
Project Number IST-2000-12324 Project Title NESSIE Deliverable Type Report Security Class Public Deliverable Number D20 Title of Deliverable NESSIE security report Document Reference NES/DOC/ENS/WP5/D20/1 Contractual Date of Delivery Y3 M9 Actual Date of Delivery Y3 M9 Editors ENS Abstract A first security evaluation was published under deliverable number D13 and has served as a basis of a selection of the primitives that have been studied more in detail. This report summarizes the new results together with a comprehensive overview of the security evaluation made by the NESSIE consortium. Keywords NESSIE, Security evaluation. Version 1.0 October 21, 2002


Project Number: IST-2000-12324
Project Title: NESSIE
Deliverable Type: Report
Security Class: Public
Deliverable Number: D20
Title of Deliverable: NESSIE security report
Document Reference: NES/DOC/ENS/WP5/D20/1
Contractual Date of Delivery: Y3 M9
Actual Date of Delivery: Y3 M9
Editors: ENS
Abstract: A first security evaluation was published under
deliverable number D13 and has served as a basis of
a selection of the primitives that have been studied
more in detail. This report summarizes the new
results together with a comprehensive overview of the
security evaluation made by the NESSIE consortium.
Keywords: NESSIE, Security evaluation.
Version 1.0
October 21, 2002

NESSIE security report†

B. Preneel¹, A. Biryukov¹, E. Oswald¹, B. van Rompay¹,
L. Granboulan², E. Dottax²,
S. Murphy³, A. Dent³, J. White³,
M. Dichtl⁴, S. Pyka⁴, M. Schafheutle⁴, P. Serf⁴,
E. Biham⁵, E. Barkan⁵, O. Dunkelman⁵,
M. Ciet⁶, F. Sica⁶,
L. Knudsen⁷,⁸, H. Raddum⁷.

October 21, 2002
Version 1.0

† The work described in this report has been supported by the Commission of the European Communities
through the IST program under contract IST-1999-12324. The information in this document is provided
as is, and no warranty is given or implied that the information is fit for any particular purpose. The
user thereof uses the information at its sole risk and liability.

¹ Katholieke Universiteit Leuven, Dept. Elektrotechniek-ESAT/COSIC, Kasteelpark Arenberg 10, B-3001
Leuven-Heverlee, Belgium
² École Normale Supérieure, Département d’Informatique, 45 rue d’Ulm, Paris 75230 Cedex 05, France
³ Royal Holloway, Information Security Group, Egham, Surrey TW20 0EX, UK
⁴ Siemens AG, Otto-Hahn-Ring 6, München 81732, Germany
⁵ Technion, Computer Science Dept., Haifa 32000, Israel
⁶ Université Catholique de Louvain, Dept. ELEC, Place du Levant 3, B-1348 Louvain-la-Neuve, Belgium
⁷ Universitetet i Bergen, Dept. of Informatics, PO Box 7800 Thormoehlensgt. 55, Bergen 5020, Norway
⁸ Tech. Univ. of Denmark, Dept. of Mathematics, Building 303, DK-2800 Lyngby, Denmark

Executive Summary
NESSIE security report
(NESSIE Deliverable D20)

The NESSIE project is a three year project (2000-2002) that is funded by the European
Union’s Fifth Framework Programme. The main objective of the NESSIE project is to
put forward a portfolio of strong cryptographic primitives of various types. An open
call in March 2000 led to the submission of forty cryptographic primitives to the NESSIE
project. The NESSIE project is evaluating (with some external assistance) these submitted
primitives from both a security and performance perspective. This document gives the
collective view of the NESSIE partners about the submissions from a security perspective.

The NESSIE evaluation process is an open process. Thus as part of the evaluation
process, the NESSIE project welcomes comments about the submitted primitives and the
evaluation process, including this report. To facilitate the open evaluation process, there
are to be four NESSIE workshops. The first workshop was dedicated to the presentation of
the submitted primitives and the second workshop was dedicated to early results concerning
the primitives. The third workshop will be dedicated to new results and will also discuss
version 1.0 of this report. A fourth NESSIE workshop is planned to take place at the end
of the project.

This document forms deliverable D20 of the NESSIE project. Version 1.0 is published
to be available for comments before the Third Workshop and version 2.0 will be
the final security report.

Contents

Executive Summary
Table of contents
1 Introduction
1.1 NESSIE project
1.2 Security evaluation methodology
1.2.1 Evaluation criteria in NESSIE call
1.2.2 Methodological issues
1.3 Structure of the Report
1.4 The submissions received by NESSIE
1.5 The Project Industrial Board
1.6 Mathematical notations
1.7 Acknowledgements
2 Block ciphers
2.1 Introduction
2.2 Security requirements
2.2.1 Security model
2.2.2 Classification of attacks
2.2.3 Assessment process
2.3 Overview of the common designs
2.3.1 Feistel ciphers
2.3.2 Substitution-Permutation Networks (SPNs)
2.3.3 Resistance against differential and linear cryptanalysis
2.3.4 Mini-ciphers and reduced rounds
2.3.5 Simple as opposed to complicated designs
2.3.6 A separate key-schedule
2.3.7 The use or otherwise of S-boxes
2.3.8 Ciphers which are developed from well-studied precursors
2.3.9 Making encryption and decryption identical
2.3.10 Hash functions as block ciphers
2.3.11 Current standards
2.3.12 Block cipher primitives
2.4 64-bit block ciphers considered during Phase II
2.4.1 IDEA
2.4.2 Khazad
2.4.3 MISTY1
2.4.4 Safer++64
2.4.5 Triple-DES
2.5 128-bit block ciphers considered during Phase II
2.5.1 Camellia
2.5.2 RC6
2.5.3 AES (Rijndael)
2.5.4 Safer++128
2.6 Large block ciphers considered during Phase II
2.6.1 RC6
2.6.2 AES Variant (Rijndael-256)
2.6.3 SHACAL-1
2.6.4 SHACAL-2
2.7 64-bits block ciphers not selected for Phase II
2.7.1 CS-cipher
2.7.2 Hierocrypt-L1
2.7.3 Nimbus
2.7.4 Nush
2.8 128-bits block ciphers not selected for Phase II
2.8.1 Anubis
2.8.2 Grand Cru
2.8.3 Hierocrypt-3
2.8.4 Noekeon
2.8.5 Nush
2.8.6 Q
2.8.7 SC2000
2.9 Comparison of studied block ciphers
2.9.1 64-bit block ciphers considered during Phase II
2.9.2 128-bit block ciphers considered during Phase II
2.9.3 Large block ciphers considered during Phase II
2.9.4 64-bit block ciphers not selected for Phase II
2.9.5 128-bit block ciphers not selected for Phase II
3 Stream ciphers
3.1 Introduction
3.2 Security requirements
3.2.1 Classification of attacks
3.2.2 Assessment process
3.3 Overview of the common designs
