Cryptographic Algorithms and Current Trends
The 1980s saw major advances in this area but none which
rendered the RSA system insecure. Another class of
powerful and practical public-key schemes was found by El
Gamal [5] in 1985. These are also based on the discrete
logarithm problem. One of the most significant
contributions provided by public-key cryptography is the
digital signature. In 1991 the first international standard for
digital signatures (ISO/IEC 9796) was adopted. It is based
on the RSA public-key scheme. In 1994 the U.S.
Government adopted the Digital Signature Standard [6], a
mechanism based on the El Gamal public key scheme.
* e-mail: psyllos@central.ntua.gr
The search for new public-key schemes, improvements to
existing cryptographic mechanisms, and proofs of security
continues at a rapid pace. Various standards and
infrastructures involving cryptography are being put in
place. Security products are being developed to address the
security needs of an information intensive society.
The purpose of this work is to give an up-to-date survey of
algorithms of interest in cryptographic practice, and to
refer to the institutions involved in the creation of
cryptographic products.
2. CRYPTOGRAPHY BASICS
In cryptographic terminology, the message is called
plaintext or cleartext. Encoding the message in such a way
that its contents are hidden from outsiders is called
encryption. The encrypted message is called ciphertext. The
process of retrieving the plaintext from the ciphertext is
called decryption. Encryption and decryption usually make
use of a key, and the coding method is such that decryption
can be performed only by knowing the proper key.
There are two classes of key-based encryption algorithms,
symmetric (or secret-key) and asymmetric (or public-key)
algorithms. The difference is that symmetric algorithms use
the same key for encryption and decryption (or the
decryption key is easily derived from the encryption key),
whereas asymmetric algorithms use a different key for
encryption and decryption, and the decryption key cannot
be derived from the encryption key.
Symmetric algorithms can be divided into stream ciphers
and block ciphers. Stream ciphers encrypt a single bit of
plaintext at a time, whereas block ciphers take a number of
bits (typically 64 bits in modern ciphers), and encrypt them
as a single unit.
Asymmetric ciphers (also called public-key algorithms)
permit the encryption key to be public (it can even be
published to a web site), allowing anyone to encrypt with
the key, whereas only the proper recipient (who knows the
decryption key) can decrypt the message. The encryption
key is also called the public key and the decryption key the
private key. The security provided by these ciphers is based
on keeping the private key secret.
3. CRYPTOGRAPHY ALGORITHMS
3.1 SYMMETRIC KEY ALGORITHMS
I. BLOCK CIPHERS
Symmetric (secret key) encryption schemes use the same
key for encryption and decryption and usually have
predefined key lengths. They provide high security and
high performance, but suffer from the key exchange
problem: a group of n entities needs to exchange n(n-1)/2
different keys over secure channels.
[Table: relative performance ratings of the five AES finalists on four reference platforms, as extracted from the original. Cell values are placed in the order in which the platform headings appear; cells that did not survive extraction are marked "?".]

Cipher     32-bit [C]   32-bit [JAVA]   64-bit [C and Assembly]   8-bit [C and Assembly]
MARS       ++           ++              ++                        ++
RC6        +++          +++             ++                        ++
RIJNDAEL   ++           ++              +++                       +++
SERPENT    ?            ?               ?                         ?
TWOFISH    ++           +++             ++                        ?

[Table: a second rating table for the same ciphers on the 32-bit [JAVA], 64-bit [C and Assembly] and 8-bit [C and Assembly] platforms; only the RIJNDAEL row (rated +++ throughout) is recoverable from the extraction.]
dependent on all plaintext blocks up to that point. Also, to
make each message unique, an initialization vector is used
in the first block.
CFB The cipher feedback (CFB) mode, a close relative of
CBC, makes a block cipher into a self-synchronizing stream
cipher. The operation is very similar; in particular, CFB
decryption is almost identical to CBC decryption performed
in reverse.
OFB The output feedback (OFB) mode makes a block
cipher into a synchronous stream cipher: it generates
keystream blocks, which are then XORed with the plaintext
blocks to get the ciphertext. Just as with other stream
ciphers, flipping a bit in the ciphertext produces a flipped
bit in the plaintext at the same location. This property
allows many error correcting codes to function normally
even if applied before encryption. Because of the symmetry
of the XOR operation, encryption and decryption are
exactly the same.
CTR Like OFB, counter mode turns a block cipher into a
stream cipher. It generates the next keystream block by
encrypting successive values of a "counter". The counter
can be any simple function which produces a sequence
which is guaranteed not to repeat for a long time, although
an actual counter is the simplest and most popular. CTR
mode has very similar characteristics to OFB, but also
allows a random access property for decryption and is
probably secure if the block cipher is strong. CTR mode is
also known as Segmented Integer Counter (SIC) mode.
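The four modes just described, as an added Python example that is not part of the paper: CBC, CFB, OFB and CTR are implemented over a toy four-round Feistel block cipher built from HMAC-SHA256 so that the example runs with the standard library alone (a constructed stand-in, not AES or any real cipher). error_propagation() flips one ciphertext bit and reports which plaintext bits change on decryption, which makes the properties in the text visible: in OFB and CTR exactly the same bit flips; in CFB that bit flips and the following block is garbled; in CBC the affected block is garbled and the same bit of the following block flips. ctr_decrypt_block() shows the random-access property of CTR. The key, IV and messages are constructed values.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, the AES/Camellia block size


def _xor(a: bytes, b: bytes) -> bytes:
    # XOR of two byte strings, truncated to the shorter one (handles a short final block)
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed pseudo-random round function; HMAC is only a convenient stand-in here
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel network (constructed for this example, NOT a secure cipher):
    # invertible by construction, so CBC/CFB decryption can be shown as well
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left  # undo the final swap


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left


def _blocks(data: bytes):
    return (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # C_i = E(P_i XOR C_{i-1}) with C_0 = IV; the plaintext must be whole blocks
    out, prev = [], iv
    for p in _blocks(pt):
        prev = toy_block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # C_i = P_i XOR E(C_{i-1}); only the forward direction of the cipher is used
    out, prev = [], iv
    for p in _blocks(pt):
        prev = _xor(p, toy_block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, toy_block_encrypt(key, prev)))
        prev = c
    return b"".join(out)


def ofb_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # keystream O_i = E(O_{i-1}) with O_0 = IV; XOR is its own inverse, so one function does both
    out, prev = [], iv
    for d in _blocks(data):
        prev = toy_block_encrypt(key, prev)
        out.append(_xor(d, prev))
    return b"".join(out)


def ctr_keystream_block(key: bytes, nonce: bytes, index: int) -> bytes:
    # counter block = 8-byte nonce || 8-byte big-endian block counter
    return toy_block_encrypt(key, nonce + index.to_bytes(8, "big"))


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return b"".join(_xor(d, ctr_keystream_block(key, nonce, i)) for i, d in enumerate(_blocks(data)))


def ctr_decrypt_block(key: bytes, nonce: bytes, index: int, ct: bytes) -> bytes:
    # random access: block `index` is recovered without processing the blocks before it
    return _xor(ct[index * BLOCK:(index + 1) * BLOCK], ctr_keystream_block(key, nonce, index))


def flip_bit(data: bytes, bit: int) -> bytes:
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def changed_bits(a: bytes, b: bytes) -> list:
    return [i for i in range(len(a) * 8) if (a[i // 8] ^ b[i // 8]) >> (i % 8) & 1]


def error_propagation(mode: str, bit: int = 3) -> list:
    # Flip one ciphertext bit and report which plaintext bit positions change on decryption
    key, iv = b"k" * 16, bytes(range(16))  # constructed key and IV
    pt = bytes(3 * BLOCK)                   # three all-zero blocks (constructed)
    if mode == "cbc":
        ct, dec = cbc_encrypt(key, iv, pt), lambda c: cbc_decrypt(key, iv, c)
    elif mode == "cfb":
        ct, dec = cfb_encrypt(key, iv, pt), lambda c: cfb_decrypt(key, iv, c)
    elif mode == "ofb":
        ct, dec = ofb_xor(key, iv, pt), lambda c: ofb_xor(key, iv, c)
    elif mode == "ctr":
        ct, dec = ctr_xor(key, iv[:8], pt), lambda c: ctr_xor(key, iv[:8], c)
    else:
        raise ValueError(mode)
    return changed_bits(pt, dec(flip_bit(ct, bit)))
```

The same property that lets error-correcting codes survive OFB and CTR (a flipped ciphertext bit becomes exactly one flipped plaintext bit) also means none of these modes detects modification of the ciphertext; in deployment they are combined with a message authentication code.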
A. RIJNDAEL
Rijndael is a block cipher adopted as an encryption
standard by the US government. It is expected to be used
worldwide and analysed extensively, as was the case with
its predecessor, the Data Encryption Standard (DES). AES
was adopted by National Institute of Standards and
Technology (NIST) as US FIPS PUB 197 in November
2001 after a 5-year standardization process (see Advanced
Encryption Standard process for more details).
The cipher was developed by two Belgian cryptographers,
Joan Daemen and Vincent Rijmen, and submitted to the
AES selection process under the name "Rijndael", a
combination of the names of the inventors.
Strictly speaking, AES is not precisely Rijndael (although
in practice they are used interchangeably) as Rijndael
supports a larger range of block and key sizes; AES has a
fixed block size of 128 bits and a key size of 128, 192 or
256 bits, whereas Rijndael can be specified with key and
block sizes in any multiple of 32 bits, with a minimum of
128 bits and a maximum of 256 bits. The key is expanded
using Rijndael's key schedule. Most of AES calculations are
done in a special finite field.
AES operates on a 4×4 array of bytes, termed the state; versions of Rijndael with a larger block size have additional
Some cryptographers worry about the security of AES.
They feel that the margin between the number of rounds
specified in the cipher and the best known attacks is too
small for comfort. The risk is that some way to improve
these attacks might be found and that, if so, the cipher could
be broken. In this sense, a cryptographic "break" is
anything faster than an exhaustive search, so an attack
against 128-bit key AES requiring 'only' 2^120 operations
would be considered a break even though it would, at present,
be quite infeasible. In practical application, any break of AES
which is only this 'good' would be irrelevant. For the
moment, such concerns can be ignored. The largest
publicly-known brute-force attack has been against a 64-bit
RC5 key by distributed.net (finishing in 2002; Moore's Law
implies that this is roughly equivalent to an attack on a 66-bit key today).
Another concern is the mathematical structure of AES.
Unlike most other block ciphers, AES has a very neat
mathematical description [10]. This has not yet led to any
attacks, but some researchers are worried that future attacks
may find a way to exploit this structure.
In 2002, a theoretical attack, termed the "XSL attack", was
announced by Nicolas Courtois and Josef Pieprzyk,
showing a potential weakness in the AES algorithm.
Several cryptography experts have found problems in the
underlying mathematics of the proposed attack, suggesting
that the authors may have made a mistake in their estimates.
Whether this line of attack can be made to work against
AES remains an open question. For the moment, the XSL
attack against AES appears speculative; it is unlikely that
anyone could carry out the current attack in practice.
PERFORMANCE
According to Aoki and Lipmaa [11], Rijndael-128 is able to
encrypt a 128-bit block within 237 cycles on a 450 MHz
Pentium II. This leads to a throughput of 243 Mbit/s.
Lipmaa [12] claims to have a Rijndael library which nearly
reaches 1.5 Gbit/s on a 3.06 GHz Pentium IV. Hodjat and
Verbauwhede [13] report a Rijndael hardware
implementation which reaches a throughput of up to
21.54 Gbit/s. According to Schneier et al. [14], Rijndael
encrypts 20% slower with 192-bit keys and 40% slower with
256-bit keys. According to Lenstra [15], a 128-bit symmetric
cipher is supposed to be secure against mathematical attacks
until at least 2090 (192-bit until 2186, 256-bit until 2282).
The estimates from ECRYPT [16] are made much more
carefully: they estimate 128-bit keys to be secure until
2035, while 256-bit keys are supposed to be secure for the
foreseeable future, which explicitly includes quantum
computers. Buchmann [17] reports on the Vernam
one-time pad, which is mathematically proven
unbreakable; but its heavy requirements regarding the keys
make it unusable in normal practice.
B. CAMELLIA
The cipher was developed jointly by Mitsubishi and NTT in
2000 [18] , and has similar design elements to earlier block
ciphers (E2 and MISTY1) from these companies.
Camellia has a block size of 128 bits, and can use 128-bit,
192-bit or 256-bit keys, the same interface as the
Advanced Encryption Standard. It is a Feistel cipher with
either 18 rounds (if the key is 128 bits) or 24 rounds (if the
key is 192 or 256 bits). Every six rounds, a logical
transformation layer is applied: the so-called "FL-function"
or its inverse. The cipher also uses input and output key
whitening.
We will focus on the use of the Camellia block cipher
algorithm in Cipher Block Chaining Mode, with an explicit
Initialization Vector, as a confidentiality mechanism within
the context of the IPsec Encapsulating Security Payload
(ESP). Camellia was selected as a recommended
cryptographic primitive by the EU NESSIE (New European
Schemes for Signatures, Integrity and Encryption) project
[16] and was included in the list of cryptographic
techniques for Japanese e-Government systems that was
selected by the Japan CRYPTREC (Cryptography Research,
Evaluation Committees) [CRYPTREC].
Camellia has been submitted to several other
standardization bodies, such as ISO (ISO/IEC 18033) and
the IETF S/MIME Mail Security Working Group [19].
Camellia supports 128-bit block size and 128-, 192-, and
256-bit key lengths, i.e., the same interface specifications as
the Advanced Encryption Standard (AES) [20]. Camellia is
a symmetric cipher with a Feistel structure. Camellia was
developed jointly by NTT and Mitsubishi Electric
Corporation in 2000. It was designed to withstand all
known cryptanalytic attacks, and it has been scrutinized by
worldwide cryptographic experts. Camellia is suitable for
implementation in software and hardware, offering
encryption speed in software and hardware implementations
that is comparable to AES.
Camellia supports three key sizes: 128 bits, 192 bits, and
256 bits. The default key size is 128 bits, and all
implementations must support this key size.
Implementations may also support key sizes of 192 bits and
256 bits. Camellia uses a different number of rounds for
each of the defined key sizes. When a 128-bit key is used,
implementations must use 18 rounds. When a 192-bit key
is used, implementations must use 24 rounds. When a
256-bit key is used, implementations must use 24 rounds.
At the time of writing this document, there are no known
weak keys for Camellia.
SECURITY
Implementations are encouraged to use the largest key sizes
they can, taking into account performance considerations
for their particular hardware and software configuration.
Note that encryption necessarily affects both sides of a
secure channel, so such consideration must take into
account not only the client side, but also the server.
However, a key size of 128 bits is considered secure for the
foreseeable future. No security problem has been found on
Camellia [CRYPTREC][16]. Although patented, Camellia
is available under a royalty-free license [1].
PERFORMANCE
Performance figures for Camellia are available at the Camellia
web site [18]. This web site also includes a performance
comparison with the AES cipher and other AES finalists.
The NESSIE project [NESSIE] has reported performance of
Optimized Implementations independently.
To make the Camellia source code available as open source,
NTT offers it to open source communities such as OpenSSL
and Linux, and is working so that Camellia becomes
standard equipment at an early date. In addition, NTT plans
to establish a support system for industrial enterprises and
corporations that develop products incorporating Camellia,
to enrich the Camellia-equipped product lines.
A. RABBIT
The system is iterated four times, according to the next-state
function defined below, to diminish correlations
between bits in the key and bits in the internal state
variables. Finally, the counter values are re-initialized
according to:
SECURITY
As of March 2006, no cryptographic weaknesses are
known.
PERFORMANCE
Rabbit uses a 128-bit key and a 64-bit initialization vector.
The cipher was designed with high performance in software
in mind, where fully optimized implementations achieve an
encryption speed of up to 3.7 cycles per byte on a Pentium
3, and of 9.7 cycles per byte on an ARM7. However, the
cipher also turns out to be very fast and compact in
hardware.
The core component of the cipher is a bitstream generator
which encrypts 128 message bits per iteration. The cipher's
strength rests on a strong mixing of its inner state between
two consecutive iterations. The mixing function is entirely
based on arithmetical operations that are available on a
modern processor, i.e., no S-boxes or lookup tables are
required to implement the cipher.
2. Compute n = pq.
3.
4.
5.
deleted along with the other intermediate values from the
key generation.
1) Encrypting messages
Suppose Bob wishes to send a message M to Alice. He
turns M into a number m < n, using some previously
agreed-upon reversible protocol known as a padding
scheme.
Bob now has m, and knows n and e, which Alice has
announced. He then computes the ciphertext c
corresponding to m:
c = m^e mod n
This can be done quickly using the method of
exponentiation by squaring. Bob then transmits c to Alice.
2) Decrypting messages
Alice receives c from Bob, and knows her private key d.
She can recover m from c by the following procedure:
m = c^d mod n
Given m, she can recover the original message M. The
decryption procedure works because
c^d ≡ (m^e)^d ≡ m^{ed} (mod n).
Now, since ed ≡ 1 (mod p-1) and ed ≡ 1 (mod q-1),
Fermat's little theorem yields
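The encryption and decryption steps above, as an added Python example that is not from the paper: textbook RSA with exponentiation by squaring, the private exponent d derived by the extended Euclidean algorithm, and the two congruences ed ≡ 1 (mod p-1) and ed ≡ 1 (mod q-1) on which the correctness argument rests, checked directly. The primes p = 61, q = 53 and the exponent e = 17 are constructed small values for illustration only, and the byte-to-integer mapping is a stand-in for a real padding scheme such as PKCS #1 [26], not one.

```python
def modpow(base: int, exp: int, mod: int) -> int:
    # Exponentiation by squaring: O(log exp) modular multiplications
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def egcd(a: int, b: int):
    # Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse: e must be coprime to (p-1)(q-1)")
    return x % m


def rsa_keygen(p: int, q: int, e: int = 17):
    # Textbook key generation from two given primes (constructed values, far too small for real use)
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)  # e*d ≡ 1 (mod phi), hence also mod (p-1) and mod (q-1)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer must satisfy 0 <= m < n")
    return modpow(m, e, n)  # c = m^e mod n


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return modpow(c, d, n)  # m = c^d mod n


def encode_message(msg: bytes, n: int) -> int:
    # Reversible mapping of the message to an integer m < n. This is only a stand-in for a
    # real padding scheme (PKCS #1 [26]), which also adds structure and randomness.
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return m


def decode_message(m: int, length: int) -> bytes:
    return m.to_bytes(length, "big")


def correctness_conditions(p: int, q: int, e: int, d: int) -> bool:
    # The two congruences that make Fermat's little theorem applicable in the proof
    return (e * d) % (p - 1) == 1 and (e * d) % (q - 1) == 1


def demo():
    pub, priv = rsa_keygen(61, 53)      # n = 3233, phi = 3120 (constructed textbook primes)
    m = encode_message(b"A", pub[0])    # m = 65
    c = encrypt(pub, m)
    return pub, priv, c, decode_message(decrypt(priv, c), 1)
```

Because the mapping in encode_message() is deterministic and adds nothing to the message, the same plaintext always gives the same ciphertext; that is one of the reasons the "reversible protocol" mentioned in the text is a randomized padding scheme in practice.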
given hash value. Randomness, however, has no place in a
hash function, which should be completely deterministic.
Given the exact same input twice, the hash function should
always produce the same output. Even a single bit changed
in the input, though, should produce a different hash value.
The hash value should be small enough to be manageable in
further manipulations, yet large enough to prevent an
attacker from randomly finding a block of data that
produces the same hash. In cryptography, a cryptographic
hash function is a hash function with certain additional
security properties to make it suitable for use as a primitive
in various information security applications, such as
authentication and message integrity. A hash function takes
a long string (or message) of any length as input and
produces a fixed length string as output, sometimes termed
a message digest or a digital fingerprint.
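The properties listed above (determinism, a single changed input bit changing the digest, and a digest large enough that a matching hash cannot be found by chance), as an added Python example that is not from the paper, using hashlib. find_truncated_collision() runs a birthday search on a digest truncated to 32 bits to show why size matters: about 2^(n/2) hashes suffice to find two inputs sharing an n-bit digest, which is the 2^80 figure the SHA-1 section quotes for a 160-bit digest and a trivially small number of hashes for 32 bits. The hash name and the messages are constructed inputs.

```python
import hashlib


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def is_deterministic(name: str, data: bytes) -> bool:
    # The same input must give the same digest every time
    return hashlib.new(name, data).digest() == hashlib.new(name, data).digest()


def avalanche(name: str, data: bytes, bit: int) -> int:
    # Flip one input bit and count how many digest bits change: for a good hash
    # roughly half of them, regardless of which input bit was flipped
    flipped = bytearray(data)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return hamming_distance(hashlib.new(name, data).digest(),
                            hashlib.new(name, bytes(flipped)).digest())


def truncated_digest(name: str, data: bytes, nbits: int) -> int:
    # Leading nbits bits of the digest as an integer
    d = hashlib.new(name, data).digest()
    return int.from_bytes(d, "big") >> (len(d) * 8 - nbits)


def find_truncated_collision(name: str, nbits: int, limit: int = 1 << 24):
    # Birthday search: hash distinct constructed messages until two share the same nbits-bit
    # prefix. Returns (hashes computed, message 1, message 2), or None if `limit` is reached.
    seen = {}
    for i in range(limit):
        msg = b"message-%d" % i
        t = truncated_digest(name, msg, nbits)
        if t in seen:
            return i + 1, seen[t], msg
        seen[t] = msg
    return None


def expected_birthday_work(nbits: int) -> float:
    # Approximate number of hashes after which a collision becomes likely
    return 2 ** (nbits / 2)
```

On a current machine the 32-bit search finishes in well under a second; the same loop against the full 160-bit SHA-1 output would need on the order of 2^80 evaluations, which is the gap the "large enough" requirement refers to.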
[Table: hash functions and their designers; only one row survived extraction: RIPEMD, RIPEMD-128, RIPEMD-160 - H. Dobbertin, A. Bosselaers, B. Preneel]
SHA-1, MD5, and RIPEMD-160 are among the most
commonly-used message digest algorithms as of 2005. In
August 2004, researchers found weaknesses in a number of
hash functions, including MD5, SHA-0 and RIPEMD. This
has called into question the long-term security of later
algorithms which are derived from these hash functions, in
particular SHA-1 (a strengthened version of SHA-0) and
RIPEMD-128 and RIPEMD-160 (both strengthened
versions of RIPEMD). Neither SHA-0 nor RIPEMD is
widely used, since they were replaced by their strengthened
versions.
A. SHA-0, SHA-1
SHA-0 and SHA-1 produce a 160-bit digest from a message
with a maximum size of 2^64 bits, and are based on principles
similar to those used by Professor Ronald L. Rivest of MIT
in the design of the MD4 and MD5 message digest
algorithms.
The original specification of the algorithm was published in
1993 as the Secure Hash Standard, FIPS PUB 180, by US
government standards agency NIST (National Institute of
Standards and Technology). This version is now often
referred to as "SHA-0". It was withdrawn by the NSA
shortly after publication and was superseded by the revised
version, published in 1995 in FIPS PUB 180-1 and
commonly referred to as "SHA-1".
SHA-1 differs from SHA-0 only by a single bitwise rotation
in the message schedule of its compression function. This
was done, according to the NSA, to correct a flaw in the
original algorithm which reduced its cryptographic security.
This function takes as input a 160-bit state and a 512-bit
data word and outputs a new 160-bit state. The hash
function works by repeatedly calling this compression
function with successive 512-bit data blocks and each time
updating the state accordingly. This compression function is
easily invertible if the data block is known: given the data
block on which it acted and the output of the compression
function, one can compute the state that went in.
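The structure described above (a 160-bit state, 512-bit data blocks, padding, and a message schedule in which SHA-1 differs from SHA-0 by one rotation), as an added Python implementation that is not from the paper or from NIST. The SHA-1 output is checked against hashlib; the sha0 flag only omits the rotation in the schedule and is included to make the difference between the two algorithms concrete. The constants are those of FIPS PUB 180-1.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # initial 160-bit state


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def compress(state: tuple, block: bytes, sha0: bool = False) -> tuple:
    # One call of the compression function: 160-bit state + 512-bit block -> new 160-bit state
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
        # The single 1-bit rotation in the message schedule is the only SHA-0 / SHA-1 difference
        w.append(x if sha0 else rotl(x, 1))
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & MASK & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(a, 5) + f + e + k + w[t]) & MASK, a, rotl(b, 30), c, d
    # Feed-forward: the round output is added to the input state word by word
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def pad(msg: bytes) -> bytes:
    # Append 0x80, zeros up to 56 mod 64, then the bit length as a 64-bit big-endian integer
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bit_len)


def sha(msg: bytes, sha0: bool = False) -> bytes:
    # Iterate the compression function over successive 512-bit blocks of the padded message
    state = IV
    padded = pad(msg)
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64], sha0)
    return b"".join(struct.pack(">I", s) for s in state)


def sha1(msg: bytes) -> bytes:
    return sha(msg)


def sha0(msg: bytes) -> bytes:
    return sha(msg, sha0=True)


def matches_hashlib(msg: bytes) -> bool:
    # Cross-check of this implementation against the standard library's SHA-1
    return sha1(msg) == hashlib.sha1(msg).digest()
```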
Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance
to attacks, supporting the NSA's assertion that the change
increased the security. In February 2005, an attack on
SHA-1 was reported, finding collisions in about 2^69 hashing
operations, rather than the 2^80 expected for a 160-bit hash
function. In August 2005, another attack on SHA-1 was
reported, finding collisions in 2^63 operations.
B. MD5
MD5 (Message-Digest algorithm 5) is a widely-used
cryptographic hash function with a 128-bit hash value. As
an Internet standard (RFC 1321), MD5 has been employed
in a wide variety of security applications, and is also
commonly used to check the integrity of files.
MD5 was designed by Ronald Rivest in 1991 to replace an
earlier hash function, MD4. In 1996, a flaw was found with
the design of MD5; while it was not a clearly fatal
Dobbertin, Antoon Bosselaers and Bart Preneel, and first
published in 1996. It is an improved version of RIPEMD,
which in turn was based upon the design principles used in
MD4, and is similar in performance to the more popular
SHA-1.
There also exist 128, 256 and 320-bit versions of this
algorithm, called RIPEMD-128, RIPEMD-256, and
RIPEMD-320, respectively. The 128-bit version was
intended only as a drop-in replacement for the original
RIPEMD, which was also 128-bit, and which had been
found to have questionable security. The 256 and 320-bit
versions diminish only the chance of accidental collision,
and don't have higher levels of security as compared to,
respectively, RIPEMD-128 and RIPEMD-160.
RIPEMD-160 was designed in the open academic
community, in contrast to the NSA-designed algorithm,
SHA-1. On the other hand, RIPEMD-160 is a less popular
and correspondingly less well-studied design. RIPEMD-160
is not constrained by any patents.
E. SHACAL
EUROPE
USA
technology organization, NSA is on the frontiers
of communications and data processing. It is also
one of the most important centers of foreign
language analysis and research within the
government.
JAPAN
INTERNATIONAL
IACR The International Association for Cryptologic
Research (IACR) is a non-profit scientific organization
whose purpose is to further research in cryptology and
related fields.
CDT The Center for Democracy and Technology works to
promote democratic values and constitutional liberties in
the digital age. With expertise in law, technology, and
policy, CDT seeks practical solutions to enhance free
expression and privacy in global communications
technologies. CDT is dedicated to building consensus
among all parties interested in the future of the Internet and
other new communications media.
EPIC EPIC is a public interest research center in Washington,
D.C. It was established in 1994 to focus public attention on
emerging civil liberties issues and to protect privacy, the
First Amendment, and constitutional values. EPIC
publishes an award-winning e-mail and online newsletter
on civil liberties in the information age, the EPIC Alert.
6. REFERENCES
[1] D. Kahn, Codebreakers: The Story of Secret Writing,
Macmillan, 1967
[2] H. Feistel, "Cryptographic coding for data bank
privacy," IBM Corp. Res. Rep. RC 2827, Mar. 1970. (I-B4,
III-B, SFR)
[3] Diffie, W. & Hellman, M. E. (1976), New directions
in cryptography, IEEE Trans. Inform. Theory IT-22 (6),
644-654.
[4] R. Rivest, A. Shamir, L. Adleman, A Method for
Obtaining Digital Signatures and Public-Key
Cryptosystems, Communications of the ACM 21, 2 (Feb.
1978), 120-126
[18] K. Aoki et al., Camellia: A 128-Bit Block Cipher
Suitable for Multiple Platforms - Design and Analysis,
Selected Areas in Cryptography 2000, pp. 39-56
[19] Matsui, M., Nakajima, J., and S. Moriai, "A
Description of the Camellia Encryption Algorithm",
RFC 3713, April 2004.
[20] NIST, FIPS PUB 197, "Advanced Encryption
Standard (AES)," November 2001.
http://csrc.nist.gov/publications/fips/fips197/fips-197
[21] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC
Cipher Algorithm and Its Use With IPsec," RFC
3602, September 2003.
[22] A. Lenstra, Unbelievable Security, 2001,
http://www.win.tue.nl/~klenstra/aes_match.pdf
[23] The NESSIE project (New European Schemes for
Signatures, Integrity and Encryption),
http://www.cosic.esat.kuleuven.ac.be/nessie/.
[24] NIST Computer Security Division, http://csrc.nist.gov/
[25] Arjen Lenstra and E. Verheul, Selecting
Cryptographic Key Sizes, 2001,
http://citeseer.ist.psu.edu/287428.html
[26] RSA Security, PKCS #1: RSA Cryptography Standard,
http://www.rsasecurity.com/rsalabs/node.asp?id=2125
[27] Ilya Mironov Microsoft Research, Silicon Valley
Campus mironov@microsoft.com November 14, 2005
[IACR] http://www.iacr.org/
[CDT] http://www.cdt.org/crypto/
[EPIC ] http://www.epic.org/epic/about.html
[NSA] www.nsa.gov
[CRYPTREC] Information-technology Promotion Agency
(IPA), Japan,
http://www.ipa.go.jp/security/enc/CRYPTREC/indexe.html.