
Evaluation of symmetric-key cryptographic techniques

3. High-end environment

3.2.1.3 Security margin and speed

With the same cipher, increasing the number of rounds qualitatively enhances security and reduces encryption speed. A theoretical break means that a cipher can be attacked with a computational complexity smaller than that of exhaustive key search and with fewer plaintexts than the total number of plaintexts. For each cipher, the ratio between the number of rounds that can be theoretically broken and the actual number of rounds is given as the security margin, and the speed measured in the evaluation is expressed as a speed relative to Triple DES. These are summarized in Table 3.12. Note that the speed indicated is the average of the fastest speeds for encryption and decryption.

Table 3.12 Security margin and processing speed ratio for 64-bit block ciphers [Pentium III]

| Cipher | Security margin = number of rounds / number of rounds that can be broken | Processing speed ratio (data randomization part) | Processing speed ratio (including key schedule part) |
|---|---|---|---|
| UNI-E | 16 / -* | 0.60 | 0.82 |
| HC-L1 | 6 / 3.5 | 4.25 | 3.97 |
| MISTY1 | 8 / 5 | 4.07 | 5.57 |
| Triple DES | 48 / 48 | 1.00 | 1.00 |

* For CIPHERUNICORN-E, the number of rounds that can be theoretically broken is not yet known.

3.2.2 128-bit block ciphers

The seven evaluated ciphers are AES (Rijndael), Camellia, CIPHERUNICORN-A, Hierocrypt-3, RC6 BlockCipher*1, and SC2000. The six ciphers from Camellia to SC2000 were submitted for evaluation, and AES was added as a cipher considered to be evaluated in 2001. An overview of the evaluation is given below.

Characteristics

The organization that proposed the technique, the year it was announced, its structural characteristics, and the characteristics such as the operations used in the data randomization part were listed. For those techniques that use variable parameters such as number of rounds, the values recommended by the proposing organizations were listed.

Security

Security is discussed from the following three viewpoints: resistance to differential/linear cryptanalysis, resistance to algebraic and other attacks, and avalanche effect characteristics.

• In resistance to differential/linear cryptanalysis, the maximum differential/linear probability or the maximum differential/linear characteristic probability is indicated as the index of strength against differential/linear cryptanalysis.

*1 With a note dated October 16, 2002 from RSA Security Japan Ltd., the CRYPTREC secretariat received information


• In resistance to algebraic and other attacks, resistance to algebraic methods such as higher order differential attack, interpolation attack, and SQUARE attack, as well as resistance to other attacks such as related-key attack and mod n attacks, is described. The evaluation of higher order differential attack and interpolation attack is a method of searching for basic weaknesses of a cipher from the algebraic point of view. If the number of rounds is large, an attack based on this method rarely causes problems. However, the weaknesses revealed by those attacks may affect the ultimate cipher strength if other attacks can be combined with them.

• Avalanche effect evaluation statistically captures how data is shuffled in each cipher, and although it does not directly lead to cryptanalysis in most instances, it provides a clue to search for weaknesses of the partial function of a cipher.

Software implementation evaluation

These evaluations, excluding the smart card environment, were conducted in 2000. A cipher must be evaluated not only from the security aspect but also from the implementation aspect, assuming actual usage conditions. Although the requirements for implementation of ciphers in e-Government have not yet been made clear, our software implementation evaluation was performed assuming the following three environments: a PC environment (mandatory) that was considered to be popular at the time of evaluation, a server environment (optional) that is currently most widely used, and a high-end environment (optional) that has achieved high performance. Measurements were taken in two parts: data randomization and key schedule + data randomization. For the smart card environment, we measured the processing time of the key schedule part + data randomization part of some algorithms.

Hardware implementation evaluation

During the hardware implementation evaluation performed in 2002, each algorithm was actually implemented on an FPGA as an operation check, to confirm "whether the third-parties can perform proper implementations with reference only to the application documents (algorithm specifications and test vector)."

The main purpose of this implementation is a system operation check. It therefore uses a straightforward architecture, with no special circuit scale reduction or operation speed improvement that takes the characteristics of each algorithm into account. This is not necessarily an optimal implementation, and an impartial comparative evaluation of the circuit implementation efficiency of each algorithm cannot be conducted. Therefore, neither the relative comparison with Triple DES nor the numerical values of circuit scale and operation speed are disclosed. However, 33 MHz operation was confirmed for each cipher algorithm under the above FPGA development environment. For an outline of the FPGA implementation environment, see "3.1.3 hardware implementation evaluation".

3.2 Overview of evaluation results

Overall evaluation

Table 3.13 shows the overall evaluation results of security and implementation.

Table 3.13 Evaluation results of 128-bit block ciphers (1/2)

AES (Rijndael)

Characteristics

· NIST (2000)

· SPN structure, 10 rounds (128-bit key), 12 rounds (192-bit key), 14 rounds (256-bit key). One type of 8×8 S-box, designed based on inverse number operations on GF(2^8) and has resistance against differential/linear attacks. A diffusion layer P has a structure of byte-by-byte permutation (ShiftRow) and diffusion in 4 bytes (MixColumn) by byte processing.

· Table lookup, EXOR, and AND are used.

· Next generation of Square ciphers. The active S-box theory is used to evaluate the P-layer design. The design of the P-layer was evaluated based on the concept of the number of active S-boxes.

Overall evaluation

No security problem has so far been found. Belongs to a group with fast processing speed.

Camellia

Characteristics

· NTT, Mitsubishi (2000)

· Feistel structure, 18 rounds (128-bit key), 24 rounds (192/256-bit key), FL/FL^-1-function is inserted for every sixth round. Expanded keys XOR as the initial and final processing. The round function has 8 S-boxes and a P-layer of byte-unit operations. One type of 8×8 S-box, designed based on power multiplication operations on GF(2^8) and has resistance against differential/linear cryptanalysis.

· Table look up, XOR, AND, OR, and cyclic shift operation are used.

· The design of the P-layer was evaluated based on the concept of the number of active S-boxes.

Overall evaluation

No security problem has so far been found. Belongs to a group with fast processing speed.

CIPHERUNICORN-A

Characteristics

· NEC (2000)

· Feistel structure, 16 rounds. The round function F is complex. Consists of a main stream and a temporary key-generation part to be expected to enhance security. The round function uses S-box as the basic component and consists of T- and A-functions. Four types of 8×8 S-boxes, based on power multiplication operations on GF(2^8) and has resistance against differential/linear cryptanalysis.

· Table look up, addition, multiplication, XOR, AND, and cyclic shift operation are used.

· Designed with a round function structure to make significant correlation invisible from the cipher-evaluation system.

Overall evaluation

No security problem has so far been found. Belongs to a group with slow processing speed.


Table 3.13 Evaluation results of 128-bit block ciphers (2/2)

Hierocrypt-3

Characteristics

· Toshiba (2000)

· Recursive SPN structure, six rounds (128-bit key), seven rounds (192-bit key), and eight rounds (256-bit key). Each round consists of two parallel XS-functions and a P-layer. XS-function has a structure in which a P-layer is sandwiched between four parallel S-boxes of two layers. One type of 8×8 S-box based on power multiplication operations on GF(2^8) and has resistance against differential/linear cryptanalysis.

· Table look up, XOR, and AND are used.

· Has a structure similar to that of Hierocrypt-L1. The design of the P-layer was evaluated based on the concept of the number of active S-boxes.

Overall evaluation

No security problem has so far been found. Belongs to a group with fast processing speed.

RC6

Characteristics

· RSA Security (1998)

· Modified Feistel structure consisting of four 32-bit blocks, 20 rounds. The round function F has a simple structure with 32-bit input and (32+5)-bit output. Two blocks are affected by XOR and data-dependent cyclic shift operation.

· F-function consists of multiplication, addition, and cyclic shift operation.

· All operations are done in 32-bit words, i.e., the structure assumes a 32-bit CPU.

· Variable parameter structure that allows the selection of word length, number of rounds, and key length. Inherits the design concept of RC5.

Overall evaluation

No security problem has so far been found. Although RC6 provides the fastest encryption speed on Pentium III, software-processing speed greatly depends on the platform. With a note dated October 16, 2002 from RSA Security Japan Ltd., the CRYPTREC secretariat received information indicating that it would no longer perform RC6 promotion activities hereafter due to intellectual property right issues.

SC2000

Characteristics

· Fujitsu (2000)

· Combination of Feistel structure and SPN structure. Number of rounds in the data randomization part is 19 rounds (128-bit key) and 22 rounds (192/256-bit key). Uses 4x4 S-box in the SPN structure, and 5x5 and 6x6 S-boxes in the Feistel structure. S-boxes are based on power multiplication operations on an extension field and has resistance against differential/linear cryptanalysis.

· Table look up, XOR, and AND are used.

· Bitslice method, which is a high-speed implementation method, can be applied to the SPN structure. The design of the P-layer was evaluated based on the concept of the number of active S-boxes.

Overall evaluation

No security problem has so far been found. Belongs to a group with fast processing speed.


3.2.2.1 General review of security evaluation results
