http://www.ii.uib.no/~larsr/aes.html
The page is maintained by Lars R. Knudsen and Vincent Rijmen .

 


The Block Cipher Lounge - AES

(This page was last updated 13.09.99)


 
 
The NIST Press Release

The Final 5 


Name  Author(s)  Report(s) 
MARS IBM (11 authors) "Tweak"
RC6  Rivest, Robshaw, Sidney, Yin  KM99 
RIJNDAEL Daemen, Rijmen  ?
SERPENT Anderson, Biham, Knudsen  ?
TWOFISH Schneier, Kelsey, Whiting, Wagner, Hall, Ferguson  MM99

The 15 AES Proposals 

Name  Author(s)  Rounds  Attack(s) 
CAST-256  Adams  48  ?
CRYPTON Lim  12  C:32/56/32 (6) [DB99] 
DEAL  Knudsen, Outerbridge 6,8  [Luc98] , [KS99] 
DFC  Vaudenay et al [KR99] 
E2 Aoki, Kanda, Matsumoto, Moriai, Ohta, Ookubo, Takashima, Ueda  12  C:100/./. (8) [MT99] 
FROG Georgoudis, Leroux, Chaves  [W98] 
Hasty Pudding R. Schroeppel  ?
LOKI97  Brown, Pieprzyk  16  K:56/./., C:56/./., [RK98] 
MARS IBM  32  [Saar98] 
Magenta Deutsche Telekomm 6,8  [BBFKS] 
RC6  Rivest, Robshaw, Sidney, Yin  20  ?
RIJNDAEL Daemen, Rijmen  10,12,14 ?
SAFER+  Massey, Khachatrian, Kuregian 8,12,16 [KSW99] 
SERPENT Anderson, Biham, Knudsen  32 ?
TWOFISH Schneier, Kelsey, Whiting, Wagner, Hall, Ferguson  16 MM99

 
 
 

The notation of the table: 

Name  Name of the block cipher 
Author  Name of the designer 
Rounds  the number of rounds of the cipher
Attack 
K:a/b/c denotes that the best known plaintext attack requires 2a plaintext/ciphertexts, has a workload of 2b encryptions and requires 2c words of memory. 
C:a/b/c denotes that the best chosen plaintext attack requires 2a plaintext/ciphertexts, has a workload of 2b encryptions and requires 2c words of memory. 

A `.' means that this resource requirement is either negligible or unknown to us. 

(r): the number of rounds of the attack. If blank, r=Rounds 
[SA]: the paper describing the attack 
?: No attacks known 

 

If you have some attacks on some of the ciphers here, or if you have comments to this page, please contact Lars or Vincent .
 
 

References

[A98]
C. Adams, The CAST-256 Encryption Algorithm
[ABK98]
R. Anderson, E. Biham, L. Knudsen, SERPENT
[BBFKS]
E. Biham, A. Biryukov, N. Ferguson, L. Knudsen, B. Schneier, A. Shamir, Cryptanalysis of MAGENTA

(pdf)
[BP98]
L. Brown, J. Pieprzyk, ``Introducing the new LOKI97 Block Cipher''
[IBM98]
Burwick, Coppersmith, D'Avignon, Gennaro, Halevi, Jutla, Matyas Jr., O'Connor, Peyravian, Safford, Zunic, ``MARS - a candidate cipher for AES''
[CL98]
Cylink Corporation, "SAFER+" (No link, LK, 11.08.99.)
[DR98]
J. Daemen, V. Rijmen, ``AES Proposal: Rijndael''
[DB99]
C. D'Halluin, G. Bijnens, V. Rijmen, B. Preneel, ``Attack on 6 rounds of Crypton,'' FSE'99, LNCS.
[GLC]
D. Georgoudis, D. Leroux, B.S. Chaves, ``The "FROG" Encryption Algorithm''
[KSW99]
J. Kelsey, B. Schneier, D. Wagner, ``Key schedule weaknesses in SAFER+''
[KS99]
J. Kelsey, B. Schneier, ``Key schedule cryptanalysis of DEAL'', SAC 99
[DEAL]
L. Knudsen, ``DEAL: A 128-bit Block Cipher''
[KM99]
L. Knudsen, W. Meier, Correlations in RC6
[KR99AL]
L. Knudsen, V. Rijmen, ``On the Decorrelated Fast Cipher (DFC) and its theory,'' FSE'99, LNCS.
[Luc98]
S. Lucks, ``On the Security of the 128-bit Block Cipher DEAL''
[MT99]
M. Matsui, T. Tokita, ``Cryptanalysis of a reduced version of the block cipher E2,'' FSE'99, LNCS.
[E2]
Nippon Telegraph and Telephone Corporation, ``The 128-Bit Block Cipher E2"''
[Lim98]
C. H. Lim, ``CRYPTON''
[MM99]
F. Mirza, S. Murphy, ``An Observation on the Key Schedule of Twofish''
[RK98]
V. Rijmen, L.R. Knudsen, ``Weaknesses in LOKI97''

(pdf)(pdf)
[RRSY]
R. Rivest, M.J.B. Robshaw, R. Sidney, Y.L. Yin, "The RC6 Block Cipher"

(pdf) . See also here .
[Saar98]
M-J. Saarinen, "Equivalent keys in MARS"

M-J. Saarinen, "A note regarding the hash function use of MARS and RC6"
[TF98]
Schneier, Kelsey, Whiting, Wagner, Hall, Ferguson, ``Twofish: A 128-bit Block Cipher''
[S98]
R. Schroppel, The Hasty Pudding Cipher
[V98]
S. Vaudenay et al, DFC
[W98]
D. Wagner, N. Ferguson, and B. Schneier, "Cryptanalysis of Frog,"

 
 
 

This page was created 15.06.97 by Lars R. Knudsen and Vincent Rijmen.

The page is maintained by Lars R. Knudsen and Vincent Rijmen .
All comments welcome
 

NIST's AES page
Block Cipher Lounge
Lars's homepage
Vincent's homepage