Recent Developments In The Design Of Conventional Cryptographic Algorithms

Recent Developments in the Design of
Conventional Cryptographic Algorithms
Bart Preneel?, Vincent Rijmen??, and Antoon Bosselaers
Katholieke Universiteit Leuven, Dept. Electrical Engineering{ESAT
Kardinaal Mercierlaan 94, B{3001 Heverlee, Belgium
fbart.preneel,vincent.rijmen,antoon.bosselaersg@esat.kuleuven.ac.be
18 September 1998
Abstract. This paper examines proposals for threecryptographic prim-
itives: block ciphers, stream ciphers, and hash functions. It provides an
overview of the design principles of a large number of recent proposals,
which includes the global structure, the number of rounds, the way of in-
troducing non-linearity and diusion, and the key schedule. The software
performance of about twenty primitives is compared based on highly op-
timizedimplementations for the Pentium. The goal of the paper is to
provided a technical perspective on the wide variety of primitives that
exist today.
1 Introduction
An increasing number of applications uses software implementations of crypto-
graphic algorithms in order to provide an acceptable security level at a low cost.
An important constraint is that the performance of the application should be
inuenced as little as possible by the introduction of cryptography. The design of
secure cryptographic primitives which achieve very high software performance
is a challenging problem for the cryptologic research community. This paper
intends to report on the state of the art on this problem.
The best which can be achieved currently is to design fast primitives with
some provable properties,but the general paradigm is still a `trial-and-error'
procedure, which consists of the publication of candidate algorithms and an
evaluation by cryptanalysts. In this process, the cryptographic community gath-
ers knowledge on how to design cryptographic algorithms. Note that primitives
exist which are provably secure based on some reasonable assumptions (such as
the diculty of factoring theproduct of two large primes), but these are several
order of magnitude slower than the fastest algorithms currently in use.
This paper intends to summarize the state of the art by comparing the dif-
ferent approaches and design choices and their performance in software. It is not
? F.W.O. postdoctoral researcher, sponsored by the Fund for Scientic Research {
Flanders (Belgium).
?? F.W.O.research assistant, sponsored by the Fund for Scientic Research { Flanders
(Belgium).
1
our intention to give an in-depth security analysis of any primitive or to assess
their suitability for a certain application. The main goal is to extract some gen-
eral principles, such that potential users, cryptanalysts, and designers have an
idea of the diverse approaches of the present daycryptographic primitives.
In this paper three types of cryptographic primitives are considered: additive
stream ciphers, hash functions, and block ciphers. First these primitives will be
introduced brie
y. Next, brute force attacks on them will be presented. In x4
the dierent design principles are described. x5 discusses the evaluation of their
security and x6 compares the software performance. Theconclusions are given
in x7. The status of selected primitives is listed in Appendix A.
2 Cryptographic primitives
This paper focuses on the three most common cryptographic primitives: addi-
tive stream ciphers, cryptographic hash functions, and block ciphers. It will be
assumed that the reader is familiar with the basic requirements for these prim-
itives, as well as with the ways how theseprimitives can be used to provide
security services such as condentiality and authentication.
2.1 Additive stream ciphers
Additive stream ciphers stretch a short key and an initial value to a key-stream
sequence. If data condentiality is required, the sender will add this key-stream
sequence to the data, simulating the operation of a one-time pad (but without
the perfect secrecy). The...