The Block Cipher Lounge - AES


 
 
Rijndael is proposed as the AES. NIST press release

The NIST Press Release for the final five.

The Final Five

| Name | Author(s) | Report(s) |
|---|---|---|
| MARS | IBM (11 authors) | "Tweak" BF2000, KS2000, Sub.stat. |
| RC6 | Rivest, Robshaw, Sidney, Yin | KM99, Gil2000, Sub.stat. |
| RIJNDAEL | Daemen, Rijmen | GM2000, BK2000, Lu2000, MR00, DR00, Sub.stat. |
| SERPENT | Anderson, Biham, Knudsen | KKS2000, Sub.stat. |
| TWOFISH | Schneier, Kelsey, Whiting, Wagner, Hall, Ferguson | MM99, SM00, LK00, WK99, SK98, Sub.stat. |

"Sub.stat." are the final statements from the submitters.

The 15 AES Proposals 

| Name | Author(s) | Rounds | Attack(s) |
|---|---|---|---|
| CAST-256 | Adams | 48 | ? |
| CRYPTON | Lim | 12 | C:32/56/32 (6) [DB99] |
| DEAL | Knudsen, Outerbridge | 6,8 | [Luc98], [KS99] |
| DFC | Vaudenay et al |  | [KR99] |
| E2 | Aoki, Kanda, Matsumoto, Moriai, Ohta, Ookubo, Takashima, Ueda | 12 | C:100/./. (8) [MT99] |
| FROG | Georgoudis, Leroux, Chaves |  | [W98] |
| Hasty Pudding | R. Schroeppel |  | ? |
| LOKI97 | Brown, Pieprzyk | 16 | K:56/./., C:56/./., [RK98] |
| MARS | IBM | 32 | [Saar98] |
| Magenta | Deutsche Telekom | 6,8 | [BBFKS] |
| RC6 | Rivest, Robshaw, Sidney, Yin | 20 | ? |
| RIJNDAEL | Daemen, Rijmen | 10,12,14 | ? |
| SAFER+ | Massey, Khachatrian, Kuregian | 8,12,16 | [KSW99] |
| SERPENT | Anderson, Biham, Knudsen | 32 | ? |
| TWOFISH | Schneier, Kelsey, Whiting, Wagner, Hall, Ferguson | 16 | MM99 |

The notation of the table:

Name: name of the block cipher
Author: name of the designer
Rounds: the number of rounds of the cipher
Attack:
  K:a/b/c denotes that the best known plaintext attack requires 2^a plaintexts/ciphertexts, has a workload of 2^b encryptions and requires 2^c words of memory.
  C:a/b/c denotes that the best chosen plaintext attack requires 2^a plaintexts/ciphertexts, has a workload of 2^b encryptions and requires 2^c words of memory.
  A `.' means that this resource requirement is either negligible or unknown to us.
  (r): the number of rounds of the attack. If blank, r = Rounds.
  [SA]: the paper describing the attack
  ?: no attacks known

 

If you have attacks on any of the ciphers listed here, or comments on this page, please contact Lars or Vincent (see links below).

References

[NES2000]
B. Preneel et al.: Comments by the NESSIE Project on the AES Finalists
[A98]
C. Adams: The CAST-256 Encryption Algorithm
[GM2000]
H. Gilbert, M. Minier: A collision attack on 7 rounds of Rijndael
[KS2000]
J. Kelsey, B. Schneier: MARS Attacks! Preliminary Cryptanalysis of Reduced-Round MARS Variants
[KKS2000]
T. Kohno, J. Kelsey, B. Schneier: Preliminary Cryptanalysis of Reduced-Round Serpent
[BK2000]
E. Biham, N. Keller: Cryptanalysis of Reduced Variants of Rijndael
[Fe2000]
N. Ferguson, J. Kelsey, B. Schneier, M. Stay, D. Wagner, D. Whiting: "Improved Cryptanalysis of Rijndael", FSE2000
[Lu2000]
S. Lucks: Attacking Seven Rounds of Rijndael under 192-bit and 256-bit Keys
[ABK98]
R. Anderson, E. Biham, L. Knudsen: SERPENT
[BBFKS]
E. Biham, A. Biryukov, N. Ferguson, L. Knudsen, B. Schneier, A. Shamir: Cryptanalysis of MAGENTA

[BP98]
L. Brown, J. Pieprzyk: Introducing the new LOKI97 Block Cipher
[IBM98]
Burwick, Coppersmith, D'Avignon, Gennaro, Halevi, Jutla, Matyas Jr., O'Connor, Peyravian, Safford, Zunic: MARS - a candidate cipher for AES
[Gil2000]
H. Gilbert, H. Handschuh, A. Joux, S. Vaudenay: "A Statistical Attack on RC6", FSE2000
[CL98]
Cylink Corporation: SAFER+ (No link, LK, 11.08.99.)
[DR98]
J. Daemen, V. Rijmen: AES Proposal: Rijndael
[DR00]
J. Daemen, V. Rijmen: Answer to "new observations on Rijndael"
[SK98]
B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson: On the Twofish Key Schedule
[WK99]
D. Whiting, J. Kelsey, B. Schneier, D. Wagner, N. Ferguson, and C. Hall: Further Observations on the Key Schedule of Twofish
[DB99]
C. D'Halluin, G. Bijnens, V. Rijmen, B. Preneel: "Attack on 6 rounds of Crypton", FSE'99, LNCS.
[GLC]
D. Georgoudis, D. Leroux, B.S. Chaves: The FROG Encryption Algorithm
[KSW99]
J. Kelsey, B. Schneier, D. Wagner: Key schedule weaknesses in SAFER+
[KS99]
J. Kelsey, B. Schneier: Keyschedule Cryptanalysis of DEAL, SAC 99
[DEAL]
L. Knudsen: DEAL: A 128-bit Block Cipher
[KM99]
L. Knudsen, W. Meier: Correlations in RC6
[KR99AL]
L. Knudsen, V. Rijmen: "On the Decorrelated Fast Cipher (DFC) and its theory", FSE'99, LNCS.
[LK00]
L. Knudsen: Trawling Twofish (revisited)
[Luc98]
S. Lucks: On the Security of the 128-bit Block Cipher DEAL
[MT99]
M. Matsui, T. Tokita: "Cryptanalysis of a reduced version of the block cipher E2", FSE'99, LNCS.
[E2]
Nippon Telegraph and Telephone Corporation: The 128-Bit Block Cipher E2
[Lim98]
C. H. Lim: CRYPTON
[MM99]
F. Mirza, S. Murphy: An Observation on the Key Schedule of Twofish
[SM00]
S. Murphy: The Key Separation of Twofish
[MR00]
S. Murphy, M. Robshaw: New Observations on Rijndael
[RK98]
V. Rijmen, L.R. Knudsen: Weaknesses in LOKI97

[RRSY]
R. Rivest, M.J.B. Robshaw, R. Sidney, Y.L. Yin: The RC6 Block Cipher

[Saar98]
M-J. Saarinen: Equivalent keys in MARS

M-J. Saarinen: A note regarding the hash function use of MARS and RC6
[TF98]
Schneier, Kelsey, Whiting, Wagner, Hall, Ferguson: Twofish: A 128-bit Block Cipher
[S98]
R. Schroeppel: The Hasty Pudding Cipher
[BF2000]
E. Biham, V. Furman: Impossible Differential on 8-Round MARS' Core
[V98]
S. Vaudenay et al.: DFC
[W98]
D. Wagner, N. Ferguson, and B. Schneier: Cryptanalysis of Frog

 
 
 

This page was created 15.06.97 by Lars R. Knudsen and Vincent Rijmen.

The page is maintained by Lars R. Knudsen and Vincent Rijmen.
All comments welcome.
 

NIST's AES page
Block Cipher Lounge
Lars's homepage
Vincent's homepage