Internet Research Task Force                                  D. McGrew
Internet-Draft                                            Cisco Systems
Intended status: Informational                                  S. Shen
Expires: April 25, 2013                      Chinese Academy of Science
                                                       October 22, 2012

                    Ciphers in Use in the Internet
                  draft-irtf-cfrg-cipher-catalog-01

Abstract

This note catalogs the ciphers in use on the Internet, to guide users and standards processes. It presents the security goals, security analysis and results, specification, intellectual property considerations, and publication date of each cipher. Background information and security guidance is provided as well.
Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 25, 2013.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Document History
   1.2. Requirements Language
2. Background
   2.1. Attack Models
   2.2. Security Goals
      2.2.1. Exhaustive Search
      2.2.2. Attacks on reduced-round versions
      2.2.3. Indistinguishability and the birthday bound
3. Guidance
   3.1. AES Compatibility
4. 128-bit Block Ciphers
   4.1. ARIA
   4.2. CLEFIA
   4.3. SMS4
   4.4. SEED
   4.5. Camellia
   4.6. CAST-256
   4.7. Advanced Encryption Standard (AES)
   4.8. Twofish
   4.9. Serpent
5. 64-bit Block Ciphers
   5.1. MISTY1
   5.2. SKIPJACK
   5.3. RC2
   5.4. CAST-128
   5.5. BLOWFISH
   5.6. International Data Encryption Algorithm (IDEA)
   5.7. GOST 28147-89
   5.8. Triple Data Encryption Standard (TDES)
   5.9. Data Encryption Standard (DES)
6. Stream Ciphers
   6.1. Kcipher-2
   6.2. Rabbit
   6.3. RC4
7. Acknowledgements
8. IANA Considerations
9. Security Considerations
10. References
   10.1. Normative References
   10.2. Informative References
Authors' Addresses

1. Introduction

This note is a catalog of the ciphers in use on the Internet, and/or defined or referenced in IETF RFCs.

This note is not a standards document; instead it aims to capture the consensus of the Crypto Forum Research Group at the time of publication, and to provide technical guidance to standards groups that are selecting ciphers.

This note groups together ciphers with similar block structure, and lists ciphers in decreasing order of the year of their publication.

1.1. Document History

This is the second version of this note; it is a work in progress, and it should not yet be considered as representative of a consensus. Comments are solicited and should be sent to the authors and to cfrg@irtf.org.

This section is to be removed by the RFC Editor upon publication as an RFC.

1.2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2. Background

A cipher is an encryption method. Encryption is a transformation of data that uses a secret key to change a plaintext value, which needs to be kept secret, into a ciphertext value, which can be safely revealed without loss of the confidentiality of the plaintext. Ciphertext can be converted back into plaintext, through the use of the secret key, via a decryption algorithm that is the reverse of the encryption algorithm.
Importantly, encryption does not protect the integrity or authenticity of the plaintext; it does not provide a data integrity service, or a data origin authentication service [RFC4949].

Authenticated Encryption is an encryption method that does protect the integrity and authenticity of the plaintext, as well as the confidentiality of the plaintext. Authenticated Encryption with Associated Data (AEAD) protects the confidentiality, integrity, and authenticity of the plaintext, and also protects the integrity and authenticity of some associated data [RFC5116].

A Block Cipher is an encryption algorithm that encrypts a fixed-size plaintext block with a secret key, resulting in a fixed-size ciphertext block. The encryption is reversible, so that the plaintext block can be computed from the key and the ciphertext block. Block ciphers are not directly used to encrypt data, but instead are used in a mode of operation, as described below. A block cipher has two parameters: block size (the number of bits in the fixed-size blocks), and key size (the number of bits in the key). Some block ciphers accept more than one key size.

A Block Cipher Mode of Operation is a method for encrypting and/or authenticating data. Most modes of operation can operate on arbitrary-length data, unlike the block cipher itself, which can only operate on fixed-length data. The mode of operation logically breaks plaintext into fixed-size blocks, and processes these blocks using the block cipher (and other operations such as bitwise exclusive-or).

A Stream Cipher is an encryption method that does not use a block cipher, and is not used in a mode of operation; instead, the stream cipher defines its own encryption method. Most stream ciphers encrypt plaintext by generating pseudorandom data with a secret key, then bitwise exclusive-oring the pseudorandom data with the plaintext to produce the ciphertext. Some stream ciphers take an Initialization Vector (IV) as input; a different IV is provided to the cipher for each different message that is encrypted. A stream cipher has two parameters: IV size (the number of bits in the IV), and key size (the number of bits in the key). Some stream ciphers accept more than one key size.

2.1. Attack Models

There are many different attack models that are used to analyze the security of ciphers. An attack model is a formal statement of the attacker's capabilities. A particular cipher may be strong in one attack model, but weak in another; the suitability of that cipher for use in a particular application will depend entirely on the attacker's actual capabilities in the real world.

In a Known-Plaintext Attack (KPA), the attacker knows some (but not all) of the plaintexts that are encrypted with an unknown secret key, and can learn the resulting ciphertexts. The attacker's goal is to determine the value of some of the unknown plaintexts.

In a Chosen-Plaintext Attack (CPA), the attacker can choose some (but not all) of the plaintexts that are encrypted with an unknown secret key, and can learn the resulting ciphertexts. A CPA is adaptive if the attacker can adapt the plaintexts that it chooses based on the ciphertexts that it observes. The attacker's goal is to determine the value of some of the plaintexts that it does not choose and that it does not know.

In a Chosen-Ciphertext Attack (CCA), the attacker can cause the decryption of some ciphertexts of its choice, and can learn the results of those decryptions. The attacker can also observe the ciphertext resulting from the encryption of some unknown plaintexts.
A CCA is adaptive if the attacker can adapt the ciphertexts that it chooses based on other data that it observes. The attacker's goal is to determine the value of some of the unknown plaintexts. (Authenticated Encryption protects against these attacks.)

In a Related-Key Attack (RKA), the attacker can cause the encryption of unknown plaintext values under two or more keys, where the relationship between the keys is known to the attacker, but the actual value of the keys is not known. For example, if keys K1 and K2 are in use, the attacker might know the value of the bitwise exclusive-or of K1 and K2, while not knowing the value of either key. Related-Key Attacks do not have any effect on security when keys are chosen independently, as is the case in most communication security protocols. It is a theoretical impossibility for a cipher to be resistant to all types of RKAs, which underscores the need for sound key generation and key management.

In a Side-Channel Attack (SCA), the attacker has access to physical side information beyond the digital representation of the plaintexts and ciphertexts, such as the voltage levels used during the encryption process, or fine-grained timing information about the duration of the encryption operations. SCAs act against an implementation of a cipher, rather than against the cipher design, since the side information is a property of the former and not the latter. Nonetheless, it is important to study methods of defending a particular cipher design from SCAs.

In a Key Recovery Attack (KRA), the attacker learns the secret key that is used to encrypt some ciphertext. In a Plaintext Recovery Attack (PRA), the attacker learns some unknown plaintext, but does not learn the secret key. A successful KRA is devastating, but a successful PRA can also be just as damaging.

2.2. Security Goals

There are several security goals for block ciphers; understanding these goals is important to understanding the actual security provided by ciphers in the real world. This section reviews the most important security goals.

2.2.1. Exhaustive Search

For each cipher, the best attack is described. Any cipher can be defeated, in theory, by exhaustively searching over every possible key, but in practice this attack is computationally feasible only for smaller key sizes. The 1998 Deep Crack machine cost $250,000 and could break a 56-bit key by exhaustive search in about one day [K98]. Due to the exponentially fast decrease in the cost of computing power (Moore's Law), the length of a key that can be broken for a fixed amount of money goes up by one bit every 1.5 years. Combining these facts, we estimate that a $250,000 machine can break 66-bit keys via exhaustive search in 2013, and that a $32M machine can break 73-bit keys.

2.2.2. Attacks on reduced-round versions

In most block ciphers, the encryption operation essentially consists of a round function that is repeated multiple times, each time with a different subkey. The plaintext block is input to the first round, and the ciphertext block is the output of the final round. Cryptanalysts investigating the security of a block cipher often consider the strength of the cipher against reduced-round versions, that is, a variant of the cipher that includes fewer rounds than the actual cipher. Most attacks against block ciphers can be easily generalized to attacks on reduced-round variants of block ciphers. The effectiveness of an attack against a block cipher is measured, in part, by the number of rounds that the attack can defeat.

The number of chosen plaintext blocks, chosen ciphertext blocks, or known plaintext blocks that are used in an attack is an important measure of the strength of that attack. For instance, an attack against a 128-bit block cipher that requires more than 2^64 known plaintext blocks has little effect on practical security, because those ciphers are not used to encrypt that much data with a single key (see Section 2.2.3).

2.2.3. Indistinguishability and the birthday bound

An encryption method is indistinguishable from random whenever its ciphertext cannot be distinguished from a random value by a computationally limited adversary. This idea has been mathematically formalized, and is fundamental to the analysis of ciphers. A cipher cannot be secure unless it is indistinguishable, and thus, this is the main security goal.

Typical block cipher modes of operation are insecure when the amount of data processed by a single key is larger than w * 2^(w/2) bits, where w is the block size of the block cipher. (Here and below 2^w denotes 2 to the power w.) This limit is called the birthday bound, by analogy to the fact that, in a group of people, a birthday common to two people is more likely than one might expect. The birthday bound is a primary consideration for the security of block ciphers. Above the birthday bound, all of the block cipher modes of operation that are in common use are distinguishable from random, and are vulnerable to plaintext recovery attacks.

   The bound for a 64-bit block cipher is 2^34 bytes, or 4 Gigabytes, and

   The bound for a 128-bit block cipher is 2^67 bytes, or 128 Trillion Gigabytes.

In practice, it is highly desirable that the amount of data is significantly below the birthday bound, in order to make the likelihood of a successful plaintext recovery attack negligible.
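The following Python is an added example, not part of the draft: it applies the Section 2.2.1 cost extrapolation, the Section 2.2.3 birthday bound (evaluated directly from w * 2^(w/2) bits) and the Section 3.1 AES-compatibility test to a cipher's block and key sizes. The small cipher table, the default budget and year, and the safety-margin parameter are assumptions of the example.

```python
"""Added example, not part of the draft: applies the rules of thumb from
Sections 2.2.1 (exhaustive search cost), 2.2.3 (birthday bound) and 3.1
(AES compatibility) to a cipher's block size and key sizes.  The cipher
table, the default budget and year, and the safety margin are assumptions."""
import math

# Section 2.2.1 calibration point: Deep Crack, 1998, USD 250,000,
# 56-bit key by exhaustive search in about one day.
BASE_YEAR = 1998
BASE_COST_USD = 250_000
BASE_KEY_BITS = 56
YEARS_PER_BIT = 1.5  # one more breakable bit per 1.5 years at fixed cost

AES_BLOCK_BITS = 128
AES_KEY_BITS = {128, 192, 256}


def breakable_key_bits(budget_usd: float, year: int) -> int:
    """Largest key size a machine costing `budget_usd` is estimated to
    exhaust in about a day in `year` (the Section 2.2.1 extrapolation)."""
    bits_from_money = math.log2(budget_usd / BASE_COST_USD)
    bits_from_time = (year - BASE_YEAR) / YEARS_PER_BIT
    return math.floor(BASE_KEY_BITS + bits_from_money + bits_from_time + 1e-9)


def year_key_falls(key_bits: int, budget_usd: float) -> int:
    """First year in which the same model puts `key_bits` within reach of
    `budget_usd`; a result before 1998 means it was already within reach."""
    bits_from_money = math.log2(budget_usd / BASE_COST_USD)
    years_needed = (key_bits - BASE_KEY_BITS - bits_from_money) * YEARS_PER_BIT
    return BASE_YEAR + math.ceil(years_needed - 1e-9)


def birthday_bound_blocks(block_bits: int) -> int:
    """2^(w/2): the number of blocks beyond which common modes of
    operation become distinguishable from random (Section 2.2.3)."""
    return 1 << (block_bits // 2)


def birthday_bound_bytes(block_bits: int) -> int:
    """w * 2^(w/2) bits expressed in bytes: 2^35 for w = 64, 2^68 for w = 128."""
    return block_bits * birthday_bound_blocks(block_bits) // 8


def within_birthday_margin(block_bits: int, data_bytes: int,
                           margin_bits: int = 10) -> bool:
    """True if `data_bytes` under one key stays at least 2^margin_bits below
    the birthday bound.  The margin is an assumed policy knob; the draft
    only asks for the data volume to be 'significantly below' the bound."""
    return data_bytes * (1 << margin_bits) <= birthday_bound_bytes(block_bits)


def aes_compatibility(block_bits: int, key_bits: set) -> str:
    """Section 3.1 classification: 'full' (same block size and all three
    AES key sizes), 'partial' (same block size, at least one AES key
    size) or 'none'."""
    if block_bits != AES_BLOCK_BITS:
        return "none"
    if AES_KEY_BITS <= key_bits:
        return "full"
    if AES_KEY_BITS & key_bits:
        return "partial"
    return "none"


def assess(name: str, block_bits: int, key_bits: set,
           budget_usd: float = 32_000_000, year: int = 2013) -> dict:
    """Summarise one catalog entry against the three rules of thumb.
    The default budget and year are the draft's USD 32M / 2013 figures."""
    weakest_key = min(key_bits)
    return {
        "cipher": name,
        "exhaustive_search_feasible": weakest_key <= breakable_key_bits(budget_usd, year),
        "year_weakest_key_falls": year_key_falls(weakest_key, budget_usd),
        "max_blocks_per_key": birthday_bound_blocks(block_bits),
        "birthday_bound_bytes": birthday_bound_bytes(block_bits),
        "aes_compatibility": aes_compatibility(block_bits, key_bits),
    }


# Constructed sample of catalog entries: (block size, key sizes) in bits.
CATALOG = {
    "AES": (128, {128, 192, 256}),
    "ARIA": (128, {128, 192, 256}),
    "CAST-256": (128, {128, 160, 192, 224, 256}),
    "SEED": (128, {128}),
    "SMS4": (128, {128}),
    "DES": (64, {56}),
}

if __name__ == "__main__":
    for cipher_name, (w, keys) in CATALOG.items():
        print(assess(cipher_name, w, keys))
```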
It is highly desirable that a block cipher be indistinguishable from random even if the attacker knows most of the 2^w possible w-bit plaintext/ciphertext pairs for a given key. However, because of the birthday bound, a block cipher should not be used to encrypt more than 2^(w/2) plaintexts, and attacks against a block cipher that require more than 2^(w/2) plaintexts or ciphertexts likely have no effect on the practical security of that cipher.

3. Guidance

It is STRONGLY RECOMMENDED that any cipher used be secure in the KPA, adaptive CPA, and adaptive CCA models. The security against this type of attack is determined by the cipher design.

It is RECOMMENDED that any implementation of a cipher be secure in the SCA model, and it is STRONGLY RECOMMENDED that any implementation that must operate while in the physical possession of an attacker be secure in the SCA model. The security against this type of attack is determined by the particulars of the implementation, and not the design of the cipher. However, a specific cipher design may be easier to implement such that it is secure in the SCA model, compared to other ciphers.

When encryption is in use, it is STRONGLY RECOMMENDED that either 1) Authenticated Encryption or AEAD be used, or 2) an encryption method be used in conjunction with an algorithm that protects the authenticity of the data, such as a Message Authentication Code [RFC4949].

64-bit block ciphers SHOULD NOT be used in general-purpose systems, because of the plaintext recovery attacks that are possible against them. When a 64-bit block cipher is used for legacy reasons, it is RECOMMENDED that the amount of data encrypted by a single key be limited to 1 Megabyte. For special purpose applications in which the amount of encrypted data is below this threshold, 64-bit block ciphers MAY be used.

3.1. AES Compatibility

At present, the most widely used cipher is the Advanced Encryption Standard (see Section 4.7), which is believed to provide adequate security for the foreseeable future. It has a block size of 128 bits, and key sizes of 128, 192, or 256 bits. We say that a cipher is AES-compatible if it supports the same block and key sizes, and that a cipher is partially AES-compatible if it supports the same block size and at least one of the key sizes.

AES-compatible ciphers include ARIA, CAST-256, Camellia, Serpent, and Twofish. Partly-AES-compatible ciphers include SEED and SMS4, both of which only support 128-bit keys. All of these ciphers, except for SMS4, are either free from intellectual property claims, or are available worldwide royalty free.

The existence of strong ciphers that are free of intellectual property restrictions shows that it is not necessary to use encumbered ciphers in order to obtain good security.

4. 128-bit Block Ciphers

4.1. ARIA

ARIA was first published in 2003 [NBC:KKP03] by a large group of researchers from the Republic of South Korea. It is specified in [RFC5794], and supports a block length of 128 bits and key lengths of 128 bits, 192 bits, and 256 bits. Thus ARIA is AES-compatible.

IETF uses include 21 RFCs and 11 Internet Drafts.

Intellectual Property Rights have not been claimed on ARIA.

The best known attack against this cipher is a meet-in-the-middle attack on 8 rounds (out of 12) with data complexity 2^56, which was shown in [MMA:TSLL10]. There have been other analyses as well. Classical linear and differential cryptanalysis were shown in [SPAA:BC03]. Truncated differential, boomerang and slide attacks were shown in [INDOCRYPT:FFGL10] and [SPAA:BC03]. Impossible differential cryptanalysis appeared in [CANS:DuChe10]. SCA security was considered in [WISA:YHMOM06].
In 2004, the Korean Agency for Technology and Standards selected ARIA as a standard cryptographic technique. The algorithm uses a substitution-permutation network (SPN) structure like that of AES. The number of rounds is 12, 14, or 16, depending on the key size. ARIA uses two 8 x 8-bit substitution tables and their inverses in alternate rounds; one of these is the AES substitution table. The key schedule processes the key using a 3-round 256-bit Feistel cipher.

4.2. CLEFIA

CLEFIA was designed by the SONY corporation, and was first published in 2007 [BC:SSAMI07], [FSE:SSAMI07]. It is specified in [RFC6114], and supports key lengths of 128, 192, and 256 bits.

IETF uses include 1 RFC, which specifies the cipher, and 2 Internet Drafts, defining its use in IPsec and TLS.

Intellectual Property Rights have been claimed on CLEFIA. The owner of those rights is SONY.

The best known attack against this cipher is the improbable differential cryptanalysis of reduced-round CLEFIA presented in [INDOCRYPT:Tezcan10]. It requires 2^126.8 chosen plaintexts and breaks 13 (out of 18) rounds with a complexity of 2^126.8 encryptions for the key size of 128 bits. Similar attacks apply for 14 and 15 rounds of CLEFIA for the key sizes 192 and 256 bits, respectively.

This cipher has also been analyzed by differential and linear cryptanalysis. Impossible Differential Cryptanalysis was shown in [IDCC:TTSSSK08]. SCA has been considered; cryptanalysis using differential methods with cache trace patterns was described in [RSA:RebMuk11] and differential fault analysis was described in [ICICS:CheWuFen07].

CLEFIA has 18, 22, or 16 rounds, for key sizes of 128 bits, 192 bits, and 256 bits, respectively. It is intended to be used in Digital Rights Management (DRM) systems.

4.3. SMS4

SMS4 was first published in 2006. It is specified in [SMS4], and supports a key length of 128 bits.

There are not yet any IETF uses.

Intellectual Property Rights have been claimed on SMS4. The owner of those rights is BDST.

The best known attacks against SMS4 are the linear and differential attacks against 22 rounds (out of 32) shown in [LDC:KKHS08]. These attacks require 2^117 known plaintexts and 2^118 chosen plaintexts, respectively. Rectangle and impossible differential attacks were shown in [AARRS:DT08]. Other attacks against reduced-round versions of SMS4 have appeared [ACISP:ZhaZhaWu08] [SAC:EtrRob08] [ICICS:TozDun08] [ICICS:Lu07].

Algebraic and XLS attacks against reduced-round SMS4 have been pursued [CANS:ChoYapKho09] [ICISC:EriDinChr09] [INDOCRYPT:JiHu07].

SMS4 is used in the Chinese National Standard for Wireless LAN WAPI. SMS4 was proposed for use in the IEEE 802.11i standard, but so far has been rejected by ISO. One of the reasons for the rejection has been opposition to the WAPI fast-track proposal by the IEEE. SMS4 uses an 8-bit substitution table, and performs 32 rounds to process one block. A non-linear key schedule is used to produce the round keys.

4.4. SEED

SEED was first published in 1998. It is specified in [RFC4269], and supports a key length of 128 bits.

IETF use includes 7 RFCs and 1 Internet Draft, which specify the cipher and define its use in CMS, TLS, IPsec, SRTP, and MIKEY.

Intellectual Property Rights have not been claimed on SEED.

The best attack against SEED is a differential attack against eight (out of 16) rounds [S11] that requires 2^125 chosen plaintexts. Differential and linear attacks were also shown [DC:YS03] [SKES:WMF03] [SCN:YanShi02]. SCA was considered in [WISA:YKHMP04].
SEED is a 16-round Feistel network that uses two 8 x 8 S-boxes that are derived from discrete exponentiation, as in the design of the SAFER block cipher. It was developed by the Korean Information Security Agency (KISA). It is used broadly in South Korea, but not often used elsewhere. It was adopted in Korea because the 40-bit "export strength" cryptography, as was common at the time in the Secure Sockets Layer (SSL) in web browsers, was rightly regarded as insufficient; KISA developed its own SEED standard to address this. However, SEED is a national rather than an international standard, and this limits the interoperability of SEED implementations in communications across national borders.

4.5. Camellia

Camellia was first published in 2000 in [SC:AIKMMNT00]. It is specified in [RFC3713], and supports key lengths of 128, 192, and 256 bits.

IETF uses include 15 RFCs and 6 Internet Drafts, which specify the cipher and define its use in XMLsec, TLS, IPsec, OpenPGP, CMS, PSKC, and Kerberos.

Intellectual Property Rights have been claimed on Camellia. The owner of those rights is NTT, who has stated that it "intends to grant royalty-free licenses for the essential patents" needed to implement Camellia [NTT].

The best known attack against Camellia is an impossible differential attack against 10 (out of 18) rounds that uses 2^112.4 chosen plaintext blocks [ISPEC:BaiLi11]. Higher order differential attacks were shown in [HRDA:HSK02] and [SAC:HatSekKan02]. Truncated and impossible differential cryptanalysis have been presented [AC:SugKobIma01] [ICISC:LHLLY01] [FSE:KanMat01] [DLBRC:S02] [RSA:LKKD08] [SAC:WuZhaZha08] [SAC:MSDB09] [FSE:ShiKanAbe02]. Other analyses include the square attack (integral cryptanalysis) [ICICS:LeiLiFen07] [FSE:YeoParKim02] [ICICS:HeQin01] and collision attacks [CANS:JieZho06] [SAC:WuFenChe04].

Camellia is a 128-bit block cipher jointly developed by Mitsubishi and NTT. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard. Camellia's block size is 16 bytes (128 bits). The block cipher was designed to be suitable for both software and hardware implementations, from low-cost smart cards to high-speed network systems. Camellia is a Feistel cipher with either 18 rounds (for 128-bit keys) or 24 rounds (for 192 or 256 bit keys). Every six rounds, a logical transformation layer is applied: the so-called "FL-function" or its inverse. Camellia uses four 8 x 8-bit S-boxes with input and output affine transformations and logical operations. The cipher also uses input and output key whitening. The diffusion layer uses a linear transformation based on an MDS matrix with a branch number of 5.

4.6. CAST-256

CAST-256 was first published in 1998 in [EA:C98]. It is specified in [RFC2612], and supports key lengths of 128, 160, 192, 224 and 256 bits.

Its IETF use is RFC 2612, which defines the cipher.

Intellectual Property Rights have been claimed on CAST-256 by Entrust. According to RFC 2612, it "is available worldwide on a royalty-free and license-free basis for commercial and non-commercial uses."

The best known attack against 12 (out of 48) rounds of CAST-256 is a linear attack that requires 2^101 known plaintext blocks [SAC:WamWanHu08]. Other analysis includes differential and linear attacks [CA:AHTW99] and higher order differential attacks [FSE:MorShiKan98].

The CAST-256 (or CAST6) block cipher was submitted as a candidate for the Advanced Encryption Standard (AES); however, it was not among the five AES finalists. It is an extension of an earlier cipher, CAST-128; both were designed according to the "CAST" design methodology invented by Carlisle Adams and Stafford Tavares. Howard Heys and Michael Wiener also contributed to the design. CAST-256 uses the same elements as CAST-128, including S-boxes, but is adapted for a block size of 128 bits, twice the size of its 64-bit predecessor. (A similar construction occurred in the evolution of RC5 into RC6.) CAST-256 is composed of 48 rounds, sometimes described as 12 "quad-rounds", arranged in a generalised Feistel network.

4.7. Advanced Encryption Standard (AES)

AES was first published in 1998 in [AP:DR99], and was originally called RIJNDAEL. It is specified in [FIPS-197], and supports key lengths of 128, 192, and 256 bits.

IETF uses include 29 RFCs and 3 Internet Drafts.

Intellectual Property Rights have not been claimed on AES.

The best known attack against this cipher is biclique cryptanalysis, which works against the full 10 rounds of AES-128 and requires 2^88 chosen plaintexts and 2^126 operations [AC:BogKhoRec11]. Besides this work, there has been considerable attention paid to the AES cipher by cryptanalysts, making it the most-studied cipher ever. Much of this work is in the KPA, CPA, and CCA models [C:BouDerFou11] [FSE:DemSel08] [FSE:BucPysWei06] [INDOCRYPT:DTCB09] [INDOCRYPT:LDKK08] [SAC:MPRS09] [AC:PSCYL02] [SAC:ZWZF06] [CAOR:GM00] [KRBR:BDK05] [RKIDA:BDK06] [MITMA:DS08] [ACISP:FleGorLuc09] [SAC:KelMeiTav01] [FSE:GilPey10] [AC:DunKelSha10] [AFRICACRYPT:GalMin08] [FSE:Sasaki11] [EC:BirNik10] [ISC:ZWPKY08] [ISC:NakPav07].

The RKA model for AES has also been well studied [C:BirKhoNik09] [SAC:JakDes03] [AC:BirKho09] [INDOCRYPT:ZZWF07] [INDOCRYPT:GorLuc08] [FSE:HKLP05] [RSA:BihDunKel06] [FSE:KimHonPre07] [IWSEC:Sasaki10].
576 Considerable work has been done on SCA, including power analysis 577 attacks and defenses [CHES:GouMar11] [CHES:CFGRV11] [AFRICACRYPT: 578 GenProQui11] [AFRICACRYPT:AliMuk11] [ACNS:LuPanHar10] [ACNS:CanBat08] 579 [ACNS:TilHerMan07] [ASIACCS:NevSeiWan06] [ACISP:FouTun06] [ACNS: 580 DusLetViv03] [INDOCRYPT:KumMukCho07] [ISC:BatGieLem08] [SAC: 581 Bogdanov07] [CANS:ZhaYuLiu10] [CHES:KimHonLim11] [CHES:RKSF11] [SAC: 582 CEJV02] [CHES:DerFouLer11] [ICISC:ZhaWuFen07] [INDOCRYPT:MDRM10] 583 [INDOCRYPT:MulWysPre10] [FSE:OMPR05] [CHES:RivPro10] [CHES: 584 Bogdanov08] [CHES:RenStaVey09] [CHES:SSHA08] [CHES:KerRey08] [CHES: 585 TilHer08] [CHES:Jaffe07] [CHES:SLFP04] [CHES:PirQui03] [CHES: 586 ManPraOsw05] [CHES:AkkGir01] [CHES:TriDeSGer02] [CHES:GolTym02] [RSA: 587 BEPW10] [RSA:SakYagOht09] [FC:BloSei03] [ICICS:ZSMTS07] [RSA: 588 SchPaa06] [ICISC:Mangard02] [INDOCRYPT:ProRoc10] [WISA:SchKim08] 589 [WISA:OswSch05] [ICISC:CouGou05] [ICISC:Karroumi10] [SAC:BloGuaKru04] 590 [SAC:BilGilEch04] [CHES:GebHoTiu05] [CHES:StaBerPre04]. 592 Cache-timing attacks and defenses have also been analyzed [RSA: 593 Konighofer08] [CHES:KasSch09] [CHES:BonMir06] [RSA:AciSchKoc07] [RSA: 594 OsvShaTro06] [SP:GulBanKre11] [ICICS:AciKoc06] [SAC:BloKru07] [SAC: 595 NevSei06] [WISA:GalKizTun10]. 597 The mathematical structure of AES has also been studied [SCN: 598 DaeRij06] [SAC:BaiVau05] [ICICS:MonVau04] [FSE:SonSeb03] [FSE: 599 Wernsdorf02] [ICISC:SonSeb02] [C:MurRob02] [AC:BarBih02] [SAC: 600 FegSchWhi01]. 602 (AES) is a specification for the encryption of electronic data. It 603 has been adopted by the U.S. government and is now used worldwide. 604 AES was announced by National Institute of Standards and Technology 605 (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 606 five-year standardization process in which fifteen competing designs 607 were presented and evaluated before it was selected as the most 608 suitable. 
It became effective as a Federal government standard on May 26, 2002 after approval by the Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information. Originally called Rijndael, the cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted by them to the AES selection process. AES is based on a design principle known as a substitution-permutation network. It is fast in both software and hardware. AES operates on a 4 x 4 column-major order matrix of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state). Most AES calculations are done in a special finite field. The AES cipher is specified as a number of repetitions of transformation rounds that convert the input plaintext into the final output of ciphertext. Each round consists of several processing steps, including one that depends on the encryption key.

A set of reverse rounds is applied to transform ciphertext back into the original plaintext using the same encryption key.

4.8. Twofish

Twofish was first published in 1998. It is specified in [Twofish], and supports key lengths of 128, 192, and 256 bits.

IETF use includes 9 RFCs, which specify its use in OpenPGP, SSH, and ZRTP.

Intellectual Property Rights have not been claimed on Twofish.

Attack: The best known attack against this cipher is the truncated differential attack, which was shown in [TC:MY00]. Truncated differential, impossible differential attack that breaks was shown in [TC:MY00]. The Saturation Attack - A Bait for Twofish was shown in [FSE:Lucks01]. Analysis: Improved Impossible Differentials on Twofish was shown in [INDOCRYPT:BihFur00]. On the Twofish Key Schedule was shown in [SAC:SKWWH98].
Twofish is a symmetric key block cipher with a block size of 128 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but was not selected for standardisation. Twofish is related to the earlier block cipher Blowfish. Twofish's distinctive features are the use of pre-computed key-dependent S-boxes, and a relatively complex key schedule. Twofish borrows some elements from other designs; for example, the pseudo-Hadamard transform (PHT) from the SAFER family of ciphers. Twofish uses the same Feistel structure as DES. On most software platforms Twofish was slightly slower than Rijndael for 128-bit keys, but somewhat faster for 256-bit keys. Twofish was designed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson; the Twofish algorithm is free for anyone to use without any restrictions whatsoever. It is one of a few ciphers included in the OpenPGP standard (RFC 4880). However, Twofish has seen less widespread usage than Blowfish, which has been available longer.

4.9. Serpent

Serpent was first published in 1998. It is specified in [Serpent], and supports key lengths of 128, 192, and 256 bits.

IETF uses include 6 RFCs, which specify its use in SSH.

Intellectual Property Rights have not been claimed on Serpent.

Attack: The best known attack against this cipher is a linear attack.

The Rectangle Attack - Rectangling the Serpent was shown in [EC:BihDunKel01]. Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent was shown in [FSE:KelKohSch00]. A Differential-Linear Attack on 12-Round Serpent was shown in [INDOCRYPT:DunIndKel08]. Analysis: Amplified boomerang, rectangle, differential cryptanalysis, linear cryptanalysis and differential-linear cryptanalysis were shown in [ABA:KKS00], [RA:BDK01], [DC:WH00], [LC:BDK02], [DLC:BDK03].
Multidimensional Linear Cryptanalysis of Reduced Round Serpent was shown in [ACISP:HerChoNyb08]. Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent was shown in [FSE:ColStaQui08]. Differential-Linear Cryptanalysis of Serpent was shown in [FSE:BihDunKel03a]. Linear Cryptanalysis of Reduced Round Serpent was shown in [FSE:BihDunKel01]. A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent was shown in [ICISC:ChoHerNyb08]. A Dynamic FPGA Implementation of the Serpent Block Cipher was shown in [CHES:Patterson00]. On the Pseudorandomness of the AES Finalists - RC6 and Serpent was shown in [FSE:IwaKur00]. Serpent: A New Block Cipher Proposal was shown in [FSE:BihAndKnu98].

Serpent was a finalist in the AES contest, where it came second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen. Serpent was widely viewed as taking a more conservative approach to security than the other AES finalists, opting for a larger security margin: the designers deemed 16 rounds to be sufficient against known types of attack, but specified 32 rounds as insurance against future discoveries in cryptanalysis. The Serpent cipher is in the public domain and has not been patented. There are no restrictions or encumbrances whatsoever regarding its use. As a result, anyone is free to incorporate Serpent in their software (or hardware implementations) without paying license fees.

5. 64-bit Block Ciphers

5.1. MISTY1

MISTY1 was first published in 1995. It is specified in [RFC2994], and supports a key length of 128 bits.

IETF use includes RFC 2994, which specifies the cipher.

Intellectual Property Rights have been claimed on MISTY1. The owner of those rights is Mitsubishi. According to [RFC2994], "the algorithm is freely available for academic (non-profit) use.
Additionally, the algorithm can be used for commercial use without paying the patent fee if you contract with Mitsubishi Electric Corporation. For more information, please contact at MISTY@isl.melco.co.jp."

Attack: An Improved Impossible Differential Attack on MISTY1 was shown in [AC:DunKel08a]. Higher Order Differential Attacks on Reduced-Round MISTY1 was shown in [ICISC:TSSK08]. Improved Integral Attacks on MISTY1 was shown in [SAC:SunLai09]. Analysis: Cryptanalysis of Reduced-Round MISTY was shown in [EC:Kuhn01]. Improved Cryptanalysis of MISTY1 was shown in [FSE:Kuhn02]. Security Analysis of MISTY1 was shown in [WISA:THSK07]. Improving the Efficiency of Impossible Differential Cryptanalysis of Reduced Camellia and MISTY1 was shown in [RSA:LKKD08]. On MISTY1 Higher Order Differential Cryptanalysis was shown in [ICISC:BabFri00]. Security of the MISTY Structure in the Luby-Rackoff Model was shown in [SAC:PirQui04]. Round Security and Super-Pseudorandomness of MISTY Type Structure was shown in [FSE:IYYK01]. A Very Compact Hardware Implementation of the MISTY1 Block Cipher was shown in [CHES:YamYajIto08]. New Block Encryption Algorithm MISTY was shown in [FSE:Matsui97].

5.2. SKIPJACK

SKIPJACK was first published in 1998, and is specified in [SKIPJACK]. It supports a key length of 80 bits.

IETF use includes 15 RFCs, which describe its use in CMS and TELNET.

Intellectual Property Rights have not been claimed on SKIPJACK.

Attack: Saturation Attacks on Reduced Round Skipjack was shown in [FSE:KLLLL02]. Analysis: Provable Security for the Skipjack-like Structure against Differential Cryptanalysis and Linear Cryptanalysis was shown in [AC:SLLHP00]. Truncated Differentials and Skipjack was shown in [C:KnuRobWag99]. Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials was shown in [EC:BihBirSha99].
Flaws in Differential Cryptanalysis of Skipjack was shown in [FSE:Granboulan01]. Markov Truncated Differential Cryptanalysis of Skipjack was shown in [SAC:ReiWag02]. Initial Observations on Skipjack: Cryptanalysis of Skipjack-3XOR (Invited Talk) was shown in [SAC:BBDRS98].

5.3. RC2

RC2 was first published in 1998. It is specified in [RFC2268], and supports key lengths of 8, 16, 24, ..., 1024 bits.

IETF use includes 36 RFCs, which specify the cipher and describe its use in CMS, SMIME, TLS, and PKIX.

Intellectual Property Rights have not been claimed on RC2, though [RFC2268] says that "RC2 is a registered trademark of RSA Data Security, Inc. RSA's copyrighted RC2 software is available under license from RSA Data Security, Inc."

On the Design and Security of RC2 was shown in [FSE:KRRR98]. Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA was shown in [ICICS:KelSchWag97].

5.4. CAST-128

CAST-128 was first published in 1997. It is specified in [RFC2144], and supports a key length of 128 bits.

IETF use includes 20 RFCs that specify the cipher and define its use in OpenPGP, IPsec, CMS, and PKIX.

Intellectual Property Rights have been claimed on CAST-128 by Entrust. According to [RFC2144], "The CAST-128 cipher described in this document is available worldwide on a royalty-free basis for commercial and non-commercial uses."

5.5. BLOWFISH

BLOWFISH was first published in 1994. It is specified in [Blowfish], and supports key lengths of 32, 64, 96, ..., 448 bits.

There is no IETF use.

Intellectual Property Rights have not been claimed on BLOWFISH.

A New Class of Weak Keys for Blowfish was shown in [FSE:KarMan07]. On the Weak Keys of Blowfish was shown in [FSE:Vaudenay96]. Description of a New Variable-Length Key 64-bit Block Cipher (Blowfish) was shown in [FSE:Schneier93].

5.6. International Data Encryption Algorithm (IDEA)

IDEA was first published in 1992. It is specified in [IDEA], and supports a key length of 128 bits.

IETF use includes 9 RFCs, which describe its use in TLS and IPsec (but not in OpenPGP, though IDEA was used in earlier PGP versions).

Intellectual Property Rights have been claimed on IDEA. The owner of those rights is MediaCrypt AG.

Attack: Two Attacks on Reduced IDEA was shown in [EC:BorKnuRij97]. A New Attack on 6-Round IDEA was shown in [FSE:BihDunKel07b]. New Attacks Against Reduced-Round Versions of IDEA was shown in [FSE:Junod05]. Miss in the Middle Attacks on IDEA and Khufu was shown in [FSE:BihBirSha99]. A New Meet-in-the-Middle Attack on the IDEA Block Cipher was shown in [SAC:DemSelTur03]. Square-like Attacks on Reduced Rounds of IDEA was shown in [SAC:Demirci02]. Analysis: On the Security of the IDEA Block Cipher was shown in [EC:Meier93]. Cryptanalysis of IDEA-X/2 was shown in [FSE:Raddum03]. New Cryptanalytic Results on IDEA was shown in [AC:BihDunKel06]. On Applying Linear Cryptanalysis to IDEA was shown in [AC:HawOCo96]. Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES was shown in [C:KelSchWag96]. Fault Analysis Study of IDEA was shown in [RSA:ClaGieVer08]. Differential-Linear Weak Key Classes of IDEA was shown in [EC:Hawkes98]. Improved DST Cryptanalysis of IDEA was shown in [SAC:AyaSel06]. Weak Keys for IDEA was shown in [C:DaeGovVan93]. New Weak-Key Classes of IDEA was shown in [ICICS:BNPV02].

DPA on n-Bit Sized Boolean and Arithmetic Operations and Its Application to IDEA, RC6, and the HMAC-Construction was shown in [CHES:LemSchPaa04]. Switching Blindings with a View Towards IDEA was shown in [CHES:NeiPul04]. Tradeoffs in Parallel and Serial Implementations of the International Data Encryption Algorithm IDEA was shown in [CHES:CTLL01].
Revisiting the IDEA Philosophy was shown in [FSE:JunMac09]. Nonlinearity Properties of the Mixing Operations of the Block Cipher IDEA was shown in [INDOCRYPT:Yildirim03]. A Note on Weak Keys of PES, IDEA, and Some Extended Variants was shown in [ISC:NakPreVan03]. IDEA: A Cipher For Multimedia Architectures? was shown in [SAC:Lipmaa98].

5.7. GOST 28147-89

GOST 28147-89 was first published in 1989. It is specified in [RFC5830], and supports a key length of 256 bits. 256 Bit Standardized Crypto for 650 GE - GOST Revisited was shown in [CHES:PosLinWan10].

IETF use includes 7 RFCs.

Intellectual Property Rights have not been claimed on GOST 28147-89.

Attack: A Single-Key Attack on the Full GOST Block Cipher was shown in [FSE:Isobe11]. Analysis: Cryptanalysis of the GOST Hash Function was shown in [C:MPRKS08]. Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES was shown in [C:KelSchWag96]. Differential Cryptanalysis of Reduced Rounds of GOST was shown in [SAC:SekKan00].

5.8. Triple Data Encryption Standard (TDES)

The Triple Data Encryption Standard (TDES, or sometimes 3DES) was first published in 1979. It is specified in [FIPS-46-3], and supports a key length of 112 bits.

IETF uses include citations in 143 RFCs, which describe the use of the cipher in IPsec, TLS, SMIME, CMS, PKIX, PPP, SSH, and GSAKMP.

Intellectual Property Rights have been claimed on TDES. The owner of those rights is IBM. According to [FIPS-46-3], TDES may be "covered by U.S. and foreign patents, including patents issued to the International Business Machines Corporation. However, IBM has granted nonexclusive, royalty-free licenses under the patents to make, use and sell apparatus which complies with the standard."

Attack: Attacking Triple Encryption was shown in [FSE:Lucks98]. A Known Plaintext Attack on Two-Key Triple Encryption was shown in [EC:VanWie90].
Analysis: The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs was shown in [EC:BelRog06].

5.9. Data Encryption Standard (DES)

DES was first published in 1977. It is specified in [FIPS-46], and its key length is 56 bits.

IETF use includes 66 drafts and 158 RFCs.

Intellectual Property Rights have been claimed on DES. The owner of those rights is IBM. According to [FIPS-46-3], TDES may be "covered by U.S. and foreign patents, including patents issued to the International Business Machines Corporation. However, IBM has granted nonexclusive, royalty-free licenses under the patents to make, use and sell apparatus which complies with the standard."

DES is currently obsolete; its key size is inadequate to protect against attackers with access to modern computing resources. The security implications of using DES are discussed at length in [RFC4772]. Historically, DES was instrumental in the development of modern cryptography; Differential [C:BihSha90] and Linear [EC:Matsui93] Cryptanalysis were developed through the analysis of the DES algorithm.

DES was designed by an IBM research team led by Horst Feistel, a German-born cryptographer. DES was a refinement of the earlier LUCIFER cipher, which is the first modern block cipher that has been publicly described.

6. Stream Ciphers

6.1. Kcipher-2

Kcipher-2 was first published in 2011. It is specified in [I-D.kiyomoto-kcipher2] and supports a key length of 128 bits, and a 128-bit initialization vector.

IETF use includes 2 drafts, which specify the cipher and describe its use in TLS.

Intellectual Property Rights have been claimed on Kcipher-2. The owners of those rights are KDDI and Qualcomm.

KCipher-2 has been used for industrial applications, especially for mobile health monitoring and diagnostic services in Japan.

6.2. Rabbit

Rabbit was first published in 2003 [FSE:BVPCS03] in a peer-reviewed workshop. It is specified in [RFC4503], and supports a key length of 128 bits, and a 64-bit IV.

The only citation in IETF documents is the cipher specification itself.

Intellectual Property Rights have been claimed on this cipher. The owner of those rights is Cryptico A/S.

The best known attacks against this cipher have a complexity greater than 2^128, and thus do not violate its security goals. Distinguishing attacks were shown in [ISC:LuDes10] [ISC:LuWanLin08]. Side channels and fault injection attacks were considered in [INDOCRYPT:BerCanGou09] and [SAC:KirYou09], which described state-recovery attacks with 2^38 complexity.

Rabbit is the only finalist from eSTREAM, the ECRYPT Stream Cipher Project, that appears in this note. Rabbit has a relatively small internal state of about 64 bytes, and it updates all words of state at each iteration, in contrast to RC4 (Section 6.3).

6.3. RC4

RC4 was first described in 1994. No normative specification exists; it is sometimes called ARCFOUR, which is short for "alleged RC4". The cipher supports key lengths of 8, 16, 24, ..., 1024 bits. RC4 does not accept an initialization vector.

IETF use includes 54 RFCs and 23 drafts, which describe the use of RC4 in TLS, Kerberos, and SSH.

Intellectual Property Rights have not been claimed on RC4.

Attack: A Practical Attack on the Fixed RC4 in the WEP Mode was shown in [AC:Mantin05]. New State Recovery Attack on RC4 was shown in [C:MaxKho08]. Statistical Attack on RC4 - Distinguishing WPA was shown in [EC:SepVauVua11]. Predicting and Distinguishing Attacks on RC4 Keystream Generator was shown in [EC:Mantin05]. Attack on Broadcast RC4 Revisited was shown in [FSE:MaiPauSen11]. Key Collisions of the RC4 Stream Cipher was shown in [FSE:Matsui09]. Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers was shown in [FSE:Maximov05]. A Practical Attack on Broadcast RC4 was shown in [FSE:ManSha01]. Collisions for RC4-Hash was shown in [ISC:IndPre08]. Passive-Only Key Recovery Attacks on RC4 was shown in [SAC:VauVua07]. Generalized RC4 Key Collisions and Hash Collisions was shown in [SCN:CheMiy10]. Analysis: New Correlations of RC4 PRGA Using Nonzero-Bit Differences was shown in [ACISP:MiySuk09]. Cache Timing Analysis of RC4 was shown in [ACNS:ChaFouLer11]. Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4 was shown in [FSE:BihGraNgu05]. Statistical Analysis of the Alleged RC4 Keystream Generator was shown in [FSE:FluMcG00]. Analysis of RC4 and Proposal of Additional Layers for Better Security Margin was shown in [INDOCRYPT:MaiPau08]. Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator was shown in [INDOCRYPT:PauPre03]. Cryptanalysis of RC4-like Ciphers was shown in [SAC:MisTav98]. Recovering RC4 Permutation from 2048 Keystream Bytes if j Is Stuck was shown in [ACISP:MaiPau08]. (Not So) Random Shuffles of RC4 was shown in [C:Mironov02]. Linear Statistical Weakness of Alleged RC4 Keystream Generator was shown in [EC:Golic97a]. New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4 was shown in [FSE:MaiPau08]. Efficient Reconstruction of RC4 Keys from Internal States was shown in [FSE:BihCar08]. A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher was shown in [FSE:PauPre04]. One Byte per Clock: A Novel RC4 Hardware was shown in [INDOCRYPT:SSMS10]. New Results on the Key Scheduling Algorithm of RC4 was shown in [INDOCRYPT:AkgKavDem08]. Discovery and Exploitation of New Biases in RC4 was shown in [SAC:SepVauVua10].
Permutation After RC4 Key Scheduling Reveals the Secret Key was shown in [SAC:PauMai07]. Weaknesses in the Key Scheduling Algorithm of RC4 was shown in [SAC:FluManSha01].

7. Acknowledgements

Thanks are due to Jon Callas and Kevin Igoe.

8. IANA Considerations

This memo includes no request to IANA.

9. Security Considerations

Security is the main topic of this note.

10. References

10.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

10.2. Informative References

[AARRS:DT08] Dunkelman, O. and D. Toz, "SMS4: Analysis of the Attacking Reduced-Round Versions of the SMS4", International Conference on Information and Communications Security-ICICS AARRS:DT08vol, 2008.

[ABA:KKS00] Kelsey, J., Kohno, T., and B. Schneier, "Serpent: Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent", Fast software encryption-FSE ABA:KKS00, 2000.

[AC:BBGR09] Billet, O., Gueron, S., J., M., and R. Benadjila, "The Intel AES Instructions Set and the SHA-3 Candidates", Lecture Notes in Computer Science asiacrypt09vol, 2009.

[AC:BarBih02] Biham, E. and E. Barkan, "In How Many Ways Can You Write Rijndael?", Lecture Notes in Computer Science asiacrypt02vol, 2002.

[AC:BihDunKel06] Dunkelman, O., Keller, N., and E. Biham, "New Cryptanalytic Results on IDEA", Lecture Notes in Computer Science asiacrypt06vol, 2006.

[AC:BirKho09] Khovratovich, D. and A. Biryukov, "Related-Key Cryptanalysis of the Full AES-192 and AES-256", Lecture Notes in Computer Science asiacrypt09vol, 2009.

[AC:BogKhoRec11] Khovratovich, D., Rechberger, C., and A. Bogdanov, "Biclique Cryptanalysis of the Full AES", Lecture Notes in Computer Science asiacrypt11vol, 2011.

[AC:DunKel08a] Keller, N. and O. Dunkelman, "An Improved Impossible Differential Attack on MISTY1", Lecture Notes in Computer Science asiacrypt08vol, 2008.

[AC:DunKelSha10] Keller, N., Shamir, A., and O. Dunkelman, "Improved Single-Key Attacks on 8-Round AES-192 and AES-256", Lecture Notes in Computer Science asiacrypt10vol, 2010.

[AC:HawOCo96] O'Connor, L. and P. Hawkes, "On Applying Linear Cryptanalysis to IDEA", Lecture Notes in Computer Science asiacrypt96vol, 1996.

[AC:Lenstra01] Lenstra, A. K., "Unbelievable Security. Matching AES Security Using Public Key Systems (Invited Talk)", Lecture Notes in Computer Science asiacrypt01vol, 2001.

[AC:Mantin05] Mantin, I., "A Practical Attack on the Fixed RC4 in the WEP Mode", Lecture Notes in Computer Science asiacrypt05vol, 2005.

[AC:PSCYL02] Hak, S., Chee, S., Yoon, E., Lim, J., and S. Park, "On the Security of Rijndael-Like Structures against Differential and Linear Cryptanalysis", Lecture Notes in Computer Science asiacrypt02vol, 2002.

[AC:SLLHP00] Lee, S., In, J., Hong, S., Park, S., and J. Sung, "Provable Security for the Skipjack-like Structure against Differential Cryptanalysis and Linear Cryptanalysis", Lecture Notes in Computer Science asiacrypt00vol, 2000.

[AC:SMTM01] Morioka, S., Takano, K., Munetoh, S., and A. Satoh, "A Compact Rijndael Hardware Architecture with S-Box Optimization", Lecture Notes in Computer Science asiacrypt01vol, 2001.

[AC:SugKobIma01] Kobara, K., Imai, H., and M. Sugita, "Security of Reduced Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis", Lecture Notes in Computer Science asiacrypt01vol, 2001.

[ACISP:FleGorLuc09] Gorski, M., Lucks, S., and E. Fleischmann, "Attacking 9 and 10 Rounds of AES-256", Lecture Notes in Computer Science acisp09vol, 2009.
[ACISP:FouTun06] Tunstall, M. and J. Fournier, "Cache Based Power Analysis Attacks on AES", Lecture Notes in Computer Science acisp06vol, 2006.

[ACISP:HYYKT10] Yap, W., Hoo, C., Kiyomoto, S., Tanaka, T., and M. Henricksen, "Side-Channel Analysis of the K2 Stream Cipher", Lecture Notes in Computer Science acisp10vol, 2010.

[ACISP:HerChoNyb08] Cho, J. Y., Nyberg, K., and M. Hermelin, "Multidimensional Linear Cryptanalysis of Reduced Round Serpent", Lecture Notes in Computer Science acisp08vol, 2008.

[ACISP:MaiPau08] Paul, G. and S. Maitra, "Recovering RC4 Permutation from 2048 Keystream Bytes if j Is Stuck", Lecture Notes in Computer Science acisp08vol, 2008.

[ACISP:MiySuk09] Sukegawa, M. and A. Miyaji, "New Correlations of RC4 PRGA Using Nonzero-Bit Differences", Lecture Notes in Computer Science acisp09vol, 2009.

[ACISP:ZhaZhaWu08] Zhang, W., Wu, W., and L. Zhang, "Cryptanalysis of Reduced-Round SMS4 Block Cipher", Lecture Notes in Computer Science acisp08vol, 2008.

[ACNS:CanBat08] Batina, L. and D. Canright, "A Very Compact 'Perfectly Masked' S-Box for AES", Lecture Notes in Computer Science acns08vol, 2008.

[ACNS:ChaFouLer11] Fouque, P., Leresteux, D., and T. Chardin, "Cache Timing Analysis of RC4", Lecture Notes in Computer Science acns11vol, 2011.

[ACNS:DusLetViv03] Letourneux, G., Vivolo, O., and P. Dusart, "Differential Fault Analysis on AES", Lecture Notes in Computer Science acns03vol, 2003.

[ACNS:HerOswMan06] Oswald, E., Mangard, S., and C. Herbst, "An AES Smart Card Implementation Resistant to Power Analysis Attacks", Lecture Notes in Computer Science acns06vol, 2006.

[ACNS:LuPanHar10] Pan, J., den Hartog, J., and J. Lu, "Principles on the Security of AES against First and Second-Order Differential Power Analysis", Lecture Notes in Computer Science acns10vol, 2010.

[ACNS:TilHerMan07] Herbst, C., Mangard, S., and S. Tillich, "Protecting AES Software Implementations on 32-Bit Processors Against Power Analysis", Lecture Notes in Computer Science acns07vol, 2007.

[AFRICACRYPT:AliMuk11] Mukhopadhyay, D. and S. Ali, "An Improved Differential Fault Analysis on AES-256", Lecture Notes in Computer Science africacrypt11vol, 2011.

[AFRICACRYPT:BSQPR08] Standaert, F., Quisquater, J., Pellegrin, P., Rouvroy, G., and P. Bulens, "Implementation of the AES-128 on Virtex-5 FPGAs", Lecture Notes in Computer Science africacrypt08vol, 2008.

[AFRICACRYPT:GalMin08] Minier, M. and S. Galice, "Improving Integral Attacks Against Rijndael-256 Up to 9 Rounds", Lecture Notes in Computer Science africacrypt08vol, 2008.

[AFRICACRYPT:GenProQui11] Prouff, E., Quisquater, M., and L. Genelle, "Montgomery's Trick and Fast Implementation of Masked AES", Lecture Notes in Computer Science africacrypt11vol, 2011.

[AFRICACRYPT:MinPhaPou09] Phan, R. C.-W., Pousse, B., and M. Minier, "Distinguishers for Ciphers and Known Key Attack against Rijndael with Large Blocks", Lecture Notes in Computer Science africacrypt09vol, 2009.

[AFRICACRYPT:YapKhoPos10] Khoo, K., Poschmann, A., and H. Yap, "Parallelizing the Camellia and SMS4 Block Ciphers", Lecture Notes in Computer Science africacrypt10vol, 2010.

[AP:DR99] Daemen, J. and V. Rijmen, "AES Proposal: Rijndael", 1999.

[ASIACCS:NevSeiWan06] Seifert, J., Wang, Z., and M. Neve, "A refined look at Bernstein's AES side-channel analysis (Fast abstract)", 2006.

[BC:SSAMI07] Shirai, T., Shibutani, K., Akishita, T., Moriai, S., and T. Iwata, "Clefia: The 128-bit blockcipher CLEFIA", 2007.

[Blowfish] Schneier, B., "Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)", Lecture Notes in Computer Science fse94vol, 1994.

[C:BihSha90] Shamir, A. and E. Biham, "Differential Cryptanalysis of DES-like Cryptosystems", Lecture Notes in Computer Science crypto90vol, 1991.

[C:BirKhoNik09] Khovratovich, D., Nikolic, I., and A. Biryukov, "Distinguisher and Related-Key Attack on the Full AES-256", Lecture Notes in Computer Science crypto09vol, 2009.

[C:BouDerFou11] Derbez, P., Fouque, P., and C. Bouillaguet, "Automatic Search of Attacks on Round-Reduced AES and Applications", Lecture Notes in Computer Science crypto11vol, 2011.

[C:DaeGovVan93] Govaerts, R., Vandewalle, J., and J. Daemen, "Weak Keys for IDEA", Lecture Notes in Computer Science crypto93vol, 1994.

[C:KelSchWag96] Schneier, B., Wagner, D., and J. Kelsey, "Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES", Lecture Notes in Computer Science crypto96vol, 1996.

[C:KnuRobWag99] Robshaw, M. J. B., Wagner, D., and L. R. Knudsen, "Truncated Differentials and Skipjack", Lecture Notes in Computer Science crypto99vol, 1999.

[C:MPRKS08] Pramstaller, N., Rechberger, C., Kontak, M., Szmidt, J., and F. Mendel, "Cryptanalysis of the GOST Hash Function", Lecture Notes in Computer Science crypto08vol, 2008.

[C:MaxKho08] Khovratovich, D. and A. Maximov, "New State Recovery Attack on RC4", Lecture Notes in Computer Science crypto08vol, 2008.

[C:Mironov02] Mironov, I., "(Not So) Random Shuffles of RC4", Lecture Notes in Computer Science crypto02vol, 2002.

[C:MurRob02] Robshaw, M. J. B. and S. Murphy, "Essential Algebraic Structure within the AES", Lecture Notes in Computer Science crypto02vol, 2002.
[CA:AHTW99] Adams, C., Heys, H., Tavares, S., and M. Wiener, "Cast-256: An Analysis of the CAST-256 Cipher", Proceedings of IEEE Canadian Conference on Electrical and Computer Engineering CA:AHTW99, 1999.

[CANS:ChoYapKho09] Yap, H., Khoo, K., and J. Choy, "An Analysis of the Compact XSL Attack on BES and Embedded SMS4", Lecture Notes in Computer Science cans09vol, 2009.

[CANS:DuChe10] Chen, J. and C. Du, "Impossible Differential Cryptanalysis of ARIA Reduced to 7 Rounds", Lecture Notes in Computer Science cans10vol, 2010.

[CANS:JieZho06] Zhongya, Z. and G. Jie, "Improved Collision Attack on Reduced Round Camellia", Lecture Notes in Computer Science cans06vol, 2006.

[CANS:RebSelDev06] David, A., S., A., and C. Rebeiro, "Bitslice Implementation of AES", Lecture Notes in Computer Science cans06vol, 2006.

[CANS:ZhaYuLiu10] Yu, Q., Wei, X., and C. N., "An Algorithm Based Concurrent Error Detection Scheme for AES", Lecture Notes in Computer Science cans10vol, 2010.

[CAOR:GM00] Gilbert, H. and M. Minier, "A collision attack on seven rounds of Rijndael", Proceedings of the third AES candidate conference CAOR:GM00, 2000.

[CHES:AkkGir01] Giraud, C. and M. Akkar, "An Implementation of DES and AES Secure against Some Attacks", Lecture Notes in Computer Science ches01vol, 2001.

[CHES:BBKK07] Bogdanov, A., Khovratovich, D., Kasper, T., and A. Biryukov, "Collision Attacks on AES-Based MAC: Alpha-MAC", Lecture Notes in Computer Science ches07vol, 2007.

[CHES:Bogdanov08] Bogdanov, A., "Multiple-Differential Side-Channel Collision Attacks on AES", Lecture Notes in Computer Science ches08vol, 2008.

[CHES:BonMir06] Mironov, I. and J. Bonneau, "Cache-Collision Timing Attacks Against AES", Lecture Notes in Computer Science ches06vol, 2006.
[CHES:BosOzeSta11] Özen, O., Stam, M., and J. W. Bos, "Efficient Hashing Using the AES Instruction Set", Lecture Notes in Computer Science ches11vol, 2011.

[CHES:CFGRV11] Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V., and C. Clavier, "Improved Collision-Correlation Power Analysis on First Order Protected AES", Lecture Notes in Computer Science ches11vol, 2011.

[CHES:CTLL01] Hung, K., Heng, P., P., M., and O. Y., "Tradeoffs in Parallel and Serial Implementations of the International Data Encryption Algorithm IDEA", Lecture Notes in Computer Science ches01vol, 2001.

[CHES:Canright05] Canright, D., "A Very Compact S-Box for AES", Lecture Notes in Computer Science ches05vol, 2005.

[CHES:ChoGaj03] Gaj, K. and P. Chodowiec, "Very Compact FPGA Implementation of the AES Algorithm", Lecture Notes in Computer Science ches03vol, 2003.

[CHES:DanPraRol00] K., V., D., J., and A. Dandalis, "A Comparative Study of Performance of AES Final Candidates Using FPGAs", Lecture Notes in Computer Science ches00vol, 2000.

[CHES:DerFouLer11] Fouque, P., Leresteux, D., and P. Derbez, "Meet-in-the-Middle and Impossible Differential Fault Analysis on AES", Lecture Notes in Computer Science ches11vol, 2011.

[CHES:FelDomWol04] Dominikus, S., Wolkerstorfer, J., and M. Feldhofer, "Strong Authentication for RFID Systems Using the AES Algorithm", Lecture Notes in Computer Science ches04vol, 2004.

[CHES:FisDru01] Drutarovský, M. and V. Fischer, "Two Methods of Rijndael Implementation in Reconfigurable Hardware", Lecture Notes in Computer Science ches01vol, 2001.

[CHES:GebHoTiu05] Ho, S., C., C., and C. H., "EM Analysis of Rijndael and ECC on a Wireless Java-Based PDA", Lecture Notes in Computer Science ches05vol, 2005.

[CHES:GolTym02] Tymen, C. and J. Dj. Golic, "Multiplicative Masking and Power Analysis of AES", Lecture Notes in Computer Science ches02vol, 2002.

[CHES:GooBen05] Benaissa, M. and T. Good, "AES on FPGA from the Fastest to the Smallest", Lecture Notes in Computer Science ches05vol, 2005.

[CHES:GouMar11] Martinelli, A. and L. Goubin, "Protecting AES with Shamir's Secret Sharing Scheme", Lecture Notes in Computer Science ches11vol, 2011.

[CHES:Hamburg09] Hamburg, M., "Accelerating AES with Vector Permute Instructions", Lecture Notes in Computer Science ches09vol, 2009.

[CHES:HarWal07] Waldron, J. and O. Harrison, "AES Encryption Implementation and Analysis on Commodity Graphics Processing Units", Lecture Notes in Computer Science ches07vol, 2007.

[CHES:Jaffe07] Jaffe, J., "A First-Order DPA Attack Against AES in Counter Mode with Unknown Initial Counter", Lecture Notes in Computer Science ches07vol, 2007.

[CHES:KasSch09] Schwabe, P. and E. Käsper, "Faster and Timing-Attack Resistant AES-GCM", Lecture Notes in Computer Science ches09vol, 2009.

[CHES:KerRey08] Reyhani-Masoleh, A. and M. Mozaffari, "A Lightweight Concurrent Fault Detection Scheme for the AES S-Boxes Using Normal Basis", Lecture Notes in Computer Science ches08vol, 2008.

[CHES:KimHonLim11] Hong, S., Lim, J., and H. Kim, "A Fast and Provably Secure Higher-Order Masking of AES S-Box", Lecture Notes in Computer Science ches11vol, 2011.

[CHES:KuoVer01] Verbauwhede, I. and H. Kuo, "Architectural Optimization for a 1.82Gbits/sec VLSI Implementation of the AES Rijndael Algorithm", Lecture Notes in Computer Science ches01vol, 2001.

[CHES:LWFB07] Wolkerstorfer, J., Felber, N., Braendli, M., and S. Lemsitzer, "Multi-gigabit GCM-AES Architecture Optimized for FPGAs", Lecture Notes in Computer Science ches07vol, 2007.
1445 [CHES:LemSchPaa04] 1446 Schramm, K., Paar, C., and K. Lemke, "DPA on n-Bit Sized 1447 Boolean and Arithmetic Operations and Its Application to 1448 IDEA RC6,and the HMAC-Construction", Lecture Notes in 1449 Computer Science ches04vol, 2004. 1451 [CHES:ManPraOsw05] 1452 Pramstaller, N., Oswald, E., and S. Mangard, "Successfully 1453 Attacking Masked AES ardware Implementations", Lecture 1454 Notes in Computer Science ches05vol, 2005. 1456 [CHES:ManSch06] 1457 Schramm, K. and S. Mangard, "Pinpointing the Side-Channel 1458 Leakage of Masked AES Hardware Implementations", Lecture 1459 Notes in Computer Science ches06vol, 2006. 1461 [CHES:MasRaiAhm06] 1462 Raissi, F., Ahmadian, M., and M. Masoumi, "NanoCMOS- 1463 Molecular Realization of Rijndael", Lecture Notes in 1464 Computer Science ches06vol, 2006. 1466 [CHES:McLMcC01] 1467 V., J. and M. McLoone, "High Performance Single-Chip FPGA 1468 Rijndael Algorithm Implementations", Lecture Notes in 1469 Computer Science ches01vol, 2001. 1471 [CHES:MorSat02] 1472 Satoh, A. and S. Morioka, "An Optimized S-Box Circuit 1473 Architecture for Low Power AES Design", Lecture Notes in 1474 Computer Science ches02vol, 2002. 1476 [CHES:MorShaSal06] 1477 T., M., Salmasizadeh, M., and A. Moradi, "A Generalized 1478 Method of Differential Fault Attack Against AES 1479 Cryptosystem", Lecture Notes in Computer 1480 Science ches06vol, 2006. 1482 [CHES:NNTHM10] 1483 Nekado, K., Toyota, T., Hongo, N., Morikawa, Y., and Y. 1484 Nogami, "Mixed Bases for Efficient Inversion in 1485 F_((2^2)^2)^2 and Conversion Matrices of SubBytes of AES", 1486 Lecture Notes in Computer Science ches10vol, 2010. 1488 [CHES:NeiPul04] 1489 Pulkus, J. and O. Nei\\sse, "Switching Blindings with a 1490 View Towards IDEA", Lecture Notes in Computer 1491 Science ches04vol, 2004. 1493 [CHES:Patterson00] 1494 Patterson, C., "A Dynamic FPGA Implementation of the 1495 Serpent Block Cipher", Lecture Notes in Computer 1496 Science ches00vol, 2000. 
1498 [CHES:PirQui03] 1499 Quisquater, J. and G. Piret, "A Differential Fault Attack 1500 Technique against SPN Structures with Application to the 1501 AES and KHAZAD", Lecture Notes in Computer 1502 Science ches03vol, 2003. 1504 [CHES:PosLinWan10] 1505 Ling, S., Wang, H., and A. Poschmann, "256 Bit 1506 Standardized Crypto for 650 GE - GOST Revisited", Lecture 1507 Notes in Computer Science ches10vol, 2010. 1509 [CHES:ProRoc11] 1510 Roche, T. and E. Prouff, "Higher-Order Glitches Free 1511 Implementation of the AES Using Secure Multi-party 1512 Computation Protocols", Lecture Notes in Computer 1513 Science ches11vol, 2011. 1515 [CHES:RKSF11] 1516 Kamel, D., Standaert, F., Flandre, D., and M. Renauld, 1517 "Information Theoretic and Security Analysis of a 65- 1518 Nanometer DDSLL AES S-Box", Lecture Notes in Computer 1519 Science ches11vol, 2011. 1521 [CHES:RenStaVey09] 1522 Standaert, F., Veyrat-Charvillon, N., and M. Renauld, 1523 "Algebraic Side-Channel Attacks on the AES: Why Time also 1524 Matters in DPA", Lecture Notes in Computer 1525 Science ches09vol, 2009. 1527 [CHES:RivPro10] 1528 Prouff, E. and M. Rivain, "Provably Secure Higher-Order 1529 Masking of AES", Lecture Notes in Computer 1530 Science ches10vol, 2010. 1532 [CHES:SLFP04] 1533 Leander, G., Felke, P., Paar, C., and K. Schramm, "A 1534 Collision-Attack on AES:Combining Side Channel- and 1535 Differential-Attack", Lecture Notes in Computer 1536 Science ches04vol, 2004. 1538 [CHES:SRQL03] 1539 Rouvroy, G., Quisquater, J., Legat, J., and F. Standaert, 1540 "Efficient Implementation of Rijndael Encryption in 1541 Reconfigurable Hardware:Improvements and Design 1542 Tradeoffs", Lecture Notes in Computer Science ches03vol, 1543 2003. 1545 [CHES:SSHA08] 1546 Sugawara, T., Homma, N., Aoki, T., and A. Satoh, "High- 1547 Performance Concurrent Error Detection Scheme for AES 1548 Hardware", Lecture Notes in Computer Science ches08vol, 1549 2008. 1551 [CHES:SatMor03] 1552 Morioka, S. and A. 
Satoh, "Unified Hardware Architecture 1553 for 128-Bit Block Ciphers AES and Camellia", Lecture Notes 1554 in Computer Science ches03vol, 2003. 1556 [CHES:StaBerPre04] 1557 Berna, S., Preneel, B., and F. Standaert, "Power Analysis 1558 of an FPGA:Implementation of Rijndael:s Pipelining a DPA 1559 Countermeasure?", Lecture Notes in Computer 1560 Science ches04vol, 2004. 1562 [CHES:TilGro06] 1563 Gro\\sssch\\adl, J. and S. Tillich, "Instruction Set 1564 Extensions for Efficient AES Implementation on 32-bit 1565 Processors", Lecture Notes in Computer Science ches06vol, 1566 2006. 1568 [CHES:TilGro07] 1569 Gro\\sssch\\adl, J. and S. Tillich, "Power Analysis 1570 Resistant AES Implementation with Instruction Set 1571 Extensions", Lecture Notes in Computer Science ches07vol, 1572 2007. 1574 [CHES:TilHer08] 1575 Herbst, C. and S. Tillich, "Attacking State-of-the-Art 1576 Software Countermeasures-A Case Study for AES", Lecture 1577 Notes in Computer Science ches08vol, 2008. 1579 [CHES:TriDeSGer02] 1580 De, D., Germani, L., and E. Trichina, "Simplified Adaptive 1581 Multiplicative Masking for AES", Lecture Notes in Computer 1582 Science ches02vol, 2002. 1584 [CHES:YamYajIto08] 1585 Yajima, J., Itoh, K., and D. Yamamoto, "A Very Compact 1586 Hardware Implementation of the MISTY1 Block Cipher", 1587 Lecture Notes in Computer Science ches08vol, 2008. 1589 [DC:WH00] Wang, X. and L. Hui, "Serpent: The differential 1590 cryptanalysis of an AES finalist-serpent", Technical 1591 report TP-2000-04 TC:MY00, 2000. 1593 [DC:YS03] Yanami, H. and T. Shimoyama, "SEED: Differential 1594 Cryptanalysis of a Reduced-Round SEED", Security in 1595 Communication Networks-SCN 2002 YS03vol, 2003. 1597 [DLBRC:S02] 1598 Shirai, T., "Camellia: Differential,linear,boomerang and 1599 rectangle cryptannalysis of reduced-round Camellia", The 1600 third MESSIE Workshop DLBRC:S02, 2002. 1602 [DLC:BDK03] 1603 Bilham, E., Dunkelman, O., and N. 
Keller, "Serpent: 1604 Differential-Linear cryptanalysis of serpent", Fast 1605 software encryption-FSE 2003 DLC:BDK03, 2003. 1607 [EA:C98] Adams, C., "Cast-256: The CAST-256 Encryption Algorithm", 1608 1998. 1610 [EC:BDKKS10] 1611 Dunkelman, O., Keller, N., Khovratovich, D., Shamir, A., 1612 and A. Biryukov, "Key Recovery Attacks of Practical 1613 Complexity on AES-256 Variants with up to 10 Rounds", 1614 Lecture Notes in Computer Science eurocrypt10vol, 2010. 1616 [EC:BelRog06] 1617 Rogaway, P. and M. Bellare, "The Security of Triple 1618 Encryption and a Framework for Code-Based Game-Playing 1619 Proofs", Lecture Notes in Computer Science eurocrypt06vol, 1620 2006. 1622 [EC:BihBirSha99] 1623 Biryukov, A., Shamir, A., and E. Biham, "Cryptanalysis of 1624 Skipjack Reduced to 31 Rounds Using Impossible 1625 Differentials", Lecture Notes in Computer 1626 Science eurocrypt99vol, 1999. 1628 [EC:BihDunKel01] 1629 Dunkelman, O., Keller, N., and E. Biham, "The Rectangle 1630 Attack - Rectangling the Serpent", Lecture Notes in 1631 Computer Science eurocrypt01vol, 2001. 1633 [EC:BirNik10] 1634 Nikolic, I. and A. Biryukov, "Automatic Search for 1635 Related-Key Differential Characteristics in Byte-Oriented 1636 Block Ciphers: Application to AES Camellia, Khazad and 1637 Others,", Lecture Notes in Computer 1638 Science eurocrypt10vol, 2010. 1640 [EC:BorKnuRij97] 1641 R., L., Rijmen, V., and J. Borst, "Two Attacks on Reduced 1642 IDEA", Lecture Notes in Computer Science eurocrypt97vol, 1643 1997. 1645 [EC:DaeRij02] 1646 Rijmen, V. and J. Daemen, "AES and the Wide Trail Design 1647 Strategy (Invited Talk)", Lecture Notes in Computer 1648 Science eurocrypt02vol, 2002. 1650 [EC:Golic97a] 1651 Dj., J., "Linear Statistical Weakness of Alleged RC4 1652 Keystream Generator", Lecture Notes in Computer 1653 Science eurocrypt97vol, 1997. 1655 [EC:Hawkes98] 1656 Hawkes, P., "Differential-Linear Weak Key Classes of 1657 IDEA", Lecture Notes in Computer Science eurocrypt98vol, 1658 1998. 
1660 [EC:Kuhn01] 1661 Kuhn, U., "Cryptanalysis of Reduced-Round MISTY", Lecture 1662 Notes in Computer Science eurocrypt01vol, 2001. 1664 [EC:MPLPW11] 1665 Poschmann, A., Ling, S., Paar, C., Wang, H., and A. 1666 Moradi, "Pushing the Limits: A Very Compact and a 1667 Threshold Implementation of AES", Lecture Notes in 1668 Computer Science eurocrypt11vol, 2011. 1670 [EC:Mantin05] 1671 Mantin, I., "Predicting and Distinguishing Attacks on RC4 1672 Keystream Generator", Lecture Notes in Computer 1673 Science eurocrypt05vol, 2005. 1675 [EC:Matsui93] 1676 Matsui, M., "Linear Cryptoanalysis Method for DES Cipher", 1677 Lecture Notes in Computer Science eurocrypt93vol, 1993. 1679 [EC:Meier93] 1680 Meier, W., "On the Security of the IDEA Block Cipher", 1681 Lecture Notes in Computer Science eurocrypt93vol, 1993. 1683 [EC:SepVauVua11] 1684 Vaudenay, S., Vuagnoux, M., and P. Sepehrdad, "Statistical 1685 Attack on RC4 - Distinguishing WPA", Lecture Notes in 1686 Computer Science eurocrypt11vol, 2011. 1688 [EC:VanWie90] 1689 J., M. and P. C., "A Known Plaintext Attack on Two-Key 1690 Triple Encryption", Lecture Notes in Computer 1691 Science eurocrypt90vol, 1990. 1693 [FC:BloSei03] 1694 Seifert, J. and J. Bl\\omer, "Fault Based Cryptanalysis of 1695 the Advanced Encryption Standard (AES)", Lecture Notes in 1696 Computer Science fc03vol, 2003. 1698 [FC:DamKel10] 1699 Keller, M. and I. Damg\\aard, "Secure Multiparty AES", 1700 Lecture Notes in Computer Science fc10vol, 2010. 1702 [FIPS-197] 1703 National Institute of Standards and Technology, 1704 "Specification for the Advanced Encryption Standard 1705 (AES)", FIPS 197, November 2001. 1707 [FIPS-46] National Institute of Standards and Technology, "Data 1708 Encryption Standard (DES)", FIPS 46, July 1977. 1710 [FIPS-46-3] 1711 National Institute of Standards and Technology, "Data 1712 Encryption Standard (DES) (Revision 3)", FIPS 46-3, 1713 October 1999. 
1715 [FSE:AES97] 1716 Anderson, R., "Advanced Encryption Standard (Discussion)", 1717 Lecture Notes in Computer Science fse97vol, 1997. 1719 [FSE:BVPCS03] 1720 Vesterager, M., Pedersen, T., Christiansen, J., Scavenius, 1721 O., and M. Boesgaard, "Rabbit: A New High-Performance 1722 Stream Cipher", Lecture Notes in Computer 1723 Science fse03vol, 2003. 1725 [FSE:Bernstein05] 1726 J., D., "The Poly1305-AES Message-Authentication Code", 1727 Lecture Notes in Computer Science fse05vol, 2005. 1729 [FSE:BihAndKnu98] 1730 J., R., R., L., and E. Biham, "Serpent: A New Block Cipher 1731 Proposal", Lecture Notes in Computer Science fse98vol, 1732 1998. 1734 [FSE:BihBirSha99] 1735 Biryukov, A., Shamir, A., and E. Biham, "Miss in the 1736 Middle Attacks on IDEA and Khufu", Lecture Notes in 1737 Computer Science fse99vol, 1999. 1739 [FSE:BihCar08] 1740 Carmeli, Y. and E. Biham, "Efficient Reconstruction of RC4 1741 Keys from Internal States", Lecture Notes in Computer 1742 Science fse08vol, 2008. 1744 [FSE:BihDunKel01] 1745 Dunkelman, O., Keller, N., and E. Biham, "Linear 1746 Cryptanalysis of Reduced Round Serpent", Lecture Notes in 1747 Computer Science fse01vol, 2001. 1749 [FSE:BihDunKel03a] 1750 Dunkelman, O., Keller, N., and E. Biham, "Differential- 1751 Linear Cryptanalysis of Serpent", Lecture Notes in 1752 Computer Science fse03vol, 2003. 1754 [FSE:BihDunKel07b] 1755 Dunkelman, O., Keller, N., and E. Biham, "A New Attack on 1756 6-Round IDEA", Lecture Notes in Computer Science fse07vol, 1757 2007. 1759 [FSE:BihGraNgu05] 1760 Granboulan, L., Q., P., and E. Biham, "Impossible Fault 1761 Analysis of RC4 and Differential Fault Analysis of RC4", 1762 Lecture Notes in Computer Science fse05vol, 2005. 1764 [FSE:BucPysWei06] 1765 Pyshkin, A., Weinmann, R., and J. Buchmann, "A Zero- 1766 Dimensional Gr\obner Basis for AES-128"", Lecture Notes in 1767 Computer Science fse06vol, 2006. 1769 [FSE:CidMurRob05] 1770 Murphy, S., J., M., and C. 
Cid, "Small Scale Variants of 1771 the AES", Lecture Notes in Computer Science fse05vol, 1772 2005. 1774 [FSE:ColStaQui08] 1775 Standaert, F., Quisquater, J., and B. Collard, 1776 "Experiments on the Multiple Linear Cryptanalysis of 1777 Reduced Round Serpent", Lecture Notes in Computer 1778 Science fse08vol, 2008. 1780 [FSE:DemSel08] 1781 Aydin, A. and H. Demirci, "A Meet-in-the-Middle Attack on 1782 8-Round AES", Lecture Notes in Computer Science fse08vol, 1783 2008. 1785 [FSE:FluMcG00] 1786 A., D. and S. R., "Statistical Analysis of the Alleged RC4 1787 Keystream Generator", Lecture Notes in Computer 1788 Science fse00vol, 2000. 1790 [FSE:GilPey10] 1791 Peyrin, T. and H. Gilbert, "Super-Sbox Cryptanalysis: 1792 Improved Attacks for AES-Like Permutations", Lecture Notes 1793 in Computer Science fse10vol, 2010. 1795 [FSE:Granboulan01] 1796 Granboulan, L., "Flaws in Differential Cryptanalysis of 1797 Skipjack", Lecture Notes in Computer Science fse01vol, 1798 2001. 1800 [FSE:Gueron09] 1801 Gueron, S., "Intel's New AES Instructions for Enhanced 1802 Performance and Security (Invited Talk)", Lecture Notes in 1803 Computer Science fse09vol, 2009. 1805 [FSE:HKLP05] 1806 Kim, J., Lee, S., Preneel, B., and S. Hong, "Related-Key 1807 Rectangle Attacks on Reduced Versions of SHACAL-1 and AES- 1808 192", Lecture Notes in Computer Science fse05vol, 2005. 1810 [FSE:IYYK01] 1811 Yoshino, T., Yuasa, T., Kurosawa, K., and T. Iwata, "Round 1812 Security and Super-Pseudorandomness of MISTY Type 1813 Structure", Lecture Notes in Computer Science fse01vol, 1814 2001. 1816 [FSE:Isobe11] 1817 Isobe, T., "A Single-Key Attack on the Full GOST Block 1818 Cipher", Lecture Notes in Computer Science fse11vol, 2011. 1820 [FSE:IwaKur00] 1821 Kurosawa, K. and T. Iwata, "On the Pseudorandomness of the 1822 AES Finalists - RC6 and Serpent", Lecture Notes in 1823 Computer Science fse00vol, 2000. 1825 [FSE:JunMac09] 1826 Macchetti, M. and P. 
Junod, "Revisiting the IDEA 1827 Philosophy", Lecture Notes in Computer Science fse09vol, 1828 2009. 1830 [FSE:Junod05] 1831 Junod, P., "New Attacks Against Reduced-Round Versions of 1832 IDEA", Lecture Notes in Computer Science fse05vol, 2005. 1834 [FSE:KLLLL02] 1835 Lee, W., Lee, S., Lee, S., Lim, J., and K. Hwang, 1836 "Saturation Attacks on Reduced Round Skipjack", Lecture 1837 Notes in Computer Science fse02vol, 2002. 1839 [FSE:KRRR98] 1840 Rijmen, V., L., R., J., M., and L. R., "On the Design and 1841 Security of RC2", Lecture Notes in Computer 1842 Science fse98vol, 1998. 1844 [FSE:KanMat01] 1845 Matsumoto, T. and M. Kanda, "Security of Camellia against 1846 Truncated Differential Cryptanalysis", Lecture Notes in 1847 Computer Science fse01vol, 2001. 1849 [FSE:KarMan07] 1850 Manap, C. and O. Kara, "A New Class of Weak Keys for 1851 Blowfish", Lecture Notes in Computer Science fse07vol, 1852 2007. 1854 [FSE:KelKohSch00] 1855 Kohno, T., Schneier, B., and J. Kelsey, "Amplified 1856 Boomerang Attacks Against Reduced-Round MARS and Serpent", 1857 Lecture Notes in Computer Science fse00vol, 2000. 1859 [FSE:KimHonPre07] 1860 Hong, S., Preneel, B., and J. Kim, "Related-Key Rectangle 1861 Attacks on Reduced AES-192 and AES-256", Lecture Notes in 1862 Computer Science fse07vol, 2007. 1864 [FSE:Kuhn02] 1865 Kuhn, U., "Improved Cryptanalysis of MISTY1", Lecture 1866 Notes in Computer Science fse02vol, 2002. 1868 [FSE:Lucks01] 1869 Lucks, S., "The Saturation Attack - A Bait for Twofish", 1870 Lecture Notes in Computer Science fse01vol, 2001. 1872 [FSE:Lucks98] 1873 Lucks, S., "Attacking Triple Encryption", Lecture Notes in 1874 Computer Science fse98vol, 1998. 1876 [FSE:MaiPau08] 1877 Paul, G. and S. Maitra, "New Form of Permutation Bias and 1878 Secret Key Leakage in Keystream Bytes of RC4", Lecture 1879 Notes in Computer Science fse08vol, 2008. 1881 [FSE:MaiPauSen11] 1882 Paul, G., Sengupta, S., and S. 
Maitra, "Attack on 1883 Broadcast RC4 Revisited", Lecture Notes in Computer 1884 Science fse11vol, 2011. 1886 [FSE:ManSha01] 1887 Shamir, A. and I. Mantin, "A Practical Attack on Broadcast 1888 RC4", Lecture Notes in Computer Science fse01vol, 2001. 1890 [FSE:Matsui09] 1891 Matsui, M., "Key Collisions of the RC4 Stream Cipher", 1892 Lecture Notes in Computer Science fse09vol, 2009. 1894 [FSE:Matsui97] 1895 Matsui, M., "New Block Encryption Algorithm MISTY", 1896 Lecture Notes in Computer Science fse97vol, 1997. 1898 [FSE:Maximov05] 1899 Maximov, A., "Two Linear Distinguishing Attacks on VMPC 1900 and RC4A and Weakness of RC4 Family of Stream Ciphers", 1901 Lecture Notes in Computer Science fse05vol, 2005. 1903 [FSE:MenPraRec08] 1904 Pramstaller, N., Rechberger, C., and F. Mendel, "A 1905 (Second) Preimage Attack on the GOST Hash Function", 1906 Lecture Notes in Computer Science fse08vol, 2008. 1908 [FSE:Messerges00] 1909 S., T., "Securing the AES Finalists Against Power Analysis 1910 Attacks", Lecture Notes in Computer Science fse00vol, 1911 2000. 1913 [FSE:MinTsu06] 1914 Tsunoo, Y. and K. Minematsu, "Provably Secure MACs from 1915 Differentially-Uniform Permutations and AES-Based 1916 Implementations", Lecture Notes in Computer 1917 Science fse06vol, 2006. 1919 [FSE:MorShiKan98] 1920 Shimoyama, T., Kaneko, T., and S. Moriai, "Higher Order 1921 Differential Attak of CAST Cipher", Lecture Notes in 1922 Computer Science fse98vol, 1998. 1924 [FSE:OBSC10] 1925 W., J., Stefan, D., Canright, D., and D. Arne, "Fast 1926 Software AES Encryption", Lecture Notes in Computer 1927 Science fse10vol, 2010. 1929 [FSE:OMPR05] 1930 Mangard, S., Pramstaller, N., Rijmen, V., and E. Oswald, 1931 "A Side-Channel Analysis Resistant Description of the AES 1932 S-Box", Lecture Notes in Computer Science fse05vol, 2005. 1934 [FSE:PauPre04] 1935 Preneel, B. and S. 
Paul, "A New Weakness in the RC4 1936 Keystream Generator and an Approach to Improve the 1937 Security of the Cipher", Lecture Notes in Computer 1938 Science fse04vol, 2004. 1940 [FSE:Raddum03] 1941 Raddum, H., "Cryptanalysis of IDEA-X/2", Lecture Notes in 1942 Computer Science fse03vol, 2003. 1944 [FSE:SSAMI07] 1945 Shibutani, K., Akishita, T., Moriai, S., Iwata, T., and T. 1946 Shirai, "The 128-Bit Blockcipher CLEFIA (Extended 1947 Abstract)", Lecture Notes in Computer Science fse07vol, 1948 2007. 1950 [FSE:Sasaki11] 1951 Sasaki, Y., "Meet-in-the-Middle Preimage Attacks on AES 1952 Hashing Modes and an Application to Whirlpool", Lecture 1953 Notes in Computer Science fse11vol, 2011. 1955 [FSE:Schneier93] 1956 Schneier, B., "Description of a New Variable-Length Key 1957 64-bit Block Cipher (Blowfish)", Lecture Notes in Computer 1958 Science fse93vol, 1993. 1960 [FSE:ShiKanAbe02] 1961 Kanamaru, S., Abe, G., and T. Shirai, "Improved Upper 1962 Bounds of Differential and Linear Characteristic 1963 Probability for Camellia", Lecture Notes in Computer 1964 Science fse02vol, 2002. 1966 [FSE:SonSeb03] 1967 Seberry, J. and B. Song, "Further Observations on the 1968 Structure of the AES Algorithm", Lecture Notes in Computer 1969 Science fse03vol, 2003. 1971 [FSE:Vaudenay96] 1972 Vaudenay, S., "On the Weak Keys of Blowfish", Lecture 1973 Notes in Computer Science fse96vol, 1996. 1975 [FSE:Wernsdorf02] 1976 Wernsdorf, R., "The Round Functions of RIJNDAEL Generate 1977 the Alternating Group", Lecture Notes in Computer 1978 Science fse02vol, 2002. 1980 [FSE:YeoParKim02] 1981 Park, S., Kim, I., and Y. Yeom, "On the Security of 1982 CAMELLIA against the Square Attack", Lecture Notes in 1983 Computer Science fse02vol, 2002. 1985 [HRDA:HSK02] 1986 Hatano, Y., Sekine, H., and T. Kaneko, "Camellia: Higher 1987 order differential attack of Camellia(2)", Selected areas 1988 in cryptography-sac 2002 HRDA:HSK02, 2002. 1990 [I-D.kiyomoto-kcipher2] 1991 Kiyomoto, S. and W. 
Shin, "A Description of KCipher-2 1992 Encryption Algorithm", draft-kiyomoto-kcipher2-06 (work in 1993 progress), December 2011. 1995 [ICICS:AciKoc06] 1996 Kaya, . and O. Acii\\ccmez, "Trace-Driven Cache Attacks on 1997 AES (Short Paper)", Lecture Notes in Computer 1998 Science icics06vol, 2006. 2000 [ICICS:BNPV02] 2001 Nakahara, J., Preneel, B., Vandewalle, J., and A. 2002 Biryukov, "New Weak-Key Classes of IDEA", Lecture Notes in 2003 Computer Science icics02vol, 2002. 2005 [ICICS:CheWuFen07] 2006 Wu, W., Feng, D., and H. Chen, "Differential Fault 2007 Analysis on CLEFIA", Lecture Notes in Computer 2008 Science icics07vol, 2007. 2010 [ICICS:HeQin01] 2011 Qing, S. and Y. He, "Square Attack on Reduced Camellia 2012 Cipher", Lecture Notes in Computer Science icics01vol, 2013 2001. 2015 [ICICS:KelSchWag97] 2016 Schneier, B., Wagner, D., and J. Kelsey, "Related-key 2017 cryptanalysis of 3-WAY Biham-DES,CAST DES-X, NewDES, RC2, 2018 and TEA,", Lecture Notes in Computer Science icics97vol, 2019 1997. 2021 [ICICS:LeiLiFen07] 2022 Li, C., Feng, K., and D. Lei, "Square Like Attack on 2023 Camellia", Lecture Notes in Computer Science icics07vol, 2024 2007. 2026 [ICICS:Lu07] 2027 Lu, J., "Attacking Reduced-Round Versions of the SMS4 2028 Block Cipher in the Chinese WAPI Standard", Lecture Notes 2029 in Computer Science icics07vol, 2007. 2031 [ICICS:MonVau04] 2032 Vaudenay, S. and J. Monnerat, "On Some Weak Extensions of 2033 AES and BES", Lecture Notes in Computer 2034 Science icics04vol, 2004. 2036 [ICICS:TozDun08] 2037 Dunkelman, O. and D. Toz, "Analysis of Two Attacks on 2038 Reduced-Round Versions of the SMS4", Lecture Notes in 2039 Computer Science icics08vol, 2008. 2041 [ICICS:WLFQ9] 2042 Li, B., Feng, D., Qing, S., and W. Wu, "Cryptanalysis of 2043 some AES Candidate Algorithms", Lecture Notes in Computer 2044 Science icics99vol, 1999. 2046 [ICICS:ZSMTS07] 2047 Salmasizadeh, M., Moradi, A., Tabandeh, M., T., M., and B. 
2048 Zakeri, "Compact and Secure Design of Masked AES S-Box", 2049 Lecture Notes in Computer Science icics07vol, 2007. 2051 [ICISC:BabFri00] 2052 Frisch, L. and S. Babbage, "On MISTY1 Higher Order 2053 Differential Cryptanalysis", Lecture Notes in Computer 2054 Science icisc00vol, 2000. 2056 [ICISC:ChoHerNyb08] 2057 Hermelin, M., Nyberg, K., and J. Yeon, "A New Technique 2058 for Multidimensional Linear Cryptanalysis with 2059 Applications on Reduced Round Serpent", Lecture Notes in 2060 Computer Science icisc08vol, 2008. 2062 [ICISC:CouGou05] 2063 Goubin, L. and N. Courtois, "An Algebraic Masking Method 2064 to Protect AES Against Power Attacks", Lecture Notes in 2065 Computer Science icisc05vol, 2005. 2067 [ICISC:EriDinChr09] 2068 Ding, J., Christensen, C., and J. Erickson, "Algebraic 2069 Cryptanalysis of SMS4: Gr\obner Basis Attack and SAT 2070 Attack Compared"", Lecture Notes in Computer 2071 Science icisc09vol, 2009. 2073 [ICISC:Karroumi10] 2074 Karroumi, M., "Protecting White-Box AES with Dual 2075 Ciphers", Lecture Notes in Computer Science icisc10vol, 2076 2010. 2078 [ICISC:LHLLY01] 2079 Hong, S., Lee, S., Lim, J., Yoon, S., and S. Lee, 2080 "Truncated Differential Cryptanalysis of Camellia", 2081 Lecture Notes in Computer Science icisc01vol, 2001. 2083 [ICISC:LopRodDia05] 2084 Rodr\\'iguez-Henr\\'iquez, F., D\\'iaz-P\\'erez, A., and 2085 E. L\\'opez-Trejo, "An FPGA Implementation of CCM Mode 2086 Using AES", Lecture Notes in Computer Science icisc05vol, 2087 2005. 2089 [ICISC:Mangard02] 2090 Mangard, S., "A Simple Power-Analysis (SPA) Attackon 2091 Implementations of the AES Key Expansion", Lecture Notes 2092 in Computer Science icisc02vol, 2002. 2094 [ICISC:SonSeb02] 2095 Seberry, J. and B. Song, "Consistent Differential Patterns 2096 of Rijndael", Lecture Notes in Computer 2097 Science icisc02vol, 2002. 2099 [ICISC:TSSK08] 2100 Saito, T., Shigeri, M., Kawabata, T., and Y. 
Tsunoo, 2101 "Higher Order Differential Attacks on Reduced-Round 2102 MISTY1", Lecture Notes in Computer Science icisc08vol, 2103 2008. 2105 [ICISC:YanParYou06] 2106 Park, J., You, Y., and S. Yang, "The Smallest ARIA Module 2107 with 16-Bit Architecture", Lecture Notes in Computer 2108 Science icisc06vol, 2006. 2110 [ICISC:ZhaWuFen07] 2111 Wu, W., Feng, D., and W. Zhang, "New Results on Impossible 2112 Differential Cryptanalysis of Reduced AES", Lecture Notes 2113 in Computer Science icisc07vol, 2007. 2115 [IDCC:TTSSSK08] 2116 Tsunoo, Y., Tsujihara2, E., Shigeri, M., Saito, T., 2117 Suzaki, T., and H. Kubo, "CLEFIA:Impossible Differential 2118 Cryptanalysis of CLEFIA", Fast Software Encryption- 2119 FSE IDCC08vol, 2008. 2121 [IDEA] Lai and Massey, "A Proposal for a New Block Encryption 2122 Standard", Lecture Notes in Computer 2123 Science eurocrypt90vol, 1990. 2125 [IMA:Knudsen99] 2126 R., L., "Advanced Encryption Standard (AES) - An Update", 2127 Lecture Notes in Computer Science ima99vol, 1999. 2129 [INDOCRYPT:AkgKavDem08] 2130 Kavak, P., Demirci, H., and M. Akg\\un, "New Results on 2131 the Key Scheduling Algorithm of RC4", Lecture Notes in 2132 Computer Science indocrypt08vol, 2008. 2134 [INDOCRYPT:BerCanGou09] 2135 Canovas-Dumas, C., Goubin, L., and A. Berzati, "Fault 2136 Analysis of Rabbit: Toward a Secret Key Leakage", Lecture 2137 Notes in Computer Science indocrypt09vol, 2009. 2139 [INDOCRYPT:BerSch08] 2140 Schwabe, P. and D. J., "New AES Software Speed Records", 2141 Lecture Notes in Computer Science indocrypt08vol, 2008. 2143 [INDOCRYPT:BihFur00] 2144 Furman, V. and E. Biham, "Improved Impossible 2145 Differentials on Twofish", Lecture Notes in Computer 2146 Science indocrypt00vol, 2000. 2148 [INDOCRYPT:DTCB09] 2149 Taskin, I., \\cCoban, M., Baysal, A., and H. Demirci, 2150 "Improved Meet-in-the-Middle Attacks on AES", Lecture 2151 Notes in Computer Science indocrypt09vol, 2009. 2153 [INDOCRYPT:DarKuh06] 2154 Kuhlman, D. and M. 
Darnall, "AES Software Implementations 2155 on ARM7TDMI", Lecture Notes in Computer 2156 Science indocrypt06vol, 2006. 2158 [INDOCRYPT:DunIndKel08] 2159 Indesteege, S., Keller, N., and O. Dunkelman, "A 2160 Differential-Linear Attack on 12-Round Serpent", Lecture 2161 Notes in Computer Science indocrypt08vol, 2008. 2163 [INDOCRYPT:FFGL10] 2164 Forler, C., Gorski, M., Lucks, S., and E. Fleischmann, 2165 "New Boomerang Attacks on ARIA", Lecture Notes in Computer 2166 Science indocrypt10vol, 2010. 2168 [INDOCRYPT:GorLuc08] 2169 Lucks, S. and M. Gorski, "New Related-Key Boomerang 2170 Attacks on AES", Lecture Notes in Computer 2171 Science indocrypt08vol, 2008. 2173 [INDOCRYPT:JiHu07] 2174 Hu, L. and W. Ji, "New Description of SMS4 by an Embedding 2175 over GF(2^8)", Lecture Notes in Computer 2176 Science indocrypt07vol, 2007. 2178 [INDOCRYPT:KumMukCho07] 2179 Mukhopadhyay, D., Roy, D., and K. Kumar, "Design of a 2180 Differential Power Analysis Resistant Masked AES S-Box 2181 (Short Presentation)", Lecture Notes in Computer 2182 Science indocrypt07vol, 2007. 2184 [INDOCRYPT:LDKK08] 2185 Dunkelman, O., Keller, N., Kim, J., and J. Lu, "New 2186 Impossible Differential Attacks on AES", Lecture Notes in 2187 Computer Science indocrypt08vol, 2008. 2189 [INDOCRYPT:MDRM10] 2190 Dakhilalian, M., Rijmen, V., Modarres-Hashemi, M., and H. 2191 Mala, "Improved Impossible Differential Cryptanalysis of 2192 7-Round AES-128", Lecture Notes in Computer 2193 Science indocrypt10vol, 2010. 2195 [INDOCRYPT:MaiPau08] 2196 Paul, G. and S. Maitra, "Analysis of RC4 and Proposal of 2197 Additional Layers for Better Security Margin", Lecture 2198 Notes in Computer Science indocrypt08vol, 2008. 2200 [INDOCRYPT:ManGre10] 2201 Gregg, D. and R. Manley, "A Program Generator for Intel 2202 AES-NI Instructions", Lecture Notes in Computer 2203 Science indocrypt10vol, 2010. 2205 [INDOCRYPT:MulWysPre10] 2206 Wyseur, B., Preneel, B., and Y. 
Authors' Addresses

   David McGrew
   Cisco Systems
   13600 Dulles Technology Drive
   Herndon, VA 20171
   USA

   Email: mcgrew@cisco.com

   Sean Shen
   Chinese Academy of Science
   No.4 South 4th Zhongguancun Street
   Beijing, 100190
   China

   Phone: +86 10-58813038
   Email: shenshuo@cnnic.cn