
REVIEW OF THE JOURNEY FROM DES TO AES

NEETA WADHWA, SYED ZEESHAN HUSSAIN & S. A. M RIZVI

Department of Computer Science, Jamia Millia Islamia, New Delhi, India

ABSTRACT

DES [Data Encryption Standard] was born in the mid 70's and died in the late 90's. A new secure and fast algorithm was required to replace it, and it was replaced by AES [Advanced Encryption Algorithm] in 2001. This paper reviews the whole process of replacing DES and finding AES. It presents a critical analysis of all 15 finalists of the first round of the AES process. All the participant algorithms are analyzed from the Speed versus Security perspective.

KEYWORDS: AES, DES, Symmetric Ciphers, Symmetric Cryptography

INTRODUCTION

In 1972, the National Bureau of Standards (NBS), a part of the U.S. Department of Commerce, started a project to develop standards for the protection of data stored in computers. Before this NBS call, cryptography had been largely the concern of military and other government organizations only, so all the cryptographic algorithms used by national military organizations were closely held secrets. NBS received many responses for the project, but did not receive any algorithms that met the established criteria. NBS issued a second solicitation in the Federal Register (August 17, 1974). In response, IBM submitted its encryption design LUCIFER, designed by Horst Feistel with his team. LUCIFER enciphered blocks of 128 bits, and it used a 128-bit key [block size and key size greater than DES]. NSA made some modifications to the original design [1,2]. The NSA reduced the key size from 112 bits to 56 bits and made changes to the S-boxes, after which the algorithm was subjected to nearly two years of public evaluation and comment. There was much criticism of the DES key length and of its design criteria for the internal structure, particularly the S-boxes. The NSA was accused of changing the algorithm to plant a 'back door' in it that would allow agents to decrypt any information without having to know the encryption key. But these accusations proved unjustified and no such back door has ever been found. The modified Lucifer algorithm was adopted by NIST as a federal standard on November 23, 1976. Its name was changed to the Data Encryption Standard (DES). Finally, the official description of the standard, FIPS PUB 46, Data Encryption Standard, was published on 15 January 1977. NIST also requested IBM to grant nonexclusive, royalty-free licenses to make, use, and sell devices that implemented the algorithm. NBS recommended that the standard be issued with provisions for a review by NBS every five years [3].

Eli Biham and Adi Shamir described differential cryptanalysis in detail in [4]. It was actually a chosen-plaintext attack and required 2^47 chosen plaintexts (possible theoretically only). This attack was based on the structure of the S-boxes. Cryptologists believe that NIST was already aware of this attack in the 70's; that is why they designed the S-boxes to be non-linear and did not even disclose the design principles of the S-boxes at that time. However, the design principles have now been disclosed and have become an interesting area of research and study. If it happened to be a known-plaintext attack, 2^55 pairs of known plaintext are required, which is possible theoretically only. Mitsuru Matsui invented linear cryptanalysis. This cryptanalytic attack on DES has been illustrated in [5]. He proved that with 2^43 known plaintext pairs the secret key can be recovered, which is also not feasible practically. A software implementation of this attack recovered a DES key in 50 days using 12 HP9000/735 workstations, which is the most effective attack so far [5]. DES was actually cracked by the Electronic Frontier Foundation (EFF) in 1998; it used a specially developed computer called the DES Cracker, which was developed for under $250,000 and found the 56-bit DES key in 56 hours [6]. So, due to the very small key length and the increasing computational power of computers, DES was cracked, and 3DES was very slow. So there was an alarming need for a new standard for encryption.

International Journal of Computer Science Engineering and Information Technology Research (IJCSEITR)

ISSN 2249-6831

Vol. 3, Issue 2, Jun 2013, 351-366

© TJPRC Pvt. Ltd.

352 Neeta Wadhwa, Syed Zeeshan Hussain & S. A. M Rizvi

AES PROCESS

On January 2, 1997, the National Institute of Standards and Technology (NIST) initiated the project of replacing DES [7]. Government agencies, academics and vendors commented on the specifications and requirements for the new algorithm, which would be called (Advanced Encryption Algorithm) AEA. On April 15, 1997, NIST organized a workshop to discuss the comments received and to specify the request for candidate algorithms. Finally, on September 12, 1997, NIST put out a formal call for the successor of DES [8].

The requirements of the new standard were: it should be a symmetric block cipher; it should allow key sizes of 128, 192 and 256 bits and a block size of 128 bits; and it should be highly portable, working on a variety of hardware platforms including the 8-bit processors used in smart cards and the 32-bit processors used in most personal computers. The performance specification of an algorithm should also be submitted.

For this criterion, the results of C and Java implementations should be specified, and the most important criterion was the cryptographic strength of an algorithm. Thus the two main considerations for the proposed AES were SPEED and SECURITY.

ROUND 1

Cryptographers, security professionals, researchers and other academics submitted algorithms for consideration. On June 15, 1998, twenty-one algorithms were submitted to NIST. NIST reviewed them and selected 15 candidate algorithms which fulfilled the minimum requirements of the published specification. It did not perform any cryptanalysis of the submitted algorithms; thus this selection process had no cryptographic grounds. NIST just checked the minimum eligibility criteria and the inclusion of all the required documents. Six incomplete submissions were rejected from the competition.

On August 20-22, 1998, the First AES Candidate Conference (AES1) was held in Ventura, California. NIST published the fifteen Round 1 AES candidates at the conference, and the inventors of the 15 algorithms gave presentations to brief the structure, security and performance of the submitted algorithms.

Then all candidate algorithms were opened to the public for Security v/s Speed analysis, and NIST announced 15th April 1999 as the last date for submitting comments on the candidates. Throughout the whole AES process NIST encouraged cryptanalysts to crack/attack each of the methods. These 15 submissions of Round 1 had a lot of diversity. The candidates had varying strengths and weaknesses.

FIFTEEN ALGORITHMS

CAST

CAST-256 is a successor of CAST-128 [9]. It is a 'DES-like' SPN (Substitution-Permutation Network) cryptosystem, because it uses the Feistel model like DES to implement Shannon's concept of an S-P network. CAST is a byte-oriented Feistel cipher. Adams published some articles describing various components of the CAST design procedure [9-12]. Finally, in [12] he described CAST as a design procedure for designing secure symmetric encryption algorithms.

Security v/s Speed Tradeoff

The designer claimed in [13] that the CAST cipher family is very much immune to various cryptanalytic attacks like differential cryptanalysis, linear cryptanalysis and related-key cryptanalysis [14]. He also showed that this cipher family has many desirable cryptographic properties such as avalanche, the Strict Avalanche Criterion (SAC) and the Bit Independence Criterion. He also said that this family of ciphers has no weak and semi-weak keys, unlike DES. As CAST is a DES-like cryptosystem, which was well understood at that time, it has been rigorously analyzed by various cryptographers. It has low resistance against power-analysis attacks due to the use of variable rotations and additions/subtractions. It is simple to implement and has medium speed on different platforms. But it has a hardware-expensive implementation: it requires a large ROM, which makes it unsuitable for smart cards [15].

CRYPTON

CRYPTON [16-18] is an S-P network based on the SQUARE structure [19]. It uses the same routine for encryption and decryption. It has 12 rounds and supports additional key sizes from 32 bits to 256 bits, and also supports a block size of 512 bits.

Security v/s Speed Tradeoff

The designer claimed that the speed of Crypton is double that of DES. The key-schedule time is different for encryption and decryption: it is much faster for encryption than for decryption. It does not need too much RAM [just 52 bytes in total (20 bytes for variables and 32 bytes for the user key)]. It also supports on-the-fly key generation. These features make it suitable for smart cards. CRYPTON is pretty fast in both hardware and software. Its software implementation on a 200 MHz Pentium Pro showed about 40 Mbps, the best encryption and decryption speeds among the AES candidates [20]. Hardware implementations of CRYPTON are even more efficient than software implementations, because it was designed from the beginning with hardware implementations in mind. CRYPTON is considered the most hardware-friendly AES candidate in a few studies [21-23]. Hong et al. analyzed the hardware implementation of Crypton and also studied the properties of its S-boxes. They showed that it can encrypt at a speed of 1.6 Gbit/s using a moderate area of 30,000 gates and even achieve a speed of 2.6 Gbit/s with less than 100,000 gates. The 2.6 Gbps speed is faster than the fastest commercially available Triple-DES chip. This is enough speed to support Gigabit networks. Since CRYPTON has good scalability in gate count, a designer can select a proper speed-area tradeoff from the large set of choices [24].

As far as the security parameter is concerned, the designer claimed it to be resistant to all known cryptanalytic attacks so far and invited more analysis from the cryptography world. This cipher is immune against side-channel cryptanalysis like timing attacks, as each processing step of the cipher involves the same kind of operations up to byte level. The SQUARE attack, a special cryptanalytic technique for SQUARE-based ciphers, can be applied to a 6-round version of CRYPTON [25]. This cipher also has weak keys, which makes it vulnerable to some attacks. Borst in [26] proved that CRYPTON has a class of 2^32 weak 256-bit keys, so Crypton with a key length of 256 bits has to be used carefully. He also suggested incorporating some nonlinearity in the key schedule algorithm, as has been done in Rijndael, which is also based on the same SQUARE model. Rijndael went on to win the AES competition and became the new standard AES, the successor of DES.

DEAL [Digital Encryption Algorithm with Larger Blocks]

The DEAL cipher is based on the Feistel structure and even uses DES itself as its round function [27]. It encrypts a 128-bit data block with three variant key sizes: DEAL-128 (6 rounds), DEAL-192 (6 rounds) and DEAL-256 (8 rounds). All versions work well in all four modes (ECB, CBC, CFB, OFB) defined for DES [28]. It is also the most readily available and implementable, as DES source code is already available.

Security v/s Speed Tradeoff

Due to the large key and block sizes, exhaustive key search and the matching-ciphertext attack are infeasible. In [29,30] Lars Knudsen used a 5-round impossible differential to attack DEAL. Eli Biham, Alex Biryukov and Adi Shamir gave the technique the name 'impossible differential', and applied it with great success to Skipjack [31]. An attack on DEAL-192 was described in [32]. It requires 2^33 chosen plaintexts and work equivalent to about 6 x 2^189 DES encryptions (about 2^189 DEAL encryptions). Thus this attack is not feasible in a practical environment. In [30], a number of impractical attacks on DEAL-192 are discussed. There is a straightforward meet-in-the-middle attack on DEAL-192 requiring about 2^168 work and 2^173 bytes of memory, requiring only three known plaintexts.

The memory requirements are totally unreasonable, and trading off time for memory does not yield an attack with reasonable memory requirements and less work than brute-forcing the key. The slow key schedule of DEAL makes it a poor choice for hashing applications. The presence of equivalent or related keys makes the cipher unusable as a hash function [33]. The speed of DEAL is comparable to 3DES; this implies that DEAL is as slow as 3DES.

DFC [Decorrelated Fast Cipher]

DFC is a Feistel network with 8 rounds [34]. It supports varying key sizes up to 256 bits. Decryption is identical to encryption except for the order of the round keys. The designers claimed that DFC is faster than DES. DFC is based on 64-bit arithmetic: all operations of the round function, like addition and multiplication, are done with reduction modulo 2^64.

Security v/s Speed Tradeoff

It is very fast on 64-bit architectures but quite slow on 32-bit machines. It is also not suitable for smart cards, since it does not port well to 8-bit platforms. As it uses multiplications and additions, it is not immune to side-channel cryptanalysis like timing and power-analysis attacks. Its key schedule has two weaknesses:

First, Coppersmith [35,36] found that if the internal round key RK2 happens to be zero (which holds with probability 2^-128), then the key schedule becomes symmetrical, which makes the whole encryption scheme become the identity function, meaning plaintext and ciphertext would be identical.

Second, the first round key, RK1, depends on only half of the secret key, which may lead to an exhaustive key search attack on the first round key.

E2 [EFFICIENT ENCRYPTION]

E2 is a Feistel network with 12 rounds. It is a 128-bit symmetric block cipher with 3 different key sizes: E2-128, E2-192 and E2-256.

Security v/s Speed Tradeoff

It needs a large amount of ROM. The designers claimed it to be platform friendly, as its S-box can be efficiently implemented on all platforms: 8-bit, 32-bit as well as 64-bit. It has medium speed across different platforms but it is faster than DES. The designers showed in their presentation that on a 32-bit CPU its C implementation performs encryption at a speed of 36 Mbits/sec, whereas on the same configuration DES performs at 10.6 Mbits/sec. But the on-the-fly subkey generation feature was absent, which rules out its implementation on many low-end smart cards. E2 was resistant to all the known attacks of that time, like differential cryptanalysis, linear cryptanalysis, the higher-order differential attack, the interpolation attack and partitioning cryptanalysis, since the S-box was designed with no vulnerabilities. The designers also claimed that nine rounds of E2 would provide enough security against differential and linear attacks. Matsui and Tokita carried out a truncated differential attack on reduced-round versions (up to 8 rounds) of E2. Their analysis is based on byte characteristics, where the difference of two bytes is simply encoded into one bit of information, "0" (the same) or "1" (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies the description of its probabilistic behavior. They themselves admit that their analysis does not have a serious impact on the full E2 (12 rounds with initial and final transformation) [37]. Thus E2 is a secure, fast and flexible cipher.

FROG

FROG is an 8-round substitution-permutation network [38]. It is quite flexible, as it can encrypt blocks of any size between 8 and 128 bytes and has a key of any size between 5 and 125 bytes. FROG uses only byte-level XORs and byte-level substitutions.

Security v/s Speed Tradeoff

It is slower than DES (at 43 clocks/byte) but faster than triple-DES (at about 120 clocks/byte), and much slower than some other modern ciphers such as Blowfish, Square and RC5, which operate at 20-25 clocks/byte [39]. It is easy to implement, but its key schedule is very complex and so very slow; thus it has overall slow speed across different platforms. But once the internal key is set up, the encryption and decryption processes of FROG are extremely simple. It also needs a large amount of RAM (2304 bytes for a 128-bit block), so it is not suitable for smart card implementations. Wagner et al. cryptanalyzed FROG. They performed a differential attack that uses about 2^58 chosen plaintexts and very little time for the analysis. Then they performed a linear attack which uses 2^56 known texts. The linear attack can also be converted to a ciphertext-only attack using 2^64 known ciphertexts. Also, the decryption function of FROG is quite a bit weaker than the encryption function [40]. Its decryption function was about twice as slow as encryption, its key schedule was slow and there was a feasible attack, given above. Due to these factors, FROG turned out not to be a realistic AES candidate.

HPC [Hasty Pudding Cipher]

Its designer, Rich Schroeppel, called HPC an "omni-cipher" because it is flexible enough to handle variable spice size, any key size and, especially, any block size.

Security v/s Speed Tradeoff

HPC-128 is relatively easy to implement, since C source code fragments are provided in the specification. The key schedule appears very costly compared to the encryption and decryption routines. Wagner proved the presence of equivalent keys in HPC [41]. The designer also said that the algorithm is "forward-looking" in that it runs best on 64-bit architectures. But the fact is that this feature makes it unsuited to 8-bit or 32-bit platforms, so it is not suitable for smartcard implementation. NIST was looking for a general-purpose, fast and secure cipher, and ciphers which are not suitable for smart card implementation could not be the general-purpose cipher.

LOKI97

LOKI97 is a 128-bit cipher based on the earlier LOKI89 [42] and LOKI91 [43]. It has a traditional Feistel S-P design. It has 16 rounds and a 256-bit key schedule which can be initialized using 128-, 192- or 256-bit keys. LOKI89 was a 64-bit cipher; its full version is secure, but Biham and Shamir presented an attack on its reduced version. Thus it was modified to LOKI91. LOKI91 was considered secure against known attacks such as differential and linear cryptanalysis [44], but its effective key size (2^60) was not adequate after the brute-force attacks on 56-bit key spaces in [45]. So it was redesigned as LOKI97 for submission to the AES process.

Security v/s Speed Tradeoff

LOKI97 was broken in 1998 by Vincent Rijmen and L. R. Knudsen. They performed a differential cryptanalysis successfully with 2^56 chosen plaintexts. They found two weaknesses in LOKI97: first, its F-function is imbalanced, and second, it has a two-round iterative characteristic with probability 2^-8 [46]. The designer even suggested some modifications to deal with this attack while presenting the cipher at the AES presentation organized by NIST.

MAGENTA [Multifunctional Algorithm for General Purpose Encryption and Network Telecommunication Applications]

MAGENTA was designed in 1990 and published in 1996. The basic design principles of MAGENTA are explained in an unpublished paper. It has a block size of 128 bits and key sizes of 128, 192 and 256 bits. It is a Feistel cipher with six or eight rounds [47].

Security v/s Speed Tradeoff

The basic data unit is the 8-bit byte, so MAGENTA is very much suitable for small smart-card processors [48]. The algorithm can be optimized for small storage space. Due to the convenient data format, the small storage space necessary and the fast encryption speed, the algorithm is also very suitable for applications in ATM, HDTV, B-ISDN, voice and satellite applications. MAGENTA is also suitable for use as a pseudo-random number generator. But some of the algebraic properties of MAGENTA simplify the construction of collisions, which makes MAGENTA unsuitable for use as a hash function or MAC generator. The cipher has some weak keys, and during a presentation at the AES conference Biham and Shamir mounted attacks on MAGENTA based on the symmetry of the subkeys [49].

MARS

MARS encrypts a block size of 128 bits with a variable key size, ranging from 128 to over 400 bits. It is an extended Feistel cipher with 32 modified Feistel rounds. It supports key sizes much higher than 256 bits (theoretically up to 1248 bits, but some equivalent keys emerge at the boundary) [50]. Decryption is not identical to encryption.

Security v/s Speed Tradeoff

The designers claimed that MARS offers high resistance to known attacks, better than triple DES, and runs faster than single DES in some implementations. It had good performance on 32-bit platforms and excellent performance on platforms providing strong support for 32-bit variable rotations and multiplications. But it is not resistant to timing and power-analysis attacks, due to the use of multiplications, variable rotations and additions. During the analysis phase some misconceptions were rumored, which were cleared up by the designers.

For example, at AES Conference 3, one presentation [52] claimed that MARS requires 512 bytes of RAM for key storage. The designers proved it wrong by stating that the original MARS design included expanded keys that took 160 bytes to store, but an accepted "tweak" to the MARS key setup makes it possible to store only 40 bytes of expanded keys at a time. Even the smallest smart cards can support MARS in this mode. Biham and Furman [52] and Kelsey et al. [53] show more efficient ways of distinguishing 8 to 8½ rounds of the MARS core from a random permutation (and then guessing the keys in subsequent rounds to get an attack against 10-11 core rounds).

RC6

RC6 is based on RC5 [54]. Modifications were made to RC5 to meet the AES requirements, to increase security and to improve performance. It has a fully parameterized key size, block size and round number, defined by the RC6-w/r/b parameters. It also uses variable rotations and multiplications. It is fast on 32-bit platforms, and also has fast key setup. It supports key sizes much higher than 256 bits (theoretically up to 1248 bits, but some equivalent keys emerge at the boundary).

Security v/s Speed Tradeoff

RC6 is the fastest algorithm among all the candidates. Since RC5 was proposed in 1995, various studies [55-57] have provided a greater understanding of how RC5's structure and operations contribute to its security. While no practical attack on RC5 has been found, the studies provide some interesting theoretical attacks, generally based on the fact that the rotation amounts in RC5 do not depend on all of the bits in a register. RC6 was designed to thwart such attacks, and indeed to thwart all known attacks, providing a cipher that can offer the security required for the lifespan of the AES.

On an 8-bit processor (an Intel MCS51 with a 1 MHz clock), RC6 encrypts/decrypts at 9.2 Kbits/second (13535 cycles/block). Its key setup takes 27 milliseconds and only 176 bytes are needed for the table of round keys. It fits well on a smart card (< 256 bytes RAM) [58]. It has no known weaknesses in the key schedule, meaning no weak keys, and so is resistant to related-key attacks [59]. RC6 meets the speed, security and simplicity criteria of AES, so it was one of the qualifiers for the second round.

Rijndael

It was invented by two Belgians, Joan Daemen and Vincent Rijmen [60, 61]. It is a byte-oriented, iterated block cipher based on the SP (substitution-permutation) network model structure given by Claude Shannon. It is a successor of the SQUARE cipher. Rijndael is defined as a block cipher with key lengths of 128, 192 or 256 bits, with possible input block lengths of 128, 192 or 256 bits. Any of the 9 combinations of block length and key length is possible for the Rijndael algorithm. The AES algorithm is exactly the same as the Rijndael algorithm, but it only defines one block length of 128 bits, with variable key lengths of 128, 192 or 256 bits. It became the winner and the new standard, AES.

Security v/s Speed Tradeoff

Rijndael is consistently a very good performer in both hardware and software across a wide range of computing environments. Its key setup time is excellent, and its key agility is good. Rijndael's very low memory requirements make it very well suited for restricted-space environments like smart cards.

Rijndael is resistant to brute-force attacks. AES was designed to be resistant against the main cryptanalytic attacks, like differential and linear cryptanalysis. Impossible differential cryptanalysis yielded the first attack on 7-round AES-128 with non-marginal data complexity [62]. Since its birth, many papers have been published on the cryptanalysis of AES over the last decade and a half. In 2000, single-key attacks were introduced on round-reduced AES variants [63,64]. The number of cryptanalyzed rounds is 7 for AES-128 and 8 for AES-192 and AES-256. Then in 2010 these attacks were improved a little by achieving a slightly lower computational complexity for the key recovery [62,65], but the number of cryptanalyzed rounds remained the same. Another attack on the AES algorithm was the square attack, which was successful in breaking Rijndael's predecessor, a block cipher called Square [66]. The square attack exploits the byte-oriented structure of the algorithm to extract information about the cipher key. However, with the current number of rounds for each possible key length, the square attack does not seem to threaten the security of AES unless we are able to reach the level of power necessary to break the Rijndael cipher. Recently, in [65], the first attack on 8-round AES-192 with non-marginal data complexity appeared. So the last twelve years have seen some progress in the cryptanalysis of AES. To date, full-round AES is secure. It is almost as secure as it was 10 years ago in the strongest and most practical model, with a single secret key. In other models, related-key cryptanalysis was applied to the full versions of AES-192 and AES-256 [66], and the rebound attack demonstrated a non-random property in 8-round AES-128 [67]. But none of these techniques can affect the security of the most practical single-secret-key model.
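The following is an added example, not code from the paper or from the Rijndael designers. It is a compact AES-128 in Python built from the pieces the text names (an S-box derived from the GF(2^8) inverse plus an affine map, ShiftRows, MixColumns, round-key addition) and checked against the FIPS-197 Appendix C.1 test vector. It also makes the "byte-oriented structure" remark concrete, for this section and for the 6-round CRYPTON remark earlier: the square (integral) property that the Square attack relies on, a set of 256 plaintexts differing in one byte whose outputs XOR to zero in every byte, holds after 3 full rounds and vanishes at 4, which is why the round count is the security margin. The `aes_rounds` helper with `final=False` (every round keeps MixColumns) is an assumption of this example, the usual convention for round-reduced variants.

```python
# Added example (not from the paper): a from-scratch AES-128 in Python, plus a
# check of the 3-round integral ("square") property. Only the standard library.

def xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11b) if a & 0x100 else a

def gmul(a, b):
    """Multiply two bytes in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0."""
    if a == 0:
        return 0
    return next(x for x in range(1, 256) if gmul(a, x) == 1)

def _affine(b):
    # The S-box affine layer: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xff
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

SBOX = [_affine(gf_inv(x)) for x in range(256)]        # SBOX[0x53] == 0xed
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36]

def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                                   # RotWord, SubWord, Rcon
            t = [SBOX[t[1]], SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

# The state is a flat list of 16 bytes in input order: index = row + 4*column.
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    # Row r is rotated left by r positions: new[r,c] = old[r, (c + r) mod 4]
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gmul(a[0], 2) ^ gmul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ gmul(a[1], 2) ^ gmul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ gmul(a[2], 2) ^ gmul(a[3], 3),
                gmul(a[0], 3) ^ a[1] ^ a[2] ^ gmul(a[3], 2)]
    return out

def add_round_key(s, k):
    return [x ^ y for x, y in zip(s, k)]

def aes_rounds(block, key, nrounds, final=True):
    """Encrypt one 16-byte block with `nrounds` rounds of AES-128.
    final=True: the last round omits MixColumns (the real cipher when nrounds=10).
    final=False: every round includes MixColumns (assumed convention for the
    round-reduced variants studied below)."""
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])
    for r in range(1, nrounds + 1):
        s = shift_rows(sub_bytes(s))
        if r < nrounds or not final:
            s = mix_columns(s)
        s = add_round_key(s, rk[r])
    return bytes(s)

def aes128_encrypt(block, key):
    return aes_rounds(block, key, 10)

def integral_sums(key, nrounds):
    """XOR-sum of each output byte over a Lambda-set: 256 constructed plaintexts
    that agree everywhere except byte 0, which takes every value once.
    After 3 full rounds every byte sums to 0 (balanced); from 4 rounds on the
    S-box destroys the property and the sums are (almost surely) non-zero."""
    base = bytearray(16)                                 # constructed sample input
    sums = [0] * 16
    for v in range(256):
        base[0] = v
        ct = aes_rounds(base, key, nrounds, final=False)
        sums = [a ^ b for a, b in zip(sums, ct)]
    return sums

if __name__ == "__main__":
    key = bytes(range(16))                               # FIPS-197 C.1 key
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt(pt, key).hex())                 # 69c4e0d86a7b0430d8cdb78070b4c55a
    print(integral_sums(key, 3))                         # sixteen zeros
    print(integral_sums(key, 4))                         # not all zero
```

The 3-round result is exactly the structural fact behind the Square attack: MixColumns spreads one active byte to a whole column in round 1, ShiftRows plus MixColumns make all 16 bytes active in round 2, and the linear mixing in round 3 keeps every byte balanced. One more SubBytes layer breaks the balance, so each extra round a designer adds beyond the distinguisher is margin, which is the point the paper makes about the "current number of rounds".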

SAFER+ [SECURE AND FAST ENCRYPTION ROUTINE]

SAFER+ is a substitution/linear-transformation cipher based on the SAFER (Secure and Fast Encryption Routines) family of ciphers: SAFER K-64, SAFER K-128, SAFER SK-64, SAFER SK-128 and SAFER SK-40. It is a 64-bit symmetric cipher and the key length is 40, 64 or 128 bits, as indicated in the name of the cipher. It has different encryption and decryption routines. For a key length of 128 bits, 8 rounds are used; for 192 bits, 12 rounds; and for a 256-bit key, 16 rounds are used [68].

Security v/s Speed Tradeoff

SAFER+ with six or more rounds (but not fewer) is secure against differential cryptanalysis. For a desirable margin of safety, the designers chose 8 rounds for SAFER+ with the 128-bit key schedule. These 8 rounds of SAFER+ (with a 128-bit key) provide an enormous margin of safety against an attack by linear cryptanalysis [69].

Its C implementation encrypts at a rate of 9-18 Mbits/sec, with 15 to 50 microseconds to run the key schedule. SAFER++ is undoubtedly more secure than SAFER+. In the year 2000, SAFER++ was submitted to the NESSIE project in two versions, one with 64 bits and the other with 128 bits [70]. It is a byte-oriented algorithm that does not take full advantage of the 32-bit operations available on the Pentium II, but it is well suited to smart cards due to its low RAM and ROM requirements. It also supports on-the-fly subkey generation, with subkeys computable in any order. It is slow across platforms.

SERPENT

Serpent is a substitution-linear transformation network. It encrypts a 128-bit plaintext block into a 128-bit ciphertext block in 32 rounds under the control of 33 128-bit subkeys K0, ..., K32 [71]. The user key length is variable, but for the AES submission the designers fixed it at 128, 192 or 256 bits. Keys shorter than 256 bits are mapped to full-length 256-bit keys by appending a single 1 bit at the MSB end, followed by as many 0 bits as are required to make up 256 bits. The 1 bit marks where the user key ends, so every short key maps to a distinct full-length key and no two short keys are equivalent.
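The short-key mapping described above, written out as an added example (this is not code from the paper or from the Serpent authors, and it shows only the padding step, not Serpent itself). Two conventions are assumptions made here for concreteness: the user key occupies the least significant bits of a 256-bit integer, and key bytes are read little-endian. The naive zero-extension is included only to show the collision that the marker bit prevents.

```python
"""Serpent-style padding of short user keys to 256 bits (added example).

Assumption: the user key sits in the low-order bits of a 256-bit value and the
marker 1 bit is placed immediately above it; everything above the marker is 0.
"""

FULL_KEY_BITS = 256


def naive_zero_extend(key: bytes) -> int:
    """What a mapping WITHOUT the marker bit would do: zero-extend the key.
    A 128-bit key K and the 192-bit key K || 0^64 then collide."""
    return int.from_bytes(key, "little")  # byte order is an assumption


def serpent_pad_key(key: bytes) -> int:
    """Map a user key of at most 256 bits to a 256-bit key value.

    Keys shorter than 256 bits get a single 1 bit appended at the MSB end;
    the remaining high-order bits are implicitly 0. A 256-bit key is unchanged.
    """
    key_bits = len(key) * 8
    if key_bits > FULL_KEY_BITS:
        raise ValueError("user key longer than 256 bits")
    value = int.from_bytes(key, "little")
    if key_bits == FULL_KEY_BITS:
        return value
    return value | (1 << key_bits)  # marker bit at position key_bits


def serpent_unpad_key(padded: int) -> bytes:
    """Inverse of serpent_pad_key for short keys: the highest set bit is the
    marker, so its position reveals the original key length. This is exactly
    why two distinct short keys can never map to the same full-length key."""
    marker = padded.bit_length() - 1
    if marker <= 0 or marker >= FULL_KEY_BITS or marker % 8 != 0:
        raise ValueError("value is not a padded short key")
    return (padded ^ (1 << marker)).to_bytes(marker // 8, "little")


def collision_demo():
    """Constructed keys: a 128-bit key and the 192-bit key made by appending
    eight zero bytes. Returns (naive_collides, padded_collides)."""
    k128 = bytes(range(16))
    k192 = k128 + bytes(8)
    naive_collides = naive_zero_extend(k128) == naive_zero_extend(k192)
    padded_collides = serpent_pad_key(k128) == serpent_pad_key(k192)
    return naive_collides, padded_collides


if __name__ == "__main__":
    print("naive zero-extension collides:", collision_demo()[0])   # True
    print("marker-bit padding collides: ", collision_demo()[1])   # False
```

One caveat worth knowing: the guarantee is that no two *short* keys are equivalent. The padded value is itself a legal 256-bit key, so each short key has exactly one 256-bit key that expands to the same subkeys; this is inherent in any injective padding into the full key space and is not a weakness.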

Security v/s Speed Tradeoff

The number of instructions used to encrypt or decrypt depends on neither the data nor the key, so timing attacks [72] do not apply. The designers also described how "bitslicing" can be used to implement the algorithm efficiently, computing the S-boxes in parallel with logical operations instead of data-dependent table lookups, so that Serpent runs as fast as DES in software. Serpent is the best of the AES finalists in hardware, even with the full 32 rounds. An independent team produced implementations of RC6, Rijndael, Serpent and Twofish for the Xilinx XCV1000 FPGA; Serpent was the only finalist for which a fully pipelined implementation fitted into a single chip, and it was by far the fastest, achieving a throughput of 5.04 Gbit/s versus 2.40 Gbit/s for RC6, 1.94 Gbit/s for Rijndael and 1.71 Gbit/s for Twofish [73]. An NSA study of ASIC costs predicts 8.03 Gbit/s for Serpent versus 5.163 for Rijndael, 2.171 for RC6 and 1.445 for Twofish [74]. Serpent is also well suited to smart cards because of its low RAM and ROM requirements [75].
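The bitsliced S-box evaluation mentioned above, shown as an added example (not code from the paper or from the Serpent authors). Rather than hand-optimised Boolean formulas, the block derives the algebraic normal form (ANF) of each output bit from the S-box table with a Moebius transform and evaluates it on 64-bit words, so one pass computes 64 S-box lookups with AND/XOR only and no data-dependent memory access. The table used is the Serpent S0 table as commonly listed; the method is the same for any 16-entry table, so treat the specific values as an assumption and substitute your own if needed.

```python
"""Generic bitsliced evaluation of a 4-bit S-box (added example).

Each Python int is used as a 64-bit word: bit j of input word x_i is input bit i
of the j-th nibble, and likewise for the output words. The S-box is compiled
into its algebraic normal form once, then evaluated with AND/XOR only.
"""

# Assumed to be Serpent's S0; any 16-entry table works with this code.
SBOX = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]
WORD_BITS = 64
MASK = (1 << WORD_BITS) - 1


def anf_coefficients(truth_table):
    """Fast Moebius transform: 16-entry truth table (indexed by the 4-bit
    input) -> ANF coefficients. Coefficient m is 1 iff the monomial
    prod_{i in m} x_i appears in the polynomial."""
    a = list(truth_table)
    for i in range(4):
        for m in range(16):
            if m & (1 << i):
                a[m] ^= a[m ^ (1 << i)]
    return a


def sbox_anf(sbox):
    """One ANF per output bit of the S-box."""
    return [anf_coefficients([(sbox[x] >> bit) & 1 for x in range(16)])
            for bit in range(4)]


ANFS = sbox_anf(SBOX)


def sbox_bitsliced(x0, x1, x2, x3):
    """Apply the S-box to 64 nibbles at once. Only AND/XOR on words:
    no lookups, so the running time does not depend on the data."""
    xs = (x0, x1, x2, x3)
    outs = []
    for anf in ANFS:
        y = 0
        for m in range(16):
            if anf[m]:
                term = MASK            # the empty monomial is the constant 1
                for i in range(4):
                    if m & (1 << i):
                        term &= xs[i]  # AND in each variable of the monomial
                y ^= term
        outs.append(y & MASK)
    return tuple(outs)


def to_slices(nibbles):
    """Transpose up to 64 nibbles into 4 words (bit j of word i = bit i of nibble j)."""
    words = [0, 0, 0, 0]
    for j, n in enumerate(nibbles):
        for i in range(4):
            words[i] |= ((n >> i) & 1) << j
    return tuple(words)


def from_slices(words, count):
    """Inverse of to_slices."""
    return [sum(((words[i] >> j) & 1) << i for i in range(4)) for j in range(count)]


def sbox_bitsliced_nibbles(nibbles):
    """Convenience wrapper: S-box a list of at most 64 nibbles via the bitsliced path."""
    if len(nibbles) > WORD_BITS:
        raise ValueError("at most 64 nibbles per word")
    return from_slices(sbox_bitsliced(*to_slices(nibbles)), len(nibbles))


if __name__ == "__main__":
    sample = list(range(16)) * 4                      # constructed input: 64 nibbles
    assert sbox_bitsliced_nibbles(sample) == [SBOX[n] for n in sample]
    print("bitsliced result matches table lookup for all 64 lanes")
```

The monomial loop is deliberately unoptimised so the correspondence to the ANF is visible; a production bitsliced Serpent uses hand-minimised formulas of roughly 15 to 20 gates per S-box, but the property that matters for the security point in the text is the same: the instruction sequence is fixed and independent of both data and key.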

TWOFISH

Twofish is a 128-bit block cipher with key lengths of 128, 192 and 256 bits. It has no weak keys. Twofish is a slightly modified Feistel network with 16 rounds; apart from the reversed order of the round subkeys, there is a slight asymmetry between encryption and decryption [76,77].

Security v/s Speed Tradeoff

Twofish is a fairly complex algorithm that combines many different techniques. It is quite expensive to implement from scratch, especially if optimum performance is needed; the benefit is that the algorithm can be implemented in many different ways, so it can be optimised for a wide range of application scenarios. It is very fast across platforms. It is well suited to smart cards because of its low RAM and ROM requirements, and it supports on-the-fly subkey generation, with subkeys computable in any order. Niels Ferguson showed how an impossible-differential attack, first applied to DEAL by Knudsen, can be applied to Twofish. This attack breaks six rounds of the 256-bit key version using 2^256 steps (no faster than exhaustive search of the 256-bit key); it cannot be extended to seven or more Twofish rounds [78].

The designers conclude that the most efficient attack against Twofish is brute force: 2^128 work for a 128-bit key, 2^192 for a 192-bit key and 2^256 for a 256-bit key. On that basis they argue that the cipher has a good security margin.

ROUND 2

After a year of rigorous analysis of the 15 candidate algorithms, NIST in 1999 shortlisted the candidates to one third of the original number. Three ciphers were dropped because NIST did not accept their modified versions, and five weak ciphers were weeded out in Round 1: Magenta (broken in real time at the conference where it was presented), LOKI97 (differential cryptanalysis), FROG (differential cryptanalysis), DEAL (small flaw) and SAFER+ (small flaw). Based on the stated criteria of speed, security and simplicity, NIST selected five finalists for Round 2: MARS, RC6, Rijndael, Serpent and Twofish. No significant security vulnerabilities were found in these candidates during the Round 1 analysis. Most of them were expected to remain unbroken through the end of the AES process; the real concern was which ones would still be secure in 2030. Anything can be made more secure by adding complexity, but added complexity costs performance. The objective was a cipher that is secure, fast and simple. Each finalist had its own strengths:

MARS: complex, but fast on both 8-bit and 32-bit architectures.

RC6: simple and fast on both 8-bit and 32-bit architectures, but a low security margin.

Rijndael: simple, fast on both 8-bit and 32-bit architectures, and a good security margin.

Serpent: slow, but a huge security margin.

Twofish: fast, with a good security margin, but somewhat complicated.

The successful candidates were not perfect; all had serious problems on smart cards. The use of multiplication and data-dependent rotation makes MARS and RC6 vulnerable to timing attacks, and so is Twofish. A differential power analysis attack exposed far more serious problems: taking power samples of the whitening step from 100 independent block encryptions, a rogue smart-card implementation leaked all 128 bits of Twofish's key. This was not a peculiarity of Twofish; all the Round 1 AES candidates were equally vulnerable to power analysis. There are ways around such vulnerabilities, but they cost time and space, neither of which is in great supply on smart cards. So for smart cards, a special-purpose algorithm might be the better solution.
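The power-analysis attack on the whitening step described above, reproduced as a simulation (an added example, not code from the paper or from the cited smart-card study). The leakage model is an assumption made here: the card is taken to leak the Hamming weight of each byte of the whitened input (plaintext XOR whitening key) plus Gaussian noise. The 16-byte key, the 100 plaintexts and the traces are all constructed inside the block; no real cipher is run, because the whitening XOR is the only operation the attack needs.

```python
"""Simulated differential power analysis of input whitening (added example).

Assumed leakage model: each whitened byte p[i] ^ k[i] leaks its Hamming weight
plus Gaussian noise. The attacker sees plaintexts and traces, never the key,
and recovers each key byte by correlating predicted leakage with the samples.
"""
import random

KEY_BYTES = 16          # 128-bit whitening key, as in the Twofish case
N_TRACES = 100          # the number of encryptions quoted in the text
NOISE_SIGMA = 0.5       # assumed measurement noise (standard deviation)


def hamming_weight(v: int) -> int:
    return bin(v).count("1")


def make_traces(key: bytes, n_traces: int, rng: random.Random):
    """Simulated rogue smart card: one leakage sample per key byte per
    encryption, taken while the input whitening XOR executes."""
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))
        t = [hamming_weight(p[i] ^ key[i]) + rng.gauss(0, NOISE_SIGMA)
             for i in range(KEY_BYTES)]
        plaintexts.append(p)
        traces.append(t)
    return plaintexts, traces


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient (no numpy needed)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def recover_key(plaintexts, traces) -> bytes:
    """Correlation power analysis: for every byte position, try all 256 key
    guesses and keep the one whose predicted Hamming weights correlate best
    with the measured samples. Each byte is attacked independently, so the
    work is 16 * 256 correlations, not 2^128."""
    recovered = bytearray()
    for i in range(KEY_BYTES):
        samples = [t[i] for t in traces]
        best_guess = max(
            range(256),
            key=lambda g: pearson([hamming_weight(p[i] ^ g) for p in plaintexts], samples),
        )
        recovered.append(best_guess)
    return bytes(recovered)


def demo(seed: int = 2024):
    """Generate a random key and traces, run the attack, return (key, recovered)."""
    rng = random.Random(seed)   # seeded so the simulation is reproducible
    key = bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))
    plaintexts, traces = make_traces(key, N_TRACES, rng)
    return key, recover_key(plaintexts, traces)


if __name__ == "__main__":
    key, found = demo()
    print("true key     :", key.hex())
    print("recovered key:", found.hex())
    print("all 128 bits recovered:", key == found)
```

The attack works because the leakage depends on a value the attacker can predict from public data and a small key fragment. The countermeasures the text alludes to break that link, for example by XORing a fresh random mask into the state before whitening and tracking it through the cipher, which is exactly the extra RAM and extra operations that a smart card can ill afford.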

All five finalists offered adequate security, but Rijndael was selected for its consistently good performance and its flexibility. In October 2000, after considering the responses from the cryptographic community, NIST selected Rijndael (pronounced roughly "Rhine-doll") to be the AES. During 2001 NIST drafted and refined a Federal Information Processing Standard (FIPS) for AES; the official announcement that it was the new standard was made on December 4, 2001, effective May 26, 2002. From the September 1997 call for candidate algorithms [8] to the October 2000 selection took just over three years, and the standard itself took a further year.

CONCLUSIONS

This paper has described how DES was replaced by AES. All the participant algorithms of the process were reviewed from the speed v/s security perspective. Rijndael placed highest for overall performance at the final AES conference and became AES. It has been the symmetric encryption standard for the last 12 years and was expected to survive for 30. The last few years have seen some progress in the cryptanalysis of AES, but to date full-round AES remains secure.

REFERENCES

1. L. Smith, The Design of Lucifer, A Cryptographic Device for Data Communications, IBM Research Report RC3326, Yorktown Heights, New York, 1971.

2. A. Sorkin, Lucifer, A Cryptographic Algorithm, Cryptologia, 8, pp. 22–41, 1984; with addendum Cryptologia, 8, pp. 260–261, 1984.

3. National Bureau of Standards, Federal Information Processing Standards Publication 46-1, Data Encryption Standard (DES), National Bureau of Standards, January 22, 1988; superseded by Federal Information Processing Standards Publication 46-2, December 30, 1993, and reaffirmed as FIPS PUB 46-2, October 25, 1999.

4. E. Biham and A. Shamir, Differential Cryptanalysis of the Full 16-Round DES, Advances in Cryptology - CRYPTO '92 Proceedings, Springer-Verlag, 1993, pp. 487–496.

5. M. Matsui, The First Experimental Cryptanalysis of the Data Encryption Standard, Advances in Cryptology - CRYPTO '94 (Lecture Notes in Computer Science no. 839), Springer-Verlag, 1994, pp. 1–11.

6. Electronic Frontier Foundation, Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design, O'Reilly, July 1998, ISBN 1-56592-520-3.

7. Announcing Development of a Federal Information Processing Standard for Advanced Encryption Standard, Federal Register, Volume 62, Number 1, January 2, 1997, pp. 93–94.

8. Announcing Request for Candidate Algorithm Nominations for the Advanced Encryption Standard (AES), Federal Register, Volume 62, Number 177, September 12, 1997, pp. 48051–48058.

9. C. M. Adams, Simple and effective key scheduling for symmetric ciphers, Workshop Record of the Workshop on Selected Areas in Cryptography (SAC 94), May 5–6, 1994, pp. 129–133.

10. C. M. Adams, Designing DES-like ciphers with guaranteed resistance to differential and linear attacks, Workshop Record of the Workshop on Selected Areas in Cryptography (SAC 95), May 18–19, 1995, pp. 133–144.

11. C. M. Adams, The CAST-128 Encryption Algorithm, Request for Comments (RFC) 2144, Network Working Group, Internet Engineering Task Force, May 1997.

12. C. M. Adams, Constructing Symmetric Ciphers Using the CAST Design Procedure, Designs, Codes and Cryptography, Vol. 12, No. 3, November 1997, pp. 283–316, Kluwer Academic Publishers.

13. J. H. Moore and G. J. Simmons, Cycle structure of the DES with weak and semi-weak keys, Advances in Cryptology: Proc. of Crypto '86, Springer-Verlag, New York, 1987, pp. 9–32.

14. E. Biham, New types of cryptanalytic attacks using related keys, Advances in Cryptology: Proc. of Eurocrypt '93, Springer-Verlag, 1994, pp. 398–409.

15. S. Chari, C. Jutla, J. Rao, and P. Rohatgi, A cautionary note regarding evaluation of AES candidates on smart cards, The Second AES Conference, March 22–23, 1999, pp. 133–147.

16. C. H. Lim, CRYPTON: A New 128-bit Block Cipher, Proceedings of the First Advanced Encryption Standard Candidate Conference (Ventura, California), National Institute of Standards and Technology (NIST), August 1998.

17. C. H. Lim, Specification and Analysis of CRYPTON Version 1.0, Information and Communications Research Center, Future Systems, Inc., December 1998.

18. C. H. Lim, A revised version of CRYPTON Version 1.0, Fast Software Encryption Workshop, March 24–26, 1999, pp. 31–46.

19. J. Daemen, L. R. Knudsen, V. Rijmen, The block cipher SQUARE, Fast Software Encryption, Proc. Fourth International Workshop, LNCS 1267, Springer-Verlag, 1997, pp. 149–165.

20. M. Smid and E. Roback, Developing the Advanced Encryption Standard, Proceedings of the 1999 RSA Conference, January 1999.

21. B. Schneier et al., Performance Comparison of the AES Submissions, Proceedings of the Second Advanced Encryption Standard Candidate Conference (Rome, Italy), National Institute of Standards and Technology (NIST), March 1999.

22. C. S. K. Clapp, Instruction-level Parallelism in AES Candidates, Proceedings of the Second Advanced Encryption Standard Candidate Conference (Rome, Italy), National Institute of Standards and Technology (NIST), March 1999.

23. E. Biham, A Note on Comparing the AES Candidates, Proceedings of the Second Advanced Encryption Standard Candidate Conference (Rome, Italy), National Institute of Standards and Technology (NIST), March 1999.

24. Eunjong Hong, Jai-Hoon Chung, and Chae Hoon Lim, Hardware Design and Performance Estimation of the 128-bit Block Cipher CRYPTON, Information and Communications Research Center, Future Systems, Inc., Seoul, Korea; in Ç. K. Koç and C. Paar (Eds.), CHES '99, LNCS 1717, Springer-Verlag, 1999, pp. 49–60.

25. C. D'Halluin, G. Bijnens, V. Rijmen and B. Preneel, Attack on six rounds of CRYPTON, in Fast Software Encryption, FSE 1999, Lecture Notes in Computer Science 1636, L. R. Knudsen (ed.), Springer-Verlag, 1999, pp. 46–59.

26. J. Borst, Weak Keys of Crypton, Second AES Candidate Conference, rump session presentation, March 1999.

27. L. Knudsen, DEAL - A 128-bit Block Cipher, NIST AES Proposal, June 1998.

28. National Bureau of Standards, DES modes of operation, Federal Information Processing Standard (FIPS) Publication 81, National Bureau of Standards, U.S. Department of Commerce, Washington D.C., December 1980.

29. Lars R. Knudsen, DEAL - a 128-bit block cipher, Technical report 151, Department of Informatics, University of Bergen, Norway, February 1998.

30. Lars R. Knudsen, DEAL - a 128-bit block cipher, in AES Round 1 Technical Evaluation CD-1: Documentation, NIST, August 1998. See http://www.nist.gov/aes.

31. Eli Biham, Alex Biryukov, and Adi Shamir, Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials, in Jacques Stern (ed.), Advances in Cryptology - EUROCRYPT '99, volume 1592 of Lecture Notes in Computer Science, Springer-Verlag, 1999.

32. S. Lucks, On the Security of the 128-bit Block Cipher DEAL, Fast Software Encryption, Sixth International Workshop, Springer-Verlag, 1999.

33. R. S. Winternitz, Producing One-Way Hash Functions from DES, Advances in Cryptology: Proceedings of Crypto 83, Plenum Press, 1984, pp. 203–207.

34. H. Gilbert, M. Girault, P. Hoogvorst, F. Noilhan, T. Pornin, G. Poupard, J. Stern, S. Vaudenay, Decorrelated Fast Cipher: an AES Candidate, submitted to the Advanced Encryption Standard process, in CD-ROM AES CD-1: Documentation, National Institute of Standards and Technology (NIST), August 1998.

35. D. Coppersmith, DFC Weak Keys, Note to NIST AES Discussion Group, September 10, 1998.

36. D. Coppersmith, Re: DFC Weak Keys, Note to NIST AES Discussion Group, October 22, 1998.

37. M. Matsui, T. Tokita, Cryptanalysis of a Reduced Version of the Block Cipher E2, 6th International Workshop on Fast Software Encryption (FSE 1999), Rome, Springer-Verlag, pp. 71–80.

38. D. Georgoudis, D. Leroux, and B. S. Chaves, The FROG Encryption Algorithm, NIST AES Proposal, June 1998.

39. B. Schneier and D. Whiting, Fast Software Encryption: Designing Encryption Algorithms for Optimal Speed on the Intel Pentium Processor, Fast Software Encryption, 4th International Workshop Proceedings, Springer-Verlag, 1997, pp. 242–259.

40. D. Wagner, N. Ferguson, and B. Schneier, Cryptanalysis of FROG, Second AES Candidate Conference, March 1999.

41. D. Wagner, Equivalent keys for HPC, Second AES Candidate Conference, rump session presentation, March 1999.

42. Lawrence Brown, Josef Pieprzyk, Jennifer Seberry, LOKI - A Cryptographic Primitive for Authentication and Secrecy Applications, in Advances in Cryptology: Auscrypt '90, Lecture Notes in Computer Science, Vol. 453, Springer-Verlag, 1990, pp. 229–236.

43. Lawrence Brown, Matthew Kwan, Josef Pieprzyk, Jennifer Seberry, Improving Resistance to Differential Cryptanalysis and the Redesign of LOKI, in Advances in Cryptology - Asiacrypt '91, Lecture Notes in Computer Science, Vol. 739, Springer-Verlag, 1991, pp. 36–50.

44. L. Knudsen, Cryptanalysis of LOKI '91, Advances in Cryptology, AUSCRYPT '92 Proceedings, Springer-Verlag, 1993.

45. RSA Data Security Inc., Government encryption standard DES takes a fall, 1997.

46. V. Rijmen, L. R. Knudsen, Weaknesses in LOKI97, 1998, ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/loki97

47. M. J. Jacobson and K. Huber, The MAGENTA Block Cipher Algorithm, NIST AES Proposal, June 1998.

48. K. Huber and S. Wolter, Telekom's MAGENTA algorithm for en-/decryption in the gigabit/sec range, in ICASSP 1996 Conference Proceedings, volume 6, 1996, pp. 3233–3235.

49. E. Biham, A. Biryukov, N. Ferguson, L. Knudsen, B. Schneier, A. Shamir, Cryptanalysis of MAGENTA, http://www.counterpane.com/magenta.html, August 20, 1998.

50. C. Burwick, D. Coppersmith, E. D'Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas Jr., L. O'Connor, M. Peyravian, D. Safford and N. Zunic, MARS - A Candidate Cipher for AES, presented at the 1st AES Conference, CA, USA, August 1998.

51. F. Sano, M. Koike, S. Kawamura, and M. Shiba, Performance Evaluation of AES Finalists on the High-End Smart Card, presented at the 3rd AES Conference, NY, USA, April 2000.

52. E. Biham and V. Furman, Impossible Differential on 8-Round MARS' Core, presented at the 3rd AES Conference, NY, USA, April 2000.

53. J. Kelsey, T. Kohno, and B. Schneier, Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent, presented at the Fast Software Encryption Workshop, NY, USA, April 2000.

54. R. L. Rivest, The RC5 encryption algorithm, in B. Preneel (ed.), Fast Software Encryption, volume 1008 of Lecture Notes in Computer Science, Springer-Verlag, 1995, pp. 86–96.

55. H. M. Heys, Linearly weak keys of RC5, Electronics Letters, Vol. 33, 1997, pp. 836–838.

56. A. Biryukov and E. Kushilevitz, Improved cryptanalysis of RC5, in K. Nyberg (ed.), Advances in Cryptology - Eurocrypt '98, volume 1403 of Lecture Notes in Computer Science, Springer-Verlag, 1998, pp. 85–99.

57. B. S. Kaliski and Y. L. Yin, On differential and linear cryptanalysis of the RC5 encryption algorithm, in D. Coppersmith (ed.), Advances in Cryptology - Crypto '95, volume 963 of Lecture Notes in Computer Science, Springer-Verlag, 1995, pp. 171–184.

58. L. R. Knudsen and W. Meier, Improved differential attacks on RC5, in N. Koblitz (ed.), Advances in Cryptology - Crypto '96, volume 1109 of Lecture Notes in Computer Science, Springer-Verlag, 1996, pp. 216–228.

59. S. Moriai, K. Aoki, and K. Ohta, Key-dependency of linear probability of RC5, March 1996, to appear in IEICE Trans. Fundamentals.

60. J. Daemen and V. Rijmen, AES Proposal: Rijndael, AES algorithm submission, September 3, 1999.

61. Joan Daemen and Vincent Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer, 2002.

62. Hamid Mala, Mohammad Dakhilalian, Vincent Rijmen, and Mahmoud Modarres-Hashemi, Improved Impossible Differential Cryptanalysis of 7-Round AES-128, in INDOCRYPT '10, volume 6498 of Lecture Notes in Computer Science, Springer, 2010, pp. 282–291.

63. Henri Gilbert and Marine Minier, A Collision Attack on 7 Rounds of Rijndael, in AES Candidate Conference, 2000, pp. 230–241.

64. Niels Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, Michael Stay, David Wagner, and Doug Whiting, Improved cryptanalysis of Rijndael, in FSE '00, volume 1978 of Lecture Notes in Computer Science, Springer, 2000, pp. 213–230.

65. Orr Dunkelman, Nathan Keller, and Adi Shamir, Improved Single-Key Attacks on 8-Round AES-192 and AES-256, in ASIACRYPT '10, volume 6477 of Lecture Notes in Computer Science, Springer, 2010, pp. 158–176.

66. Alex Biryukov and Dmitry Khovratovich, Related-Key Cryptanalysis of the Full AES-192 and AES-256, in ASIACRYPT '09, volume 5912 of Lecture Notes in Computer Science, Springer, 2009, pp. 1–18.

67. Henri Gilbert and Thomas Peyrin, Super-Sbox cryptanalysis: Improved attacks for AES-like permutations, in FSE '10, volume 6147 of Lecture Notes in Computer Science, Springer, 2010, pp. 365–383.

68. James L. Massey, SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm, Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer, 1994, pp. 1–17.

69. James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard, 1st Advanced Encryption Standard Candidate Conference, CA, August 20–22, 1998, pp. 1–14.

70. James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER++ as Candidate Algorithm for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE), presented at the First Open NESSIE Workshop, November 2000.

71. R. J. Anderson, E. Biham, L. R. Knudsen, Serpent: A Proposal for the Advanced Encryption Standard, submitted to NIST as an AES candidate. A short version of the paper appeared at the AES conference, August 1998; both papers are available at http://www.cl.cam.ac.uk/~rja14/serpent.html

72. P. C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, in Advances in Cryptology - Crypto '96, Springer LNCS 1109, pp. 104–113.

73. A. J. Elbirt, W. Yip, B. Chetwynd, C. Paar, An FPGA-Based Performance Evaluation of the AES Block Cipher Candidate Algorithm Finalists, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, Vol. 9, No. 4, August 2001, pp. 545–557.

74. B. Weeks, M. Bean, T. Rozylowicz, C. Ficke, Hardware Performance Simulations of Round 2 Advanced Encryption Standard Algorithms, in Proceedings of the 3rd AES Candidate Conference, April 13–14, 2000.

75. R. J. Anderson, E. Biham, L. R. Knudsen, Serpent and Smartcards, in CARDIS 98, Springer-Verlag, 2000, pp. 257–264; also available at http://www.cl.cam.ac.uk/~rja14/serpent.html.

76. Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, Twofish: A 128-bit block cipher, in AES Round 1 Technical Evaluation CD-1: Documentation, NIST, August 1998. Available at http://www.nist.gov/aes.

77. Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, The Twofish Encryption Algorithm: A 128-Bit Block Cipher, Wiley, 1999.

78. Niels Ferguson, Impossible differentials in Twofish, Twofish Technical Report 5, Counterpane Systems, October 1999. See http://www.counterpane.com/twofish.html