Decorrelated Fast Cipher: An AES Candidate Well Suited for Low Cost Smart Card Applications

Author

  • Guillaume Poupard
Abstract

In response to the call for candidates issued by the National Institute for Standards and Technologies (the Advanced Encryption Standard project), the Ecole Normale Supérieure proposed a candidate called DFC, for "Decorrelated Fast Cipher", based on the decorrelation technique, which provides provable security against several classes of attacks (in particular the basic version of Biham and Shamir's differential cryptanalysis as well as Matsui's linear cryptanalysis). From a practical point of view, this algorithm is naturally very efficient when implemented on 64-bit processors. In this paper, we describe the implementation we made of DFC on a very low cost smart card based on the Motorola 6805 processor. The performances we obtain prove that DFC is also well suited for low cost device applications.

Since the beginning of the commercial use of symmetric encryption (with block ciphers) in the seventies, construction design used to be heuristic-based and security was empirical: a given block cipher was considered secure until some researcher published an attack on it. The Data Encryption Standard [1] initiated an important open research area, and some important cryptanalysis methods emerged, namely Biham and Shamir's differential cryptanalysis [4] and Matsui's linear cryptanalysis [11], as well as further generalizations. Nyberg and Knudsen [14] showed how to build toy block ciphers which provably resist differential cryptanalysis (and linear cryptanalysis as well, as was shown afterwards [3]). This paradigm has successfully been used by Matsui in the MISTY cipher [12, 13]. However, Nyberg and Knudsen's method does not provide much freedom for the design, and actually this paradigm leads to algebraic constructions. This may open the way to other kinds of weaknesses, as shown by Jakobsen and Knudsen [8].
In response to the call for candidates for the Advanced Encryption Standard (AES) which has been issued by the National Institute of Standards and Technology (NIST), the ENS proposed in [6] the Decorrelated Fast Cipher (DFC; see http://www.dmi.ens.fr/~vaudenay/dfc.html). It is a block cipher which is faster than DES and hopefully more secure than triple-DES. It accepts 128-bit message blocks and any key size from 0 to 256 bits. We believe that it can be adapted to any other cryptographic primitive such as stream cipher, hash function or MAC algorithm. The new design of DFC combines heuristic construction with provable security against a wide class of attacks. Unlike the Nyberg-Knudsen paradigm, our approach is combinatorial. It relies on Vaudenay's paradigm [15-19]. This construction provides much more freedom since it can be combined with heuristic designs. In [6] we provided proofs of security against some classes of general simple attacks which include differential and linear cryptanalysis. This result is based on the decorrelation theory. We believe that this cipher is also "naturally" secure against more complicated attacks since our design introduced no special algebraic property. Our design is guaranteed to be vulnerable to neither differential nor linear cryptanalysis with complexity less than 2 encryptions. We believe that the best attack is still exhaustive search. Another theoretical result claims that if we admit that no key will be used more than 2 times, then the cipher is guaranteed to resist any iterated known plaintext attack of order 1. From a practical point of view, the main computations are an affine mapping x ↦ P = ax + b, where a, b and x are 64-bit operands and P a 128-bit quantity, followed by two reductions, modulo 2^64 + 13 and modulo 2^64 respectively. Modern computors, like those of the AXP family, have properties that make the implementation of DFC especially efficient because of their native 64-bit architecture.
As an example, we are able to encrypt at 500 Mbps using the new Alpha 21264 processor at 600 MHz, provided that the microprocessor can input the plaintext stream and output the ciphertext stream at this rate (see [7]). The aim of this paper is to describe the implementation we made of DFC on a very low cost smart card based on an 8-bit Motorola 6805 processor, using less than 100 bytes of RAM and without the help of any kind of crypto-processor. This proves that DFC is well suited for a large range of applications. Section 1 gives a high level overview of DFC (a full description can be found in [6]). Section 2 explains how to efficiently deal with the multiprecision arithmetic needed to implement the algorithm. Finally, section 3 exposes our implementation and the performances we obtained.
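As an added example (not code from the paper or from the ENS DFC implementation), the following Python shows the core computation named above, the affine map x ↦ P = ax + b on 64-bit operands followed by reduction modulo 2^64 + 13 and then modulo 2^64, first with big integers as a reference and then with a fold that only ever handles 64-bit halves, which is the kind of step a multiprecision implementation on an 8-bit processor has to perform. The folding identity 2^64 ≡ -13 (mod 2^64 + 13) is a standard one and is my illustration, not necessarily the paper's method; the sample operands are constructed, not DFC test vectors.

```python
MASK64 = (1 << 64) - 1
MOD = (1 << 64) + 13   # the DFC modulus 2^64 + 13


def affine_reduce_naive(a: int, b: int, x: int) -> int:
    """Reference using Python big integers: ((a*x + b) mod (2^64+13)) mod 2^64."""
    return ((a * x + b) % MOD) & MASK64


def affine_reduce_limbs(a: int, b: int, x: int) -> int:
    """Same value, but every reduction step works on 64-bit halves only.

    Because 2^64 = -13 (mod 2^64+13), a 128-bit P = hi*2^64 + lo satisfies
    P = lo - 13*hi (mod 2^64+13).  Two folds plus one conditional addition
    bring the value into [0, 2^64+13); the final mask is the mod 2^64 step.
    """
    for v in (a, b, x):
        if not 0 <= v <= MASK64:
            raise ValueError("operands must be 64-bit")
    p = a * x + b                      # < 2^128, so hi fits in 64 bits
    hi, lo = p >> 64, p & MASK64
    t = lo - 13 * hi                   # in (-13*2^64, 2^64)
    if t < 0:
        t += 14 * MOD                  # now 0 <= t < 15*2^64 + 182
        hi, lo = t >> 64, t & MASK64   # hi <= 15
        t = lo - 13 * hi               # >= -195
        if t < 0:
            t += MOD                   # t now in [0, 2^64 + 13)
    return t & MASK64


# Constructed sample operands (a, b, x); not test vectors from the DFC specification.
SAMPLES = [
    (1, 2**63, 2**63),              # a*x + b = 2^64 exactly
    (2**32, 5, 2**32),              # 2^64 + 5
    (MASK64, MASK64, MASK64),       # largest possible product
    (0x9E3779B97F4A7C15, 0x0123456789ABCDEF, 0xDEADBEEFCAFEBABE),
    (0, MASK64, 0),                 # no reduction needed
]


def check_agreement(samples=SAMPLES) -> bool:
    """True when the limb-wise folding matches the big-integer reference on every sample."""
    return all(affine_reduce_limbs(a, b, x) == affine_reduce_naive(a, b, x)
               for a, b, x in samples)
```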


Similar sources

Secure and Efficient Crypto System Based On 128-Bit AES

The AES algorithm was selected in 2000 by the US National Institute of Standards and Technologies (NIST) as a replacement to the Data Encryption Standard (DES) cryptographic algorithm. It is based on Rijndael algorithm which is a symmetric-key algorithm that processes fixed data of 128-bit blocks. The AES algorithm is suited for an efficient implementation on a wide range of processors. It can ...

New Results on the Twofish Encryption Algorithm

Twofish is a 128-bit block cipher submitted as an AES candidate. We provide several new results, continuing the research in [SKW+98a, SKW+99b]. 1) We provide new performance numbers, including: faster encryption and decryption on the Pentium Pro/II, faster key setup on the Pentium and Pentium Pro/II in assembly language, large-RAM implementations on 32-bit CPUs, Alpha performance, more implement...

Security Analysis of a Practical "on the fly" Authentication and

In response to the current need for fast, secure and cheap public-key cryptography, we study an interactive zero-knowledge identification scheme and a derived signature scheme that combine provable security based on the general problem of computing discrete logarithms modulo any number, short identity-based keys, very short transmission and minimal on-line computation. This leads to both efficient...

ASIC Implementations of the Block Cipher SEA for Constrained Applications

SEA is a scalable encryption algorithm targeted for small embedded applications. It was initially designed for software implementations in controllers, smart cards or processors. In this paper, we investigate its hardware performances in a 0.13 μm CMOS technology. For these purposes, different designs are detailed. First, a single clock cycle per round loop architecture is implemented. Beyond i...

Publication date: 1998