Symmetric Ciphers

Key scheduling

If the subkeys are not in fact random and independent (to a close-enough approximation), the cipher may become vulnerable to related-key attacks, and therefore particular care is needed from the application designer in choosing how to generate subkeys.

Subkeys are encoded in the order in which they are used for encryption (or if this is ambiguous, the order in which they are presented or numbered in the original document specifying the cipher). Where applicable, they have the same byte order as is used in the rest of the cipher. However, in some cases these conventions may still not be sufficient to decide how to encode the subkeys; if you wish to use a "-Direct" algorithm where the subkey encoding is not clear, ask for a comment to be added to the algorithm definition.

3-Way Block Cipher

Designer: Joan Daemen
Published: 1994
Alias: "ThreeWay" (use for identifiers)
References:
[Def, An] Joan Daemen, "Cipher and Hash Function Design, Strategies based on linear and differential cryptanalysis," Ph.D. Thesis, Katholieke Universiteit Leuven, March 1995. http://www.esat.kuleuven.ac.be/~cosicart/ps/JD-9500/ (in particular see chapter 7, "block cipher design").
[Def, An] J. Daemen, R. Govaerts, J. Vandewalle, "A New Approach to Block Cipher Design," Fast Software Encryption, Cambridge Security Workshop Proceedings, Volume 809 of Lecture Notes in Computer Science (Ross Anderson, ed.), pp. 18-32. Springer-Verlag, 1994.
[Inf] Bruce Schneier, "Section 14.5 3-Way," Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[An] John Kelsey, Bruce Schneier, David Wagner, "Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES". http://www.counterpane.com/key_schedule.html
[An] John Kelsey, Bruce Schneier, David Wagner, "Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA", ICICS '97 Proceedings, Springer-Verlag, November 1997. http://www.counterpane.com/related-key_cryptanalysis.html
[Test] Wei Dai, Crypto++ 3.0, file 3wayval.dat. http://www.eskimo.com/~weidai/cryptlib.html
Key length: 96 bits.
Block size: 12 bytes.
Comment: The byte ordering convention is as follows: within each 12-byte block, the 32-bit words are represented in the same order as they are written in chapter 7 of Joan Daemen's thesis. Within each 32-bit word, the bytes are in big-endian order. This is consistent with the four test vectors in Crypto++ (note that the same four test vectors are included on page 659 of Applied Cryptography, 2nd edition, with the words written in the opposite order). For reference, the fourth test vector in this set is:
key = <D2F05B5ED6144138CAB920CD>
plaintext = <4059C76E83AE9DC4AD21ECF7>
ciphertext = <478EA8716B13F17C15B155ED>
Security comment: 3-Way is vulnerable to related-key attacks, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

AES128 Block Cipher

Designers: Joan Daemen, Vincent Rijmen
Alias: "OpenPGP.Cipher.7"
Object Identifiers:
2.16.840.1.101.3.4.1.1 for AES128/ECB/NoPadding
2.16.840.1.101.3.4.1.2 for AES128/CBC/PKCSPadding
2.16.840.1.101.3.4.1.3 for AES128/CFB
2.16.840.1.101.3.4.1.4 for AES128/OFB
Description: AES128 is defined as Rijndael with a 128-bit block size and 10 rounds.
References: [see references for Rijndael]
[Inf] NIST, AES Home Page, http://www.nist.gov/aes/
[Inf] AES Round 1 Information, http://csrc.nist.gov/encryption/aes/round1/round1.htm
[Inf] AES Round 2 Information, http://csrc.nist.gov/encryption/aes/round2/round2.htm
[Inf] The CAESAR - Candidate AES for Analysis and Reviews project, http://www.dice.ucl.ac.be/crypto/CAESAR/caesar.html
[Inf] Lars Knudsen, Vincent Rijmen, The Block Cipher Lounge - AES, http://www.ii.uib.no/~larsr/aes.html
[Inf] John Savard, Towards the 128-bit Era - AES Candidates, http://fn2.freenet.edmonton.ab.ca/~jsavard/crypto/co0408.htm
[An] Eli Biham, "A Note on Comparing the AES Candidates," Presented at the 2nd AES Conference. http://csrc.nist.gov/encryption/aes/round1/conf2/papers/biham2.pdf
[An] Olivier Baudron, Henri Gilbert, Louis Granboulan, Helena Handschuh, Antoine Joux, Phong Nguyen, Fabrice Noilhan, David Pointcheval, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay, "Report on the AES Candidates," Presented at the 2nd AES Conference. http://csrc.nist.gov/encryption/aes/round1/conf2/papers/baudron1.pdf
[An] G. Carter, E. Dawson, L. Nielsen, "Key Schedule Classification of the AES Candidates," Presented at the 2nd AES Conference. http://csrc.nist.gov/encryption/aes/round1/conf2/papers/carter.pdf
[An] B. Preneel, A. Bosselaers, V. Rijmen, B. Van Rompay, L. Granboulan, J. Stern, S. Murphy, M. Dichtl, P. Serf, E. Biham, O. Dunkelman, V. Furman, F. Koeune, G. Piret, J-J. Quisquater, L. Knudsen, H. Raddum, "Comments by the NESSIE Project on the AES Finalists," Submitted to NIST as an AES comment, May 2000. http://csrc.nist.gov/encryption/aes/round2/comments/20000524-bpreneel.pdf
[An] Thomas S. Messerges, "Securing the AES Finalists Against Power Analysis Attacks," Presented at Fast Software Encryption 2000, New York.
Key length: 128 bits.
Block size: 16 bytes.

AES192 Block Cipher

Designers: Joan Daemen, Vincent Rijmen
Alias: "OpenPGP.Cipher.8"
Object Identifiers:
2.16.840.1.101.3.4.1.21 for AES192/ECB/NoPadding
2.16.840.1.101.3.4.1.22 for AES192/CBC/PKCSPadding
2.16.840.1.101.3.4.1.23 for AES192/CFB
2.16.840.1.101.3.4.1.24 for AES192/OFB
Description: AES192 is defined as Rijndael with a 128-bit block size and 12 rounds.
References: [see references for AES128 and Rijndael]
Key length: 192 bits.
Block size: 16 bytes.

AES256 Block Cipher

Designers: Joan Daemen, Vincent Rijmen
Alias: "OpenPGP.Cipher.9"
Object Identifiers:
2.16.840.1.101.3.4.1.41 for AES256/ECB/NoPadding
2.16.840.1.101.3.4.1.42 for AES256/CBC/PKCSPadding
2.16.840.1.101.3.4.1.43 for AES256/CFB
2.16.840.1.101.3.4.1.44 for AES256/OFB
Description: AES256 is defined as Rijndael with a 128-bit block size and 14 rounds.
References: [see references for AES128 and Rijndael]
Key length: 256 bits.
Block size: 16 bytes.

Anubis Block Cipher

Designers: Paulo Barreto, Vincent Rijmen
Published: November 2000
References:
[Def, An] Paulo Barreto, Vincent Rijmen, The Anubis Block Cipher, Presented at the First Open NESSIE Workshop, November 2000. https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/anubis.zip
[Inf, Test] Paulo Barreto, Vincent Rijmen, The Anubis Page, http://www.esat.kuleuven.ac.be/~rijmen/anubis/
[Test] Paulo Barreto, Vincent Rijmen, Anubis Test Values, https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/anubis.zip
Key length: Minimum 128, maximum 320, multiple of 32 bits; default 128 bits.
Block size: 16 bytes.

Blowfish Block Cipher

Designer: Bruce Schneier
Published: 1994
Alias: "OpenPGP.Cipher.4"
References:
[Def] Bruce Schneier, "Description of a New Variable-Length Key, 64-Bit Cipher (Blowfish)," Fast Software Encryption, Cambridge Security Workshop Proceedings, pp. 191-204. Springer-Verlag, 1994. http://www.counterpane.com/bfsverlag.html
[Inf, Impl] Bruce Schneier, The Blowfish Encryption Algorithm page, http://www.counterpane.com/blowfish.html
[Inf] Bruce Schneier, "Blowfish -- One Year Later," Dr. Dobb's Journal, September 1995. http://www.counterpane.com/bfdobsoyl.html
[Inf] Bruce Schneier, "Section 14.3 Blowfish," Applied Cryptography, Second Edition, John Wiley & Sons, 1996. (Note: the C source in the appendix contains a bug; this bug is not present in Eric Young's C reference implementation.)
[An] Serge Vaudenay, "On the weak keys of Blowfish," Fast Software Encryption, Third International Workshop, Volume 1008 of Lecture Notes in Computer Science (B. Preneel, ed.), pp. 286-297. Springer-Verlag, 1995.
[Test] Eric Young, Blowfish test vectors, http://www.counterpane.com/vectors.txt (also in C syntax)
Key length: Minimum 32, maximum 448, multiple of 8 bits; default 128 bits.
Block size: 8 bytes.
Security comment: The weak keys described in Vaudenay's paper do not appear to be significant for full (16-round) Blowfish.
Variant: "Blowfish-Direct" or "Blowfish-ISK" - the subkeys are specified (using the notation of Applied Cryptography) as P1..P18 first, followed by S1,0..255, S2,0..255, S3,0..255, and S4,0..255. Each entry is represented as 4 bytes in big-endian order. Weak keys may be avoided by ensuring that no S-box has duplicate entries (i.e. that there do not exist i, j, k with j != k such that Si,j = Si,k).
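The Blowfish-Direct subkey layout and the weak-key check from the Variant paragraph above, as an added Python example that is not part of the original page or of any Blowfish implementation; the function and constant names are this example's own, and the sample subkeys used to exercise it are constructed, not a real key schedule.

```python
"""Parse and validate a "Blowfish-Direct" subkey encoding (added example).

Layout as specified on the page: P1..P18, then S1[0..255], S2[0..255],
S3[0..255], S4[0..255], every entry 4 bytes big-endian (4168 bytes total).
The weak-key condition is a repeated entry inside any single S-box.
"""
import secrets
import struct

P_ENTRIES = 18
S_BOXES = 4
S_ENTRIES = 256
SUBKEY_BYTES = 4 * (P_ENTRIES + S_BOXES * S_ENTRIES)  # 4168


def parse_blowfish_direct(blob: bytes):
    """Split a Blowfish-Direct blob into (P, S): P is a list of 18 ints,
    S a list of four 256-entry lists. Raises ValueError on a bad length."""
    if len(blob) != SUBKEY_BYTES:
        raise ValueError(f"expected {SUBKEY_BYTES} bytes, got {len(blob)}")
    words = struct.unpack(f">{len(blob) // 4}I", blob)  # big-endian 32-bit words
    p = list(words[:P_ENTRIES])
    s = [
        list(words[P_ENTRIES + i * S_ENTRIES : P_ENTRIES + (i + 1) * S_ENTRIES])
        for i in range(S_BOXES)
    ]
    return p, s


def encode_blowfish_direct(p, s) -> bytes:
    """Inverse of parse_blowfish_direct: P-array first, then S1..S4."""
    flat = list(p)
    for box in s:
        flat.extend(box)
    return struct.pack(f">{len(flat)}I", *flat)


def duplicate_sbox_entries(s):
    """Return every (i, j, k) with j < k and S[i][j] == S[i][k], i.e. the
    weak-key condition. An empty list means the subkeys pass the check.
    The P-array is unconstrained, so it is not examined."""
    dups = []
    for i, box in enumerate(s):
        first_seen = {}
        for j, value in enumerate(box):
            if value in first_seen:
                dups.append((i, first_seen[value], j))
            else:
                first_seen[value] = j
    return dups


def is_weak_direct_key(blob: bytes) -> bool:
    """True if the encoded subkeys contain a duplicated S-box entry."""
    _, s = parse_blowfish_direct(blob)
    return bool(duplicate_sbox_entries(s))


def random_direct_key() -> bytes:
    """Draw subkeys from a CSPRNG, resampling until no S-box repeats an entry
    (a collision among 256 random 32-bit words is rare, so this loops ~once)."""
    while True:
        blob = secrets.token_bytes(SUBKEY_BYTES)
        if not is_weak_direct_key(blob):
            return blob
```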

BMGL Stream Cipher

Designers: Johan Håstad, Mats Näslund
Published: October 2000
Description: BMGL is an alias for "Rijndael-256/KFB(40)"; that is, Rijndael with a 256-bit block size, used in KFB mode, with 40 bits of keystream taken for each application of Rijndael. See the description of KFB mode for further detail.
References:
[Def, An] Johan Håstad, Mats Näslund, BMGL: Synchronous Key-stream Generator with Provable Security, https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/bmgl.zip
[Test] Johan Håstad, Mats Näslund, BMGL Test Values, https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/bmgl.zip
Key length: Minimum 128, maximum 320, multiple of 32 bits; default 128 bits.
Security comment: The security bounds proven for BMGL in Corollary 13 of Håstad and Näslund's paper hold provided that less than 2^30 bits (128 MBytes) of output are used. The "provable security" referred to in the paper is in the sense of a proven reduction from predicting the keystream generator to breaking Rijndael-256 as a one-way function.

CAST-128 Block Cipher

Designers: Carlisle Adams, Stafford Tavares
Published: 1997
Aliases: "CAST5", "OpenPGP.Cipher.3"
References:
[Def, Test] Carlisle Adams, "The CAST-128 Encryption Algorithm," RFC 2144, May 1997.
[Inf, An] CAST Encryption Algorithm Related Publications, http://adonis.ee.queensu.ca:8000/cast/
[Inf] Carlisle Adams, "Constructing Symmetric Ciphers Using the CAST Design Procedure," Selected Areas in Cryptography (E. Kranakis and P. van Oorschot, ed.), pp. 71-104. Kluwer Academic Publishers, 1997, and Designs, Codes, and Cryptography, Vol. 12, No. 3, pp. 283-316, 1997. http://www.entrust.com/resourcecenter/pdf/cast.pdf Also "CAST Design Procedure Addendum," http://www.entrust.com/downloads/castadd.pdf
[Patent] Carlisle Adams, "Symmetric cryptographic system for data encryption," U.S. Patent 5,511,123, filed August 4 1994, issued April 23 1996. Also see: Canadian Patent Application 2,134,410; Japanese Patent Application 6-295746; U.S. Patent Application 08/761,763; Canadian Patent Application 2,164,768; PCT Patent Application CA96/00782; U.S. Patent Application 08/895,875.
Key length: Minimum 40, maximum 128, multiple of 8 bits; default 128 bits.
Block size: 8 bytes.
Comment: Strictly speaking the alias "CAST5" only applies to CAST-128 with a key size of 80 or 128 bits. Implementations MAY enforce this.
Patent status: The design procedure that was used to obtain the CAST S-boxes is patented by Entrust Technologies, Inc. However, quoting from RFC 2144, "The CAST-128 cipher described in this document is available worldwide on a royalty-free basis for commercial and non-commercial uses."

CAST-256 Block Cipher

Designers: Carlisle Adams, Howard Heys, Stafford Tavares, Michael Wiener
Published: June 1998
Alias: "CAST6"
References:
[Def, An] Carlisle Adams, The CAST-256 Encryption Algorithm, http://www.entrust.com/resources/pdf/cast-256.pdf
[Def, Test] Carlisle Adams, Jeff Gilchrist, "The CAST-256 Encryption Algorithm," RFC 2612, June 1999.
[Inf] Carlisle Adams, "Constructing Symmetric Ciphers Using the CAST Design Procedure," Selected Areas in Cryptography (E. Kranakis and P. van Oorschot, ed.), pp. 71-104. Kluwer Academic Publishers, 1997, and Designs, Codes, and Cryptography, Vol. 12, No. 3, pp. 283-316, 1997. http://www.entrust.com/resources/pdf/cast.pdf Also "CAST Design Procedure Addendum," http://www.entrust.com/resources/pdf/castadd.pdf (This does not describe CAST-256, but is relevant to its design.)
[An] C. Adams, H. Heys, S. Tavares, M. Wiener, "An Analysis of the CAST-256 Cipher," Proceedings of IEEE Canadian Conference on Electrical and Computer Engineering, 1999. http://www.engr.mun.ca/~howard/PAPERS/cast256.ps
[Patent] Carlisle Adams, "Symmetric cryptographic system for data encryption," U.S. Patent 5,511,123, filed August 4 1994, issued April 23 1996. Also see: Canadian Patent Application 2,134,410; Japanese Patent Application 6-295746; U.S. Patent Application 08/761,763; Canadian Patent Application 2,164,768; PCT Patent Application CA96/00782; U.S. Patent Application 08/895,875.
[Test] NIST, CAST-256 Test Values, http://www-08.nist.gov/encryption/aes/round1/testvals/cast-256-vals.zip
Key length: Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.
Block size: 16 bytes.
Patent status: The design procedure that was used to obtain the CAST S-boxes is patented by Entrust Technologies, Inc. However, quoting from RFC 2612, "The CAST-256 cipher described in this document is available worldwide on a royalty-free and licence-free basis for commercial and non-commercial uses."

CRYPTON-0.5 Block Cipher

Designer: Chae Hoon Lim
Published: 1998
Alias: "CRYPTONv05" (use for identifiers)
Description: This is the version of CRYPTON originally submitted to NIST as an AES candidate.
References:
[Def, An] Chae Hoon Lim, Hyo Sun Hwang, CRYPTON: A New 128-bit Block Cipher - Specification and Analysis (Version 0.5), http://crypt.future.co.kr/~chlim/pub/cryptonv05.ps (PDF version).
[Inf, Test] The CRYPTON: A new 128-bit block cipher page. http://crypt.future.co.kr/~chlim/crypton.html
[An] D'Halluin, Bijnens, Rijmen, Preneel, "Attack on six rounds of CRYPTON," Presented at Fast Software Encryption '99, Rome.
[Test] NIST, CRYPTON v0.5 Test Values, http://www-08.nist.gov/encryption/aes/round1/testvals/crypton-vals.zip
Comment: "CRYPTON: A New 128-bit Block Cipher - Specification and Analysis" contains an error in the description of the byte permutation phi: on the right hand side of figure 4, b33 should be b03.
Key length: Minimum 64, maximum 256, multiple of 32 bits; default 128 bits.
Block size: 16 bytes.
Security comments: [[need reference to key schedule attacks]]
CRYPTON-0.5 has been superseded by CRYPTON-1.0.

CRYPTON-1.0 Block Cipher

Designer: Chae Hoon Lim
Published: December 1998
Alias: "CRYPTONv10" (use for identifiers)
Description: This is version 1.0 of CRYPTON (the current version, at time of writing).
References:
[Def, An] Chae Hoon Lim, Hyo Sun Hwang, CRYPTON: A New 128-bit Block Cipher - Specification and Analysis (Version 1.0), http://crypt.future.co.kr/~chlim/pub/cryptonv10.ps
[Inf, Test] The CRYPTON: A new 128-bit block cipher page. http://crypt.future.co.kr/~chlim/crypton.html
[An] Marine Minier, Henri Gilbert, "Stochastic Cryptanalysis of Crypton," Presented at Fast Software Encryption 2000, New York.
Key length: Minimum 0, maximum 256, multiple of 8 bits; default 128 bits. (Note that this is different from CRYPTON-0.5.)
Block size: 16 bytes.

CS-Cipher Block Cipher

Designers: Jacques Stern, Serge Vaudenay
Published: 1998
References:
[Def, An, Test, Impl] Serge Vaudenay, Jacques Stern, "CS-Cipher," Presented at Fast Software Encryption '98, Paris, France. Lecture Notes in Computer Science No. 1372, pp. 189-205, Springer-Verlag, 1998. http://lasecwww.epfl.ch/query.msql?ref=SV98
[An] Serge Vaudenay, "On the Security of CS-Cipher," Presented at Fast Software Encryption '99, Rome. To appear in Lecture Notes in Computer Science, Springer-Verlag. http://lasecwww.epfl.ch/query.msql?ref=Vau99b
[An] Bart Van Rompay, Vincent Rijmen, Jorge Nakahara Jr., "A First Report on CS-Cipher, Hierocrypt, Grand Cru, SAFER++ and SHACAL," NESSIE Project public report, March 12, 2001. https://www.cosic.esat.kuleuven.ac.be/nessie/reports/kulwp3-006-1.pdf
Key length: Minimum 0, maximum 128, multiple of 8 bits; default 128 bits.
Block size: 8 bytes.
Patent status: CS-Cipher may be subject to patents by the Compagnie des Signaux.

DEAL Block Cipher

Designer: Lars Knudsen
Published: May 1998
References:
[Def, An] Lars Knudsen, DEAL: A 128-bit Block Cipher, February 1998 (revised May 15, 1998). http://www.ii.uib.no/~larsr/newblock.html (Note: this paper contains an error; see the comments below.)
[An] Stefan Lucks, On the Security of the 128-Bit Block Cipher DEAL. http://th.informatik.uni-mannheim.de/m/lucks/papers.html
[An] John Kelsey, Bruce Schneier, "Key-Schedule Cryptanalysis of DEAL," Sixth Annual Workshop on Selected Areas in Cryptography, Springer-Verlag, August 1999, to appear. http://www.counterpane.com/deal.html
[Test] NIST, DEAL Test Values, http://www-08.nist.gov/encryption/aes/round1/testvals/deal-vals.zip
Key length: 128, 192 or 256 bits; default 128 bits.
Block size: 16 bytes.
Comment: The paper "DEAL: A 128-bit Block Cipher" contains an error in the description of key scheduling: the three occurrences of "<4>" should be replaced by "<3>", and the two occurrences of "<8>" should be replaced by "<4>". In other words, the constants to be XOR'd with the input keys are 0x8000000000000000, 0x4000000000000000, 0x2000000000000000 and 0x1000000000000000.
Security comments: The paper "On the Security of the 128-Bit Block Cipher DEAL" describes some certificational weaknesses of DEAL with a key size of 192 bits; these attacks are impractical.
John Kelsey of Counterpane Systems has found some related-key attacks and equivalent keys for DEAL (described in the DEAL AES forum on NIST's web site, and in the paper "Key-Schedule Cryptanalysis of DEAL"). These appear to be impractical when DEAL is used as a cipher (as opposed to a hash function using a construction such as Davies-Meyer).

DES Block Cipher

Designers: Don Coppersmith, Horst Feistel, Walt Tuchman, U.S. National Security Agency
Published: 1976
References:
[Def] U.S. National Institute of Standards and Technology, NIST FIPS PUB 46-2 (supersedes FIPS PUB 46-1), "Data Encryption Standard", U.S. Department of Commerce, December 1993. http://www.itl.nist.gov/div897/pubs/fip46-2.htm
[Inf, Test] U.S. National Institute of Standards and Technology, NIST FIPS PUB 74, "Guidelines for Implementing and Using the NBS Data Encryption Standard".
[Inf] Bruce Schneier, "Chapter 12 Data Encryption Standard," Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[Inf, Test] A. Menezes, P.C. van Oorschot, S.A. Vanstone, "Section 7.4 DES," Handbook of Applied Cryptography, CRC Press, 1997. http://www.cacr.math.uwaterloo.ca/hac/about/chap7.pdf, .ps
[An] Eli Biham, Adi Shamir, "Differential Cryptanalysis of the Full 16-Round DES," CS 708, Proceedings of CRYPTO '92, Volume 740 of Lecture Notes in Computer Science, December 1991. http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1991/CS/CS0708.ps
[An] Eli Biham, Adi Shamir, "Differential cryptanalysis of DES-like cryptosystems," Technical report CS90-16, Weizmann Institute of Science. Advances in Cryptology - CRYPTO '90 Proceedings and Journal of Cryptology, Vol. 4, No. 1, pp. 3-72, 1991. http://www.cs.technion.ac.il/~biham/Reports/Weizmann/cs90-16.ps.gz
[An] Eli Biham, Adi Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.
[An] M. Matsui, "Linear cryptanalysis method for DES cipher," Advances in Cryptology - EUROCRYPT '93 Proceedings, Volume 765 of Lecture Notes in Computer Science (T. Helleseth, ed.), pp. 386-397. Springer-Verlag, 1994.
[An] M. Matsui, "The First Experimental Cryptanalysis of the Data Encryption Standard," Advances in Cryptology - CRYPTO '94 Proceedings, Volume 839 of Lecture Notes in Computer Science, Springer-Verlag, 1994.
[An] M. Matsui, "On Correlation Between the Order of S-boxes and the Strength of DES," Advances in Cryptology - EUROCRYPT '94 Proceedings, Volume 950 of Lecture Notes in Computer Science, Springer-Verlag, 1995.
[An] Eli Biham, A. Biryukov, "An Improvement of Davies' Attack on DES," CS 817, EUROCRYPT '94 Proceedings (May 1994), Volume 950 of Lecture Notes in Computer Science (A. De Santis, ed.), Springer Verlag, 1995, and Journal of Cryptology, Vol. 10, No. 3, pp. 195-206, 1997. http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1994/CS/CS0817.ps
[An] Lars Knudsen, "New potentially weak keys for DES and LOKI," Advances in Cryptology - EUROCRYPT '94 Proceedings, Volume 950 of Lecture Notes in Computer Science (A. De Santis, ed.), pp. 419-424. Springer Verlag, 1995. ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/potential.ps.Z
[An] Lars Knudsen, John Erik Mathiassen, "A Chosen-Plaintext Linear Attack on DES," Proceedings of Fast Software Encryption 2000, Volume 1978 of Lecture Notes in Computer Science. Springer-Verlag, 2001. http://link.springer.de/link/service/series/0558/bibs/1978/19780262.htm (requires subscription)
[Test] U.S. National Institute of Standards and Technology, NIST Special Publication 800-17, pp. 124 et seq. http://csrc.nist.gov/nistpubs/800-17.pdf
Key length: 64 bits as encoded; 56 bits excluding parity bits.
Block size: 8 bytes.
Comment: Implementations MUST ignore (i.e. not check) the parity bits of keys. KeyGenerators for DES MUST, however, output keys with correct parity.
Security comment: The fixed 56-bit effective key length is too short to prevent brute-force attacks.
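The two DES key-handling rules in the Comment above (implementations ignore the parity bits; KeyGenerators emit keys with correct odd parity), as an added Python example that is not part of the original page; the function names are this example's own, and the sample keys in the test are constructed.

```python
"""DES key parity handling (added example).

A DES key is encoded as 8 bytes; the low bit of each byte is a parity bit and
the upper 7 bits of each byte are the 56 effective key bits.  Correct parity
is odd parity per byte.  Per the page: a cipher implementation must not
reject a key for bad parity, but a key generator must produce correct parity.
"""
import secrets

DES_KEY_BYTES = 8


def _popcount(b: int) -> int:
    return bin(b).count("1")


def has_odd_parity(key: bytes) -> bool:
    """True if key is 8 bytes and every byte has an odd number of set bits."""
    return len(key) == DES_KEY_BYTES and all(_popcount(b) % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Return key with each byte's parity bit adjusted to give odd parity.
    The 56 effective key bits are left untouched."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError("DES keys are 8 bytes as encoded")
    out = bytearray()
    for b in key:
        high = b & 0xFE                       # the 7 effective bits of this byte
        parity_bit = 0 if _popcount(high) % 2 else 1
        out.append(high | parity_bit)
    return bytes(out)


def effective_key_bits(key: bytes) -> bytes:
    """The 56 bits a cipher implementation actually keys on: parity bits masked
    off.  Two keys differing only in parity bits compare equal here, which is
    what "implementations MUST ignore the parity bits" amounts to."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError("DES keys are 8 bytes as encoded")
    return bytes(b & 0xFE for b in key)


def generate_des_key() -> bytes:
    """KeyGenerator behaviour: 56 random bits from a CSPRNG, parity set correctly."""
    return set_odd_parity(secrets.token_bytes(DES_KEY_BYTES))
```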

DESede Block Cipher

Designers: Whitfield Diffie, Martin Hellman, Walt Tuchman
Published: 1978-79
Aliases: "DES-EDE2" (always 2-key); "DES-EDE3", "OpenPGP.Cipher.2" (always 3-key); "TripleDES", "3DES" (default key length implemented inconsistently by different providers)
References:
[ Def ] U.S. National Institute of Standards and Technology, DRAFT FIPS PUB 46-3, "Data Encryption Standard", U.S. Department of Commerce, 1999. http://csrc.nist.gov/cryptval/des/fr990115.htm
[ Inf ] Walt Tuchman, "Hellman Presents No Shortcut Solutions To DES," IEEE Spectrum, v. 16, n. 7, July 1979, pp. 40-41.
[ Inf ] U.S. National Institute of Standards and Technology, NIST FIPS PUB 46-2, "Data Encryption Standard", U.S. Department of Commerce, December 1993. http://www.itl.nist.gov/div897/pubs/fip46-2.htm
[ Inf ] Bruce Schneier, "Chapter 12 Data Encryption Standard," and "Section 15.2 Triple Encryption," Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[ Inf, An ] Ralph C. Merkle, Secrecy, authentication, and public key systems, UMI Research Press, Ann Arbor, Michigan, 1979.
[ Inf, An ] Ralph C. Merkle, Martin Hellman, "On the Security of Multiple Encryption," Communications of the ACM, vol. 24 no. 7, 1981, pp. 465-467.
[ An ] Paul van Oorschot, Michael Wiener, "A Known-Plaintext Attack on Two-Key Triple Encryption," Advances in Cryptology - EUROCRYPT '90 Proceedings, Volume 473 of Lecture Notes in Computer Science (I.B. Damgård, ed.), pp. 318-325. Springer-Verlag, 1991.
[ An ] John Kelsey, Bruce Schneier, David Wagner, "Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES". http://www.counterpane.com/key_schedule.html
[ An ] Stefan Lucks, "Attacking Triple Encryption," Fast Software Encryption '98, Volume 1372 of Lecture Notes in Computer Science (Serge Vaudenay, ed.), Springer-Verlag, 1998. http://th.informatik.uni-mannheim.de/m/lucks/papers.html
[ An ] Helena Handschuh, Bart Preneel, "On the security of double and 2-key triple modes of operation," Fast Software Encryption 6, Volume 1636 of Lecture Notes in Computer Science (L. Knudsen, ed.), Springer-Verlag, 1999. http://perso.enst.fr/~handschu/fse6.ps
[ Test ] U.S. National Institute of Standards and Technology, Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures, NIST Special Publication 800-20, April 2000. http://csrc.nist.gov/publications/nistpubs/800-20/800-20.pdf
[ Test ] U.S. National Institute of Standards and Technology, Triple DES Test Vectors, http://csrc.nist.gov/cryptval/des/tripledes-vectors.zip
Key length: 128 or 192 bits, as encoded (112 or 168 bits excluding parity). The default key length depends on the name of the KeyGenerator: 128 bits for DES-EDE2, and 192 bits for DES-EDE3 or OpenPGP.Cipher.2. The default key length for DESede and the other aliases is implemented inconsistently between different providers; therefore, if an application needs to create a DESede key of a specific length in a way that is guaranteed to work across providers, it should explicitly create a SecretKeySpec.
Block size: 8 bytes.
Comments: If the key length is 128 bits including parity (i.e. two-key triple DES), the first 8 bytes of the encoding represent the key used for the two outer DES operations, and the second 8 bytes represent the key used for the inner DES operation.
If the key length is 192 bits including parity (i.e. three-key triple DES), then three independent DES keys are represented, in the order in which they are used for encryption.
Implementations MUST ignore (i.e. not check) the parity bits of keys. KeyGenerators for DESede MUST, however, output keys with correct parity.
Security comment: Quoting from the paper "Attacking Triple Encryption" cited above: "[A]bout 2^108 steps of computation are sufficient to break three-key triple DES. If one concentrates on the number of single DES operations and assumes the other operations to be much faster, 2^90 of these are enough." Better attacks than this are available against two-key triple DES (which should only be used for backward compatibility, if at all).

DESX Block Cipher

Designer: Ron Rivest
Description: If K, K1 and K2 are the subkeys encoded as described below, then encryption and decryption are defined by:
E_DESX[K, K1, K2](P) = E_DES[K](P XOR K1) XOR K2
D_DESX[K, K1, K2](C) = D_DES[K](C XOR K2) XOR K1
If the user key length is 24 bytes, the first 8 bytes represent the key K used for the DES operation, and the two subsequent blocks of 8 bytes represent the "whitening" keys K1 and K2, in that order. If the user key length is 16 bytes, the first 8 bytes represent the key K used for the DES operation, the second 8 bytes represent the whitening key K1, and K2 is derived from K and K1 as specified in the first reference below.
References:
[ Def ] Mark Riordan, Subject: Re: Ladder DES. Posting to Usenet newsgroup sci.crypt, 1 Mar 1994. (Message-ID: <2ku9uc$sr8@msuinfo.cl.msu.edu>) Archived at ftp://ftp.replay.com/pub/replay/mirror/ftp.cryptography.org/DESX/desx.algorithm.description
[ An ] Joe Kilian, Phillip Rogaway, "How to protect DES against exhaustive key search," earlier version in Advances in Cryptology - CRYPTO '96, Volume 1109 of Lecture Notes in Computer Science (N. Koblitz, ed.), pp. 252-267. Springer-Verlag, 1996. Full version: http://wwwcsif.cs.ucdavis.edu/~rogaway/papers/desx.ps
[ Inf ] U.S. National Institute of Standards and Technology, NIST FIPS PUB 46-2 (supersedes FIPS PUB 46-1), "Data Encryption Standard", U.S. Department of Commerce, December 1993. http://www.itl.nist.gov/div897/pubs/fip46-2.htm
[ Inf ] Bruce Schneier, "Chapter 12 Data Encryption Standard," Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[ An ] John Kelsey, Bruce Schneier, David Wagner, "Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA", ICICS '97 Proceedings, Springer-Verlag, November 1997. http://www.counterpane.com/related-key_cryptanalysis.html
Key length: 128 or 192 bits; default 192 bits, as encoded. See security comments for the effective key length.
Block size: 8 bytes.
Comments: Implementations MUST ignore (i.e. not check) the parity bits of the single-DES key. KeyGenerators for DESX SHOULD generate entirely random keys (possibly avoiding DES weak keys). In the case of a 16-byte key, the input to the "hash procedure" which generates K2 is the original user key, without any adjustment to parity.
There do not appear to be any "official" test vectors for DESX, so for reference we provide the following (the first was calculated using Mark Riordan's C implementation, and the second by hand based on official DES test data):
key = <0123456789ABCDEF1011121314151617>
plaintext = <4445535864657378>
ciphertext = <D8FA5084FAD4B35C>
key = <01010101010101010123456789ABCDEF1011121314151617>
plaintext = <94DBE082549A14EF>
ciphertext = <9011121314151617>
Security comments: The paper "How to protect DES against exhaustive key search" proves that attacks on DESX that assume a "black-box" model for DES require a work factor of 2^118. This does not take into account any possible weaknesses of DES, apart from the key complementation property. In particular, DESX is no more secure than DES against linear and differential cryptanalysis. DESX is vulnerable to related-key attacks, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

DFC Block Cipher

Designers: Henri Gilbert, Marc Girault, Philippe Hoogvorst, Fabrice Noilhan, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay
Published: May 1998
References:
[ Def, An ] Henri Gilbert, Marc Girault, Philippe Hoogvorst, Fabrice Noilhan, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay, Decorrelated Fast Cipher: an AES Candidate, http://lasecwww.epfl.ch/query.msql?ref=GG%2B98b (also see errata at the DFC home page)
[ Inf ] The Decorrelated Fast Cipher Home Page, http://lasecwww.epfl.ch/dfc.shtml
[ Inf ] Serge Vaudenay, "The Decorrelation Technique," http://lasecwww.epfl.ch/decorrelation.shtml
[ An ] Lars Knudsen, Vincent Rijmen, "On the decorrelated fast cipher (DFC) and its theory," presented at Fast Software Encryption '99, Rome.
[ Patent ] Serge Vaudenay, "Procédé de décorrélation des données," French patent application num. 96 13411. Requested on 4 November 1996. (Extension to other countries in process.)
[ Test ] NIST, DFC Test Values, http://www-08.nist.gov/encryption/aes/round1/testvals/dfc-vals.zip
Key length: Minimum 0, maximum 256 bits, multiple of 8 bits; default 128 bits.
Block size: 16 bytes.
Patent status: DFC itself is unpatented, but the decorrelation technique it uses may be covered by the patent application referenced above.

DFCv2-128(rounds,s) Block Cipher

Designers: Louis Granboulan, Phong Nguyen, Fabrice Noilhan, Serge Vaudenay
Published: August 2000
References:
[ Def, An, Test ] Louis Granboulan, Phong Nguyen, Fabrice Noilhan, Serge Vaudenay, "DFCv2," in Selected Areas in Cryptography - Proceedings of SAC '2000 (D. Stinson and S. Tavares, eds.), Waterloo, Ontario, Canada, August 14-15 2000. To appear in Lecture Notes in Computer Science, Springer-Verlag. http://www.di.ens.fr/~granboul/recherche/publications/
[ Inf ] The Decorrelated Fast Cipher Home Page, http://lasecwww.epfl.ch/dfc.shtml
[ Inf ] Serge Vaudenay, "The Decorrelation Technique," http://lasecwww.epfl.ch/decorrelation.shtml
[ Inf ] Olivier Baudron, Henri Gilbert, Louis Granboulan, Helena Handschuh, Robert Harley, Antoine Joux, Phong Nguyen, Fabrice Noilhan, David Pointcheval, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay, "DFC Update," presented at the 2nd AES Conference. http://lasecwww.epfl.ch/query.msql?ref=BG%2B99b
[ An ] Lars Knudsen, Vincent Rijmen, "On the decorrelated fast cipher (DFC) and its theory," presented at Fast Software Encryption '99, Rome.
[ Patent ] Serge Vaudenay, "Procédé de décorrélation des données," French patent application num. 96 13411. Requested on 4 November 1996. (Extension to other countries in process.)
Parameters:
Integer rounds [creation/read, no default] - the number of rounds to be performed (minimum 8, default 12, multiple of 2)
Integer s [creation/read] - adjustment to key scheduling (minimum 4, default 4?)
Key length: 128, 192 or 256 bits; default 128 bits.
Block size: 16 bytes.
Comments: Note that DFCv2 is not the same as the algorithm defined in the "DFC Update" paper (which did not have a sufficiently well-specified key schedule). That paper is included in the references only for comparison.
Patent status: DFCv2 itself is unpatented, but the decorrelation technique it uses may be covered by the patent application referenced above.

Diamond2(rounds) Block Cipher

Designer: Michael Paul Johnson
Published: 1995
References:
[ Def ] Michael Paul Johnson, "The Diamond2 Block Cipher," diamond2.{ps,doc} in ftp://ftp.zedz.com/pub/cryptoI/mirror/ftp.cryptography.org/libraries/dlock2.zip
[ Inf ] Michael Paul Johnson, "Beyond DES: Data Compression and the MPJ Encryption Algorithm," Master's Thesis at the University of Colorado at Colorado Springs, 1989. thesis.txt in ftp://ftp.zedz.com/pub/cryptoI/mirror/ftp.cryptography.org/libraries/dlock2.zip (Note: this describes an earlier version of Diamond, not Diamond2.)
[ Impl, Test ] Michael Paul Johnson, Diamond2 reference implementation (in C++), ftp://ftp.zedz.com/pub/cryptoI/mirror/ftp.cryptography.org/libraries/dlock2.zip
Parameters:
Integer rounds [creation/read, no default] - the number of rounds to be performed (minimum 10)
Key length: Minimum 8, maximum 65536, multiple of 8 bits; default 128 bits.
Block size: 16 bytes.
Comments: The paper "The Diamond2 Block Cipher" does not appear to specify a recommended number of rounds, only a minimum number of rounds. For that reason, the rounds parameter has been made mandatory. The "Diamond2 Lite" variant does not have a standard name.

E2 Block Cipher

Designers: Kazumaro Aoki, Masayuki Kanda, Tsutomu Matsumoto, Shiho Moriai, Kazuo Ohta, Miyako Ookubo, Youichi Takashima, Hiroki Ueda
Published: June 1998
References:
[ Def, An ] Specification of E2 - a 128-bit Block Cipher, http://info.isl.ntt.co.jp/e2/E2spec.pdf
[ Inf ] The E2 Home Page, http://info.isl.ntt.co.jp/e2/
[ Inf ] Supporting Document on E2 (corrected version, April 16 1999), http://info.isl.ntt.co.jp/e2/E2support.pdf
[ Inf ] Kazumaro Aoki, Hiroki Ueda, "Optimized Software Implementations of E2," presented at the 2nd AES Conference. http://csrc.nist.gov/encryption/aes/round1/conf2/papers/aoki.pdf
[ Inf ] Kazumaro Aoki, Hiroki Ueda, "Optimized Software Implementations of E2," revised April 15, 1999. http://info.isl.ntt.co.jp/e2/RelDocs/implE2.pdf
[ Def, An ] M. Kanda, Y. Takashima, T. Matsumoto, K. Aoki, K. Ohta, "A Strategy for Constructing Fast Round Functions with Practical Security against Differential and Linear Cryptanalysis," presented at the 5th annual workshop on Selected Areas in Cryptography (SAC '98) in August, 1998.
[ An ] Makoto Sugita, Kazukuni Kobara, Hideki Imai, "Pseudorandomness and Maximum Average of Differential Probability of Block Ciphers with SPN-Structures like E2," presented at the 2nd AES Conference. http://csrc.nist.gov/encryption/aes/round1/conf2/papers/sugita.pdf
[ An ] Yuji Hori, Toshinobu Kaneko, "A study of E2 by higher order differential attack," Technical report of IEICE, ISEC98-39, Science University of Tokyo (in Japanese - brief English summary here).
[ An ] Mitsuru Matsui, Toshio Tokita, "On cryptanalysis of a byte-oriented cipher," The 1999 Symposium on Cryptography and Information Security, SCIS99-W2-1.5 (in Japanese - brief English summary here).
[ An ] Mitsuru Matsui, Toshio Tokita, "Cryptanalysis of a Reduced Version of the Block Cipher E2," Fast Software Encryption '99 (March 1999), pp. 70-79 (abstract here).
[ An ] NTT Laboratories, "Security of E2 against Truncated Differential Cryptanalysis (in progress)," April 15 1999. http://info.isl.ntt.co.jp/e2/RelDocs/E2trunc.pdf
[ An ] Makoto Sugita, Kazukuni Kobara, Kazuhiro Uehara, Shuji Kubota, Hideki Imai, "Relationships among Differential, Truncated Differential, Impossible Differential Cryptanalyses against Word-Oriented Block Ciphers like Rijndael, E2," presented at the 3rd AES Candidate Conference. http://csrc.nist.gov/encryption/aes/round2/conf3/papers/32-msugita.pdf
[ An ] Matsui, Tokita, "Cryptanalysis of block cipher E2," presented at Fast Software Encryption '99, Rome.
[ Patent ] NTT (assignee), "Data Randomize Device and Symmetric Cipher Devices (translated)," Japanese Patent Application JP 173672/1997.
[ Patent ] NTT (assignee), [[need patent titles]] Japanese Patent Applications JP 013572/1998, JP 013573/1998, JP 153066/1998 and JP 147479/1998. (Corresponding applications will be filed in other countries.)
[ Test ] NIST, E2 Test Values, http://www-08.nist.gov/encryption/aes/round1/testvals/e2-vals.zip
Key length: 128, 192 or 256 bits; default 128 bits.
Block size: 16 bytes.
Patent status: NTT has several patents pending on E2 (see references).

? FROG [(blockSize[,rounds])] Block Cipher

Designers: Dianelos Georgoudis, Damian Leroux, Billy Simón Chaves
Published: 1998
References:
[ Def, An, Impl ] Dianelos Georgoudis, Damian Leroux, Billy Simón Chaves, The "FROG" Encryption Algorithm, June 15, 1998. http://www.tecapro.com/aesfrog.htm
[ An ] F. Koeune, G.F. Piret, J.J. Quisquater, Our first few comments about FROG, August 1998. http://www.dice.ucl.ac.be/crypto/CAESAR/frog.html
[ An ] David Wagner, Niels Ferguson, Bruce Schneier, Cryptanalysis of FROG, corrected version, March 16, 1999. Presented at the 2nd AES Conference. http://www.cs.berkeley.edu/~daw/papers/frog-final.ps (slides: http://www.cs.berkeley.edu/~daw/papers/frog-slides.ps) [Also see: http://www.counterpane.com/frog.html - is this the earlier version?]
[ Test ] NIST, FROG Test Values, http://www-08.nist.gov/encryption/aes/round1/testvals/frog-vals.zip
Parameters:
Integer blockSize [creation/read, default 16] - the length of a block in bytes (8 to 128)
Integer rounds [creation/read, default 8] - the number of rounds to be performed (minimum 8)
Key length: Minimum 40, maximum 1000, multiple of 8 bits; default 128 bits.
Block size: As given by the blockSize parameter (in bytes).
Missing information: Test vectors for block sizes other than 16 bytes.
Comment: The original C reference code uses an unconventional byte order when printing test vectors (the order of bytes is reversed across the whole block). The correct byte order is that defined by the Java reference implementation, and by the NIST test vectors referenced above.
Security comment: The paper "Cryptanalysis of FROG" describes the following attacks on weak keys:
A differential attack requiring 2^58 chosen plaintexts and very little time for the analysis; it works for about 2^-33.0 of the keyspace.
A linear attack that uses 2^56 known texts and works for 2^-31.8 of the keyspace.
A ciphertext-only linear attack using 2^64 ciphertexts (also for 2^-31.8 of the keyspace).
A differential attack on the decryption function that requires 2^36 chosen ciphertexts and works for 2^-29.3 of the keyspace.

? GOST Block Cipher

Alias: "GOST-28147-89"
Published: 1989
References:
[ Def ] GOST, Gosudarstvennyi Standard 28147-89, "Cryptographic Protection for Data Processing Systems," Government Committee of the USSR for Standards, 1989 (in Russian).
[ Def, Inf ] Bruce Schneier, "Section 14.1 GOST," Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[ Inf ] J. Pieprzyk, L. Tombak, "Soviet Encryption Algorithm," Preprint 94-10, Department of Computer Science, The University of Wollongong, 1994. ftp://ftp.cs.uow.edu.au/pub/papers/1994/tr-94-10.ps.Z
[ An ] Markku-Juhani Saarinen, A chosen key attack against the secret S-boxes of GOST, http://www.cc.jyu.fi/~mjos/gost_cka.ps
[ An ] C. Charnes, L. O'Connor, J. Pieprzyk, R. Safavi-Naini, Y. Zheng, "Comments on Soviet encryption algorithm," Advances in Cryptology - EUROCRYPT '94 Proceedings, Volume 950 of Lecture Notes in Computer Science (A. De Santis, ed.), pp. 433-438. Springer-Verlag, 1995.
[ An ] C. Charnes, L. O'Connor, J. Pieprzyk, R. Safavi-Naini, Y. Zheng, "Further comments on GOST encryption algorithm," Preprint 94-9, Department of Computer Science, The University of Wollongong, 1994. ftp://ftp.cs.uow.edu.au/pub/papers/1994/tr-94-9.ps.Z
[ An ] John Kelsey, Bruce Schneier, David Wagner, "Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES," Advances in Cryptology - CRYPTO '96 Proceedings. Springer-Verlag, August 1996. http://www.cs.berkeley.edu/~daw/papers/keysched-crypto96.ps
[ Inf ] Markku-Juhani Saarinen, C implementation and test vectors for GOST hash function, http://www.tcs.hut.fi/~mjos/gosthash.tar.gz [The implementation is of GOST-Hash, but this archive also contains a draft translation into English of the GOST 28147-89 standard.]
Parameters:
byte[][] sboxes [write only, default as given in Applied Cryptography] - the S-boxes to be used by this cipher instance. sboxes[i-1][j] represents the output of S-box i, for an input value j. The implementation may or may not copy the contents of arrays used to set this parameter. If any such arrays are subsequently changed, the output of the cipher is undefined (it is therefore the responsibility of the caller to make sure that references to these arrays are not accessible to untrusted code). Setting this parameter will reset the current key and feedback vector, if applicable.
Key length: 256 bits.
Block size: 8 bytes.
Missing information: Test vectors.
Security comment: The paper "A chosen key attack against the secret S-boxes of GOST" cited above describes how to recover the S-boxes in about 2^32 encryptions. The main significance of this is for tamperproof hardware implementations where the S-boxes were assumed to be secret; for a software implementation, they should be assumed to be public in any case.

HPC-1(blockSize[,backup]) Block Cipher

Designer: Rich Schroeppel
Published: 1998
Description: This is the original HPC cipher submitted as a first round AES candidate.
References:
[ Def ] Rich Schroeppel, Hilarie Orman, Specification for the Hasty Pudding Cipher, http://www.cs.arizona.edu/~rcs/hpc/hpc-spec
[ Inf, Test ] Rich Schroeppel, The Hasty Pudding Cipher page, http://www.cs.arizona.edu/~rcs/hpc/
[ An ] David Wagner, Equivalent keys for HPC, rump session talk at the 2nd AES Conference. Slides at: http://www.cs.berkeley.edu/~daw/papers/hpc-aes99-slides.ps
[ An ] Carl D'Halluin, Gert Bijnens, Bart Preneel, Vincent Rijmen, Equivalent keys of HPC, Katholieke Universiteit Leuven, ESAT-COSIC. http://www.esat.kuleuven.ac.be/~rijmen/pub99.html
[ Inf ] Rich Schroeppel, "The Hasty Pudding Cipher: One Year Later," June 12, 1999. http://www.cs.arizona.edu/~rcs/hpc/hpc-oneyearlater
[ Test ] NIST, HPC Test Values, http://www-08.nist.gov/encryption/aes/round1/testvals/hpc-vals.zip
Parameters:
Integer blockSize [creation/read, default 16] - the length of a block in bytes (minimum 1)
Integer backup [creation/read, default 0] - a parameter that can be increased to make the cipher more conservative, at the cost of speed (minimum 0)
long[] spice [write, default all-zeroes] - an array of 8 64-bit words containing a diversifier. The implementation may or may not copy the contents of arrays used to set this parameter. If any such array is subsequently changed, the output of the cipher is undefined, unless the parameter is set again immediately (it is therefore the responsibility of the caller to make sure that a reference to this array is not accessible to untrusted code). Setting this parameter will not reset the current key and feedback vector.
Key length: Minimum 0, maximum 65536 bits; default 128 bits.
Block size: As given by the blockSize parameter (in bytes). Note that while HPC supports block sizes that are not a multiple of 8 bits, the JCE API does not.
Comment: The convention for encoding keys whose length is not a multiple of 8 bits is for the last (effectiveBitLength % 8) bits of the key to be packed into the high-order bits of the last byte of the encoding. Any unused low-order bits of the last byte are ignored. For example, the key given by the 11-bit binary sequence <01010101 010> would be encoded as the byte array { 0x55, 0x40 | junk }, where junk & 0xE0 == 0. The value of the key's effectiveBitLength parameter is used to determine how many bits of the encoding are significant.
Security comments: The paper "Equivalent keys of HPC" by D'Halluin et al. describes an attack which, for 128-bit keys, has an expected work factor of 2^89, and works for 1/256 of the keyspace. The analysis is extended to HPC with a 192-bit key and a 256-bit key, with similar results. For some other key lengths (including 56 bits), all keys are shown to be weak. The "tweak" described in "Tweaking the Hasty Pudding Cipher" (see HPC-2) is intended to correct this problem, but has not yet had a significant amount of analysis. Also note that with the default all-zeroes spice value, much of the work being done by the cipher has no cryptographic effect.
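The key-encoding convention in the comment above, as an added example that is not part of the original document: packing a key whose length is not a multiple of 8 bits, and reading it back while ignoring the junk low-order bits of the last byte, so that two encodings differing only in junk bits are recognised as the same key. Function names are this example's own; the 11-bit sample key is the one from the text.

```python
# Added example, not from the original document: the HPC key-encoding
# convention from the text, for key lengths that are not a multiple of 8 bits.

def encode_hpc_key(bits):
    """Pack a bit sequence (list of 0/1, first bit first) into bytes.
    The last (len(bits) % 8) bits go into the high-order bits of the final
    byte; its unused low-order bits are written as zero here, but a reader
    must treat them as junk and ignore them."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        value = 0
        for b in chunk:
            value = (value << 1) | b
        out.append(value << (8 - len(chunk)))   # moves a short final chunk up
    return bytes(out)

def decode_hpc_key(encoded, effective_bit_length):
    """Recover the significant bits; effectiveBitLength says how many there are."""
    if len(encoded) != (effective_bit_length + 7) // 8:
        raise ValueError("encoding length does not match effectiveBitLength")
    bits = []
    for byte in encoded:
        bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    return bits[:effective_bit_length]   # drops the junk low-order bits

def same_hpc_key(enc_a, enc_b, effective_bit_length):
    """True if two encodings denote the same key, whatever their junk bits."""
    return (decode_hpc_key(enc_a, effective_bit_length)
            == decode_hpc_key(enc_b, effective_bit_length))

# The 11-bit example from the text: <01010101 010> encodes as { 0x55, 0x40 | junk }.
EXAMPLE_BITS = [0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0]

if __name__ == "__main__":
    print(encode_hpc_key(EXAMPLE_BITS).hex())            # 5540
    print(same_hpc_key(b"\x55\x40", b"\x55\x5f", 11))    # True: junk & 0xE0 == 0
```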

? HPC-2 (blockSize[,backup]) Block Cipher

Designer: Rich Schroeppel
Published: June 1999
Description: This is the "tweaked" version of HPC, with a modified key schedule.
References:
[Def] Rich Schroeppel, "Tweaking the Hasty Pudding Cipher," http://www.cs.arizona.edu/~rcs/hpc/tweak
[Inf] Rich Schroeppel, "The Hasty Pudding Cipher: One Year Later," June 12, 1999. http://www.cs.arizona.edu/~rcs/hpc/hpc-oneyearlater
[see references for HPC-1]
Parameters:
Integer blockSize [creation/read, default 16] - the length of a block in bytes (minimum 1)
Integer backup [creation/read, default 0] - a parameter that can be increased to make the cipher more conservative, at the cost of speed (minimum 0)
long[] spice [write, default all-zeroes] - an array of 8 64-bit words containing a diversifier. The implementation may or may not copy the contents of arrays used to set this parameter. If any such array is subsequently changed, the output of the cipher is undefined, unless the parameter is set again immediately (it is therefore the responsibility of the caller to make sure that a reference to this array is not accessible to untrusted code). Setting this parameter will not reset the current key and feedback vector.
Key length: Minimum 0, maximum 65536 bits; default 128 bits.
Block size: As given by the blockSize parameter (in bytes). Note that while HPC supports block sizes that are not a multiple of 8 bits, the JCE API does not.
Missing information: Test vectors.
Comment: [see comment for HPC-1]
Security comment: Note that with the default all-zeroes spice value, much of the work being done by the cipher has no cryptographic effect.

ICE Block Cipher

Designer: Matthew Kwan
Published: 1997
References:
[Def, Test] Matthew Kwan, "The Design of the ICE Encryption Algorithm," Proceedings of Fast Software Encryption - Fourth International Workshop, Haifa, Israel, pp. 69-82. Springer-Verlag, 1997. http://www.darkside.com.au/ice/paper.html
[Inf, Impl] The ICE Home Page, http://www.darkside.com.au/ice/
[An] Matthew Kwan, Cryptanalysis of ICE, http://www.darkside.com.au/ice/cryptanalysis.html
[An] B. Van Rompay, Lars Knudsen, Vincent Rijmen, "Differential cryptanalysis of the ICE encryption algorithm," Fast Software Encryption, Volume 1372 of Lecture Notes in Computer Science (Serge Vaudenay, ed.), pp. 270-283. Springer-Verlag, 1998. ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/vrompay/fse98.ps.gz
Key length: Minimum 64, multiple of 64 bits; default 128 bits.
Block size: 8 bytes.
Comment: The length of the key defines the "level" parameter (note that the "Thin ICE" variant is not included).
Security comment: The paper "Differential cryptanalysis of the ICE encryption algorithm" describes several differential attacks, including an attack against a variant reduced to 15 rounds, with 2^56 work and at most 2^56 chosen plaintexts. (The full algorithm has n/4 rounds when the key length is n bits.) The paper concludes:

[...] The main conclusion of this paper is that keyed permutation does not prevent differential cryptanalysis. Although the analysis is more complicated and becomes key dependent, in our opinion the intention of the design has not been reached. The best 3-round iterative characteristic that can be used in our attack has a probability of 2^-13, which is higher than the probability of 2^-16 of the best 3-round characteristic for LOKI91 (a similar block cipher that makes use of four identical 12 to 8-bit S-boxes).

These attacks are probably not practical when the number of rounds is 32 or higher (i.e. the key is 128 bits or longer). However, in that case ICE is slower than DES.

IDEA Block Cipher

Designers: Xuejia Lai, James Massey
Published: 1992
Alias: "OpenPGP.Cipher.1"
Object Identifiers:
1.3.6.1.4.1.188.7.1.1.1 for IDEA/ECB
1.3.6.1.4.1.188.7.1.1.2 for IDEA/CBC
1.3.6.1.4.1.188.7.1.1.3 for IDEA/CFB
1.3.6.1.4.1.188.7.1.1.4 for IDEA/OFB
(source for OIDs)
References:
[Def, An] X. Lai, "On the design and security of block ciphers", ETH Series in Information Processing (J.L. Massey, ed.), Vol. 1, Hartung-Gorre Verlag, Konstanz, 1992 (Technische Hochschule Zurich).
[Inf, An] X. Lai, J.L. Massey, S. Murphy, "Markov Ciphers and Differential Cryptanalysis," Advances in Cryptology - EUROCRYPT '91, Volume 547 of Lecture Notes in Computer Science (D.W. Davies, ed.), pp. 17-38. Springer-Verlag, 1991.
[Inf] The IDEA Algorithm page, http://www.mediacrypt.com/ (older version archived at http://web.archive.org/web/20000816173927/http://www.ascom.ch/infosec/idea/oid.html)
[Inf] Bruce Schneier, "Section 13.9 IDEA," Applied Cryptography, Second Edition, John Wiley & Sons, 1996. (Note: there is an error in the description; the diagram is correct.)
[Inf] A. Menezes, P.C. van Oorschot, S.A. Vanstone, "Section 7.6 IDEA," Handbook of Applied Cryptography, CRC Press, 1997. http://www.cacr.math.uwaterloo.ca/hac/about/chap7.pdf, .ps
[An] Joan Daemen, René Govaerts, Joos Vandewalle, "Weak Keys of IDEA," Advances in Cryptology - CRYPTO '93 Proceedings, Volume 773 of Lecture Notes in Computer Science (D. Stinson, ed.), pp. 224-231. Springer-Verlag, 1994. http://www.esat.kuleuven.ac.be/~cosicart/ps/JD-9304.ps.gz
[An] Joan Daemen, René Govaerts, Joos Vandewalle, "Cryptanalysis of 2.5 Rounds of IDEA," ESAT-COSIC Technical Report 93/1, 1993. http://www.esat.kuleuven.ac.be/~cosicart/ps/JD-9306.ps.gz
[An] J. Borst, L. Knudsen, V. Rijmen, "Two attacks on reduced IDEA," Advances in Cryptology - EUROCRYPT '97 Proceedings, Volume 1233 of Lecture Notes in Computer Science (W. Fumy, ed.), pp. 1-13. Springer-Verlag, 1997. ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/idea.ps.gz
[An] L. Knudsen, V. Rijmen, "Truncated Differentials of IDEA," ESAT-COSIC Technical Report 97-1. ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/idea_trunc.ps.Z
[An] John Kelsey, Bruce Schneier, David Wagner, "Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES". http://www.counterpane.com/key_schedule.html
[An] Phillip Hawkes, "Differential-Linear Weak Key Classes of IDEA," Advances in Cryptology - EUROCRYPT '98 Proceedings, pp. 112-126, Springer-Verlag, 1998.
[An] E. Biham, A. Biryukov, A. Shamir, "Miss in the middle attacks on IDEA, Khufu and Khafre," Presented at Fast Software Encryption '99, Rome.
[An] John Kelsey, Bruce Schneier, David Wagner, Chris Hall, "Side Channel Cryptanalysis of Product Ciphers", ESORICS '98 Proceedings, pp. 97-110, Springer-Verlag, September 1998. http://www.counterpane.com/side_channel.html
[Inf, An] Ascom Systec, Ltd., "Side Channel Attack Hardening of the IDEA Cipher," Ascom Systec White Paper (corrected version, May 1999). http://web.archive.org/web/20000823133119/www.ascom.ch/infosec/downloads/sidechannel.pdf
[An] Jorge Nakahara Jr., Paulo Barreto, Bart Preneel, Joos Vandewalle, Hae Y. Kim, "SQUARE Attacks on Reduced-Round PES and IDEA Block Ciphers," NESSIE Project phase 2 public report, 19 November 2001. https://www.cosic.esat.kuleuven.ac.be/nessie/reports/phase2/nessie-idea.pdf
[An] Alex Biryukov, Jorge Nakahara Jr., Bart Preneel, Joos Vandewalle, "New Weak Key Classes of IDEA," NESSIE Project phase 2 public report, 29 June 2002. https://www.cosic.esat.kuleuven.ac.be/nessie/reports/phase2/keyidea5.pdf
[Patent] James Massey, Xuejia Lai, "Device for Converting a Digital Block and the Use Thereof", International Patent WO09118459A2, filed May 16 1991, issued November 28 1991.
[Patent] James Massey, Xuejia Lai, "Device for Converting a Digital Block and the Use Thereof," European Patent EP00482154A1, filed May 16 1991, issued April 29 1992.
[Patent] James Massey, Xuejia Lai, "Device for Converting a Digital Block and the Use Thereof," European Patent EP00482154B1, filed May 16 1991, issued June 30 1993.
[Patent] James Massey, Xuejia Lai, "Device for the Conversion of a Digital Block and Use of Same", U.S. Patent 5,214,703, filed January 7 1992, issued May 25 1993.
[Patent] James Massey, Xuejia Lai, [[filed Japanese Patent Application No. 508119/1991]]
[Impl, Test] Ascom Systec, Ltd., IDEA C Source Code and Test Data (corrected version, May 1999). http://web.archive.org/web/20000816173624/www.ascom.ch/infosec/downloads.html
Key length: 128 bits.
Block size: 8 bytes.
Comments: A version of the IDEA C reference code available in April and early May 1999 contained a bug in the code for multiplication mod 2^16+1, which occurs when multiplying two zero words; this bug is not caught by the standard test vectors. An additional test vector that does catch the bug (and incidentally demonstrates a weakness of IDEA's key schedule, but that's beside the point) is:
key = <00000000000000000000000000000000>
plaintext = <0000000000000000>
ciphertext = <0001000100000000>

The test vectors, reference implementation and papers that were previously available from the Ascom web site (including the important paper on side channel attack hardening) have all disappeared from that site. Congratulations to Ascom, iT_Security, Mediacrypt, or whatever its name is this week, for providing an excellent example of how not to handle web site reorganisations. Fortunately all of these files were recoverable from web.archive.org (thanks to Jason Harris for pointing this out).
Security comment: IDEA has classes of weak keys arising from its simple key schedule (see the papers by Daemen et al., Hawkes, and Biryukov et al. above), and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).
Patent status: IDEA is patented in the U.S. and 9 European countries by Ascom Systec Ltd., with a patent pending in Japan.
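The all-zero test vector above is worth understanding rather than just pasting into a test suite: with a zero key every subkey is zero, so the cipher multiplies the zero word (which IDEA defines to stand for 2^16) by itself in every round, and 2^16 * 2^16 mod (2^16+1) = 1 is exactly the case the standard 0001..0008 vector never reaches. The following IDEA encryption is an added example (not the Ascom reference code and not SCAN's) that reproduces both vectors and counts how often the zero-times-zero case is exercised; the multiplication is passed in as a parameter so that it can be instrumented. Function names are my own, and the sample inputs are the two test vectors quoted in the text.

```python
"""IDEA block encryption with an instrumentable mul-mod-(2^16+1).

Added example, not the Ascom reference code. Shows why the all-zero test
vector exercises a case (0 * 0 mod 2^16+1, with 0 standing for 2^16) that
the standard vector does not. Function names are my own.
"""

MOD = 0x10001  # 2^16 + 1 (prime); the 16-bit word 0 represents 2^16


def mul(a: int, b: int) -> int:
    """Multiplication modulo 2^16+1 on 16-bit words, 0 standing for 2^16."""
    if a == 0:
        a = 0x10000
    if b == 0:
        b = 0x10000
    # The only product that does not fit in 16 bits is 2^16 itself; masking maps it back to 0.
    return (a * b % MOD) & 0xFFFF


def add(a: int, b: int) -> int:
    """Addition modulo 2^16."""
    return (a + b) & 0xFFFF


def expand_key(key: bytes) -> list:
    """52 subkeys: the 16-bit words of the key, then of successive 25-bit left rotations."""
    if len(key) != 16:
        raise ValueError("IDEA needs a 128-bit key")
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys.extend((k >> (112 - 16 * i)) & 0xFFFF for i in range(8))
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def encrypt_block(key: bytes, block: bytes, mul=mul) -> bytes:
    """Encrypt one 64-bit block; `mul` may be replaced by an instrumented version."""
    if len(block) != 8:
        raise ValueError("IDEA block is 64 bits")
    z = expand_key(key)
    x1, x2, x3, x4 = (int.from_bytes(block[o:o + 2], "big") for o in range(0, 8, 2))
    for r in range(8):
        k = z[6 * r:6 * r + 6]
        a = mul(x1, k[0]); b = add(x2, k[1]); c = add(x3, k[2]); d = mul(x4, k[3])
        g = mul(a ^ c, k[4])            # multiplication-addition (MA) structure
        h = mul(add(b ^ d, g), k[5])
        i = add(g, h)
        x1, x2, x3, x4 = a ^ h, c ^ h, b ^ i, d ^ i   # inner halves swapped for the next round
    # Output transformation; it operates on the un-swapped halves of the last round.
    y = (mul(x1, z[48]), add(x3, z[49]), add(x2, z[50]), mul(x4, z[51]))
    return b"".join(w.to_bytes(2, "big") for w in y)


def count_zero_zero_muls(key: bytes, block: bytes) -> int:
    """How many times encrypting this block multiplies two zero words."""
    hits = 0

    def counting_mul(a, b):
        nonlocal hits
        if a == 0 and b == 0:
            hits += 1
        return mul(a, b)

    encrypt_block(key, block, mul=counting_mul)
    return hits


if __name__ == "__main__":
    std_key = bytes.fromhex("00010002000300040005000600070008")
    std_pt = bytes.fromhex("0000000100020003")
    print(encrypt_block(std_key, std_pt).hex(), count_zero_zero_muls(std_key, std_pt))
    print(encrypt_block(bytes(16), bytes(8)).hex(), count_zero_zero_muls(bytes(16), bytes(8)))
```

A test suite for any IDEA implementation should include the all-zero vector alongside the published ones; the instrumented count makes it obvious which branch of the multiplication each vector actually covers.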

× ISAAC-BE Stream Cipher

Designer: Robert J. Jenkins Jr.
Published: 1996
References:
[Def, An] Robert J. Jenkins Jr., ISAAC and RC4, http://www.burtleburtle.net/bob/rand/isaac.html
[Inf, An, Test, Impl] Robert J. Jenkins Jr., ISAAC: a fast cryptographic random number generator, http://www.burtleburtle.net/bob/rand/isaacafa.html
[Inf] Robert J. Jenkins Jr., "ISAAC," Fast Software Encryption, Third International Workshop, Volume 1039 of Lecture Notes in Computer Science (D. Gollmann, ed.), pp. 41-49. Springer-Verlag, 1996.
Key length: ?
Missing information: ISAAC does not appear to have a standard key schedule; this would need to be specified for it to be usable as a SCAN algorithm. Test vectors would also be needed.

× ISAAC-LE Stream Cipher

× ISAAC-64-BE Stream Cipher

Designer: Robert J. Jenkins Jr.
Published: 1996
References:
[Def, An] Robert J. Jenkins Jr., ISAAC and RC4, http://www.burtleburtle.net/bob/rand/isaac.html
Key length: ?
Missing information: ISAAC-64 does not appear to have a standard key schedule; this would need to be specified for it to be usable as a SCAN algorithm. Test vectors would also be needed.

× ISAAC-64-LE Stream Cipher

? JEROBOAM Stream Cipher

Designers: Hervé Chabanne, Emmanuel Michon
Published: 1998
Description: This algorithm refers to JEROBOAM version 2.0.
Alias: "JEROBOAM-2.0"
References:
[Def, An] Hervé Chabanne, Emmanuel Michon, "JEROBOAM", Fast Software Encryption '98, Volume 1372 of Lecture Notes in Computer Science (Serge Vaudenay, ed.), pp. 49-59. Springer-Verlag, 1998.
[Def, An] Emmanuel Michon, Rapport de stage d'option scientifique: étude cryptologique du chiffreur JEROBOAM (internship report: cryptologic study of the JEROBOAM cipher), Ecole Polytechnique, June 1997.
Key length: 128 or 248 bits
Missing information: I have not yet read either of the referenced papers, so I don't know whether byte-order is specified, status of test vectors, etc.

× LEVIATHAN-BE Stream Cipher

Designers: David McGrew, Scott Fluhrer
Published: October 2000
Description: This is LEVIATHAN using big-endian byte order, when XORing the keystream with the plaintext for encryption.
References:
[Def, An] David McGrew, Scott Fluhrer, The Stream Cipher LEVIATHAN - Specification and Supporting Documentation, Presented at the First Open NESSIE Workshop, November 2000. https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/leviathan.zip
[Def, An] Paul Crowley, Analysis of LEVIATHAN, http://www.cluefactory.org.uk/paul/crypto/leviathan.html
Key length: 128 or 256 bits
Security comment: The output of LEVIATHAN can be distinguished from a random stream given about ??? MBytes of output.

× LEVIATHAN-LE Stream Cipher

Designers: David McGrew, Scott Fluhrer
Published: October 2000
Description: This is LEVIATHAN using little-endian byte order, when XORing the keystream with the plaintext for encryption.
References: [see references for LEVIATHAN-BE]
Key length: 128 or 256 bits
Security comment: [see Security comment for LEVIATHAN-BE]

LOKI91 Block Cipher

Designers: Laurence Brown, Matthew Kwan, Josef Pieprzyk, Jennifer Seberry
Published: 1991-92
References:
[Def, An] Laurence Brown, Matthew Kwan, Josef Pieprzyk, Jennifer Seberry, "Improving Resistance to Differential Cryptanalysis and the Redesign of LOKI," Advances in Cryptology - ASIACRYPT '91 Proceedings, Springer-Verlag, 1993, pp. 36-50.
[Inf] Bruce Schneier, "Section 13.6 LOKI," Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[An] Eli Biham, "New Types of Cryptanalytic Attacks Using Related Keys," Technical Report CS 753, Computer Science Department, Technion - Israel Institute of Technology, September 1992. http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1992/CS/CS0753.ps
[An] Lars Knudsen, "Cryptanalysis of LOKI91," Advances in Cryptology - AUSCRYPT '92, Volume 718 of Lecture Notes in Computer Science, pp. 196-208. Springer-Verlag, 1992. ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/loki91.ps.Z
[An] Lars Knudsen, "Block ciphers - analysis, design and applications," PhD. Thesis, DAIMI PB 485, Aarhus University, 1994.
[An] Toshio Tokita, Tohru Sorimachi, Mitsuru Matsui, "Linear cryptanalysis of LOKI and S2DES," Advances in Cryptology - ASIACRYPT '94, Volume 917 of Lecture Notes in Computer Science, pp. 293-306. Springer-Verlag, 1994.
[An] Lars Knudsen, M.J.B. Robshaw, "Non-linear Approximations in Linear Cryptanalysis," Advances in Cryptology - EUROCRYPT '96, Volume 1070 of Lecture Notes in Computer Science, pp. 224-236. Springer-Verlag, 1996. ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/nonlinear.ps.Z
[An] Kouichi Sakurai, Souichi Furuya, "Improving Linear Cryptanalysis of LOKI91 by Probabilistic Counting Method," Volume ??? of Lecture Notes in Computer Science. Springer-Verlag, 1997.
[An] Lars Knudsen, "New potentially weak keys for DES and LOKI," Advances in Cryptology - EUROCRYPT '94 Proceedings, Volume 950 of Lecture Notes in Computer Science (A. De Santis, ed.), pp. 419-424. Springer-Verlag, 1995. ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/potential.ps.Z
Key length: 64 bits.
Block size: 8 bytes.
Security comments: LOKI91 is vulnerable to related-key attacks, with a work factor of about 2^60 operations, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function). The attacks cited above based on Linear Cryptanalysis are effective against reduced-round variants of LOKI91 with up to 12 rounds (the full cipher has 16 rounds).

The fixed 64-bit key length is too short to prevent brute-force attacks.

LOKI97 Block Cipher

Designers: Laurence Brown, Josef Pieprzyk, Jennifer Seberry
Published: 1997
References:
[Def, An] Laurence Brown, Josef Pieprzyk, Introducing the new LOKI97 Block Cipher, http://www.adfa.oz.au/~lpb/research/loki97/loki97spec.ps
[Inf, Impl] Laurence Brown, The LOKI97 Block Cipher page, http://www.adfa.oz.au/~lpb/research/loki97/
[An] Vincent Rijmen, Lars Knudsen, Weaknesses in LOKI97, ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/loki97.pdf
[Test] NIST, LOKI97 Test Values, http://www-08.nist.gov/encryption/aes/round1/testvals/loki97-vals.zip
Key length: 128, 192 or 256 bits; default 128 bits.
Block size: 16 bytes.
Security comment: The paper "Weaknesses in LOKI97" describes an attack using Differential Cryptanalysis, estimated as requiring at most 2^56 chosen plaintexts, and an attack using Linear Cryptanalysis, estimated as requiring at most 2^56 known plaintexts.

MAGENTA Block Cipher

Designers: Michael Jacobson Jr., Klaus Huber
Published: August 1998
References:
[Def, An] M.J. Jacobson Jr., K. Huber, The MAGENTA Block Cipher Algorithm, http://www.gel.ulaval.ca/~klein/maitrise/aes/magenta.pdf
[An] Eli Biham, Alex Biryukov, Niels Ferguson, Lars Knudsen, Bruce Schneier, Adi Shamir, "Cryptanalysis of Magenta," Distributed at the first AES conference, August 20, 1998. http://www.counterpane.com/magenta.html
[Patent] [[need patent title]], German Patent DE 44 25 158 A1, [[need date]].
[Test] NIST, MAGENTA Test Values, http://www-08.nist.gov/encryption/aes/round1/testvals/magenta-vals.zip
Key length: 128, 192, or 256 bits; default 128 bits.
Block size: 16 bytes.
Security comment: The paper "Cryptanalysis of Magenta" describes a chosen plaintext attack using 2^64 chosen plaintexts and 2^64 work. It also notes that "given a ciphertext, one can decrypt it by swapping its two halves, re-encrypting the result, and swapping again". This would be a fatal weakness for some applications, even though it does not allow obtaining the key: anyone who can obtain encryptions under the key (an encryption oracle) can decrypt arbitrary ciphertexts.
Patent status: MAGENTA may be patented (see references).
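The swap-encrypt-swap property comes from MAGENTA's key schedule, which feeds its subkeys to the Feistel rounds in an order that reads the same backwards as forwards (for a 128-bit key K1 K2, the six rounds use K1, K1, K2, K2, K1, K1). Feistel decryption is encryption with the subkey order reversed, applied to the swapped block and followed by another swap; when the order is a palindrome, reversing it changes nothing, so the encryption oracle is also a decryption oracle. The toy Feistel network below is an added example, not MAGENTA and not anyone's reference code: it uses a 64-bit block, a throwaway round function of my own and a MAGENTA-shaped palindromic schedule, and it shows that decrypting with the oracle gives the same answer as textbook decryption, while a non-palindromic schedule does not have the flaw.

```python
"""Toy Feistel network with a palindromic subkey order.

Added example (not MAGENTA, not reference code). Demonstrates that when
reversed(subkeys) == subkeys, decryption is swap -> encrypt -> swap, so an
encryption oracle suffices to decrypt. Names and the round function are mine.
"""

MASK32 = 0xFFFFFFFF


def round_function(half: int, subkey: int) -> int:
    """An arbitrary non-linear 32-bit function; its strength is irrelevant to the point."""
    x = (half + subkey) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    return x ^ (x >> 15)


def feistel(block: bytes, subkeys: list) -> bytes:
    """Generic Feistel encryption on a 64-bit block; every round swaps the halves."""
    if len(block) != 8:
        raise ValueError("toy cipher uses a 64-bit block")
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def swap_halves(block: bytes) -> bytes:
    return block[4:] + block[:4]


def schedule(key: bytes) -> list:
    """Palindromic schedule modelled on MAGENTA-128's K1,K1,K2,K2,K1,K1 order (32-bit halves here)."""
    if len(key) != 8:
        raise ValueError("toy cipher uses a 64-bit key")
    k1, k2 = int.from_bytes(key[:4], "big"), int.from_bytes(key[4:], "big")
    return [k1, k1, k2, k2, k1, k1]


def encrypt(key: bytes, block: bytes) -> bytes:
    return feistel(block, schedule(key))


def decrypt(key: bytes, block: bytes) -> bytes:
    """Textbook Feistel decryption: swap, run the rounds with the subkeys reversed, swap."""
    return swap_halves(feistel(swap_halves(block), list(reversed(schedule(key)))))


def decrypt_with_encryption_oracle(encrypt_oracle, block: bytes) -> bytes:
    """The attack: no key needed, because reversed(schedule) == schedule."""
    return swap_halves(encrypt_oracle(swap_halves(block)))


if __name__ == "__main__":
    key = bytes(range(8))          # constructed sample key
    ct = encrypt(key, b"attack!!")  # constructed sample plaintext
    print(decrypt(key, ct), decrypt_with_encryption_oracle(lambda b: encrypt(key, b), ct))
```

The check a reviewer should apply to any Feistel design is therefore simple: if the subkey sequence is a palindrome (or any other self-inverse order), the cipher is an involution up to a swap, and a chosen-plaintext capability becomes a chosen-ciphertext capability for free.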

MARS Block Cipher

Designers: Carolynn Burwick, Don Coppersmith, Edward D'Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas Jr., Luke O'Connor, Mohammad Peyravian, David Safford, Nevenko Zunic
Published: August? 1999
Description: This is the "tweaked" version of MARS submitted as a second round AES candidate.
Alias: "MARS-2"
References:
[Def, An] Carolynn Burwick, Don Coppersmith, Edward D'Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas Jr., Luke O'Connor, Mohammad Peyravian, David Safford, Nevenko Zunic, "MARS - A candidate cipher for AES," (corrected version). Available from http://www.research.ibm.com/security/mars.html [Note that the key schedule described here (in mars.pdf/.ps) is for the initial version of MARS submitted as a first round AES candidate.]
[Def] Shai Halevi, "MARS key setup," http://www.research.ibm.com/security/key-setup.txt
[An] Scott Contini, Yiqun Lisa Yin, "On Differential Properties of Data-Dependent Rotations and Their Use in MARS and RC6," Presented at the 2nd AES Conference. http://csrc.nist.gov/encryption/aes/round1/conf2/papers/contini.pdf
[An] John Kelsey, Bruce Schneier, "MARS Attacks! Preliminary Cryptanalysis of Reduced-Round MARS Variants," Presented at the 3rd AES Candidate Conference. http://www.counterpane.com/mars-attacks.html
[An] Eli Biham, Vladimir Furman, "Impossible Differential on 8-Round MARS' Core," March 15, 2000. Presented at the 3rd AES Candidate Conference. http://csrc.nist.gov/encryption/aes/round2/conf3/papers/07-ebiham.pdf
[An] L. Burnett, G. Carter, E. Dawson, W. Millan, "Efficient methods for generating MARS-like S-boxes," Presented at Fast Software Encryption 2000.
[An] L. Knudsen, H. Raddum, "Linear Approximations to MARS S-Box," Submitted to NIST as an AES comment, April 2000. http://csrc.nist.gov/encryption/aes/round2/comments/20000407-lknudsen.pdf
[An] M. Robshaw, Y.L. Yin, "Potential Flaws in the Conjectured Resistance of MARS to Linear Cryptanalysis," Submitted to NIST as an AES comment, May 2000. http://csrc.nist.gov/encryption/aes/round2/comments/20000502-mrobshaw.pdf
[An] B. Preneel, A. Bosselaers, V. Rijmen, B. Van Rompay, L. Granboulan, J. Stern, S. Murphy, M. Dichtl, P. Serf, E. Biham, O. Dunkelman, V. Furman, F. Koeune, G. Piret, J-J. Quisquater, L. Knudsen, H. Raddum, "Comments by the NESSIE Project on the AES Finalists," Submitted to NIST as an AES comment, May 2000. http://csrc.nist.gov/encryption/aes/round2/comments/20000524-bpreneel.pdf
[An] IBM MARS Team, "Comments on MARS's linear analysis," Submitted to NIST as an AES comment, May 2000. http://csrc.nist.gov/encryption/aes/round2/comments/20000515-ibm-2.pdf
[An] Tetsu Iwata, Kaoru Kurosawa, "On the Pseudorandomness of AES Finalists - RC6, Serpent, MARS and Twofish," Presented at Fast Software Encryption 2000, New York.
[An] John Kelsey, Tadayoshi Kohno, Bruce Schneier, "Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent," Presented at Fast Software Encryption 2000, New York. http://www.counterpane.com/boomerang.html
[Patent] [[need patent title and date]], U.S. Patent Application: IBM application CR998021.
[Test] IBM Corporation, New MARS Test Vectors, http://www.research.ibm.com/security/test-vectors/
Key length: Minimum 128, maximum 448, multiple of 32 bits; default 128 bits.
Block size: 16 bytes.
Patent status: IBM has a patent pending on MARS. It has said that "... we are making MARS available on a royalty-free basis, worldwide, regardless of AES outcome." (See this press release.) However, it is not clear whether "royalty-free" excludes the possibility of up-front license fees.

? MDC Stream Cipher

Designer: Peter Gutmann
Published: October 1992
References:
[Def] Peter Gutmann, Subject: MDC cipher code (long), ftp://ftp.zedz.com/pub/crypto/libraries/mdc/mdc-gutmann.c.gz
[Impl] Peter Gutmann, MDC reference implementation (in C), ftp://ftp.zedz.com/pub/crypto/libraries/mdc/
Key length: Minimum 64, maximum 640, multiple of 8 bits; default 128 bits.
Missing information: Test vectors.
Comments: With regard to buffering and use of IVs, MDC behaves identically to the CFB mode of a block cipher. The length of the initialisation vector is 16 bytes. Implementations MUST support immediate processing of individual bytes.

MDC has nothing to do with the block-cipher-based hash constructions MDC-2 and MDC-4 designed at IBM (which do not have SCAN standard names).
Security comment: A new random IV should be used for each message encrypted under a given key. As in CFB mode, reusing an IV under the same key reveals the XOR of the first blocks of the two plaintexts.

MISTY1[(rounds)] Block Cipher

Designer: M. Matsui
Published: January 1997
References:
[ Def ] M. Matsui, "New Block Encryption Algorithm MISTY," 4th Fast Software Encryption Workshop, January 1997. http://www.mitsubishi.com/ghp_japan/misty/misty_e_b.pdf, .ps
[ Inf ] Mitsubishi Electric, MISTY home page, http://www.mitsubishi.com/ghp_japan/misty/200misty.htm
[ Inf ] M. Matsui, "Block Encryption Algorithm MISTY," (in Japanese) Technical Report of IEICE, ISEC96-11 (1996-07). http://www.mitsubishi.com/ghp_japan/misty/misty_j_b.pdf, .ps
[ Inf ] M. Matsui, "New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis," 3rd Fast Software Encryption Workshop, February 1996.
Parameters: Integer rounds [creation/read, default 8] - the number of rounds to be performed (minimum 8, multiple of 4)
Key length: 128 bits.
Block size: 8 bytes.

? MISTY2[(rounds)] Block Cipher

Designer: M. Matsui
Published: January 1997
References:
[ Def ] M. Matsui, "New Block Encryption Algorithm MISTY," 4th Fast Software Encryption Workshop, January 1997. http://www.mitsubishi.com/ghp_japan/misty/misty_e_b.pdf, .ps
[ Inf ] Mitsubishi Electric, MISTY home page, http://www.mitsubishi.com/ghp_japan/misty/200misty.htm
[ Inf ] M. Matsui, "Block Encryption Algorithm MISTY," (in Japanese) Technical Report of IEICE, ISEC96-11 (1996-07). http://www.mitsubishi.com/ghp_japan/misty/misty_j_b.pdf, .ps
[ Inf ] M. Matsui, "New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis," 3rd Fast Software Encryption Workshop, February 1996.
Parameters: Integer rounds [creation/read, default 12] - the number of rounds to be performed (minimum 12, multiple of 4)
Key length: 128 bits.
Block size: 8 bytes.
Missing information: Test vectors.

Noekeon[(rounds)] Block Cipher

Designers: Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen
Published: November 2000
References:
[ Def, An ] Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen, The Noekeon Block Cipher, presented at the First Open NESSIE Workshop, November 2000. https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/noekeon.zip
[ Inf ] Proton World, Research: Noekeon, a 128-bit block cipher, http://www.protonworld.com/research/noekeon/
[ Test ] Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen, Noekeon Test Values, https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/noekeon.zip
Parameters: Integer rounds [creation/read, default 16] - the number of rounds to be performed (minimum 16)
Key length: 128 bits.
Block size: 16 bytes.

Noekeon-Direct[(rounds)] Block Cipher

Designers: Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen
Published: November 2000
Description: This is the "direct-key" variant of Noekeon, i.e. where the working key is provided directly. This key should be generated at random, or as the output of a hash or PRF.
References:
[ Def, An ] Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen, The Noekeon Block Cipher, http://www.cryptonessie.org/submissions/noekeon/noekeon.zip
[ Inf, Test ] Joan Daemen, Vincent Rijmen, The Noekeon Page, http://www.esat.kuleuven.ac.be/~rijmen/noekeon/
