Decorrelated Fast Cipher: An AES Candidate Well Suited for Low Cost Smart Card Applications

Authors

  • Guillaume Poupard
  • Serge Vaudenay
Abstract

In response to the call for candidates issued by the National Institute for Standards and Technologies (the Advanced Encryption Standard project) the Ecole Normale Supérieure proposed a candidate called DFC as for "Decorrelated Fast Cipher", based on the decorrelation technique that provides provable security against several classes of attacks (in particular the basic version of Biham and Shamir's Differential Cryptanalysis as well as Matsui's Linear Cryptanalysis). From a practical point of view, this algorithm is naturally very efficient when it is implemented on 64-bit processors. In this paper, we describe the implementation we made of DFC on a very low cost smart card based on the Motorola 6805 processor. The performances we obtain prove that DFC is also well suited for low cost devices applications.

Since the beginning of commercial use of symmetric encryption (with block ciphers) in the seventies, construction design used to be heuristic-based and security was empiric: a given block cipher was considered to be secure until some researcher published an attack on it. The Data Encryption Standard [1] initiated an important open research area, and some important cryptanalysis methods emerged, namely Biham and Shamir's differential cryptanalysis [4] and Matsui's linear cryptanalysis [11], as well as further generalizations. Nyberg and Knudsen [14] showed how to build toy block ciphers which provably resist differential cryptanalysis (and linear cryptanalysis as well, as has been shown afterward [3]). This paradigm has successfully been used by Matsui in the MISTY cipher [12, 13]. However Nyberg and Knudsen's method does not provide much freedom for the design, and actually, this paradigm leads to algebraic constructions. This may open the way to other kinds of weaknesses as shown by Jakobsen and Knudsen [8].

In response to the call for candidates for the Advanced Encryption Standard (AES) which has been issued by the National Institute of Standards and Technology (NIST) the ENS proposed in [6] the Decorrelated Fast Cipher (DFC) 1. It is a block cipher which is faster than DES and hopefully more secure than triple-DES. It accepts 128-bit message blocks and any key size from 0 to 256. We believe that it can be adapted to any other cryptographic primitive such as 1 See


Similar resources

Decorrelated Fast Cipher: an Aes Candidate Well Suited for Low Cost Smart Cards Applications

In response to the call for candidates issued by the National Institute for Standards and Technologies (the Advanced Encryption Standard project) the Ecole Normale Supérieure proposed a candidate called DFC as for "Decorrelated Fast Cipher", based on the decorrelation technique that provides provable security against several classes of attacks (in particular the basic version of Biham and Sham...


Secure and Efficient Crypto System Based On 128-Bit AES

The AES algorithm was selected in 2000 by the US National Institute of Standards and Technologies (NIST) as a replacement to the Data Encryption Standard (DES) cryptographic algorithm. It is based on Rijndael algorithm which is a symmetric-key algorithm that processes fixed data of 128-bit blocks. The AES algorithm is suited for an efficient implementation on a wide range of processors. It can ...


Decorrelated Fast Cipher : an AES

This report presents a response to the call for candidates issued by the National Institute for Standards and Technologies (the Advanced Encryption Standard project). The proposed candidate, called DFC as for "Decorrelated Fast Cipher", is based on Vaudenay's decorrelation technique. This provides provable security against several classes of attacks which include the basic version of Biham a...


ASIC Implementations of the Block Cipher SEA for Constrained Applications

SEA is a scalable encryption algorithm targeted for small embedded applications. It was initially designed for software implementations in controllers, smart cards or processors. In this paper, we investigate its hardware performances in a 0.13 μm CMOS technology. For these purposes, different designs are detailed. First, a single clock cycle per round loop architecture is implemented. Beyond i...


New Results on the Twofish Encryption Algorithm

Twofish is a 128-bit block cipher submitted as an AES candidate. We provide several new results, continuing the research in [SKW+98a, SKW+99b]. 1) We provide new performance numbers, including: faster encryption and decryption on the Pentium Pro/II, faster key setup on the Pentium and Pentium Pro/II in assembly language, large-RAM implementations on 32-bit CPUs, Alpha performance, more implement...



Publication date: 1998