's AES encryption. The attack required over 200 million chosen plaintexts. The custom server was designed to give out as much timing information as possible (the server reports back the number of machine cycles taken by the encryption operation). However, as Bernstein pointed out, "reducing the precision of the server's timestamps, or eliminating them from the server's responses, does not stop the attack: the client simply uses round-trip timings based on its local clock, and compensates for the increased noise by averaging over a larger number of samples."
) validated at the same time. Therefore, it is rare to find cryptographic modules that are uniquely FIPS 197 validated, and NIST itself does not generally take the time to list FIPS 197 validated modules separately on its public web site. Instead, FIPS 197 validation is typically just listed as a "FIPS approved: AES" notation (with a specific FIPS 197 certificate number) in the current list of FIPS 140 validated cryptographic modules.
(e.g., well over $30,000 US) and does not include the time it takes to write, test, document and prepare a module for validation. After validation, modules must be re-submitted and re-evaluated if they are changed in any way. This can vary from simple paperwork updates if the security functionality did not change to a more substantial set of re-testing if the security functionality was impacted by the change.
. A break can thus include results that are infeasible with current technology. Despite being impractical, theoretical breaks can sometimes provide insight into vulnerability patterns. The largest successful publicly known brute-force attack against a widely implemented block-cipher encryption algorithm was against a 64-bit
, is against AES-256 that uses only two related keys and 2 time to recover the complete 256-bit key of a 9-round version, or 2 time for a 10-round version with a stronger type of related subkey attack, or 2 time for an 11-round version. 256-bit AES uses 14 rounds, so these attacks are not effective against full AES.
(SBU) or above. From NSTISSP #11, National Policy Governing the Acquisition of Information Assurance: "Encryption products for protecting classified information will be certified by NSA, and encryption products intended for protecting sensitive information will be certified in accordance with NIST FIPS 140-2."
This is a very small gain, as a 126-bit key (instead of 128 bits) would still take billions of years to brute force on current and foreseeable hardware. Also, the authors calculate the best attack using their technique on AES with a 128-bit key requires storing 2 bits of data. That works out to about
In March 2016, Ashokkumar C., Ravi Prakash Giri and Bernard Menezes presented a side-channel attack on AES implementations that can recover the complete 128-bit AES key in just 6–7 blocks of plaintext/ciphertext, which is a substantial improvement over previous works that require between 100 and a
The key space increases by a factor of 2 for each additional bit of key length, and if every possible value of the key is equiprobable, this translates into a doubling of the average brute-force key search time with every additional bit of key length. This implies that the effort of a brute-force
The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect
FIPS 140-2 validation is challenging to achieve both technically and fiscally. There is a standardized battery of tests as well as an element of source code review that must be passed over a period of a few weeks. The cost to perform these tests through an approved laboratory can be significant
and is faster than brute force by a factor of about four. It requires 2 operations to recover an AES-128 key. For AES-192 and AES-256, 2 and 2 operations are needed, respectively. This result has been further improved to 2 for AES-128, 2 for AES-192 and 2 for AES-256, which are the current best
The Cryptographic Algorithm Validation Program (CAVP) allows for independent validation of the correct implementation of the AES algorithm. Successful validation results in being listed on the NIST validations page. This testing is a prerequisite for the FIPS 140-2 module validation. However,
In November 2010 Endre Bangerter, David Gullasch and Stephan Krenn published a paper which described a practical approach to a "near real time" recovery of secret keys from AES-128 without the need for either ciphertext or plaintext. The approach also works on AES-128 implementations that use
against a reduced 8-round version of AES-128 was released as a preprint. This known-key distinguishing attack is an improvement of the rebound, or the start-from-the-middle attack, against AES-like permutations, which view two consecutive rounds of permutation as the application of a so-called
, and Ivica Nikolić, with a complexity of 2 for one out of every 2 keys. However, related-key attacks are not of concern in any properly designed cryptographic protocol, as a properly designed protocol (i.e., implementational software) will take care not to allow related keys, essentially by
step by transforming them into a sequence of table lookups. This requires four 256-entry 32-bit tables (together occupying 4096 bytes). A round can then be performed with 16 table lookup operations and 12 32-bit exclusive-or operations, followed by four 32-bit exclusive-or operations in the
, and thus are not related to cipher security as defined in the classical context, but are important in practice. They attack implementations of the cipher on hardware or software systems that inadvertently leak data. There are several such known attacks on various implementations of AES.
successful CAVP validation in no way implies that the cryptographic module implementing the algorithm is secure. A cryptographic module lacking FIPS 140-2 validation or specific approval by the NSA is not deemed secure by the US Government and cannot be used to protect government data.
partition encryption function. One attack was able to obtain an entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.
$\begin{bmatrix}b_{0,j}\\b_{1,j}\\b_{2,j}\\b_{3,j}\end{bmatrix}=\begin{bmatrix}2&3&1&1\\1&2&3&1\\1&1&2&3\\3&1&1&2\end{bmatrix}\begin{bmatrix}a_{0,j}\\a_{1,j}\\a_{2,j}\\a_{3,j}\end{bmatrix}\qquad 0\leq j\leq 3$
bytes. For a 256-bit block, the first row is unchanged and the shifting for the second, third and fourth row is 1 byte, 3 bytes and 4 bytes respectively – this change only applies for the Rijndael cipher when used with a 256-bit block, as AES does not use 256-bit
compression tables, such as OpenSSL. Like some earlier attacks, this one requires the ability to run unprivileged code on the system performing the AES encryption, which may be achieved by malware infection far more easily than commandeering the root account.
38 trillion terabytes of data, which was more than all the data stored on all the computers on the planet in 2016. A paper in 2015 later improved the space complexity to 2 bits, which is 9007 terabytes (while still keeping a time complexity of 2).
in 2009. This attack is against AES-256 that uses only two related keys and 2 time to recover the complete 256-bit key of a 9-round version, or 2 time for a 10-round version with a stronger type of related subkey attack, or 2 time for an 11-round
. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively. In this way, each column of the output state of the
. AES-192 and AES-128 are not considered quantum resistant due to their smaller key sizes. AES-192 has a strength of 96 bits against quantum attacks and AES-128 has 64 bits of strength against quantum attacks, making them both insecure.
During the AES selection process, developers of competing algorithms wrote of Rijndael's algorithm "we are concerned about use ... in security-critical applications." In October 2000, however, at the end of the AES selection process,
PUB 197 (FIPS 197) on November 26, 2001. This announcement followed a five-year standardization process in which fifteen competing designs were presented and evaluated, before the Rijndael cipher was selected as the most suitable.
Each round consists of several processing steps, including one that depends on the encryption key itself. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.
(NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for U.S. Government non-classified data. In June 2003, the U.S. Government announced that AES could be used to protect
. Rijndael is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.
step is composed of bytes from each column of the input state. The importance of this step is to avoid the columns being encrypted independently, in which case AES would degenerate into four independent block ciphers.
, purporting to show a weakness in the AES algorithm, partially due to the low complexity of its nonlinear components. Since then, other papers have shown that the attack, as originally presented, is unworkable; see
, wrote that while he thought successful academic attacks on Rijndael would be developed someday, he "did not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic."
The practicality of these attacks with stronger related keys has been criticized, for instance, by the paper on chosen-key-relations-in-the-middle attacks on AES-128 authored by Vincent Rijmen in 2010.
Super-S-box. It works on the 8-round version of AES-128, with a time complexity of 2, and a memory complexity of 2. 128-bit AES uses 10 rounds, so this attack is not effective against full AES-128.
$\begin{bmatrix}b_{0}&b_{4}&b_{8}&b_{12}\\b_{1}&b_{5}&b_{9}&b_{13}\\b_{2}&b_{6}&b_{10}&b_{14}\\b_{3}&b_{7}&b_{11}&b_{15}\end{bmatrix}$
Advances in Cryptology – ASIACRYPT 2002: 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1–5, 2002, Proceedings
was discovered that exploits the simplicity of AES's key schedule and has a complexity of 2. In December 2009 it was improved to 2. This is a follow-up to an attack discovered earlier in 2009 by
search increases exponentially with key length. Key length in itself does not imply security against attacks, since there are ciphers with very long keys that have been found to be vulnerable.
Although NIST publication 197 ("FIPS 197") is the unique document that covers the AES algorithm, vendors typically approach the CMVP under FIPS 140 and ask to have several algorithms (such as
, known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible
High speed and low RAM requirements were some of the criteria of the AES selection process. As the chosen algorithm, AES performed well on a wide variety of hardware, from 8-bit
– AES deeply explained and animated using Flash (by Enrique Zabala / University ORT / Montevideo / Uruguay). This animation (in English, Spanish, and German) is also part of
Block sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm for each key size, but only the 128-bit block size is specified in the AES standard.
is specified with block and key sizes that may be any multiple of 32 bits, with a minimum of 128 and a maximum of 256 bits. Most AES calculations are done in a particular
step. Alternatively, the table lookup operation can be performed with a single 256-entry 32-bit table (occupying 1024 bytes) followed by circular rotation operations.
Key sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128, 192, and 256-bit key sizes are specified in the AES standard.
At present, there is no known practical attack that would allow someone without knowledge of the key to read data encrypted by AES when correctly implemented.
Test vectors are a set of known ciphers for a given input and key. NIST distributes the reference of AES test vectors as AES Known Answer Test (KAT) Vectors.
Rijndael variants with a larger block size have slightly different offsets. For blocks of sizes 128 bits and 192 bits, the shifting pattern is the same. Row
step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs incrementally for each row.
; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise
Matrix multiplication is composed of multiplication and addition of the entries. Entries are bytes treated as coefficients of polynomial of order
During this operation, each column is transformed using a fixed matrix (matrix left-multiplied by column gives new value of column in the state):
"National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information"
and Eran Tromer presented a paper demonstrating several cache-timing attacks against the implementations in AES found in OpenSSL and Linux's
, AES encryption requires 18 clock cycles per byte (cpb), equivalent to a throughput of about 11 MiB/s for a 200 MHz processor.
on full AES were by Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in 2011. The attack is a
– a linear mixing operation which operates on the columns of the state, combining the four bytes in each column.
– a transposition step where the last three rows of the state are shifted cyclically a certain number of steps.
Bruce Schneier; John Kelsey; Doug Whiting; David Wagner; Chris Hall; Niels Ferguson; Tadayoshi Kohno; et al. (May 2000).
function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with
By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.
(overflow must be corrected by subtraction of generating polynomial). These are special cases of the usual multiplication in
) is used, which requires first taking the inverse of the affine transformation and then finding the multiplicative inverse.
million encryptions. The proposed attack requires standard user privilege and key-retrieval algorithms run under a minute.
resistant, as it has similar quantum resistance to AES-128's resistance against traditional, non-quantum, attacks at 128
national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.
Cryptography – 256 bit Ciphers: Reference source code and submissions to international cryptographic designs contests
The key size used for an AES cipher specifies the number of transformation rounds that convert the input, called the
"ISO/IEC 18033-3: Information technology – Security techniques – Encryption algorithms – Part 3: Block ciphers"
standard. AES became effective as a U.S. federal government standard on May 26, 2002, after approval by U.S.
On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by combining the
. For biclique attacks on AES-192 and AES-256, the computational complexities of 2 and 2 respectively apply.
. AES is available in many different encryption packages, and is the first (and only) publicly accessible
Schneier, Bruce; Kelsey, John; Whiting, Doug; Wagner, David; Hall, Chris; Ferguson, Niels (1999-02-01).
"byte-oriented-aes – A public domain byte-oriented implementation of AES in C – Google Project Hosting"
Bertoni, Guido; Breveglieri, Luca; Fragneto, Pasqualina; MacChetti, Marco; Marchesin, Stefano (2003).
. Lecture Notes in Computer Science. Vol. 5677. Springer Berlin / Heidelberg. pp. 231–249.
is required by the United States Government for encryption of all data that has a classification of
, and is efficient in both software and hardware. Unlike its predecessor DES, AES does not use a
AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.
step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain
step, the subkey is combined with the state. For each round, a subkey is derived from the main
can break AES-256 and AES-192 with complexities 2 and 2 in both time and data, respectively.
Large-block variants of Rijndael use an array with additional columns, but always four rows.
Alex Biryukov; Orr Dunkelman; Nathan Keller; Dmitry Khovratovich; Adi Shamir (2009-08-19).
Alex Biryukov; Orr Dunkelman; Nathan Keller; Dmitry Khovratovich; Adi Shamir (2009-08-19).
. United States National Institute of Standards and Technology (NIST). November 26, 2001.
CPU, AES encryption using AES-NI takes about 1.3 cpb for AES-128 and 1.8 cpb for AES-256.
The AES Known Answer Test (KAT) Vectors are available in Zip format within the NIST site
$c(z)={03}_{16}\cdot z^{3}+{01}_{16}\cdot z^{2}+{01}_{16}\cdot z+{02}_{16}$
– each byte of the state is combined with a byte of the round key using
"NSTISSP No. 11, Revised Fact Sheet, National Information Assurance Acquisition Policy"
AES has a fairly simple algebraic framework. In 2002, a theoretical attack, named the "
step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table,
Biaoshuai Tao & Hongjun Wu (2015). "Improving the Biclique Cryptanalysis of AES".
Proceedings of Selected Areas in Cryptography, 2001, Lecture Notes in Computer Science
(CSE) of the Government of Canada. The use of cryptographic modules validated to NIST
array is simply the plaintext/input. This operation provides the non-linearity in the
For AES-128, the key can be recovered with a computational complexity of 2 using the
Bonnetain, Xavier; Naya-Plasencia, María; Schrottenloher, André (December 6, 2019).
In December 2009 an attack on some hardware implementations was published that used
"Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds"
Nikolić, Ivica (2009). "Distinguisher and Related-Key Attack on the Full AES-256".
"Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds"
step, each byte of the state is combined with a byte of the round subkey using the
step, the four bytes of each column of the state are combined using an invertible
validated cryptographic modules in unclassified applications of its departments.
Another attack was blogged by Bruce Schneier on July 30, 2009, and released as a
announced a cache-timing attack that he used to break a custom server that used
Until May 2009, the only successful published attacks against the full AES were
. AES requires a separate 128-bit round key block for each round plus one more.
, meaning the same key is used for both encrypting and decrypting the data.
"NIST.gov – Computer Security Division – Computer Security Resource Center"
. Addition is simply XOR. Multiplication is modulo irreducible polynomial
substitution step where each byte is replaced with another according to a
Journal of Research of the National Institute of Standards and Technology
Andrey Bogdanov; Dmitry Khovratovich & Christian Rechberger (2011).
i.e., performing one trial decryption for each possible key in sequence
(DES), which was published in 1977. The algorithm described by AES is a
Attacks have been published that are computationally faster than a full
. Lecture Notes in Computer Science. Vol. 2523. pp. 159–171.
, the NSA is doing research on whether a cryptographic attack based on
– round keys are derived from the cipher key using the
"Cryptanalysis of Block Ciphers with Overdefined Systems of Equations"
"Cache Games – Bringing Access-Based Cache Attacks on AES to Practice"
"Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations"
Schneier on Security, A blog covering security and security technology
Understanding Cryptography: A Textbook for Students and Practitioners
. Lecture Notes in Computer Science. Vol. 9144. pp. 39–56.
"Academic: Improved Cryptanalysis of Rijndael - Schneier on Security"
step, each column of the state is multiplied with a fixed polynomial
Information technology – Security techniques – Encryption algorithms
– hash function created by Vincent Rijmen and Paulo S. L. M. Barreto
step can also be viewed as a multiplication by the shown particular
In a more general sense, each column is treated as a polynomial over
2016 IEEE European Symposium on Security and Privacy (EuroS&P)
. The S-box is also chosen to avoid any fixed points (and so is a
"Intel® Advanced Encryption Standard (AES) New Instructions Set"
"NIST reports measurable success of Advanced Encryption Standard"
"Practical-Titled Attack on AES-128 Using Chosen-Text Relations"
equivalent of the binary representation of bit polynomials from
. If processed bit by bit, then, after shifting, a conditional
information when used in an NSA approved cryptographic module.
The Design of Rijndael: AES – The Advanced Encryption Standard
"Efficient Software Implementation of AES on 32-Bit Platforms"
Using a byte-oriented approach, it is possible to combine the
The Advanced Encryption Standard (AES) is defined in each of:
(menu Indiv. Procedures → Visualization of Algorithms → AES).
"A Diagonal Fault Attack on the Advanced Encryption Standard"
. National Institute of Standards and Technology. p. 1.
(CMVP) is operated jointly by the United States Government's
, which protect against timing-related side-channel attacks.
$S(a_{i,j})\oplus a_{i,j}\neq {\text{FF}}_{16}$
Endre Bangerter; David Gullasch & Stephan Krenn (2010).
In the United States, AES was announced by the NIST as U.S.
"Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules"
Dhiman Saha; Debdeep Mukhopadhyay; Dipanwita RoyChowdhury.
"Related-key Cryptanalysis of the Full AES-192 and AES-256"
(2nd ed.). ISO. 2010-12-15. ISO/IEC 18033-3:2010(E).
Ashokkumar C.; Ravi Prakash Giri; Bernard Menezes (2016).
extensions, throughput can be multiple GiB/s. On an Intel
should be performed if the shifted value is larger than FF
Related-key Cryptanalysis of the Full AES-192 and AES-256
Federal Information Processing Standards Publication 197
AES algorithm archive information – (old, unmaintained)
Cryptographic Hardware and Embedded Systems - CHES 2002
an attacker's means of selecting keys for relatedness.
, though none as of 2023 are computationally feasible.
Cryptographically secure pseudorandom number generator
"Breaking AES-128 in realtime, no ciphertext required"
Dag Arne Osvik; Adi Shamir; Eran Tromer (2005-11-20).
"AES News, Crypto-Gram Newsletter, September 15, 2002"
on August 3, 2009. This new attack, by Alex Biryukov,
SPIEGEL ONLINE, Hamburg, Germany (28 December 2014).
and allows recovery of a key with a complexity of 2.
Cryptanalysis § Computational resources required
(companion web site contains online lectures on AES)
"Cache Attacks and Countermeasures: the Case of AES"
"The Twofish Team's Final Comments on AES Selection"
Joan Daemen and Vincent Rijmen (September 3, 1999).
The Government of Canada also recommends the use of
On Some Symmetric Lightweight Cryptographic Designs
"Announcing the ADVANCED ENCRYPTION STANDARD (AES)"
. This process is described further in the article
Final round (making 10, 12 or 14 rounds in total):
"Are AES x86 Cache Timing Attacks Still Feasible?"
on some specific implementations. In 2009, a new
"Performance Comparisons of the AES submissions"
The Cryptographer's Track at RSA Conference 2006
. Dissertation, Lund University. pp. 38–39.
of 128, 192, or 256 bits. By contrast, Rijndael
FIPS PUB 197: Advanced Encryption Standard (AES)
"A simple algebraic representation of Rijndael"
Daemen, Joan; Rijmen, Vincent (March 9, 2003).
List of free and open-source software packages
National Institute of Standards and Technology
${01}_{16}\cdot z^{4}+{01}_{16}$
AES is based on a design principle known as a
, who submitted a proposal to NIST during the
National Institute of Standards and Technology
Standard for the encryption of electronic data
. AES is a variant of Rijndael, with a fixed
Another attack was blogged and released as a
results in a key-recovery attack against AES.
, and also any opposite fixed points, i.e.,
Courtois, Nicolas; Pieprzyk, Josef (2003).
"Securing the Enterprise with Intel AES-NI"
"Inside the NSA's War on Internet Security"
Henri Gilbert; Thomas Peyrin (2009-11-09).
of electronic data established by the U.S.
"OpenSSL's Notes about FIPS certification"
(NIST) Computer Security Division and the
$\operatorname{GF}(2^{8})$
. The coefficients are displayed in their
$\operatorname{GF}(2^{8})$
$\operatorname{GF}(2^{8})$
"U.S. Selects a New Encryption Technique"
, a developer of the competing algorithm
– Same Animation as above made in HTML5.
Federal Information Processing Standards
"Biclique Cryptanalysis of the Full AES"
"Biclique Cryptanalysis of the Full AES"
Alex Biryukov and Dmitry Khovratovich,
Cryptographic Module Validation Program
. While performing the decryption, the
High-level description of the algorithm
. The number of rounds is as follows:
Visualization of the AES round function
Daemen, Joan; Rijmen, Vincent (2002).
"AES-256 joins the quantum resistance"
$\operatorname{GF}(2)$
$S(a_{i,j})\neq a_{i,j}$
from the original on 22 December 2009
from the original on 12 February 2007
Communications Security Establishment
steps into a single round operation.
$x^{8}+x^{4}+x^{3}+x+1$
. The S-box used is derived from the
"Advanced Encryption Standard (AES)"
from the original on 24 January 2015
from the original on 28 January 2010
Advances in Cryptology - CRYPTO 2009
from the original on March 28, 2017.
from the original on August 23, 2024
from the original on 28 January 2010
Advanced Encryption Standard process
, into the final output, called the
10, 12 or 14 (depending on key size)
Paar, Christof; Pelzl, Jan (2009).
"Index of formal scientific papers"
from the original on August 8, 2010
), also known by its original name
"Quantum Security Analysis of AES"
Improved Cryptanalysis of Rijndael
"break" is anything faster than a
4097:"256bit key – 128bit block – AES"
3093:"Is encryption really crackable?"
2851:John Schwartz (October 3, 2000).
2766:from the original on 5 March 2013
2285:In October 2005, Dag Arne Osvik,
239:AES is a variant of the Rijndael
4155:from the original on 2022-10-09.
3745:from the original on 2017-08-09.
3651:from the original on 2010-12-14.
3410:Information Security and Privacy
3339:from the original on 2010-07-02.
3151:from the original on 7 July 2007
2929:from the original on 2010-01-02.
2904:from the original on 2013-12-03.
341:substitution–permutation network
156:Substitution–permutation network
3968:from the original on 2011-06-22
3879:from the original on 2013-01-02
3775:from the original on 2013-03-31
3669:from the original on 2011-10-03
3579:from the original on 2006-06-19
3509:from the original on 2008-09-17
3441:Jeffrey Goldberg (2011-08-18).
3362:from the original on 2010-06-04
3125:from the original on 2009-01-31
3073:from the original on 2007-02-23
3016:from the original on 2010-11-06
2984:from the original on 2013-07-20
2705:from the original on 2009-10-05
2672:from the original on 2009-09-28
2406:to high-performance computers.
2312:Many modern CPUs have built-in
2223:known-key distinguishing attack
5386:Information-theoretic security
4027:. Springer. pp. 268–287.
3812:O'Shea, Dan (April 26, 2022).
3642:IACR Cryptology ePrint Archive
3606:IACR Cryptology ePrint Archive
3443:"AES Encryption isn't Cracked"
3356:IACR Cryptology ePrint Archive
3330:IACR Cryptology ePrint Archive
2267:do not attack the cipher as a
1710:and is then multiplied modulo
330:ISO/IEC 18033-3: Block ciphers
228:), is a specification for the
4069:. Springer. pp. 87–122.
3932:. Openssl.org. Archived from
3091:Ou, George (April 30, 2006).
2693:Bruce Schneier (2009-07-30).
2314:hardware instructions for AES
5560:Advanced Encryption Standard
3257:10.1007/978-3-642-03356-8_14
2874:Westlund, Harold B. (2002).
2559:is shifted left circular by
2324:AES-256 is considered to be
2221:In November 2009, the first
692:Initial round key addition:
262:AES has been adopted by the
209:Advanced Encryption Standard
31:Advanced Encryption Standard
5502:Message authentication code
5457:Cryptographic hash function
5270:Cryptographic hash function
4170:HTML5 Animation of Rijndael
4021:. In Zheng, Yuliang (ed.).
3418:10.1007/978-3-319-19962-7_3
3002:Lynn Hathaway (June 2003).
2299:differential fault analysis
2210:, Dmitry Khovratovich, and
2158:XSL attack on block ciphers
668:14 rounds for 256-bit keys.
665:12 rounds for 192-bit keys.
662:10 rounds for 128-bit keys.
5381:Harvest now, decrypt later
3987:"AMD Ryzen 7 1700X Review"
2358:Sensitive but Unclassified
2034:Optimization of the cipher
889:{\displaystyle S(a_{i,j})}
335:Description of the ciphers
5497:Post-quantum cryptography
5089:Time/memory/data tradeoff
851:array is replaced with a
5487:Quantum key distribution
5477:Authenticated encryption
5332:Random number generation
4877:Whitening transformation
3121:. University of London.
3062:Fast Software Encryption
2954:10.1007/3-540-36400-5_13
2828:"AES Proposal: Rijndael"
2754:"AES Proposal: Rijndael"
2695:"Another New AES Attack"
2080:National Security Agency
1767:with a fixed polynomial
370:AES operates on a 4 × 4
309:National Security Agency
268:Data Encryption Standard
5482:Public-key cryptography
5472:Symmetric-key algorithm
5275:Key derivation function
5235:Cryptographic primitive
5228:Authentication protocol
5218:Outline of cryptography
5213:History of cryptography
4848:Confusion and diffusion
4139:"Part 3: Block ciphers"
3321:Vincent Rijmen (2010).
3176:; Doug Whiting (2001).
2253:may help to break AES.
2024:Rijndael's key schedule
840:{\displaystyle a_{i,j}}
285:AES is included in the
272:symmetric-key algorithm
5223:Cryptographic protocol
3697:10.1109/EuroSP.2016.29
3306:Agren, Martin (2012).
2453:AES modes of operation
2426:AES-NI instruction set
2106:For cryptographers, a
2084:classified information
910:multiplicative inverse
900:. Before round 0, the
5376:End-to-end encryption
5322:Cryptojacking malware
5141:Initialization vector
4160:Animation of Rijndael
4125:10.6028/NIST.FIPS.197
1545:{\displaystyle x^{7}}
1174:linear transformation
1068:step (the inverse of
921:affine transformation
307:approved by the U.S.
298:Secretary of Commerce
257:AES selection process
5492:Quantum cryptography
5416:Trusted timestamping
4920:3-subset MITM attack
4536:Intel Cascade Cipher
4516:Hasty Pudding cipher
4118:. 26 November 2001.
3691:. pp. 261–275.
3188:. pp. 103–111.
2840:on February 3, 2007.
2336:NIST/CSEC validation
2276:D. J. Bernstein
2265:Side-channel attacks
2260:Side-channel attacks
2231:key-recovery attacks
2177:side-channel attacks
2148:", was announced by
1157:{\displaystyle c(x)}
713: – a
707:9, 11 or 13 rounds:
319:Definitive standards
266:. It supersedes the
221:Dutch pronunciation:
137:128, 192 or 256 bits
5255:Cryptographic nonce
4959:Differential-linear
3529:"AES Timing Attack"
2578:{\displaystyle n-1}
2442:AES implementations
2189:Dmitry Khovratovich
1985:Rijndael MixColumns
1123:Rijndael MixColumns
225:[ˈrɛindaːl]
192:Related-key attacks
5361:Subliminal channel
5345:Pseudorandom noise
5292:Key (cryptography)
5032:Differential-fault
4250:internal mechanics
3818:Fierce Electronics
3570:10.1007/11605805_1
3237:, October 15, 2000
3233:2009-02-01 at the
3209:on 4 November 2006
3174:Richard Schroeppel
2602:2009-10-23 at the
2181:related-key attack
2112:brute-force attack
374:array of 16 bytes
372:column-major order
182:brute-force attack
5421:Key-based routing
5411:Trapdoor function
5282:Digital signature
5146:Mode of operation
4823:Lai–Massey scheme
4076:978-3-642-04101-3
4055:978-3-540-42580-9
4034:978-3-540-36178-7
3875:. Csrc.nist.gov.
3765:Intel Corporation
3706:978-1-5090-1751-5
3449:on 8 January 2015
3427:978-3-319-19961-0
3266:978-3-642-03355-1
3064:, 2000 pp. 213–230
2963:978-3-540-00409-7
2552:{\displaystyle n}
2508:for more details.
2247:Snowden documents
2245:According to the
243:developed by two
16:(Redirected from
5356:Insecure channel
5017:Power-monitoring
4858:Avalanche effect
4566:Khufu and Khafre
4219:security summary
3900:. Archived from
3847:. Archived from
3527:Bruce Schneier.
3445:. Archived from
3387:. Archived from
3226:Bruce Schneier,
3198:. Archived from
3143:Bruce Schneier.
2882:. Archived from
2833:. Archived from
2638:on March 6, 2016
2631:. Archived from
2424:CPUs supporting
2330:bits of security
2150:Nicolas Courtois
898:substitution box
814:step, each byte
687:AES key schedule
247:cryptographers,
236:(NIST) in 2001.
5098:Standardization
5022:Electromagnetic
4974:Integral/Square
4931:Piling-up lemma
4915:Biclique attack
4904:EFF DES cracker
4813:Feistel network
4426:CIPHERUNICORN-E
4421:CIPHERUNICORN-A
3736:cseweb.ucsd.edu
3665:. Hacker News.
3235:Wayback Machine
3186:Springer-Verlag
2604:Wayback Machine
2519:Security of AES
2458:Disk encryption
2436:Implementations
2372:Triple DES
2320:Quantum attacks
2274:In April 2005,
2235:biclique attack
2135:distributed.net
2046:steps with the
1192:in the cipher.
896:using an 8-bit
345:Feistel network
264:U.S. government
188:biclique attack
69:First published
5507:Random numbers
5431:Garlic routing
5351:Secure channel
5312:Key stretching
5260:Cryptovirology
5245:Cryptocurrency
4964:Distinguishing
4828:Product cipher
4456:Cryptomeria/C2
4090:External links
4082:alternate link
3474:SPIEGEL ONLINE
3394:on 2012-09-05.
3195:10.1.1.28.4921
3170:Niels Ferguson
3095:. Ziff-Davis.
3042:Bruce Schneier
2886:on 2007-11-03.
2857:New York Times
2440:Main article:
2166:Bruce Schneier
2154:Josef Pieprzyk
2010:operation (⊕).
1121:Main article:
775:Rijndael S-box
773:Main article:
253:Vincent Rijmen
63:Vincent Rijmen
18:AES encryption
5555:Block ciphers
5512:Steganography
5467:Stream cipher
5426:Onion routing
5406:Shared secret
5302:Key generator
5265:Hash function
5240:Cryptanalysis
5044:Interpolation
4891:cryptanalysis
4873:Key whitening
4662:New Data Seal
4401:BEAR and LION
4215:Block ciphers
4103:. EmbeddedSW.
3936:on 2013-01-02
3904:on 2014-12-26
3854:on 2012-04-21
3823:September 26,
3228:AES Announced
3119:"Sean Murphy"
2251:tau statistic
2208:Nathan Keller
2204:Orr Dunkelman
2185:Alex Biryukov
2108:cryptographic
2102:Known attacks
174:cryptanalysis
127:Cipher detail
105:Certification
5565:Cryptography
5462:Block cipher
5307:Key schedule
5297:Key exchange
5287:Kleptography
5250:Cryptosystem
5199:Cryptography
5049:Partitioning
5007:Side-channel
4952:Higher-order
4937:Differential
4818:Key schedule
4048:. Springer.
3970:. Retrieved
3938:. Retrieved
3934:the original
3906:. Retrieved
3902:the original
3881:. Retrieved
3856:. Retrieved
3849:the original
3821:. Retrieved
3777:. Retrieved
3671:. Retrieved
3617:. Retrieved
3581:. Retrieved
3537:. Retrieved
3511:. Retrieved
3505:. Cr.yp.to.
3482:. Retrieved
3451:. Retrieved
3447:the original
3389:the original
3364:. Retrieved
3290:. Retrieved
3211:. Retrieved
3200:the original
3153:. Retrieved
3127:. Retrieved
3101:. Retrieved
3075:. Retrieved
3054:Doug Whiting
3050:David Wagner
3038:Stefan Lucks
3018:. Retrieved
2986:. Retrieved
2884:the original
2856:
2835:the original
2809:. Retrieved
2768:. Retrieved
2733:. Retrieved
2707:. Retrieved
2674:. Retrieved
2640:. Retrieved
2633:the original
2390:Test vectors
2193:constraining
1943:finite field
719:lookup table
683:KeyExpansion
365:finite field
301:Donald Evans
241:block cipher
172:Best public
77:Derived from
5450:Mathematics
5441:Mix network
5134:Utilization
5120:NSA Suite B
5105:AES process
5054:Rubber-hose
4992:Related-key
4900:Brute-force
4279:Less common
4006:. May 2010.
3484:4 September
3453:30 December
3034:John Kelsey
2770:21 February
2668:. Table 1.
2411:Pentium Pro
2404:smart cards
2398:Performance
2053:AddRoundKey
2016:AddRoundKey
2004:AddRoundKey
1993:AddRoundKey
1890:hexadecimal
1066:InvSubBytes
925:derangement
757:AddRoundKey
737:AddRoundKey
700:bitwise xor
696:AddRoundKey
407:termed the
249:Joan Daemen
143:Block sizes
59:Joan Daemen
5549:Categories
5401:Ciphertext
5371:Decryption
5366:Encryption
5327:Ransomware
5084:Chi-square
5002:Rotational
4942:Impossible
4863:Block size
4757:Spectr-H64
4581:Ladder-DES
4576:Kuznyechik
4521:Hierocrypt
4391:BassOmatic
4354:algorithms
4281:algorithms
4254:Triple DES
4229:algorithms
4164:CrypTool 1
3972:2010-12-28
3940:2012-12-23
3908:2014-06-26
3883:2012-12-23
3858:2012-05-29
3779:2017-07-26
3673:2012-12-23
3619:2009-12-08
3583:2008-11-02
3539:2007-03-17
3513:2008-11-02
3366:2010-03-11
3292:2010-03-11
3213:2006-10-06
3205:PostScript
3155:2007-07-27
3129:2008-11-02
3077:2007-03-06
3020:2011-02-15
2988:2012-12-23
2811:August 26,
2735:2010-03-11
2709:2010-03-11
2676:2010-02-16
2612:References
2418:Intel Core
2354:FIPS 140-2
2287:Adi Shamir
2229:The first
2212:Adi Shamir
2146:XSL attack
2068:MixColumns
2048:MixColumns
1939:MDS matrix
1935:MixColumns
1186:MixColumns
1178:MixColumns
1170:MixColumns
1133:MixColumns
1115:MixColumns
731:MixColumns
715:non-linear
656:ciphertext
349:block size
313:top secret
311:(NSA) for
230:encryption
87:Successors
33:(Rijndael)
5391:Plaintext
5059:Black-bag
4979:Boomerang
4968:Known-key
4947:Truncated
4772:Threefish
4767:SXAL/MBAL
4657:MultiSwap
4612:MacGuffin
4571:KN-Cipher
4511:Grand Cru
4466:CS-Cipher
4446:COCONUT98
3925:OpenSSL,
3190:CiteSeerX
3103:August 7,
3046:Mike Stay
2570:−
2463:Whirlpool
2422:AMD Ryzen
2269:black box
2137:in 2006.
2064:ShiftRows
2044:ShiftRows
1858:⋅
1830:⋅
1802:⋅
1730:⋅
1505:≤
1499:≤
1190:diffusion
1188:provides
1182:ShiftRows
1106:ShiftRows
1098:ShiftRows
1090:ShiftRows
1078:ShiftRows
1040:≠
1021:⊕
960:≠
927:), i.e.,
752:ShiftRows
725:ShiftRows
652:plaintext
152:Structure
133:Key sizes
95:Grand Cru
55:Designers
5530:Category
5436:Kademlia
5396:Codetext
5339:(CSPRNG)
5110:CRYPTREC
5074:Weak key
5027:Acoustic
4868:Key size
4712:Red Pike
4531:IDEA NXT
4411:Chiasmus
4406:CAST-256
4386:BaseKing
4371:Akelarre
4366:Adiantum
4333:Skipjack
4298:CAST-128
4293:Camellia
4241:Blowfish
4150:Archived
3963:Archived
3877:Archived
3770:Archived
3740:Archived
3715:11251391
3667:Archived
3646:Archived
3610:Archived
3574:Archived
3533:Archived
3507:Archived
3478:Archived
3360:Archived
3334:Archived
3286:Archived
3231:Archived
3149:Archived
3123:Archived
3097:Archived
3071:Archived
3011:Archived
2982:Archived
2924:Archived
2902:Archived
2861:Archived
2802:Archived
2761:Archived
2729:Archived
2703:Archived
2670:Archived
2600:Archived
2447:See also
2430:Westmere
2365:FIPS 140
2291:dm-crypt
2200:preprint
2074:Security
2060:SubBytes
2040:SubBytes
1070:SubBytes
812:SubBytes
785:SubBytes
767:SubBytes
747:SubBytes
711:SubBytes
357:key size
355:, and a
217:Rijndael
201:version.
198:preprint
147:128 bits
113:CRYPTREC
111:winner,
5206:General
5151:Padding
5069:Rebound
4777:Treyfer
4727:SAVILLE
4687:PRESENT
4677:NOEKEON
4622:MAGENTA
4617:Madryga
4597:Lucifer
4461:CRYPTON
4270:Twofish
4260:Serpent
2586:blocks.
2326:quantum
2280:OpenSSL
2170:Twofish
2133:key by
2115:
2014:In the
2002:In the
1941:in the
1621:with 1B
1168:In the
1131:In the
1088:In the
853:SubByte
847:in the
810:In the
783:In the
398:
394:
384:
351:of 128
294:18033-3
245:Belgian
50:General
5317:Keygen
5115:NESSIE
5064:Davies
5012:Timing
4927:Linear
4887:Attack
4806:Design
4797:Zodiac
4762:Square
4737:SHACAL
4732:SC2000
4692:Prince
4672:Nimbus
4667:NewDES
4652:MULTI2
4642:MISTY1
4585:LOKI (
4561:KHAZAD
4556:KeeLoq
4551:KASUMI
4546:Kalyna
4431:CLEFIA
4416:CIKS-1
4376:Anubis
4227:Common
4128:. 197.
4073:
4052:
4031:
3713:
3703:
3424:
3263:
3192:
3052:, and
2960:
2642:May 1,
2521:below.
2066:, and
2022:using
1933:. The
1176:. The
1102:offset
906:cipher
361:per se
305:cipher
163:Rounds
117:NESSIE
99:Kalyna
91:Anubis
81:Square
5347:(PRN)
4997:Slide
4853:Round
4838:P-box
4833:S-box
4792:XXTEA
4752:Speck
4747:Simon
4742:SHARK
4722:SAFER
4707:REDOC
4632:Mercy
4591:89/91
4541:Iraqi
4506:G-DES
4496:FEA-M
4476:DES-X
4441:Cobra
4396:BATON
4381:Ascon
4361:3-Way
4352:Other
4153:(PDF)
4142:(PDF)
4112:(PDF)
4004:(PDF)
3966:(PDF)
3959:(PDF)
3852:(PDF)
3845:(PDF)
3801:: 40.
3773:(PDF)
3760:(PDF)
3743:(PDF)
3732:(PDF)
3711:S2CID
3649:(PDF)
3638:(PDF)
3613:(PDF)
3602:(PDF)
3577:(PDF)
3558:(PDF)
3392:(PDF)
3385:(PDF)
3337:(PDF)
3326:(PDF)
3203:(PDF/
3014:(PDF)
3007:(PDF)
2927:(PDF)
2920:(PDF)
2838:(PDF)
2831:(PDF)
2805:(PDF)
2794:(PDF)
2764:(PDF)
2757:(PDF)
2636:(PDF)
2629:(PDF)
2475:Notes
2409:On a
2123:(see
912:over
902:state
849:state
409:state
5125:CNSA
4984:Mod
4910:MITM
4682:NUSH
4637:MESH
4627:MARS
4501:FROG
4491:FEAL
4471:DEAL
4451:Crab
4436:CMEA
4343:XTEA
4328:SEED
4308:IDEA
4303:GOST
4288:ARIA
4071:ISBN
4050:ISBN
4029:ISBN
3825:2023
3701:ISBN
3486:2015
3455:2014
3422:ISBN
3261:ISBN
3105:2010
2958:ISBN
2813:2024
2772:2013
2644:2019
2597:here
2517:See
2504:See
2420:and
2376:SHA1
2340:The
2152:and
2078:The
2042:and
1991:The
1117:step
1113:The
1096:The
1080:step
1076:The
769:step
765:The
396:...,
353:bits
279:FIPS
251:and
207:The
72:1998
5079:Tau
5039:XSL
4843:SPN
4787:xmx
4782:UES
4717:S-1
4702:RC2
4647:MMB
4526:ICE
4481:DFC
4338:TEA
4323:RC6
4318:RC5
4313:LEA
4265:SM4
4246:DES
4236:AES
4120:doi
3799:HAL
3693:doi
3566:doi
3414:doi
3253:doi
2950:doi
2416:On
2374:or
2131:RC5
2028:XOR
2020:key
2008:XOR
1619:XOR
917:(2)
800:S(a
291:IEC
287:ISO
213:AES
121:NSA
109:AES
5551::
4607:M8
4602:M6
4589:,
4587:97
4486:E2
4252:,
4144:.
4114:.
4099:.
3961:.
3928:.
3917:^
3833:^
3816:.
3797:.
3768:.
3762:.
3738:.
3734:.
3709:.
3699:.
3644:.
3640:.
3608:.
3604:.
3572:.
3564:.
3560:.
3531:.
3494:^
3476:.
3472:.
3420:.
3400:^
3358:.
3354:.
3332:.
3328:.
3284:.
3259:.
3184:.
3180:.
3172:;
3147:.
3069:.
3060:,
3056:,
3048:,
3044:,
3040:,
3036:,
3009:.
2980:.
2956:.
2944:.
2922:.
2900:.
2878:.
2859:.
2855:.
2796:.
2780:^
2744:^
2727:.
2701:.
2697:.
2685:^
2663:,
2652:^
2206:,
2187:,
2160:.
2086::
2062:,
2030:.
1987:.
1952:GF
1900:GF
1874:16
1869:02
1853:16
1848:01
1825:16
1820:01
1797:16
1792:03
1753:16
1748:01
1725:16
1720:01
1679:GF
1668:.
1637:GF
1627:16
1623:16
1184:,
1050:16
1045:FF
915:GF
802:ij
798:=
795:ij
791:;
623:15
611:11
573:14
561:10
523:13
473:12
411::
404:15
367:.
119:,
115:,
97:,
93:,
61:,
5191:e
5184:t
5177:v
4986:n
4970:)
4966:(
4933:)
4929:(
4906:)
4902:(
4893:)
4889:(
4879:)
4875:(
4697:Q
4593:)
4256:)
4248:(
4221:)
4217:(
4207:e
4200:t
4193:v
4122::
4079:.
4058:.
4037:.
3989:.
3975:.
3943:.
3911:.
3886:.
3861:.
3827:.
3782:.
3717:.
3695::
3676:.
3622:.
3586:.
3568::
3542:.
3516:.
3488:.
3457:.
3430:.
3416::
3369:.
3295:.
3269:.
3255::
3216:.
3207:)
3158:.
3132:.
3107:.
3080:.
3023:.
2991:.
2966:.
2952::
2815:.
2774:.
2738:.
2712:.
2679:.
2646:.
2573:1
2567:n
2547:n
2127:)
2117:â
1971:)
1966:8
1962:2
1958:(
1921:]
1918:x
1915:[
1912:)
1909:2
1906:(
1864:+
1861:z
1843:+
1838:2
1834:z
1815:+
1810:3
1806:z
1787:=
1784:)
1781:z
1778:(
1775:c
1743:+
1738:4
1734:z
1698:)
1693:8
1689:2
1685:(
1656:)
1651:8
1647:2
1643:(
1605:1
1602:+
1599:x
1596:+
1591:3
1587:x
1583:+
1578:4
1574:x
1570:+
1565:8
1561:x
1538:7
1534:x
1508:3
1502:j
1496:0
1490:]
1482:j
1479:,
1476:3
1472:a
1462:j
1459:,
1456:2
1452:a
1442:j
1439:,
1436:1
1432:a
1422:j
1419:,
1416:0
1412:a
1405:[
1398:]
1392:2
1387:1
1382:1
1377:3
1370:3
1365:2
1360:1
1355:1
1348:1
1343:3
1338:2
1333:1
1326:1
1321:1
1316:3
1311:2
1305:[
1300:=
1295:]
1287:j
1284:,
1281:3
1277:b
1267:j
1264:,
1261:2
1257:b
1247:j
1244:,
1241:1
1237:b
1227:j
1224:,
1221:0
1217:b
1210:[
1164:.
1152:)
1149:x
1146:(
1143:c
1035:j
1032:,
1029:i
1025:a
1018:)
1013:j
1010:,
1007:i
1003:a
999:(
996:S
974:j
971:,
968:i
964:a
957:)
952:j
949:,
946:i
942:a
938:(
935:S
884:)
879:j
876:,
873:i
869:a
865:(
862:S
833:j
830:,
827:i
823:a
806:.
804:)
793:b
789:S
721:.
702:.
631:]
619:b
607:b
599:7
595:b
587:3
583:b
569:b
557:b
549:6
545:b
537:2
533:b
519:b
511:9
507:b
499:5
495:b
487:1
483:b
469:b
461:8
457:b
449:4
445:b
437:0
433:b
426:[
401:b
392:,
390:1
387:b
382:,
380:0
377:b
289:/
219:(
211:(
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.