REVIEW OF THE JOURNEY FROM DES TO AES
NEETA WADHWA, SYED ZEESHAN HUSSAIN & S. A. M RIZVI
Department of Computer Science, Jamia Millia Islamia, New Delhi, India
ABSTRACT
DES [Data Encryption Standard] was born in the mid 70s and died in the late 90s. A new secure and fast algorithm was
required to replace it, and it was replaced by AES [Advanced Encryption Algorithm] in 2001. This paper reviews the
whole process of replacing DES and finding AES. It presents a critical analysis of all 15 finalists of the first round
of the AES process. All the participant algorithms are analyzed from the speed versus security perspective.
KEYWORDS: AES, DES, Symmetric Ciphers, Symmetric Cryptography
INTRODUCTION
In 1972, the National Bureau of Standards (NBS), a part of the U.S. Department of Commerce, started a project to
develop standards for the protection of data stored in computers. Before this NBS call, cryptography had been largely the
concern of military and other government organizations only, so all the cryptographic algorithms used by national military
organizations were closely held secrets. NBS received many responses to the project, but did not receive any algorithms
that met the established criteria. NBS issued a second solicitation in the Federal Register (August 17, 1974). In response,
IBM submitted its encryption design LUCIFER, designed by Horst Feistel and his team. LUCIFER enciphered blocks of
128 bits, and it used a 128-bit key [block size and key size greater than DES]. NSA made some modifications to the original
design [1,2]. The NSA reduced the key size from 112 bits to 56 bits and made changes to the S-boxes, after which the
algorithm was subjected to nearly two years of public evaluation and comment. There was much criticism of the DES key
length and of its design criteria for the internal structure, particularly the S-boxes. The NSA was accused of changing the algorithm
to plant a 'back door' in it that would allow agents to decrypt any information without having to know the encryption key.
But these accusations proved unjustified, and no such back door has ever been found. The modified Lucifer algorithm was
adopted by NIST as a federal standard on November 23, 1976. Its name was changed to the Data Encryption Standard
(DES). Finally, the official description of the standard, FIPS PUB 46, Data Encryption Standard, was published on 15
January 1977. NIST also requested IBM to grant nonexclusive, royalty-free licenses to make, use, and sell devices that
implemented the algorithm. NBS recommended that the standard be issued with provisions for a review by NBS every
five years [3].
Eli Biham and Adi Shamir described differential cryptanalysis in detail in [4]. It is actually a chosen-plaintext
attack and requires 2^47 chosen plaintexts (possible theoretically only). This attack is based on the structure of the S-boxes.
Cryptologists believe that NIST was already aware of this attack in the 70s, which is why they designed the S-boxes to be non-linear and
did not even disclose the design principles of the S-boxes at that time; the design principles have since been disclosed and have
become an interesting area of research and study. If it happened to be a known-plaintext attack, 2^55 pairs of known
plaintext are required, which is possible theoretically only. Mitsuru Matsui invented linear cryptanalysis. This
cryptanalytic attack on DES is illustrated in [5]. He proved that with 2^43 known plaintext pairs the secret key can be
recovered, which is also not feasible practically. A software implementation of this attack recovered a DES key in 50 days
using 12 HP9000/735 workstations, which is the most effective attack so far [5]. DES was actually cracked by the
Electronic Frontier Foundation (EFF) in 1998, using a specially developed computer called the DES Cracker, which was
developed for under $250,000 and found the 56-bit DES key in 56 hours [6]. So due to the very small key length and the increasing
computational power of computers, DES was cracked, and 3DES was very slow. So there was an alarming need for a new
standard for encryption.
International Journal of Computer Science Engineering and Information Technology Research (IJCSEITR)
ISSN 2249-6831
Vol. 3, Issue 2, Jun 2013, 351-366
© TJPRC Pvt. Ltd.
AES PROCESS
On January 2, 1997, the National Institute of Standards and Technology (NIST) initiated the project of replacing
DES [7]. Government agencies, academics and vendors commented on the specifications and requirements for the new
algorithm, which would be called the Advanced Encryption Algorithm (AEA). On April 15, 1997, NIST organized a workshop
to discuss the comments received and to specify the request for candidate algorithms. Finally, on September 12, 1997,
NIST put out a formal call for the successor of DES [8].
The requirements for the new standard were: it should be a symmetric block cipher, should allow key sizes of 128,
192 and 256 bits and a block size of 128 bits, and should be highly portable, working on a variety of hardware platforms including the 8-bit
processors used in smart cards and the 32-bit processors used in most personal computers. The performance specification of an
algorithm should also be submitted.
For these criteria, the results of C and Java implementations had to be specified, and the most important criterion was
the cryptographic strength of an algorithm. Thus the two main considerations for the proposed AES were SPEED and
SECURITY.
ROUND 1
Cryptographers, security professionals, researchers and other academics submitted algorithms for consideration.
On June 15, 1998, twenty-one algorithms were submitted to NIST. NIST reviewed them and selected 15 candidate
algorithms which fulfilled the minimum requirements of the published specification. It did not perform any
cryptanalysis of the submitted algorithms. Thus this selection process had no cryptographic grounds. NIST just checked the
minimum eligibility criteria and the inclusion of all the required documents. Six incomplete submissions were rejected from
the competition.
On August 20-22, 1998, the First AES Candidate Conference (AES1) was held in Ventura, California. NIST
published the fifteen Round 1 AES candidates at the conference, and the inventors of the 15 algorithms gave presentations
to brief the structure, security and performance of the submitted algorithms.
Then all candidate algorithms were opened to the public for security versus speed analysis, and NIST announced
15 April 1999 as the last date for submitting comments on the candidates. Throughout the whole AES process NIST
encouraged cryptanalysts to crack/attack each of the methods. These 15 submissions of Round 1 showed a lot of
diversity. The candidates had varying strengths and weaknesses.
FIFTEEN ALGORITHMS
CAST
CAST-256 is a successor of CAST-128 [9]. It is a 'DES-like' SPN (Substitution-Permutation Network)
cryptosystem, because it uses a Feistel model like DES to implement Shannon's concept of an S-P network. CAST is a byte-oriented
Feistel cipher. Adams published some articles describing various components of the CAST design procedure [9-12].
Finally, in [12] he described CAST as a design procedure for designing secure symmetric encryption algorithms.
Security v/s Speed Tradeoff
The designer claimed in [13] that the CAST cipher family is very much immune to various cryptanalytic attacks like
differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis [14]. He also showed that this cipher family
has many desirable cryptographic properties such as avalanche, the Strict Avalanche Criterion (SAC) and the Bit Independence
Criterion. He also said that this family of ciphers has no weak and semi-weak keys, unlike DES. As CAST is a DES-like
cryptosystem, which was well understood at that time, it has been rigorously analyzed by various cryptographers. It has low resistance
against power-analysis attacks due to the use of variable rotations and additions/subtractions. It is simple to implement and
has medium speed on different platforms. But its hardware implementation is expensive: it requires a large ROM, which
makes it unsuitable for smart cards [15].
CRYPTON
CRYPTON [16-18] is an S-P network based on the SQUARE structure [19]. It uses the same routine for encryption
and decryption. It has 12 rounds and supports additional key sizes from 32 bits to 256 bits, and also supports a block size of 512
bits.
Security v/s Speed Tradeoff
The designer claimed that the speed of Crypton is double that of DES. The key-schedule time is different
for encryption and decryption: it is much faster for encryption than for decryption. It does not need much RAM [just 52
bytes in total (20 bytes for variables and 32 bytes for the user key)]. It also supports on-the-fly key generation. These features
make it suitable for smart cards. CRYPTON is pretty fast in both hardware and software. Its software implementation on a
200 MHz Pentium Pro showed about 40 Mbps, the best encryption and decryption speeds among the AES candidates [20].
Hardware implementations of CRYPTON are even more efficient than software implementations, because it was designed
from the beginning with hardware implementations in mind. CRYPTON is considered the most hardware-friendly AES
candidate in a few studies [21-23]. Hong et al. analyzed the hardware implementation of Crypton and also studied the
properties of its S-boxes. They showed that it can encrypt at a speed of 1.6 Gbit/s using a moderate area of 30,000 gates and
even achieve a speed of 2.6 Gbit/s with less than 100,000 gates. The 2.6 Gbps speed is faster than the fastest commercially
available Triple-DES chip. This is enough speed to support gigabit networks. Since CRYPTON has good
scalability in gate count, a designer can select a proper speed-area tradeoff from the large set of choices [24].
As far as the security parameter is concerned, the designer claimed it to be resistant to all known cryptanalytic attacks so
far and invited more analysis from the cryptography world. This cipher is immune against side channel cryptanalysis like
the timing attack, as each processing step of the cipher involves the same kind of operations down to byte level. The SQUARE
attack, a special cryptanalytic technique for SQUARE-based ciphers, can be applied to the 6-round version of CRYPTON [25].
This cipher also has weak keys, which makes it vulnerable to some attacks. Borst in [26] proved that
CRYPTON has a class of 2^32 weak 256-bit keys. So Crypton with a key length of 256 bits has to be used carefully. He also
suggested incorporating some nonlinearity in the key schedule algorithm, as has been done in Rijndael, which is
also based on the same SQUARE model. Rijndael went on to win the AES competition and became the new standard AES, the
successor of DES.
DEAL [Digital Encryption Algorithm with Larger Blocks]
The DEAL cipher is based on the Feistel structure and even uses DES itself as its round function [27]. It encrypts a 128-bit data block
with three variant key sizes: DEAL-128 (6 rounds), DEAL-192 (6 rounds) and DEAL-256 (8 rounds). All versions work
well in all four modes (ECB, CBC, CFB, OFB) defined for DES [28]. It is also the most readily available and
implementable candidate, as DES source code is already available.
Security v/s Speed Tradeoff
Due to the large key and block sizes, exhaustive key search and the matching ciphertext attack are infeasible. In
[29,30] Lars Knudsen used a 5-round impossible differential to attack DEAL. Eli Biham, Alex Biryukov, and Adi Shamir
gave the technique the name 'impossible differential', and applied it with great success to Skipjack [31]. An attack was
described on DEAL-192 in [32]. It requires 2^33 chosen plaintexts, and work equivalent to about 6 x 2^189 DES encryptions
(about 2^189 DEAL encryptions). Thus this attack is not feasible in a practical environment. In [30], a number of impractical
attacks on DEAL-192 are discussed. There is a straightforward meet-in-the-middle attack on DEAL-192 requiring about
2^168 work and 2^173 bytes of memory, requiring only three known plaintexts.
The memory requirements are totally unreasonable, and trading off time for memory does not yield an attack with
reasonable memory requirements and less work than brute-forcing the key. The slow key schedule of DEAL makes it a
poor choice for hashing applications. The presence of equivalent or related keys makes the cipher unusable as a hash
function [33]. The speed of DEAL is comparable to 3DES. This implies that DEAL is as slow as 3DES.
DFC [Decorrelated Fast Cipher]
DFC is a Feistel network with 8 rounds [34]. It supports varying key sizes up to 256 bits. Decryption is identical to
encryption except for the order of the round keys. The designers claimed that DFC is faster than DES. DFC is based on 64-bit
arithmetic. All operations of the round function, like addition and multiplication, are done with reduction modulo 2^64.
Security v/s Speed Tradeoff
It is very fast on 64-bit architectures but quite slow on 32-bit machines. It is also not suitable for smart cards, since
it does not port well to 8-bit platforms. As it uses multiplications and additions, it is not immune to side channel
cryptanalysis like timing and power analysis attacks. Its key schedule has two weaknesses:
First, Coppersmith [35,36] figured out that if the internal round key RK2 happens to be zero (which holds with
probability 2^-128), then the key schedule becomes symmetrical, which makes the whole encryption scheme the
identity function, meaning plaintext and ciphertext would be identical.
Second, the first round key, RK1, depends on only half of the secret key, which may lead to an exhaustive key
search attack on the first round key.
E2 [EFFICIENT ENCRYPTION]
E2 is a Feistel network with 12 rounds. It is a 128-bit symmetric block cipher with 3 different key sizes: E2-128,
E2-192 and E2-256.
Security v/s Speed Tradeoff
It needs a large amount of ROM. The designers claimed it to be platform friendly, as its S-box can be efficiently implemented
on all platforms: 8-bit, 32-bit as well as 64-bit. It has medium speed across different platforms, but it is faster than DES.
The designers showed in their presentation that on a 32-bit CPU its C implementation performs encryption at a speed of
36 Mbits/sec, whereas on the same configuration DES performs at 10.6 Mbits/sec. But the on-the-fly subkey generation feature
was absent, which rules out its implementation on many low-end smart cards. E2 was resistant to all the known attacks of that time, like
differential cryptanalysis, linear cryptanalysis, the higher order differential attack, the interpolation attack and partitioning
cryptanalysis, since its S-box was designed with no vulnerabilities. The designers also claimed that nine rounds of E2
would provide enough security against differential and linear attacks. Matsui and Tokita did a truncated differential attack
on lower-round versions (up to 8 rounds) of E2. Their analysis is based on byte characteristics, where the difference of two
bytes is simply encoded into one bit of information: "0" (the same) or "1" (not the same). Since E2 is a strongly byte-oriented
algorithm, this bytewise treatment of characteristics greatly simplifies the description of its probabilistic behavior. They
themselves admit that their analysis does not have a serious impact on the full E2 (12 rounds with initial and final
transformation) [37]. Thus E2 is a secure, fast and flexible cipher.
FROG
FROG is an 8-round substitution-permutation network [38]. It is quite flexible, as it can encrypt blocks of any size
between 8 and 128 bytes and has a key of any size between 5 and 125 bytes. FROG uses only byte-level XORs and byte-level
substitutions.
Security v/s Speed Tradeoff
It is slower than DES (at 43 clocks/byte) but faster than triple-DES (at about 120 clocks/byte), though much slower
than some other modern ciphers such as Blowfish, Square, and RC5, which operate at 20-25 clocks/byte [39]. It is easy to
implement, but its key schedule is very complex and therefore very slow, so it has overall slow speed across different
platforms. But once the internal key is set up, the encryption and decryption processes of FROG are extremely simple. It
also needs a large amount of RAM (2304 bytes for a 128-bit block). So it is not suitable for smart card implementations.
Wagner et al. cryptanalyzed FROG. They performed a differential attack that uses about 2^58 chosen plaintexts and very little
time for the analysis. Then they performed a linear attack which uses 2^56 known texts. The linear attack can also be converted
to a ciphertext-only attack using 2^64 known ciphertexts. Also, the decryption function of FROG is considerably weaker than the
encryption function [40]. Its decryption function was about twice as slow as encryption, the key schedule was slow, and there
was a feasible attack as given above. Due to these factors, FROG turned out not to be a realistic AES candidate.
HPC [Hasty Pudding Cipher]
Its designer, Rich Schroeppel, called HPC an "omni-cipher" because it is flexible enough to handle a variable spice
size, any key size, and especially, any block size.
Security v/s Speed Tradeoff
HPC-128 is relatively easy to implement, since C source code fragments are provided in the specification. The
key schedule appears very costly compared to the encryption and decryption routines. Wagner proved the presence of
equivalent keys in HPC [41]. The designer also said that the algorithm is "forward-looking" in that it runs best on 64-bit
architectures. But the fact is that this feature makes it unsuited to 8-bit or 32-bit platforms. So it is not suitable for
smart card implementation. As NIST was looking for a general purpose, fast and secure cipher, ciphers which are not
suitable for smart card implementation could not be the general purpose cipher.
LOKI97
LOKI97 is a 128-bit block cipher based on the earlier LOKI89 [42] and LOKI91 [43]. It has a traditional Feistel S-P design. It has
16 rounds and a 256-bit key schedule which can be initialized using 128-, 192- or 256-bit keys. LOKI89 was a 64-bit cipher;
its full version is secure, but Biham and Shamir presented an attack on its reduced version. Thus it was modified to
LOKI91. LOKI91 was considered secure against known attacks such as differential and linear cryptanalysis [44], but its
effective key size (2^60) was not adequate after the brute force attacks on 56-bit key spaces in [45]. So it was redesigned as
LOKI97 for submission to the AES process.
Security v/s Speed Tradeoff
LOKI97 was broken in 1998 by Vincent Rijmen and L. R. Knudsen. They performed differential cryptanalysis
successfully with 2^56 chosen plaintexts. They found two weaknesses in LOKI97: first, its F-function is imbalanced, and
second, it has a two-round iterative characteristic with probability 2^-8 [46]. The designer even suggested some modifications to
deal with this attack while presenting the cipher at the AES presentation organized by NIST.
MAGENTA [Multifunctional Algorithm for General Purpose Encryption and Network Telecommunication Applications]
MAGENTA was designed in 1990 and published in 1996. The basic design principles of MAGENTA are explained
in an unpublished paper. It has a block size of 128 bits and key sizes of 128, 192 and 256 bits. It is a Feistel cipher with six
or eight rounds [47].
Security v/s Speed Tradeoff
The basic data unit is the 8-bit byte, so MAGENTA is very much suitable for small smart-card processors [48]. The
algorithm can be optimized for small storage space. Due to the convenient data format, the small storage space necessary,
and the fast encryption speed, the algorithm is also very suitable for applications in ATM, HDTV, B-ISDN, voice and
satellite applications. MAGENTA is also suitable for use as a pseudo-random number generator. But some of the algebraic
properties of MAGENTA simplify the construction of collisions. That makes MAGENTA unsuitable as a hash
function or MAC generator. The cipher has some weak keys, and during a presentation at the AES conference Biham and
Shamir mounted attacks on MAGENTA based on the symmetry of the subkeys [49].
MARS
MARS encrypts a block size of 128 bits with a variable key size, ranging from 128 to over 400 bits. It is an extended
Feistel cipher with 32 modified Feistel rounds. It supports key sizes much higher than 256 bits (theoretically up to 1248
bits, but some equivalent keys emerge at the boundary) [50]. Decryption is not identical to encryption.
Security v/s Speed Tradeoff
The designers claimed that MARS offers high resistance to known attacks, better than triple DES, and runs faster than
single DES in some implementations. It had good performance on 32-bit platforms and excellent performance on platforms
providing strong support for 32-bit variable rotations and multiplications. But it is not resistant to timing and power
analysis attacks, due to the use of multiplications, variable rotations, and additions. During the analysis phase some
misconceptions were rumored that were cleared up by the designers.
For example, at AES Conference 3 one presentation [52] claimed that MARS requires 512 bytes of RAM for key storage.
The designers proved it wrong by stating that the original MARS design included expanded keys that took 160 bytes to store,
but that an accepted "tweak" to the MARS key setup makes it possible to store only 40 bytes of expanded keys at a time.
Even the smallest smart cards can support MARS in this mode. Biham and Furman [52] and Kelsey et al. [53]
show more efficient ways of distinguishing 8 to 8½ rounds of the MARS core from a random permutation (and then
guessing the keys in subsequent rounds to get an attack against 10-11 core rounds).
RC6
RC6 is based on RC5 [54]. Modifications were made to RC5 to meet the AES requirements, to increase security,
and to improve performance. Its key size, block size and number of rounds are fully parameterized, defined by the RC6-w/r/b
parameters. It also uses variable rotations and multiplications. It is fast on 32-bit platforms, and also has fast key setup.
It supports key sizes much higher than 256 bits (theoretically up to 1248 bits, but some equivalent keys emerge at the
boundary).
Security v/s Speed Tradeoff
RC6 is the fastest algorithm among all the candidates. Since RC5 was proposed in 1995, various studies [55-57]
have provided a greater understanding of how RC5's structure and operations contribute to its security. While no practical
attack on RC5 has been found, the studies provide some interesting theoretical attacks, generally based on the fact that the
rotation amounts in RC5 do not depend on all of the bits in a register. RC6 was designed to thwart such attacks, and indeed
to thwart all known attacks, providing a cipher that can offer the security required for the lifespan of the AES.
On an 8-bit processor (an Intel MCS51 with a 1 MHz clock), RC6 encrypts/decrypts at 9.2
Kbits/second (13535 cycles/block). Its key setup takes 27 milliseconds, and only 176 bytes are needed for the table of round keys. It
fits well on a smart card (< 256 bytes RAM) [58]. It has no known weaknesses in the key schedule, meaning no weak keys,
and so is resistant to related-key attacks [59]. RC6 meets the speed, security and simplicity criteria of AES, and so was one of the
qualifiers for the second round.
Rijndael
It was invented by two Belgian inventors, Joan Daemen and Vincent Rijmen [60, 61]. It is a byte-oriented, iterated
block cipher based on the SP (substitution-permutation) network model structure given by Claude Shannon. It is a
successor of the SQUARE cipher. Rijndael is defined as a block cipher with key lengths of 128, 192 or 256 bits and
possible input block lengths of 128, 192 or 256 bits. Any of the 9 combinations of block length and key length is possible for
the Rijndael algorithm. The AES algorithm is exactly the same as the Rijndael algorithm, but it only defines one block
length of 128 bits with variable key lengths of 128, 192 or 256 bits. It became the winner and the new standard, AES.
Security v/s Speed Tradeoff
Rijndael is consistently a very good performer in both hardware and software across a wide range of computing
environments. Its key setup time is excellent, and its key agility is good. Rijndael's very low memory requirements make it
very well suited for restricted-space environments like smart cards.
Rijndael is resistant to brute force attacks. AES was designed to be resistant against the main cryptanalytic attacks
like differential and linear cryptanalysis. Impossible differential cryptanalysis yielded the first attack on 7-round
AES-128 with non-marginal data complexity [62]. Since its birth, many papers have been published on the cryptanalysis
of AES over the last decade and a half. In 2000, single-key attacks were introduced on round-reduced AES variants
[63,64]. The number of cryptanalyzed rounds is 7 for AES-128 and 8 for AES-192 and AES-256. Then in 2010 these
attacks were improved a little by achieving a slightly lower computational complexity of the key recovery [62,65], but the
number of cryptanalyzed rounds remained the same. Another attack on the AES algorithm was the Square attack, which was
successful in breaking Rijndael's predecessor, a block cipher called Square [66]. The Square attack exploits the byte-oriented
structure of the algorithm to extract information about the cipher key. However, with the current number of rounds
for each possible key length, the Square attack does not seem to threaten the security of AES unless we are able to reach the
level of power necessary to break the Rijndael cipher. Recently, in [65], the first attack on 8-round AES-192 with non-marginal
data complexity has appeared. So the last twelve years saw some progress in the cryptanalysis of AES. To date, full-round
AES is secure. It is almost as secure as it was 10 years ago in the strongest and most practical model with a single
secret key. In other models, related-key cryptanalysis was applied to the full versions of AES-192 and AES-256
[66] and the rebound attack demonstrated a non-random property in 8-round AES-128 [67], but none of these techniques
can affect the security of the most practical single-secret-key model.
SAFER+ [SECURE AND FAST ENCRYPTION ROUTINE]
SAFER+ is a substitution/linear-transformation cipher based on the SAFER (Secure And Fast Encryption
Routine) family of ciphers: SAFER K-64, SAFER K-128, SAFER SK-64, SAFER SK-128, and SAFER SK-40. It is a 64-bit
symmetric cipher, and the key length is 40, 64 or 128 bits, as indicated in the name of the cipher. It has different
encryption and decryption routines. For a key length of 128 bits, 8 rounds are used; for 192 bits, 12 rounds; and for a 256-bit
key, 16 rounds are used [68].
Security v/s Speed Tradeoff
SAFER+ with six or more rounds (but not fewer) is secure against differential cryptanalysis. For a desirable
margin of safety, the designers chose 8 rounds for SAFER+ with the 128-bit key schedule. These 8 rounds of SAFER+
(with a 128-bit key) provide an enormous margin of safety against an attack by linear cryptanalysis [69].
Its C implementation encrypts at a rate of 9-18 Mbits/sec, with 15 to 50 microseconds to run the key schedule.
SAFER++ is undoubtedly more secure than SAFER+. In the year 2000, SAFER++ was submitted to the NESSIE project in two
versions, one with 64 bits and the other with 128 bits [70]. It is a byte-oriented algorithm that does not take full advantage
of the 32-bit operations available on the Pentium II, but it is well-suited to smart cards due to low RAM and ROM
requirements. It also supports on-the-fly subkey generation, with subkeys computable in any order. It is slow across
platforms.
SERPENT
Serpent is a substitution-linear transformation network. Serpent encrypts a 128-bit data block to a 128-bit
ciphertext block in 32 rounds under the control of 33 128-bit subkeys K0, ..., K32 [71]. The user key length is variable,
but for the AES submission the designers fixed it at 128, 192 or 256 bits. Short keys with less than 256 bits are
mapped to full-length keys of 256 bits by appending one bit to the MSB end, followed by as many 0 bits as required to
make up 256 bits. This mapping is designed to map every short key to a full-length key, with no two short keys being
equivalent.
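The short-key mapping described above, written out as an added example (not code from the paper or from the Serpent reference implementation). It models a key as a Python integer with an explicit bit length, and the assumption that the "MSB end" is the high end of that integer is made here for illustration; it also includes the inverse mapping and an exhaustive check of the "no two short keys are equivalent" property over small key lengths.

```python
"""Serpent-style expansion of short user keys to 256 bits.

Added example, not the paper's or the Serpent project's code. A key is
modelled as a non-negative integer plus its declared bit length; the
convention that the key's most significant bit is its highest integer
bit is an assumption made for this illustration.
"""

FULL_KEY_BITS = 256


def pad_serpent_key(key: int, key_bits: int) -> int:
    """Map a key of key_bits bits to a 256-bit key.

    A key shorter than 256 bits gets a single 1 bit appended at its MSB
    end, followed by as many 0 bits as needed to reach 256 bits. A
    full-length 256-bit key is returned unchanged.
    """
    if not 0 < key_bits <= FULL_KEY_BITS:
        raise ValueError("key length must be between 1 and 256 bits")
    if key < 0 or key >> key_bits:
        raise ValueError("key value does not fit in key_bits bits")
    if key_bits == FULL_KEY_BITS:
        return key
    # The marker 1 bit sits just above the key's MSB; the zero bits
    # above it are implicit in the integer representation.
    return key | (1 << key_bits)


def unpad_serpent_key(full_key: int) -> tuple[int, int]:
    """Recover (key, key_bits) from a key padded by pad_serpent_key.

    The highest set bit is the marker; everything below it is the
    original short key. A genuine 256-bit key carries no marker and
    cannot be told apart from a padded one by inspection, so callers
    must only use this on keys known to have been padded.
    """
    if full_key <= 0:
        raise ValueError("padded key must have the marker bit set")
    key_bits = full_key.bit_length() - 1
    return full_key & ((1 << key_bits) - 1), key_bits


def padding_is_injective(max_bits: int) -> bool:
    """Exhaustively check that no two distinct short keys of 1..max_bits
    bits map to the same padded key. Small max_bits keeps this quick;
    the property holds because the marker position encodes key_bits."""
    seen = {}
    for bits in range(1, max_bits + 1):
        for key in range(1 << bits):
            padded = pad_serpent_key(key, bits)
            if padded in seen and seen[padded] != (key, bits):
                return False
            seen[padded] = (key, bits)
    return True


if __name__ == "__main__":
    # Constructed sample: a 128-bit all-zero key becomes 2**128, i.e. a
    # lone marker bit in position 128 and zeros everywhere else.
    k = pad_serpent_key(0, 128)
    print(hex(k), k.bit_length())
    print(unpad_serpent_key(k))
    print(padding_is_injective(8))
```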
Security v/s Speed Tradeoff
The number of instructions used to encrypt or decrypt does not depend on either the data or the key, so timing
attacks [72] are not applicable. The designers also described how "bitslicing" could be used to implement the algorithm
efficiently and to compute the S-boxes in parallel, so that it runs as fast as DES. Serpent is the best of the AES finalists in
hardware, even with the full 32 rounds. An independent team produced implementations for the Xilinx XCV1000 FPGA of
RC6, Rijndael, Serpent and Twofish. Serpent was the only finalist for which a fully pipelined implementation could be
fitted into a single chip. Serpent was also by far the fastest, achieving a throughput of 5.04 Gbit/sec, versus 2.40 Gbit/sec
for RC6, 1.94 Gbit/sec for Rijndael and 1.71 Gbit/sec for Twofish [73]. An NSA study of ASIC costs predicts 8.03
Gbit/sec for Serpent versus 5.163 for Rijndael, 2.171 for RC6 and 1.445 for Twofish [74]. It is also well-suited to smart
cards due to low RAM and ROM requirements [75].
TWOFISH
Twofish is a 128-bit block cipher, with key lengths of 128 bits, 192 bits and 256 bits. It has no weak keys.
Twofish is a slightly modified Feistel network with 16 rounds and has a slight asymmetry between encryption and
decryption besides the order of the round subkeys [76,77].
Security v/s Speed Tradeoff
Twofish is a quite complex algorithm that combines many different techniques. It is quite expensive to implement
from scratch, especially so if optimum performance is needed. The resulting benefit is that the algorithm can be
implemented in many different ways, which allows it to be optimised for a wide range of application scenarios. It is very fast
across platforms. It is well-suited to smart cards due to low RAM and ROM requirements. It also supports on-the-fly
subkey generation, with subkeys computable in any order. Niels Ferguson showed how an impossible-differential attack,
first applied to DEAL by Knudsen, can be applied to Twofish. This attack breaks six rounds of the 256-bit key version
using 2^256 steps; it cannot be extended to seven or more Twofish rounds [78].
The designers summarize that the most efficient attack against Twofish is the brute force attack, as for a 128-bit key it
needs 2^128 complexity, for a 192-bit key it requires 2^192 complexity, and for a 256-bit key the complexity is 2^256. From these
results, the designers succeeded in showing that the cipher has a good security margin.
ROUND 2
After one year of rigorous analysis and research on the 15 candidate algorithms, NIST in 1999 shortlisted the
AES candidates to only one third of the original number. The 3 ciphers were rejected because NIST did not accept
their modified versions, and the other 5 weak ciphers were also weeded out in Round 1. They were: Magenta (broken in
real time at the conference where it was presented), LOKI97 (differential cryptanalysis), Frog (differential cryptanalysis),
DEAL (small flaw) and SAFER+ (small flaw). Based on how well they met the specified criteria of speed, security and
simplicity, NIST selected five finalists for AES Round 2: MARS, RC6, Rijndael, Serpent and Twofish. No
significant security vulnerabilities were found in these candidates during the Round 1 analysis. Most submissions would
remain unbroken until the end of the AES process, but the real concern was: which ones would still be secure in 2030? Anything
can be made more secure by adding complexity, but added complexity has the drawback of reduced
performance. The objective was to find a secure, fast and simple cipher. Each finalist had its own strengths:
MARS: Complex, but fast on both 8-bit and 32-bit architectures.
RC6: Simple and fast on both 8-bit and 32-bit architectures, but low security margin.
Rijndael: Simple, fast on both 8-bit and 32-bit architectures, and good security margin.
Serpent: Slow, but huge security margin.
Twofish: Fast, good security margin, but a bit complicated.
The successful candidates were not perfect. All had serious problems on smart cards. The use of multiplication and
rotation makes MARS and RC6 vulnerable to timing attacks, and so is Twofish. But a differential power analysis attack
exhibited far more serious problems. Taking power samples of the whitening process from 100 independent block
encryptions, a rogue smart-card implementation leaked all 128 bits of Twofish's key. This was not due to a peculiarity of
Twofish: all the Round 1 AES candidates were equally vulnerable to power analysis attacks. There were ways around
such vulnerabilities, but they come at a cost in time and space, neither of which is in great supply on smart cards. So for
smart cards, a special-purpose algorithm might be the better solution.
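The whitening-step leakage described above, simulated as an added example that is not code from the paper or from the Twofish team: a Hamming-weight power model for an XOR input-whitening step, a first-order correlation analysis that recovers the 16 whitening-key bytes from 100 simulated traces, and a Boolean-masking countermeasure that removes the first-order correlation (the kind of fix that costs the time and space the text mentions). The leakage model, the function names and the sample inputs are assumptions constructed for this example.

```python
import random

# Hamming weight of every byte value: the standard model for what a power
# trace reveals about a value moving over the card's data bus (assumption).
HW = [bin(v).count("1") for v in range(256)]


def pearson(xs, ys):
    """Pearson correlation of two equal-length sequences (0.0 if constant)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


def whitening_trace(pt, key, rng, masked):
    """Simulated per-byte leakage of the input whitening pt ^ key.
    Unmasked: the card handles pt ^ key directly, so HW(pt ^ key) leaks.
    Masked: a fresh random mask m is XORed in first, so only
    HW(pt ^ key ^ m) leaks, which is independent of pt."""
    trace = []
    for p, k in zip(pt, key):
        m = rng.randrange(256) if masked else 0
        trace.append(HW[p ^ k ^ m])
    return trace


def recover_whitening_key(plaintexts, traces):
    """First-order correlation analysis: for each key byte pick the guess
    whose predicted HW(pt ^ guess) best matches the observed samples.
    Returns (recovered key bytes, best correlation per byte)."""
    key, confidences = [], []
    for i in range(16):
        samples = [t[i] for t in traces]
        best_guess, best_corr = 0, -1.0
        for guess in range(256):
            predicted = [HW[pt[i] ^ guess] for pt in plaintexts]
            c = pearson(predicted, samples)
            if c > best_corr:
                best_guess, best_corr = guess, c
        key.append(best_guess)
        confidences.append(best_corr)
    return bytes(key), confidences


def simulate(key, masked, n_traces=100, seed=7):
    """Run n_traces encryptions with constructed random plaintexts on the
    simulated card and try to recover the whitening key from the traces."""
    rng = random.Random(seed)
    plaintexts = [bytes(rng.randrange(256) for _ in range(16)) for _ in range(n_traces)]
    traces = [whitening_trace(pt, key, rng, masked) for pt in plaintexts]
    return recover_whitening_key(plaintexts, traces)
```

With the unmasked model the correct byte correlates perfectly (1.0) after 100 traces, while with a fresh mask per encryption no guess stands out, which is what the masking countermeasure buys at the cost of an extra random byte and XOR per key byte.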
All 5 finalists offered adequate security, but Rijndael was selected because of its consistently good
performance and its flexibility. In October 2000, after considering the response from the cryptographic community, NIST selected
Rijndael (pronounced "Rhine-doll") to be the AES. In 2001, NIST drafted and refined a Federal Information Processing
Standard (FIPS) for AES, and the official announcement that it was the new standard was made on Dec. 4, 2001 (to be
effective March 26, 2002). It took more than 3 years to go from a proposal to a standard called AES.
CONCLUSIONS
This paper describes how DES was replaced by AES. All the participant algorithms of the process are reviewed
from the speed versus security perspective. Rijndael placed at the highest level for overall performance in the final AES
conference and became AES. It has been the secure symmetric encryption standard for the last 12 years and was expected
to survive for 30 years. The last few years have seen some progress in the cryptanalysis of AES, but to date full-round
AES remains secure.
REFERENCES
1. L. Smith, The Design of Lucifer, A Cryptographic Device for Data Communications, IBM Research Report
RC3326, Yorktown Heights, New York, 1971.
2. A. Sorkin, Lucifer, A Cryptographic Algorithm, Cryptologia, 8, pp. 22–41, 1984; with addendum Cryptologia,
84, 260–261, 1984.
3. National Bureau of Standards, Federal Information Processing Standards Publication 46-1, Data Encryption
Standard (DES), National Bureau of Standards, January 22, 1988; superseded by Federal Information Processing
Standards Publication 46-2, December 30, 1993, and reaffirmed as FIPS PUB 46-2, October 25, 1999.
4. E. Biham and A. Shamir, "Differential Cryptanalysis of the Full 16-Round DES," Advances in Cryptology-
CRYPTO '92 Proceedings,Springer-Verlag, 1993, pp. 487- 496.
5. M. Matsui, The First Experimental Cryptanalysis of the Data Encryption Standard, Advances in Cryptology -
CRYPTO '94 (Lecture Notes in Computer Science no. 839), Springer-Verlag, pp. 1-11, 1994.
6. Electronic Frontier Foundation, Cracking DES - Secrets of Encryption Research, Wiretap Politics & Chip Design,
O'Reilly (July 1998) ISBN 1-56592-520-3.
7. Announcing Development of a Federal Information Processing Standard for Advanced Encryption Standard,
Federal Register, Volume 62, Number 1, January 2, 1997, pp. 93-94.
8. Announcing Request for Candidate Algorithm Nominations for the Advanced Encryption Standard (AES),
Federal Register, Volume 62, Number 177, September 12, 1997. pp. 48051-48058.
9. C. M. Adams, Simple and effective key scheduling for symmetric ciphers,Workshop Record of the Workshop on
Selected Areas in Cryptography (SAC 94), May 5–6 (1994) pp. 129–133.
10. C. M. Adams, Designing DES-like ciphers with guaranteed resistance to differential and linear attacks, Workshop
Record of the Workshop on Selected Areas in Cryptography (SAC 95), May 18–19 (1995) pp. 133–144.
11. C.M.Adams, The CAST-128 Encryption Algorithm, Request for Comments (RFC) 2144, Network Working
Group, Internet Engineering Task Force, May, 1997.
12. C.M.Adams, Constructing Symmetric Ciphers Using the CAST Design Procedure, Designs, Codes and
Cryptography, Vol.12, No.3, Nov., pp.283-316, Kluwer Academic Publishers, 1997.
13. J. H. Moore and G. J. Simmons, Cycle structure of the DES with weak and semi-weak keys, Advances in
Cryptology: Proc. of Crypto '86, Springer-Verlag, New York (1987) pp. 9–32.
14. E. Biham, New types of cryptanalytic attacks using related keys, Advances in Cryptology: Proc. of Eurocrypt '93,
Springer-Verlag (1994) pp. 398–409.
15. S. Chari, C. Jutla, J. Rao, and R. Rohatgi, A cautionary note regarding evaluation of AES candidates on smart
cards, The Second AES Conference, March 22-23, 1999, pp 133-147.
16. C.H. Lim, CRYPTON: A New 128-bit Block Cipher, Proceedings of the First Advanced Encryption Standard
Candidate Conference, (Ventura, California), National Institute of Standards and Technology (NIST), August
1998.
17. C.H. Lim, Specification and Analysis of CRYPTON Version 1.0, Information and Communications Research
Center, Future Systems, Inc., December 1998.
18. C. Lim, A revised version of CRYPTON Version 1.0, Fast Software Encryption Workshop, March 24-26, 1999,
pp. 31-46.
19. J.Daemen, L.R. Knudsen, V. Rijmen, The block cipher SQUARE, Fast Software Encryption, Proc. Fourth
International Workshop, LNCS 1267. Springer Verlag, 1997, pp.149-165.
20. M. Smid and E. Roback, Developing the Advanced Encryption Standard, Proceedings of the 1999
RSA Conference, January 1999.
21. B. Schneier, et al., Performance Comparison of the AES Submissions, Proceedings of the Second Advanced
Encryption Standard Candidate Conference, (Rome, Italy), National Institute of Standards and Technology
(NIST), March 1999.
22. C.S.K. Clapp, Instruction-level Parallelism in AES Candidates, Proceedings of the Second Advanced Encryption
Standard Candidate Conference, (Rome, Italy), National Institute of Standards and Technology (NIST), March
1999.
23. E. Biham, A Note on Comparing the AES Candidates, Proceedings of the Second Advanced Encryption Standard
Candidate Conference, (Rome, Italy), National Institute of Standards and Technology (NIST), March 1999.
24. Eunjong Hong, Jai-Hoon Chung, and Chae Hoon Lim, Hardware Design and Performance Estimation of The 128-
bit Block Cipher CRYPTON, Information and Communications Research Center, Future Systems, Inc., 372-2
Yangjae-Dong, Seocho-Ku, Seoul, Korea 137-130. Ç.K. Koç and C. Paar (Eds.): CHES'99, LNCS 1717, pp. 49-
60, Springer-Verlag Berlin Heidelberg, 1999.
25. C. D'Halluin, G. Bijnens, V. Rijmen and B. Preneel, Attack on six rounds of CRYPTON, in Fast Software
Encryption, FSE 1999, Lecture Notes in Computer Science 1636, L. R. Knudsen (ed.), Springer-Verlag, pp. 46-
59, 1999.
26. J. Borst, Weak Keys of Crypton, Second AES Candidate Conference, rump session presentation, Mar 99.
27. L Knudsen, DEAL - A 128-bit Block Cipher, NIST AES Proposal, Jun 98.
28. National Bureau of Standards, DES modes of operation, Federal Information Processing Standard (FIPS),
Publication 81, National Bureau of Standards, U.S. Department of Commerce, Washington D.C., December 1980.
29. Lars R. Knudsen, DEAL-a 128-bit block cipher. Technical report 151, Department of Informatics, University of
Bergen, Norway, February 1998.
30. Lars R. Knudsen, DEAL-a 128-bit block cipher. In AES Round 1 Technical Evaluation CD-1: Documentation.
NIST, August 1998. See http://www.nist.gov/aes.
31. Eli Biham, Alex Biryukov, and Adi Shamir, Cryptanalysis of Skipjack reduced to 31 rounds using impossible
differentials, In Jacques Stern, editor, Advances in Cryptology - EUROCRYPT'99, volume 1592 of Lecture Notes
in Computer Science. Springer-Verlag, 1999.
32. S. Lucks, On the Security of the 128-bit Block Cipher DEAL, Fast Software Encryption, Sixth International
Workshop, Springer-Verlag, 1999.
33. R.S.Winternitz, Producing One-Way Hash Functions from DES, Advances in Cryptology: Proceedings of Crypto
83, Plenum Press, 1984, pp. 203-207.
34. H. Gilbert, M. Girault, P. Hoogvorst, F. Noilhan, T. Pornin, G. Poupard, J. Stern, S. Vaudenay, Decorrelated Fast
Cipher: an AES Candidate, submitted to the Advanced Encryption Standard process. In CD-ROM AES CD-1:
Documentation, National Institute of Standards and Technology (NIST), August 1998.
35. D. Coppersmith, DFC Weak Keys, Note to NIST AES Discussion Group, 10 Sep 98.
36. D. Coppersmith, Re: DFC Weak Keys, Note to NIST AES Discussion Group, 22 Oct 98.
37. M. Matsui, T. Tokita, Cryptanalysis of a Reduced Version of the Block Cipher E2, 6th International Workshop
on Fast Software Encryption (FSE 1999). Rome: Springer-Verlag. pp. 71–80.
38. D. Georgoudis, D. Lerous, and B.S.Chaves, The Frog Encryption Algorithm, NIST AES Proposal, Jun 98.
39. B. Schneier and D. Whiting, Fast Software Encryption: Designing Encryption Algorithms for Optimal Speed on
the Intel Pentium Processor, Fast Software Encryption, 4th International Workshop Proceedings, Springer-Verlag,
1997, pp. 242-259.
40. D. Wagner, N. Ferguson, and B. Schneier, Cryptanalysis of FROG, Second AES Candidate Conference, Mar 99.
41. D. Wagner, Equivalent keys for HPC, Second AES Candidate Conference, rump session presentation, Mar 99.
42. D. Wagner, Equivalent keys for HPC, Second AES Candidate Conference, rump session presentation, Mar 99.
43. Lawrence Brown, Josef Pieprzyk, Jennifer Seberry, LOKI - A Cryptographic Primitive for Authentication and
Secrecy Applications, in Advances in Cryptology: Auscrypt '90, Lecture Notes in Computer Science, Vol 453,
Springer-Verlag, pp 229-236, 1990.
44. Lawrence Brown, Matthew Kwan, Josef Pieprzyk, Jennifer Seberry, Improving Resistance to Differential
Cryptanalysis and the Redesign of LOKI, in Advances in Cryptology - Asiacrypt'91, Lecture Notes in Computer
Science, Vol 739, Springer-Verlag, pp 36-50, 1991.
45. L. Knudsen, Cryptanalysis of LOKI '91, Advances in Cryptography, AUSCRYPT '92 Proceedings, Springer-
Verlag, 1993.
46. RSA Data Security Inc, Government encryption standard DES takes a fall, 1997.
47. V. Rijmen, L.R. Knudsen, Weaknesses in LOKI97,
48. ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/loki97, 1998.
49. M.J. Jacobson and K. Huber, The MAGENTA Block Cipher Algorithm, NIST AES Proposal, Jun 98.
50. K. Huber and S. Wolter., Telekom's MAGENTA algorithm for en-/decryption in the gigabit/sec range. In
ICASSP 1996 Conference Proceedings, volume 6, pages 3233-3235, 1996.
51. E. Biham, A. Biryukov, N. Ferguson, L. Knudsen, B. Schneier, A. Shamir, Cryptanalysis of MAGENTA,
http://www.counterpane.com/magenta.html, August 20, 1998.
52. C. Burwick, D. Coppersmith, E. D'Avignon, R. Gennaro, S. Halevi, C. Jutla, S.M. Matyas Jr., L. O'Connor, M.
Peyravian, D. Safford and N. Zunic, MARS – A Candidate Cipher for AES. Presented in the 1st AES conference,
CA, USA, August 1998.
53. F. Sano, M. Koike, S. Kawamura, and M. Shiba, Performance Evaluation of AES Finalists on the High-End Smart
Card, Presented in the 3rd AES conference, NY, USA, April 2000.
54. E. Biham and V. Furman, Impossible Differential on 8-Round MARS' Core, Presented in the 3rd AES
conference, NY, USA, April 2000.
55. J. Kelsey, T. Kohno, and B. Schneier, Amplified Boomerang Attacks Against Reduced-Round MARS and
Serpent, Presented in the Fast Software Encryption Workshop, NY, USA, April 2000.
56. R.L. Rivest, The RC5 encryption algorithm, In B. Preneel, editor, Fast Software Encryption, volume 1008 of
Lecture Notes in Computer Science, pages 86-96, 1995. Springer Verlag.
57. M.H. Heys, Linearly weak keys of RC5, IEE Electronic Letters, Vol. 33, pages 836-838, 1997.
58. Biryukov and E. Kushilevitz, Improved cryptanalysis of RC5, In K. Nyberg, editor, Advances in Cryptology
Eurocrypt '98, volume 1403 Lecture Notes in Computer Science, pages 85-99, 1998. Springer Verlag.
59. B.S. Kaliski and Y.L. Yin, On differential and linear cryptanalysis of the RC5 encryption algorithm, In D.
Coppersmith, editor, Advances in Cryptology Crypto '95, volume 963 of Lecture Notes in Computer Science,
pages 171-184, 1995. Springer Verlag.
60. L.R. Knudsen and W. Meier, Improved differential attacks on RC5, In N. Koblitz, editor, Advances in Cryptology
, Crypto '96, volume 1109 of Lecture Notes in Computer Science, pages 216-228, 1996. Springer Verlag.
61. S. Moriai, K. Aoki, and K. Ohta, Key-dependency of linear probability of RC5, March 1996. To appear in IEICE
Trans. Fundamentals.
62. J. Daemen and V. Rijmen, "AES Proposal: Rijndael", AES Algorithm Submission, September 3, 1999.
63. Joan Daemen and Vincent Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard. Springer,
2002.
64. Hamid Mala, Mohammad Dakhilalian, Vincent Rijmen, and Mahmoud Modarres-Hashemi, Improved Impossible
Differential Cryptanalysis of 7-Round AES-128, In INDOCRYPT'10, volume 6498 of Lecture Notes in Computer
Science, pages 282–291. Springer, 2010.
65. Henri Gilbert and Marine Minier, A Collision Attack on 7 Rounds of Rijndael. In AES Candidate Conference,
pages 230–241, 2000.
66. Niels Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, Michael Stay, David Wagner, and Doug Whiting,
Improved cryptanalysis of Rijndael. In FSE'00, volume 1978 of Lecture Notes in Computer Science, pages 213–
230. Springer, 2000.
67. Orr Dunkelman, Nathan Keller, and Adi Shamir, Improved Single-Key Attacks on 8-Round AES-192 and AES-
256. In ASIACRYPT'10, volume 6477 of Lecture Notes in Computer Science, pages 158–176. Springer, 2010.
68. Alex Biryukov and Dmitry Khovratovich, Related-Key Cryptanalysis of the Full AES-192 and AES-256. In
ASIACRYPT'09, volume 5912 of Lecture Notes in Computer Science, pages 1–18. Springer, 2009.
69. Henri Gilbert and Thomas Peyrin, Super-Sbox cryptanalysis: Improved attacks for AES-like permutations. In
FSE'10, volume 6147 of Lecture Notes in Computer Science, pages 365–383. Springer, 2010.
70. James L. Massey, SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm, Fast Software Encryption,
Cambridge Security Workshop Proceedings, Springer, 1994, pp: 1-17.
71. James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER+ as Candidate Algorithm for the
Advanced Encryption Standard, 1st Advanced Encryption Standard Candidate Conference, CA, Aug. 20-22, 1998,
pp 1-14.
72. James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER++ as Candidate Algorithm for the
New European Schemes for Signatures, Integrity, and Encryption (NESSIE), Presented in First Open NESSIE
Workshop, November, 2000.
73. RJ Anderson, E Biham, LR Knudsen, Serpent: A Proposal for the Advanced Encryption Standard, submitted to
NIST as an AES candidate. A short version of the paper appeared at the AES conference, August 1998; both
papers are available at http://www.cl.cam.ac.uk/~rja14/serpent.html
74. P.C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, in Advances in
Cryptology - Crypto 96, Springer LNCS 1109, pp 104-113.
75. AJ Elbirt, W Yip, B Chetwynd, C Paar, An FPGA-Based Performance Evaluation of the AES Block Cipher
Candidate Algorithm Finalists, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, Aug. 2001,
Volume: 9, Issue: 4, pp. 545 - 557.
76. B. Weeks, M. Bean, T. Rozylowicz, C. Ficke, "Hardware Performance Simulations of Round 2 Advanced
Encryption Standard Algorithms", to appear in the proceedings of the 3rd AES Candidate Conference, April 13-
14, 2000.
77. R.J. Anderson, E. Biham, L.R. Knudsen, Serpent and Smartcards, in Cardis 98, Springer Verlag (2000) pp 257-
264; also available at http://www.cl.cam.ac.uk/~rja14/serpent.html.
78. Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, Twofish: A 128-bit
block cipher, In AES Round 1 Technical Evaluation CD-1: Documentation. NIST, August 1998. Available at
http://www.nist.gov/aes.
79. Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, The Twofish
Encryption Algorithm: A 128-Bit Block Cipher, Wiley, 1999.
80. Niels Ferguson, Impossible differentials in Twofish, Twofish Technical Report 5, Counterpane Systems, October
1999. See http://www.counterpane.com/twofish.html