Security - Telenor
The deadline for submitting candidates to the AES<br />
was June 15, 1998. Out of a total of 21 submissions,<br />
six were discarded because of incomplete<br />
documentation. Of the remaining 15, five are from<br />
the USA, two from Canada, there is one candidate<br />
each from Australia, Belgium, Costa Rica, France,<br />
Japan, Korea, and Germany, and then a multinational<br />
candidate from Denmark, United Kingdom<br />
and Israel. This author represents the Scandinavian<br />
colours in this competition.<br />
After one year of public evaluation of the 15<br />
candidates, NIST decided in August 1999 to select<br />
five candidates for a final round.<br />
This author was involved in the breaking of two<br />
of the 15 candidates and in the finding of serious<br />
weaknesses in a third candidate. The five candidates<br />
for the final round are, in alphabetical<br />
order:<br />
• MARS by IBM, USA;<br />
• RC6 by RSA Inc., USA;<br />
• Rijndael by researchers from Belgium;<br />
• Serpent by researchers from Denmark, UK,<br />
Israel;<br />
• Twofish by Counterpane, USA.<br />
In April 2000 the third and last AES conference<br />
took place in New York, USA, and May 15,<br />
2000 was the deadline for sending in comments<br />
and analysis of the five candidates. NIST expects<br />
to announce the winner(s) some time in<br />
the year 2000.<br />
Serpent<br />
Serpent is a snake; the idea is that Serpent will<br />
slither away from all cryptanalytic attacks. My<br />
co-authors on Serpent are Ross Anderson from<br />
Cambridge University in England and Eli Biham<br />
from Technion University in Haifa, Israel. The<br />
first version of Serpent (later called Serpent-0)<br />
was developed in 1997 and presented at a conference<br />
on encryption in Paris, March 1998. The<br />
version we submitted to NIST, called Serpent, is<br />
a slightly modified version of Serpent-0. Today<br />
(July 2000) no one has managed to find any<br />
weaknesses of any kind in Serpent.<br />
Secret-key cryptosystems are traditionally constructed<br />
by running the message through several<br />
so-called substitutions and permutations dependent<br />
on the value of the secret key. Substitutions<br />
are also sometimes called S-boxes and are often<br />
implemented in terms of a look-up table, which<br />
for every input specifies the function value. The<br />
advantage of this approach is that it is relatively<br />
easy to choose and use functions with complex<br />
mathematical formulae. Permutations are often<br />
simple functions which permute (or re-order) the<br />
bits of the message. Typically one uses a set of<br />
small substitutions, each modifying a small piece<br />
of the message, but such that the whole text is<br />
modified. Subsequently, the pieces are moved<br />
around and mixed. This recipe is then repeated a<br />
sufficient number of times, until the resulting<br />
ciphertext looks like total gibberish (and often<br />
more than that).<br />
Telektronikk 3.2000<br />
Serpent is constructed as above and has 32 layers<br />
(rounds). In each layer the 128-bit text is first<br />
combined with a 128-bit round key derived from the<br />
secret key and then split into 32 smaller parts of<br />
four bits each. Each four-bit part is input to a<br />
small S-box, which returns four (other) bits. Then<br />
the 32 blocks of four bits are concatenated (put<br />
together) and the 128 bits are mixed by a fixed<br />
linear transformation that shifts, rotates and<br />
XORs the bits. The nice feature of Serpent is that<br />
the 32 S-box evaluations can be done in parallel.<br />
Most computers today operate on 32-bit words; if<br />
the 128 bits are arranged so that word k holds bit<br />
k of all 32 four-bit parts, the S-box can be<br />
evaluated on all 32 parts at once with a short<br />
sequence of AND, OR, XOR and NOT operations on those<br />
words (a so-called bitslice implementation), and<br />
this on a computer with just one processor. This is<br />
much faster than doing 32 conventional table<br />
look-ups, and it needs no table in memory at all.<br />
On 8-bit processors it is possible to do eight<br />
evaluations in parallel.<br />
The substitutions and permutations are well chosen,<br />
such that all known attacks on block ciphers<br />
have to give up after 7 to 9 layers. Therefore<br />
there is a big safety margin in Serpent, big<br />
enough to handle even considerable improvements<br />
in the known techniques.<br />
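The following Python is an added worked example, not code from the article or from the Serpent authors; it shows the substitution-and-permutation recipe of the previous paragraphs and, in particular, how one 4-bit S-box is evaluated on all 32 four-bit parts of a 128-bit block at once by Boolean operations on four 32-bit words, checked against 32 ordinary table look-ups. The S-box table is Serpent's S0 from the published specification; the round-key mixing, the bit permutation and the random subkeys are stand-ins constructed for illustration and are not Serpent's own. A side benefit visible in the code is that the bitsliced layer performs no secret-dependent memory look-ups.<br />

```python
"""Serpent-style S-box layer, evaluated 32 nibbles at a time (added example).

SBOX0 is Serpent's S0 from the published specification.  The round-key
mixing, the bit permutation and the random subkeys are stand-ins
constructed for illustration only; they are NOT Serpent's own.
"""
from secrets import randbits

MASK32 = 0xFFFFFFFF
MASK128 = (1 << 128) - 1

# Serpent S0: a permutation of the sixteen 4-bit values (from the spec).
SBOX0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]


def nibbles(block):
    """Split a 128-bit integer into 32 four-bit parts; part 0 is the low nibble."""
    return [(block >> (4 * i)) & 0xF for i in range(32)]


def sbox_layer_lookup(block, sbox):
    """Reference version: 32 conventional table look-ups, one per nibble."""
    out = 0
    for i, n in enumerate(nibbles(block)):
        out |= sbox[n] << (4 * i)
    return out


def to_bitslice(block):
    """Rearrange so that word k holds bit k of every nibble (32 lanes per word)."""
    words = [0, 0, 0, 0]
    for i, n in enumerate(nibbles(block)):
        for k in range(4):
            words[k] |= ((n >> k) & 1) << i
    return words


def from_bitslice(words):
    """Inverse of to_bitslice: gather lane i of the four words into nibble i."""
    block = 0
    for i in range(32):
        n = sum(((words[k] >> i) & 1) << k for k in range(4))
        block |= n << (4 * i)
    return block


def sbox_layer_bitslice(words, sbox):
    """Apply the S-box to all 32 lanes at once using only AND/OR/NOT on words.

    For each possible input x, 'match' has lane i set exactly when nibble i
    equals x; the bits of sbox[x] are then OR-ed into the matching lanes.
    Sixteen masks, no memory look-ups.  Real implementations hand-optimise
    the Boolean formula per S-box; this generic form makes the idea visible.
    """
    out = [0, 0, 0, 0]
    for x in range(16):
        match = MASK32
        for k in range(4):
            if (x >> k) & 1:
                match &= words[k]
            else:
                match &= ~words[k] & MASK32
        y = sbox[x]
        for k in range(4):
            if (y >> k) & 1:
                out[k] |= match
    return out


def bitslice_matches_lookup(block, sbox=SBOX0):
    """True when the parallel evaluation agrees with the 32 separate look-ups."""
    via_lookup = sbox_layer_lookup(block, sbox)
    via_bitslice = from_bitslice(sbox_layer_bitslice(to_bitslice(block), sbox))
    return via_lookup == via_bitslice


# Constructed bit permutation: bit j moves to position (37*j) mod 128.
# 37 is odd, so this is a bijection on 0..127.  It stands in for "move the
# pieces around" and is not Serpent's linear transformation.
PERM = [(37 * j) % 128 for j in range(128)]


def permute_bits(block, perm=PERM):
    """Move every bit of the block to the position given by perm."""
    out = 0
    for j in range(128):
        out |= ((block >> j) & 1) << perm[j]
    return out


def sp_round(block, subkey, sbox=SBOX0):
    """One layer of the recipe: mix in the round key, substitute, permute."""
    mixed = (block ^ subkey) & MASK128
    substituted = from_bitslice(sbox_layer_bitslice(to_bitslice(mixed), sbox))
    return permute_bits(substituted)


def encrypt(block, subkeys):
    """Run the layer once per subkey (Serpent uses 32 such layers)."""
    for k in subkeys:
        block = sp_round(block, k)
    return block


if __name__ == "__main__":
    blk = randbits(128)
    assert bitslice_matches_lookup(blk)
    subkeys = [randbits(128) for _ in range(32)]  # constructed, not a real key schedule
    print(f"{encrypt(blk, subkeys):032x}")
```

Run the file directly and it checks the bitsliced layer against the look-up version on a random block, then prints the output of 32 layers under constructed subkeys. The generic sixteen-mask construction in sbox_layer_bitslice is deliberately unoptimised; the point is that the same few dozen word operations serve all 32 nibbles simultaneously, which is what makes the approach fast on 32-bit processors and frees the implementation from table accesses.<br />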
On an average PC Serpent is not the fastest<br />
algorithm of the five candidates left in the<br />
competition. On the other hand, on other platforms,<br />
e.g. in smart card applications, Serpent is<br />
one of the fastest; also in hardware Serpent is the<br />
fastest of the five. The great advantage of Serpent<br />
is that the safety margin protecting against<br />
future cryptanalytic improvements is the largest<br />
of all five candidates.<br />
Licenses?<br />
One of the great properties of the AES, apart<br />
from high security (if Serpent is chosen!) is that<br />
the system must be royalty free and free to use<br />
for everybody all over the world. It was a condition<br />
to participate in the competition that all<br />
patents and rights were waived, in case the algorithm<br />
should be selected for the AES.<br />
Hidden Trapdoors<br />
One of the favourite subjects in the tabloid<br />
press when it comes to encryption systems is hidden<br />
trapdoors. As an example, when the DES<br />
was first published there was a lot of debate on<br />
the possibility that the American government<br />
had put in a trapdoor enabling them to read<br />
encrypted traffic without knowing the secret<br />
key. However, I am convinced that no such trapdoor<br />
exists for the DES, and I guarantee that no<br />
such trapdoors have been put into Serpent. It is<br />
very hard to break the encryption systems which<br />
are constructed according to the state-of-the-art,<br />
but it is even more difficult in my opinion to put<br />
a trapdoor into a public cryptosystem without<br />
being detected.<br />