's AES encryption. The attack required over 200 million chosen plaintexts. The custom server was designed to give out as much timing information as possible (the server reports back the number of machine cycles taken by the encryption operation). However, as Bernstein pointed out, "reducing the precision of the server's timestamps, or eliminating them from the server's responses, does not stop the attack: the client simply uses round-trip timings based on its local clock, and compensates for the increased noise by averaging over a larger number of samples."

) validated at the same time. Therefore, it is rare to find cryptographic modules that are uniquely FIPS 197 validated and NIST itself does not generally take the time to list FIPS 197 validated modules separately on its public web site. Instead, FIPS 197 validation is typically just listed as an "FIPS approved: AES" notation (with a specific FIPS 197 certificate number) in the current list of FIPS 140 validated cryptographic modules.

(e.g., well over $30,000 US) and does not include the time it takes to write, test, document and prepare a module for validation. After validation, modules must be re-submitted and re-evaluated if they are changed in any way. This can vary from simple paperwork updates if the security functionality did not change to a more substantial set of re-testing if the security functionality was impacted by the change.

. A break can thus include results that are infeasible with current technology. Despite being impractical, theoretical breaks can sometimes provide insight into vulnerability patterns. The largest successful publicly known brute-force attack against a widely implemented block-cipher encryption algorithm was against a 64-bit

, is against AES-256 that uses only two related keys and 2 time to recover the complete 256-bit key of a 9-round version, or 2 time for a 10-round version with a stronger type of related subkey attack, or 2 time for an 11-round version. 256-bit AES uses 14 rounds, so these attacks are not effective against full AES.

(SBU) or above. From NSTISSP #11, National Policy Governing the Acquisition of Information Assurance: "Encryption products for protecting classified information will be certified by NSA, and encryption products intended for protecting sensitive information will be certified in accordance with NIST FIPS 140-2."

This is a very small gain, as a 126-bit key (instead of 128 bits) would still take billions of years to brute force on current and foreseeable hardware. Also, the authors calculate the best attack using their technique on AES with a 128-bit key requires storing 2 bits of data. That works out to about

In March 2016, Ashokkumar C., Ravi Prakash Giri and Bernard Menezes presented a side-channel attack on AES implementations that can recover the complete 128-bit AES key in just 6–7 blocks of plaintext/ciphertext, which is a substantial improvement over previous works that require between 100 and a
The key space increases by a factor of 2 for each additional bit of key length, and if every possible value of the key is equiprobable, this translates into a doubling of the average brute-force key search time with every additional bit of key length. This implies that the effort of a brute-force
The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect

FIPS 140-2 validation is challenging to achieve both technically and fiscally. There is a standardized battery of tests as well as an element of source code review that must be passed over a period of a few weeks. The cost to perform these tests through an approved laboratory can be significant

and is faster than brute force by a factor of about four. It requires 2 operations to recover an AES-128 key. For AES-192 and AES-256, 2 and 2 operations are needed, respectively. This result has been further improved to 2 for AES-128, 2 for AES-192 and 2 for AES-256, which are the current best

The Cryptographic Algorithm Validation Program (CAVP) allows for independent validation of the correct implementation of the AES algorithm. Successful validation results in being listed on the NIST validations page. This testing is a pre-requisite for the FIPS 140-2 module validation. However,

In November 2010 Endre Bangerter, David Gullasch and Stephan Krenn published a paper which described a practical approach to a "near real time" recovery of secret keys from AES-128 without the need for either cipher text or plaintext. The approach also works on AES-128 implementations that use

against a reduced 8-round version of AES-128 was released as a preprint. This known-key distinguishing attack is an improvement of the rebound, or the start-from-the-middle attack, against AES-like permutations, which view two consecutive rounds of permutation as the application of a so-called

, and Ivica Nikolić, with a complexity of 2 for one out of every 2 keys. However, related-key attacks are not of concern in any properly designed cryptographic protocol, as a properly designed protocol (i.e., implementational software) will take care not to allow related keys, essentially by

step by transforming them into a sequence of table lookups. This requires four 256-entry 32-bit tables (together occupying 4096 bytes). A round can then be performed with 16 table lookup operations and 12 32-bit exclusive-or operations, followed by four 32-bit exclusive-or operations in the

, and thus are not related to cipher security as defined in the classical context, but are important in practice. They attack implementations of the cipher on hardware or software systems that inadvertently leak data. There are several such known attacks on various implementations of AES.

successful CAVP validation in no way implies that the cryptographic module implementing the algorithm is secure. A cryptographic module lacking FIPS 140-2 validation or specific approval by the NSA is not deemed secure by the US Government and cannot be used to protect government data.

partition encryption function. One attack was able to obtain an entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.

$$\begin{bmatrix}b_{0,j}\\b_{1,j}\\b_{2,j}\\b_{3,j}\end{bmatrix}=\begin{bmatrix}2&3&1&1\\1&2&3&1\\1&1&2&3\\3&1&1&2\end{bmatrix}\begin{bmatrix}a_{0,j}\\a_{1,j}\\a_{2,j}\\a_{3,j}\end{bmatrix}\qquad 0\leq j\leq 3$$

bytes. For a 256-bit block, the first row is unchanged and the shifting for the second, third and fourth row is 1 byte, 3 bytes and 4 bytes respectively; this change only applies for the Rijndael cipher when used with a 256-bit block, as AES does not use 256-bit

compression tables, such as OpenSSL. Like some earlier attacks, this one requires the ability to run unprivileged code on the system performing the AES encryption, which may be achieved by malware infection far more easily than commandeering the root account.

38 trillion terabytes of data, which was more than all the data stored on all the computers on the planet in 2016. A paper in 2015 later improved the space complexity to 2 bits, which is 9007 terabytes (while still keeping a time complexity of 2).

in 2009. This attack is against AES-256 that uses only two related keys and 2 time to recover the complete 256-bit key of a 9-round version, or 2 time for a 10-round version with a stronger type of related subkey attack, or 2 time for an 11-round

. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively. In this way, each column of the output state of the

. AES-192 and AES-128 are not considered quantum resistant due to their smaller key sizes. AES-192 has a strength of 96 bits against quantum attacks and AES-128 has 64 bits of strength against quantum attacks, making them both insecure.

During the AES selection process, developers of competing algorithms wrote of Rijndael's algorithm "we are concerned about use ... in security-critical applications." In October 2000, however, at the end of the AES selection process,

PUB 197 (FIPS 197) on November 26, 2001. This announcement followed a five-year standardization process in which fifteen competing designs were presented and evaluated, before the Rijndael cipher was selected as the most suitable.

Each round consists of several processing steps, including one that depends on the encryption key itself. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.

(NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for U.S. Government non-classified data. In June 2003, the U.S. Government announced that AES could be used to protect

. Rijndael is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.

step is composed of bytes from each column of the input state. The importance of this step is to avoid the columns being encrypted independently, in which case AES would degenerate into four independent block ciphers.

, purporting to show a weakness in the AES algorithm, partially due to the low complexity of its nonlinear components. Since then, other papers have shown that the attack, as originally presented, is unworkable; see

, wrote that while he thought successful academic attacks on Rijndael would be developed someday, he "did not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic."

The practicality of these attacks with stronger related keys has been criticized, for instance, by the paper on chosen-key-relations-in-the-middle attacks on AES-128 authored by Vincent Rijmen in 2010.

Super-S-box. It works on the 8-round version of AES-128, with a time complexity of 2, and a memory complexity of 2. 128-bit AES uses 10 rounds, so this attack is not effective against full AES-128.

$$\begin{bmatrix}b_{0}&b_{4}&b_{8}&b_{12}\\b_{1}&b_{5}&b_{9}&b_{13}\\b_{2}&b_{6}&b_{10}&b_{14}\\b_{3}&b_{7}&b_{11}&b_{15}\end{bmatrix}$$

Advances in Cryptology – ASIACRYPT 2002: 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1–5, 2002, Proceedings

was discovered that exploits the simplicity of AES's key schedule and has a complexity of 2. In December 2009 it was improved to 2. This is a follow-up to an attack discovered earlier in 2009 by

search increases exponentially with key length. Key length in itself does not imply security against attacks, since there are ciphers with very long keys that have been found to be vulnerable.

Although NIST publication 197 ("FIPS 197") is the unique document that covers the AES algorithm, vendors typically approach the CMVP under FIPS 140 and ask to have several algorithms (such as

, known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible

High speed and low RAM requirements were some of the criteria of the AES selection process. As the chosen algorithm, AES performed well on a wide variety of hardware, from 8-bit

– AES deeply explained and animated using Flash (by Enrique Zabala / University ORT / Montevideo / Uruguay). This animation (in English, Spanish, and German) is also part of

Block sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm for each key size, but only the 128-bit block size is specified in the AES standard.

is specified with block and key sizes that may be any multiple of 32 bits, with a minimum of 128 and a maximum of 256 bits. Most AES calculations are done in a particular

step. Alternatively, the table lookup operation can be performed with a single 256-entry 32-bit table (occupying 1024 bytes) followed by circular rotation operations.

Key sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128, 192, and 256-bit key sizes are specified in the AES standard.

At present, there is no known practical attack that would allow someone without knowledge of the key to read data encrypted by AES when correctly implemented.

Test vectors are a set of known ciphers for a given input and key. NIST distributes the reference of AES test vectors as AES Known Answer Test (KAT) Vectors.

Rijndael variants with a larger block size have slightly different offsets. For blocks of sizes 128 bits and 192 bits, the shifting pattern is the same. Row

step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs incrementally for each row.
; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise
Matrix multiplication is composed of multiplication and addition of the entries. Entries are bytes treated as coefficients of polynomial of order

During this operation, each column is transformed using a fixed matrix (matrix left-multiplied by column gives new value of column in the state):

"National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information"

and Eran Tromer presented a paper demonstrating several cache-timing attacks against the implementations in AES found in OpenSSL and Linux's

, AES encryption requires 18 clock cycles per byte (cpb), equivalent to a throughput of about 11 MiB/s for a 200 MHz processor.

on full AES were by Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in 2011. The attack is a

– a linear mixing operation which operates on the columns of the state, combining the four bytes in each column.

– a transposition step where the last three rows of the state are shifted cyclically a certain number of steps.

Bruce Schneier; John Kelsey; Doug Whiting; David Wagner; Chris Hall; Niels Ferguson; Tadayoshi Kohno; et al. (May 2000).

function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with

By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.

(overflow must be corrected by subtraction of generating polynomial). These are special cases of the usual multiplication in

) is used, which requires first taking the inverse of the affine transformation and then finding the multiplicative inverse.

million encryptions. The proposed attack requires standard user privilege and key-retrieval algorithms run under a minute.

resistant, as it has similar quantum resistance to AES-128's resistance against traditional, non-quantum, attacks at 128

national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.

Cryptography – 256 bit Ciphers: Reference source code and submissions to international cryptographic designs contests

The key size used for an AES cipher specifies the number of transformation rounds that convert the input, called the

"ISO/IEC 18033-3: Information technology – Security techniques – Encryption algorithms – Part 3: Block ciphers"

standard. AES became effective as a U.S. federal government standard on May 26, 2002, after approval by U.S.

On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by combining the

. For biclique attacks on AES-192 and AES-256, the computational complexities of 2 and 2 respectively apply.

. AES is available in many different encryption packages, and is the first (and only) publicly accessible

Schneier, Bruce; Kelsey, John; Whiting, Doug; Wagner, David; Hall, Chris; Ferguson, Niels (1999-02-01).

"byte-oriented-aes – A public domain byte-oriented implementation of AES in C – Google Project Hosting"

Bertoni, Guido; Breveglieri, Luca; Fragneto, Pasqualina; MacChetti, Marco; Marchesin, Stefano (2003).

. Lecture Notes in Computer Science. Vol. 5677. Springer Berlin / Heidelberg. pp. 231–249.

is required by the United States Government for encryption of all data that has a classification of

, and is efficient in both software and hardware. Unlike its predecessor DES, AES does not use a

AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.

step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain

step, the subkey is combined with the state. For each round, a subkey is derived from the main

can break AES-256 and AES-192 with complexities 2 and 2 in both time and data, respectively.

Large-block variants of Rijndael use an array with additional columns, but always four rows.

Alex Biryukov; Orr Dunkelman; Nathan Keller; Dmitry Khovratovich; Adi Shamir (2009-08-19).

. United States National Institute of Standards and Technology (NIST). November 26, 2001.

CPU, AES encryption using AES-NI takes about 1.3 cpb for AES-128 and 1.8 cpb for AES-256.

The AES Known Answer Test (KAT) Vectors are available in Zip format within the NIST site

$$c(z)={03}_{16}\cdot z^{3}+{01}_{16}\cdot z^{2}+{01}_{16}\cdot z+{02}_{16}$$

– each byte of the state is combined with a byte of the round key using

"NSTISSP No. 11, Revised Fact Sheet, National Information Assurance Acquisition Policy"
AES has a fairly simple algebraic framework. In 2002, a theoretical attack, named the "

step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table,

Biaoshuai Tao & Hongjun Wu (2015). "Improving the Biclique Cryptanalysis of AES".

Proceedings of Selected Areas in Cryptography, 2001, Lecture Notes in Computer Science

(CSE) of the Government of Canada. The use of cryptographic modules validated to NIST

array is simply the plaintext/input. This operation provides the non-linearity in the

For AES-128, the key can be recovered with a computational complexity of 2 using the

Bonnetain, Xavier; Naya-Plasencia, María; Schrottenloher, André (December 6, 2019).

In December 2009 an attack on some hardware implementations was published that used

"Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds"

Nikolić, Ivica (2009). "Distinguisher and Related-Key Attack on the Full AES-256".

step, each byte of the state is combined with a byte of the round subkey using the

step, the four bytes of each column of the state are combined using an invertible

validated cryptographic modules in unclassified applications of its departments.

Another attack was blogged by Bruce Schneier on July 30, 2009, and released as a

announced a cache-timing attack that he used to break a custom server that used

Until May 2009, the only successful published attacks against the full AES were

. AES requires a separate 128-bit round key block for each round plus one more.

, meaning the same key is used for both encrypting and decrypting the data.

. Addition is simply XOR. Multiplication is modulo irreducible polynomial

substitution step where each byte is replaced with another according to a

Journal of Research of the National Institute of Standards and Technology

Andrey Bogdanov; Dmitry Khovratovich & Christian Rechberger (2011).

i.e., performing one trial decryption for each possible key in sequence

(DES), which was published in 1977. The algorithm described by AES is a

Attacks have been published that are computationally faster than a full

. Lecture Notes in Computer Science. Vol. 2523. pp. 159–171.

, the NSA is doing research on whether a cryptographic attack based on

– round keys are derived from the cipher key using the

"Cryptanalysis of Block Ciphers with Overdefined Systems of Equations"

"Cache Games – Bringing Access-Based Cache Attacks on AES to Practice"

"Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations"

Schneier on Security, A blog covering security and security technology

Understanding Cryptography: A Textbook for Students and Practitioners

. Lecture Notes in Computer Science. Vol. 9144. pp. 39–56.

"Academic: Improved Cryptanalysis of Rijndael - Schneier on Security"

step, each column of the state is multiplied with a fixed polynomial

Information technology – Security techniques – Encryption algorithms

– hash function created by Vincent Rijmen and Paulo S. L. M. Barreto

step can also be viewed as a multiplication by the shown particular
In a more general sense, each column is treated as a polynomial over
2016 IEEE European Symposium on Security and Privacy (EuroS&P)

. The S-box is also chosen to avoid any fixed points (and so is a

"Intel® Advanced Encryption Standard (AES) New Instructions Set"

"NIST reports measurable success of Advanced Encryption Standard"

"Practical-Titled Attack on AES-128 Using Chosen-Text Relations"

equivalent of the binary representation of bit polynomials from

. If processed bit by bit, then, after shifting, a conditional

information when used in an NSA approved cryptographic module.

The Design of Rijndael: AES – The Advanced Encryption Standard

"Efficient Software Implementation of AES on 32-Bit Platforms"

Using a byte-oriented approach, it is possible to combine the

The Advanced Encryption Standard (AES) is defined in each of:

(menu Indiv. Procedures → Visualization of Algorithms → AES).

"A Diagonal Fault Attack on the Advanced Encryption Standard"

. National Institute of Standards and Technology. p. 1.

(CMVP) is operated jointly by the United States Government's

, which protect against timing-related side-channel attacks.

$$S(a_{i,j})\oplus a_{i,j}\neq {\text{FF}}_{16}$$

Endre Bangerter; David Gullasch & Stephan Krenn (2010).

In the United States, AES was announced by the NIST as U.S.

"Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules"

Dhiman Saha; Debdeep Mukhopadhyay; Dipanwita RoyChowdhury.

"Related-key Cryptanalysis of the Full AES-192 and AES-256"

(2nd ed.). ISO. 2010-12-15. ISO/IEC 18033-3:2010(E).

Ashokkumar C.; Ravi Prakash Giri; Bernard Menezes (2016).

extensions, throughput can be multiple GiB/s. On an Intel

should be performed if the shifted value is larger than FF

Federal Information Processing Standards Publication 197

AES algorithm archive information – (old, unmaintained)

Cryptographic Hardware and Embedded Systems - CHES 2002

an attacker's means of selecting keys for relatedness.

, though none as of 2023 are computationally feasible.

Cryptographically secure pseudorandom number generator

"Breaking AES-128 in realtime, no ciphertext required"

Dag Arne Osvik; Adi Shamir; Eran Tromer (2005-11-20).

"AES News, Crypto-Gram Newsletter, September 15, 2002"

on August 3, 2009. This new attack, by Alex Biryukov,

SPIEGEL ONLINE, Hamburg, Germany (28 December 2014).

and allows recovery of a key with a complexity of 2.

Cryptanalysis § Computational resources required

(companion web site contains online lectures on AES)

"Cache Attacks and Countermeasures: the Case of AES"

"The Twofish Team's Final Comments on AES Selection"

Joan Daemen and Vincent Rijmen (September 3, 1999).

The Government of Canada also recommends the use of

On Some Symmetric Lightweight Cryptographic Designs

"Announcing the ADVANCED ENCRYPTION STANDARD (AES)"

. This process is described further in the article

Final round (making 10, 12 or 14 rounds in total):

"Are AES x86 Cache Timing Attacks Still Feasible?"

on some specific implementations. In 2009, a new

"Performance Comparisons of the AES submissions"

The Cryptographer's Track at RSA Conference 2006

. Dissertation, Lund University. pp. 38–39.

of 128, 192, or 256 bits. By contrast, Rijndael

FIPS PUB 197: Advanced Encryption Standard (AES)

"A simple algebraic representation of Rijndael"

Daemen, Joan; Rijmen, Vincent (March 9, 2003).

List of free and open-source software packages

National Institute of Standards and Technology

$${01}_{16}\cdot z^{4}+{01}_{16}$$

AES is based on a design principle known as a

, who submitted a proposal to NIST during the

Standard for the encryption of electronic data

. AES is a variant of Rijndael, with a fixed

Another attack was blogged and released as a
results in a key recovery attack against AES.
, and also any opposite fixed points, i.e.,

Courtois, Nicolas; Pieprzyk, Josef (2003).

"Securing the Enterprise with Intel AES-NI"

"Inside the NSA's War on Internet Security"

Henri Gilbert; Thomas Peyrin (2009-11-09).

of electronic data established by the U.S.

"OpenSSL's Notes about FIPS certification"

(NIST) Computer Security Division and the

$$\operatorname{GF}(2^{8})$$

. The coefficients are displayed in their

"U.S. Selects a New Encryption Technique"

, a developer of the competing algorithm

– Same Animation as above made in HTML5.

Federal Information Processing Standards

"Biclique Cryptanalysis of the Full AES"

Alex Biryukov and Dmitry Khovratovich,

Cryptographic Module Validation Program

. While performing the decryption, the

High-level description of the algorithm

. The number of rounds is as follows:

Visualization of the AES round function

Daemen, Joan; Rijmen, Vincent (2002).

"AES-256 joins the quantum resistance"

$$\operatorname{GF}(2)$$

$$S(a_{i,j})\neq a_{i,j}$$

Communications Security Establishment

steps into a single round operation.

$$x^{8}+x^{4}+x^{3}+x+1$$

. The S-box used is derived from the

"Advanced Encryption Standard (AES)"

Advances in Cryptology - CRYPTO 2009

Advanced Encryption Standard process

, into the final output, called the

10, 12 or 14 (depending on key size)

Paar, Christof; Pelzl, Jan (2009).

"Index of formal scientific papers"

), also known by its original name

"Quantum Security Analysis of AES"

Improved Cryptanalysis of Rijndael

"break" is anything faster than a

"256bit key – 128bit block – AES"

"Is encryption really crackable?"

John Schwartz (October 3, 2000).

In October 2005, Dag Arne Osvik,

AES is a variant of the Rijndael

Information Security and Privacy

substitution–permutation network

Substitution–permutation network

Jeffrey Goldberg (2011-08-18).

to high-performance computers.

Many modern CPUs have built-in

known-key distinguishing attack

Information-theoretic security

. Springer. pp. 268–287.

OpenSSL, openssl@openssl.org.

O'Shea, Dan (April 26, 2022).

IACR Cryptology ePrint Archive
3443:"AES Encryption isn't Cracked"
3356:IACR Cryptology ePrint Archive
3330:IACR Cryptology ePrint Archive
2716:
2397:
2267:do not attack the cipher as a
1970:
1957:
1920:
1914:
1911:
1905:
1783:
1777:
1710:and is then multiplied modulo
1697:
1684:
1655:
1642:
1151:
1145:
1017:
998:
956:
937:
883:
864:
330:ISO/IEC 18033-3: Block ciphers
228:), is a specification for the
13:
1:
4066:. Springer. pp. 87â122.
3929:. Openssl.org. Archived from
3091:Ou, George (April 30, 2006).
2693:Bruce Schneier (2009-07-30).
2611:
2518:
2314:hardware instructions for AES
5572:Advanced Encryption Standard
3257:10.1007/978-3-642-03356-8_14
2874:Westlund, Harold B. (2002).
2559:is shifted left circular by
2324:AES-256 is considered to be
2221:In November 2009, the first
692:Initial round key addition:
262:AES has been adopted by the
209:Advanced Encryption Standard
31:Advanced Encryption Standard
7:
5514:Message authentication code
5469:Cryptographic hash function
5272:Cryptographic hash function
4167:HTML5 Animation of Rijndael
4018:. In Zheng, Yuliang (ed.).
3418:10.1007/978-3-319-19962-7_3
3002:Lynn Hathaway (June 2003).
2446:
2299:differential fault analysis
2210:, Dmitry Khovratovich, and
2158:XSL attack on block ciphers
2122:
2073:
668:14 rounds for 256-bit keys.
665:12 rounds for 192-bit keys.
662:10 rounds for 128-bit keys.
10:
5593:
5393:Harvest now, decrypt later
3984:"AMD Ryzen 7 1700X Review"
2439:
2358:Sensitive but Unclassified
2034:Optimization of the cipher
1120:
889:{\displaystyle S(a_{i,j})}
772:
335:Description of the ciphers
5532:
5509:Post-quantum cryptography
5461:
5202:
5164:
5130:
5094:
5086:Time/memory/data tradeoff
4883:
4802:
4348:
4275:
4223:
4180:
4176:
851:array is replaced with a
179:
171:
161:
151:
141:
131:
126:
104:
86:
76:
68:
54:
49:
37:
5499:Quantum key distribution
5489:Authenticated encryption
5344:Random number generation
4874:Whitening transformation
3121:. University of London.
3062:Fast Software Encryption
2954:10.1007/3-540-36400-5_13
2828:"AES Proposal: Rijndael"
2754:"AES Proposal: Rijndael"
2695:"Another New AES Attack"
2474:
2080:National Security Agency
1767:with a fixed polynomial
370:AES operates on a 4 Ă 4
309:National Security Agency
268:Data Encryption Standard
5494:Public-key cryptography
5484:Symmetric-key algorithm
5277:Key derivation function
5237:Cryptographic primitive
5230:Authentication protocol
5215:Outline of cryptography
5210:History of cryptography
4845:Confusion and diffusion
4136:"Part 3: Block ciphers"
3321:Vincent Rijmen (2010).
3176:; Doug Whiting (2001).
2253:may help to break AES.
2024:Rijndael's key schedule
840:{\displaystyle a_{i,j}}
285:AES is included in the
272:symmetric-key algorithm
5282:Secure Hash Algorithms
5225:Cryptographic protocol
3697:10.1109/EuroSP.2016.29
3306:Agren, Martin (2012).
2579:
2553:
2453:AES modes of operation
2426:AES-NI instruction set
2106:For cryptographers, a
2093:
2084:classified information
2011:
1977:
1927:
1882:
1761:
1704:
1662:
1611:
1546:
1514:
1165:
1158:
1093:
1058:
982:
910:multiplicative inverse
900:. Before round 0, the
890:
841:
807:
639:
5388:End-to-end encryption
5334:Cryptojacking malware
5138:Initialization vector
4157:Animation of Rijndael
4122:10.6028/NIST.FIPS.197
2580:
2554:
2088:
2001:
1978:
1928:
1883:
1762:
1705:
1663:
1612:
1547:
1545:{\displaystyle x^{7}}
1515:
1174:linear transformation
1159:
1130:
1087:
1068:step (the inverse of
1059:
983:
921:affine transformation
891:
842:
782:
640:
307:approved by the U.S.
298:Secretary of Commerce
257:AES selection process
5504:Quantum cryptography
5428:Trusted timestamping
4917:3-subset MITM attack
4533:Intel Cascade Cipher
4513:Hasty Pudding cipher
4115:. 26 November 2001.
3691:. pp. 261â275.
3188:. pp. 103â111.
2840:on February 3, 2007.
2563:
2543:
2336:NIST/CSEC validation
2276:D. J. Bernstein
2265:Side-channel attacks
2260:Side-channel attacks
2231:key-recovery attacks
2177:side-channel attacks
2148:", was announced by
1948:
1896:
1771:
1714:
1675:
1633:
1556:
1529:
1204:
1157:{\displaystyle c(x)}
1139:
992:
931:
858:
818:
713: – a
707:9, 11 or 13 rounds:
420:
319:Definitive standards
266:. It supersedes the
221:Dutch pronunciation:
137:128, 192 or 256 bits
5257:Cryptographic nonce
4956:Differential-linear
3529:"AES Timing Attack"
2578:{\displaystyle n-1}
2442:AES implementations
2189:Dmitry Khovratovich
1985:Rijndael MixColumns
1123:Rijndael MixColumns
225:[ËrÉindaËl]
192:Related-key attacks
34:
5373:Subliminal channel
5357:Pseudorandom noise
5299:Key (cryptography)
5029:Differential-fault
4247:internal mechanics
3818:Fierce Electronics
3570:10.1007/11605805_1
3237:, October 15, 2000
3233:2009-02-01 at the
3209:on 4 November 2006
3174:Richard Schroeppel
2602:2009-10-23 at the
2575:
2549:
2181:related-key attack
2112:brute-force attack
2012:
1973:
1923:
1878:
1757:
1700:
1658:
1607:
1542:
1510:
1488:
1396:
1293:
1166:
1154:
1094:
1054:
978:
886:
837:
808:
635:
629:
374:array of 16 bytes
372:column-major order
182:brute-force attack
30:
5554:
5553:
5550:
5549:
5433:Key-based routing
5423:Trapdoor function
5289:Digital signature
5160:
5159:
5156:
5155:
5143:Mode of operation
4820:LaiâMassey scheme
4073:978-3-642-04101-3
4052:978-3-540-42580-9
4031:978-3-540-36178-7
3875:. Csrc.nist.gov.
3765:Intel Corporation
3706:978-1-5090-1751-5
3449:on 8 January 2015
3427:978-3-319-19961-0
3266:978-3-642-03355-1
3064:, 2000 pp213â230
2963:978-3-540-00409-7
2552:{\displaystyle n}
2508:for more details.
2247:Snowden documents
2245:According to the
1046:
243:developed by two
205:
204:
16:(Redirected from
5584:
5540:
5539:
5368:Insecure channel
5220:Classical cipher
5189:
5182:
5175:
5166:
5165:
5014:Power-monitoring
4855:Avalanche effect
4563:Khufu and Khafre
4216:security summary
4205:
4198:
4191:
4182:
4181:
4178:
4177:
4174:
4173:
4153:
4151:
4140:
4126:
4124:
4110:
4101:
4077:
4056:
4035:
4005:
4004:
4002:
3994:
3988:
3987:
3980:
3974:
3973:
3971:
3970:
3964:
3957:
3948:
3942:
3941:
3939:
3938:
3922:
3913:
3912:
3910:
3909:
3900:. Archived from
3894:
3888:
3887:
3885:
3884:
3869:
3863:
3862:
3860:
3859:
3853:
3847:. Archived from
3846:
3838:
3829:
3828:
3826:
3824:
3809:
3803:
3802:
3790:
3784:
3783:
3781:
3780:
3774:
3761:
3753:
3747:
3746:
3744:
3733:
3725:
3719:
3718:
3684:
3678:
3677:
3675:
3674:
3659:
3653:
3652:
3650:
3639:
3630:
3624:
3623:
3621:
3620:
3614:
3603:
3594:
3588:
3587:
3585:
3584:
3578:
3559:
3550:
3544:
3543:
3541:
3540:
3527:Bruce Schneier.
3524:
3518:
3517:
3515:
3514:
3499:
3490:
3489:
3487:
3485:
3465:
3459:
3458:
3456:
3454:
3445:. Archived from
3438:
3432:
3431:
3405:
3396:
3395:
3393:
3387:. Archived from
3386:
3377:
3371:
3370:
3368:
3367:
3347:
3341:
3340:
3338:
3327:
3318:
3312:
3311:
3303:
3297:
3296:
3294:
3293:
3277:
3271:
3270:
3244:
3238:
3226:Bruce Schneier,
3224:
3218:
3217:
3215:
3214:
3208:
3198:. Archived from
3197:
3166:
3160:
3159:
3157:
3156:
3143:Bruce Schneier.
3140:
3134:
3133:
3131:
3130:
3115:
3109:
3108:
3106:
3104:
3088:
3082:
3081:
3079:
3078:
3031:
3025:
3024:
3022:
3021:
3015:
3008:
2999:
2993:
2992:
2990:
2989:
2974:
2968:
2967:
2937:
2931:
2930:
2928:
2921:
2912:
2906:
2905:
2894:
2888:
2887:
2882:. Archived from
2871:
2865:
2864:
2848:
2842:
2841:
2839:
2833:. Archived from
2832:
2823:
2817:
2816:
2814:
2812:
2806:
2795:
2787:
2776:
2775:
2773:
2771:
2765:
2758:
2749:
2740:
2739:
2737:
2736:
2720:
2714:
2713:
2711:
2710:
2690:
2681:
2680:
2678:
2677:
2657:
2648:
2647:
2645:
2643:
2638:on March 6, 2016
2637:
2631:. Archived from
2630:
2622:
2606:
2593:
2587:
2584:
2582:
2581:
2576:
2558:
2556:
2555:
2550:
2537:
2531:
2528:
2522:
2515:
2509:
2502:
2496:
2493:
2487:
2484:
2424:CPUs supporting
2330:bits of security
2292:
2150:Nicolas Courtois
2128:
2120:
2116:
2069:
2065:
2061:
2054:
2049:
2045:
2041:
2017:
2005:
1994:
1982:
1980:
1979:
1974:
1969:
1968:
1936:
1932:
1930:
1929:
1924:
1887:
1885:
1884:
1879:
1877:
1876:
1871:
1856:
1855:
1850:
1841:
1840:
1828:
1827:
1822:
1813:
1812:
1800:
1799:
1794:
1766:
1764:
1763:
1758:
1756:
1755:
1750:
1741:
1740:
1728:
1727:
1722:
1709:
1707:
1706:
1701:
1696:
1695:
1667:
1665:
1664:
1659:
1654:
1653:
1616:
1614:
1613:
1608:
1594:
1593:
1581:
1580:
1568:
1567:
1551:
1549:
1548:
1543:
1541:
1540:
1519:
1517:
1516:
1511:
1493:
1492:
1485:
1484:
1465:
1464:
1445:
1444:
1425:
1424:
1401:
1400:
1298:
1297:
1290:
1289:
1270:
1269:
1250:
1249:
1230:
1229:
1187:
1183:
1179:
1171:
1163:
1161:
1160:
1155:
1134:
1116:
1107:
1099:
1091:
1079:
1071:
1067:
1063:
1061:
1060:
1055:
1053:
1052:
1047:
1044:
1038:
1037:
1016:
1015:
987:
985:
984:
979:
977:
976:
955:
954:
918:
898:substitution box
895:
893:
892:
887:
882:
881:
854:
846:
844:
843:
838:
836:
835:
814:step, each byte
813:
786:
768:
758:
753:
748:
738:
732:
726:
712:
697:
687:AES key schedule
684:
644:
642:
641:
636:
634:
633:
626:
625:
614:
613:
602:
601:
590:
589:
576:
575:
564:
563:
552:
551:
540:
539:
526:
525:
514:
513:
502:
501:
490:
489:
476:
475:
464:
463:
452:
451:
440:
439:
406:
399:
395:
385:
247:cryptographers,
236:(NIST) in 2001.
227:
222:
42:
35:
29:
21:
5592:
5591:
5587:
5586:
5585:
5583:
5582:
5581:
5557:
5556:
5555:
5546:
5528:
5457:
5198:
5193:
5152:
5126:
5095:Standardization
5090:
5019:Electromagnetic
4971:Integral/Square
4928:Piling-up lemma
4912:Biclique attack
4901:EFF DES cracker
4885:
4879:
4810:Feistel network
4798:
4423:CIPHERUNICORN-E
4418:CIPHERUNICORN-A
4350:
4344:
4277:
4271:
4225:
4219:
4209:
4149:
4138:
4134:
4108:
4104:
4092:
4089:
4084:
4074:
4053:
4032:
4009:
4008:
4000:
3996:
3995:
3991:
3982:
3981:
3977:
3968:
3966:
3962:
3955:
3949:
3945:
3936:
3934:
3923:
3916:
3907:
3905:
3896:
3895:
3891:
3882:
3880:
3871:
3870:
3866:
3857:
3855:
3851:
3844:
3840:
3839:
3832:
3822:
3820:
3810:
3806:
3791:
3787:
3778:
3776:
3772:
3759:
3755:
3754:
3750:
3742:
3736:cseweb.ucsd.edu
3731:
3727:
3726:
3722:
3707:
3685:
3681:
3672:
3670:
3665:. Hacker News.
3661:
3660:
3656:
3648:
3637:
3631:
3627:
3618:
3616:
3612:
3601:
3595:
3591:
3582:
3580:
3576:
3557:
3551:
3547:
3538:
3536:
3525:
3521:
3512:
3510:
3501:
3500:
3493:
3483:
3481:
3466:
3462:
3452:
3450:
3439:
3435:
3428:
3406:
3399:
3391:
3384:
3378:
3374:
3365:
3363:
3348:
3344:
3336:
3325:
3319:
3315:
3304:
3300:
3291:
3289:
3278:
3274:
3267:
3245:
3241:
3235:Wayback Machine
3225:
3221:
3212:
3210:
3202:
3186:Springer-Verlag
3167:
3163:
3154:
3152:
3141:
3137:
3128:
3126:
3117:
3116:
3112:
3102:
3100:
3089:
3085:
3076:
3074:
3065:
3032:
3028:
3019:
3017:
3013:
3006:
3000:
2996:
2987:
2985:
2976:
2975:
2971:
2964:
2938:
2934:
2926:
2919:
2913:
2909:
2896:
2895:
2891:
2872:
2868:
2849:
2845:
2837:
2830:
2824:
2820:
2810:
2808:
2804:
2793:
2789:
2788:
2779:
2769:
2767:
2763:
2756:
2750:
2743:
2734:
2732:
2721:
2717:
2708:
2706:
2691:
2684:
2675:
2673:
2664:
2658:
2651:
2641:
2639:
2635:
2628:
2624:
2623:
2619:
2614:
2609:
2604:Wayback Machine
2594:
2590:
2564:
2561:
2560:
2544:
2541:
2540:
2538:
2534:
2529:
2525:
2519:Security of AES
2516:
2512:
2503:
2499:
2494:
2490:
2485:
2481:
2477:
2458:Disk encryption
2449:
2444:
2438:
2436:Implementations
2400:
2392:
2372:Triple DES
2338:
2322:
2320:Quantum attacks
2290:
2274:In April 2005,
2262:
2235:biclique attack
2135:distributed.net
2118:
2114:
2104:
2076:
2067:
2063:
2059:
2052:
2047:
2046:steps with the
2043:
2039:
2036:
2015:
2003:
1996:
1992:
1964:
1960:
1949:
1946:
1945:
1934:
1897:
1894:
1893:
1872:
1867:
1866:
1851:
1846:
1845:
1836:
1832:
1823:
1818:
1817:
1808:
1804:
1795:
1790:
1789:
1772:
1769:
1768:
1751:
1746:
1745:
1736:
1732:
1723:
1718:
1717:
1715:
1712:
1711:
1691:
1687:
1676:
1673:
1672:
1649:
1645:
1634:
1631:
1630:
1628:
1624:
1589:
1585:
1576:
1572:
1563:
1559:
1557:
1554:
1553:
1536:
1532:
1530:
1527:
1526:
1487:
1486:
1474:
1470:
1467:
1466:
1454:
1450:
1447:
1446:
1434:
1430:
1427:
1426:
1414:
1410:
1403:
1402:
1395:
1394:
1389:
1384:
1379:
1373:
1372:
1367:
1362:
1357:
1351:
1350:
1345:
1340:
1335:
1329:
1328:
1323:
1318:
1313:
1303:
1302:
1292:
1291:
1279:
1275:
1272:
1271:
1259:
1255:
1252:
1251:
1239:
1235:
1232:
1231:
1219:
1215:
1208:
1207:
1205:
1202:
1201:
1192:in the cipher.
1185:
1181:
1177:
1169:
1140:
1137:
1136:
1132:
1125:
1119:
1114:
1105:
1097:
1089:
1082:
1077:
1069:
1065:
1048:
1043:
1042:
1027:
1023:
1005:
1001:
993:
990:
989:
966:
962:
944:
940:
932:
929:
928:
913:
896:using an 8-bit
871:
867:
859:
856:
855:
852:
825:
821:
819:
816:
815:
811:
803:
796:
784:
777:
771:
766:
756:
751:
746:
736:
730:
724:
710:
695:
682:
679:
628:
627:
621:
617:
615:
609:
605:
603:
597:
593:
591:
585:
581:
578:
577:
571:
567:
565:
559:
555:
553:
547:
543:
541:
535:
531:
528:
527:
521:
517:
515:
509:
505:
503:
497:
493:
491:
485:
481:
478:
477:
471:
467:
465:
459:
455:
453:
447:
443:
441:
435:
431:
424:
423:
421:
418:
417:
405:
402:
397:
393:
391:
388:
383:
381:
378:
375:
345:Feistel network
337:
321:
264:U.S. government
220:
188:biclique attack
69:First published
45:
32:
28:
23:
22:
15:
12:
11:
5:
5590:
5580:
5579:
5574:
5569:
5552:
5551:
5548:
5547:
5545:
5544:
5533:
5530:
5529:
5527:
5526:
5521:
5519:Random numbers
5516:
5511:
5506:
5501:
5496:
5491:
5486:
5481:
5476:
5471:
5465:
5463:
5459:
5458:
5456:
5455:
5450:
5445:
5443:Garlic routing
5440:
5435:
5430:
5425:
5420:
5415:
5410:
5405:
5400:
5395:
5390:
5385:
5380:
5375:
5370:
5365:
5363:Secure channel
5360:
5354:
5353:
5352:
5341:
5336:
5331:
5326:
5321:
5319:Key stretching
5316:
5311:
5306:
5301:
5296:
5291:
5286:
5285:
5284:
5279:
5274:
5264:
5262:Cryptovirology
5259:
5254:
5249:
5247:Cryptocurrency
5244:
5239:
5234:
5233:
5232:
5222:
5217:
5212:
5206:
5204:
5200:
5199:
5192:
5191:
5184:
5177:
5169:
5162:
5161:
5158:
5157:
5154:
5153:
5151:
5150:
5145:
5140:
5134:
5132:
5128:
5127:
5125:
5124:
5119:
5114:
5109:
5104:
5098:
5096:
5092:
5091:
5089:
5088:
5083:
5078:
5073:
5068:
5063:
5058:
5053:
5048:
5043:
5038:
5033:
5032:
5031:
5026:
5021:
5016:
5011:
5001:
4996:
4991:
4986:
4978:
4973:
4968:
4961:Distinguishing
4958:
4953:
4952:
4951:
4946:
4941:
4931:
4921:
4920:
4919:
4914:
4904:
4893:
4891:
4881:
4880:
4878:
4877:
4867:
4862:
4857:
4852:
4847:
4842:
4837:
4832:
4827:
4825:Product cipher
4822:
4817:
4812:
4806:
4804:
4800:
4799:
4797:
4796:
4791:
4786:
4781:
4776:
4771:
4766:
4761:
4756:
4751:
4746:
4741:
4736:
4731:
4726:
4721:
4716:
4711:
4706:
4701:
4696:
4691:
4686:
4681:
4676:
4671:
4666:
4661:
4656:
4651:
4646:
4641:
4636:
4631:
4626:
4621:
4616:
4611:
4606:
4601:
4596:
4591:
4580:
4575:
4570:
4565:
4560:
4555:
4550:
4545:
4540:
4535:
4530:
4525:
4520:
4515:
4510:
4505:
4500:
4495:
4490:
4485:
4480:
4475:
4470:
4465:
4460:
4455:
4453:Cryptomeria/C2
4450:
4445:
4440:
4435:
4430:
4425:
4420:
4415:
4410:
4405:
4400:
4395:
4390:
4385:
4380:
4375:
4370:
4365:
4360:
4354:
4352:
4346:
4345:
4343:
4342:
4337:
4332:
4327:
4322:
4317:
4312:
4307:
4302:
4297:
4292:
4287:
4281:
4279:
4273:
4272:
4270:
4269:
4264:
4259:
4254:
4240:
4235:
4229:
4227:
4221:
4220:
4208:
4207:
4200:
4193:
4185:
4171:
4170:
4164:
4154:
4132:
4127:
4102:
4088:
4087:External links
4085:
4083:
4082:
4079:alternate link
4072:
4057:
4051:
4036:
4030:
4010:
4007:
4006:
3989:
3975:
3943:
3914:
3889:
3864:
3830:
3804:
3785:
3748:
3720:
3705:
3679:
3654:
3625:
3589:
3545:
3519:
3491:
3474:SPIEGEL ONLINE
3460:
3433:
3426:
3397:
3394:on 2012-09-05.
3372:
3342:
3313:
3298:
3272:
3265:
3239:
3219:
3195:10.1.1.28.4921
3170:Niels Ferguson
3161:
3135:
3110:
3095:. Ziff-Davis.
3083:
3042:Bruce Schneier
3026:
2994:
2969:
2962:
2932:
2907:
2889:
2886:on 2007-11-03.
2866:
2857:New York Times
2843:
2818:
2777:
2741:
2715:
2682:
2649:
2616:
2615:
2613:
2610:
2608:
2607:
2588:
2574:
2571:
2568:
2548:
2532:
2523:
2510:
2497:
2488:
2478:
2476:
2473:
2472:
2471:
2466:
2460:
2455:
2448:
2445:
2440:Main article:
2437:
2434:
2399:
2396:
2391:
2388:
2337:
2334:
2321:
2318:
2261:
2258:
2166:Bruce Schneier
2154:Josef Pieprzyk
2119:
2103:
2100:
2075:
2072:
2035:
2032:
2010:operation (â).
1995:
1989:
1972:
1967:
1963:
1959:
1956:
1953:
1922:
1919:
1916:
1913:
1910:
1907:
1904:
1901:
1875:
1870:
1865:
1862:
1859:
1854:
1849:
1844:
1839:
1835:
1831:
1826:
1821:
1816:
1811:
1807:
1803:
1798:
1793:
1788:
1785:
1782:
1779:
1776:
1754:
1749:
1744:
1739:
1735:
1731:
1726:
1721:
1699:
1694:
1690:
1686:
1683:
1680:
1657:
1652:
1648:
1644:
1641:
1638:
1626:
1622:
1606:
1603:
1600:
1597:
1592:
1588:
1584:
1579:
1575:
1571:
1566:
1562:
1539:
1535:
1523:
1522:
1521:
1520:
1509:
1506:
1503:
1500:
1497:
1491:
1483:
1480:
1477:
1473:
1469:
1468:
1463:
1460:
1457:
1453:
1449:
1448:
1443:
1440:
1437:
1433:
1429:
1428:
1423:
1420:
1417:
1413:
1409:
1408:
1406:
1399:
1393:
1390:
1388:
1385:
1383:
1380:
1378:
1375:
1374:
1371:
1368:
1366:
1363:
1361:
1358:
1356:
1353:
1352:
1349:
1346:
1344:
1341:
1339:
1336:
1334:
1331:
1330:
1327:
1324:
1322:
1319:
1317:
1314:
1312:
1309:
1308:
1306:
1301:
1296:
1288:
1285:
1282:
1278:
1274:
1273:
1268:
1265:
1262:
1258:
1254:
1253:
1248:
1245:
1242:
1238:
1234:
1233:
1228:
1225:
1222:
1218:
1214:
1213:
1211:
1153:
1150:
1147:
1144:
1121:Main article:
1118:
1111:
1081:
1074:
1051:
1041:
1036:
1033:
1030:
1026:
1022:
1019:
1014:
1011:
1008:
1004:
1000:
997:
975:
972:
969:
965:
961:
958:
953:
950:
947:
943:
939:
936:
885:
880:
877:
874:
870:
866:
863:
834:
831:
828:
824:
801:
794:
775:Rijndael S-box
773:Main article:
770:
763:
762:
761:
760:
759:
754:
749:
741:
740:
739:
734:
728:
722:
705:
704:
703:
690:
678:
675:
670:
669:
666:
663:
648:
647:
646:
645:
632:
624:
620:
616:
612:
608:
604:
600:
596:
592:
588:
584:
580:
579:
574:
570:
566:
562:
558:
554:
550:
546:
542:
538:
534:
530:
529:
524:
520:
516:
512:
508:
504:
500:
496:
492:
488:
484:
480:
479:
474:
470:
466:
462:
458:
454:
450:
446:
442:
438:
434:
430:
429:
427:
403:
400:
389:
386:
379:
376:
336:
333:
332:
331:
328:
320:
317:
253:Vincent Rijmen
203:
202:
177:
176:
169:
168:
165:
159:
158:
153:
149:
148:
145:
139:
138:
135:
129:
128:
124:
123:
106:
102:
101:
88:
84:
83:
78:
74:
73:
70:
66:
65:
63:Vincent Rijmen
56:
52:
51:
47:
46:
43:
26:
9:
6:
4:
3:
2:
5589:
5578:
5575:
5573:
5570:
5568:
5567:Block ciphers
5565:
5564:
5562:
5543:
5535:
5534:
5531:
5525:
5524:Steganography
5522:
5520:
5517:
5515:
5512:
5510:
5507:
5505:
5502:
5500:
5497:
5495:
5492:
5490:
5487:
5485:
5482:
5480:
5479:Stream cipher
5477:
5475:
5472:
5470:
5467:
5466:
5464:
5460:
5454:
5451:
5449:
5446:
5444:
5441:
5439:
5438:Onion routing
5436:
5434:
5431:
5429:
5426:
5424:
5421:
5419:
5418:Shared secret
5416:
5414:
5411:
5409:
5406:
5404:
5401:
5399:
5396:
5394:
5391:
5389:
5386:
5384:
5381:
5379:
5376:
5374:
5371:
5369:
5366:
5364:
5361:
5358:
5355:
5350:
5347:
5346:
5345:
5342:
5340:
5337:
5335:
5332:
5330:
5327:
5325:
5322:
5320:
5317:
5315:
5312:
5310:
5309:Key generator
5307:
5305:
5302:
5300:
5297:
5295:
5292:
5290:
5287:
5283:
5280:
5278:
5275:
5273:
5270:
5269:
5268:
5267:Hash function
5265:
5263:
5260:
5258:
5255:
5253:
5250:
5248:
5245:
5243:
5242:Cryptanalysis
5240:
5238:
5235:
5231:
5228:
5227:
5226:
5223:
5221:
5218:
5216:
5213:
5211:
5208:
5207:
5205:
5201:
5197:
5190:
5185:
5183:
5178:
5176:
5171:
5170:
5167:
5163:
5149:
5146:
5144:
5141:
5139:
5136:
5135:
5133:
5129:
5123:
5120:
5118:
5115:
5113:
5110:
5108:
5105:
5103:
5100:
5099:
5097:
5093:
5087:
5084:
5082:
5079:
5077:
5074:
5072:
5069:
5067:
5064:
5062:
5059:
5057:
5054:
5052:
5049:
5047:
5044:
5042:
5041:Interpolation
5039:
5037:
5034:
5030:
5027:
5025:
5022:
5020:
5017:
5015:
5012:
5010:
5007:
5006:
5005:
5002:
5000:
4997:
4995:
4992:
4990:
4987:
4985:
4984:
4979:
4977:
4974:
4972:
4969:
4966:
4962:
4959:
4957:
4954:
4950:
4947:
4945:
4942:
4940:
4937:
4936:
4935:
4932:
4929:
4925:
4922:
4918:
4915:
4913:
4910:
4909:
4908:
4905:
4902:
4898:
4895:
4894:
4892:
4889:
4888:cryptanalysis
4882:
4875:
4871:
4870:Key whitening
4868:
4866:
4863:
4861:
4858:
4856:
4853:
4851:
4848:
4846:
4843:
4841:
4838:
4836:
4833:
4831:
4828:
4826:
4823:
4821:
4818:
4816:
4813:
4811:
4808:
4807:
4805:
4801:
4795:
4792:
4790:
4787:
4785:
4782:
4780:
4777:
4775:
4772:
4770:
4767:
4765:
4762:
4760:
4757:
4755:
4752:
4750:
4747:
4745:
4742:
4740:
4737:
4735:
4732:
4730:
4727:
4725:
4722:
4720:
4717:
4715:
4712:
4710:
4707:
4705:
4702:
4700:
4697:
4695:
4692:
4690:
4687:
4685:
4682:
4680:
4677:
4675:
4672:
4670:
4667:
4665:
4662:
4660:
4659:New Data Seal
4657:
4655:
4652:
4650:
4647:
4645:
4642:
4640:
4637:
4635:
4632:
4630:
4627:
4625:
4622:
4620:
4617:
4615:
4612:
4610:
4607:
4605:
4602:
4600:
4597:
4595:
4592:
4589:
4585:
4581:
4579:
4576:
4574:
4571:
4569:
4566:
4564:
4561:
4559:
4556:
4554:
4551:
4549:
4546:
4544:
4541:
4539:
4536:
4534:
4531:
4529:
4526:
4524:
4521:
4519:
4516:
4514:
4511:
4509:
4506:
4504:
4501:
4499:
4496:
4494:
4491:
4489:
4486:
4484:
4481:
4479:
4476:
4474:
4471:
4469:
4466:
4464:
4461:
4459:
4456:
4454:
4451:
4449:
4446:
4444:
4441:
4439:
4436:
4434:
4431:
4429:
4426:
4424:
4421:
4419:
4416:
4414:
4411:
4409:
4406:
4404:
4401:
4399:
4398:BEAR and LION
4396:
4394:
4391:
4389:
4386:
4384:
4381:
4379:
4376:
4374:
4371:
4369:
4366:
4364:
4361:
4359:
4356:
4355:
4353:
4347:
4341:
4338:
4336:
4333:
4331:
4328:
4326:
4323:
4321:
4318:
4316:
4313:
4311:
4308:
4306:
4303:
4301:
4298:
4296:
4293:
4291:
4288:
4286:
4283:
4282:
4280:
4274:
4268:
4265:
4263:
4260:
4258:
4255:
4252:
4248:
4244:
4241:
4239:
4236:
4234:
4231:
4230:
4228:
4222:
4217:
4213:
4212:Block ciphers
4206:
4201:
4199:
4194:
4192:
4187:
4186:
4183:
4179:
4175:
4168:
4165:
4162:
4158:
4155:
4148:
4144:
4137:
4133:
4131:
4128:
4123:
4118:
4114:
4107:
4103:
4100:. EmbeddedSW.
4099:
4095:
4091:
4090:
4080:
4075:
4069:
4065:
4064:
4058:
4054:
4048:
4044:
4043:
4037:
4033:
4027:
4023:
4022:
4017:
4012:
4011:
3999:
3993:
3985:
3979:
3961:
3954:
3947:
3933:on 2013-01-02
3932:
3928:
3921:
3919:
3904:on 2014-12-26
3903:
3899:
3893:
3878:
3874:
3868:
3854:on 2012-04-21
3850:
3843:
3837:
3835:
3823:September 26,
3819:
3815:
3808:
3800:
3796:
3789:
3771:
3767:
3766:
3758:
3752:
3741:
3737:
3730:
3724:
3716:
3712:
3708:
3702:
3698:
3694:
3690:
3683:
3668:
3664:
3658:
3647:
3643:
3636:
3629:
3611:
3607:
3600:
3593:
3575:
3571:
3567:
3563:
3556:
3549:
3534:
3530:
3523:
3508:
3504:
3498:
3496:
3479:
3475:
3471:
3464:
3448:
3444:
3437:
3429:
3423:
3419:
3415:
3411:
3404:
3402:
3390:
3383:
3376:
3361:
3357:
3353:
3346:
3335:
3331:
3324:
3317:
3309:
3302:
3287:
3283:
3276:
3268:
3262:
3258:
3254:
3250:
3243:
3236:
3232:
3229:
3228:AES Announced
3223:
3206:
3201:
3196:
3191:
3187:
3183:
3179:
3175:
3171:
3165:
3150:
3146:
3139:
3124:
3120:
3119:"Sean Murphy"
3114:
3098:
3094:
3087:
3072:
3068:
3063:
3059:
3055:
3051:
3047:
3043:
3039:
3035:
3030:
3012:
3005:
2998:
2983:
2979:
2973:
2965:
2959:
2955:
2951:
2947:
2943:
2936:
2925:
2918:
2911:
2903:
2899:
2893:
2885:
2881:
2877:
2870:
2862:
2858:
2854:
2847:
2836:
2829:
2822:
2803:
2799:
2792:
2786:
2784:
2782:
2762:
2755:
2748:
2746:
2730:
2726:
2719:
2704:
2700:
2696:
2689:
2687:
2671:
2667:
2662:
2656:
2654:
2634:
2627:
2621:
2617:
2605:
2601:
2598:
2592:
2572:
2569:
2566:
2546:
2536:
2527:
2520:
2514:
2507:
2501:
2492:
2483:
2479:
2470:
2467:
2464:
2461:
2459:
2456:
2454:
2451:
2450:
2443:
2433:
2431:
2427:
2423:
2419:
2414:
2412:
2407:
2405:
2395:
2387:
2383:
2379:
2377:
2373:
2368:
2366:
2361:
2359:
2355:
2351:
2347:
2343:
2333:
2331:
2327:
2317:
2315:
2310:
2306:
2302:
2300:
2295:
2288:
2283:
2281:
2277:
2272:
2270:
2266:
2257:
2254:
2252:
2251:tau statistic
2248:
2243:
2239:
2236:
2232:
2227:
2224:
2219:
2215:
2213:
2209:
2208:Nathan Keller
2205:
2204:Orr Dunkelman
2201:
2196:
2194:
2190:
2186:
2185:Alex Biryukov
2182:
2178:
2173:
2171:
2167:
2161:
2159:
2155:
2151:
2147:
2142:
2138:
2136:
2132:
2126:
2113:
2109:
2108:cryptographic
2102:Known attacks
2099:
2096:
2092:
2087:
2085:
2081:
2071:
2056:
2031:
2029:
2025:
2021:
2009:
2000:
1988:
1986:
1965:
1961:
1954:
1951:
1944:
1940:
1917:
1908:
1902:
1899:
1891:
1873:
1868:
1863:
1860:
1857:
1852:
1847:
1842:
1837:
1833:
1829:
1824:
1819:
1814:
1809:
1805:
1801:
1796:
1791:
1786:
1780:
1774:
1752:
1747:
1742:
1737:
1733:
1729:
1724:
1719:
1692:
1688:
1681:
1678:
1669:
1650:
1646:
1639:
1636:
1620:
1604:
1601:
1598:
1595:
1590:
1586:
1582:
1577:
1573:
1569:
1564:
1560:
1537:
1533:
1507:
1504:
1501:
1498:
1495:
1489:
1481:
1478:
1475:
1471:
1461:
1458:
1455:
1451:
1441:
1438:
1435:
1431:
1421:
1418:
1415:
1411:
1404:
1397:
1391:
1386:
1381:
1376:
1369:
1364:
1359:
1354:
1347:
1342:
1337:
1332:
1325:
1320:
1315:
1310:
1304:
1299:
1294:
1286:
1283:
1280:
1276:
1266:
1263:
1260:
1256:
1246:
1243:
1240:
1236:
1226:
1223:
1220:
1216:
1209:
1200:
1199:
1198:
1197:
1196:
1193:
1191:
1175:
1148:
1142:
1129:
1124:
1110:
1103:
1086:
1073:
1049:
1039:
1034:
1031:
1028:
1024:
1020:
1012:
1009:
1006:
1002:
995:
973:
970:
967:
963:
959:
951:
948:
945:
941:
934:
926:
922:
916:
911:
907:
903:
899:
878:
875:
872:
868:
861:
850:
832:
829:
826:
822:
805:
797:
790:
781:
776:
755:
750:
745:
744:
742:
735:
729:
723:
720:
716:
709:
708:
706:
701:
694:
693:
691:
688:
681:
680:
674:
667:
664:
661:
660:
659:
657:
653:
630:
622:
618:
610:
606:
598:
594:
586:
582:
572:
568:
560:
556:
548:
544:
536:
532:
522:
518:
510:
506:
498:
494:
486:
482:
472:
468:
460:
456:
448:
444:
436:
432:
425:
416:
415:
414:
413:
412:
410:
373:
368:
366:
362:
358:
354:
350:
346:
342:
329:
326:
325:
324:
316:
314:
310:
306:
302:
299:
295:
292:
288:
283:
280:
275:
273:
269:
265:
260:
258:
254:
250:
246:
242:
237:
235:
231:
226:
218:
214:
210:
199:
195:
193:
189:
183:
178:
175:
174:cryptanalysis
170:
166:
164:
160:
157:
154:
150:
146:
144:
140:
136:
134:
130:
127:Cipher detail
125:
122:
118:
114:
110:
107:
105:Certification
103:
100:
96:
92:
89:
85:
82:
79:
75:
71:
67:
64:
60:
57:
53:
48:
41:
36:
19:
5577:Cryptography
5474:Block cipher
5314:Key schedule
5304:Key exchange
5294:Kleptography
5252:Cryptosystem
5196:Cryptography
5046:Partitioning
5004:Side-channel
4982:
4949:Higher-order
4934:Differential
4815:Key schedule
4232:
4142:
4112:
4097:
4062:
4045:. Springer.
4041:
4020:
3992:
3978:
3967:. Retrieved
3946:
3935:. Retrieved
3931:the original
3906:. Retrieved
3902:the original
3892:
3881:. Retrieved
3867:
3856:. Retrieved
3849:the original
3821:. Retrieved
3817:
3807:
3798:
3788:
3777:. Retrieved
3763:
3751:
3735:
3723:
3688:
3682:
3671:. Retrieved
3657:
3641:
3628:
3617:. Retrieved
3605:
3592:
3581:. Retrieved
3561:
3548:
3537:. Retrieved
3522:
3511:. Retrieved
3505:. Cr.yp.to.
3482:. Retrieved
3473:
3463:
3451:. Retrieved
3447:the original
3436:
3409:
3389:the original
3375:
3364:. Retrieved
3355:
3345:
3329:
3316:
3307:
3301:
3290:. Retrieved
3275:
3248:
3242:
3222:
3211:. Retrieved
3200:the original
3181:
3164:
3153:. Retrieved
3138:
3127:. Retrieved
3113:
3101:. Retrieved
3086:
3075:. Retrieved
3057:
3054:Doug Whiting
3050:David Wagner
3038:Stefan Lucks
3029:
3018:. Retrieved
2997:
2986:. Retrieved
2972:
2945:
2935:
2910:
2892:
2884:the original
2879:
2869:
2856:
2846:
2835:the original
2821:
2809:. Retrieved
2797:
2768:. Retrieved
2733:. Retrieved
2718:
2707:. Retrieved
2698:
2674:. Retrieved
2660:
2640:. Retrieved
2633:the original
2620:
2591:
2535:
2526:
2513:
2500:
2491:
2482:
2415:
2408:
2401:
2393:
2390:Test vectors
2384:
2380:
2369:
2362:
2339:
2323:
2311:
2307:
2303:
2296:
2284:
2273:
2263:
2255:
2244:
2240:
2228:
2220:
2216:
2197:
2193:constraining
2174:
2162:
2143:
2139:
2105:
2097:
2094:
2089:
2077:
2057:
2037:
2013:
1943:finite field
1670:
1524:
1194:
1167:
1095:
901:
848:
809:
799:
792:
788:
719:lookup table
683:KeyExpansion
671:
649:
408:
369:
365:finite field
360:
338:
322:
301:Donald Evans
284:
276:
261:
241:block cipher
238:
216:
212:
208:
206:
185:
172:Best public
77:Derived from
5462:Mathematics
5453:Mix network
5131:Utilization
5117:NSA Suite B
5102:AES process
5051:Rubber-hose
4989:Related-key
4897:Brute-force
4276:Less common
4003:. May 2010.
3484:4 September
3453:30 December
3034:John Kelsey
2770:21 February
2668:. Table 1.
2411:Pentium Pro
2404:smart cards
2398:Performance
2053:AddRoundKey
2016:AddRoundKey
2004:AddRoundKey
1993:AddRoundKey
1890:hexadecimal
1066:InvSubBytes
925:derangement
757:AddRoundKey
737:AddRoundKey
700:bitwise xor
696:AddRoundKey
407:termed the
249:Joan Daemen
143:Block sizes
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.