NESSIE (New European Schemes for Signatures, Integrity and Encryption) was a European research project funded from 2000 to 2003 to identify secure cryptographic primitives. The project was comparable to the NIST AES selection process (Section 3.19 on page 177) and the Japanese Government-sponsored CRYPTREC project (Section 3.22 on page 194), but the three projects did not necessarily reach the same conclusions. The NESSIE participants include some of the foremost active cryptographers in the world, as does the CRYPTREC project.
NESSIE’s goal was to identify and evaluate quality cryptographic designs in several categories. To that end a public call for submissions was issued in March 2000. Forty-two submissions were received, and in February 2003 twelve of them were selected. In addition, five publicly known algorithms that had not been submitted to the project were chosen as “selectees.” The project publicly announced that “no weaknesses were found in the selected designs.”

Details for all submissions can be obtained from this web page. Of the forty-two submissions, seventeen were block ciphers:
• Six 64-bit block ciphers: CS-Cipher [SV98], Hierocrypt-L1 [OMSK00, Tos01], IDEA (Section 3.6 on page 144), Khazad [BR02], MISTY-1 (see Section 3.18 on page 172), and Nimbus [Mac00];
• Seven 128-bit block ciphers (none of which came from the AES process): Anubis (Subsection 3.21.3 on page 192), Camellia (Section 3.18 on page 172), Grand Cru [Bor00], Hierocrypt-3 [OMSK00, Tos02], Noekeon (Subsection 3.21.4 on page 193), Q, and SC2000 [SYY+01] (see also Section 3.22 on page 194);
• One 160-bit block cipher: SHACAL (see below); and
• Three block ciphers with a variable block length: NUSH [LV00] (64, 128, and 256 bits), RC6 (at least 128 bits, see Section 3.15 on page 168), and SAFER++ (64 and 128 bits, see Section 3.8.3 on page 152).
The NESSIE list of recommended block ciphers comprises MISTY-1, Camellia, SHACAL-2, and AES (Section 3.20 on page 182).

With the exception of SHACAL, all the recommended block ciphers are described elsewhere in this document. SHACAL is described next, together with the submissions Khazad, Anubis, and NOEKEON.
3.21.1 SHACAL
SHACAL is a family of block ciphers developed at Gemplus and introduced by Helena Handschuh and David Naccache.

SHACAL-1 is a 160-bit block cipher based on the hash function SHA-1. SHA-1 is built around a compression function that takes as input a 160-bit state and a 512-bit data block and outputs a new 160-bit state after 80 rounds. The hash function works by repeatedly calling this compression function with successive 512-bit data blocks, each time updating the state accordingly. For a fixed 512-bit data block, the 80-round transformation of the state (before the feed-forward addition of the input state) is invertible, so it is in fact a block cipher in which the 512-bit data block is the key used to encrypt the 160-bit state. SHACAL-1 is exactly this block cipher; keys shorter than 512 bits are simply padded with zeros.
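As an added illustration of this relationship (example code written for this page, not the designers’ reference implementation), the following Python builds SHACAL-1 directly out of the SHA-1 step function, with the SHA-1 message expansion of the zero-padded key acting as key schedule, and checks two things: that decryption, obtained by running the 80 steps backwards, undoes encryption, and that encrypting the SHA-1 initial value under a padded message block as key and then adding the feed-forward reproduces hashlib’s SHA-1 digest. The restriction of key lengths to whole 32-bit words between 128 and 512 bits is this example’s simplification, not part of the specification.

```python
"""SHACAL-1 built from the SHA-1 step function (added example, not the designers' code).

The 512-bit key plays the role of the SHA-1 message block, the 160-bit plaintext the
role of the chaining value, and the 80 SHA-1 steps are run without the final feed-forward.
"""
import hashlib
import struct

MASK = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def key_schedule(key: bytes):
    """SHACAL-1 key schedule == SHA-1 message expansion of the zero-padded key.

    Assumption of this example: keys are 128..512 bits in whole 32-bit words.
    """
    if not 16 <= len(key) <= 64 or len(key) % 4:
        raise ValueError("key must be 16..64 bytes in 4-byte steps")
    w = list(struct.unpack(">16I", key.ljust(64, b"\x00")))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def _f_k(t, b, c, d):
    """SHA-1 Boolean function and additive constant for step t."""
    if t < 20:
        return ((b & c) | (~b & d)) & MASK, 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6


def encrypt_block(plaintext: bytes, key: bytes) -> bytes:
    a, b, c, d, e = struct.unpack(">5I", plaintext)
    w = key_schedule(key)
    for t in range(80):
        f, k = _f_k(t, b, c, d)
        a, b, c, d, e = (rotl(a, 5) + f + e + k + w[t]) & MASK, a, rotl(b, 30), c, d
    return struct.pack(">5I", a, b, c, d, e)


def decrypt_block(ciphertext: bytes, key: bytes) -> bytes:
    """Each SHA-1 step is invertible for a fixed W[t]: undo the register shift,
    then solve the step equation for the old e."""
    a, b, c, d, e = struct.unpack(">5I", ciphertext)
    w = key_schedule(key)
    for t in reversed(range(80)):
        new_a, a, b, c, d = a, b, rotl(c, 2), d, e      # rotl by 2 undoes rotl by 30
        f, k = _f_k(t, b, c, d)
        e = (new_a - rotl(a, 5) - f - k - w[t]) & MASK
    return struct.pack(">5I", a, b, c, d, e)


def sha1_one_block(message: bytes) -> bytes:
    """SHA-1 of a message fitting one padded block: SHACAL-1 of the IV plus feed-forward."""
    if len(message) > 55:
        raise ValueError("message must fit in a single padded block")
    padded = message + b"\x80" + b"\x00" * (55 - len(message)) + struct.pack(">Q", 8 * len(message))
    ct = struct.unpack(">5I", encrypt_block(struct.pack(">5I", *SHA1_IV), padded))
    return struct.pack(">5I", *[(x + y) & MASK for x, y in zip(ct, SHA1_IV)])


def matches_hashlib(message: bytes) -> bool:
    return sha1_one_block(message) == hashlib.sha1(message).digest()


if __name__ == "__main__":
    key = bytes(range(1, 33))            # constructed 256-bit key, zero-padded to 512 bits
    pt = b"160-bit plaintext!!!"         # constructed 20-byte block
    ct = encrypt_block(pt, key)
    assert decrypt_block(ct, key) == pt
    assert matches_hashlib(b"abc")
    print(ct.hex())
```

The check against hashlib is what makes the “SHA-1 is a block cipher plus feed-forward” statement concrete: the only thing separating `sha1_one_block` from `encrypt_block` is the modular addition of the input state, which is exactly what makes the compression function one-way while leaving the underlying state transformation invertible.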
All known attacks on full-round SHACAL-1 are related-key attacks. The best single-key attack so far, by Jiqiang Lu, Jongsung Kim, Nathan Keller, and Orr Dunkelman [LKKD06], breaks 52 internal rounds in time $2^{493}$, requiring about $2^{160}$ known plaintexts.
In [Saa03], Markku-Juhani Saarinen observed that it is possible to construct slid pairs in the compression function of SHA-1 using about $2^{97}$ chosen chaining values (for two different message blocks). Saarinen used the slid pairs to mount a related-key distinguishing attack against SHACAL-1 requiring $2^{97}$ chosen plaintexts encrypted under two related keys and a time complexity of $2^{97}$ encryptions. Eli Biham, Orr Dunkelman and Nathan Keller [BDK07b] exploit the property found by Saarinen to mount a related-key key recovery attack on the full SHACAL-1 using from two to eight related keys. If $k$ related keys are used, their attack has complexity $\max\{(k-1)\cdot 2^{98.5},\ 2^{510-(k-1)\cdot 62}\}$. With the maximum of eight related keys the complexity becomes $2^{101.3}$.
SHACAL-2 has a 256-bit block size and is based on SHA-256, whose compression function has 64 rounds. It has not been broken yet. The best attack, by Jiqiang Lu and Jongsung Kim, is a related-key attack that breaks 44 of the 64 rounds [LK08].
3.21.1.1 Intellectual Property

In the NESSIE submission package, the designers of the cipher declare: “We do not intend to apply for any patent covering SHACAL and undertake to update the NESSIE project whenever necessary.”

To our knowledge, no updates have been submitted to the NESSIE project.
3.21.2 Khazad (and Shark)
Paulo S.L.M. Barreto and Vincent Rijmen designed Khazad, a 64-bit block cipher with a 128-bit key, and submitted it to the NESSIE project in 2000. The specification can be found at the NESSIE submission web page. Khazad is an SPN designed according to the wide trail strategy. Although it is not a Feistel cipher, the inverse operation of the cipher differs from the forward operation only in the key schedule. This is achieved by choosing all round transformation components to be involutions. This property makes it possible to reduce the required chip area in a hardware implementation, as well as the code and table size in software.
The cipher shares some design aspects with Rijndael, in that it is a wide trail bricklayer design. The internal state is represented as 8 bytes, each byte being an element of $\mathbb{F}_{2^8}$, and diffusion is provided by an $8 \times 8$ involutory MDS matrix over $\mathbb{F}_{2^8}$ with elements of low Hamming weight. The S-box is involutory. It is recursively constructed from two smaller $4 \times 4$-bit S-boxes, as depicted in Figure 3.27. The two $4 \times 4$ components are involutory themselves and have been generated pseudo-randomly. This S-box construction has left some legacy: the block cipher CLEFIA (Section 3.28 on page 203) also defines an 8-bit S-box recursively using two smaller $4 \times 4$-bit S-boxes, but the construction is different. The two “mini boxes” (as they are called by the authors) are defined as follows:
x:    0 1 2 3 4 5 6 7 8 9 A B C D E F
P[x]: 3 F E 0 5 4 B C D A 9 6 7 8 2 1
Q[x]: 9 E 5 6 A 2 3 C F 0 4 D 7 B 1 8
Figure 3.27: The Khazad/Anubis composite S-box (three layers of 4-bit mini boxes: P Q, then Q P, then P Q)

The diffusion layer is a linear mapping $\theta : \mathbb{F}_{2^8}^8 \to \mathbb{F}_{2^8}^8$ corresponding to the $[16, 8, 9]$ MDS code with generator matrix $G_H = [I\ \ H]$, where $H = \mathrm{had}(01_x, 03_x, 04_x, 05_x, 06_x, 08_x, 0B_x, 07_x)$ is the Hadamard matrix

$$
H = \begin{pmatrix}
01_x & 03_x & 04_x & 05_x & 06_x & 08_x & 0B_x & 07_x \\
03_x & 01_x & 05_x & 04_x & 08_x & 06_x & 07_x & 0B_x \\
04_x & 05_x & 01_x & 03_x & 0B_x & 07_x & 06_x & 08_x \\
05_x & 04_x & 03_x & 01_x & 07_x & 0B_x & 08_x & 06_x \\
06_x & 08_x & 0B_x & 07_x & 01_x & 03_x & 04_x & 05_x \\
08_x & 06_x & 07_x & 0B_x & 03_x & 01_x & 05_x & 04_x \\
0B_x & 07_x & 06_x & 08_x & 04_x & 05_x & 01_x & 03_x \\
07_x & 0B_x & 08_x & 06_x & 05_x & 04_x & 03_x & 01_x
\end{pmatrix},
$$

so that $\theta(a) = H \cdot {}^{t}a$. About the notation for the matrix entries: the hexadecimal numbers represent the field elements of $\mathbb{F}_{2^8} = \mathbb{F}_2[x]/(x^8+x^4+x^3+x^2+1)$ as bytes, where the $i$th bit is the coefficient of (the image of) $x^i$. For instance, $01_x$ represents $1$ and $03_x$ represents (the image of) $x+1$ in $\mathbb{F}_{2^8}$. A simple inspection shows that the matrix $H$ is symmetric and self-inverse, $H \cdot H = I$ (the designers call it unitary). Therefore $\theta$ is an involution.

Table 3.7: Differences between Khazad and Shark

| | SHARK | KHAZAD |
|---|---|---|
| Rounds | 6 | 8 |
| Key schedule | Affine mapping derived from the cipher itself in CFB mode | Feistel key evolution using the cipher round function itself |
| $\mathbb{F}_{2^8}$ definition polynomial | $x^8+x^7+x^6+x^5+x^4+x^2+1$ ($1F5_x$) | $x^8+x^4+x^3+x^2+1$ ($11D_x$) |
| S-box | Inversion in $\mathbb{F}_{2^8}$, followed by an affine transformation | Recursive structure |
| Origin of diffusion matrix | Reed-Solomon code | Involutional MDS code |
Shark [RDP+96] is very similar to Khazad and therefore we do not perceive the need to treat both: the main differences are summarized in Table 3.7.

Khazad (and Anubis) also left a strong legacy on the design of CLEFIA (Section 3.28 on page 203), since one of the two S-boxes of the latter cipher is recursively constructed from smaller $4 \times 4$ S-boxes, and its diffusion matrices are Hadamard matrices as well.
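To make the involution claims of this section concrete, here is an added Python example (written for this page, not the designers’ reference code) that builds the composite S-box of Figure 3.27 from the two mini boxes, constructs $H = \mathrm{had}(01_x, \ldots, 07_x)$ over $\mathbb{F}_{2^8}$ with the $11D_x$ polynomial, and checks that the S-box, the matrix and hence $\theta$ are involutions. The exchange of the inner bits between the three mini-box layers (the low two bits of the left nibble trade places with the high two bits of the right nibble) follows the Khazad/Anubis specification; it is not shown in the figure residue above, and with it the first two S-box entries come out as $BA_x$ and $54_x$.

```python
"""Involutive components of Khazad and Anubis: the recursive P/Q S-box and the
Hadamard MDS diffusion matrix over GF(2^8) (added example, not the designers' code)."""

# The two 4-bit "mini boxes" from the specification; both are involutions.
P = [0x3, 0xF, 0xE, 0x0, 0x5, 0x4, 0xB, 0xC, 0xD, 0xA, 0x9, 0x6, 0x7, 0x8, 0x2, 0x1]
Q = [0x9, 0xE, 0x5, 0x6, 0xA, 0x2, 0x3, 0xC, 0xF, 0x0, 0x4, 0xD, 0x7, 0xB, 0x1, 0x8]

POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1, the Khazad/Anubis field polynomial


def _exchange(u, v):
    """Between two mini-box layers the low two bits of the left nibble and the high two
    bits of the right nibble trade places; applied twice this is the identity."""
    return (u & 0xC) | (v >> 2), ((u & 0x3) << 2) | (v & 0x3)


def sbox(x):
    """Three layers P Q / Q P / P Q with the bit exchange in between (Figure 3.27)."""
    u, v = P[x >> 4], Q[x & 0xF]
    u, v = _exchange(u, v)
    u, v = Q[u], P[v]
    u, v = _exchange(u, v)
    u, v = P[u], Q[v]
    return (u << 4) | v


SBOX = [sbox(x) for x in range(256)]


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def hadamard(first_row):
    """had(a_0, ..., a_{n-1}): the entry in row i, column j is a_{i XOR j}."""
    n = len(first_row)
    return [[first_row[i ^ j] for j in range(n)] for i in range(n)]


H = hadamard([0x01, 0x03, 0x04, 0x05, 0x06, 0x08, 0x0B, 0x07])


def mat_mul(A, B):
    """Matrix product over GF(2^8): XOR replaces addition."""
    n = len(A)
    out = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            acc = 0
            for k in range(n):
                acc ^= gf_mul(A[i][k], B[k][j])
            out[i][j] = acc
    return out


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def theta(state: bytes) -> bytes:
    """Khazad diffusion layer theta(a) = H . a on the 8-byte state."""
    out = []
    for row in H:
        acc = 0
        for h, a in zip(row, state):
            acc ^= gf_mul(h, a)
        out.append(acc)
    return bytes(out)


def is_involution(table):
    return all(table[table[x]] == x for x in range(len(table)))


def check_involutions() -> bool:
    symmetric = all(H[i][j] == H[j][i] for i in range(8) for j in range(8))
    return is_involution(SBOX) and symmetric and mat_mul(H, H) == identity(8)


if __name__ == "__main__":
    print("S-box starts", " ".join("%02X" % s for s in SBOX[:8]))
    print("S-box and theta involutory:", check_involutions(),
          theta(theta(bytes(range(8)))) == bytes(range(8)))
```

Why $H \cdot H = I$ holds is visible from the construction rather than from inspection of 64 entries: for a Hadamard matrix the off-diagonal products $a_{i \oplus j} a_{k \oplus j}$ pair up and cancel in characteristic 2, and the diagonal is $(\sum_i a_i)^2$, which for this first row equals $01_x$. The S-box is an involution for the same structural reason: each layer and the bit exchange are involutions and the layer sequence is a palindrome.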
3.21.2.1 Cryptanalysis
Alex Biryukov has analysed involutional ciphers in [Bir03], including Khazad and Anubis. He found a variant of the slide-with-a-twist attack (cf. Subsection 2.6.3.2 on page 113) that applies to this type of design, i.e. ciphers with an involutory data encryption path, where encryption and decryption necessarily differ only in the key schedule and all rounds are equal (with the exception of a final round without the linear mixing layer). The attack can only work if some degree of symmetry can be enforced on the key schedule, which means that the keys must be specially selected, i.e. they form a specific class of weak keys (see Section 2.5 on page 107). As an application he broke five of Khazad’s eight rounds in time $2^{40}$ requiring $O(2^{32})$ memory, but only for one in $2^{64}$ keys.

Frédéric Muller [Mul03] has discovered an attack which breaks five of Khazad’s eight rounds for all keys in time $2^{91}$.
3.21.2.2 Advantages

Khazad can be implemented both in SW and HW in a very compact way. HW implementations can be both fast and small: as can be seen in Table 4.1 on page 237, even a fully unrolled, single-cycle implementation of Khazad can be much smaller than those of comparable ciphers.

3.21.2.3 Disadvantages

None in particular.

3.21.2.4 Intellectual Property
In the NESSIE submission package, the designers of the cipher declare: “to the best of our knowledge the practice of the Khazad algorithm, as well as the reference implementations we have submitted, are not covered by any patents or patent applications worldwide.”
3.21.3 Anubis
Anubis (the specification can be found at the NESSIE submission web page) is a block cipher designed by Vincent Rijmen and Paulo S.L.M. Barreto that operates on data blocks of 128 bits and uses keys of 128 to 320 bits in steps of 32 bits. It is another member of the SQUARE/Rijndael/Khazad family, and the main differences with respect to Rijndael are summarized in Table 3.8.

The S-box is the same recursively defined S-box used in Khazad. The diffusion matrix is also a Hadamard matrix.

To date no attack has broken the cipher. It was not admitted to round two of the NESSIE selection process only because it was deemed too similar to Rijndael.
Table 3.8: Differences between Anubis and Rijndael

| | Rijndael | Anubis |
|---|---|---|
| Key size (bits) | 128, 192, or 256 | 128, 160, 192, 224, 256, 288, or 320 |
| Block size (bits) | 128, 192, or 256 | always 128 |
| Number of rounds | 10, 12, or 14 | 12, 13, 14, 15, 16, 17, or 18 |
| Key schedule | dedicated a priori algorithm | key evolution based on a variant of the round function, and extraction using a linear projection |
| $\mathbb{F}_{2^8}$ definition polynomial | $x^8+x^4+x^3+x+1$ ($11B_x$) | $x^8+x^4+x^3+x^2+1$ ($11D_x$) |
| S-box | Inversion in $\mathbb{F}_{2^8}$, plus affine transformation | Recursive structure |
| Origin of the round constants | polynomials $x^i$ over $\mathbb{F}_{2^8}$ | successive entries of the S-box |
3.21.3.1 Intellectual Property

In the NESSIE submission package, the designers of the cipher declare: “to the best of our knowledge the practice of the Anubis algorithm, as well as the reference implementations we have submitted, are not covered by any patents or patent applications worldwide.”
3.21.4 NOEKEON
NOEKEON was designed and submitted to NESSIE by Joan Daemen, Michaël Peeters, Gilles Van Assche, and Vincent Rijmen. This SPN cipher has 128-bit key and block sizes, with 16 rounds.

The cipher is extremely compact in both SW and HW. It is designed to be implemented using only bit-wise Boolean operations and (cyclic) shift operations, similarly to 3-WAY and BASEKING, which are described in Joan Daemen’s PhD thesis [Dae95], and to the AES proposal Serpent (Section 3.17 on page 170). Because of this, efficient DPA-resistant software implementations are possible. Also, since the non-linear layer operates in parallel on 32 four-bit columns (nibbles), bit-slicing implementations in SW and highly parallel HW architectures are possible.

Decryption can be performed by the same circuit/program as encryption.
The round function is composed of the following steps:
1. Θ: a linear mixing of the state, the XOR of the working key, and a further linear mixing (a round constant is added to the first state word just before Θ);
2. the non-linear function Γ, sandwiched between two bit permutations Π1 and Π2 that are each other’s inverses.

Γ can be expressed as a 4-bit S-box or as a compact straight-line program; in fact all non-linearity is provided by the binary AND operator. The Γ layer can be implemented using bit-slicing, allowing for very efficient implementations.

One peculiarity of NOEKEON is that the cipher can work in two different modes, which can effectively be considered two different ciphers: “direct-key mode” NOEKEON is to be used for maximum efficiency where related-key attacks are not possible, and “indirect-key mode” NOEKEON where protocols are employed that can make related-key attacks possible. In both modes the same working key is used in every round; the difference is how it is derived from the secret key. Direct-key mode uses the unchanged secret key as the working key, whereas indirect-key mode runs a key schedule based on the encryption cipher itself, namely encrypting the secret key under the all-zero key.
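The round program and the two key modes described above, as an added Python example (written for this page; not the designers’ reference code) with the constants of the NOEKEON specification: Γ is written bit-sliced on the four 32-bit state words so that all 32 columns are processed at once, decryption reuses the encryption program with the round constants entering on the other side of Θ and the working key replaced by Θ applied to it under the null key, and indirect-key mode derives the working key by encrypting the cipher key under the all-zero key. No published test vector is hard-coded; the example checks self-consistency (round trips and the involution properties of Γ and Θ) instead.

```python
"""NOEKEON (direct- and indirect-key mode) with a bit-sliced Gamma and decryption
run through the encryption program (added example, not the designers' reference code)."""
import struct

MASK = 0xFFFFFFFF


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x, n):
    return rotl(x, 32 - n)


def _round_constants():
    """RC[0] = 80_x; RC[i+1] = RC[i] * x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    rc, out = 0x80, []
    for _ in range(17):
        out.append(rc)
        rc = ((rc << 1) ^ (0x11B if rc & 0x80 else 0)) & 0xFF
    return out


RC = _round_constants()


def theta(k, a):
    """Linear layer; the working key is XORed into the state between its two halves.
    theta(k, .) is inverted by theta(theta(0, k), .)."""
    a0, a1, a2, a3 = a
    t = a0 ^ a2
    t ^= rotl(t, 8) ^ rotr(t, 8)
    a1, a3 = a1 ^ t, a3 ^ t
    a0, a1, a2, a3 = a0 ^ k[0], a1 ^ k[1], a2 ^ k[2], a3 ^ k[3]
    t = a1 ^ a3
    t ^= rotl(t, 8) ^ rotr(t, 8)
    return [a0 ^ t, a1, a2 ^ t, a3]


def pi1(a):
    return [a[0], rotl(a[1], 1), rotl(a[2], 5), rotl(a[3], 2)]


def pi2(a):
    return [a[0], rotr(a[1], 1), rotr(a[2], 5), rotr(a[3], 2)]


def gamma(a):
    """Bit-sliced non-linear layer: one 4-bit involution applied to all 32 columns
    at once; AND is the only non-linear operation."""
    a0, a1, a2, a3 = a
    a1 ^= ~a3 & ~a2 & MASK
    a0 ^= a2 & a1
    a0, a3 = a3, a0
    a2 ^= a0 ^ a1 ^ a3
    a1 ^= ~a3 & ~a2 & MASK
    a0 ^= a2 & a1
    return [a0, a1, a2, a3]


def _round(k, a, c1, c2):
    a = theta(k, [a[0] ^ c1, a[1], a[2], a[3]])
    a[0] ^= c2
    return pi2(gamma(pi1(a)))


def _core(k, a, encrypting):
    """The single round program; the direction only selects where the constants enter."""
    for i in range(16):
        a = _round(k, a, RC[i], 0) if encrypting else _round(k, a, 0, RC[16 - i])
    if encrypting:
        return theta(k, [a[0] ^ RC[16], a[1], a[2], a[3]])
    a = theta(k, a)
    return [a[0] ^ RC[0], a[1], a[2], a[3]]


def _words(b):
    return list(struct.unpack(">4I", b))


def _bytes(w):
    return struct.pack(">4I", *w)


def encrypt_direct(key: bytes, block: bytes) -> bytes:
    return _bytes(_core(_words(key), _words(block), True))


def decrypt_direct(key: bytes, block: bytes) -> bytes:
    return _bytes(_core(theta([0, 0, 0, 0], _words(key)), _words(block), False))


def working_key(key: bytes) -> bytes:
    """Indirect-key mode: the working key is the cipher key encrypted under the null key."""
    return encrypt_direct(bytes(16), key)


def encrypt_indirect(key: bytes, block: bytes) -> bytes:
    return encrypt_direct(working_key(key), block)


def decrypt_indirect(key: bytes, block: bytes) -> bytes:
    return decrypt_direct(working_key(key), block)


if __name__ == "__main__":
    key, pt = bytes(range(16)), bytes(range(16, 32))   # constructed inputs
    for enc, dec in ((encrypt_direct, decrypt_direct), (encrypt_indirect, decrypt_indirect)):
        ct = enc(key, pt)
        assert dec(key, ct) == pt
        print(enc.__name__, ct.hex())
```

The decryption trick rests on two facts visible in the code: the two linear halves of Θ commute and are each self-inverse, so Θ with key $k$ is undone by Θ with key $\Theta(0, k)$; and Γ is a palindrome of involutions, so it is its own inverse while Π1 and Π2 undo each other. Only the working key and the placement of the round constants change between the two directions.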
During the NESSIE selection process, Lars R. Knudsen and Håvard Raddum [KR01b] raised doubts about NOEKEON’s resistance to related-key attacks even when the key schedule is used. As a result the cipher was not selected. Despite this, no concrete attack has been published, and the best cryptanalysis so far seems to be [ZRHD08], which breaks five rounds of NOEKEON with a variant of integral attacks.

The complete specification of the cipher can be downloaded from the cipher’s web site [DPAR].
3.21.4.1 Intellectual Property

In the NESSIE submission package, the designers of the cipher declare: “to the best of our knowledge the practice of the Noekeon algorithm, as well as the reference implementations we have submitted, are not covered by any patents or patent applications worldwide.”