Ciphers in Use in the Internet
Internet Research Task Force, General area
Keywords: Cipher, encryption, cryptography

Authors:
  Cisco Systems, 13600 Dulles Technology Drive, Herndon, VA 20171, USA; mcgrew@cisco.com
  Chinese Academy of Science, No.4 South 4th Zhongguancun Street, Beijing 100190, China; +86 10-58813038; shenshuo@cnnic.cn
This note catalogs the ciphers in use on the Internet, to
guide users and standards processes. It presents
the security goals, security analysis and results,
specification, intellectual property considerations, and
publication date of each cipher. Background information and
security guidance are provided as well.
This note is a catalog of the ciphers in use on the Internet,
and/or defined or referenced in IETF RFCs.
This note is not a standards document; instead it aims to
capture the consensus of the Crypto Forum Research Group
at the time of publication, and to provide technical guidance
to standards groups that are selecting ciphers.
This note groups together ciphers with similar block structure,
and lists ciphers in decreasing order of the year of their
publication.
This is the second version of this note; it is a work in progress,
and it should not yet be considered as representative of a
consensus. Comments are solicited and should be sent to the
authors and to cfrg@irtf.org.
This section is to be removed by the RFC Editor upon publication
as an RFC.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
A cipher is an encryption method. Encryption is a transformation
of data that uses a secret key to change a plaintext value, which
needs to be kept secret, into a ciphertext value, which can be
safely revealed without the loss of the confidentiality of the
plaintext. Ciphertext can be converted back into plaintext,
through the use of the secret key, via a decryption algorithm that
is the reverse of the encryption algorithm. Importantly,
encryption does not protect the integrity or authenticity of the
plaintext; it does not provide a data integrity service, or a data
origin authentication service .
Authenticated Encryption is an encryption method that does protect
the integrity and authenticity of the plaintext, as well as the
confidentiality of the plaintext. Authenticated Encryption with
Associated Data (AEAD) protects the confidentiality, integrity,
and authenticity of the plaintext, and also protects the integrity
and authenticity of some associated data .
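The following Go program is an added illustration, not part of this note, of the distinction just drawn, using the Go standard library's AES (crypto/aes, crypto/cipher): one ciphertext bit flipped under CTR mode passes straight through to the recovered plaintext with no indication, while AES-GCM, an AEAD, refuses the same change and any change to its associated data. The key, IV, nonce and message are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values. A real system draws the key from a CSPRNG and
// never reuses a CTR IV or a GCM nonce under the same key.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoIV    = []byte("unique-16B-iv!!!")                 // 16-byte CTR IV
	demoNonce = []byte("12-byte-nonc")                     // 12-byte GCM nonce
)

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// ctrEncrypt is encryption in the sense of the text: AES in CTR mode gives
// confidentiality only. Decryption is the same operation.
func ctrEncrypt(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(out, in)
	return out
}

// gcmSeal is AEAD: AES-GCM appends a 16-byte authentication tag that also
// covers the associated data aad (sent in the clear but authenticated).
func gcmSeal(key, nonce, plaintext, aad []byte) []byte {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, plaintext, aad)
}

// gcmOpen verifies the tag before releasing any plaintext; on any change to
// ciphertext, tag or aad it returns an error and no plaintext at all.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// flipBits returns a copy of buf with the bits in mask toggled at pos,
// standing in for corruption or modification in transit.
func flipBits(buf []byte, pos int, mask byte) []byte {
	out := append([]byte(nil), buf...)
	out[pos] ^= mask
	return out
}

// ctrTamperResult decrypts a modified CTR ciphertext. CTR has no way to
// notice the change: the same bits flip in the recovered plaintext.
func ctrTamperResult(plaintext []byte, pos int, mask byte) []byte {
	ct := ctrEncrypt(demoKey, demoIV, plaintext)
	return ctrEncrypt(demoKey, demoIV, flipBits(ct, pos, mask))
}

// gcmTamperRejected reports whether AES-GCM refuses the same modification.
func gcmTamperRejected(plaintext, aad []byte, pos int, mask byte) bool {
	ct := gcmSeal(demoKey, demoNonce, plaintext, aad)
	_, err := gcmOpen(demoKey, demoNonce, flipBits(ct, pos, mask), aad)
	return err != nil
}

func main() {
	pt := []byte("transfer amount: 0100")
	// Byte 17 is the leading '0' (0x30); toggling bit 0 turns it into '1'.
	fmt.Printf("CTR, one bit flipped in transit: %q\n", ctrTamperResult(pt, 17, 0x01))
	fmt.Println("GCM rejects the same flip:", gcmTamperRejected(pt, []byte("hdr"), 17, 0x01))
}
```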
A Block Cipher is an encryption algorithm that encrypts a
fixed-size plaintext block with a secret key, resulting in a
fixed-size ciphertext block. The encryption is reversible, so
that the plaintext block can be computed from the key and the
ciphertext block. Block ciphers are not directly used to encrypt
data, but instead are used in a mode of operation, as described
below. A block cipher has two parameters: block size (the number
of bits in the fixed-size blocks), and key size (the number
of bits in the key). Some block ciphers accept more than one
key size.
A Block Cipher Mode of Operation is a method for encrypting and/or
authenticating data. Most modes of operation can operate on
arbitrary-length data, unlike the block cipher itself, which can
only operate on fixed length data. The mode of operation
logically breaks plaintext into fixed-size blocks, and processes
these blocks using the block cipher (and other operations such
as bitwise exclusive-or).
A Stream Cipher is an encryption method that does not use a block
cipher, and is not used in a mode of operation; instead, the
stream cipher defines its own encryption method. Most stream
ciphers encrypt plaintext by generating pseudorandom data with a
secret key, then bitwise exclusive-oring the pseudorandom data
with the plaintext to produce the ciphertext. Some stream ciphers
take an Initialization Vector (IV) as input; a different IV is
provided to the cipher for each different message that is
encrypted. A stream cipher has two parameters: IV size (the
number of bits in the IV), and key size (the number of bits in the
key). Some stream ciphers accept more than one key size.
There are many different attack models that are used to analyze
the security of ciphers. An attack model is a formal statement of
the attacker's capabilities. A particular cipher may be strong in
one attack model, but weak in another; the suitability of that
cipher for use in a particular application will depend entirely on
the attacker's actual capabilities in the real world.
In a Known-Plaintext Attack (KPA), the attacker knows some (but
not all) of the plaintexts that are encrypted with an unknown
secret key, and can learn the resulting ciphertexts. The
attacker's goal is to determine the value of
some of the unknown plaintexts.
In a Chosen-Plaintext Attack (CPA), the attacker can choose some
(but not all) of the plaintexts that are encrypted with an unknown
secret key, and can learn the resulting ciphertexts. A CPA is
adaptive if the attacker can adapt the plaintexts that it chooses
based on the ciphertexts that it observes. The attacker's
goal is to determine the value of some of the plaintexts that
it does not choose and that it does not know.
In a Chosen-Ciphertext Attack (CCA), the attacker can cause the
decryption of some ciphertexts of its choice, and can learn the
results of those decryptions. The attacker can also observe the
ciphertext resulting from the encryption of some unknown
plaintexts. A CCA is adaptive if the attacker can adapt the
ciphertexts that it chooses based on other data that it observes.
The attacker's goal is to determine the value of some of the
unknown plaintexts.
(Authenticated Encryption protects against these attacks.)
In a Related-Key Attack (RKA), the attacker can cause the
encryption of unknown plaintext values under two or more keys,
where the relationship between the keys is known to the attacker,
but the actual value of the keys is not known. For example, if
keys K1 and K2 are in use, the attacker might know the value of
the bitwise exclusive-or of K1 and K2, while not knowing the value
of either key. Related-Key Attacks do not have any effect on
security when keys are chosen independently, as is the case in
most communication security protocols. It is a theoretical
impossibility for a cipher to be resistant to all types of RKAs,
which underscores the need for sound key generation and key
management.
In a Side-Channel Attack (SCA), the attacker has access to
physical side information beyond the digital representation of the
plaintexts and ciphertexts, such as the voltage levels used during
the encryption process, or fine-grained timing information about
the duration of the encryption operations. SCAs act against an
implementation of a cipher, rather than against the cipher design,
since the side information is a property of the former and not the
latter. Nonetheless, it is important to study methods of
defending a particular cipher design from SCAs.
In a Key Recovery Attack (KRA), the attacker learns the secret key
that is used to encrypt some ciphertext. In a Plaintext Recovery
Attack (PRA), the attacker learns some unknown plaintext, but
does not learn the secret key. A successful KRA is devastating,
but a successful PRA can also be just as damaging.
There are several security goals for block ciphers; understanding these
goals is important to understanding the actual security provided
by ciphers in the real world. This section reviews
the most important security goals.
For each cipher, the best attack is described. Any cipher can be
defeated, in theory, by exhaustively searching over every possible
key, but in practice this attack is computationally feasible only
for smaller key sizes.
The 1998 Deep Crack machine cost $250,000 and could break a 56-bit
key by exhaustive search in about one day .
Due to the exponentially fast decrease in the cost of computing
power (Moore's Law), the length of a key that can be broken for a
fixed amount of money goes up by one bit every 1.5 years.
Combining these facts, we estimate that a $250,000 machine can
break 66-bit keys via exhaustive search in 2013, and that a $32M
machine can break 73-bit keys.
In most block ciphers, the encryption operation essentially consists
of a round function that is repeated multiple times, each time with
a different subkey. The plaintext block is input to the first
round, and the ciphertext block is the output of the final round.
Cryptanalysts investigating the security of a block cipher often
consider the strength of the cipher against reduced-round versions,
that is, a variant of the cipher that includes fewer rounds than the
actual cipher. Most attacks against block ciphers can be easily
generalized to attacks on reduced-round variants of block ciphers.
The effectiveness of an attack against a block cipher is measured,
in part, by the number of rounds that the attack can defeat.
The number of chosen plaintext blocks, chosen ciphertext blocks, or
known plaintext blocks that are used in an attack is an important
measure of the strength of that attack. For instance, an attack
against a 128-bit block cipher that requires more than 2^64 known
plaintext blocks has little effect on practical security, because
those ciphers are not used to encrypt that much data with a single
key (see ).
An encryption method is indistinguishable from random whenever its
ciphertext cannot be distinguished from a random value by a
computationally limited adversary. This idea has been mathematically
formalized, and is fundamental to the analysis of ciphers. A cipher
cannot be secure unless it is indistinguishable, and thus,
this is the main security goal.
Typical block cipher modes of operation are insecure when the amount
of data processed by a single key is larger than w * 2^(w/2) bits,
where w is the block size of the block cipher. (Here and below 2^w
denotes 2 to the power w.) This limit is called the birthday bound,
by analogy to the fact that, in a group of people, a birthday common
to two people is more likely than one might expect.
The birthday bound is a primary consideration for the security of
block ciphers. Above the birthday bound, all of the block cipher
modes of operation that are in common use are distinguishable from
random, and are vulnerable to plaintext recovery attacks.
The bound for a 64-bit block cipher is 2^34 bytes, or 4 Gigabytes, and
the bound for a 128-bit block cipher is 2^67 bytes, or 128 Trillion Gigabytes.

In practice, it is highly desirable that the amount of data is
significantly below the birthday bound, in order to make the
likelihood of a successful plaintext recovery attack negligible.
It is highly desirable that a block cipher be indistinguishable from
random even if the attacker knows most of the 2^w possible w-bit
plaintext/ciphertext pairs for a given key. However, because of the
birthday bound, a block cipher should not be used to encrypt more than
2^(w/2) plaintexts, and attacks against a block cipher that require
more than 2^(w/2) plaintexts or ciphertexts likely have no effect on the
practical security of that cipher.
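The following Go program, added here and not part of this note, makes the birthday bound concrete with a toy 16-bit block cipher (a seeded random permutation standing in for one key) in CBC mode. It counts how many blocks are encrypted before two ciphertext blocks coincide, which happens after roughly 2^(w/2) blocks rather than 2^w, and checks the relation that such a collision exposes to anyone holding only the ciphertext (the XOR of two plaintext blocks), which is exactly why the text bounds the data encrypted under one key. The toy cipher, seed and plaintexts are constructed demo values.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Toy block size. With w = 16, 2^(w/2) is only 256 blocks, so the effect
// shows in milliseconds; the mechanism is identical for a 64-bit cipher,
// where it appears at around 2^32 blocks (a few tens of gigabytes).
const toyW = 16

// toyCipher is a random permutation of the 2^16 possible blocks, standing
// in for an ideal block cipher under one fixed key. math/rand is fine for
// this toy; it is never acceptable for real keys.
type toyCipher struct{ perm []uint16 }

func newToyCipher(seed int64) *toyCipher {
	r := rand.New(rand.NewSource(seed))
	perm := make([]uint16, 1<<toyW)
	for i := range perm {
		perm[i] = uint16(i)
	}
	r.Shuffle(len(perm), func(i, j int) { perm[i], perm[j] = perm[j], perm[i] })
	return &toyCipher{perm: perm}
}

func (c *toyCipher) encrypt(x uint16) uint16 { return c.perm[x] }

// birthdayBoundBlocks is the 2^(w/2) block count from the text, above
// which a ciphertext-block collision becomes likely.
func birthdayBoundBlocks(w uint) uint64 { return 1 << (w / 2) }

// cbcEncrypt computes C_i = E(P_i xor C_{i-1}) with C_{-1} = iv.
func cbcEncrypt(c *toyCipher, iv uint16, p []uint16) []uint16 {
	ct := make([]uint16, len(p))
	prev := iv
	for i, pi := range p {
		prev = c.encrypt(pi ^ prev)
		ct[i] = prev
	}
	return ct
}

// firstCollision returns the first i < j with ct[i] == ct[j], if any.
func firstCollision(ct []uint16) (int, int, bool) {
	seen := make(map[uint16]int, len(ct))
	for j, cj := range ct {
		if i, dup := seen[cj]; dup {
			return i, j, true
		}
		seen[cj] = j
	}
	return 0, 0, false
}

// CollisionReport records what one CBC collision gives away: E is a
// permutation, so C_i == C_j forces P_i xor C_{i-1} == P_j xor C_{j-1},
// and an observer of the ciphertext alone learns P_i xor P_j.
type CollisionReport struct {
	Blocks int  // blocks encrypted up to and including the collision
	Leaked bool // whether P_i xor P_j == C_{i-1} xor C_{j-1} held
}

// runBirthdayDemo encrypts maxBlocks random plaintext blocks under one
// toy key and reports the first ciphertext collision.
func runBirthdayDemo(seed int64, maxBlocks int) (CollisionReport, bool) {
	r := rand.New(rand.NewSource(seed + 1))
	c := newToyCipher(seed)
	iv := uint16(r.Intn(1 << toyW))
	p := make([]uint16, maxBlocks)
	for k := range p {
		p[k] = uint16(r.Intn(1 << toyW))
	}
	ct := cbcEncrypt(c, iv, p)
	i, j, ok := firstCollision(ct)
	if !ok {
		return CollisionReport{}, false
	}
	prevOf := func(k int) uint16 { // C_{k-1}, with the IV before block 0
		if k == 0 {
			return iv
		}
		return ct[k-1]
	}
	return CollisionReport{
		Blocks: j + 1,
		Leaked: p[i]^p[j] == prevOf(i)^prevOf(j),
	}, true
}

func main() {
	rep, ok := runBirthdayDemo(42, 1<<toyW)
	fmt.Printf("collision: %v after %d blocks (2^(w/2) = %d); plaintext XOR exposed: %v\n",
		ok, rep.Blocks, birthdayBoundBlocks(toyW), rep.Leaked)
}
```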
It is STRONGLY RECOMMENDED that any cipher used be secure in the
KPA, adaptive CPA, and adaptive CCA models. The security against
these types of attack is determined by the cipher design.
It is RECOMMENDED that any implementation of a cipher be secure in
the SCA model, and it is STRONGLY RECOMMENDED that any
implementation that must operate while in the physical possession
of an attacker be secure in the SCA model. The security against
this type of attack is determined by the particulars of the
implementation, and not the design of the cipher. However, a
specific cipher design may be easier to implement such that it is
secure in the SCA model, compared to other ciphers.
When encryption is in use, it is STRONGLY RECOMMENDED that either
1) Authenticated Encryption or AEAD be used, or 2) an encryption
method be used in conjunction with an algorithm that protects the
authenticity of the data, such as a Message Authentication Code
.
64-bit block ciphers SHOULD NOT be used in general-purpose
systems, because of the plaintext recovery attacks that are
possible against them. When a 64-bit block cipher is used for
legacy reasons, it is RECOMMENDED that the amount of data
encrypted by a single key be limited to 1 Megabyte. For special
purpose applications in which the amount of encrypted data is
below this threshold, 64-bit block ciphers MAY be used.
At present, the most widely used cipher is the Advanced Encryption
Standard (see Section ), which is believed to
provide adequate security for the foreseeable future. It has a
block size of 128 bits, and key sizes of 128, 192, or 256 bits.
We say that a cipher is AES-compatible if it supports the same
block and key sizes, and that a cipher is partially AES-compatible
if it supports the same block size and at least one of the key
sizes.
AES-compatible ciphers include ARIA, CAST-256, Camellia, Serpent,
and Twofish. Partially AES-compatible ciphers include SEED and SMS4,
both of which only support 128-bit keys. All of these ciphers,
except for SMS4, are either free from intellectual property
claims, or are available worldwide royalty free.
The existence of strong ciphers that are free of intellectual
property restrictions shows that it is not necessary to use
encumbered ciphers in order to obtain good security.
ARIA was first published in 2003
by a large group of researchers from South Korea.
It is specified in ,
and supports a block length of 128 bits and key lengths of 128 bits, 192 bits, and 256 bits.
Thus ARIA is AES-compatible.
IETF use includes 21 RFCs and 11 Internet Drafts.
Intellectual Property Rights have not been claimed
on ARIA.
The best known attack against this cipher is a meet-in-the-middle
attack on 8 rounds (out of 12) with data complexity 2^56, which
was shown in . There have been other
analyses as well. Classical linear and differential
cryptanalysis were shown in .
Truncated differentials, boomerang and slide attacks were shown
in and . Impossible differential cryptanalysis
appeared in . SCA security was
considered in .
In 2004, the Korean Agency for Technology and Standards selected
ARIA as a standard cryptographic technique. The algorithm uses a
substitution-permutation network (SPN) structure like that of
AES. The number of rounds is 12, 14, or 16, depending on the key
size. ARIA uses two 8 x 8-bit substitution tables and their inverses in
alternate rounds; one of these is the AES substitution table. The key
schedule processes the key using a 3-round 256-bit Feistel
cipher.
CLEFIA was designed by the Sony Corporation, and was first
published in 2007 . It is specified in , and supports key lengths of 128, 192, and
256 bits.
IETF uses include 1 RFC, which specifies the cipher, and 2
Internet Drafts, defining its use in IPsec and TLS.
Intellectual Property Rights have been claimed
on CLEFIA. The owner of those rights is Sony.
The best known attack against this cipher is the improbable
differential cryptanalysis of reduced-round CLEFIA presented in
. It requires 2^126.8 chosen
plaintexts and breaks 13 (out of 18) rounds with a complexity of
2^126.8 encryptions for the key size of 128 bits. Similar
attacks apply for 14 and 15 rounds of CLEFIA for the key sizes
192 and 256 bits, respectively.
This cipher has also been analyzed by differential and linear
cryptanalysis. Impossible Differential Cryptanalysis was shown
in . SCA has been considered;
cryptanalysis using differential methods with cache trace
patterns was described in and
differential fault analysis was described in .
CLEFIA has 18, 22, or 16 rounds, for key sizes of 128 bits, 192
bits, and 256 bits, respectively. It is intended to be used in
Digital Rights Management (DRM) systems.
SMS4 was first published in 2006.
It is specified in ,
and supports a key length of 128 bits.
There are not yet any IETF uses.
Intellectual Property Rights have been claimed on SMS4. The
owner of those rights is BDST.
The best known attacks against SMS4 are the linear and
differential attacks against 22 rounds (out of 32) shown in
. These attacks require 2^117 known
plaintexts and 2^118 chosen plaintexts, respectively. Rectangle
and impossible differential attacks were shown in . Other attacks against reduced-round
versions of SMS4 have appeared
.
Algebraic and XSL attacks against reduced-round SMS4 have been
pursued .
SMS4 is used in the Chinese National Standard for Wireless LAN,
WAPI. SMS4 was proposed for use in the IEEE 802.11i
standard, but so far has been rejected by ISO. One of the
reasons for the rejection has been opposition by the IEEE to the
WAPI fast-track proposal. SMS4 uses an 8-bit
substitution table, and performs 32 rounds to process one block.
A non-linear key schedule is used to produce the round keys.
SEED was first published in 1998.
It is specified in ,
and supports a key length of 128 bits.
IETF use includes 7 RFCs and 1 Internet Draft, which specify the
cipher and define its use in CMS, TLS, IPsec, SRTP, and MIKEY.
Intellectual Property Rights have not been claimed on SEED.
The best attack against SEED is a differential attack against
eight (out of 16) rounds that requires
2^125 chosen plaintexts. Differential and linear attacks were
also shown
. SCA was considered in .
SEED is a 16-round Feistel network that uses two 8 x 8 S-boxes
that are derived from discrete exponentiation, as in the design
of the SAFER block cipher. It was developed by the Korean
Information Security Agency (KISA). It is used broadly in South
Korea, but not often used elsewhere. It was adopted in Korea
because the 40-bit "export strength" cryptography, as was common
at the time in the Secure Sockets Layer (SSL) in web browsers,
was rightly regarded as insufficient; KISA developed its own
SEED standard to address this fact. However, SEED is a national
rather than international standard, and this fact limits the
interoperability of SEED implementations in communications
across national borders.
Camellia was first published in 2000 in .
It is specified in ,
and supports key lengths of 128, 192, and 256 bits.
IETF uses include 15 RFCs and 6 Internet Drafts, which specify
the cipher and define its use in XMLsec, TLS, IPsec, OpenPGP,
CMS, PSKC, and Kerberos.
Intellectual Property Rights have been claimed on Camellia. The
owner of those rights is NTT, who has stated that it "intends to
grant royalty-free licenses for the essential patents"
needed to implement Camellia .
The best known attack against Camellia is an impossible differential
attack against 10 (out of 18) rounds that uses 2^112.4 chosen plaintext
blocks .
Higher order differential attacks were shown in and .
Truncated and impossible differential cryptanalysis have been
presented . Other analyses include the square
attack (integral cryptanalysis)
and
collision attacks .
Camellia is a 128-bit block cipher jointly developed by
Mitsubishi and NTT. The cipher has been approved for use by the
ISO/IEC, the European Union's NESSIE project and the Japanese
CRYPTREC project. The cipher has security levels and processing
abilities comparable to the Advanced Encryption Standard.
Camellia's block size is 16 bytes (128 bits). The block cipher
was designed to be suitable for both software and hardware
implementations, from low-cost smart cards to high-speed network
systems. Camellia is a Feistel cipher with either 18 rounds
(for 128-bit keys) or 24 rounds (for 192- or 256-bit keys). Every
six rounds, a logical transformation layer is applied: the
so-called "FL-function" or its inverse. Camellia uses four 8 x
8-bit S-boxes with input and output affine transformations and
logical operations. The cipher also uses input and output key
whitening. The diffusion layer uses a linear transformation
based on an MDS matrix with a branch number of 5.
CAST-256 was first published in 1998 in .
It is specified in ,
and supports key lengths of 128, 160, 192, 224 and 256 bits.
Its IETF use is RFC 2612, which defines the cipher.
Intellectual Property Rights have been claimed on CAST-256 by
Entrust. According to RFC 2612, it "is available worldwide on a
royalty-free and license-free basis for commercial and
non-commercial uses."
The best known attack against 12 (out of 48) rounds of CAST-256
is a linear attack that requires 2^101 known plaintext blocks
. Other analysis includes
differential and linear attacks and
higher order differential attacks .
The CAST-256 (or CAST6) block cipher was submitted as a
candidate for the Advanced Encryption Standard (AES); however,
it was not among the five AES finalists. It is an extension of
an earlier cipher, CAST-128; both were designed according to the
"CAST" design methodology invented by Carlisle Adams and
Stafford Tavares. Howard Heys and Michael Wiener also
contributed to the design. CAST-256 uses the same elements as
CAST-128, including S-boxes, but is adapted for a block size of
128 bits, twice the size of its 64-bit predecessor. (A similar
construction occurred in the evolution of RC5 into RC6).
CAST-256 is composed of 48 rounds, sometimes described as 12
"quad-rounds", arranged in a generalised Feistel network.
AES was first published in 1998 in , and
was originally called Rijndael. It is specified in , and supports key lengths of 128, 192, and
256 bits.
IETF uses include 29 RFCs and 3 Internet Drafts.
Intellectual Property Rights have not been claimed
on AES.
The best known attack against this cipher is biclique
cryptanalysis, which works against the full 10 rounds of AES-128
and requires 2^88 chosen plaintexts and 2^126 operations . Besides this work, there has been
considerable attention paid to the AES cipher by cryptanalysts,
making it the most-studied cipher ever.
Much of this work is in the KPA, CPA, and CCA models
.
The RKA model for AES has also been well studied
.
Considerable work has been done on SCA, including power analysis attacks and defenses
.
Cache-timing attacks and defenses have also been analyzed
.
The mathematical structure of AES has also been studied
.
The Advanced Encryption Standard (AES) is a specification for the
encryption of electronic data. It has been adopted by the U.S.
government and is now used worldwide.
AES was announced by the National Institute of Standards and
Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26,
2001, after a five-year standardization process in which fifteen
competing designs were presented and evaluated before it was
selected as the most suitable. It became effective as a Federal
government standard on May 26, 2002, after approval by the
Secretary of Commerce. It is available in many different
encryption packages. AES is the first publicly accessible and open
cipher approved by the National Security Agency (NSA) for top
secret information.
Originally called Rijndael, the cipher was developed by two
Belgian cryptographers, Joan Daemen and Vincent Rijmen, and
submitted by them to the AES selection process.
AES is based on a design principle known as a
substitution-permutation network. It is fast in both software and
hardware. AES operates on a 4 x 4 column-major matrix of bytes,
termed the state (versions of Rijndael with a larger block size
have additional columns in the state). Most AES calculations are
done in a special finite field. The AES cipher is specified as a
number of repetitions of transformation rounds that convert the
input plaintext into the final output ciphertext. Each round
consists of several processing steps, including one that depends
on the encryption key. A set of reverse rounds is applied to
transform ciphertext back into the original plaintext using the
same encryption key.
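As an added example (not from this note or from FIPS 197), the following Go code implements the finite-field multiplication and the MixColumns round step over the column-major state described above, so the "special finite field" remark can be checked by hand: {57} times {83} gives {c1} (the worked product in FIPS 197, section 4.2), and the widely used test column (db, 13, 53, 45) maps to (8e, 4d, a1, bc) and back again through the inverse matrix. The circulant-matrix helper and the sample state are this example's own constructions.

```go
package main

import "fmt"

// gmul multiplies two elements of GF(2^8), the finite field AES works in,
// reducing modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
func gmul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 != 0 {
			p ^= a
		}
		carry := a & 0x80
		a <<= 1
		if carry != 0 {
			a ^= 0x1b // x^8 is congruent to x^4 + x^3 + x + 1
		}
		b >>= 1
	}
	return p
}

// First rows of the MixColumns matrix and of its inverse; each later row
// is the previous one rotated right by one position.
var (
	mixRow    = [4]byte{2, 3, 1, 1}
	invMixRow = [4]byte{14, 11, 13, 9}
)

// mulColumn multiplies one 4-byte column by the circulant matrix whose
// first row is m, with all arithmetic in GF(2^8).
func mulColumn(m [4]byte, c [4]byte) [4]byte {
	var out [4]byte
	for r := 0; r < 4; r++ {
		var v byte
		for k := 0; k < 4; k++ {
			v ^= gmul(m[(k-r+4)%4], c[k])
		}
		out[r] = v
	}
	return out
}

// mixColumns applies MixColumns (or its inverse) to the 16-byte
// column-major state: state[r+4*c] is row r, column c, as in FIPS 197.
func mixColumns(state [16]byte, inverse bool) [16]byte {
	row := mixRow
	if inverse {
		row = invMixRow
	}
	var out [16]byte
	for c := 0; c < 4; c++ {
		col := [4]byte{state[4*c], state[4*c+1], state[4*c+2], state[4*c+3]}
		res := mulColumn(row, col)
		copy(out[4*c:4*c+4], res[:])
	}
	return out
}

func main() {
	col := [4]byte{0xdb, 0x13, 0x53, 0x45}
	mixed := mulColumn(mixRow, col)
	fmt.Printf("{57} * {83} = %02x\n", gmul(0x57, 0x83))
	fmt.Printf("MixColumns(%x) = %x\n", col[:], mixed[:])
	back := mulColumn(invMixRow, mixed)
	fmt.Printf("InvMixColumns round trip = %x\n", back[:])
}
```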
Twofish was first published in 1998. It is specified in , and supports key lengths of 128, 192, and 256 bits.
IETF use includes 9 RFCs, which specify its use in OpenPGP, SSH, and ZRTP.
Intellectual Property Rights have not been claimed
on Twofish.
Attack:
The best known attack against this cipher is a truncated differential attack, which was shown in .
A truncated differential, impossible differential attack that breaks was shown in .
The Saturation Attack - A Bait for Twofish was shown in .
Analysis:
Improved Impossible Differentials on Twofish was shown in .
On the Twofish Key Schedule was shown in .
Twofish is a symmetric key block cipher with a block size of
128 bits. It was one of the five finalists of the Advanced
Encryption Standard contest, but was not selected for
standardisation. Twofish is related to the earlier block
cipher Blowfish. Twofish's distinctive features are the use
of pre-computed key-dependent S-boxes, and a relatively
complex key schedule. Twofish borrows some elements from other
designs; for example, the pseudo-Hadamard transform (PHT) from
the SAFER family of ciphers. Twofish uses the same Feistel
structure as DES. On most software platforms Twofish was
slightly slower than Rijndael for 128-bit keys, but somewhat
faster for 256-bit keys. Twofish was designed by Bruce
Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall,
and Niels Ferguson; the Twofish algorithm is free for anyone to
use without any restrictions whatsoever. It is one of a few
ciphers included in the OpenPGP standard (RFC 4880). However,
Twofish has seen less widespread usage than Blowfish, which
has been available longer.
Serpent was first published in 1998.
It is specified in ,
and supports key lengths of 128, 192, and 256 bits.
IETF uses include 6 RFCs, which specify its use in SSH.
Intellectual Property Rights have not been claimed
on Serpent.
Attack:
The best known attack against this cipher is linear attack.
The Rectangle Attack - Rectangling the Serpent was shown in .
Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent was shown in .
A Differential-Linear Attack on 12-Round Serpent was shown in .
Analysis:
Amplified boomerang, rectangle, differential cryptanalysis, linear cryptanalysis and differential-linear cryptanalysis
were shown in ,,,,.
Multidimensional Linear Cryptanalysis of Reduced Round Serpent was shown in .
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent was shown in .
Differential-Linear Cryptanalysis of Serpent was shown in .
Linear Cryptanalysis of Reduced Round Serpent was shown in .
A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent was shown in .
A Dynamic FPGA Implementation of the Serpent Block Cipher was shown in .
On the Pseudorandomness of the AES Finalists - RC6 and Serpent was shown in .
Serpent: A New Block Cipher Proposal was shown in .
Serpent was a finalist in the AES contest, where it came second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.
Serpent was widely viewed as taking a more conservative approach to security than the other AES finalists, opting for a larger
security margin: the designers deemed 16 rounds to be sufficient against known types of attack, but specified 32 rounds as insurance
against future discoveries in cryptanalysis.
The Serpent cipher is in the public domain and has not been patented. There are no restrictions or encumbrances whatsoever regarding its
use. As a result, anyone is free to incorporate Serpent in their software (or hardware implementations) without paying license fees.
MISTY1 was first published in 1995.
It is specified in ,
and supports a key length of 128 bits.
IETF use includes RFC 2994, which specifies the cipher.
Intellectual Property Rights have been claimed on MISTY1. The
owner of those rights is Mitsubishi. According to , "the algorithm is freely available for
academic (non-profit) use. Additionally, the algorithm can be
used for commercial use without paying the patent fee if you
contract with Mitsubishi Electric Corporation. For more
information, please contact at MISTY@isl.melco.co.jp."
Attack:
An Improved Impossible Differential Attack on MISTY1 was shown in .
Higher Order Differential Attacks on Reduced-Round MISTY1 was shown in .
Improved Integral Attacks on MISTY1 was shown in .
Analysis:
Cryptanalysis of Reduced-Round MISTY was shown in .
Improved Cryptanalysis of MISTY1 was shown in .
Security Analysis of MISTY1 was shown in .
Improving the Efficiency of Impossible Differential Cryptanalysis of Reduced Camellia and MISTY1 was shown in .
On MISTY1 Higher Order Differential Cryptanalysis was shown in .
Security of the MISTY Structure in the Luby-Rackoff Model was shown in .
Round Security and Super-Pseudorandomness of MISTY Type Structure was shown in .
A Very Compact Hardware Implementation of the MISTY1 Block Cipher was shown in .
New Block Encryption Algorithm MISTY was shown in .
SKIPJACK was first published in 1998, and is specified in . It
supports a key length of 80 bits.
IETF use includes 15 RFCs, which describe its use in CMS and TELNET.
Intellectual Property Rights have not been claimed
on SKIPJACK.
Attack:
Saturation Attacks on Reduced Round Skipjack was shown in .
Analysis:
Provable Security for the Skipjack-like Structure against Differential Cryptanalysis and Linear Cryptanalysis was shown in .
Truncated Differentials and Skipjack was shown in .
Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials was shown in .
Flaws in Differential Cryptanalysis of Skipjack was shown in .
Markov Truncated Differential Cryptanalysis of Skipjack was shown in .
Initial Observations on Skipjack: Cryptanalysis of Skipjack-3XOR (Invited Talk) was shown in .
RC2 was first published in 1998.
It is specified in ,
and supports key lengths of 8, 16, 24, ..., 1024 bits.
IETF use includes 36 RFCs, which specify the cipher and describe its use in CMS, S/MIME, TLS, and PKIX.
Intellectual Property Rights have not been claimed on RC2,
though says that "RC2 is a registered
trademark of RSA Data Security, Inc. RSA's copyrighted RC2
software is available under license from RSA Data Security, Inc."
On the Design and Security of RC2 was shown in .
Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA was shown in .
CAST-128 was first published in 1997.
It is specified in ,
and supports a key length of 128 bits.
IETF use includes 20 RFCs that specify the cipher and define its use in OpenPGP, IPsec, CMS, and PKIX.
Intellectual Property Rights have been claimed on CAST-128 by
Entrust. According to , "The CAST-128
cipher described in this document is available worldwide on a
royalty-free basis for commercial and non-commercial uses."
BLOWFISH was first published in 1994.
It is specified in ,
and supports key lengths of 32, 64, 96, ..., 448 bits.
There are no IETF uses.
Intellectual Property Rights have not been claimed
on BLOWFISH.
A New Class of Weak Keys for Blowfish was shown in .
On the Weak Keys of Blowfish was shown in .
Description of a New Variable-Length Key 64-bit Block Cipher (Blowfish) was shown in .
IDEA was first published in 1992.
It is specified in ,
and supports a key length of 128 bits.
IETF use includes 9 RFCs, which describe its use in TLS and IPsec (but not in OpenPGP,
though IDEA was used in earlier PGP versions).
Intellectual Property Rights have been claimed on IDEA. The
owner of those rights is MediaCrypt AG.
Attack:
Two Attacks on Reduced IDEA was shown in .
A New Attack on 6-Round IDEA was shown in .
New Attacks Against Reduced-Round Versions of IDEA was shown in .
Miss in the Middle Attacks on IDEA and Khufu was shown in .
A New Meet-in-the-Middle Attack on the IDEA Block Cipher was shown in .
Square-like Attacks on Reduced Rounds of IDEA was shown in .
Analysis:
On the Security of the IDEA Block Cipher was shown in .
Cryptanalysis of IDEA-X/2 was shown in .
New Cryptanalytic Results on IDEA was shown in .
On Applying Linear Cryptanalysis to IDEA was shown in .
Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES was shown in .
Fault Analysis Study of IDEA was shown in .
Differential-Linear Weak Key Classes of IDEA was shown in .
Improved DST Cryptanalysis of IDEA was shown in .
Weak Keys for IDEA was shown in .
New Weak-Key Classes of IDEA was shown in .
DPA on n-Bit Sized Boolean and Arithmetic Operations and Its Application to IDEA, RC6, and the HMAC-Construction was shown in .
Switching Blindings with a View Towards IDEA was shown in .
Tradeoffs in Parallel and Serial Implementations of the International Data Encryption Algorithm
IDEA was shown in .
Revisiting the IDEA Philosophy was shown in .
Nonlinearity Properties of the Mixing Operations of the Block Cipher IDEA was shown in .
A Note on Weak Keys of PES, IDEA, and Some Extended Variants was shown in .
IDEA: A Cipher For Multimedia Architectures? was shown in .
GOST 28147-89 was first published in 1989.
It is specified in ,
and supports a key length of 256 bits.
256 Bit Standardized Crypto for 650 GE - GOST Revisited was shown in .
IETF use includes 7 RFCs.
Intellectual Property Rights have not been claimed
on GOST 28147-89.
Attack:
A Single-Key Attack on the Full GOST Block Cipher was shown in .
Analysis:
Cryptanalysis of the GOST Hash Function was shown in .
Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES was shown in .
Differential Cryptanalysis of Reduced Rounds of GOST was shown in .
The Triple Data Encryption Standard (TDES, or sometimes 3DES)
was first published in 1979. It is specified in
, and supports a key length
of 112 bits.
IETF uses include citations in 143 RFCs, which describe the use of the cipher
in IPsec, TLS, SMIME, CMS, PKIX, PPP, SSH, and GSAKMP.
Intellectual Property Rights have been claimed on TDES. The
owner of those rights is IBM. According to , TDES may be "covered by U.S. and foreign
patents, including patents issued to the International Business
Machines Corporation. However, IBM has granted nonexclusive,
royalty-free licenses under the patents to make, use and sell
apparatus which complies with the standard."
Attack:
Attacking Triple Encryption was shown in .
A Known Plaintext Attack on Two-Key Triple Encryption was shown in .
Analysis:
The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs was shown in .
DES was first published in 1977.
It is specified in ,
and its key length is 56 bits.
IETF use includes 66 drafts and 158 RFCs.
Intellectual Property Rights have been claimed on DES. The
owner of those rights is IBM. According to , TDES may be "covered by U.S. and foreign
patents, including patents issued to the International Business
Machines Corporation. However, IBM has granted nonexclusive,
royalty-free licenses under the patents to make, use and sell
apparatus which complies with the standard."
DES is currently obsolete; its key size is inadequate to
protect against attackers with access to modern computing
resources. The security implications of using DES are
discussed at length in . Historically,
DES was instrumental in the development of modern cryptography;
Differential and Linear Cryptanalysis were developed through the
analysis of the DES algorithm.
DES was designed by an IBM research team led by Horst Feistel, a
German-born cryptographer. DES was a refinement of the earlier
LUCIFER cipher, which is the first modern block cipher that has been
publicly described.
Kcipher-2 was first published in 2011.
It is specified in
and supports a key length of 128 bits, and a 128-bit
initialization vector.
IETF use includes 2 drafts, which specify the cipher and describe
its use in TLS.
Intellectual Property Rights have been claimed on Kcipher-2.
The owners of those rights are KDDI and Qualcomm.
KCipher-2 has been used for industrial applications, especially
for mobile health monitoring and diagnostic services in Japan.
Rabbit was first published in 2003 in a
peer-reviewed workshop.
It is specified in , and
supports a key length of 128 bits, and a 64-bit IV.
The only citation in IETF documents is the cipher specification itself.
Intellectual Property Rights have been claimed on this cipher.
The owner of those rights is Cryptico A/S.
The best known attacks against this cipher have a complexity
greater than 2^128, and thus do not violate its security goals.
Distinguishing attacks were shown in .
Side-channel and fault-injection attacks were considered in and ,
which described state-recovery attacks
with 2^38 complexity.
Rabbit is the only finalist from eSTREAM, the ECRYPT Stream
Cipher Project, that appears in this note. Rabbit has a
relatively small internal state of about 64 bytes, and it
updates all words of state at each iteration, in contrast to RC4
().
RC4 was first described in 1994. No normative specification
exists; it is sometimes called ARCFOUR, which is short for
alleged RC4. The cipher supports key lengths of 8, 16, 24, ...,
1024 bits. RC4 does not accept an initialization vector.
IETF use includes 54 RFCs and 23 drafts, which
describe the use of RC4
in TLS, Kerberos, and SSH.
Intellectual Property Rights have not been claimed
on RC4.
Attack:
A Practical Attack on the Fixed RC4 in the WEP Mode was shown in .
New State Recovery Attack on RC4 was shown in .
Statistical Attack on RC4 - Distinguishing WPA was shown in .
Predicting and Distinguishing Attacks on RC4 Keystream Generator was shown in .
Attack on Broadcast RC4 Revisited was shown in .
Key Collisions of the RC4 Stream Cipher was shown in .
Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers was shown in .
A Practical Attack on Broadcast RC4 was shown in .
Collisions for RC4-Hash was shown in .
Passive-Only Key Recovery Attacks on RC4 was shown in .
Generalized RC4 Key Collisions and Hash Collisions was shown in .
Analysis:
New Correlations of RC4 PRGA Using Nonzero-Bit Differences was shown in .
Cache Timing Analysis of RC4 was shown in .
Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4 was shown in .
Statistical Analysis of the Alleged RC4 Keystream Generator was shown in .
Analysis of RC4 and Proposal of Additional Layers for Better Security Margin was shown in .
Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator was shown in .
Cryptanalysis of RC4-like Ciphers was shown in .
Recovering RC4 Permutation from 2048 Keystream Bytes if j Is Stuck was shown in .
(Not So) Random Shuffles of RC4 was shown in .
Linear Statistical Weakness of Alleged RC4 Keystream Generator was shown in .
New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4 was shown in .
Efficient Reconstruction of RC4 Keys from Internal States was shown in .
A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher was shown in .
One Byte per Clock: A Novel RC4 Hardware was shown in .
New Results on the Key Scheduling Algorithm of RC4 was shown in .
Discovery and Exploitation of New Biases in RC4 was shown in .
Permutation After RC4 Key Scheduling Reveals the Secret Key was shown in .
Weaknesses in the Key Scheduling Algorithm of RC4 was shown in .
Thanks are due to Jon Callas and Kevin Igoe.
This memo includes no request to IANA.
Security is the main topic of this note.
RFC 2119
RFC 5116
RFC 4949
RFC 4772
Internet-Draft draft-kiyomoto-kcipher2
Record Breaking DES Key Search Completed
Announcement of Royalty-free Licenses for Essential
Patents of NTT Encryption and Digital Signature Algorithms
The SMS4 Block Cipher
New Impossible Differential Attacks on Camellia
The Twofish Block Cipher
The Serpent Block Cipher
SKIPJACK and KEA Specifications
Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)
A Proposal for a New Block Encryption Standard
RFC 5794
RFC 6114
RFC 4269
RFC 3713
RFC 2612
RFC 2994
RFC 2268
RFC 2144
RFC 5830
RFC 4503
Specification for the Advanced Encryption Standard (AES)
National Institute of Standards and Technology
Data Encryption Standard (DES)
National Institute of Standards and Technology
Data Encryption Standard (DES) (Revision 3)
National Institute of Standards and Technology
Aria: New Block Cipher
Aria: A Meet-in-the-middle Attack on Aria
Security and Performance Analysis of ARIA
Impossible Differential Cryptanalysis of ARIA Reduced to 7 Rounds
The Smallest ARIA Module with 16-Bit Architecture
New Boomerang Attacks on ARIA
Investigations of Power Analysis Attacks and Countermeasures for ARIA
Clefia: The 128-bit blockcipher CLEFIA
The 128-Bit Blockcipher CLEFIA (Extended Abstract)
CLEFIA: Impossible Differential Cryptanalysis of CLEFIA
Cryptanalysis of CLEFIA Using Differential Methods with Cache Trace Patterns
Differential Fault Analysis on CLEFIA
The Improbable Differential Attack: Cryptanalysis of Reduced Round CLEFIA
SMS4: Linear and Differential Cryptanalysis of Reduced SMS4 Block Cipher
SMS4: Analysis of the Attacking Reduced-Round Versions of the SMS4
Cryptanalysis of Reduced-Round SMS4 Block Cipher
An Analysis of the Compact XSL Attack on BES and Embedded SMS4
Analysis of Two Attacks on Reduced-Round Versions of the SMS4
Attacking Reduced-Round Versions of the SMS4 Block Cipher in the Chinese WAPI Standard
Algebraic Cryptanalysis of SMS4: Gröbner Basis Attack and SAT Attack Compared
New Description of SMS4 by an Embedding over GF(2^8)
The Cryptanalysis of Reduced-Round SMS4
SEED: Differential Cryptanalysis of a Reduced-Round SEED
SEED: Security on Korean Encryption Standard
Differential Cryptanalysis of a Reduced-Round SEED
Side Channel Cryptanalysis on SEED
Camellia: Specification of Camellia--128-bit block cipher
Camellia: Differential, linear, boomerang and rectangle cryptanalysis of reduced-round Camellia
Camellia: Higher order differential attack of Camellia(2)
Parallelizing the Camellia and SMS4 Block Ciphers
Security of Reduced Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis
Improved Collision Attack on Reduced Round Camellia
Unified Hardware Architecture for 128-Bit Block Ciphers AES and Camellia
Improving the Efficiency of Impossible Differential Cryptanalysis of Reduced Camellia and MISTY1
Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others
Improved Upper Bounds of Differential and Linear Characteristic Probability for Camellia
Security of Camellia against Truncated Differential Cryptanalysis
Square Like Attack on Camellia
Square Attack on Reduced Camellia Cipher
Truncated Differential Cryptanalysis of Camellia
Hardware-Focused Performance Comparison for the Standard Block Ciphers AES, Camellia, and Triple-DES
New Results on Impossible Differential Cryptanalysis of Reduced-Round Camellia-128
Improved Impossible Differential Cryptanalysis of Reduced-Round Camellia
New Observation on Camellia
Collision Attack and Pseudorandomness of Reduced-Round Camellia
Higher Order Differential Attack of Camellia (II)
On the Security of CAMELLIA against the Square Attack
Cast-256: The CAST-256 Encryption Algorithm
Cast-256: An Analysis of the CAST-256 Cipher
Higher Order Differential Attack of CAST Cipher
Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
New Linear Cryptanalytic Results of Reduced-Round of CAST-128 and CAST-256
AES: AES Proposal: Rijndael
AES: A collision attack on seven rounds of Rijndael
AES: Related-key boomerang and rectangle attacks
AES: Related-key impossible differential attacks on 8-round AES-192
AES: A meet-in-the-middle attack on 8-round AES
Attacking 9 and 10 Rounds of AES-256
Cache Based Power Analysis Attacks on AES
Principles on the Security of AES against First and Second-Order Differential Power Analysis
A Very Compact "Perfectly Masked" S-Box for AES
Protecting AES Software Implementations on 32-Bit Processors Against Power Analysis
An AES Smart Card Implementation Resistant to Power Analysis Attacks
Differential Fault Analysis on AES
Montgomery's Trick and Fast Implementation of Masked AES
An Improved Differential Fault Analysis on AES-256
Implementation of the AES-128 on Virtex-5 FPGAs
A refined look at Bernstein's AES side-channel analysis (Fast abstract)
Improved Single-Key Attacks on 8-Round AES-192 and AES-256
Related-Key Cryptanalysis of the Full AES-192 and AES-256
The Intel AES Instructions Set and the SHA-3 Candidates
Unbelievable Security. Matching AES Security Using Public Key Systems (Invited Talk)
An Algorithm Based Concurrent Error Detection Scheme for AES
Bitslice Implementation of AES
Improved Collision-Correlation Power Analysis on First Order Protected AES
Higher-Order Glitches Free Implementation of the AES Using Secure Multi-party Computation Protocols
Protecting AES with Shamir's Secret Sharing Scheme
A Fast and Provably Secure Higher-Order Masking of AES S-Box
Information Theoretic and Security Analysis of a 65-Nanometer DDSLL AES S-Box
Meet-in-the-Middle and Impossible Differential Fault Analysis on AES
Efficient Hashing Using the AES Instruction Set
Mixed Bases for Efficient Inversion in F_((2^2)^2)^2 and Conversion Matrices of SubBytes of AES
Provably Secure Higher-Order Masking of AES
Faster and Timing-Attack Resistant AES-GCM
Accelerating AES with Vector Permute Instructions
Algebraic Side-Channel Attacks on the AES: Why Time also Matters in DPA
Multiple-Differential Side-Channel Collision Attacks on AES
High-Performance Concurrent Error Detection Scheme for AES Hardware
A Lightweight Concurrent Fault Detection Scheme for the AES S-Boxes Using Normal Basis
Attacking State-of-the-Art Software Countermeasures-A Case Study for AES
A First-Order DPA Attack Against AES in Counter Mode with Unknown Initial Counter
Collision Attacks on AES-Based MAC: Alpha-MAC
AES Encryption Implementation and Analysis on Commodity Graphics Processing Units
Multi-gigabit GCM-AES Architecture Optimized for FPGAs
Power Analysis Resistant AES Implementation with Instruction Set Extensions
Pinpointing the Side-Channel Leakage of Masked AES Hardware Implementations
A Generalized Method of Differential Fault Attack Against AES Cryptosystem
Cache-Collision Timing Attacks Against AES
Instruction Set Extensions for Efficient AES Implementation on 32-bit Processors
Successfully Attacking Masked AES Hardware Implementations
AES on FPGA from the Fastest to the Smallest
A Very Compact S-Box for AES
A Collision-Attack on AES: Combining Side Channel- and Differential-Attack
Strong Authentication for RFID Systems Using the AES Algorithm
A Differential Fault Attack Technique against SPN Structures with Application to the AES and KHAZAD
Very Compact FPGA Implementation of the AES Algorithm
An Optimized S-Box Circuit Architecture for Low Power AES Design
Simplified Adaptive Multiplicative Masking for AES
Multiplicative Masking and Power Analysis of AES
Architectural Optimization for a 1.82Gbits/sec VLSI Implementation of the AES Rijndael Algorithm
An Implementation of DES and AES Secure against Some Attacks
A Comparative Study of Performance of AES Final Candidates Using FPGAs
Automatic Search of Attacks on Round-Reduced AES and Applications
Distinguisher and Related-Key Attack on the Full AES-256
Essential Algebraic Structure within the AES
Differential Cache-Collision Timing Attacks on AES with Applications to Embedded CPUs
Fault Analysis Attack against an AES Prototype Chip Using RSL
Boosting AES Performance on a Tiny Processor Core
A Fast and Cache-Timing Resistant Implementation of the AES
Cache Based Remote Timing Attack on the AES
Cache Attacks and Countermeasures: The Case of AES
Related-Key Impossible Differential Attacks on 8-Round AES-192
Higher Order Masking of the AES
Design of AES Based on Dual Cipher and Composite Field
An ASIC Implementation of the AES S-Boxes
Pushing the Limits: A Very Compact and a Threshold Implementation of AES
Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds
AES and the Wide Trail Design Strategy (Invited Talk)
Secure Multiparty AES
Fault Based Cryptanalysis of the Advanced Encryption Standard (AES)
Meet-in-the-Middle Preimage Attacks on AES Hashing Modes and an Application to Whirlpool
Fast Software AES Encryption
Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations
Intel's New AES Instructions for Enhanced Performance and Security (Invited Talk)
A Meet-in-the-Middle Attack on 8-Round AES
Related-Key Rectangle Attacks on Reduced AES-192 and AES-256
A Zero-Dimensional Gröbner Basis for AES-128
Provably Secure MACs from Differentially-Uniform Permutations and AES-Based Implementations
The Poly1305-AES Message-Authentication Code
Small Scale Variants of the AES
Related-Key Rectangle Attacks on Reduced Versions of SHACAL-1 and AES-192
A Side-Channel Analysis Resistant Description of the AES S-Box
Further Observations on the Structure of the AES Algorithm
Securing the AES Finalists Against Power Analysis Attacks
On the Pseudorandomness of the AES Finalists - RC6 and Serpent
Advanced Encryption Standard (Discussion)
Compact and Secure Design of Masked AES S-Box
Trace-Driven Cache Attacks on AES (Short Paper)
On Some Weak Extensions of AES and BES
Cryptanalysis of some AES Candidate Algorithms
Protecting White-Box AES with Dual Ciphers
New Results on Impossible Differential Cryptanalysis of Reduced AES
An Algebraic Masking Method to Protect AES Against Power Attacks
An FPGA Implementation of CCM Mode Using AES
A Simple Power-Analysis (SPA) Attack on Implementations of the AES Key Expansion
Cache Games - Bringing Access-Based Cache Attacks on AES to Practice
Advanced Encryption Standard (AES) - An Update
Attack on a Higher-Order Masking of the AES Based on Homographic Functions
Improved Impossible Differential Cryptanalysis of 7-Round AES-128
Cryptanalysis of a Perturbated White-Box AES Implementation
A Program Generator for Intel AES-NI Instructions
Improved Meet-in-the-Middle Attacks on AES
New Related-Key Boomerang Attacks on AES
New Impossible Differential Attacks on AES
New AES Software Speed Records
Related-Key Differential-Linear Attacks on Reduced AES-192
Design of a Differential Power Analysis Resistant Masked AES S-Box (Short Presentation)
AES Software Implementations on ARM7TDMI
Vortex: A New Family of One-Way Hash Functions Based on AES Rounds and Carry-Less Multiplication
Comparative Evaluation of Rank Correlation Based DPA on an AES Prototype Chip
Bitstream Encryption and Authentication Using AES-GCM in Dynamically Reconfigurable Systems
Low Power AES Hardware Architecture for Radio Frequency Identification
Securing RSA-KEM via the AES
Transactional contention management as a non-clairvoyant scheduling problem
Tweaking AES
Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher
A More Compact AES
An Improved Recovery Algorithm for Decayed AES Key Schedule Images
Biclique Cryptanalysis of the Full AES
Improved Side-Channel Collision Attacks on AES
Analysis of Countermeasures Against Access Driven Cache Attacks on AES
Improved Related-Key Impossible Differential Attacks on Reduced-Round AES-192
Advances on Access-Driven Cache Attacks on AES
Proving the Security of AES Substitution-Permutation Network
Provably Secure Masking of AES
Cryptanalysis of a White Box AES Implementation
Related-Key Differential Cryptanalysis of 192-bit Key AES Variants
White-Box Cryptography and an AES Implementation
Using Normal Bases for Compact Hardware Implementations of the AES S-Box
Understanding Two-Round Differentials in AES
Improved Trace-Driven Cache-Collision Attacks against Embedded AES Implementations
A Probing Attack on AES
An Efficient Masking Scheme for AES Software Implementations
Secure and Efficient AES Software Implementation for Smart Cards
Distinguishers for Ciphers and Known Key Attack against Rijndael with Large Blocks
Improving Integral Attacks Against Rijndael-256 Up to 9 Rounds
In How Many Ways Can You Write Rijndael?
On the Security of Rijndael-Like Structures against Differential and Linear Cryptanalysis
A Compact Rijndael Hardware Architecture with S-Box Optimization
NanoCMOS-Molecular Realization of Rijndael
EM Analysis of Rijndael and ECC on a Wireless Java-Based PDA
Power Analysis of an FPGA: Implementation of Rijndael: Is Pipelining a DPA Countermeasure?
Efficient Implementation of Rijndael Encryption in Reconfigurable Hardware: Improvements and Design Tradeoffs
High Performance Single-Chip FPGA Rijndael Algorithm Implementations
Two Methods of Rijndael Implementation in Reconfigurable Hardware
A Systematic Evaluation of Compact Hardware Implementations for the Rijndael S-Box
Consistent Differential Patterns of Rijndael
Improved Impossible Differential Attacks on Large-Block Rijndael
Impossible-Differential Attacks on Large-Block Rijndael
Experimental Testing of the Gigabit IPSec-Compliant Implementations of Rijndael and Triple DES Using SLAAC-1V FPGA Accelerator Board
Known-Key Attacks on Rijndael with Large Blocks and Strengthening ShiftRow Parameter
A Simple Algebraic Representation of Rijndael
Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael
The Round Functions of RIJNDAEL Generate the Alternating Group
Twofish: Cryptanalysis of twofish(2)
The Saturation Attack - A Bait for Twofish
Improved Impossible Differentials on Twofish
On the Twofish Key Schedule
Serpent: Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent
Serpent: The rectangle attack-rectangling the serpent
Serpent: The differential cryptanalysis of an AES finalist-serpent
Serpent: Linear cryptanalysis of reduced round serpent
Serpent: Differential-Linear cryptanalysis of serpent
Multidimensional Linear Cryptanalysis of Reduced Round Serpent
A Dynamic FPGA Implementation of the Serpent Block Cipher
The Rectangle Attack - Rectangling the Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Differential-Linear Cryptanalysis of Serpent
Linear Cryptanalysis of Reduced Round Serpent
Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent
Serpent: A New Block Cipher Proposal
A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent
A Differential-Linear Attack on 12-Round Serpent
Fault Analysis of Rabbit: Toward a Secret Key Leakage
Improved Distinguishing Attack on Rabbit
Cryptanalysis of Rabbit
Differential Fault Analysis of Rabbit
Rabbit: A New High-Performance Stream Cipher
Side-Channel Analysis of the K2 Stream Cipher
Differential Cryptanalysis of DES-like Cryptosystems
Linear Cryptanalysis Method for DES Cipher
Attacking Triple Encryption
A Known Plaintext Attack on Two-Key Triple Encryption
The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs
New Correlations of RC4 PRGA Using Nonzero-Bit Differences
Recovering RC4 Permutation from 2048 Keystream Bytes if j Is Stuck
Cache Timing Analysis of RC4
A Practical Attack on the Fixed RC4 in the WEP Mode
New State Recovery Attack on RC4
(Not So) Random Shuffles of RC4
Statistical Attack on RC4 - Distinguishing WPA
Predicting and Distinguishing Attacks on RC4 Keystream Generator
Linear Statistical Weakness of Alleged RC4 Keystream Generator
Attack on Broadcast RC4 Revisited
Key Collisions of the RC4 Stream Cipher
New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4
Efficient Reconstruction of RC4 Keys from Internal States
Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers
Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4
A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher
A Practical Attack on Broadcast RC4
Statistical Analysis of the Alleged RC4 Keystream Generator
One Byte per Clock: A Novel RC4 Hardware
Analysis of RC4 and Proposal of Additional Layers for Better Security Margin
New Results on the Key Scheduling Algorithm of RC4
Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator
Collisions for RC4-Hash
Discovery and Exploitation of New Biases in RC4
Passive-Only Key Recovery Attacks on RC4
Permutation After RC4 Key Scheduling Reveals the Secret Key
Weaknesses in the Key Scheduling Algorithm of RC4
Cryptanalysis of RC4-like Ciphers
Generalized RC4 Key Collisions and Hash Collisions
Provable Security for the Skipjack-like Structure against Differential Cryptanalysis and Linear Cryptanalysis
Differential cryptanalysis of eight-round SEED
Truncated Differentials and Skipjack
Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials
Saturation Attacks on Reduced Round Skipjack
Flaws in Differential Cryptanalysis of Skipjack
Markov Truncated Differential Cryptanalysis of Skipjack
Initial Observations on Skipjack: Cryptanalysis of Skipjack-3XOR (Invited Talk)
An Improved Impossible Differential Attack on MISTY1
A Very Compact Hardware Implementation of the MISTY1 Block Cipher
Cryptanalysis of Reduced-Round MISTY
Improved Cryptanalysis of MISTY1
Round Security and Super-Pseudorandomness of MISTY Type Structure
New Block Encryption Algorithm MISTY
Higher Order Differential Attacks on Reduced-Round MISTY1
On MISTY1 Higher Order Differential Cryptanalysis
Improved Integral Attacks on MISTY1
Security of the MISTY Structure in the Luby-Rackoff Model: Improved Results
Security Analysis of MISTY1
On the Design and Security of RC2
A New Class of Weak Keys for Blowfish
On the Weak Keys of Blowfish
Description of a New Variable-Length Key 64-bit Block Cipher (Blowfish)
256 Bit Standardized Crypto for 650 GE - GOST Revisited
Cryptanalysis of the GOST Hash Function
Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES
A Single-Key Attack on the Full GOST Block Cipher
A (Second) Preimage Attack on the GOST Hash Function
Differential Cryptanalysis of Reduced Rounds of GOST
New Cryptanalytic Results on IDEA
On Applying Linear Cryptanalysis to IDEA
DPA on n-Bit Sized Boolean and Arithmetic Operations and Its Application to IDEA, RC6, and the HMAC-Construction
Switching Blindings with a View Towards IDEA
Tradeoffs in Parallel and Serial Implementations of the International Data Encryption Algorithm IDEA
Weak Keys for IDEA
Fault Analysis Study of IDEA
Differential-Linear Weak Key Classes of IDEA
Two Attacks on Reduced IDEA
On the Security of the IDEA Block Cipher
Revisiting the IDEA Philosophy
A New Attack on 6-Round IDEA
New Attacks Against Reduced-Round Versions of IDEA
Cryptanalysis of IDEA-X/2
Miss in the Middle Attacks on IDEA and Khufu
New Weak-Key Classes of IDEA
Nonlinearity Properties of the Mixing Operations of the Block Cipher IDEA
A Note on Weak Keys of PES, IDEA, and Some Extended Variants
Improved DST Cryptanalysis of IDEA
A New Meet-in-the-Middle Attack on the IDEA Block Cipher
Square-like Attacks on Reduced Rounds of IDEA
IDEA: A Cipher For Multimedia Architectures?