 198.

3.19.1 DEAL (and Ladder-DES)

DEAL, the Data Encryption Algorithm with Larger blocks, is a Feistel network which uses DES as the F-function, similarly to its precursor Ladder-DES by Terry Ritter. The design was proposed in a report by Lars Knudsen in 1998 [Knu98], and was submitted to the AES contest by Richard Outerbridge (who notes that Knudsen had presented the design at the SAC conference in 1997).

It did not make it into the finals, and was entered mainly to provide a baseline for comparison to other ciphers. DEAL has approximately the overheads of Triple DES, making it too slow to be a competitive candidate for AES.

It has a 128-bit block size and a variable key size of either 128, 192, or 256 bits. It uses 6 rounds for key sizes of 128 and 192 bits, and 8 rounds for 256-bit keys. The key schedule consists in concatenating a sufficient number of differently masked copies of the given secret key, and DES-CBC encrypting this buffer with a fixed IV and key.

The interest of this cipher is that it is a proper exemplification of the Luby-Rackoff construction (cf. Section 1.3 on page 28). Using that construction, it is easy to double the block size of an established cipher by using it as the F-function, at the price of a considerably slower operation and potentially amplifying the effects of biases in the original cipher. Furthermore, since cryptographic ciphers used in practice are not perfect pseudorandom functions, three or four rounds are often not sufficient. Indeed, Ladder-DES, which is a four round Luby-Rackoff construction, was quickly broken by Eli Biham [Bih97a]. Ladder-DES uses four 56-bit keys, and therefore it is expected that a meet-in-the-middle attack will have a complexity of $2^{112}$. However, Eli Biham showed how to recover the complete key in time $2^{88}$.

Stefan Lucks analyzed the security of DEAL in [Luc99] and showed that DEAL with 128-, 192-, and 256-bit keys can be broken in time $2^{121}$, $2^{121}$, and $2^{224}$ respectively.

3.19.2 DFC

Another theoretically interesting submission is DFC, the Decorrelated Fast Cipher, described in [GGH+98] and revised in [GNNV00]. It is an eight-round Feistel cipher.

The secret key $K$ is first turned into a 1024-bit “Expanded Key” EK through an Expanding Function EF: these 1024 bits are then split into the eight 128-bit round keys used by the encryption. The EF function performs a four round Feistel scheme using the same round function RF as the encryption, where the inputs and the round keys are derived from $K$ and some predefined constants.

The function RF is related to a Type IV decorrelation module (cf. Subsection 1.10.3 on page 64) that maps a 64-bit string onto a 64-bit string by using one 128-bit string parameter. It mixes modular multiplication modulo $2^{64} + 13$ and reduction modulo $2^{64}$, and it uses a single $6 \times 32$-bit S-box to determine a 32-bit value to mix in according to six bits of the input. All the constants used in the cipher are taken from the expansion of Napier's constant $e$.

This cipher was based on Serge Vaudenay's theoretical work on decorrelation theory. That theory gives methods of constructing ciphers which are provably immune to differential cryptanalysis, linear cryptanalysis, and any other attacks that meet some fairly broad assumptions. However, some attacks on DFC were found by going outside those assumptions, such as a variant of differential cryptanalysis [KR99a].

3.19.3 FROG

FROG is a variable size block cipher. It supports block sizes from 8 to 128 bytes and key sizes from 5 to 125 bytes.

Its design is very unorthodox: it uses data derived from the primary key as a program for an interpreter, so that each round can use a different sequence of operations. Eight rounds are used. Encryption and decryption are fast, but the key schedule is rather slow because it has to build a program for the interpreter.

Despite the fact that the sequence of computations is variable, David Wagner, Niels Ferguson, and Bruce Schneier [WFS99] broke it using differential cryptanalysis, and also found that it is faster to attack decryption than encryption. Also, the design makes it very difficult to implement both the key schedule and the ciphering operations in a way that resists power analysis.

3.19.4 Hasty Pudding

Rich Schroeppel's Hasty Pudding Cipher or HPC is a variable size block cipher; blocks can be any size the application requires. It therefore might be ideal for things like encrypting disk blocks. Key size is also variable: any integer number of bits. It is designed for architectures with 64-bit operations.

The design of the cipher is obscure and it is not well understood. It has a very expensive key setup. These two factors led to the cipher not being admitted to the final round.

Hasty Pudding's interest lies in the fact that it is the first tweakable block cipher, and it was designed before that term was actually introduced.

A tweakable block cipher [LRW02, LRW11] is a block cipher that accepts a third input called the tweak. The tweak, along with the key, selects the permutation computed by the cipher. Changing the key can be expensive, but changing the tweak should remain a lightweight operation. A tweak makes modes of operation for block ciphers easier to construct and to analyse. In the case of a tweakable block cipher, to be secure means that an adversary should not be able to break the cipher even with control of the tweak input.

The tweak in Hasty Pudding is called “spice.”

3.19.5 LOKI97

LOKI97 was the first published candidate in the AES contest [BP98]. The design and analysis of LOKI97 was performed by Lawrie Brown with assistance and critique from Josef Pieprzyk (who also designed the S-box functions) and Jennifer Seberry.

It is a 16-round Feistel cipher with an F-function that is basically two rounds of an SPN, whereas in DES the F-function is a single SP round. We recall that the F-function has two inputs, a half of the cipher state ($L$) and a round key $k$. So, we use the notation $F = F(L, k)$. The F-function uses two large 11- and 13-bit S-boxes.

The key schedule is a source-heavy 4-branch Feistel network. The input is a quartet of words $[k_4, k_3, k_2, k_1]$, where each $k_i$ is a 64-bit value. Initially this is the encryption key, padded to 256 bits for shorter keys. The quartet is then updated using the same F-function as the encryption, as follows: first the next round key
\[
\sigma \leftarrow F\bigl(k_1 \oplus k_3 \oplus (i \cdot \Delta),\, k_2\bigr) \oplus k_4
\]
is computed, then the substitution $[k_4, k_3, k_2, k_1] \leftarrow [k_3, k_2, k_1, \sigma]$ is performed. The constant $\Delta$ is $\lfloor (\sqrt{5} - 1) \cdot 2^{63} \rfloor$.

For each round of the cipher, a total of three round keys have to be generated: one as the key to the keyed F-function and two to be directly mixed into the branches via modular additions. The Feistel round itself uses a XOR to mix in the output of the F-function.

This description makes it clear that the cipher is computationally heavy and in fact, according to Schneier, it ranked 12th in performance among the 15 AES candidates. Also, the key schedule can run in parallel with encryption, but not with decryption.

The cipher was broken by Lars Knudsen and Vincent Rijmen [KR99b] using both linear cryptanalysis and differential cryptanalysis. Both attacks require only about $2^{56}$ known plaintexts. Further cryptanalysis includes [WLFQ99] (where also the AES candidates DFC and MAGENTA are analysed) and [WLFQ00].

3.19.6 MAGENTA

The Multifunctional Algorithm for General-purpose Encryption and Network Telecommunication Applications was Deutsche Telekom's entry in the AES competition [JH98].

MAGENTA has a block size of 128 bits. It is a Feistel cipher with six rounds for key sizes of 128 and 192 bits, and eight rounds for the key size of 256 bits.

It is often cited as an example of Kerckhoffs' Principle, a demonstration of why unpublished and therefore unanalysed ciphers cannot be trusted. Unlike all other candidates, this cipher was made available to the conference attendees only on the day of its presentation. The presentation was given on the morning of August 20th, 1998, to an audience that included many of the world's top cryptographers. Some saw flaws, and there was intense discussion over lunch. By that evening, a draft paper on breaking the cipher was circulating, and the final version [BBF+99] was presented at the second AES conference.

The S-box is constructed in an interesting way, inspired by the exponential S-boxes found in ciphers like SAFER (Section 3.8 on page 150): the S-box is essentially the map
\[
f\colon \mathbb{N} \to \mathbb{F}_{2^8} = \mathbb{F}_2[x]/(\phi(x)), \qquad n \mapsto x^n \bmod \phi(x),
\]
where $\phi(x) = x^8 + x^6 + x^5 + x^2 + 1$ (a primitive polynomial, so that $x^0, \dots, x^{254}$ run through all non-zero field elements), except for the last entry, $f(255) = 0$. This S-box has decent differential properties (but far from those of AES), but bad linear properties.
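To make the statement about differential and linear properties concrete, here is an added example, not code from the book or from the MAGENTA designers. It builds the MAGENTA S-box exactly as described, $n \mapsto x^n \bmod \phi(x)$ with $f(255) = 0$, builds the AES S-box (inversion in $\mathbb{F}_{2^8}$ followed by the FIPS-197 affine map) for comparison, and measures both by the largest entry of the difference distribution table and by the largest absolute bias in the linear approximation table, the latter computed with a Walsh transform. Function names and the analysis routines are ours; the polynomials are the ones given in the text and in FIPS-197.

```python
"""Differential and linear profile of the MAGENTA S-box versus the AES S-box.

Added example: not code from the book or from the cipher designers.
Both S-boxes are generated from their defining polynomials; the analysis
functions work for any 8-bit S-box given as a 256-entry list.
"""

MAGENTA_POLY = 0x165  # x^8 + x^6 + x^5 + x^2 + 1 (primitive)
AES_POLY = 0x11B      # x^8 + x^4 + x^3 + x + 1


def gf_mul(a: int, b: int, poly: int) -> int:
    """Multiply a and b in GF(2)[x]/(poly); poly carries the x^8 term."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= poly
    return r


def magenta_sbox() -> list[int]:
    """f(n) = x^n mod phi(x) for 0 <= n <= 254, and f(255) = 0."""
    box, v = [], 1
    for _ in range(255):
        box.append(v)
        v = gf_mul(v, 0x02, MAGENTA_POLY)  # multiply by x
    box.append(0)
    return box


def aes_sbox() -> list[int]:
    """Inversion in GF(2^8) (0 -> 0) composed with the FIPS-197 affine map."""
    def rotl(v: int, k: int) -> int:
        return ((v << k) | (v >> (8 - k))) & 0xFF
    box = []
    for n in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(n, y, AES_POLY) == 1), 0)
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return box


def is_permutation(s: list[int]) -> bool:
    return sorted(s) == list(range(256))


def differential_uniformity(s: list[int]) -> int:
    """Largest DDT entry: max over a != 0 and b of #{x : S(x) ^ S(x ^ a) = b}."""
    best = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[s[x] ^ s[x ^ a]] += 1
        best = max(best, max(counts))
    return best


def max_linear_bias(s: list[int]) -> int:
    """Largest |#{x : a.x = b.S(x)} - 128| over a, b != 0, via a Walsh transform."""
    best = 0
    for b in range(1, 256):
        # f[x] = (-1)^(b.S(x)); after the transform f[a] = sum_x (-1)^(a.x + b.S(x))
        f = [1 - 2 * (bin(b & s[x]).count("1") & 1) for x in range(256)]
        h = 1
        while h < 256:
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    u, v = f[j], f[j + h]
                    f[j], f[j + h] = u + v, u - v
            h *= 2
        best = max(best, max(abs(w) for w in f[1:]) // 2)  # |W(a)| = 2 * |bias|
    return best


if __name__ == "__main__":
    for name, box in (("MAGENTA", magenta_sbox()), ("AES", aes_sbox())):
        print(f"{name}: permutation={is_permutation(box)} "
              f"delta_max={differential_uniformity(box)} "
              f"bias_max={max_linear_bias(box)}")
```

For the AES S-box the two figures are the well-known optimum for an 8-bit bijection, differential uniformity 4 and maximal bias 16 (linearity 32); the MAGENTA box scores worse on both, as the text states. Swapping `MAGENTA_POLY` for a non-primitive polynomial makes `is_permutation` fail, which is why the primitivity of $\phi$ matters for the S-box construction.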

Another design principle of MAGENTA worth mentioning is the construction of the F-function. The F-function first concatenates an 8-byte branch of the Feistel network with an 8-byte round key, resulting in a 16-byte vector $w_0$. This 16-byte vector is then shuffled (the first eight bytes are interleaved with the last eight), and the 8 pairs of adjacent bytes are transformed as
\[
(x, y) \mapsto \bigl(f(x \oplus f(y)),\, f(y \oplus f(x))\bigr),
\]
where $f$ is the S-box above. The combination of shuffling and substitution is called the $\Pi$ operation in MAGENTA. In order to guarantee diffusion, $\Pi$ is performed four times in a row, thus giving rise to a modified FHT (fast Hadamard transform). Then $w_0$ is XORed to the state, $\Pi$ is applied again four times, $w_0$ is XORed to the state a second time, and $\Pi$ is applied another four times. The value of the F-function is formed by concatenating the bytes in the even numbered positions of the final state.

The key schedule is perhaps the biggest weakness of the design. If a $64t$-bit key $K$ is used, it is first split into 64-bit chunks $k_i$ for $1 \leqslant i \leqslant t$, which are then used as the round keys. For 128-, resp. 192- and 256-bit keys the sequences are $[k_1, k_1, k_2, k_2, k_1, k_1]$; $[k_1, k_2, k_3, k_3, k_2, k_1]$; and $[k_1, k_2, k_3, k_4, k_4, k_3, k_2, k_1]$. This immediately leads to splice-and-cut attacks (Subsection 2.4.4 on page 102): MAGENTA-128 can be broken using $2^{64}$ chosen plaintexts in time $2^{64}$, MAGENTA-192 can be broken using $2^{64}$ chosen plaintexts in time $2^{128}$, and MAGENTA-256 can be broken using $2^{128}$ chosen plaintexts in time $2^{128}$. All these attacks can be turned into known plaintext attacks with different tradeoffs, for instance reducing the memory usage by $n$ bits (a factor of $2^n$) while increasing the attack complexity by about $n$ bits. These attacks were presented (without recognising them as Merkle-Hellman attacks and the corresponding van Oorschot-Wiener known plaintext variants) already in [BBF+99].

Another remark, made also by the designers of the cipher themselves, is that, due to the symmetry of the key scheduling, encryption and decryption are identical except for the order of the two halves of the plaintexts and ciphertexts. Given a ciphertext, it can be decrypted just by swapping its two halves, re-encrypting the result, and swapping again. The main consequence is that MAGENTA cannot be used in scenarios where an attacker has access to an encryption oracle, since that oracle is also a decryption oracle, which considerably reduces its fields of application. Also, for any fixed key, the cipher (without final swap) will have an expected number of $2^{64}$ fixed points, which means that blocks of plaintext may be revealed with a significantly higher likelihood than the claimed security level.
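Two structural points made in this section and in Subsection 3.19.1 can be checked on a toy network: a Feistel network turns any keyed function into a cipher on blocks of twice the size (the Luby-Rackoff view of DEAL, where the number of rounds matters), and a palindromic round key sequence makes decryption equal to swap, encrypt, swap (MAGENTA). The following is an added example, not code from the book or from either cipher's designers. Since DES is not in the Python standard library, HMAC-SHA256 truncated to 64 bits stands in for the DES-based F-function; the keys and plaintexts are constructed inputs. The example also exhibits the classical two-round distinguisher: when two plaintexts share their right half, the left halves of the two ciphertexts XOR to the XOR of the plaintext left halves, which no secure cipher should allow.

```python
"""Feistel network over a keyed PRF: Luby-Rackoff doubling and MAGENTA-style symmetry.

Added example, not code from the book or from the DEAL/MAGENTA designers.
HMAC-SHA256 truncated to 64 bits stands in for DES as the round function
(assumption: DES is not in the Python standard library), so an n-round
network encrypts 128-bit blocks from 64-bit round keys, as DEAL does.
"""
import hashlib
import hmac

HALF = 8  # bytes per half block: 64-bit halves, 128-bit block


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key: bytes, right: bytes) -> bytes:
    """F(k, R): stand-in for DES_k(R) in DEAL."""
    return hmac.new(key, right, hashlib.sha256).digest()[:HALF]


def feistel_encrypt(round_keys: list[bytes], block: bytes) -> bytes:
    """(L, R) -> (R, L xor F(k, R)) per round, no swap after the last round."""
    left, right = block[:HALF], block[HALF:]
    for k in round_keys:
        left, right = right, xor(left, round_function(k, right))
    return left + right


def feistel_decrypt(round_keys: list[bytes], block: bytes) -> bytes:
    """Undo the rounds in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for k in reversed(round_keys):
        left, right = xor(right, round_function(k, left)), left
    return left + right


def left_halves_leak(round_keys: list[bytes], left1: bytes, left2: bytes, right: bytes) -> bool:
    """Two-round distinguisher: with a shared right half, C1_L xor C2_L == L1 xor L2.

    Always true with 2 rounds (C_L = L xor F(k1, R)); with 3 or more rounds it
    holds only with probability about 2^-64, which is what Luby-Rackoff needs.
    """
    c1 = feistel_encrypt(round_keys, left1 + right)
    c2 = feistel_encrypt(round_keys, left2 + right)
    return xor(c1[:HALF], c2[:HALF]) == xor(left1, left2)


def swap(block: bytes) -> bytes:
    return block[HALF:] + block[:HALF]


def decrypt_by_reencrypting(round_keys: list[bytes], block: bytes) -> bytes:
    """MAGENTA's observation: if the key sequence reads the same backwards,
    swap-encrypt-swap inverts the cipher, so an encryption oracle decrypts too."""
    if list(round_keys) != list(reversed(round_keys)):
        raise ValueError("needs a palindromic key schedule")
    return swap(feistel_encrypt(round_keys, swap(block)))


# Constructed inputs, not from the book.
K1 = bytes.fromhex("0123456789abcdef")
K2 = bytes.fromhex("fedcba9876543210")
K3 = bytes(8)
MAGENTA_128_SCHEDULE = [K1, K1, K2, K2, K1, K1]  # shape of MAGENTA-128's round keys
SIX_ROUND_KEYS = [K1, K2, K3, K1, K2, K3]        # not palindromic
PLAINTEXT = bytes(range(16))

if __name__ == "__main__":
    c = feistel_encrypt(MAGENTA_128_SCHEDULE, PLAINTEXT)
    print("swap/encrypt/swap decrypts:", decrypt_by_reencrypting(MAGENTA_128_SCHEDULE, c) == PLAINTEXT)
    l1, l2, r = bytes(8), bytes([0xFF]) * 8, bytes(range(8))
    for rounds in (2, 3, 4):
        print(f"{rounds} rounds leak L1 xor L2:", left_halves_leak(SIX_ROUND_KEYS[:rounds], l1, l2, r))
```

The palindromic schedule is the only thing that makes `decrypt_by_reencrypting` work; with `SIX_ROUND_KEYS` the same swap-encrypt-swap returns garbage, which is exactly the property a sound key schedule should have.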

3.20 AES (Rijndael)

Rijndael [DR02a, DR02b], the winner of the AES contest, was designed by Joan Daemen and Vincent Rijmen. As AES, Rijndael's block size is 128 bits (additional block sizes are supported by the original submission). It is an SP network with 10, 12, or 14 rounds for key sizes of 128, 192, and 256 bits respectively. The cipher is designed according to the wide trail strategy (Section 1.4 on page 34), and in particular it is directly derived from SQUARE (Section 3.11 on page 160).

The 128-bit state is represented as a $4 \times 4$ matrix of bytes
\[
\begin{pmatrix}
a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\
a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3}
\end{pmatrix} .
\]
The entries can be interpreted as machine bytes as well as elements of the Galois field $\mathbb{F}_{2^8}$. The latter is represented using a polynomial basis defined by the polynomial $x^8 + x^4 + x^3 + x + 1$.

A byte is interpreted as an element of $\mathbb{F}_{2^8}$ in the following way: the $i$-th bit of the byte is the coefficient of $x^i$.

The rounds are constructed from the following operations:

(a) AddRoundKey: mixing (XOR) of key derived material. The state is considered as a 128-bit value which is then bitwise XORed with a round key.

(b) SubBytes: run all entries through an 8-bit S-box. The Rijndael S-box is derived from the inversion operation, i.e. the input is considered as an element of $\mathbb{F}_{2^8}$ and any non-zero element is mapped to its inverse; zero is mapped to zero. (This choice has been influenced by Kaisa Nyberg's theoretical groundwork [Nyb93].) In order to avoid fixed points, the inversion is composed with an affine operation.

(c) ShiftRows: cyclically shift each row by 0, 1, 2 and 3 positions respectively. In mathematical notation
\[
\begin{pmatrix}
a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\
a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3}
\end{pmatrix}
\mapsto
\begin{pmatrix}
a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\
a_{1,1} & a_{1,2} & a_{1,3} & a_{1,0} \\
a_{2,2} & a_{2,3} & a_{2,0} & a_{2,1} \\
a_{3,3} & a_{3,0} & a_{3,1} & a_{3,2}
\end{pmatrix} .
\]

(d) MixColumns: multiply the state matrix by a fixed MDS matrix, as follows
\[
\begin{pmatrix}
a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\
a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3}
\end{pmatrix}
\]
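As an added example, not the book's or the Rijndael designers' code, the following Python implements AES-128 encryption of one block from the four operations above, with the state stored as the $4 \times 4$ byte matrix $a_{r,c}$ (byte $r + 4c$ of the block) and bytes multiplied in $\mathbb{F}_{2^8}$ modulo $x^8 + x^4 + x^3 + x + 1$. The MixColumns matrix and the key schedule are taken from FIPS-197, since the page is cut off before giving them; the expected outputs are the vectors published in FIPS-197 Appendix B and Appendix C.1.

```python
"""AES-128 single-block encryption built from the four round operations above.

Added example, not code from the book or from the Rijndael designers.
State: a[r][c] holds byte r + 4c of the block (FIPS-197 layout). The key
schedule and the MixColumns matrix are those of FIPS-197.
"""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Multiplication in F_{2^8} with the Rijndael polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
    return r


def _make_sbox() -> list[int]:
    """SubBytes table: inverse in F_{2^8} (0 -> 0), then the affine map of FIPS-197."""
    def rotl(v: int, k: int) -> int:
        return ((v << k) | (v >> (8 - k))) & 0xFF
    box = []
    for n in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(n, y) == 1), 0)
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return box


SBOX = _make_sbox()
State = list[list[int]]


def bytes_to_state(block: bytes) -> State:
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def state_to_bytes(s: State) -> bytes:
    return bytes(s[r][c] for c in range(4) for r in range(4))


def add_round_key(s: State, k: State) -> State:
    return [[s[r][c] ^ k[r][c] for c in range(4)] for r in range(4)]


def sub_bytes(s: State) -> State:
    return [[SBOX[x] for x in row] for row in s]


def shift_rows(s: State) -> State:
    """Row r is rotated left by r positions, matching the matrix in (c)."""
    return [row[r:] + row[:r] for r, row in enumerate(s)]


def mix_single_column(col: list[int]) -> list[int]:
    """Multiply one column by the circulant MDS matrix circ(2, 3, 1, 1) over F_{2^8}."""
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]


def mix_columns(s: State) -> State:
    cols = [mix_single_column([s[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def expand_key(key: bytes) -> list[State]:
    """FIPS-197 key expansion for a 16-byte key: 11 round keys as 4x4 matrices."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = words[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[x] for x in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
    return [[[words[4 * i + c][r] for c in range(4)] for r in range(4)] for i in range(11)]


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    rk = expand_key(key)
    s = add_round_key(bytes_to_state(block), rk[0])
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[rnd])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[10])  # last round has no MixColumns
    return state_to_bytes(s)


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())  # FIPS-197 C.1: 69c4e0d86a7b0430d8cdb78070b4c55a
```

The S-box table is generated rather than typed in, so the "no fixed points" property of SubBytes can be checked directly on `SBOX`; the byte-level routines are the textbook form and make no attempt at constant-time behaviour, which a production implementation would need.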
