Knowledge

Serpent (cipher)

permutation to simplify an optimized implementation. The round function in Rijndael consists of three parts: a nonlinear layer, a linear mixing layer, and a key-mixing XOR layer. The round function in Serpent consists of key-mixing XOR, thirty-two parallel applications of the same 4×4 S-box, and a linear transformation, except in the last round, wherein another key-mixing XOR replaces the linear transformation. The nonlinear layer in Rijndael uses an 8×8 S-box whereas Serpent uses eight different 4×4 S-boxes. The 32 rounds mean that Serpent has a higher security margin than Rijndael; however, Rijndael with 10 rounds is faster and easier to implement for small blocks. Hence, Rijndael was selected as the winner in the AES competition.
"Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the General Public License (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application. If you do use it, we would appreciate it if you would let us know!"
Serpent took a conservative approach to security, opting for a large security margin: the designers deemed 16 rounds to be sufficient against known types of attack but specified 32 rounds as insurance against future discoveries in cryptanalysis. The official NIST report on AES competition classified
The Serpent key schedule consists of 3 main stages. In the first stage the key is initialized by adding padding if necessary. This is done in order to make short keys map to long keys of 256 bits: one "1" bit is appended to the end of the short key, followed by "0" bits until the short key is mapped to a long key length.
and in contrast to the adequate security margin of RC6 and Rijndael (currently AES). In final voting, Serpent had the fewest negative votes among the finalists but ranked in second place overall because Rijndael had substantially more positive votes, the deciding factor being that Rijndael allowed
is a substitution-linear transformation network with ten, twelve, or fourteen rounds, depending on the key size, and with key sizes of 128 bits, 192 bits, or 256 bits, independently specified. Serpent is a substitution–permutation network which has thirty-two rounds, plus an initial and a final
All publicly known attacks are computationally infeasible, and none of them affect the full 32-round Serpent. A 2011 attack breaks 11 round Serpent (all key sizes) with 2 known plaintexts, 2 time and 2 memory (as described in). The same paper also describes two attacks which break 12 rounds of
s-boxes. These were transformed by swapping entries; the resulting arrays with the desired properties were stored as the Serpent s-boxes. This process was repeated until a total of 8 s-boxes were found. The following key was used in this process:
The same paper also describes two attacks which break 12 rounds of Serpent-256. The first requires 2 known plaintexts, 2 time and 2 memory. The other attack requires 2 known plaintexts and 2 memory but also requires 2 time.
There are no restrictions or encumbrances regarding its use. As a result, anyone is free to incorporate Serpent in their software (or in hardware implementations) without paying license fees.
the nonlinear order of the output bits as a function of the input bits is 3. However, output bits have been found which, as a function of the input bits, have an order of only 2.
A 2011 attack by Hongjun Wu, Huaxiong Wang and Phuong Ha Nguyen, also using linear cryptanalysis, breaks 11 rounds of Serpent-128 with 2 known plaintexts, 2 time and 2 memory.
, but a somewhat tweaked version, Serpent-1, was submitted to the AES competition. The AES submission paper discusses the changes, which include key-scheduling differences.
Serpent-256. The first requires 2 known plaintexts, 2 time and 2 memory. The other attack requires 2 known plaintexts and 2 memory but also requires 2 time.
attack that breaks 10 of 32 rounds of Serpent-128 with 2 known plaintexts and 2 time, and 11 rounds of Serpent-192/256 with 2 known plaintexts and 2 time.
A 2009 paper noted that the nonlinear order of the Serpent S-boxes was not 3, as was claimed by the designers. Specifically, four elements had order 2.
linear characteristics have a probability between 1:2 and 1:4; a linear relationship between input and output bits has a probability between 1:2 and 1:8.
a 1-bit input difference will never lead to a 1-bit output difference; a differential characteristic has a probability of 1:4 or less.
At the end, the round keys or "subkeys" are placed in the "initial permutation IP" to place the key bits in the correct column.
Finally the "subkeys" are derived from the previously generated "prekeys". This results in a total of 33 128-bit "subkeys".
Consists of XOR, S-Box, bit shift left and bit rotate left operations. These operations are performed on 4 32-bit words.
believe that once implementation considerations are taken into account the XSL attack would be more expensive than a
In the next phase, the "prekeys" are derived using the previously initialized key. 32-bit key parts are XORed, the
and round index were added to achieve an even distribution of the key bits during the rounds.
32 times in parallel. Serpent was designed so that all operations can be executed in
, if effective, would weaken Serpent (though not as much as it would weaken
The initial permutation works on 128 bits at a time moving bits around.
The original Serpent, Serpent-0, was presented at the 5th workshop on
The Serpent s-boxes have been constructed based on the 32 rows of the
3516: 2897: 2892: 2782: 2696: 2591: 2571: 2166: 1871:"Report on the development of the Advanced Encryption Standard (AES)" 1757: 1224:
The final permutation works on 128 bits at a time moving bits around.
and the round index is XORed with the key parts, the result of the
This maximizes parallelism but also allows use of the extensive
#define ROTL(A, n) ((A) << (n) | (A) >> (32 - (n)))

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.
