International Journal of Computer Science Engineering and Information Technology Research (IJCSEITR) ISSN 2249-6831 Vol. 3, Issue 2, Jun 2013, 351-366 © TJPRC Pvt. Ltd.

REVIEW OF THE JOURNEY FROM DES TO AES
NEETA WADHWA, SYED ZEESHAN HUSSAIN & S. A. M RIZVI
Department of Computer Science, Jamia Millia Islamia, New Delhi, India

ABSTRACT
DES [Data Encryption Standard] was born in the mid 70's and died in the late 90's. A new secure and fast algorithm was required to replace it, and it was replaced by AES [Advanced Encryption Standard] in 2001. This paper reviews the whole process of replacing DES and finding AES. It presents a critical analysis of all 15 finalists of the first round of the AES process. All the participant algorithms are analyzed from the speed versus security perspective.

KEYWORDS: AES, DES, Symmetric Ciphers, Symmetric Cryptography

INTRODUCTION
In 1972, the National Bureau of Standards (NBS), a part of the U.S. Department of Commerce, started a project to develop standards for the protection of data stored in computers. Before this NBS call, cryptography had been largely the concern of military and other government organizations only, so all the cryptographic algorithms used by national military organizations were closely held secrets. NBS received many responses to the project, but did not receive any algorithm that met the established criteria. NBS issued a second solicitation in the Federal Register (August 17, 1974). In response, IBM submitted its encryption design LUCIFER, designed by Horst Feistel and his team. LUCIFER enciphered blocks of 128 bits and used a 128-bit key [block size and key size greater than DES]. NSA made some modifications to the original design [1,2]. The NSA reduced the key size from 112 bits to 56 bits and made changes to the S-boxes, after which the algorithm was subjected to nearly two years of public evaluation and comment. There was much criticism of the DES key length and of its design criteria for the internal structure, particularly the S-boxes. The NSA was accused of changing the algorithm to plant a 'back door' in it that would allow agents to decrypt any information without having to know the encryption key. But these accusations proved unjustified and no such back door has ever been found. The modified LUCIFER algorithm was adopted by NIST as a federal standard on November 23, 1976. Its name was changed to the Data Encryption Standard (DES). Finally, the official description of the standard, FIPS PUB 46, Data Encryption Standard, was published on 15 January 1977. NIST also requested IBM to grant nonexclusive, royalty-free licenses to make, use, and sell devices that implemented the algorithm. NBS recommended that the standard be issued with provisions for a review by NBS every five years [3].
Eli Biham and Adi Shamir described differential cryptanalysis in detail in [4]. It is actually a chosen-plaintext attack and requires 2^47 chosen plaintexts (possible theoretically only). This attack is based on the structure of the S-boxes, and cryptologists believe that NIST was already aware of this attack in the 70's; that is why they designed the S-boxes to be non-linear and did not even disclose the design principles of the S-boxes at that time. The design principles have since been disclosed and have become an interesting area of research and study. If it is carried out as a known-plaintext attack, 2^55 pairs of known plaintext are required, which is possible theoretically only. Mitsuru Matsui invented linear cryptanalysis. This cryptanalytic attack on DES is illustrated in [5]. He proved that with 2^43 known plaintext pairs the secret key can be recovered, which is also not feasible in practice. A software implementation of this attack recovered a DES key in 50 days using 12 HP9000/735 workstations, which is the most effective attack so far [5]. DES was actually cracked by the Electronic Frontier Foundation (EFF) in 1998; it used a specially developed computer called the DES Cracker, which was built for under $250,000 and found the 56-bit DES key in 56 hours [6]. So, due to the very small key length and the increasing computational power of computers, DES was cracked, and 3DES was very slow. So there was an alarming need for a new standard for encryption.
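The S-box properties this history turns on (non-linearity against differential and linear cryptanalysis, and the avalanche criteria the CAST section below refers to) can be measured directly from a table. The following is an added example, not from the paper: it takes the published 4-bit S-box of the PRESENT cipher as a well-studied nonlinear table and a constructed affine S-box, S(x) = x XOR 5, as the weak contrast.

```python
"""Measuring an S-box against differential and linear cryptanalysis.

Added example (not from the paper). SBOX_PRESENT is the 4-bit S-box of the
PRESENT lightweight block cipher, used here only as a well-studied nonlinear
table; SBOX_AFFINE is a constructed toy, S(x) = x XOR 5, to show what a
designer loses with a linear S-box.
"""
N = 4                 # S-box input/output width in bits
SIZE = 1 << N         # 16 possible inputs

SBOX_PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_AFFINE = [x ^ 0x5 for x in range(SIZE)]   # constructed, deliberately weak


def is_bijection(sbox):
    """Every output value occurs exactly once (needed for decryption)."""
    return sorted(sbox) == list(range(SIZE))


def parity(v):
    """XOR of the bits of v (the dot product used in linear approximations)."""
    return bin(v).count("1") & 1


def differential_uniformity(sbox):
    """Largest entry of the difference distribution table (DDT) over non-zero
    input differences. The differential (a -> b) holds with probability
    ddt[a][b] / SIZE, so this bounds the best one-round probability available
    to differential cryptanalysis. SIZE means a difference propagates with
    certainty; 4 is the best a 4-bit bijection can achieve."""
    best = 0
    for a in range(1, SIZE):
        counts = [0] * SIZE
        for x in range(SIZE):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best


def max_linear_bias(sbox):
    """Largest |p - 1/2| over approximations  a.x = b.S(x)  with a, b != 0.
    Linear cryptanalysis needs roughly 1 / bias^2 known plaintexts, so a bias
    of 1/2 (an exact linear relation) is the worst case for the designer."""
    best = 0.0
    for a in range(1, SIZE):
        for b in range(1, SIZE):
            holds = sum(1 for x in range(SIZE)
                        if parity(a & x) == parity(b & sbox[x]))
            best = max(best, abs(holds / SIZE - 0.5))
    return best


def sac_matrix(sbox):
    """Strict Avalanche Criterion: entry [i][j] is the probability that output
    bit j flips when input bit i is flipped. SAC is met exactly when every
    entry equals 0.5; an affine S-box gives only 0.0 and 1.0 entries."""
    m = [[0] * N for _ in range(N)]
    for i in range(N):
        for x in range(SIZE):
            d = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(N):
                m[i][j] += (d >> j) & 1
    return [[v / SIZE for v in row] for row in m]


def report(sbox):
    """Summarise one S-box; the returned dict is what the checks below use."""
    sac = sac_matrix(sbox)
    return {
        "bijective": is_bijection(sbox),
        "ddt_max": differential_uniformity(sbox),
        "lin_bias": max_linear_bias(sbox),
        "sac_worst": max(abs(v - 0.5) for row in sac for v in row),
    }


if __name__ == "__main__":
    for name, sbox in (("PRESENT", SBOX_PRESENT), ("affine", SBOX_AFFINE)):
        print(name, report(sbox))
```

The affine table shows a differential that holds with certainty and a linear relation with bias 1/2, exactly the behaviour the non-linear DES S-boxes were designed to avoid.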

AES PROCESS
On January 2, 1997, the National Institute of Standards and Technology (NIST) initiated the project of replacing DES [7]. Government agencies, academics and vendors commented on the specifications and requirements for the new algorithm, which would be called the Advanced Encryption Algorithm (AEA). On April 15, 1997, NIST organized a workshop to discuss the comments received and to specify the request for candidate algorithms. Finally, on September 12, 1997, NIST put out a formal call for the successor of DES [8]. The requirements for the new standard were: it should be a symmetric block cipher; it should allow key sizes of 128, 192 and 256 bits and a block size of 128 bits; and it should be highly portable, working on a variety of hardware platforms including the 8-bit processors used in smart cards and the 32-bit processors used in most personal computers. The performance specification of an algorithm also had to be submitted. For this criterion, the results of C and Java implementations had to be specified; the most important criterion was the cryptographic strength of the algorithm. Thus the two main considerations for the proposed AES were SPEED and SECURITY.

ROUND 1
Cryptographers, security professionals, researchers and other academics submitted algorithms for consideration. On June 15, 1998, twenty-one algorithms were submitted to NIST. NIST reviewed them and selected 15 candidate algorithms that fulfilled the minimum requirements of the published specification. It did not perform any cryptanalysis of the submitted algorithms, so this selection had no cryptographic grounds: NIST just checked the minimum eligibility criteria and the inclusion of all the required documents. Six incomplete submissions were rejected from the competition. On August 20-22, 1998, the First AES Candidate Conference (AES1) was held in Ventura, California. NIST published the fifteen Round 1 AES candidates at the conference, and the inventors of the 15 algorithms gave presentations briefing the structure, security and performance of the submitted algorithms. Then all candidate algorithms were opened to the public for security v/s speed analysis, and NIST announced 15th April 1999 as the last date for submitting comments on the candidates. Throughout the whole AES process NIST encouraged cryptanalysts to crack/attack each of the methods. The 15 Round 1 submissions were highly diverse, with varying strengths and weaknesses.

FIFTEEN ALGORITHMS

CAST
CAST-256 is a successor of CAST-128 [9]. It is a 'DES-like' SPN (Substitution-Permutation Network) cryptosystem, because it uses the Feistel model like DES to implement Shannon's concept of an S-P network. CAST is a byte-oriented Feistel cipher. Adams published several articles describing various components of the CAST design procedure [9-12]. Finally, in [12] he described CAST as a design procedure for designing secure symmetric encryption algorithms.


Security v/s Speed Tradeoff
The designer claimed in [13] that the CAST cipher family is very much immune to various cryptanalytic attacks such as differential cryptanalysis, linear cryptanalysis and related-key cryptanalysis [14]. He also showed that this cipher family has many desirable cryptographic properties such as avalanche, the Strict Avalanche Criterion (SAC) and the Bit Independence Criterion, and that this family of ciphers has no weak or semi-weak keys, unlike DES. As CAST is a DES-like cryptosystem, which was well understood at that time, it has been rigorously analyzed by various cryptographers. It has low resistance against power-analysis attacks due to the use of variable rotations and additions/subtractions. It is simple to implement and has medium speed on different platforms. But its hardware implementation is expensive: it requires a large ROM, which makes it unsuitable for smart cards [15].

CRYPTON
CRYPTON [16-18] is an S-P network based on the SQUARE structure [19]. It uses the same routine for encryption and decryption. It has 12 rounds and supports additional key sizes from 32 bits to 256 bits, and also supports a block size of 512 bits.

Security v/s Speed Tradeoff
The designer claimed that the speed of CRYPTON is double that of DES. The key-schedule time is different for encryption and decryption: it is much faster for encryption than for decryption. It does not need much RAM [just 52 bytes in total (20 bytes for variables and 32 bytes for the user key)]. It also supports on-the-fly key generation. These features make it suitable for smart cards. CRYPTON is fast in both hardware and software. Its software implementation on a 200 MHz Pentium Pro showed about 40 Mbps, the best encryption and decryption speeds among the AES candidates [20]. Hardware implementations of CRYPTON are even more efficient than software implementations, because it was designed from the beginning with hardware implementations in mind.
CRYPTON is considered the most hardware-friendly AES candidate in several studies [21-23]. Hong et al. analyzed the hardware implementation of CRYPTON and also studied the properties of its S-boxes. They showed that it can encrypt at 1.6 Gbit/s using a moderate area of 30,000 gates and even reach 2.6 Gbit/s with less than 100,000 gates. The 2.6 Gbps speed is faster than the fastest commercially available Triple-DES chip, and is enough to support Gigabit networks. Since CRYPTON has good scalability in gate count, a designer can select a proper speed-area tradeoff from a large set of choices [24]. As far as security is concerned, the designer claimed it to be resistant to all known cryptanalytic attacks and invited more analysis from the cryptographic community. This cipher is immune against side-channel cryptanalysis such as timing attacks, as each processing step of the cipher involves the same kind of operations down to the byte level. The SQUARE attack, a special cryptanalytic technique for SQUARE-based ciphers, can be applied to the 6-round version of CRYPTON [25]. This cipher also has weak keys, which make it vulnerable to some attacks. Borst in [26] proved that CRYPTON has a class of 2^32 weak 256-bit keys, so CRYPTON with a key length of 256 bits has to be used carefully. He also suggested incorporating some nonlinearity in the key schedule algorithm, as has been done in Rijndael, which is also based on the same SQUARE model. Rijndael went on to win the AES competition and became the new standard AES, the successor of DES.

DEAL [Digital Encryption Algorithm with Larger Blocks]
DEAL is based on the Feistel structure and even uses DES itself as its round function [27]. It encrypts 128-bit data blocks with three variant key sizes: DEAL-128 (6 rounds), DEAL-192 (6 rounds) and DEAL-256 (8 rounds). All versions work well in all four modes (ECB, CBC, CFB, OFB) defined for DES [28]. It is also most readily available and implementable, as DES source code is already available.

Security v/s Speed Tradeoff
Due to the large key and block sizes, exhaustive key search and the matching-ciphertext attack are infeasible. In [29,30] Lars Knudsen used a 5-round impossible differential to attack DEAL. Eli Biham, Alex Biryukov and Adi Shamir gave the technique the name 'impossible differential' and applied it with great success to Skipjack [31]. An attack on DEAL-192 was described in [32]. It requires 2^33 chosen plaintexts and work equivalent to about 6 x 2^189 DES encryptions (about 2^189 DEAL encryptions). Thus this attack is not feasible in a practical environment. In [30], a number of impractical attacks on DEAL-192 are discussed. There is a straightforward meet-in-the-middle attack on DEAL-192 requiring about 2^168 work and 2^173 bytes of memory, with only three known plaintexts. The memory requirements are totally unreasonable, and trading off time for memory does not yield an attack with reasonable memory requirements and less work than brute-forcing the key. The slow key schedule of DEAL makes it a poor choice for hashing applications, and the presence of equivalent or related keys makes the cipher unusable as a hash function [33]. The speed of DEAL is comparable to 3DES, which means DEAL is as slow as 3DES.

DFC [Decorrelated Fast Cipher]
DFC is a Feistel network with 8 rounds [34]. It supports varying key sizes up to 256 bits. Decryption is identical to encryption except for the order of the round keys. The designers claimed that DFC is faster than DES. DFC is based on 64-bit arithmetic: all operations of the round function, such as addition and multiplication, are done with reduction modulo 2^64.

Security v/s Speed Tradeoff
It is very fast on 64-bit architectures but quite slow on 32-bit machines. It is also not suitable for smart cards, since it does not port well to 8-bit platforms.
As it uses multiplications and additions, it is not immune to side-channel cryptanalysis such as timing and power analysis attacks. Its key schedule has two weaknesses:

First, Coppersmith [35,36] found that if the internal round key RK2 happens to be zero (which holds with probability 2^-128), the key schedule becomes symmetrical, which makes the whole encryption scheme the identity function, i.e. plaintext and ciphertext are identical.

Second, the first round key, RK1, depends on only half of the secret key, which may lead to an exhaustive key search attack on the first round key.

E2 [EFFICIENT ENCRYPTION]
E2 is a Feistel network with 12 rounds. It is a 128-bit symmetric block cipher with 3 different key sizes: E2-128, E2-192 and E2-256.

Security v/s Speed Tradeoff
It needs a large amount of ROM. The designers claimed it is platform-friendly, as its S-box can be efficiently implemented on all platforms: 8-bit, 32-bit as well as 64-bit. It has medium speed across different platforms but is faster than DES. The designers showed in their presentation that on a 32-bit CPU its C implementation encrypts at 36 Mbits/sec, whereas on the same configuration DES performs at 10.6 Mbits/sec. But the on-the-fly subkey generation feature was absent, which rules out its implementation on many low-end smart cards. E2 was resistant to all the known attacks of that time, such as differential cryptanalysis, linear cryptanalysis, the higher-order differential attack, the interpolation attack and partitioning cryptanalysis, since its S-box was designed with no vulnerabilities. The designers also claimed that nine rounds of E2 would provide enough security against differential and linear attacks. Matsui and Tokita performed a truncated differential attack on reduced-round versions (up to 8 rounds) of E2. Their analysis is based on byte characteristics, where the difference of two bytes is simply encoded into one bit of information: "0" (the same) or "1" (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies the description of its probabilistic behavior. They themselves admit that their analysis does not have a serious impact on the full E2 (12 rounds with initial and final transformation) [37]. Thus E2 is a secure, fast and flexible cipher.

FROG
FROG is an 8-round substitution-permutation network [38]. It is quite flexible, as it can encrypt blocks of any size between 8 and 128 bytes and has a key of any size between 5 and 125 bytes. FROG uses only byte-level XORs and byte-level substitutions.

Security v/s Speed Tradeoff
It is slower than DES (at 43 clocks/byte) but faster than Triple-DES (at about 120 clocks/byte), and much slower than some other modern ciphers such as Blowfish, Square and RC5, which operate at 20-25 clocks/byte [39]. It is easy to implement, but its key schedule is very complex and therefore very slow, so it has overall slow speed across different platforms. But once the internal key is set up, the encryption and decryption processes of FROG are extremely simple. It also needs a large amount of RAM (2304 bytes for a 128-bit block), so it is not suitable for smart card implementations. Wagner et al. cryptanalyzed FROG. They performed a differential attack that uses about 2^58 chosen plaintexts and very little time for the analysis. Then they performed a linear attack that uses 2^56 known texts. The linear attack can also be converted to a ciphertext-only attack using 2^64 known ciphertexts.
Also, the decryption function of FROG is quite a bit weaker than the encryption function [40]. Its decryption function was about twice as slow as encryption, its key schedule was slow and there was a feasible attack, given above. Due to these factors, FROG turned out not to be a realistic AES candidate.

HPC [Hasty Pudding Cipher]
The designer, Rich Schroeppel, called HPC an "omni-cipher" because it is flexible enough to handle variable spice size, any key size and, especially, any block size.

Security v/s Speed Tradeoff
HPC-128 is relatively easy to implement, since C source code fragments are provided in the specification. The key schedule appears very costly compared to the encryption and decryption routines. Wagner proved the presence of equivalent keys in HPC [41]. The designer also said that the algorithm is "forward-looking" in that it runs best on 64-bit architectures. But the fact is that this feature makes it unsuited to 8-bit or 32-bit platforms, so it is not suitable for smart card implementation. As NIST was looking for a general-purpose, fast and secure cipher, ciphers that are not suitable for smart card implementation could not be the general-purpose cipher.

LOKI97
LOKI97 is a 128-bit cipher based on the earlier LOKI89 [42] and LOKI91 [43]. It has a traditional Feistel S-P design. It has 16 rounds and a 256-bit key schedule which can be initialized using 128-, 192- or 256-bit keys. LOKI89 was a 64-bit cipher; its full version is secure, but Biham and Shamir presented an attack on its reduced version. Thus it was modified to LOKI91. LOKI91 was considered secure against known attacks such as differential and linear cryptanalysis [44], but its effective key size (2^60) was not adequate after the brute force attacks on 56-bit key spaces in [45]. So it was redesigned as LOKI97 for submission to the AES process.

Security v/s Speed Tradeoff
LOKI97 was broken in 1998 by Vincent Rijmen and L. R. Knudsen. They performed a differential cryptanalysis successfully with 2^56 chosen plaintexts. They found two weaknesses in LOKI97: first, its F-function is unbalanced, and second, it has a two-round iterative characteristic with probability 2^-8 [46]. The designer even suggested some modifications to deal with this attack while presenting the cipher at the AES presentation organized by NIST.

MAGENTA [Multifunctional Algorithm for General Purpose Encryption and Network Telecommunication Applications]
MAGENTA was designed in 1990 and published in 1996. The basic design principles of MAGENTA are explained in an unpublished paper. It has a block size of 128 bits and key sizes of 128, 192 and 256 bits. It is a Feistel cipher with six or eight rounds [47].

Security v/s Speed Tradeoff
As the basic data unit is the 8-bit byte, MAGENTA is very much suitable for small smart-card processors [48]. The algorithm can be optimized for small storage space. Due to the convenient data format, the small storage space necessary and the fast encryption speed, the algorithm is also very suitable for applications in ATM, HDTV, B-ISDN, voice and satellite applications. MAGENTA is also suitable for use as a pseudo-random number generator. But some of the algebraic properties of MAGENTA simplify the construction of collisions, which makes MAGENTA unsuitable as a hash function or MAC generator. The cipher has some weak keys, and during a presentation at the AES conference Biham and Shamir mounted attacks on MAGENTA based on the symmetry of the subkeys [49].

MARS
MARS encrypts blocks of 128 bits with a variable key size ranging from 128 to over 400 bits. It is an extended Feistel cipher with 32 modified Feistel rounds.
It supports key sizes much higher than 256 bits (theoretically up to 1248 bits, but some equivalent keys emerge at the boundary) [50]. Decryption is not identical to encryption.

Security v/s Speed Tradeoff
The designers claimed that MARS offers high resistance to known attacks, better than Triple DES, and runs faster than single DES in some implementations. It had good performance on 32-bit platforms and excellent performance on platforms providing strong support for 32-bit variable rotations and multiplications. But it is not resistant to timing and power analysis attacks, due to the use of multiplications, variable rotations and additions. During the analysis phase some misconceptions were rumored that were cleared up by the designers. For example, at AES Conference 3 one presentation [52] claimed that MARS requires 512 bytes of RAM for key storage. The designers proved this wrong by stating that the original MARS design included expanded keys that took 160 bytes to store, but an accepted "tweak" to the MARS key setup makes it possible to store only 40 bytes of expanded keys at a time. Even the smallest smart cards can support MARS in this mode. Biham and Furman [52] and Kelsey et al. [53] showed more efficient ways of distinguishing 8 to 8½ rounds of the MARS core from a random permutation (and then guessing the keys in subsequent rounds to get an attack against 10-11 core rounds).


RC6
RC6 is based on RC5 [54]. Modifications were made to RC5 to meet the AES requirements, to increase security and to improve performance. Its key size, block size and number of rounds are fully parameterized, defined as RC6-w/r/b. It also uses variable rotations and multiplications. It is fast on 32-bit platforms and also has fast key setup. It supports key sizes much higher than 256 bits (theoretically up to 1248 bits, but some equivalent keys emerge at the boundary).

Security v/s Speed Tradeoff
RC6 is the fastest algorithm among all the candidates. Since RC5 was proposed in 1995, various studies [55-57] have provided a greater understanding of how RC5's structure and operations contribute to its security. While no practical attack on RC5 has been found, the studies provide some interesting theoretical attacks, generally based on the fact that the rotation amounts in RC5 do not depend on all of the bits in a register. RC6 was designed to thwart such attacks, and indeed to thwart all known attacks, providing a cipher that can offer the security required for the lifespan of the AES. On an 8-bit processor (an Intel MCS51 with a 1 MHz clock), RC6 encrypts/decrypts at 9.2 Kbits/second (13535 cycles/block). Its key setup takes 27 milliseconds, and only 176 bytes are needed for the table of round keys. It fits well on a smart card (< 256 bytes RAM) [58]. It has no known weaknesses in the key schedule, meaning no weak keys, and so is resistant to related-key attacks [59]. RC6 met the speed, security and simplicity criteria of AES, so it was one of the qualifiers for the second round.

Rijndael
Rijndael was invented by two Belgian cryptographers, Joan Daemen and Vincent Rijmen [60, 61]. It is a byte-oriented, iterated block cipher based on the SP (substitution-permutation) network model given by Claude Shannon. It is a successor of the SQUARE cipher. Rijndael is defined as a block cipher with key lengths of 128, 192 or 256 bits and possible input block lengths of 128, 192 or 256 bits. Any of the 9 combinations of block length and key length is possible for the Rijndael algorithm. The AES algorithm is exactly the same as the Rijndael algorithm, but it defines only one block length of 128 bits with variable key lengths of 128, 192 or 256 bits. It became the winner and the new standard, AES.

Security v/s Speed Tradeoff
Rijndael is consistently a very good performer in both hardware and software across a wide range of computing environments. Its key setup time is excellent, and its key agility is good. Rijndael's very low memory requirements make it very well suited for restricted-space environments like smart cards. Rijndael is resistant to brute force attacks. AES was designed to be resistant against the main cryptanalytic attacks, differential and linear cryptanalysis. Impossible differential cryptanalysis yielded the first attack on 7-round AES-128 with non-marginal data complexity [62]. Since its birth, many papers have been published on the cryptanalysis of AES over the last one and a half decades. In 2000, single-key attacks were introduced on round-reduced AES variants [63,64]. The number of cryptanalyzed rounds is 7 for AES-128 and 8 for AES-192 and AES-256. Then in 2010 these attacks were improved a little by achieving a slightly lower computational complexity of key recovery [62,65], but the number of cryptanalyzed rounds remained the same.
Another attack on the AES algorithm is the Square attack, which was successful in breaking Rijndael's predecessor, a block cipher called Square [66]. The Square attack exploits the byte-oriented structure of the algorithm to extract information about the cipher key. However, with the current number of rounds for each possible key length, the Square attack does not seem to threaten the security of AES unless we are able to reach the level of power necessary to break the Rijndael cipher. Recently, in [65], the first attack on 8-round AES-192 with non-marginal data complexity has appeared. So the last twelve years saw some progress in the cryptanalysis of AES. To date, full-round AES is secure. It is almost as secure as it was 10 years ago in the strongest and most practical model, with a single secret key. In other models, related-key cryptanalysis was applied to the full versions of AES-192 and AES-256 [66], and the rebound attack demonstrated a non-random property in 8-round AES-128 [67], but none of these techniques affects the security of the most practical single-secret-key model.

SAFER+ [SECURE AND FAST ENCRYPTION ROUTINE]
SAFER+ is a substitution/linear-transformation cipher based on the SAFER (Secure And Fast Encryption Routine) family of ciphers: SAFER K-64, SAFER K-128, SAFER SK-64, SAFER SK-128 and SAFER SK-40. Those are 64-bit symmetric ciphers whose key length is 40, 64 or 128 bits, as indicated in the name of the cipher. It has different encryption and decryption routines. For a key length of 128 bits, 8 rounds are used; for 192 bits, 12 rounds; and for a 256-bit key, 16 rounds are used [68].

Security v/s Speed Tradeoff
SAFER+ with six or more rounds (but not fewer) is secure against differential cryptanalysis. For a desirable margin of safety, the designers chose 8 rounds for SAFER+ with the 128-bit key schedule. These 8 rounds of SAFER+ (with a 128-bit key) provide an enormous margin of safety against an attack by linear cryptanalysis [69]. Its C implementation encrypts at a rate of 9-18 Mbits/sec, with 15 to 50 microseconds to run the key schedule.
SAFER++ is undoubtedly more secure than SAFER+. In the year 2000, SAFER++ was submitted to the NESSIE project in two versions, one with 64 bits and the other with 128 bits [70]. It is a byte-oriented algorithm that does not take full advantage of the 32-bit operations available on the Pentium II, but it is well suited to smart cards due to low RAM and ROM requirements. It also supports on-the-fly subkey generation with subkeys computable in any order. It is slow across platforms.

SERPENT
Serpent is a substitution-linear transformation network. Serpent encrypts a 128-bit data block to a 128-bit ciphertext block in 32 rounds under the control of 33 128-bit subkeys K0, ..., K32 [71]. The user key length is variable, but for the AES submission the designers fixed it at 128, 192 or 256 bits; short keys of less than 256 bits are mapped to full-length keys of 256 bits by appending one 1 bit at the MSB end, followed by as many 0 bits as required to make up 256 bits. This mapping maps every short key to a full-length key, with no two short keys being equivalent.

Security v/s Speed Tradeoff
The number of instructions used to encrypt or decrypt does not depend on either the data or the key, so timing attacks [72] are not applicable. The designers also described how "bitslicing" could be used to implement the algorithm efficiently, computing the S-boxes in parallel, so that it runs as fast as DES. Serpent is the best of the AES finalists in hardware, even with the full 32 rounds. An independent team produced implementations of RC6, Rijndael, Serpent and Twofish for the Xilinx XCV1000 FPGA. Serpent was the only finalist for which a fully pipelined implementation could be fitted into a single chip. Serpent was also by far the fastest, achieving a throughput of 5.04 Gbit/sec, versus 2.40 Gbit/sec for RC6, 1.94 Gbit/sec for Rijndael and 1.71 Gbit/sec for Twofish [73]. An NSA study of ASIC costs predicts 8.03 Gbit/sec for Serpent versus 5.163 for Rijndael, 2.171 for RC6 and 1.445 for Twofish [74]. It is also well suited to smart cards due to low RAM and ROM requirements [75].

TWOFISH
Twofish is a 128-bit block cipher with key lengths of 128, 192 and 256 bits. It has no weak keys. Twofish is a slightly modified Feistel network with 16 rounds and has a slight asymmetry between encryption and decryption besides the order of the round subkeys [76,77].

Security v/s Speed Tradeoff
Twofish is a quite complex algorithm that combines many different techniques. It is quite expensive to implement from scratch, especially if optimum performance is needed. The resulting benefit is that the algorithm can be implemented in many different ways, which allows it to be optimised for a wide range of application scenarios. It is very fast across platforms. It is well suited to smart cards due to low RAM and ROM requirements. It also supports on-the-fly subkey generation with subkeys computable in any order. Niels Ferguson showed how an impossible-differential attack, first applied to DEAL by Knudsen, can be applied to Twofish. This attack breaks six rounds of the 256-bit key version using 2^256 steps; it cannot be extended to seven or more Twofish rounds [78]. The designers summarize that the most efficient attack against Twofish is brute force, since for a 128-bit key it needs 2^128 complexity, for a 192-bit key it requires 2^192 complexity and for a 256-bit key the complexity is 2^256. From these results, the designers succeeded in showing that the cipher has a good security margin.

ROUND 2
After one year of rigorous analysis and research on the 15 candidate algorithms, in 1999 NIST shortlisted the candidates for AES to only one-third of the original number. Three ciphers were rejected because NIST did not accept their modified versions, and the other 5 weak ciphers were also weeded out from Round 1. They were: MAGENTA (broken in real time at the conference where it was presented), LOKI97 (differential cryptanalysis), FROG (differential cryptanalysis), DEAL (small flaw) and SAFER+ (small flaw). Based on the achievement of the specified criteria of speed, security and simplicity, NIST selected five finalists for AES Round 2: MARS, RC6, Rijndael, Serpent and Twofish. No significant security vulnerabilities were found for these candidates during the Round 1 analysis. Most submissions would remain unbroken till the end of the AES process, but the real concern was: which ones will be secure till 2030? Anything can be made more secure by adding more complexity, but increasing complexity has the drawback of decreasing performance. The objective was to find a secure, fast and simple cipher. Each finalist has its own strengths:

MARS: complex, but fast on both 8-bit and 32-bit architectures.

RC6: simple and fast on both 8-bit and 32-bit architectures, but a low security margin.

Rijndael: simple, fast on both 8-bit and 32-bit architectures, and a good security margin.

Serpent: slow, but a huge security margin.

Twofish: fast, good security margin, but a bit complicated.

The successful candidates were not perfect. All had serious problems on smart cards. The use of multiplication and data-dependent rotation makes MARS and RC6 vulnerable to timing attacks, and so is Twofish. But a differential power analysis attack exposed far more serious problems [15]. Taking power samples of the whitening step from 100 independent block encryptions, an instrumented smart-card implementation leaked all 128 bits of Twofish's key. This was not a peculiarity of Twofish: all the Round 1 AES candidates were equally vulnerable to power analysis. There are countermeasures, but they cost time and memory, neither of which is in great supply on a smart card, so for smart cards a special-purpose algorithm might be the better solution. All five finalists offered adequate security, but Rijndael was selected for its consistently good performance and its flexibility. In October 2000, after considering the responses from the cryptographic community, NIST selected Rijndael (pronounced "Rhine-doll") as the AES. During 2001 NIST drafted and refined a Federal Information Processing Standard (FIPS) for AES; the official announcement that Rijndael was the new standard was made on December 4, 2001, effective May 26, 2002. It took more than three years to go from the call for proposals to the AES standard.
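The power-analysis result above is easier to appreciate in code. What follows is an added example, not code from this paper or from the Twofish or Chari et al. work: a constructed simulation in Python in which a "card" XORs a 128-bit key into each plaintext block (the pre-whitening step) and leaks the Hamming weight of each resulting byte plus Gaussian noise. That leakage model is an assumption of this example, not a measurement of any real device. Correlation power analysis over 100 random-plaintext traces recovers every key byte. The same attack is then run against a first-order Boolean-masked version of the step, the kind of countermeasure the text says costs time and memory; the masked traces no longer correlate with any key guess. All names (`cpa_recover`, `trace_masked`, `demo`) and parameters (100 traces, noise standard deviation 0.5, the seed) are choices of this example.

```python
import random

BLOCK = 16  # 128-bit block and key, as in all AES candidates


def hamming_weight(b: int) -> int:
    """Number of set bits in one byte."""
    return bin(b & 0xFF).count("1")


def whiten(plaintext: bytes, key: bytes) -> bytes:
    """Pre-whitening step: XOR the key into the plaintext before round 1."""
    return bytes(p ^ k for p, k in zip(plaintext, key))


def leak(value: int, rng: random.Random, noise_sd: float) -> float:
    """Assumed leakage model (constructed, not a measured card): one power
    sample per byte = Hamming weight of the byte on the bus + Gaussian noise."""
    return hamming_weight(value) + rng.gauss(0.0, noise_sd)


def trace_unmasked(pt, key, rng, noise_sd):
    """Unprotected implementation: leaks HW(p ^ k) for each byte."""
    return [leak(o, rng, noise_sd) for o in whiten(pt, key)]


def trace_masked(pt, key, rng, noise_sd):
    """First-order Boolean masking: a fresh random mask per encryption is
    XORed in before the key, so the byte on the bus is (p ^ m ^ k), which is
    uniformly random and independent of p and k individually."""
    mask = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    masked = whiten(whiten(pt, mask), key)
    return [leak(o, rng, noise_sd) for o in masked]


def collect(key, n, rng, trace_fn, noise_sd):
    """Encrypt n random plaintexts and record one trace per encryption."""
    pts, trs = [], []
    for _ in range(n):
        pt = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        pts.append(pt)
        trs.append(trace_fn(pt, key, rng, noise_sd))
    return pts, trs


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def cpa_recover(pts, trs):
    """Correlation power analysis on the whitening XOR: for every key byte
    position and each of the 256 guesses, predict HW(p_i ^ guess) for every
    trace and keep the guess whose predictions correlate best with the
    measured samples. Each byte is attacked independently, so the whole
    128-bit key costs 16 * 256 correlations instead of 2^128 trials."""
    key = bytearray()
    for i in range(BLOCK):
        samples = [t[i] for t in trs]
        best = max(
            range(256),
            key=lambda g: pearson([hamming_weight(pt[i] ^ g) for pt in pts], samples),
        )
        key.append(best)
    return bytes(key)


def demo(n_traces=100, noise_sd=0.5, seed=2013):
    """Run the attack against an unmasked and a masked implementation.
    Returns (secret, recovered_from_unmasked, recovered_from_masked)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    secret = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    pts, trs = collect(secret, n_traces, rng, trace_unmasked, noise_sd)
    got_plain = cpa_recover(pts, trs)
    pts, trs = collect(secret, n_traces, rng, trace_masked, noise_sd)
    got_masked = cpa_recover(pts, trs)
    return secret, got_plain, got_masked


if __name__ == "__main__":
    s, a, b = demo()
    print("secret         ", s.hex())
    print("CPA, unmasked  ", a.hex(), "recovered" if a == s else "failed")
    print("CPA, masked    ", b.hex(), "recovered" if b == s else "failed")
```

The unmasked attack works because the byte on the bus is a known function of a known plaintext byte and a single unknown key byte, so each key byte can be searched over 256 guesses on its own. Masking with a fresh random byte per encryption removes that relationship for a first-order attack; the extra random bytes and XORs it costs, and the fact that a second-order attack combining the mask and masked-value samples can still succeed, are the time-and-space trade-off the passage describes.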

CONCLUSIONS

This paper has described how DES was replaced by AES. All the participant algorithms of the process were reviewed from the speed versus security perspective. Rijndael ranked highest for overall performance at the final AES conference and became AES. It has been the symmetric encryption standard for the last 12 years and was expected to survive for 30. The last few years have seen some progress in the cryptanalysis of AES, but no practical attack on full-round AES is known: the published attacks on the full AES-192 and AES-256 [68] require related keys, and single-key attacks reach only reduced-round versions [64,67].

REFERENCES

1. L. Smith, The Design of Lucifer, A Cryptographic Device for Data Communications, IBM Research Report RC3326, Yorktown Heights, New York, 1971.
2. A. Sorkin, Lucifer, a Cryptographic Algorithm, Cryptologia, Vol. 8, pp. 22–41, 1984; with addendum Cryptologia, Vol. 8, pp. 260–261, 1984.
3. National Bureau of Standards, Federal Information Processing Standards Publication 46-1, Data Encryption Standard (DES), January 22, 1988; superseded by FIPS PUB 46-2, December 30, 1993, and reaffirmed as FIPS PUB 46-2, October 25, 1999.
4. E. Biham and A. Shamir, Differential Cryptanalysis of the Full 16-Round DES, Advances in Cryptology - CRYPTO '92 Proceedings, Springer-Verlag, 1993, pp. 487–496.
5. M. Matsui, The First Experimental Cryptanalysis of the Data Encryption Standard, Advances in Cryptology - CRYPTO '94, LNCS 839, Springer-Verlag, 1994, pp. 1–11.
6. Electronic Frontier Foundation, Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design, O'Reilly, July 1998, ISBN 1-56592-520-3.
7. Announcing Development of a Federal Information Processing Standard for Advanced Encryption Standard, Federal Register, Vol. 62, No. 1, January 2, 1997, pp. 93–94.
8. Announcing Request for Candidate Algorithm Nominations for the Advanced Encryption Standard (AES), Federal Register, Vol. 62, No. 177, September 12, 1997, pp. 48051–48058.
9. C. M. Adams, Simple and effective key scheduling for symmetric ciphers, Workshop Record of the Workshop on Selected Areas in Cryptography (SAC '94), May 5–6, 1994, pp. 129–133.
10. C. M. Adams, Designing DES-like ciphers with guaranteed resistance to differential and linear attacks, Workshop Record of the Workshop on Selected Areas in Cryptography (SAC '95), May 18–19, 1995, pp. 133–144.
11. C. M. Adams, The CAST-128 Encryption Algorithm, RFC 2144, Network Working Group, Internet Engineering Task Force, May 1997.
12. C. M. Adams, Constructing Symmetric Ciphers Using the CAST Design Procedure, Designs, Codes and Cryptography, Vol. 12, No. 3, Kluwer Academic Publishers, November 1997, pp. 283–316.
13. J. H. Moore and G. J. Simmons, Cycle structure of the DES with weak and semi-weak keys, Advances in Cryptology: Proc. of CRYPTO '86, Springer-Verlag, New York, 1987, pp. 9–32.
14. E. Biham, New types of cryptanalytic attacks using related keys, Advances in Cryptology: Proc. of EUROCRYPT '93, Springer-Verlag, 1994, pp. 398–409.
15. S. Chari, C. Jutla, J. R. Rao, and P. Rohatgi, A cautionary note regarding evaluation of AES candidates on smart cards, Second AES Candidate Conference, March 22–23, 1999, pp. 133–147.
16. C. H. Lim, CRYPTON: A New 128-bit Block Cipher, Proceedings of the First AES Candidate Conference, Ventura, California, NIST, August 1998.
17. C. H. Lim, Specification and Analysis of CRYPTON Version 1.0, Information and Communications Research Center, Future Systems, Inc., December 1998.
18. C. H. Lim, A revised version of CRYPTON: CRYPTON Version 1.0, Fast Software Encryption Workshop (FSE '99), March 24–26, 1999, pp. 31–46.
19. J. Daemen, L. R. Knudsen, V. Rijmen, The block cipher SQUARE, Fast Software Encryption, Proc. Fourth International Workshop, LNCS 1267, Springer-Verlag, 1997, pp. 149–165.
20. M. Smid and E. Roback, Developing the Advanced Encryption Standard, Proceedings of the 1999 RSA Conference, January 1999.
21. B. Schneier et al., Performance Comparison of the AES Submissions, Proceedings of the Second AES Candidate Conference, Rome, Italy, NIST, March 1999.
22. C. S. K. Clapp, Instruction-level Parallelism in AES Candidates, Proceedings of the Second AES Candidate Conference, Rome, Italy, NIST, March 1999.
23. E. Biham, A Note on Comparing the AES Candidates, Proceedings of the Second AES Candidate Conference, Rome, Italy, NIST, March 1999.
24. E. Hong, J.-H. Chung, and C. H. Lim, Hardware Design and Performance Estimation of the 128-bit Block Cipher CRYPTON, Information and Communications Research Center, Future Systems, Inc., Seoul, Korea; in Ç. K. Koç and C. Paar (Eds.), CHES '99, LNCS 1717, Springer-Verlag, 1999, pp. 49–60.
25. C. D'Halluin, G. Bijnens, V. Rijmen and B. Preneel, Attack on six rounds of CRYPTON, Fast Software Encryption (FSE '99), LNCS 1636, L. R. Knudsen (ed.), Springer-Verlag, 1999, pp. 46–59.
26. J. Borst, Weak Keys of Crypton, Second AES Candidate Conference, rump session presentation, March 1999.
27. L. Knudsen, DEAL - A 128-bit Block Cipher, NIST AES Proposal, June 1998.
28. National Bureau of Standards, DES Modes of Operation, FIPS PUB 81, U.S. Department of Commerce, Washington D.C., December 1980.
29. L. R. Knudsen, DEAL - A 128-bit Block Cipher, Technical Report 151, Department of Informatics, University of Bergen, Norway, February 1998.
30. L. R. Knudsen, DEAL - A 128-bit Block Cipher, in AES Round 1 Technical Evaluation CD-1: Documentation, NIST, August 1998. See http://www.nist.gov/aes.
31. E. Biham, A. Biryukov, and A. Shamir, Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials, in J. Stern (ed.), Advances in Cryptology - EUROCRYPT '99, LNCS 1592, Springer-Verlag, 1999.
32. S. Lucks, On the Security of the 128-bit Block Cipher DEAL, Fast Software Encryption, Sixth International Workshop, Springer-Verlag, 1999.
33. R. S. Winternitz, Producing One-Way Hash Functions from DES, Advances in Cryptology: Proceedings of CRYPTO '83, Plenum Press, 1984, pp. 203–207.
34. H. Gilbert, M. Girault, P. Hoogvorst, F. Noilhan, T. Pornin, G. Poupard, J. Stern, S. Vaudenay, Decorrelated Fast Cipher: an AES Candidate, submitted to the AES process; in AES CD-1: Documentation, NIST, August 1998.
35. D. Coppersmith, DFC Weak Keys, note to the NIST AES Discussion Group, September 10, 1998.
36. D. Coppersmith, Re: DFC Weak Keys, note to the NIST AES Discussion Group, October 22, 1998.
37. M. Matsui, T. Tokita, Cryptanalysis of a Reduced Version of the Block Cipher E2, 6th International Workshop on Fast Software Encryption (FSE '99), Rome, Springer-Verlag, 1999, pp. 71–80.
38. D. Georgoudis, D. Leroux, and B. S. Chaves, The FROG Encryption Algorithm, NIST AES Proposal, June 1998.
39. B. Schneier and D. Whiting, Fast Software Encryption: Designing Encryption Algorithms for Optimal Speed on the Intel Pentium Processor, Fast Software Encryption, 4th International Workshop Proceedings, Springer-Verlag, 1997, pp. 242–259.
40. D. Wagner, N. Ferguson, and B. Schneier, Cryptanalysis of FROG, Second AES Candidate Conference, March 1999.
41. D. Wagner, Equivalent keys for HPC, Second AES Candidate Conference, rump session presentation, March 1999.
42. D. Wagner, Equivalent keys for HPC, Second AES Candidate Conference, rump session presentation, March 1999.
43. L. Brown, J. Pieprzyk, J. Seberry, LOKI - A Cryptographic Primitive for Authentication and Secrecy Applications, Advances in Cryptology: AUSCRYPT '90, LNCS 453, Springer-Verlag, 1990, pp. 229–236.
44. L. Brown, M. Kwan, J. Pieprzyk, J. Seberry, Improving Resistance to Differential Cryptanalysis and the Redesign of LOKI, Advances in Cryptology - ASIACRYPT '91, LNCS 739, Springer-Verlag, 1991, pp. 36–50.
45. L. Knudsen, Cryptanalysis of LOKI '91, Advances in Cryptology - AUSCRYPT '92 Proceedings, Springer-Verlag, 1993.
46. RSA Data Security Inc., Government encryption standard DES takes a fall, 1997.
47. V. Rijmen, L. R. Knudsen, Weaknesses in LOKI97, 1998.
48. ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/loki97 (location of [47]).
49. M. J. Jacobson and K. Huber, The MAGENTA Block Cipher Algorithm, NIST AES Proposal, June 1998.
50. K. Huber and S. Wolter, Telekom's MAGENTA algorithm for en-/decryption in the gigabit/sec range, ICASSP 1996 Conference Proceedings, Vol. 6, 1996, pp. 3233–3235.
51. E. Biham, A. Biryukov, N. Ferguson, L. Knudsen, B. Schneier, A. Shamir, Cryptanalysis of MAGENTA, http://www.counterpane.com/magenta.html, August 20, 1998.
52. C. Burwick, D. Coppersmith, E. D'Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas Jr., L. O'Connor, M. Peyravian, D. Safford and N. Zunic, MARS - A Candidate Cipher for AES, First AES Candidate Conference, California, USA, August 1998.
53. F. Sano, M. Koike, S. Kawamura, and M. Shiba, Performance Evaluation of AES Finalists on the High-End Smart Card, Third AES Candidate Conference, New York, USA, April 2000.
54. E. Biham and V. Furman, Impossible Differential on 8-Round MARS' Core, Third AES Candidate Conference, New York, USA, April 2000.
55. J. Kelsey, T. Kohno, and B. Schneier, Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent, Fast Software Encryption Workshop (FSE 2000), New York, USA, April 2000.
56. R. L. Rivest, The RC5 encryption algorithm, in B. Preneel (ed.), Fast Software Encryption, LNCS 1008, Springer-Verlag, 1995, pp. 86–96.
57. H. M. Heys, Linearly weak keys of RC5, IEE Electronics Letters, Vol. 33, 1997, pp. 836–838.
58. A. Biryukov and E. Kushilevitz, Improved cryptanalysis of RC5, in K. Nyberg (ed.), Advances in Cryptology - EUROCRYPT '98, LNCS 1403, Springer-Verlag, 1998, pp. 85–99.
59. B. S. Kaliski and Y. L. Yin, On differential and linear cryptanalysis of the RC5 encryption algorithm, in D. Coppersmith (ed.), Advances in Cryptology - CRYPTO '95, LNCS 963, Springer-Verlag, 1995, pp. 171–184.
60. L. R. Knudsen and W. Meier, Improved differential attacks on RC5, in N. Koblitz (ed.), Advances in Cryptology - CRYPTO '96, LNCS 1109, Springer-Verlag, 1996, pp. 216–228.
61. S. Moriai, K. Aoki, and K. Ohta, Key-dependency of linear probability of RC5, March 1996; to appear in IEICE Trans. Fundamentals.
62. J. Daemen and V. Rijmen, AES Proposal: Rijndael, AES algorithm submission, September 3, 1999.
63. J. Daemen and V. Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer, 2002.
64. H. Mala, M. Dakhilalian, V. Rijmen, and M. Modarres-Hashemi, Improved Impossible Differential Cryptanalysis of 7-Round AES-128, INDOCRYPT 2010, LNCS 6498, Springer, 2010, pp. 282–291.
65. H. Gilbert and M. Minier, A Collision Attack on 7 Rounds of Rijndael, Third AES Candidate Conference, 2000, pp. 230–241.
66. N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, and D. Whiting, Improved Cryptanalysis of Rijndael, FSE 2000, LNCS 1978, Springer, 2000, pp. 213–230.
67. O. Dunkelman, N. Keller, and A. Shamir, Improved Single-Key Attacks on 8-Round AES-192 and AES-256, ASIACRYPT 2010, LNCS 6477, Springer, 2010, pp. 158–176.
68. A. Biryukov and D. Khovratovich, Related-Key Cryptanalysis of the Full AES-192 and AES-256, ASIACRYPT 2009, LNCS 5912, Springer, 2009, pp. 1–18.
69. H. Gilbert and T. Peyrin, Super-Sbox Cryptanalysis: Improved Attacks for AES-like Permutations, FSE 2010, LNCS 6147, Springer, 2010, pp. 365–383.
70. J. L. Massey, SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm, Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer, 1994, pp. 1–17.
71. J. Massey, G. Khachatrian, M. Kuregian, Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard, First AES Candidate Conference, California, August 20–22, 1998, pp. 1–14.
72. J. Massey, G. Khachatrian, M. Kuregian, Nomination of SAFER++ as Candidate Algorithm for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE), First Open NESSIE Workshop, November 2000.
73. R. J. Anderson, E. Biham, L. R. Knudsen, Serpent: A Proposal for the Advanced Encryption Standard, submitted to NIST as an AES candidate; a short version appeared at the First AES Candidate Conference, August 1998. Both papers are available at http://www.cl.cam.ac.uk/~rja14/serpent.html.
74. P. C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, Advances in Cryptology - CRYPTO '96, LNCS 1109, Springer, 1996, pp. 104–113.
75. A. J. Elbirt, W. Yip, B. Chetwynd, C. Paar, An FPGA-Based Performance Evaluation of the AES Block Cipher Candidate Algorithm Finalists, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, Vol. 9, No. 4, August 2001, pp. 545–557.
76. B. Weeks, M. Bean, T. Rozylowicz, C. Ficke, Hardware Performance Simulations of Round 2 Advanced Encryption Standard Algorithms, Third AES Candidate Conference, April 13–14, 2000.
77. R. J. Anderson, E. Biham, L. R. Knudsen, Serpent and Smartcards, CARDIS '98, Springer-Verlag, 2000, pp. 257–264; also available at http://www.cl.cam.ac.uk/~rja14/serpent.html.
78. B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N. Ferguson, Twofish: A 128-bit Block Cipher, in AES Round 1 Technical Evaluation CD-1: Documentation, NIST, August 1998. Available at http://www.nist.gov/aes.
79. B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N. Ferguson, The Twofish Encryption Algorithm: A 128-Bit Block Cipher, Wiley, 1999.
80. N. Ferguson, Impossible Differentials in Twofish, Twofish Technical Report #5, Counterpane Systems, October 1999. See http://www.counterpane.com/twofish.html.