Standard Cryptographic Algorithm Naming

Symmetric Ciphers

Also see the notes for block cipher modes and KeyGenerators.

Key scheduling

Ciphers that have different key schedules, but are otherwise identical are given different names (for example, SAFER-K and SAFER-SK). Sometimes it is useful to bypass the normal key scheduling process, and specify the subkeys (which should be random and independent) directly in the input key. The name of such a cipher is derived by adding "-Direct" to the standard name (except that if part of the name already specifies the key schedule, that part is dropped). For example, "DES-Direct" and "SAFER-Direct" refer to DES and SAFER respectively with independent subkeys. This convention can also be used for experimental ciphers that have no defined key schedule. [A previous version of SCAN specified "-ISK" instead of "-Direct". This is a backward-incompatible change, although an alias has been added for "Blowfish-ISK".]

If the subkeys are not in fact random and independent (to a close-enough approximation), the cipher may become vulnerable to related-key attacks, and therefore particular care is needed from the application designer in choosing how to generate subkeys.

Subkeys are encoded in the order in which they are used for encryption (or if this is ambiguous, the order in which they are presented or numbered in the original document specifying the cipher). Where applicable, they have the same byte order as is used in the rest of the cipher. However, in some cases these conventions may still not be sufficient to decide how to encode the subkeys; if you wish to use a "-Direct" algorithm where the subkey encoding is not clear, ask for a comment to be added to the algorithm definition.

3-Way

Block Cipher

Designer:

Joan Daemen

Published:

1994

Alias:

"ThreeWay" (use for identifiers)

References:

[Def, An] Joan Daemen,
"Cipher and Hash Function Design, Strategies based on linear and differential cryptanalysis,"
Ph.D. Thesis, Katholieke Universiteit Leuven, March 1995. http://www.esat.kuleuven.ac.be/~cosicart/ps/JD-9500/
(in particular see chapter 7, "block cipher design").
[Def, An] J. Daemen, R. Govaerts, J. Vandewalle,
"A New Approach to Block Cipher Design,"
Fast Software Encryption, Cambridge Security Workshop Proceedings, Volume 809 of Lecture Notes in Computer Science (Ross Anderson, ed.), pp. 18-32. Springer-Verlag, 1994.
[Inf] Bruce Schneier,
"Section 14.5 3-Way,"
Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[An] John Kelsey, Bruce Schneier, David Wagner,
"Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES".
http://www.counterpane.com/key_schedule.html
[An] John Kelsey, Bruce Schneier, David Wagner,
"Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA",
ICICS '97 Proceedings, Springer-Verlag, November 1997.
http://www.counterpane.com/related-key_cryptanalysis.html
[Test] Wei Dai,
Crypto++ 3.0, file 3wayval.dat
http://www.eskimo.com/~weidai/cryptlib.html

Key length:

96 bits.

Block size:

12 bytes.

Comment:

The byte ordering convention is as follows: within each 12-byte block, the 32-bit words are represented in the same order as they are written in chapter 7 of Joan Daemen's thesis. Within each 32-bit word, the bytes are in big-endian order. This is consistent with the four test vectors in Crypto++ (note that the same four test vectors are included on page 659 of Applied Cryptography, 2nd edition, with the words written in the opposite order).

For reference, the fourth test vector in this set is:

   key        = <D2F05B5ED6144138CAB920CD>
   plaintext  = <4059C76E83AE9DC4AD21ECF7>
   ciphertext = <478EA8716B13F17C15B155ED>

Security comment:

3-Way is vulnerable to related-key attacks, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

AES128

Block Cipher

Designers:

Joan Daemen, Vincent Rijmen

Alias:

"OpenPGP.Cipher.7"

Object Identifiers:

2.16.840.1.101.3.4.1.1 for AES128/ECB/NoPadding
2.16.840.1.101.3.4.1.2 for AES128/CBC/PKCSPadding
2.16.840.1.101.3.4.1.3 for AES128/CFB
2.16.840.1.101.3.4.1.4 for AES128/OFB

Description:

AES128 is defined as Rijndael with a 128-bit block size and 10 rounds.

References:

[see references for Rijndael]
[Inf] NIST,
AES Home Page,
http://www.nist.gov/aes/
[Inf] AES Round 1 Information,
http://csrc.nist.gov/encryption/aes/round1/round1.htm
[Inf] AES Round 2 Information,
http://csrc.nist.gov/encryption/aes/round2/round2.htm
[Inf] The CAESAR - Candidate AES for Analysis and Reviews project,
http://www.dice.ucl.ac.be/crypto/CAESAR/caesar.html
[Inf] Lars Knudsen, Vincent Rijmen,
The Block Cipher Lounge - AES,
http://www.ii.uib.no/~larsr/aes.html
[Inf] John Savard,
Towards the 128-bit Era - AES Candidates,
http://fn2.freenet.edmonton.ab.ca/~jsavard/crypto/co0408.htm
[An] Eli Biham,
"A Note on Comparing the AES Candidates,"
Presented at the 2nd AES Conference.
http://csrc.nist.gov/encryption/aes/round1/conf2/papers/biham2.pdf
[An] Olivier Baudron, Henri Gilbert, Louis Granboulan, Helena Handschuh, Antoine Joux, Phong Nguyen, Fabrice Noilhan, David Pointcheval, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay,
"Report on the AES Candidates,"
Presented at the 2nd AES Conference.
http://csrc.nist.gov/encryption/aes/round1/conf2/papers/baudron1.pdf
[An] G. Carter, E. Dawson, L. Nielsen,
"Key Schedule Classification of the AES Candidates,"
Presented at the 2nd AES Conference.
http://csrc.nist.gov/encryption/aes/round1/conf2/papers/carter.pdf
[An] B. Preneel, A. Bosselaers, V. Rijmen, B. Van Rompay, L. Granboulan, J. Stern, S. Murphy, M. Dichtl, P. Serf, E. Biham, O. Dunkelman, V. Furman, F. Koeune, G. Piret, J-J. Quisquater, L. Knudsen, H. Raddum,
"Comments by the NESSIE Project on the AES Finalists,"
Submitted to NIST as an AES comment, May 2000.
http://csrc.nist.gov/encryption/aes/round2/comments/20000524-bpreneel.pdf
[An] Thomas S. Messerges,
"Securing the AES Finalists Against Power Analysis Attacks,"
Presented at Fast Software Encryption 2000, New York.

Key length:

128 bits.

Block size:

16 bytes.

AES192

Block Cipher

Designers:

Joan Daemen, Vincent Rijmen

Alias:

"OpenPGP.Cipher.8"

Object Identifiers:

2.16.840.1.101.3.4.1.21 for AES192/ECB/NoPadding
2.16.840.1.101.3.4.1.22 for AES192/CBC/PKCSPadding
2.16.840.1.101.3.4.1.23 for AES192/CFB
2.16.840.1.101.3.4.1.24 for AES192/OFB

Description:

AES192 is defined as Rijndael with a 128-bit block size and 12 rounds.

References:

[see references for AES128 and Rijndael]

Key length:

192 bits.

Block size:

16 bytes.

AES256

Block Cipher

Designers:

Joan Daemen, Vincent Rijmen

Alias:

"OpenPGP.Cipher.9"

Object Identifiers:

2.16.840.1.101.3.4.1.41 for AES256/ECB/NoPadding
2.16.840.1.101.3.4.1.42 for AES256/CBC/PKCSPadding
2.16.840.1.101.3.4.1.43 for AES256/CFB
2.16.840.1.101.3.4.1.44 for AES256/OFB

Description:

AES256 is defined as Rijndael with a 128-bit block size and 14 rounds.

References:

[see references for AES128 and Rijndael]

Key length:

256 bits.

Block size:

16 bytes.

Anubis

Block Cipher

Designers:

Paulo Barreto, Vincent Rijmen

Published:

November 2000

References:

[Def, An] Paulo Barreto, Vincent Rijmen,
The Anubis Block Cipher,
Presented at the First Open NESSIE Workshop, November 2000.
https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/anubis.zip
[Inf, Test] Paulo Barreto, Vincent Rijmen,
The Anubis Page,
http://www.esat.kuleuven.ac.be/~rijmen/anubis/
[Test] Paulo Barreto, Vincent Rijmen,
Anubis Test Values,
https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/anubis.zip

Key length:

Minimum 128, maximum 320, multiple of 32 bits; default 128 bits.

Block size:

16 bytes.

Blowfish

Block Cipher

Designer:

Bruce Schneier

Published:

1994

Alias:

"OpenPGP.Cipher.4"

References:

[Def] Bruce Schneier,
"Description of a New Variable-Length Key, 64-Bit Cipher (Blowfish),"
Fast Software Encryption, Cambridge Security Workshop Proceedings, pp. 191-204. Springer-Verlag, 1994.
http://www.counterpane.com/bfsverlag.html
[Inf, Impl] Bruce Schneier,
The Blowfish Encryption Algorithm page,
http://www.counterpane.com/blowfish.html
[Inf] Bruce Schneier,
"Blowfish -- One Year Later,"
Dr. Dobb's Journal, September 1995.
http://www.counterpane.com/bfdobsoyl.html
[Inf] Bruce Schneier,
"Section 14.3 Blowfish,"
Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
(Note: the C source in the appendix contains a bug; this bug is not present in Eric Young's C reference implementation.)
[An] Serge Vaudenay,
"On the weak keys of Blowfish,"
Fast Software Encryption, Third International Workshop, Volume 1008 of Lecture Notes in Computer Science (B. Preneel, ed.), pp. 286-297. Springer-Verlag, 1995.
[Test] Eric Young,
Blowfish test vectors,
http://www.counterpane.com/vectors.txt (also in C syntax)

Key length:

Minimum 32, maximum 448, multiple of 8 bits; default 128 bits.

Block size:

8 bytes.

Security comment:

The weak keys described in Vaudenay's paper do not appear to be significant for full (16-round) Blowfish.

Variant:

"Blowfish-Direct" or "Blowfish-ISK" - the subkeys are specified (using the notation of Applied Cryptography) as P_1..18 first, followed by S_1, 0..255, S_2, 0..255, S_3, 0..255, and S_4, 0..255. Each entry is represented as 4 bytes in big-endian order.

Weak keys may be avoided by ensuring that no S-box has duplicate entries (i.e. that there does not exist i, j, k where j != k such that S_i, j = S_i, k).

BMGL	Stream Cipher

Designers:

Johan Håstad, Mats Näslund

Published:

October 2000

Description:

BMGL is an alias for "Rijndael-256/KFB(40)"; that is, Rijndael with a 256-bit block size, used in KFB mode, with 40 bits of keystream taken for each application of Rijndael. See the description of KFB mode for further detail.

References:

[Def, An] Johan Håstad, Mats Näslund,
BMGL: Synchronous Key-stream Generator with Provable Security,
https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/bmgl.zip
[Test] Johan Håstad, Mats Näslund,
BMGL Test Values,
https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/bmgl.zip

Key length:

Minimum 128, maximum 320, multiple of 32 bits; default 128 bits.

Security comment:

The security bounds proven for BMGL in Corollary 13 of Håstad and Näslund's paper, hold provided that less than 2³⁰ bits (128 MBytes) of output are used. The "provable security" referred to in the paper is in the sense of a proven reduction from predicting the keystream generator, to breaking Rijndael-256 as a one-way function.

CAST-128

Block Cipher

Designers:

Carlisle Adams, Stafford Tavares

Published:

1997

Aliases:

"CAST5", "OpenPGP.Cipher.3"

References:

[Def, Test] Carlisle Adams,
"The CAST-128 Encryption Algorithm,"
RFC 2144, May 1997.
[Inf, An] CAST Encryption Algorithm Related Publications,
http://adonis.ee.queensu.ca:8000/cast/
[Inf] Carlisle Adams,
"Constructing Symmetric Ciphers Using the CAST Design Procedure,"
Selected Areas in Cryptography (E. Kranakis and P. van Oorschot, ed.), pp. 71-104. Kluwer Academic Publishers, 1997, and
Designs, Codes, and Cryptography, Vol. 12, No. 3, pp. 283-316, 1997.
http://www.entrust.com/resourcecenter/pdf/cast.pdf
Also "CAST Design Procedure Addendum,"
http://www.entrust.com/downloads/castadd.pdf
[Patent] Carlisle Adams,
"Symmetric cryptographic system for data encryption,"
U.S. Patent 5,511,123, filed August 4 1994, issued April 23 1996.
Also see:
Canadian Patent Application 2,134,410.
Japanese Patent Application 6-295746.
U.S. Patent Application 08/761,763.
Canadian Patent Application 2,164,768.
PCT Patent Application CA96/00782.
U.S. Patent Application 08/895,875.

Key length:

Minimum 40, maximum 128, multiple of 8 bits; default 128 bits.

Block size:

8 bytes.

Comment:

Strictly speaking the alias "CAST5" only applies to CAST-128 with a key size of 80 or 128 bits. Implementations MAY enforce this.

Patent status:

The design procedure that was used to obtain the CAST S-boxes is patented by Entrust Technologies, Inc.. However, quoting from RFC 2144,

The CAST-128 cipher described in this document is available worldwide on a royalty-free basis for commercial and non-commercial uses.

CAST-256

Block Cipher

Designer:

Carlisle Adams, Howard Heys, Stafford Tavares, Michael Wiener

Published:

June 1998

Alias:

"CAST6"

References:

[Def, An] Carlisle Adams,
The CAST-256 Encryption Algorithm,
http://www.entrust.com/resources/pdf/cast-256.pdf
[Def, Test] Carlisle Adams, Jeff Gilchrist,
"The CAST-256 Encryption Algorithm,"
RFC 2612, June 1999.
[Inf] Carlisle Adams,
"Constructing Symmetric Ciphers Using the CAST Design Procedure,"
Selected Areas in Cryptography (E. Kranakis and P. van Oorschot, ed.), pp. 71-104. Kluwer Academic Publishers, 1997, and
Designs, Codes, and Cryptography, Vol. 12, No. 3, pp. 283-316, 1997.
http://www.entrust.com/resources/pdf/cast.pdf
Also "CAST Design Procedure Addendum,"
http://www.entrust.com/resources/pdf/castadd.pdf
(This does not describe CAST-256, but is relevant to its design.)
[An] C. Adams, H. Heys, S. Tavares, M. Wiener,
"An Analysis of the CAST-256 Cipher,"
Proceedings of IEEE Canadian Conference on Electrical and Computer Engineering, 1999.
http://www.engr.mun.ca/~howard/PAPERS/cast256.ps
[Patent] Carlisle Adams,
"Symmetric cryptographic system for data encryption,"
U.S. Patent 5,511,123, filed August 4 1994, issued April 23 1996.
Also see:
Canadian Patent Application 2,134,410.
Japanese Patent Application 6-295746.
U.S. Patent Application 08/761,763.
Canadian Patent Application 2,164,768.
PCT Patent Application CA96/00782.
U.S. Patent Application 08/895,875.
[Test] NIST,
CAST-256 Test Values,
http://www-08.nist.gov/encryption/aes/round1/testvals/cast-256-vals.zip

Key length:

Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.

Block size:

16 bytes.

Patent status:

The design procedure that was used to obtain the CAST S-boxes is patented by Entrust Technologies, Inc.. However, quoting from RFC 2612,

The CAST-256 cipher described in this document is available worldwide on a royalty-free and licence-free basis for commercial and non-commercial uses.

CRYPTON-0.5

Block Cipher

Designer:

Chae Hoon Lim

Published:

1998

Alias:

"CRYPTONv05" (use for identifiers)

Description:

This is the version of CRYPTON originally submitted to NIST as an AES candidate.

References:

[Def, An] Chae Hoon Lim, Hyo Sun Hwang,
CRYPTON: A New 128-bit Block Cipher - Specification and Analysis (Version 0.5),
http://crypt.future.co.kr/~chlim/pub/cryptonv05.ps (PDF version).
[Inf, Test] The CRYPTON: A new 128-bit block cipher page.
http://crypt.future.co.kr/~chlim/crypton.html
[An] D'Halluin, Bijnens, Rijmen, Preneel,
"Attack on six rounds of CRYPTON,"
Presented at Fast Software Encryption '99, Rome.
[Test] NIST,
CRYPTON v0.5 Test Values,
http://www-08.nist.gov/encryption/aes/round1/testvals/crypton-vals.zip

Comment:

"CRYPTON: A New 128-bit Block Cipher - Specification and Analysis" contains an error in the description of the byte permutation phi: on the right hand side of figure 4, b₃₃ should be b₀₃.

Key length:

Minimum 64, maximum 256, multiple of 32 bits; default 128 bits.

Block size:

16 bytes.

Security comments:

[[need reference to key schedule attacks]]
CRYPTON-0.5 has been superceded by CRYPTON-1.0.

CRYPTON-1.0

Block Cipher

Designer:

Chae Hoon Lim

Published:

December 1998

Alias:

"CRYPTONv10" (use for identifiers)

Description:

This is version 1.0 of CRYPTON (the current version, at time of writing).

References:

[Def, An] Chae Hoon Lim, Hyo Sun Hwang,
CRYPTON: A New 128-bit Block Cipher - Specification and Analysis (Version 1.0),
http://crypt.future.co.kr/~chlim/pub/cryptonv10.ps.
[Inf, Test] The CRYPTON: A new 128-bit block cipher page.
http://crypt.future.co.kr/~chlim/crypton.html
[An] Marine Minier, Henri Gilbert,
"Stochastic Cryptanalysis of Crypton,"
Presented at Fast Software Encryption 2000, New York.

Key length:

Minimum 0, maximum 256, multiple of 8 bits; default 128 bits.
(Note that this is different from CRYPTON-0.5.)

Block size:

16 bytes.

CS-Cipher

Block Cipher

Designers:

Jacques Stern, Serge Vaudenay

Published:

1998

References:

[Def, An, Test, Impl] Serge Vaudenay, Jacques Stern,
"CS-Cipher,"
Presented at Fast Software Encryption '98, Paris, France. Lecture Notes in Computer Science No. 1372, pp. 189-205, Springer-Verlag, 1998.
http://lasecwww.epfl.ch/query.msql?ref=SV98
[An] Serge Vaudenay,
"On the Security of CS-Cipher,"
Presented at Fast Software Encryption '99, Rome. To appear in Lecture Notes in Computer Science, Springer-Verlag.
http://lasecwww.epfl.ch/query.msql?ref=Vau99b
[An] Bart van Rompey, Vincent Rijmen, Jorge Nakahara Jr.,
"A First Report on CS-Cipher, Hierocrypt, Grand Cru, SAFER++ and SHACAL,"
NESSIE Project public report, March 12, 2001.
https://www.cosic.esat.kuleuven.ac.be/nessie/reports/kulwp3-006-1.pdf

Key length:

Minimum 0, maximum 128, multiple of 8 bits; default 128 bits.

Block size:

8 bytes.

Patent status:

CS-Cipher may be subject to patents by the Compagnie des Signaux.

DEAL	Block Cipher

Designer:

Lars Knudsen

Published:

May 1998

References:

[Def, An] Lars Knudsen,
DEAL: A 128-bit Block Cipher, February 1998 (revised May 15, 1998).
http://www.ii.uib.no/~larsr/newblock.html
(Note: this paper contains an error; see the comments below.)
[An] Stefan Lucks,
On the Security of the 128-Bit Block Cipher DEAL.
http://th.informatik.uni-mannheim.de/m/lucks/papers.html
[An] John Kelsey, Bruce Schneier,
"Key-Schedule Cryptanalysis of DEAL,"
Sixth Annual Workshop on Selected Areas in Cryptography,
Springer-Verlag, August 1999, to appear.
http://www.counterpane.com/deal.html
[Test] NIST,
DEAL Test Values,
http://www-08.nist.gov/encryption/aes/round1/testvals/deal-vals.zip

Key length:

128, 192 or 256 bits; default 128 bits.

Block size:

16 bytes.

Comment:

The paper "DEAL: A 128-bit Block Cipher" contains an error in the description of key scheduling: the three occurrences of "<4>" should be replaced by "<3>", and the two occurrences of "<8>" should be replaced by "<4>". In other words, the constants to be XOR'd with the input keys are 0x8000000000000000, 0x4000000000000000, 0x2000000000000000 and 0x1000000000000000.

Security comments:

The paper "On the Security of the 128-Bit Block Cipher DEAL," describes some certificational weaknesses of DEAL with a key size of 192 bits; these attacks are impractical.
John Kelsey of Counterpane Systems has found some related-key attacks and equivalent keys for DEAL (described in the DEAL AES forum on NIST's web site, and in the paper "Key-Schedule Cryptanalysis of DEAL"). These appear to be impractical when DEAL is used as a cipher (as opposed to a hash function using a construction such as Davies-Meyer).

DES	Block Cipher

Designers:

Don Coppersmith, Horst Feistel, Walt Tuchmann, U.S. National Security Agency

Published:

1976

References:

[Def] U.S. National Institute of Standards and Technology,
NIST FIPS PUB 46-2 (supercedes FIPS PUB 46-1), "Data Encryption Standard", U.S. Department of Commerce, December 1993.
http://www.itl.nist.gov/div897/pubs/fip46-2.htm
[Inf, Test] U.S. National Institute of Standards and Technology,
NIST FIPS PUB 74, "Guidelines for Implementing and Using the NBS Data Encryption Standard".
[Inf] Bruce Schneier,
"Chapter 12 Data Encryption Standard,"
Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[Inf, Test] A. Menezes, P.C. van Oorschot, S.A. Vanstone,
"Section 7.4 DES,"
Handbook of Applied Cryptography, CRC Press, 1997.
http://www.cacr.math.uwaterloo.ca/hac/about/chap7.pdf, .ps
[An] Eli Biham, Adi Shamir,
"Differential Cryptanalysis of the Full 16-Round DES,"
CS 708, Proceedings of CRYPTO '92, Volume 740 of Lecture Notes in Computer Science, December 1991.
http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1991/CS/CS0708.ps
[An] Eli Biham, Adi Shamir,
"Differential cryptanalysis of DES-like cryptosystems,"
Technical report CS90-16, Weizmann Institute of Science.
Advances in Cryptology - CRYPTO '90 Proceedings and
Journal of Cryptology, Vol. 4, No. 1, pp. 3-72, 1991.
http://www.cs.technion.ac.il/~biham/Reports/Weizmann/cs90-16.ps.gz
[An] Eli Biham, Adi Shamir,
Differential Cryptanalysis of the Data Encryption Standard,
Springer-Verlag, 1993.
[An] M. Matsui,
"Linear cryptanalysis method for DES cipher,"
Advances in Cryptology - EUROCRYPT '93 Proceedings, Volume 765 of Lecture Notes in Computer Science (T. Helleseth, ed.), pp. 386-397. Springer-Verlag, 1994.
[An] M. Matsui,
"The First Experimental Cryptanalysis of the Data Encryption Standard,"
Advances in Cryptology - CRYPTO '94 Proceedings, Volume 839 of Lecture Notes in Computer Science, Springer-Verlag, 1994.
[An] M. Matsui,
"On Correlation Between the Order of S-boxes and the Strength of DES,"
Advances in Cryptology - EUROCRYPT '94 Proceedings, Volume 950 of Lecture Notes in Computer Science, Springer-Verlag, 1995.
[An] Eli Biham, A. Biryukov,
"An Improvement of Davies' Attack on DES,"
CS 817, EUROCRYPT '94 Proceedings (May 1994), Volume 950 of Lecture Notes in Computer Science (A. De Santis, ed.), Springer Verlag, 1995, and
Journal of Cryptology, Vol. 10, No. 3, pp. 195-206, 1997.
http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1994/CS/CS0817.ps
[An] Lars Knudsen,
"New potentially weak keys for DES and LOKI,"
Advances in Cryptology - EUROCRYPT '94 Proceedings, Volume 950 of Lecture Notes in Computer Science (A. De Santis, ed.), pp. 419-424. Springer Verlag, 1995.
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/potential.ps.Z
[An] Lars Knudsen, John Erik Mathiassen,
"A Chosen-Plaintext Linear Attack on DES,"
Proceedings of Fast Software Encryption 2000, Volume 1978 of Lecture Notes in Computer Science. Springer-Verlag, 2001.
http://link.springer.de/link/service/series/0558/bibs/1978/19780262.htm
(requires subscription)
[Test] U.S. National Institute of Science and Technology,
NIST Special Publication 800-17, pp. 124 et seq.
http://csrc.nist.gov/nistpubs/800-17.pdf

Key length:

64 bits as encoded; 56 bits excluding parity bits.

Block size:

8 bytes.

Comment:

Implementations MUST ignore (i.e. not check) the parity bits of keys. KeyGenerators for DES MUST, however, output keys with correct parity.

Security comment:

The fixed 56-bit effective key length is too short to prevent brute-force attacks.

DESede

Block Cipher

Designers:

Whitfield Diffie, Martin Hellman, Walt Tuchmann

Published:

1978-79

Aliases:

"DES-EDE2" (always 2-key)
"DES-EDE3", "OpenPGP.Cipher.2" (always 3-key)
"TripleDES", "3DES" (default key length implemented inconsistently by different providers)

References:

[Def] U.S. National Institute of Standards and Technology,
DRAFT FIPS PUB 46-3, "Data Encryption Standard",
U.S. Department of Commerce, 1999.
http://csrc.nist.gov/cryptval/des/fr990115.htm
[Inf] Walt Tuchman,
"Hellman Presents No Shortcut Solutions To DES,"
IEEE Spectrum, v. 16, n. 7, July 1979, pp. 40-41.
[Inf] U.S. National Institute of Standards and Technology,
NIST FIPS PUB 46-2, "Data Encryption Standard",
U.S. Department of Commerce, December 1993.
http://www.itl.nist.gov/div897/pubs/fip46-2.htm
[Inf] Bruce Schneier,
"Chapter 12 Data Encryption Standard," and "Section 15.2 Triple Encryption,"
Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[Inf, An] Ralph C. Merkle,
Secrecy, authentication, and public key systems,
UMI Research Press, Ann Arbor, Michigan, 1979.
[Inf, An] Ralph C. Merkle, Martin Hellman,
"On the Security of Multiple Encryption,"
Communications of the ACM, vol. 24 no. 7, 1981, pp. 465-467.
[An] Paul van Oorshot, Michael Wiener,
"A Known-Plaintext Attack on Two-Key Triple Encryption,"
Advances in Cryptology - EUROCRYPT '90 Proceedings, Volume 473 of Lecture Notes in Computer Science (I.B. Damgård, ed.), pp. 318-325. Springer-Verlag, 1991.
[An] John Kelsey, Bruce Schneier, David Wagner,
"Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES".
http://www.counterpane.com/key_schedule.html
[An] Stefan Lucks,
"Attacking Triple Encryption,"
Fast Software Encryption '98,
Volume 1372 of Lecture Notes in Computer Science (Serge Vaudenay, ed.), Springer-Verlag, 1998.
http://th.informatik.uni-mannheim.de/m/lucks/papers.html
[An] Helena Handschuh, Bart Preneel,
"On the security of double and 2-key triple modes of operation."
Fast Software Encryption 6,
Volume 1636 of Lecture Notes in Computer Science (L. Knudsen, ed.), Springer-Verlag, 1999.
http://perso.enst.fr/~handschu/fse6.ps
[Test] U.S. National Institute of Standards and Technology,
Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures,
NIST Special Publication 800-20, April 2000.
http://csrc.nist.gov/publications/nistpubs/800-20/800-20.pdf
[Test] U.S. National Institute of Standards and Technology,
Triple DES Test Vectors,
http://csrc.nist.gov/cryptval/des/tripledes-vectors.zip

Key length:

128 or 192 bits, as encoded (112 or 168 bits excluding parity). The default key length depends on the name of the KeyGenerator: 128 bits for DES-EDE2, and 192 bits for DES-EDE3 or OpenPGP.Cipher.2.

The default key length for DESede and the other aliases is implemented inconsistently between different providers, and therefore if an application needs to create a specific length of DESede key in a way that is guaranteed to work across providers, it should explicitly create a SecretKeySpec.

Block size:

8 bytes.

Comments:

If the key length is 128 bits including parity (i.e. two-key triple DES), the first 8 bytes of the encoding represent the key used for the two outer DES operations, and the second 8 bytes represent the key used for the inner DES operation.
If the key length is 192 bits including parity (i.e. three-key triple DES), then three independent DES keys are represented, in the order in which they are used for encryption.
Implementations MUST ignore (i.e. not check) the parity bits of keys. KeyGenerators for DESede MUST, however, output keys with correct parity.

Security comment:

Quoting from the paper "Attacking Triple Encryption" cited above:

[A]bout 2¹⁰⁸ steps of computation are sufficient to break three-key triple DES. If one concentrates on the number of single DES operations and assumes the other operations to be much faster, 2⁹⁰ of these are enough.

Better attacks than this are available against two-key triple DES (which should only be used for backward compatibility, if at all).

DESX	Block Cipher

Designer:

Ron Rivest

Description:

If K, K1 and K2 are the subkeys encoded as described below, then encryption and decryption are defined by:

E_{DESX[K, K1, K2]}(P) = E_DES[K](P XOR K1) XOR K2
D_{DESX[K, K1, K2]}(C) = D_DES[K](C XOR K3) XOR K2

If the user key length is 24 bytes, the first 8 bytes represent the key K used for the DES operation, and the two subsequent blocks of 8 bytes represent the "whitening" keys K1 and K2, in that order.

If the user key length is 16 bytes, the first 8 bytes represent the key K used for the DES operation, the second 8 bytes represent the whitening key K1, and K2 is derived from K and K1 as specified in the first reference below.

References:

[Def] Mark Riordan,
Subject: Re: Ladder DES.
Posting to Usenet newsgroup sci.crypt, 1 Mar 1994.
(Message-ID: <2ku9uc$sr8@msuinfo.cl.msu.edu>)
Archived at ftp://ftp.replay.com/pub/replay/mirror/ftp.cryptography.org/DESX/
desx.algorithm.description
[An] Joe Kilian, Phillip Rogaway,
"How to protect DES against exhaustive key search,"
Earlier version in Advances in Cryptology - CRYPTO '96, Volume 1109 of Lecture Notes in Computer Science (N. Koblitz, ed.), pp. 252-267. Springer-Verlag, 1996.
Full version: http://wwwcsif.cs.ucdavis.edu/~rogaway/papers/desx.ps
[Inf] U.S. National Institute of Standards and Technology,
NIST FIPS PUB 46-2 (supercedes FIPS PUB 46-1), "Data Encryption Standard", U.S. Department of Commerce, December 1993.
http://www.itl.nist.gov/div897/pubs/fip46-2.htm
[Inf] Bruce Schneier,
"Chapter 12 Data Encryption Standard,"
Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[An] John Kelsey, Bruce Schneier, David Wagner,
"Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA",
ICICS '97 Proceedings, Springer-Verlag, November 1997.
http://www.counterpane.com/related-key_cryptanalysis.html

Key length:

128 or 192 bits; default 192 bits, as encoded. See security comments for the effective key length.

Block size:

8 bytes.

Comments:

Implementations MUST ignore (i.e. not check) the parity bits of the single-DES key. KeyGenerators for DESX SHOULD generate entirely random keys (possibly avoiding DES weak keys). In the case of a 16-byte key, the input to the "hash procedure" which generates K2 is the original user key, without any adjustment to parity.

There do not appear to be any "official" test vectors for DESX, so for reference we provide the following (the first was calculated using Mark Riordan's C implementation, and the second by hand based on official DES test data):

   key        = <0123456789ABCDEF1011121314151617>
   plaintext  = <4445535864657378>
   ciphertext = <D8FA5084FAD4B35C>

   key        = <01010101010101010123456789ABCDEF1011121314151617>
   plaintext  = <94DBE082549A14EF>
   ciphertext = <9011121314151617>

Security comments:

The paper "How to protect DES against exhaustive key search" proves that attacks on DESX that assume a "black-box" model for DES require a work factor of 2¹¹⁸. This does not take into account any possible weaknesses of DES, apart from the key complementation property. In particular, DESX is no more secure than DES against linear and differential cryptanalysis.
DESX is vulnerable to related-key attacks, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

DFC	Block Cipher

Designers:

Henri Gilbert, Marc Girault, Philippe Hoogvorst, Fabrice Noilhan, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay

Published:

May 1998

References:

[Def, An] Henri Gilbert, Marc Girault, Philippe Hoogvorst, Fabrice Noilhan, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay,
Decorrelated Fast Cipher: an AES Candidate,
http://lasecwww.epfl.ch/query.msql?ref=GG%2B98b
(also see errata at the DFC home page)
[Inf] The Decorrelated Fast Cipher Home Page,
http://lasecwww.epfl.ch/dfc.shtml.
[Inf] Serge Vaudenay,
"The Decorrelation Technique,"
http://lasecwww.epfl.ch/decorrelation.shtml
[An] Lars Knudsen, Vincent Rijmen,
"On the decorrelated fast cipher (DFC) and its theory,"
Presented at Fast Software Encryption '99, Rome.
[Patent] Serge Vaudenay,
"Procédé de décorrélation des données,"
French patent application num. 96 13411. Requested on 4 November 1996. (Extension to other countries in process.)
[Test] NIST,
DFC Test Values,
http://www-08.nist.gov/encryption/aes/round1/testvals/dfc-vals.zip

Key length:

Minimum 0, maximum 256 bits, multiple of 8 bits; default 128 bits.

Block size:

16 bytes.

Patent status:

DFC itself is unpatented, but the decorrelation technique it uses may be covered by the patent application referenced above.

DFCv2-128(rounds,s)

Block Cipher

Designers:

Louis Granboulan, Phong Nguyen, Fabrice Noilhan, Serge Vaudenay

Published:

August 2000

References:

[Def, An, Test] Louis Granboulan, Phong Nguyen, Fabrice Noilhan, Serge Vaudenay,
"DFCv2,"
In Selected Areas in Cryptography - Proceedings of SAC '2000 (D. Stinson and S. Tavares, eds.), Waterloo, Ontario, Canada, August 14-15 2000. To appear in Lecture Notes in Computer Science, Springer-Verlag.
http://www.di.ens.fr/~granboul/recherche/publications/
[Inf] The Decorrelated Fast Cipher Home Page,
http://lasecwww.epfl.ch/dfc.shtml.
[Inf] Serge Vaudenay,
"The Decorrelation Technique,"
http://lasecwww.epfl.ch/decorrelation.shtml
[Inf] Olivier Baudron, Henri Gilbert, Louis Granboulan, Helena Handschuh, Robert Harley, Antoine Joux, Phong Nguyen, Fabrice Noilhan, David Pointcheval, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay,
"DFC Update,"
Presented at the 2nd AES Conference.
http://lasecwww.epfl.ch/query.msql?ref=BG%2B99b
[An] Lars Knudsen, Vincent Rijmen,
"On the decorrelated fast cipher (DFC) and its theory,"
Presented at Fast Software Encryption '99, Rome.
[Patent] Serge Vaudenay,
"Procédé de décorrélation des données,"
French patent application num. 96 13411. Requested on 4 November 1996. (Extension to other countries in process.)

Parameters:

Integer rounds [creation/read, no default] - the number of rounds to be performed (minimum 8, default 12, multiple of 2)
Integer s [creation/read] - adjustment to key scheduling (minimum 4, default 4?)

Key length:

128, 192 or 256 bits; default 128 bits.

Block size:

16 bytes.

Comments:

Note that DFCv2 is not the same as the algorithm defined in the "DFC Update" paper (which did not have a sufficiently well-specified key schedule). That paper is included in the references only for comparison.

Patent status:

DFCv2 itself is unpatented, but the decorrelation technique it uses may be covered by the patent application referenced above.

Diamond2(rounds)

Block Cipher

Designer:

Michael Paul Johnson

Published:

1995

References:

[Def] Michael Paul Johnson,
"The Diamond2 Block Cipher,"
diamond2.{ps,doc} in ftp://ftp.zedz.com/pub/cryptoI/mirror/ftp.cryptography.org/libraries/dlock2.zip
[Inf] Michael Paul Johnson,
"Beyond DES: Data Compression and the MPJ Encryption Algorithm,"
Master's Thesis at the University of Colorado at Colorado Springs, 1989.
thesis.txt in ftp://ftp.zedz.com/pub/cryptoI/mirror/ftp.cryptography.org/libraries/dlock2.zip
(Note: this describes an earlier version of Diamond, not Diamond2.)
[Impl, Test] Michael Paul Johnson,
Diamond2 reference implementation (in C++),
ftp://ftp.zedz.com/pub/cryptoI/mirror/ftp.cryptography.org/libraries/dlock2.zip

Parameters:

Integer rounds [creation/read, no default] - the number of rounds to be performed (minimum 10)

Key length:

Minimum 8, maximum 65536, multiple of 8 bits; default 128 bits.

Block size:

16 bytes.

Comments:

The paper "The Diamond2 Block Cipher" does not appear to specify a recommended number of rounds, only a minimum number of rounds. For that reason, the rounds parameter has been made mandatory.
The "Diamond2 Lite" variant does not have a standard name.

E2	Block Cipher

Designers:

Kazumaro Aoki, Masayuki Kanda, Tsutomu Matsumoto, Shiho Moriai, Kazuo Ohta, Miyako Ookubo, Youichi Takashima, Hiroki Ueda

Published:

June 1998

References:

[Def, An] Specification of E2 - a 128-bit Block Cipher,
http://info.isl.ntt.co.jp/e2/E2spec.pdf
[Inf] The E2 Home Page,
http://info.isl.ntt.co.jp/e2/
[Inf] Supporting Document on E2,
(corrected version, April 16 1999)
http://info.isl.ntt.co.jp/e2/E2support.pdf
[Inf] Kazumaro Aoki, Hiroki Ueda,
"Optimized Software Implementations of E2,"
Presented at the 2nd AES Conference.
http://csrc.nist.gov/encryption/aes/round1/conf2/papers/aoki.pdf
[Inf] Kazumaro Aoki, Hiroki Ueda,
"Optimized Software Implementations of E2,"
Revised April 15, 1999.
http://info.isl.ntt.co.jp/e2/RelDocs/implE2.pdf
[Def, An] M. Kanda, Y. Takashima, T. Matsumoto, K. Aoki, K. Ohta,
"A Strategy for Constructing Fast Round Functions with Practical Security against Differential and Linear Cryptanalysis,"
Presented at the 5th annual workshop on Selected Areas in Cryptography (SAC '98) in August, 1998.
[An] Makoto Sugita, Kazukuni Kobara, Hideki Imai,
"Pseudorandomness and Maximum Average of Differential Probability of Block Ciphers with SPN-Structures like E2,"
Presented at the 2nd AES Conference.
http://csrc.nist.gov/encryption/aes/round1/conf2/papers/sugita.pdf
[An] Yuji Hori, Toshinobu Kaneko,
"A study of E2 by higher order differential attack,"
Technical report of IEICE. ISEC98-39, Science University of Tokyo
(in Japanese - brief English summary here).
[An] Mitsuru Matsui, Toshio Tokita,
"On cryptanalysis of a byte-oriented cipher,"
The 1999 Symposium on Cryptography and Information Security, SCIS99-W2-1.5
(in Japanese - brief English summary here).
[An] Mitsuru Matsui, Toshio Tokita,
"Cryptanalysis of a Reduced Version of the Block Cipher E2,"
Fast Software Encryption '99 (March 1999), pp. 70-79 (abstract here).
[An] NTT Laboratories,
"Security of E2 aginst Truncated Differential Cryptanalysis (in progress),"
April 15 1999.
http://info.isl.ntt.co.jp/e2/RelDocs/E2trunc.pdf
[An] Makoto Sugita, Kazukuni Kobara, Kazuhiro Uehara, Shuji Kubota, Hideki Imai,
"Relationships among Differential, Truncated Differential, Impossible Differential Cryptanalyses against Word-Oriented Block Ciphers like Rijndael, E2,"
Presented at the 3rd AES Candidate Conference.
http://csrc.nist.gov/encryption/aes/round2/conf3/papers/32-msugita.pdf
[An] Matsui, Tokita,
"Cryptanalysis of block cipher E2,"
Presented at Fast Software Encryption '99, Rome.
[Patent] NTT (assignee),
"Data Randomize Device and Symmetric Cipher Devices (translated),"
Japanese Patent Application JP 173672/1997.
[Patent] NTT (assignee),
[[need patent titles]]
Japanese Patent Application JP 013572/1998.
Japanese Patent Application JP 013573/1998.
Japanese Patent Application JP 153066/1998.
Japanese Patent Application JP 147479/1998.
(Corresponding applications will be filed in other countries.)
[Test] NIST,
E2 Test Values,
http://www-08.nist.gov/encryption/aes/round1/testvals/e2-vals.zip

Key length:

128, 192 or 256 bits; default 128 bits.

Block size:

16 bytes.

Patent status:

NTT has several patents pending on E2 (see references).

? FROG[(blockSize[,rounds])]

Block Cipher

Designers:

Dianelos Georgoudis, Damian Leroux, Billy Simón Chaves

Published:

1998

References:

[Def, An, Impl] Dianelos Georgoudis, Damian Leroux, Billy Simón Chaves,
The "FROG" Encryption Algorithm,
June 15, 1998.
http://www.tecapro.com/aesfrog.htm
[An] F. Koeune, G.F. Piret, J.J. Quisquater,
Our first few comments about FROG,
August 1998.
http://www.dice.ucl.ac.be/crypto/CAESAR/frog.html
[An] David Wagner, Niels Ferguson, Bruce Schneier,
Cryptanalysis of FROG,
Corrected version, March 16, 1999. Presented at the 2nd AES Conference.
http://www.cs.berkeley.edu/~daw/papers/frog-final.ps
(slides: http://www.cs.berkeley.edu/~daw/papers/frog-slides.ps)
[Also see: http://www.counterpane.com/frog.html - is this the earlier version?]
[Test] NIST,
FROG Test Values,
http://www-08.nist.gov/encryption/aes/round1/testvals/frog-vals.zip

Parameters:

Integer blockSize [creation/read, default 16] - the length of a block in bytes (8 to 128)
Integer rounds [creation/read, default 8] - the number of rounds to be performed (minimum 8)

Key length:

Minimum 40, maximum 1000, multiple of 8 bits; default 128 bits.

Block size:

As given by the blockSize parameter (in bytes).

Missing information:

Test vectors for block sizes other than 16 bytes.

Comment:

The original C reference code uses an unconventional byte order when printing test vectors (the order of bytes is reversed across the whole block). The correct byte order is that defined by the Java reference implementation, and by the NIST test vectors referenced above.

Security comment:

The paper "Cryptanalysis of FROG" describes the following attacks on weak keys:

A differential attack requiring 2⁵⁸ chosen plaintexts and very little time for the analysis; it works for about 2^-33.0 of the keyspace.
A linear attack that uses 2⁵⁶ known texts and works for 2^-31.8 of the keyspace.
A ciphertext-only linear attack using 2⁶⁴ ciphertexts (also for 2^-31.8 of the keyspace).
A differential attack on the decryption function that requires 2³⁶ chosen ciphertexts and works for 2^-29.3 of the keyspace.

? GOST

Block Cipher

Alias:

"GOST-28147-89"

Published:

1989

References:

[Def] GOST, Gosudarstvennyi Standard 28147-89,
"Cryptographic Protection for Data Processing Systems,"
Government Committee of the USSR for Standards, 1989 (in Russian).
[Def, Inf] Bruce Schneier,
"Section 14.1 GOST,"
Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[Inf] J. Pieprzyk, L. Tombak,
"Soviet Encryption Algorithm,"
Preprint 94-10, Department of Computer Science, The University of Wollongong, 1994.
ftp://ftp.cs.uow.edu.au/pub/papers/1994/tr-94-10.ps.Z
[An] Markku-Juhani Saarinen,
A chosen key attack against the secret S-boxes of GOST,
http://www.cc.jyu.fi/~mjos/gost_cka.ps
[An] C. Charnes, L. O'Connor, J. Pieprzyk, R. Savafi-Naini, Y. Zheng,
"Comments on Soviet encryption algorithm,"
Advances in Cryptology - EUROCRYPT '94 Proceedings, Volume 950 of Lecture Notes in Computer Science (A. De Santis, ed.), pp. 433-438. Springer Verlag, 1995.
[An] C. Charnes, L. O'Connor, J. Pieprzyk, R. Safavi-Naini, Y. Zheng,
"Further comments on GOST encryption algorithm,"
Preprint 94-9, Department of Computer Science, The University of Wollongong, 1994.
ftp://ftp.cs.uow.edu.au/pub/papers/1994/tr-94-9.ps.Z
[An] John Kelsey, Bruce Schneier, David Wagner,
"Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES,"
Advances in Cryptology - CRYPTO '96 Proceedings. Springer-Verlag, August 1996.
http://www.cs.berkeley.edu/~daw/papers/keysched-crypto96.ps
[Inf] Markku-Juhani Saarinen,
C implementation and test vectors for GOST hash function,
http://www.tcs.hut.fi/~mjos/gosthash.tar.gz
[The implementation is of GOST-Hash, but this archive also contains a draft translation into English of the GOST 28147-89 standard.]

Parameters:

byte[][] sboxes [write only, default as given in Applied Cryptography] - the S-boxes to be used by this cipher instance. sboxes[i-1][j] represents the output of S-box i, for an input value j.
The implementation may or may not copy the contents of arrays used to set this parameter. If any such arrays are subsequently changed, the output of the cipher is undefined (it is therefore the responsibility of the caller to make sure that references to these arrays are not accessible to untrusted code). Setting this parameter will reset the current key and feedback vector, if applicable.

Key length:

256 bits.

Block size:

8 bytes.

Missing information:

Test vectors.

Security comment:

The paper "A chosen key attack against the secret S-boxes of GOST" cited above describes how to recover the S-boxes in about 2³² encryptions. The main significance of this is on tamperproof hardware implementations where the S-boxes were assumed to be secret; for a software implementation, they should be assumed to be public in any case.

HPC-1(blockSize[,backup])

Block Cipher

Designer:

Rich Schroeppel

Published:

1998

Description:

This is the original HPC cipher submitted as a first round AES candidate.

References:

[Def] Rich Schroeppel, Hilarie Orman,
Specification for the Hasty Pudding Cipher,
http://www.cs.arizona.edu/~rcs/hpc/hpc-spec
[Inf, Test] Rich Schroeppel,
The Hasty Pudding Cipher page,
http://www.cs.arizona.edu/~rcs/hpc/
[An] David Wagner,
Equivalent keys for HPC,
Rump session talk at the 2nd AES Conference.
Slides at: http://www.cs.berkeley.edu/~daw/papers/hpc-aes99-slides.ps
[An] Carl D'Halluin, Gert Bijnens, Bart Preneel, Vincent Rijmen,
Equivalent keys of HPC,
Katholieke Universiteit Leuven, ESAT-COSIC.
http://www.esat.kuleuven.ac.be/~rijmen/pub99.html
[Inf] Rich Schroeppel,
"The Hasty Pudding Cipher: One Year Later,"
June 12, 1999.
http://www.cs.arizona.edu/~rcs/hpc/hpc-oneyearlater
[Test] NIST,
HPC Test Values,
http://www-08.nist.gov/encryption/aes/round1/testvals/hpc-vals.zip

Parameters:

Integer blockSize [creation/read, default 16] - the length of a block in bytes (minimum 1)
Integer backup [creation/read, default 0] - a parameter that can be increased to make the cipher more conservative, at the cost of speed (minimum 0)
long[] spice [write, default all-zeroes] - an array of 8 64-bit words containing a diversifier.
The implementation may or may not copy the contents of arrays used to set this parameter. If any such array is subsequently changed, the output of the cipher is undefined, unless the parameter is set again immediately (it is therefore the responsibility of the caller to make sure that a reference to this array is not accessible to untrusted code). Setting this parameter will not reset the current key and feedback vector.

Key length:

Minimum 0, maximum 65536 bits; default 128 bits.

Block size:

As given by the blockSize parameter (in bytes). Note that while HPC supports block sizes that are not a multiple of 8 bits, the JCE API does not.

Comment:

The convention for encoding keys that are not a multiple of 8 bits in length, is for the last (effectiveBitLength % 8) bits of the key to be packed in the high-order bits of the last byte of the encoding. Any unused low-order bits of the last byte are ignored. For example, the key given by the 11-bit sequence <01010101 010>₂, would be encoded as the byte array { 0x55, 0x40 | junk }, where junk & 0xE0 == 0. The value of the key's effectiveBitLength parameter is used to determine how many bits of the encoding are significant.

Security comments:

The paper "Equivalent keys of HPC" by D'Halluin et al, describes an attack which, for 128-bit keys, has an expected work factor of 2⁸⁹, and works for 1/256 of the keyspace. The analysis is extended to HPC with a 192-bit key and a 256-bit key, with similar results. For some other key lengths (including 56 bits), all keys are shown to be weak. The "tweak" described in "Tweaking the Hasty Pudding Cipher," (see HPC-2) is intended to correct this problem, but has not yet had a significant amount of analysis.
Also note that with the default all-zeroes spice value, much of the work being done by the cipher has no cryptographic effect.

? HPC-2(blockSize[,backup])

Block Cipher

Designer:

Rich Schroeppel

Published:

June 1999

Description:

This is the "tweaked" version of HPC, with a modified key schedule.

References:

[Def] Rich Schroeppel,
"Tweaking the Hasty Pudding Cipher,"
http://www.cs.arizona.edu/~rcs/hpc/tweak
[Inf] Rich Schroeppel,
"The Hasty Pudding Cipher: One Year Later,"
June 12, 1999.
http://www.cs.arizona.edu/~rcs/hpc/hpc-oneyearlater
[see references for HPC-1]

Parameters:

Integer blockSize [creation/read, default 16] - the length of a block in bytes (minimum 1)
Integer backup [creation/read, default 0] - a parameter that can be increased to make the cipher more conservative, at the cost of speed (minimum 0)
long[] spice [write, default all-zeroes] - an array of 8 64-bit words containing a diversifier.
The implementation may or may not copy the contents of arrays used to set this parameter. If any such array is subsequently changed, the output of the cipher is undefined, unless the parameter is set again immediately (it is therefore the responsibility of the caller to make sure that a reference to this array is not accessible to untrusted code). Setting this parameter will not reset the current key and feedback vector.

Key length:

Minimum 0, maximum 65536 bits; default 128 bits.

Block size:

As given by the blockSize parameter (in bytes). Note that while HPC supports block sizes that are not a multiple of 8 bits, the JCE API does not.

Missing information:

Test vectors.

Comment:

[see comment for HPC-1]

Security comment:

Note that with the default all-zeroes spice value, much of the work being done by the cipher has no cryptographic effect.

ICE	Block Cipher

Designer:

Matthew Kwan

Published:

1997

References:

[Def, Test] Matthew Kwan,
"The Design of the ICE Encryption Algorithm,"
Proceedings of Fast Software Encryption - Fourth International Workshop, Haifa, Israel, pp. 69-82. Springer-Verlag, 1997.
http://www.darkside.com.au/ice/paper.html
[Inf, Impl] The ICE Home Page,
http://www.darkside.com.au/ice/
[An] Matthew Kwan,
Cryptanalysis of ICE,
http://www.darkside.com.au/ice/cryptanalysis.html
[An] B. Van Rompay, Lars Knudsen, Vincent Rijmen,
"Differential cryptanalysis of the ICE encryption algorithm,"
Fast Software Encryption, Volume 1372 of Lecture Notes in Computer Science (Serge Vaudenay, ed.), pp. 270-283. Springer-Verlag, 1998.
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/vrompay/fse98.ps.gz

Key length:

Minimum 64, multiple of 64 bits; default 128 bits.

Block size:

8 bytes.

Comment:

The length of the key defines the "level" parameter (note that the "Thin ICE" variant is not included).

Security comment:

The paper "Differential cryptanalysis of the ICE encryption algorithm" describes several differential attacks, including an attack against a variant reduced to 15 rounds, with 2⁵⁶ work and at most 2⁵⁶ chosen plaintexts. (The full algorithm has n/4 rounds when the key length is n bits.) The paper concludes:

[...] The main conclusion of this paper is that keyed permutation does not prevent differential cryptanalysis. Although the analysis is more complicated and becomes key dependent, in our opinion the intention of the design has not been reached. The best 3-round iterative characteristic that can be used in our attack has a probability of 2^-13, which is higher than the probability of 2^-16 of the best 3-round characteristic for LOKI91 (a similar block cipher that makes use of four identical 12 to 8-bit S-boxes).

These attacks are probably not practical when the number of rounds is 32 or higher (i.e. the key is 128 bits or longer). However, in that case ICE is slower than DES.

IDEA	Block Cipher

Designers:

Xuejia Lai, James Massey

Published:

1992

Alias:

"OpenPGP.Cipher.1"

Object Identifiers:

1.3.6.1.4.1.188.7.1.1.1 for IDEA/ECB
1.3.6.1.4.1.188.7.1.1.2 for IDEA/CBC
1.3.6.1.4.1.188.7.1.1.3 for IDEA/CFB
1.3.6.1.4.1.188.7.1.1.4 for IDEA/OFB
(source for OIDs)

References:

[Def, An] X. Lai,
"On the design and security of block ciphers",
ETH Series in Information Processing (J.L. Massey, ed.), Vol. 1, Hartung-Gorre Verlag, Konstanz Technische Hochschule (Zurich), 1992.
[Inf, An] X. Lai, J.L. Massey, S. Murphy,
"Markov Ciphers and Differential Cryptanalysis,"
Advances in Cryptology - EUROCRYPT '91, Volume 547 of Lecture Notes in Computer Science (D.W. Davies, ed.), pp. 17-38. Springer-Verlag, 1991.
[Inf] The IDEA Algorithm page.
http://www.mediacrypt.com/
Older version archived at http://web.archive.org/web/20000816173927/http://www.ascom.ch/infosec/idea/oid.html
[Inf] Bruce Schneier,
"Section 13.9 IDEA,"
Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
(Note: there is an error in the description; the diagram is correct.)
[Inf] A. Menezes, P.C. van Oorschot, S.A. Vanstone,
"Section 7.6 IDEA,"
Handbook of Applied Cryptography, CRC Press, 1997.
http://www.cacr.math.uwaterloo.ca/hac/about/chap7.pdf, .ps
[An] Joan Daemen, René Govaerts, Joos Vandewalle,
"Weak Keys of IDEA,"
Advances in Cryptology - CRYPTO '93 Proceedings, Volume 773 of Lecture Notes in Computer Science (D. Stinson, ed.), pp. 224-231. Springer-Verlag, 1994.
http://www.esat.kuleuven.ac.be/~cosicart/ps/JD-9304.ps.gz
[An] Joan Daemen, René Govaerts, Joos Vandewalle,
"Cryptanalysis of 2.5 Rounds of IDEA,"
ESAT-COSIC Technical Report 93/1, 1993.
http://www.esat.kuleuven.ac.be/~cosicart/ps/JD-9306.ps.gz
[An] J. Borst, L. Knudsen, V. Rijmen,
"Two attacks on reduced IDEA,"
Advances in Cryptology - EUROCRYPT '97 Proceedings, Volume 1233 of Lecture Notes in Computer Science (W. Fumy, ed.), pp. 1-13. Springer-Verlag, 1997.
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/idea.ps.gz
[An] L. Knudsen, V. Rijmen,
"Truncated Differentials of IDEA,"
ESAT-COSIC Technical Report 97-1.
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/idea_trunc.ps.Z
[An] John Kelsey, Bruce Schneier, David Wagner,
"Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES".
http://www.counterpane.com/key_schedule.html
[An] Phillip Hawkes,
"Differential-Linear Weak Key Classes of IDEA,"
Advances in Cryptology - EUROCRYPT '98 Proceedings, pp. 112-126, Springer-Verlag, 1998.
[An] E. Biham, A. Biruykov, A. Shamir,
"Miss in the middle attacks on IDEA, Khufu and Khafre,"
Presented at Fast Software Encryption '99, Rome.
[An] John Kelsey, Bruce Schneier, David Wagner, Chris Hall,
"Side Channel Cryptanalysis of Product Ciphers",
ESORICS '98 Proceedings pp. 97-110, Springer-Verlag, September 1998.
http://www.counterpane.com/side_channel.html
[Inf, An] Ascom Systec, Ltd.
"Side Channel Attack Hardening of the IDEA^TM Cipher,"
Ascom Systec White Paper (corrected version, May 1999).
http://web.archive.org/web/20000823133119/www.ascom.ch/infosec/downloads/sidechannel.pdf
[An] Jorge Nakahara Jr., Paulo Barreto, Bart Preneel, Joos Vandewalle, Hae Y. Kim,
"SQUARE Attacks on Reduced-Round PES and IDEA Block Ciphers,"
NESSIE Project phase 2 public report, 19 November 2001.
https://www.cosic.esat.kuleuven.ac.be/nessie/reports/phase2/nessie-idea.pdf
[An] Alex Biryukov, Jorge Nakahara Jr., Bart Preneel, Joos Vandewalle,
"New Weak Key Classes of IDEA,"
NESSIE Project phase 2 public report, 29 June 2002.
https://www.cosic.esat.kuleuven.ac.be/nessie/reports/phase2/keyidea5.pdf
[Patent] James Massey, Xuejia Lai,
"Device for Converting a Digital Block and the Use Thereof",
International Patent WO09118459A2, filed May 16 1991, issued November 28 1991.
[Patent] James Massey, Xuejia Lai,
"Device for Converting a Digital Block and the Use Thereof,"
European Patent EP00482154A1, filed May 16 1991, issued April 29 1992.
[Patent] James Massey, Xuejia Lai,
"Device for Converting a Digital Block and the Use Thereof,"
European Patent EP00482154B1, filed May 16 1991, issued June 30 1993.
[Patent] James Massey, Xuejia Lai,
"Device for the Conversion of a Digital Block and Use of Same",
U.S. Patent 5,214,703, filed January 7 1992, issued May 25 1993.
[Patent] James Massey, Xuejia Lai,
[[filed Japanese Patent Application No. 508119/1991]]
[Impl, Test] Ascom Systec, Ltd.
IDEA C Source Code and Test Data (corrected version, May 1999).
http://web.archive.org/web/20000816173624/www.ascom.ch/infosec/downloads.html

Key length:

128 bits.

Block size:

8 bytes.

Comments:

A version of the IDEA C reference code available in April and early May 1999 contained a bug in the code for multiplication mod 2¹⁶+1, which occurs when multiplying two zero words; this bug is not caught by the standard test vectors. An additional test vector that does catch the bug (and incidentally demonstrates a weakness of IDEA's key schedule, but that's beside the point) is:
```
   key        = <00000000000000000000000000000000>
   plaintext  = <0000000000000000>
   ciphertext = <0001000100000000>
```
The test vectors, reference implementation and papers that were previously available from the Ascom web site (including the important paper on side channel attack hardening) have all disappeared from that site. Congratulations to Ascom, iT_Security, Mediacrypt, or whatever its name is this week, for providing an excellent example of how not to handle web site reorganisations. Fortunately all of these files were recoverable from web.archive.org (thanks to Jason Harris for pointing this out).

Security comment:

IDEA is vulnerable to key schedule attacks, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

Patent status:

IDEA is patented in the U.S and 9 European countries by Ascom Systec Ltd., with a patent pending in Japan.

× ISAAC-BE

Stream Cipher

Designer:

Robert J. Jenkins Jr.

Published:

1996

References:

[Def, An] Robert J. Jenkins Jr.,
ISAAC and RC4,
http://www.burtleburtle.net/bob/rand/isaac.html
[Inf, An, Test, Impl] Robert J. Jenkins Jr.,
ISAAC: a fast cryptographic random number generator,
http://www.burtleburtle.net/bob/rand/isaacafa.html
[Inf] Robert J. Jenkins Jr.,
"ISAAC,"
Fast Software Encryption, Third International Workshop, Volume 1039 of Lecture Notes in Computer Science (D. Gollman, ed.), pp. 41-49. Springer-Verlag, 1996.

Key length:

Missing information:

ISAAC does not appear to have a standard key schedule; this would need to be specified for it to be usable as a SCAN algorithm. Test vectors would also be needed.

× ISAAC-LE

Stream Cipher

Designer:: Robert J. Jenkins Jr.
Published:: 1996
References:: [see references for ISAAC-BE]
Key length:: ?
Missing information:: [see ISAAC-BE]

× ISAAC-64-BE

Stream Cipher

Designer:

Robert J. Jenkins Jr.

Published:

1996

References:

[Def, An] Robert J. Jenkins Jr.,
ISAAC and RC4,
http://www.burtleburtle.net/bob/rand/isaac.html

Key length:

Missing information:

ISAAC-64 does not appear to have a standard key schedule; this would need to be specified for it to be usable as a SCAN algorithm. Test vectors would also be needed.

× ISAAC-64-LE

Stream Cipher

Designer:: Robert J. Jenkins Jr.
Published:: 1996
References:: [see references for ISAAC-64-BE]
Key length:: ?
Missing information:: [see ISAAC-BE]

? JEROBOAM

Stream Cipher

Designers:

Hervé Chabanne, Emmanuel Michon

Published:

1998

Description:

This algorithm refers to JEROBOAM version 2.0.

Alias:

"JEROBOAM-2.0"

References:

[Def, An] Hervé Chabanne, Emmanuel Michon,
"JEROBOAM",
Fast Software Encryption '98, Volume 1372 of Lecture Notes in Computer Science (Serge Vaudenay, ed.), pp. 49-59. Springer-Verlag, 1998.
[Def, An] Emmanuel Michon,
Rapport de stage d'option scientifique: étude cryptologique du chiffreur JEROBOAM,
Ecole Polytechnique, June 1997.

Key length:

128 or 248 bits

Missing information:

I have not yet read either of the referenced papers, so I don't know whether byte-order is specified, status of test vectors, etc.

× LEVIATHAN-BE

Stream Cipher

Designers:

David McGrew, Scott Fluhrer

Published:

October 2000

Description:

This is LEVIATHAN using big-endian byte order, when XORing the keystream with the plaintext for encryption.

References:

[Def, An] David McGrew, Scott Fluhrer,
The Stream Cipher LEVIATHAN - Specification and Supporting Documentation,
Presented at the First Open NESSIE Workshop, November 2000.
https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/leviathan.zip
[Def, An] Paul Crowley,
Analysis of LEVIATHAN,
http://www.cluefactory.org.uk/paul/crypto/leviathan.html

Key length:

128 or 256 bits

Security comment:

The output of LEVIATHAN can be distinguished from a random stream given about ??? MBytes of output.

× LEVIATHAN-LE

Stream Cipher

Designers:: David McGrew, Scott Fluhrer
Published:: October 2000
Description:: This is LEVIATHAN using little-endian byte order, when XORing the keystream with the plaintext for encryption.
References:: [see references for LEVIATHAN-BE]
Key length:: 128 or 256 bits
Security comment:: [see Security comment for LEVIATHAN-BE]

LOKI91

Block Cipher

Designers:

Laurence Brown, Matthew Kwan, Josef Pieprzyk, Jennifer Seberry

Published:

1991-92

References:

[Def, An] Laurence Brown, Matthew Kwan, Josef Pieprzyk, Jennifer Seberry,
"Improving Resistance to Differential Cryptanalysis and the Redesign of LOKI,"
Advances in Cryptology - ASIACRYPT '91 Proceedings, Springer-Verlag, 1993, pp. 36-50.
[Inf] Bruce Schneier,
"Section 13.6 LOKI,"
Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[An] Eli Biham,
"New Types of Cryptanalytic Attacks Using Related Keys,"
CS 753, Computer Science Department, Technion -- Israel Institute of Technology, September 1992.
http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1992/CS/CS0753.ps
[An] Lars Knudsen,
"Cryptanalysis of LOKI91,"
Volume 718 of Lecture Notes in Computer Science, pp. 196-208. Springer-Verlag, 1992.
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/loki91.ps.Z
[An] Lars Knudsen,
"Block ciphers - analysis, design and applications,"
PhD. Thesis, DAIMI PB 485, Aarhus University, 1994.
[An] Toshio Tokita, Tohru Sorimachi, Mitsuru Matsui,
"Linear cryptanalysis of LOKI and S2DES,"
Volume 917 of Lecture Notes in Computer Science, pp. 293-306. Springer-Verlag, 1994.
[An] Lars Knudsen, M.J.B. Robshaw,
"Non-linear Approximations in Linear Cryptanalysis,"
Volume 1070 of Lecture Notes in Computer Science, pp. 224-236. Springer-Verlag, 1996.
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/nonlinear.ps.Z
[An] Kouichi Sakurai, Souichi Furuya,
"Improving Linear Cryptanalysis of LOKI91 by Probabalistic Counting Method,"
Volume ??? of Lecture Notes in Computer Science. Springer-Verlag, 1997.
[An] Lars Knudsen,
"New potentially weak keys for DES and LOKI,"
Advances in Cryptology - EUROCRYPT '94 Proceedings, Volume 950 of Lecture Notes in Computer Science (A. De Santis, ed.), pp. 419-424. Springer Verlag, 1995.
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/potential.ps.Z

Key length:

64 bits.

Block size:

8 bytes.

Security comments:

LOKI91 is vulnerable to related-key attacks, with a work factor of about 2⁶⁰ operations, and therefore it should only be used with keys that are generated by a strong RNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).
The attacks cited above based on Linear Cryptanalysis, are effective against reduced-round variants of LOKI91 with up to 12 rounds (the full cipher has 16 rounds).
The fixed 64-bit key length is too short to prevent brute-force attacks.

LOKI97

Block Cipher

Designers:

Laurence Brown, Josef Pieprzyk, Jennifer Seberry

Published:

1997

References:

[Def, An] Laurence Brown, Josef Pieprzyk,
Introducing the new LOKI97 Block Cipher,
http://www.adfa.oz.au/~lpb/research/loki97/loki97spec.ps
[Inf, Impl] Laurence Brown,
The LOKI97 Block Cipher page,
http://www.adfa.oz.au/~lpb/research/loki97/
[An] Vincent Rijmen, Lars Knudsen,
Weaknesses in LOKI97,
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/loki97.pdf
[Test] NIST,
LOKI97 Test Values,
http://www-08.nist.gov/encryption/aes/round1/testvals/loki97-vals.zip

Key length:

128, 192 or 256 bits; default 128 bits.

Block size:

16 bytes.

Security comment:

The paper "Weaknesses in LOKI97" describes an attack using Differential Cryptanalysis, estimated as requiring at most 2⁵⁶ chosen plaintexts, and an attack using Linear Cryptanalysis, estimated as requiring at most 2⁵⁶ known plaintexts.

MAGENTA

Block Cipher

Designers:

Michael Jacobson Jr., Klaus Huber

Published:

August 1998

References:

[Def, An] M.J. Jacobson Jr., K. Huber,
The MAGENTA Block Cipher Algorithm,
http://www.gel.ulaval.ca/~klein/maitrise/aes/magenta.pdf
[An] Eli Biham, Alex Biryukov, Niels Ferguson, Lars Knudsen, Bruce Schneier, Adi Shamir,
"Cryptanalysis of Magenta,"
Distributed at the first AES conference, August 20, 1998.
http://www.counterpane.com/magenta.html
[Patent] [[need patent title]]
German Patent DE 44 25 158 A1, [[need date]].
[Test] NIST,
MAGENTA Test Values,
http://www-08.nist.gov/encryption/aes/round1/testvals/magenta-vals.zip

Key length:

128, 256, or 256 bits; default 128 bits.

Block size:

16 bytes.

Security comment:

The paper "Cryptanalysis of Magenta" describes a chosen plaintext attack using 2⁶⁴ chosen plaintexts, and 2⁶⁴ work. It also notes that "given a ciphertext, one can decrypt it by swapping its two halves, re-encrypting the result, and swapping again". This would be a fatal weakness for some applications, even though it does not allow obtaining the key.

Patent status:

MAGENTA may be patented (see references).

MARS	Block Cipher

Designers:

Carolynn Burwick, Don Coppersmith, Edward D'Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas Jr., Luke O'Connor, Mohammad Peyravian, David Safford, Nevenko Zunicof

Published:

August? 1999

Description:

This is the "tweaked" version of MARS submitted as a second round AES candidate.

Alias:

"MARS-2"

References:

[Def, An] Carolynn Burwick, Don Coppersmith, Edward D'Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas Jr., Luke O'Connor, Mohammad Peyravian, David Safford, Nevenko Zunicof,
"MARS - A candidate cipher for AES," (corrected version).
Available from http://www.research.ibm.com/security/mars.html
[Note that the key schedule described here (in mars.pdf/.ps) is for the initial version of MARS submitted as a first round AES candidate.]
[Def] Shai Halevi,
"MARS key setup,"
http://www.research.ibm.com/security/key-setup.txt
[An] Scott Contini, Yiqun Lisa Yin,
"On Differential Properties of Data-Dependent Rotations and Their Use in MARS and RC6,"
Presented at the 2nd AES Conference.
http://csrc.nist.gov/encryption/aes/round1/conf2/papers/contini.pdf
[An] John Kelsey, Bruce Schneier,
"MARS Attacks! Preliminary Cryptanalysis of Reduced-Round MARS Variants,"
Presented at the 3rd AES Candidate Conference.
http://www.counterpane.com/mars-attacks.html
[An] Eli Biham, Vladimir Furman,
"Impossible Differential on 8-Round MARS' Core,"
March 15, 2000. Presented at the 3rd AES Candidate Conference.
http://csrc.nist.gov/encryption/aes/round2/conf3/papers/07-ebiham.pdf
[An] L. Burnett, G. Carter, E. Dawson, W. Millan,
"Efficient methods for generating MARS-like S-boxes,"
Presented at Fast Software Encryption 2000.
[An] L. Knudsen, H. Raddum,
"Linear Approximations to MARS S-Box,"
Submitted to NIST as an AES comment, April 2000.
http://csrc.nist.gov/encryption/aes/round2/comments/20000407-lknudsen.pdf
[An] M. Robshaw, Y. Lin,
"Potential Flaws in the Conjectured Resistance of MARS to Linear Cryptanalysis,"
Submitted to NIST as an AES comment, May 2000.
http://csrc.nist.gov/encryption/aes/round2/comments/20000502-mrobshaw.pdf
[An] B. Preneel, A. Bosselaers, V. Rijmen, B. Van Rompay, L. Granboulan, J. Stern, S. Murphy, M. Dichtl, P. Serf, E. Biham, O. Dunkelman, V. Furman, F. Koeune, G. Piret, J-J. Quisquater, L. Knudsen, H. Raddum,
"Comments by the NESSIE Project on the AES Finalists,"
Submitted to NIST as an AES comment, May 2000.
http://csrc.nist.gov/encryption/aes/round2/comments/20000524-bpreneel.pdf
[An] IBM MARS Team,
"Comments on MARS's linear analysis,"
Submitted to NIST as an AES comment, May 2000.
http://csrc.nist.gov/encryption/aes/round2/comments/20000515-ibm-2.pdf
[An] Tetsu Iwata, Kaoru Kurosawa,
"On the Pseudorandomness of AES Finalists - RC6, Serpent, MARS and Twofish,"
Presented at Fast Software Encryption 2000, New York.
[An] John Kelsey, Tadayoshi Kohno, Bruce Schneier,
"Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent,"
Presented at Fast Software Encryption 2000, New York.
http://www.counterpane.com/boomerang.html
[Patent] [[need patent title and date]]
U.S. Patent Application: IBM application CR998021.
[Test] IBM Corporation,
New MARS Test Vectors,
http://www.research.ibm.com/security/test-vectors/

Key length:

Minimum 128, maximum 448, multiple of 32 bits; default 128 bits.

Block size:

16 bytes.

Patent status:

IBM has a patent pending on MARS. It has said that "... we are making MARS available on a royalty-free basis, worldwide, regardless of AES outcome." (See this press release.) However, it is not clear whether "royalty-free" excludes the possibility of up-front license fees.

? MDC

Stream Cipher

Designer:

Peter Gutmann

Published:

October 1992

References:

[Def] Peter Gutmann,
Subject: MDC cipher code (long),
ftp://ftp.zedz.com/pub/crypto/libraries/mdc/mdc-gutmann.c.gz
[Impl] Peter Gutmann,
MDC reference implementation (in C),
ftp://ftp.zedz.com/pub/crypto/libraries/mdc/

Key length:

Minimum 64, maximum 640, multiple of 8 bits; default 128 bits.

Missing information:

Test vectors.

Comments:

With regard to buffering and use of IVs, MDC behaves identically to the CFB mode of a block cipher. The length of the initialisation vector is 16 bytes. Implementations MUST support immediate processing of individual bytes.
MDC has nothing to do with the cipher constructions MDC-2 and MDC-4 designed at IBM (which do not have SCAN standard names).

Security comment:

A new random IV should be used for each message encrypted under a given key.

MISTY1[(rounds)]

Block Cipher

Designer:

M. Matsui

Published:

January 1997

References:

[Def] M. Matsui,
"New Block Encryption Algorithm MISTY,"
4th Fast Software Encryption Workshop, January 1997.
http://www.mitsubishi.com/ghp_japan/misty/misty_e_b.pdf, .ps
[Inf] Mitsubishi Electric,
MISTY home page,
http://www.mitsubishi.com/ghp_japan/misty/200misty.htm
[Inf] M. Matsui,
"Block Encryption Algorithm MISTY," (in Japanese)
Technical Report of IEICE, ISEC96-11 (1996-07).
http://www.mitsubishi.com/ghp_japan/misty/misty_j_b.pdf, .ps
[Inf] M. Matsui,
"New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis,"
3rd Fast Software Encryption Workshop, February 1996.

Parameters:

Integer rounds [creation/read, default 8] - the number of rounds to be performed (minimum 8, multiple of 4)

Key length:

128 bits.

Block size:

8 bytes.

? MISTY2[(rounds)]

Block Cipher

Designer:

M. Matsui

Published:

January 1997

References:

[Def] M. Matsui,
"New Block Encryption Algorithm MISTY,"
4th Fast Software Encryption Workshop, January 1997.
http://www.mitsubishi.com/ghp_japan/misty/misty_e_b.pdf, .ps
[Inf] Mitsubishi Electric,
MISTY home page,
http://www.mitsubishi.com/ghp_japan/misty/200misty.htm
[Inf] M. Matsui,
"Block Encryption Algorithm MISTY," (in Japanese)
Technical Report of IEICE, ISEC96-11 (1996-07).
http://www.mitsubishi.com/ghp_japan/misty/misty_j_b.pdf, .ps
[Inf] M. Matsui,
"New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis,"
3rd Fast Software Encryption Workshop, February 1996.

Parameters:

Integer rounds [creation/read, default 12] - the number of rounds to be performed (minimum 12, multiple of 4)

Key length:

128 bits.

Block size:

8 bytes.

Missing information:

Test vectors.

Noekeon[(rounds)]

Block Cipher

Designers:

Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen

Published:

November 2000

References:

[Def, An] Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen,
The Noekeon Block Cipher,
Presented at the First Open NESSIE Workshop, November 2000.
https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/noekeon.zip
[Inf] Proton World,
Research: Noekeon, a 128-bit block cipher,
http://www.protonworld.com/research/noekeon/
[Test] Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen,
Noekeon Test Values,
https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/noekeon.zip

Parameters:

Integer rounds [creation/read, default 16] - the number of rounds to be performed (minimum 16)

Key length:

128 bits.

Block size:

16 bytes.

Noekeon-Direct[(rounds)]

Block Cipher

Designers:

Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen

Published:

November 2000

Description:

This is the "direct-key" variant of Noekeon, i.e. where the working key is provided directly. This key should be generated at random, or as the output of a hash or PRF.

References:

[Def, An] Joan Daemen, Michaël Peeters, Gilles van Assche, Vincent Rijmen,
The Noekeon Block Cipher,
http://www.cryptonessie.org/submissions/noekeon/noekeon.zip
[Inf, Test] Joan Daemen, Vincent Rijmen,
The Noekeon Page,
http://www.esat.kuleuven.ac.be/~rijmen/noekeon/
[Test] NIST,
Noekeon Test Values,
http://www.cryptonessie.org/submissions/noekeon/noekeon.zip

Parameters:

Integer rounds [creation/read, default 16] - the number of rounds to be performed (minimum 16)

Key length:

128 bits.

Block size:

16 bytes.

? Panama

Stream Cipher

Designers:: Joan Da