Cryptix

Standard Cryptographic
Algorithm Naming

Version 0.9.9 - 9 August, 1999
Draft version, under construction
FRAMES | NO FRAMES

This document gives references for a collection of cryptographic algorithms of various types. Each algorithm is assigned a standard ASCII name, and zero or more aliases. The intention is that the references specify each algorithm in sufficient detail that independent implementations will be able to interoperate.

The list has been designed initially for use by the Java Cryptography Architecture, but should be useful in any situation where a convention is needed for referring to algorithms by a string name. It can also serve as a source of references for definitions and cryptanalysis of various algorithms. The Cryptix Development Team intends to develop API mappings for languages other than Java in future (possibly based on existing cryptography libraries).

The accompanying Definitions and Conventions document includes important information on the conventions used in compiling this list, which you should read before using it for the first time:

The following are very useful resources for a wide range of algorithms:

Contents

MessageDigest algorithms

GOST-Hash MessageDigest
Alias:
"GOST-R-34.11-94"
Published:
1994
References:
Digest length:
32 bytes.
Security comments:

HAVAL[(digestLength[,passes])] Message Digest
Designers:
Yuliang Zheng, Josef Pieprzyk, Jennifer Seberry
Published:
1992
Alias:
"OpenPGP.Digest.7" is an alias to "HAVAL(20,5)".
References:
Parameters:
Digest length:
As specified by the digestLength parameter (in bytes).

MD2 Message Digest
Designer:
Ron Rivest
Aliases:
"1.2.840.113549.2.2", "OpenPGP.Digest.5"
References:
Digest length:
16 bytes.
Security comment:
N. Rogier and P. Chauvaud have found a method of generating collisions for MD2's compression function. Quoting from RSA Laboratories Security Bulletin #4:
[C]aution requires that MD2 be no longer recommended for new applications where collision-resistance is required. Questions about the continuing suitability of MD2 for existing applications remain open. [... O]ur recommendation would be to upgrade applications away from MD2 whenever it is practical.

MD4 Message Digest
Designer:
Ron Rivest
Published:
1990
Alias:
"1.2.840.113549.2.4"
References:
Digest length:
16 bytes.
Security comment:
Bert den Boer, Antoon Bosselaers and Hans Dobbertin have found a method of generating collisions for the full MD4 algorithm. Quoting from RSA Laboratories Security Bulletin #4:
[I]t has been shown that collisions for MD4 can be found in about a minute on a typical PC. [...] MD4 [...] should not be used.

MD5 Message Digest
Designer:
Ron Rivest
Alias:
"1.2.840.113549.2.5", "OpenPGP.Digest.1"
References:
Digest length:
16 bytes.
Security comment:
Hans Dobbertin has found a method of generating collisions for MD5's compression function. Quoting from RSA Laboratories Security Bulletin #4:
Given the surprising speed with which techniques on MD4 were extended to MD5 we feel that it is only prudent to draw a cautious conclusion and to expect that collisions for the entire hash function might soon be found.

In addition, the 128-bit output is arguably not long enough to make generating collisions using a birthday attack infeasible.

Panama Message Digest
Designers:
Joan Daemen, Craig Clapp
Published:
1998
References:
Digest length:
32 bytes.

RIPEMD-128 Message Digest
Designers:
Hans Dobbertin, Antoon Bosselaers, Bart Preneel
Published:
April 1996
Aliases:
"RIPEMD128", "1.3.36.3.2.2"
References:
Digest length:
16 bytes.
Security comment:
The 128-bit output is arguably not long enough to make generating collisions using a birthday attack infeasible.

RIPEMD-160 Message Digest
Designers:
Hans Dobbertin, Antoon Bosselaers, Bart Preneel
Published:
April 1996
Aliases:
"RIPEMD160", "1.3.36.3.2.1", "OpenPGP.Digest.3"
References:
Digest length:
20 bytes.

SHA-0 Message Digest
Designers:
U.S. National Security Agency
Published:
January 1992
Alias:
"1.3.14.3.2.13"
References:
Digest length:
20 bytes.
Security comment:
This is the original version of the Secure Hash Algorithm, and has been superceded by SHA-1. Although the motivation for the change leading to SHA-1 was not made public by the NSA, the paper by Chabaud and Joux cited above provides evidence that this change improved security.

SHA-1 Message Digest
Designers:
U.S. National Security Agency
Published:
April 1995
Aliases:
"SHA", "SHA1", "1.3.14.3.2.26", "OpenPGP.Digest.2"
References:
Digest length:
20 bytes.

Tiger[(digestLength[,passes])] Message Digest
Designers:
Ross Anderson, Eli Biham
Published:
1996
Alias:
"OpenPGP.Digest.6" is an alias to "Tiger(24,3)".
References:
Parameters:
Digest length:
As specified by the digestLength parameter (in bytes).
Comment:
Although the "Tiger: A Fast New Hash Function" paper does not mention use of any number of passes/rounds other than 3, the reference implementation (available from the Tiger home page) supports a variable number of passes, and therefore we specify this as a parameter.

Parallel(digestNames+) Message Digest Construction
Description:
This output of this algorithm is obtained by concatenating the outputs of each of the listed algorithms. For example, "Parallel(SHA-1,RIPEMD-160)" produces a 40-byte output, the first half of which is calculated by applying SHA-1 to the input, and the second half by applying RIPEMD-160. Any non-zero number of algorithms may be listed, separated by commas.
Parameters:
Digest length:
The sum of the digest lengths of the component algorithms.
Security comments:

Mac algorithms (Message Authentication Codes)

CBC-MAC-DES-FIPS113 Mac
Description:
If EK denotes DES encryption, and the input message is split into blocks M0,... Mn-1 (using padding with zeroes for the last block), then:
References:
Key length:
64 bits as encoded; 56 bits excluding parity bits.
Truncated length:
Minimum 32, maximum 64, default 64 bits.
Comments:
Security comment:

? CBC-MAC(cipherName) Mac
Description:
If EK denotes encryption with the block cipher named cipherName, and the input message is split into blocks M0, ... Mn-1 (using PKCS #7-style padding for the last block), then:
References:
Parameters:
Key length:
As defined by the cipher.
Truncated length:
Minimum 32 bits, maximum equal to the cipher block size. The default truncated length is 64 bits, or half of the cipher block size rounded up to the next multiple of 8 bits, whichever is greater.
Missing information:
Test vectors.
Comment:
The input is padded to a multiple of the cipher's block length by using PKCS #7-style padding (as defined by the PKCSPadding algorithm for block ciphers).
Security comment:
The paper "MDx-MAC and building fast MACs from hash functions," describes an attack on CBC-MAC which requires on the order of 2k/2 known texts, where k is the cipher block size in bits. This means that the security of CBC-MAC using a 64-bit cipher (i.e. most block ciphers designed before the AES process) is very limited.

HMAC(digestName) Mac Construction
Designers:
Mihir Bellare, Ran Canetti, Hugo Krawczyk, Adi Shamir
Published:
June 1996
References:
Parameters:
Key length:
As defined by the cipher.
Truncated length:
Minimum 32 bits, maximum equal to the message digest output length. The default is half the message digest output length, rounded up to the next multiple of 8 bits.

MD5-MAC Mac
Designers:
Bart Preneel, P.C. van Oorschot
Description:
The Mac algorithm obtained by applying the MDx-MAC method to MD5 (MDx-MAC is not defined as a construction, since it involves changes to the internal structure of the message digest being used).
Published:
1995
References:
Truncated length:
Minimum 32, maximum 128, default 64 bits.
Security comment:
MD5-MAC is claimed to require approximately 264 operations to forge a message (increasing the truncated length property from the default, 8 bytes, does not necessarily improve this).

RIPEMD-128-MAC(macLength) Mac
Designers:
Bart Preneel, P.C. van Oorschot
Description:
The Mac algorithm obtained by applying the MDx-MAC method to RIPEMD-128 (MDx-MAC is not defined as a construction, since it involves changes to the internal structure of the message digest being used).
Published:
1995
References:
Truncated length:
Minimum 32, maximum 128, default 64 bits.
Security comment:
RIPEMD-128-MAC is claimed to require approximately 264 operations to forge a message (increasing the truncated length property from the default, 8 bytes, does not necessarily improve this).

RIPEMD-160-MAC(macLength) Mac
Designers:
Bart Preneel, P.C. van Oorschot
Description:
The Mac algorithm obtained by applying the MDx-MAC method to RIPEMD-160 (MDx-MAC is not defined as a construction, since it involves changes to the internal structure of the message digest being used).
Published:
1995
References:
Truncated length:
Minimum 32, maximum 160, default 80 bits.
Security comment:
RIPEMD-160-MAC is claimed to require approximately 280 operations to forge a message (increasing the truncated length property from the default, 10 bytes, does not necessarily improve this).

? SSL3-MAC(digestName) Mac Construction
Designers:
Mihir Bellare, Ran Canetti, Hugo Krawczyk
Alias:
"SSL3MAC"
References:
Parameters:
Truncated length:
Minimum 32 bits, maximum equal to the message digest output length. The default is half the message digest output length, rounded up to the next multiple of 8 bits.
Comment:
This is an early version of HMAC, which should now be used in preference (except for compatibility with SSL version 3). The difference is that in SSL3-MAC, the padding strings 'ipad' and 'opad' are appended to the key, whereas in HMAC, they are exclusive-or'd with the zero-extended key.

! XMACR(cipherName) Mac Construction
Designers:
Mihir Bellare, R. Guérin, Phillip Rogaway
Description:
...
Published:
October 1995
References:
Parameters:
Truncated length:
Minimum 32 bits, maximum equal to the message digest output length. The default is half the message digest output length, rounded up to the next multiple of 8 bits.
Missing information:

Symmetric Ciphers

 See also Conventions for symmetric ciphers.

3-Way Block Cipher
Designer:
Joan Daemen
Published:
1994
References:
Key length:
96 bits.
Block size:
12 bytes.
Comment:
The byte ordering convention is as follows: within each 12-byte block, the 32-bit words denoted in chapter 7 of Joan Daemen's thesis as (a0, a1, a2), are given in that order. Within each 32-bit word, the bytes are in big-endian order. This is consistent with the four test vectors in Crypto++; note that the same four test vectors are included in Applied Cryptography (page 659) with the words written in the opposite order (i.e. as a2 a1 a0).

For reference, the forth test vector in this set is: 

   key        = <D2F05B5ED6144138CAB920CD>
   plaintext  = <4059C76E83AE9DC4AD21ECF7>
   ciphertext = <478EA8716B13F17C15B155ED>
Security comment:
3-Way is vulnerable to related-key attacks, and therefore it should only be used with keys that are generated by a strong PRNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

! AES Block Cipher
Description:
This name is reserved for the cipher that wins the NIST AES (Advanced Encryption Standard) contest. Its original name will be retained as an alias. If there is more than one winning algorithm, each winner will retain its original name, and this entry will be removed.
Aliases:
"AES128", "AES192", "AES256", "OpenPGP.Cipher.7", "OpenPGP.Cipher.8", "OpenPGP.Cipher.9"
References:
Key length:
128, 192 or 256 bits. Other lengths may also be supported. The default key length for AES depends on the KeyGenerator name; see the section on KeyGenerators.
Block size:
16 bytes. Other sizes may also be supported.
Patent status:
The AES winner will be available on a wordwide, non-exclusive, royalty-free basis, regardless of any patents.
Missing information:
Which algorithm will win ;-)

Blowfish Block Cipher
Designer:
Bruce Schneier
Published:
1994
Alias:
"OpenPGP.Cipher.4"
References:
Key length:
Minimum 32, maximum 448, multiple of 8 bits; default 128 bits.
Block size:
8 bytes.
Security comment:
The weak keys described in S. Vaudenay's paper do not appear to be significant for full (16-round) Blowfish.
Variant:
"Blowfish-ISK" - the subkeys are specified (using the notation of Applied Cryptography) as P1..18 first, followed by S1, 0..255, S2, 0..255, S3, 0..255, and S4, 0..255. Each entry is represented as 4 bytes in big-endian order.

Weak keys may be avoided by ensuring that no S-box has duplicate entries (i.e. that there does not exist i, j, k where j != k such that Si, j = Si, k).

CAST-128 Block Cipher
Designers:
Carlisle Adams, Stafford Tavares
Published:
1997
Aliases:
"CAST5", "OpenPGP.Cipher.3"
References:
Key length:
Minimum 40, maximum 128, multiple of 8 bits; default 128 bits.
Block size:
8 bytes.
Comment:
Strictly speaking the alias "CAST5" only applies to CAST-128 with a key size of 80 or 128 bits. Implementations MAY enforce this.

CAST-256 Block Cipher
Designer:
Carlisle Adams, Howard Heys, Stafford Tavares, Michael Wiener
Published:
June 1998
References:
Key length:
Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.
Block size:
16 bytes.
Patent status:
CAST-256 is patented by Entrust Technologies, Inc. (see references). [[need reference to statement that licensing will be royalty-free.]]

CRYPTON-0.5 Block Cipher
Designer:
Chae Hoon Lim
Published:
1998
Description:
This is the version of CRYPTON originally submitted to NIST as an AES candidate.
References:
Comment:
"CRYPTON: A New 128-bit Block Cipher - Specification and Analysis" contains an error in the description of the byte permutation phi: on the right hand side of figure 4, b33 should be b03.
Key length:
Minimum 64, maximum 256, multiple of 32 bits; default 128 bits.
Block size:
16 bytes.

CRYPTON Block Cipher
Designer:
Chae Hoon Lim
Published:
December 1998
Aliases:
"CRYPTON-1.0"
Description:
This is version 1.0 of CRYPTON (the current version, at time of writing).
References:
Key length:
Minimum 0, maximum 256, multiple of 8 bits; default 128 bits.
(Note that this is different from CRYPTON-0.5.)
Block size:
16 bytes.

CS-Cipher Block Cipher
Designers:
Jacques Stern, Serge Vaudenay
Published:
1998
References:
Key length:
Minimum 0, maximum 128, multiple of 8 bits; default 128 bits.
Block size:
8 bytes.
Patent status:
CS-Cipher may be subject to patents by the Compagnie des Signaux.

DEAL Block Cipher
Designer:
Lars Knudsen
Published:
May 1998
References:
Key length:
128, 192 or 256 bits; default 128 bits.
Block size:
16 bytes.
Comment:
The paper "DEAL: A 128-bit Block Cipher" contains an error in the description of key scheduling: the three occurrences of "<4>" should be replaced by "<3>", and the two occurrences of "<8>" should be replaced by "<4>". In other words, the constants to be XOR'd with the input keys are 0x8000000000000000, 0x4000000000000000, 0x2000000000000000 and 0x1000000000000000.
Security comments:

DES Block Cipher
Designers:
Don Coppersmith, Horst Feistel, Walt Tuchmann, U.S. National Security Agency
Published:
1976
References:
Key length:
64 bits as encoded; 56 bits excluding parity bits.
Block size:
8 bytes.
Comment:
Implementations MUST ignore (i.e. not check) the parity bits of keys. KeyGenerators for DES MUST, however, output keys with correct parity.
Security comment:
The fixed 56-bit effective key length is too short to prevent brute-force attacks.

DESede Block Cipher
Designers:
Whitfield Diffie, Martin Hellman, Walt Tuchmann
Published:
1978
Aliases:
"TripleDES", "DES-EDE3", "3DES", "OpenPGP.Cipher.2"
References:
Key length:
128 or 192 bits; default 192 bits, as encoded. 112 or 168 bits excluding parity.
Block size:
8 bytes.
Comments:
Security comment:
Quoting from the paper "Attacking Triple Encryption" cited above:
[A]bout 2108 steps of computation are sufficient to break three-key triple DES. If one concentrates on the number of single DES operations and assumes the other operations to be much faster, 290 of these are enough.
Better attacks than this are available against two-key triple DES (which should only be used for backward compatibility, if at all).

DESX Block Cipher
Designer:
Ron Rivest
Description:
If K, K1 and K2 are the subkeys encoded as described below, then encryption and decryption are defined by:
EDESX[K, K1, K2](P) = EDES[K](P XOR K1) XOR K2
DDESX[K, K1, K2](C) = DDES[K](C XOR K3) XOR K2
If the user key length is 24 bytes, the first 8 bytes represent the key K used for the DES operation, and the two subsequent blocks of 8 bytes represent the "whitening" keys K1 and K2, in that order.

If the user key length is 16 bytes, the first 8 bytes represent the key K used for the DES operation, the second 8 bytes represent the whitening key K1, and K2 is derived from K and K1 as specified in the first reference below.

References:
Key length:
128 or 192 bits; default 192 bits, as encoded. See security comments for the effective key length.
Block size:
8 bytes.
Comments:
Security comments:

DFC Block Cipher
Designers:
Henri Gilbert, Marc Girault, Philippe Hoogvorst, Fabrice Noilhan, Thomas Pornin, Guillaume Poupard, Jacques Stern, Serge Vaudenay
Published:
May 1998
References:
Key length:
Minimum 0, maximum 256 bits, multiple of 8 bits; default 128 bits.
Block size:
16 bytes.
Comments:
The additional parameters described in the "DFC Update" paper (the block size m bits, number of rounds r, and adjustment to key scheduling s) may be added in future.

If so, the proposed name for the generalised version is "DFC-m[(r[,s])]" (on the basis that each value of m will normally require a different implementation, whereas changes to r and s can easily be handled by a single implementation; also note that the variable key length does not need to be expressed as a parameter). For DFC-128, r would default to 8, and s to 4.

The key schedule change suggested in "DFC Update" is not specified precisely enough to define a new algorithm name for it, yet.

Patent status:
DFC itself is unpatented, but the decorrelation technique it uses may be covered by the patent application referenced above.

Diamond2(rounds) Block Cipher
Designer:
Michael Paul Johnson
Published:
1995
References:
Parameters:
Key length:
Minimum 8, maximum 65536, multiple of 8 bits; default 128 bits.
Block size:
16 bytes.
Comments:

E2 Block Cipher
Designers:
Kazumaro Aoki, Masayuki Kanda, Tsutomu Matsumoto, Shiho Moriai, Kazuo Ohta, Miyako Ookubo, Youichi Takashima, Hiroki Ueda
Published:
June 1998
References:
Key length:
128, 192 or 256 bits; default 128 bits.
Block size:
16 bytes.
Patent status:
NTT has several patents pending on E2 (see references).

? FROG[(blockSize[,rounds])] Block Cipher
Designers:
Dianelos Georgoudis, Damian Leroux, Billy Simón Chaves (TecApro International S.A.)
References:
Parameters:
Key length:
Minimum 40, maximum 1000, multiple of 8 bits; default 128 bits.
Block size:
As given by the blockSize parameter (in bytes).
Missing information:
Test vectors for block sizes other than 16 bytes.
Comment:
The original C reference code uses an unconventional byte order when printing test vectors (the order of bytes is reversed across the whole block). The correct byte order is that defined by the Java reference implementation, and by the NIST test vectors referenced above.
Security comment:
The paper "Cryptanalysis of FROG" describes the following attacks on weak keys:

? GOST Block Cipher
Alias:
"GOST-28147-89"
Published:
1989
References:
Parameters:
Key length:
256 bits.
Block size:
8 bytes.
Missing information:
Test vectors.
Security comment:
The paper "A chosen key attack against the secret S-boxes of GOST" cited above describes how to recover the S-boxes in about 232 encryptions. The main significance of this is on tamperproof hardware implementations where the S-boxes were assumed to be secret; for a software implementation, they should be assumed to be public in any case.

HPC(blockSize[,backup]) Block Cipher
Designer:
Rich Schroeppel
Alias:
"HastyPudding"
References:
Parameters:
Key length:
Minimum 0, maximum 65536 bits; default 128 bits.
Block size:
As given by the blockSize parameter (in bytes). Note that while HPC supports block sizes that are not a multiple of 8 bits, the JCE API does not.
Comment:
The convention for encoding keys that are not a multiple of 8 bits in length, is for the last (effectiveBitLength % 8) bits of the key to be packed in the high-order bits of the last byte of the encoding. Any unused low-order bits of the last byte are ignored. For example, the key given by the 11-bit sequence <01010101 010>2, would be encoded as the byte array { 0x55, 0x40 | junk }, where junk & 0xE0 == 0. The value of the key's effectiveBitLength parameter is used to determine how many bits of the encoding are significant.
Security comments:

ICE Block Cipher
Designer:
Matthew Kwan
References:
Key length:
Minimum 64, multiple of 64 bits; default 128 bits.
Block size:
8 bytes.
Comment:
The length of the key defines the "level" parameter (note that the "Thin ICE" variant is not included).
Security comment:
The paper "Differential cryptanalysis of the ICE encryption algorithm" describes several differential attacks, including an attack against a variant reduced to 15 rounds, with 256 work and at most 256 chosen plaintexts. (The full algorithm has n/4 rounds when the key length is n bits.) The paper concludes:
[...] The main conclusion of this paper is that keyed permutation does not prevent differential cryptanalysis. Although the analysis is more complicated and becomes key dependent, in our opinion the intention of the design has not been reached. The best 3-round iterative characteristic that can be used in our attack has a probability of 2-13, which is higher than the probability of 2-16 of the best 3-round characteristic for LOKI91 (a similar block cipher that makes use of four identical 12 to 8-bit S-boxes).
These attacks are probably not practical when the number of rounds is 32 or higher (i.e. the key is 128 bits or longer). However, in that case ICE is slower than DES.

IDEA Block Cipher
Designers:
Xuejia Lai, James Massey
Aliases:
  • "OpenPGP.Cipher.1"
  • "1.3.6.1.4.1.188.7.1.1.1" is an alias to "IDEA/ECB"
  • "1.3.6.1.4.1.188.7.1.1.2" is an alias to "IDEA/CBC"
  • "1.3.6.1.4.1.188.7.1.1.3" is an alias to "IDEA/CFB"
  • "1.3.6.1.4.1.188.7.1.1.4" is an alias to "IDEA/OFB"
    (source for OIDs)
References:
  • [Def, An] X. Lai,
    "On the design and security of block ciphers",
    ETH Series in Information Processing (J.L. Massey, ed.), Vol. 1, Hartung-Gorre Verlag, Konstanz Technische Hochschule (Zurich), 1992.
  • [Inf, An] X. Lai, J.L. Massey, S. Murphy,
    "Markov Ciphers and Differential Cryptanalysis,"
    Advances in Cryptology - EUROCRYPT '91, Volume 547 of Lecture Notes in Computer Science (D.W. Davies, ed.), pp. 17-38. Springer-Verlag, 1991.
  • [Inf] The IDEA Algorithm page,
    http://www.ascom.ch/infosec/idea.html.
  • [Inf] Bruce Schneier,
    "Section 13.9 IDEA,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
    [[note: there is an error in the description; diagram is correct.]]
  • [Inf] A. Menezes, P.C. van Oorschot, S.A. Vanstone,
    "Section 7.6 IDEA,"
    Handbook of Applied Cryptography, CRC Press, 1997.
  • [An] Joan Daemen, René Govaerts, Joos Vandewalle,
    "Weak Keys of IDEA,"
    Advances in Cryptology - CRYPTO '93 Proceedings, Volume 773 of Lecture Notes in Computer Science (D. Stinson, ed.), pp. 224-231. Springer-Verlag, 1994.
    http://www.esat.kuleuven.ac.be/~rijmen/downloadable/daemen/ideaw.ps.gz (or here)
  • [An] Joan Daemen, René Govaerts, Joos Vandewalle,
    "Cryptanalysis of 2.5 Rounds of IDEA,"
    ESAT-COSIC Technical Report 93/1, 1993.
    http://www.esat.kuleuven.ac.be/~cosicart/ps/JD-9306.ps.gz
  • [An] J. Borst, L. Knudsen, V. Rijmen,
    "Two attacks on reduced IDEA," Advances in Cryptology - EUROCRYPT '97 Proceedings, Volume 1233 of Lecture Notes in Computer Science (W. Fumy, ed.), pp. 1-13. Springer-Verlag, 1997.
    ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/idea.ps.gz
  • [An] L. Knudsen, V. Rijmen,
    "Truncated Differentials of IDEA,"
    ESAT-COSIC Technical Report 97-1.
    ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/idea_trunc.ps.Z
  • [An] J. Kelsey, B. Schneier, D. Wagner,
    "Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES",
    Advances in Cryptology - Crypto '96 Proceedings, pp. 237-251. Springer-Verlag, August 1996.
    http://www.counterpane.com/key_schedule.html
  • [An] J. Kelsey, B. Schneier, D. Wagner, C. Hall,
    "Side Channel Cryptanalysis of Product Ciphers",
    ESORICS '98 Proceedings pp. 97-110, Springer-Verlag, September 1998.
    http://www.counterpane.com/side_channel.html
  • [An] E.G. Giessmann, G. Lassmann,
    "A Side Channel Cryptanalysis of the IDEA Cipher",
    Submitted to CRYPTO '99.
  • [Inf, An] Ascom Systec, Ltd.
    "Side Channel Attack Hardening of the IDEATM Cipher,"
    Ascom Systec White Paper (corrected version, May 1999).
    http://www.ascom.ch/infosec/downloads/sidechannel.pdf
  • [Impl, Test] Ascom Systec, Ltd.
    IDEA C Source Code and Test Data (corrected version, May 1999).
    http://www.ascom.ch/infosec/downloads.html
Key length:
128 bits.
Block size:
8 bytes.
Comment:
A version of the IDEA C reference code available in April and early May 1999 contained a bug in the code for multiplication mod 216+1, which occurs when multiplying two zero words; this bug is not caught by the standard test vectors. An additional test vector that does catch the bug (and incidentally demonstrates a weakness of IDEA's key schedule, but that's beside the point) is: 
   key        = <00000000000000000000000000000000>
   plaintext  = <0000000000000000>
   ciphertext = <0001000100000000>
Security comment:
IDEA is vulnerable to key schedule attacks, and therefore it should only be used with keys that are generated by a strong PRNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).
Patent status:
IDEA is patented in the U.S and 9 European countries by Ascom Systec Ltd., with a patent pending in Japan. The licensing policy is described here.

! ISAAC Stream Cipher
Designer:
Robert J. Jenkins Jr.
References:
Key length:
?
Missing information:
ISAAC does not appear to have a standard key schedule; this would need to be specified for it to be usable as a SCAN algorithm. Test vectors would also be needed.

! ISAAC-64 Stream Cipher
Designer:
Robert J. Jenkins Jr.
References:
Key length:
?
Missing information:
ISAAC-64 does not appear to have a standard key schedule; this would need to be specified for it to be usable as a SCAN algorithm. Test vectors would also be needed.

? JEROBOAM Stream Cipher
Designer:
Hervé Chabanne, Emmanuel Michon
Published:
1998
Description:
This algorithm refers to JEROBOAM version 2.0.
Alias:
"JEROBOAM-2.0"
References:
  • [Def, An] Hervé Chabanne, Emmanuel Michon,
    "JEROBOAM",
    Fast Software Encryption '98, Volume 1372 of Lecture Notes in Computer Science (S. Vaudenay, ed.), pp. 49-59. Springer-Verlag, 1998.
  • [Def, An] Emmanuel Michon,
    Rapport de stage d'option scientifique: étude cryptologique du chiffreur JEROBOAM,
    LATEX Document 2ε, 74 ko, Ecole Polytechnique, June 1997.
Key length:
128 or 248 bits

LOKI91 Block Cipher
Designers:
Laurence Brown, Matthew Kwan, Josef Pieprzyk, Jennifer Seberry
Published:
1991-92
References:
  • [Def, An] Laurence Brown, Matthew Kwan, Josef Pieprzyk, Jennifer Seberry,
    "Improving Resistance to Differential Cryptanalysis and the Redesign of LOKI,"
    Advances in Cryptology - ASIACRYPT '91 Proceedings, Springer-Verlag, 1993, pp. 36-50.
  • [Inf] Bruce Schneier,
    "Section 13.6 LOKI,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  • [An] Eli Biham,
    "New Types of Cryptanalytic Attacks Using Related Keys,"
    CS 753, Computer Science Department, Technion -- Israel Institute of Technology, September 1992.
    http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1992/CS/CS0753.ps
  • [An] Lars Knudsen,
    "Cryptanalysis of LOKI91,"
    Volume 718 of Lecture Notes in Computer Science, pp. 196-208. Springer-Verlag, 1992.
    ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/loki91.ps.Z
  • [An] Lars Knudsen,
    "Block ciphers - analysis, design and applications,"
    PhD. Thesis, DAIMI PB 485, Aarhus University, 1994.
  • [An] Toshio Tokita, Tohru Sorimachi, Mitsuru Matsui,
    "Linear cryptanalysis of LOKI and S2DES,"
    Volume 917 of Lecture Notes in Computer Science, pp. 293-306. Springer-Verlag, 1994.
  • [An] Lars Knudsen, M.J.B. Robshaw,
    "Non-linear Approximations in Linear Cryptanalysis,"
    Volume 1070 of Lecture Notes in Computer Science, pp. 224-236. Springer-Verlag, 1996.
    ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/nonlinear.ps.Z
  • [An] Kouichi Sakurai, Souichi Furuya,
    "Improving Linear Cryptanalysis of LOKI91 by Probabalistic Counting Method,"
    Volume ??? of Lecture Notes in Computer Science. Springer-Verlag, 1997.
  • [An] Lars Knudsen,
    "New potentially weak keys for DES and LOKI,"
    Advances in Cryptology - EUROCRYPT '94 Proceedings, Volume 950 of Lecture Notes in Computer Science (A. De Santis, ed.), pp. 419-424. Springer Verlag, 1995.
    ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/potential.ps.Z
Key length:
64 bits.
Block size:
8 bytes.
Security comments:
  • LOKI91 is vulnerable to related-key attacks, with a work factor of about 260 operations, and therefore it should only be used with keys that are generated by a strong PRNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).
  • The attacks cited above based on Linear Cryptanalysis, are effective against reduced-round variants of LOKI91 with up to 12 rounds (the full cipher has 16 rounds).
  • The fixed 64-bit key length is too short to prevent brute-force attacks.

LOKI97 Block Cipher
Designers:
Laurence Brown, Josef Pieprzyk, Jennifer Seberry
Published:
1997
References:
Key length:
128, 192 or 256 bits; default 128 bits.
Block size:
16 bytes.
Security comment:
The paper "Weaknesses in LOKI97" describes an attack using Differential Cryptanalysis, estimated as requiring at most 256 chosen plaintexts, and an attack using Linear Cryptanalysis, estimated as requiring at most 256 known plaintexts.

MARK-4 Stream Cipher
Description:
"Modified alleged RC4". This uses the same algorithm as RC4, but with the first 256 bytes of keystream discarded after key scheduling.
References:
  • [Def] Bruce Schneier,
    "Section 17.1 RC4,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  • [Def] Anonymous,
    Subject: RC4 Algorithm revealed,
    Posting to Usenet newsgroups sci.crypt, alt.security, comp.security.misc, and alt.privacy, September 14 1994.
    (Message-ID: <sternCvKL4B.Hyy@netcom.com>)
    Archived at ftp://idea.sec.dsi.unimi.it/pub/security/crypt/code/rc4.revealed.gz
  • [An] J. Kelsey, B. Schneier, D. Wagner,
    "Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES",
    Advances in Cryptology - Crypto '96 Proceedings, pp. 237-251. Springer-Verlag, August 1996.
    http://www.counterpane.com/key_schedule.html
Key length:
Minimum 8, maximum 2048, multiple of 8 bits; default 128 bits.
Comment:
For the purposes of SCAN, "MARK-4" will be based on the "RC4" cipher described in in the "RC4 Algorithm revealed" article and in Applied Cryptography, even in the unlikely event that differences are found between that cipher, and RSA Data Security, Inc.'s proprietary cipher of the same name.

The name "MARK-4" was apparently suggested by Brian Olson, in a posting to sci.crypt.

MARS Block Cipher
Designers:
Carolynn Burwick, Don Coppersmith, Edward D'Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas Jr., Luke O'Connor, Mohammad Peyravian, David Safford, Nevenko Zunicof
References:
Key length:
Minimum 32, maximum 1248, multiple of 32 bits; default 128 bits.
Block size:
16 bytes.
Security comment:
A 1248-bit equivalent key can be found for most keys of any length, with 232 effort. This is not a significant weakness in itself; however Markku-Juhani Saarinen suggests that "If there is more keying material than, say, 640 bits, a collision-resistant hash function should be used to create the encryption key."
Patent status:
IBM has a patent pending on MARS.

MAGENTA Block Cipher
Designers:
Michael Jacobson Jr., Klaus Huber
References:
Key length:
128, 256, or 256 bits; default 128 bits.
Block size:
16 bytes.
Security comment:
The paper "Cryptanalysis of Magenta" describes a chosen plaintext attack using 264 chosen plaintexts, and 264 work. It also notes that "given a ciphertext, one can decrypt it by swapping its two halves, re-encrypting the result, and swapping again". This would be a fatal weakness for some applications, even though it does not allow obtaining the key.
Patent status:
MAGENTA may be patented (see references).

? MDC Stream Cipher
Designer:
Peter Gutmann
Published:
October 1992
References:
Key length:
Minimum 64, maximum 640, multiple of 8 bits; default 128 bits.
Comments:
  • With regard to buffering and use of IVs, MDC behaves identically to the CFB mode of a block cipher. The length of the initialisation vector is 16 bytes. Implementations MUST support immediate processing of individual bytes.
  • MDC has nothing to do with the cipher constructions MDC-2 and MDC-4 designed at IBM (which do not have SCAN standard names).
Security comment:
A new random IV should be used for each message encrypted under a given key.

? Panama Stream Cipher
Designers:
Joan Daemen, Craig Clapp
Published:
1998
References:
Key length:
256 bits.
Missing information:
Test vectors (panama.zip only contains test vectors for hashing).
Comment:
Panama makes use of a "diversification parameter" that is appended to the key. This is handled by treating the diversification parameter as an IV (which can be set in the same way as would be used for a block cipher).

Note that this implies that an implementation must save the user key (or the state of the cipher after loading this key), in order to ensure that more than one call to setIV can be made without having to reinitialise the cipher object.

? Rainbow Block Cipher
Designers:
Chang-Hyi Lee, Jeong-Soo Kim
References:
Key length:
Minimum 128, maximum 256, multiple of 32 bits; default 128 bits.
Block size:
16 bytes.
Missing information:
Test vectors.
Comment:
Only the 128-bit block version is defined as a SCAN algorithm.

RC2 Block Cipher
Designer:
Ron Rivest
References:
  • [Def] Ron Rivest,
    "A Description of the RC2(r) Encryption Algorithm,"
    RFC 2268, March 1998.
  • [An] L.R. Knudsen, V. Rijmen, R.L. Rivest, M.J.B. Robshaw,
    "On the design and security of RC2,"
    Fast Software Encryption, Volume 1372 of Lecture Notes in Computer Science (S. Vaudenay, ed.), pp. 206-221. Springer-Verlag, 1998.
  • [An] J. Kelsey, B. Schneier, D. Wagner,
    "Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA",
    ICICS '97 Proceedings, Springer-Verlag, November 1997.
    http://www.counterpane.com/related-key_cryptanalysis.html
Key length:
Minimum 0; maximum 1024, multiple of 8 bits; default 128 bits.
Block size:
8 bytes.
Comment:
The value of the key's effectiveBitLength parameter may be different from 8 * (length of key encoding in bytes), to allow compatibility with other RC2 implementations. However, RC2 KeyGenerators should always generate keys such that the length of the encoding is equal to (effectiveBitLength + 7) / 8 bytes. (To create keys that do not satisfy this constraint, an application has to construct a SecretKey object directly.)

Note that the table given in section 6 of RFC 2268 plays no part in determining the number of effective bits (and also, the default key length is 128 bits, not 32 as implied by that section).

Security comment:
RC2 is vulnerable to related-key attacks, and therefore it should only be used with keys that are generated by a strong PRNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

RC4 Stream Cipher
Designer:
Ron Rivest
Alias:
"ARCFOUR"
References:
  • [Def] Bruce Schneier,
    "Section 17.1 RC4,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  • [Def] Anonymous,
    Subject: RC4 Algorithm revealed,
    Posting to Usenet newsgroups sci.crypt, alt.security, comp.security.misc, and alt.privacy, September 14 1994.
    (Message-ID: <sternCvKL4B.Hyy@netcom.com>)
    Archived at ftp://idea.sec.dsi.unimi.it/pub/security/crypt/code/rc4.revealed.gz
  • [An] Andrew Roos <andrewr@vironix.co.za>,
    A Class of Weak Keys in the RC4 Stream Cipher,
    Preliminary draft posted to sci.crypt, 4th November 1997.
  • [An] David Wagner,
    Subject: Re: Weak Keys in RC4,
    Posting to sci.crypt, September 26 1995.
    (Message-ID: <447o1l$cbj@cnn.Princeton.EDU>)
    Archived at http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys
  • [An] J. Kelsey, B. Schneier, D. Wagner,
    "Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES",
    Advances in Cryptology - Crypto '96 Proceedings, pp. 237-251. Springer-Verlag, August 1996.
    http://www.counterpane.com/key_schedule.html
Key length:
Minimum 8, maximum 2048, multiple of 8 bits; default 128 bits.
Comment:
For the purposes of SCAN, "RC4" will refer to the cipher described in the "RC4 Algorithm revealed" article and in Applied Cryptography, even in the unlikely event that differences are found between that cipher, and RSA Data Security, Inc.'s proprietary cipher of the same name.
Security comment:
There are small biases at the start of the RC4 key stream, these can be eliminated by discarding the first 256 bytes of the stream (as is done automatically by the MARK-4 algorithm).

RC5[(rounds)] Block Cipher
Designer:
Ron Rivest
Alias:
"RC5-32"
References:
  • [Inf] Ron Rivest,
    "The RC5 Encryption Algorithm,"
    Dr. Dobb's Journal, vol. 20 no. 1, pp. 146-148. January 1995.
  • [Def] Ron Rivest,
    "The RC5 Encryption Algorithm," (revised 20 March 1997)
    http://theory.lcs.mit.edu/~rivest/rc5rev.ps
  • [Def] Ron Rivest,
    "The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms,"
    RFC 2040, October 1996.
  • [Inf] A. Menezes, P.C. van Oorschot, S.A. Vanstone,
    "Section 7.7.2 RC5,"
    Handbook of Applied Cryptography, CRC Press, 1997.
  • [An] B.S. Kaliski, Y.L. Yin,
    "On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm",
    Advances in Cryptology - CRYPTO '95, pp. 171-184. Springer-Verlag, 1995.
  • [An] Lars Knudsen, W. Meier,
    "Improved differential attack on RC5,"
    Advances in Cryptology - Crypto '96 Proceedings, Volume 1109 of Lecture Notes in Computer Science (N. Koblitz, ed.), pp. 216-228. Springer-Verlag, 1996.
    ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/rc5.ps.Z
  • [An] H. Heys,
    "Linearly Weak Keys of RC5,"
    IEE Electronics Letters, vol. 33, no. 10, pp. 836-838, 1997.
    http://www.engr.mun.ca/~howard/PAPERS/rc5_letter.ps
  • [An] A. Biryukov, E. Kushilevitz,
    "Improved Cryptanalysis of RC5," EUROCRYPT '98.
    http://www.cs.technion.ac.il/~eyalk/alex.ps.Z
  • [An] A. A. Selcuk,
    "New results in linear cryptanalysis of RC5,"
    Fast Software Encryption - Fifth International Workshop, Paris, France, LNCS. Springer-Verlag, 1998.
  • [An] H. Handschuh,
    "A Timing Attack on RC5,"
    Workshop on Selected Areas in Cryptography - SAC '98, Workshop record, 1998. To be published by Springer-Verlag.
    http://www.enst.fr/~handschu/rc5.ps
  • [An] H. Heys,
    "A Timing Attack on RC5,"
    Workshop on Selected Areas in Cryptography - SAC '98, Queen's University, Kingston, Ontario, Aug. 1998.
    http://www.engr.mun.ca/~howard/PAPERS/rc5_timing.ps
Parameters:
  • Integer rounds [creation/read, default 12] - the number of rounds to be performed (minimum 12, multiple of 2)
Key length:
Minimum 0; maximum 65536, multiple of 8 bits; default 128 bits.
Block size:
8 bytes.
Comments:
The block size could have been specified as a parameter; however it is unlikely that RC5 could be efficiently implemented with multiple block sizes sharing the same code, and therefore two different algorithms are specified (RC5 and RC5-64). Also note that the default (and minimum) number of rounds is different (12 vs 16).
Security comments:
[[lots of papers; need to give a summary]]
Patent status:
RSA Data Security, Inc., has a patent pending on RC5 (and RC5-64).

? RC5-64[(rounds)] Block Cipher
Designer:
Ron Rivest
References:
[see references for RC5]
Parameters:
  • Integer rounds [creation/read, default 16] - the number of rounds to be performed (minimum 16, multiple of 2)
Key length:
Minimum 0; maximum 65536, multiple of 8 bits; default 128 bits.
Block size:
16 bytes.
Comments:
The block size could have been specified as a parameter; however it is unlikely that RC5 could be efficiently implemented with multiple block sizes sharing the same code, and therefore two different algorithms are specified (RC5 and RC5-64). Also note that the default (and minimum) number of rounds is different (12 vs 16).
Patent status:
RSA Data Security, Inc., has a patent pending on RC5 (and RC5-64).

RC6[(rounds)] Block Cipher
Designers:
Ron Rivest, Matthew Robshaw, Raymond Sidney, Yiqun Lisa Yin
Alias:
"RC6-32"
References:
Parameters:
  • Integer rounds [creation/read, default 20] - the number of rounds to be performed (minimum 8, multiple of 4)
Key length:
Minimum 0; maximum 2040, multiple of 8 bits; default 128 bits.
Block size:
16 bytes.
Comments:
The block size could have been specified as a parameter; however it is unlikely that RC6 could be efficiently implemented with multiple block sizes sharing the same code, and therefore two different algorithms are specified (RC6 and RC6-64).
Patent status:
RSA Data Security, Inc., has several patents pending on RC6 (covering all versions).

? RC6-64[(rounds)] Block Cipher
Designers:
Ron Rivest, Matthew Robshaw, Raymond Sidney, Yiqun Lisa Yin
References:
[see references for RC6]
Parameters:
  • Integer rounds [creation/read, default 20] - the number of rounds to be performed (minimum 8, multiple of 4)
Key length:
Minimum 0; maximum 2040, multiple of 8 bits; default 128 bits.
Block size:
32 bytes.
Missing information:
Test vectors.
Comments:
The block size could have been specified as a parameter; however it is unlikely that RC6 could be efficiently implemented with multiple block sizes sharing the same code, and therefore two different algorithms are specified (RC6 and RC6-64).
Patent status:
RSA Data Security, Inc., has several patents pending on RC6 (covering all versions).

? RC6a[(rounds)] Block Cipher
Designers:
Ron Rivest, Matthew Robshaw, Raymond Sidney, Yiqun Lisa Yin
Alias:
"RC6a-32"
Description:
This is RC6-32 with the "tweaked" key schedule proposed as a response to the first-round AES evaluation.
References:
Parameters:
  • Integer rounds [creation/read, default 20] - the number of rounds to be performed (minimum 8, multiple of 4)
Key length:
Minimum 0; maximum 992, multiple of 8 bits; default 128 bits.
Block size:
16 bytes.
Missing information:
Test vectors.
Comments:
  • The block size could have been specified as a parameter; however it is unlikely that RC6a could be efficiently implemented with multiple block sizes sharing the same code, and therefore two different algorithms are specified (RC6a and RC6a-64).
  • The RC6a key schedule requires that the number of key words is less than 32; this defines the maximum 31 * 32 = 992-bit key length.
Patent status:
RSA Data Security, Inc., has several patents pending on RC6 (covering all versions).

? RC6a-64[(rounds)] Block Cipher
Designers:
Ron Rivest, Matthew Robshaw, Raymond Sidney, Yiqun Lisa Yin
Description:
This is RC6-64 with the "tweaked" key schedule proposed as a response to the first-round AES evaluation.
References:
Parameters:
  • Integer rounds [creation/read, default 20] - the number of rounds to be performed (minimum 8, multiple of 4)
Key length:
Minimum 0; maximum 1984, multiple of 8 bits; default 128 bits.
Block size:
32 bytes.
Missing information:
Test vectors.
Comments:
  • The block size could have been specified as a parameter; however it is unlikely that RC6a could be efficiently implemented with multiple block sizes sharing the same code, and therefore two different algorithms are specified (RC6a and RC6a-64).
  • The RC6a key schedule requires that the number of key words is less than 32; this defines the maximum 31 * 64 = 1984-bit key length.
Patent status:
RSA Data Security, Inc., has several patents pending on RC6 (covering all versions).

Rijndael Block Cipher
Designers:
Joan Daemen, Vincent Rijmen
Description:
This is Rijndael with a 128-bit block size. The number of rounds is 10 for a 128-bit key, 12 for a 192-bit key, and 14 for a 256-bit key.
References:
Key length:
128, 192 or 256 bits; default 128 bits.
Block size:
16 bytes.
Comments:
  • The errors in the "AES Proposal: Rijndael" paper (pointed out by Jim Foti of NIST) are:
    1. With respect to the ShiftRow transformation of the state matrix, according to the algorithm description (see section 4.2.2), the bytes are shifted to the right. However, the ANSI C reference code appears to shift the bytes to the LEFT. (Ref: "rijndael-alg-ref.c" line 57.)
    2. With respect to the Round Constant Array RCON used in the generation of the key schedule, in the algorithm description the recursion is initialized with RCON(0)=01 (see section 4.3.1). However, RCON(0) would never be used, and the simulator sets RCON(1)=01. (Ref: "rijndael-alg-ref.c" line 147.)

    The C reference code (available from the Rijndael Page and on the AES CD) is correct, as are the KAT and MCT test vectors.

  • Rijndael is pronounced with 'ij' like 'ai' in the English word 'air', and with 'ae' like 'a' in the English word 'far'.

Rijndael-192 Block Cipher
Designers:
Joan Daemen, Vincent Rijmen
Description:
This is Rijndael with a 192-bit block size. The number of rounds is 12 for a 128- or 192-bit key, and 14 for a 256-bit key.
References:
[see references for Rijndael]
Key length:
128, 192 or 256 bits; default 128 bits.
Block size:
24 bytes.
Comments:
[see comments for Rijndael]

Rijndael-256 Block Cipher
Designers:
Joan Daemen, Vincent Rijmen
Description:
This is Rijndael with a 256-bit block size. The number of rounds is always 14.
References:
[see references for Rijndael]
Key length:
128, 192 or 256 bits; default 128 bits.
Block size:
32 bytes.
Comments:
[see comments for Rijndael]

SAFER-K[(rounds)] Block Cipher
Designer:
James Massey
Published:
December 1993.
Description:
This algorithm refers to the original version of SAFER, designed in 1993.
References:
  • [Def] Massey, J. L.,
    "SAFER K-64: A Byte-Oriented Block Ciphering Algorithm",
    Fast Software Encryption (R. Anderson, ed.), Proceedings of the Cambridge Security Workshop, Cambridge, U.K., December 9-11, 1993, pp. 1-17.
    Volume 809 of Lecture Notes in Computer Science, Springer, 1994.
  • [Inf] Massey, J. L.,
    "SAFER K-64: One Year Later",
    Preliminary manuscript of a paper presented at the K. U. Leuven Workshop on Cryptographic Algorithms, December 14-16, 1994.
    To be published in the Proceedings of this workshop by Springer.
  • [Inf] A. Menezes, P.C. van Oorschot, S.A. Vanstone,
    "Section 7.7.1 SAFER,"
    Handbook of Applied Cryptography, CRC Press, 1997.
  • [Inf, Test, Impl] Richard De Moliner,
    SAFER toolkit V1.2. Includes C implementation, additional notes, test data, test program.
    ftp://ftp.isi.ee.ethz.ch/pub/simpl/safer.V1.2.tar.Z
  • [An] Lars Knudsen,
    "A Key-Schedule Weakness in SAFER K-64",
    Advances in Cryptology - Crypto '95 Proceedings, Volume 963 of Lecture Notes in Computer Science, Springer-Verlag, 1995.
    ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/saferkey.ps.Z
    (appendix with corrections: ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/tillaeg.ps.Z)
  • [An] C. Harpes,
    "A Generalization of Linear Cryptanalysis Applied to SAFER,"
    Internal report, Signal and Information Processing Lab., Swiss Federal Institute of Technology, Zurich, March 9, 1995.
    http://www.isi.ee.ethz.ch/~harpes/GLCsafer.ps
  • [An] Lars Knudsen, T.A. Berson,
    "Truncated differentials of SAFER,"
    Fast Software Encryption, Volume 1039 of Lecture Notes in Computer Science (D. Gollmann, ed.), pp. 15-26. Springer-Verlag, 1996.
    ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/trunc_dif_saf.ps.Z
  • [An] J. Kelsey, B. Schneier, D. Wagner,
    "Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES",
    Advances in Cryptology - Crypto '96 Proceedings, pp. 237-251. Springer-Verlag, August 1996.
    http://www.counterpane.com/key_schedule.html
Parameters:
  • Integer rounds [creation/read, default null (indicating key-length-dependent)] - the number of rounds to be performed (minimum 6). When the value of this property is null, 6 rounds are used for a 64-bit key, and 10 rounds for a 128-bit key.
Key length:
64 or 128 bits; default 128 bits.
Block size:
8 bytes.
Comment:
Conventionally, the key length for SAFER is included in the algorithm name, e.g. "SAFER K-64", "SAFER K-128", etc. Because a SCAN algorithm may have variable-length keys, all of these are referred to as "SAFER-K".
Security comment:
As a result of the key schedule attack by Lars Knudsen cited above, SAFER-K has been superceded by SAFER-SK.

SAFER-SK[(rounds)] Block Cipher
Designer:
James Massey
Published:
September 1995.
Description:
This algorithm refers to the version of SAFER with a strengthened key schedule, designed in 1995 (see SAFER_SK.TXT, cited below).
Alias:
"OpenPGP.Cipher.6" is an alias to "SAFER-SK(13)".
References:
  • [Def (excluding key schedule)] Massey, J. L.,
    "SAFER K-64: A Byte-Oriented Block Ciphering Algorithm",
    Fast Software Encryption (R. Anderson, ed.), Proceedings of the Cambridge Security Workshop, Cambridge, U.K., December 9-11, 1993, pp. 1-17.
    Volume 809 of Lecture Notes in Computer Science, Springer, 1994.
  • [Def] Massey, J. L.,
    "Announcement of a Strengthened Key Schedule for the Cipher SAFER",
    September 9, 1995, (see file 'SAFER_SK.TXT' included in the SAFER toolkit, below).
  • [Inf, Test, Impl] Richard De Moliner,
    SAFER toolkit V1.2. Includes C implementation, additional notes, test data, test program.
    ftp://ftp.isi.ee.ethz.ch/pub/simpl/safer.V1.2.tar.Z
  • [An] C. Harpes,
    "A Generalization of Linear Cryptanalysis Applied to SAFER,"
    Internal report, Signal and Information Processing Lab., Swiss Federal Institute of Technology, Zurich, March 9, 1995.
    http://www.isi.ee.ethz.ch/~harpes/GLCsafer.ps
  • [An] Lars Knudsen, T.A. Berson,
    "Truncated differentials of SAFER,"
    Fast Software Encryption, Volume 1039 of Lecture Notes in Computer Science (D. Gollmann, ed.), pp. 15-26. Springer-Verlag, 1996.
    ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/trunc_dif_saf.ps.Z
  • [An] J. Kelsey, B. Schneier, D. Wagner,
    "Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES",
    Advances in Cryptology - Crypto '96 Proceedings, pp. 237-251. Springer-Verlag, August 1996.
    http://www.counterpane.com/key_schedule.html
Parameters:
  • Integer rounds [creation/read, default null (indicating key-length-dependent)] - the number of rounds to be performed (minimum 8). When the value of this property is null, 8 rounds are used for a 64-bit key, and 10 rounds for a 128-bit key.
Key length:
64 or 128 bits; default 128 bits.
Block size:
8 bytes.
Comments:
  • Conventionally, the key length for SAFER with strengthened key schedule is included in the algorithm name, e.g. "SAFER SK-64", "SAFER SK-128", etc. Because a SCAN algorithm may have variable-length keys, all of these are referred to as "SAFER-SK".
  • SAFER_SK.TXT suggests a maximum of 10 rounds for a 64-bit key, and 12 rounds for a 128-bit key; however here we do not specify any limit on the number of rounds. Also note that because the number of rounds can be given in the algorithm name before the key length is known, it is possible to use a 128-bit key with 8 or 9 rounds (i.e. less than the default), but this is definitely not recommended.
  • A 40-bit key schedule has also been specified for SAFER-SK; this is not required to be implemented, and applications should not assume that a SAFER-SK implementation will support 40-bit keys.

SAFER+ Block Cipher
Designers:
James Massey, Gurgen Khachatrian, Melsik Kuregian
References:
Key length:
128, 192 or 256 bits; default 128 bits.
Block size:
16 bytes.
Comment:
The original C reference code uses an unconventional byte order when printing test vectors (the order of bytes is reversed across the whole block). The correct byte order is that defined by the Java reference implementation, and by the NIST test vectors referenced above.

Sapphire-II Stream Cipher
Designer:
Michael Paul Johnson
Published:
January? 1995
References:
Key length:
Minimum 8, maximum 2040, multiple of 8 bits; default 128 bits.
Missing information:
Test vectors.

SEAL Stream Cipher
Designers:
Phillip Rogaway, Don Coppersmith
Alias:
"SEAL-3.0"
References:
  • [Def] P. Rogaway, D. Coppersmith,
    "A software-optimized encryption algorithm,"
    Fast Software Encryption, Cambridge Security Workshop Proceedings, Volume 809 of Lecture Notes in Computer Science (R. Anderson, ed.), Springer-Verlag, 1993.
    Full paper (revised September 1997): http://www.cs.ucdavis.edu/~rogaway/papers/seal-abstract.html
  • [Inf] Bruce Schneier,
    "Section 17.2 SEAL,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  • [Inf] A. Menezes, P.C. van Oorschot, S.A. Vanstone,
    "Section 6.4.1 SEAL,"
    Handbook of Applied Cryptography, CRC Press, 1997.
  • [Patent] P. Rogaway, D. Coppersmith,
    "Software-efficient pseudorandom function and the use thereof for encryption,"
    U.S. Patent #5,454,039. 26 September 1995.
  • [An] H. Handschuhand, H. Gilbert,
    "X2 [chi-squared] Cryptanalysis of the SEAL Encryption Algorithm,"
    Fast Software Encryption - FSE4, Volume 1267 of Lecture Notes in Computer Science, pp. 1-12, 1997.
    http://www.enst.fr/~handschu/seal.ps
Key length:
160 bits.
Patent status:
SEAL is patented in the United States by IBM (US patent numbers 5454039 and 5675652, filed in 1993 and 1995 respectively).

Serpent Block Cipher
Designers:
Ross Anderson, Eli Biham, Lars Knudsen
References:
Key length:
128, 192 or 256 bits; default 128 bits.
Block size:
16 bytes.
Comment:
The original C reference code uses an unconventional byte order when printing test vectors (the order of bytes is reversed across the whole block). The correct byte order is that defined by the Java reference implementation, and by the NIST test vectors referenced above.
Patent status:
A patent has been applied for on Serpent (see references). However, quoting from the Serpent home page:
Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August 1998 at the AES conference.

SHARK-A Block Cipher
Designers:
Vincent Rijmen, Joan Daemen, Bart Preneel Antoon Bosselaers, Erik De Win
Designers:
This is the "Affine Transformation" variant of SHARK.
References:
Key length:
128 bits.
Block size:
8 bytes.
Missing information:
Test vectors.
Security comment:
"The Interpolation Attack on Block Ciphers" analyses a "variant of SHARK, which deviates only slightly from the proposed SHARK", reduced to 5 rounds. SHARK normally has 6 rounds.

SHARK-E Block Cipher
Designers:
Vincent Rijmen, Joan Daemen, Bart Preneel Antoon Bosselaers, Erik De Win
Designers:
This is the "Exor" variant of SHARK.
References:
Key length:
128 bits.
Block size:
8 bytes.
Security comment:
"The Interpolation Attack on Block Ciphers" analyses a "variant of SHARK, which deviates only slightly from the proposed SHARK", reduced to 5 rounds. SHARK normally has 6 rounds.

SKIPJACK Block Cipher
Designer:
U.S. National Security Agency
Published:
June 1998
References:
Key length:
80 bits.
Block size:
8 bytes.
Security comment:
The "Observations on the SkipJack Encryption Algorithm" pages cited above describe the following attack, among others:
This note summarizes our first week of analysis. The main result is an attack on a variant, which we call SkipJack-3XOR (SkipJack minus 3 XORs). The only difference between SkipJack and SkipJack-3XOR is the removal of 3 out of the 320 XOR operations. The attack uses the ciphertexts derived from about 500 plaintexts which are identical except for the second 16 bit word. Its total running time is equivalent to about one million SkipJack encryptions, which can be carried out in seconds on a personal computer.

This is still a preliminary result, but it reiterates our earlier comment that SkipJack does not have a conservative design with a large margin of safety.

SPEED-64[(rounds)] Block Cipher
Designer:
Yuliang Zheng
Published:
February 1997
References:
Parameters:
  • Integer rounds [creation/read, default 64] - the number of rounds to be performed (minimum 64, multiple of 4)
Key length:
Minimum 48, maximum 256, multiple of 16 bits; default 128 bits.
Block size:
8 bytes.
Security comment:
The "Cryptanalysis of SPEED" paper cited above breaks a reduced round variant of SPEED with 28 rounds, using 231 chosen plaintexts, and argues that variants of SPEED with sufficient rounds to resist the attacks given in the paper, are slower than many other ciphers with comparable security.

SPEED-128[(rounds)] Block Cipher
Designer:
Yuliang Zheng
Published:
February 1997
References:
[see references for SPEED-64]
Parameters:
  • Integer rounds [creation/read, default 64] - the number of rounds to be performed (minimum 48, multiple of 4)
Key length:
Minimum 48, maximum 256, multiple of 16 bits; default 128 bits.
Block size:
16 bytes.
Security comment:
[see security comment for SPEED-64]

SPEED-256[(rounds)] Block Cipher
Designer:
Yuliang Zheng
Published:
February 1997
References:
[see references for SPEED-64]
Parameters:
  • Integer rounds [creation/read, default 64] - the number of rounds to be performed (minimum 48, multiple of 4)
Key length:
Minimum 48, maximum 256, multiple of 16 bits; default 128 bits.
Block size:
32 bytes.
Security comment:
[see security comment for SPEED-64]

Square[(rounds)] Block Cipher
Designers:
Joan Daemen, Vincent Rijmen
Published:
1997
References:
Parameters:
  • Integer rounds [creation/read, default 8] - the number of rounds to be performed (minimum 8, multiple of 2)
Key length:
128 bits.
Block size:
16 bytes.

? TEA Block Cipher
Designers:
David Wheeler, Roger Needham
Published:
1994
References:
  • [Def, Impl] David Wheeler, R. Needham,
    "TEA, a Tiny Encryption Algorithm,"
    Fast Software Encryption, Cambridge Security Workshop Proceedings, Volume 809 of Lecture Notes in Computer Science (R. Anderson, ed.), pp. 363-366. Springer-Verlag, 1994.
    http://www.cl.cam.ac.uk/ftp/users/djw3/tea.ps
  • [An] J. Kelsey, B. Schneier, D. Wagner,
    "Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA",
    ICICS '97 Proceedings, Springer-Verlag, November 1997.
    http://www.counterpane.com/related-key_cryptanalysis.html
Key length:
128 bits.
Block size:
8 bytes.
Missing information:
Test vectors.
Security comment:
TEA is vulnerable to related-key attacks, and therefore it should only be used with keys that are generated by a strong PRNG, or by a source of bits that are sufficiently uncorrelated (such as the output of a hash function).

? XTEA Block Cipher
Designers:
David Wheeler, Roger Needham
Published:
1994
References:
Key length:
128 bits.
Block size:
8 bytes.
Comment:
This algorithm refers to the first algorithm described in the above referenced paper, not Block TEA. Block TEA does not have a SCAN standard name.
Missing information:
Test vectors.

Twofish Block Cipher
Designers:
Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson
Published:
1998
References:
Key length:
Minimum 8, maximum 256, multiple of 8 bits; default 128 bits.
Block size:
16 bytes.

! WAKE Stream Cipher
Designer:
David Wheeler
Published:
1993
References:
  • [Def, Impl] David Wheeler,
    "A Bulk Data Encryption Algorithm,"
    Fast Software Encryption, Cambridge Security Workshop Proceedings, Volume 809 of Lecture Notes in Computer Science (R. Anderson, ed.), pp. 127-134. Springer-Verlag, 1994.
    http://www.cl.cam.ac.uk/Research/Security/docs/wake.ps
  • [An] J. Daemen, R. Govaerts, J. Vanderwalle,
    "Resynchronization Weaknesses in Synchronous Stream Ciphers,"
    Advances in Cryptology - EUROCRYPT '93 Proceedings, pp. 159-167. Springer-Verlag, 1994.
    [[check that this is the right paper]]
Key length:
128 bits.
Missing information:
The specification of the key schedule is not complete.
Security comments:
WAKE is insecure against a chosen-plaintext or chosen-ciphertext attack.

WiderWake4+1 Stream Cipher
Designer:
Craig Clapp (based on WAKE, by David Wheeler)
Published:
January 1997
References:
Key length:
128 bits.

WiderWake4+3 Stream Cipher
Designer:
Craig Clapp (based on WAKE, by David Wheeler)
Published:
January 1997
References:
Key length:
128 bits.

PBE-PKCS5(digestName,DES/CBC) Block Cipher Construction
Designers:
RSA Data Security, Inc.
Aliases:
"pbeWithMD2AndDES-CBC", "PBEWithMD2AndDES", and "1.2.840.113549.1.5.1" are aliases to PBE-PKCS5(MD2,DES/CBC).
"pbeWithMD5AndDES-CBC", "PBEWithMD5AndDES", and "1.2.840.113549.1.5.3" are aliases to PBE-PKCS5(MD5,DES/CBC).
Description:
The passphrase-based encryption algorithm specified in version 1.5 of PKCS #5. For the Java mapping, the key MUST be an instance of PBEKeySpec, or a subclass of PBEKeySpec. [[Need more details.]]
References:
Parameters:
  • String digestName [creation/read, no default] - the name of the message digest to be used to generate the key and IV.
Key length:
64 bits as encoded, 56 bits excluding parity bits.
Block size:
8 bytes.
Comment:
The method described in PKCS #5 v1.5 cannot easily be generalised to support ciphers other than DES. However, DES/CBC MUST still be specified as if it were a parameter, for consistency with the names of other passphrase-based cipher constructions.
Security comment:
The 56-bit effective key length is too short to prevent brute-force attacks.

PBE-PKCS12(digestName,cipherName
[,keyLength]) 		Cipher Construction
Designers:
RSA Data Security, Inc.
Aliases:
  • "pbeWithSHAAnd128BitRC4" and "1.2.840.113549.1.12.1.1" are aliases to PBE-PKCS12(SHA-1,RC4,128).
  • "pbeWithSHAAnd40BitRC4" and "1.2.840.113549.1.12.1.2" are aliases to PBE-PKCS12(SHA-1,RC4,40).
  • "pbeWithSHAAnd3-KeyTripleDES-CBC" and "1.2.840.113549.1.12.1.3" are aliases to PBE-PKCS12(SHA-1,DESede/CBC,168).
  • "pbeWithSHAAnd2-KeyTripleDES-CBC" and "1.2.840.113549.1.12.1.4" are aliases to PBE-PKCS12(SHA-1,DESede/CBC,112).
  • "pbeWithSHAAnd128BitRC2-CBC" and "1.2.840.113549.1.12.1.5" are aliases to PBE-PKCS12(SHA-1,RC2/CBC,128).
  • "pbeWithSHAAnd40BitRC2-CBC" and "1.2.840.113549.1.12.1.6" are aliases to PBE-PKCS12(SHA-1,RC2/CBC,40).
Description:
The passphrase-based encryption algorithm specified in version 1.0 of PKCS #12. For the Java mapping, the key MUST be an instance of PBEKeySpec, or a subclass of PBEKeySpec. [Need more details.]
References:
Parameters:
  • String digestName [creation/read, no default] - the name of the message digest to be used to generate the key and (if needed) the IV.
  • String cipherName [creation/read, no default] - the name of the cipher to be used for encryption/decryption.
  • Integer keyLength [creation/read, default equal to the default key length of the cipher given by cipherName] - the effective bit length (i.e. excluding parity bits) to be used for the key.
Key length:
Same as the value of the keyLength property.
Block size:
Same as the block size of the cipher given by cipherName.
Security comment:
PBE-PKCS12 does not define any way to iterate the hashing operation in order to slow down a dictionary attack against the passphrase. It will therefore become more vulnerable than necessary to attacks against weak passphrases, as the performance of computing hardware increases.

NullCipher Stream Cipher
Description:
A "no-op" algorithm, for which the ciphertext is identical to the plaintext.
Key length:
0 bits.
Security comment:
This algorithm provides no security. (Note that its existance is not in itself a security weakness; even without a no-op algorithm, it would not be valid for applications to assume that an arbitrary Cipher object or algorithm will provide adequate security.)

Block Cipher Modes

ECB Mode
Description:
Electronic Codebook Mode, as defined in NBS FIPS PUB 81.
References:
Comment:
If a padding scheme is not specified (i.e. the algorithm name is given in the form "cipherName/ECB"), then NoPadding MUST be assumed (note that this is intentionally different to CBC and PCBC modes, for which PKCSPadding would be used). The standard name always specifies padding, however.
Security comment:
ECB mode will always encrypt identical plaintext blocks to identical ciphertexts. This can be a weakness when the plaintext is not random and uniformly distributed, and in that case, a different mode should probably be used.

CBC Mode
Description:
Cipher Block Chaining Mode, as defined in NBS FIPS PUB 81.
References:
Comment:
If a padding scheme is not specified (i.e. the algorithm name is given in the form "cipherName/CBC"), then PKCSPadding MUST be assumed. The standard name always specifies padding, however.

PCBC Mode
Description:
Propagating Cipher Block Chaining Mode.
References:
Comment:
If a padding scheme is not specified (i.e. the algorithm name is given in the form "cipherName/PCBC"), then PKCSPadding MUST be assumed. The standard name always specifies padding, however.

CFB(feedbackBits) Mode
Description:
Cipher Feedback Mode, as defined in NBS FIPS PUB 81, with a feedback vector of length feedbackBits bits.
References:
Parameters:
  • Integer feedbackBits [creation/read, default equal to the number of bits in a block] - the length of the feedback vector in bits (from 1 bit, to the number of bits in a block)
Comment:
The value of feedbackBits does not affect the granularity of data that can be encrypted or decrypted. Implementations MUST support immediate processing of individual bytes, in a similar fashion to a stream cipher. This means that it is never necessary to specify a padding scheme.

OFB Mode
Description:
Output Feedback Mode, as defined in NBS FIPS PUB 81, except that the feedback vector is restricted to be the same size as a block.
References:
  • [Inf] U.S. National Bureau of Standards (now NIST),
    "DES Modes of Operation,"
    NBS FIPS PUB 81, U.S. Department of Commerce, December 1980.
    http://www.itl.nist.gov/div897/pubs/fip81.htm
  • [Inf] Bruce Schneier,
    "Section 9.8 Output-Feedback Mode,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  • [Inf] sci.crypt FAQ, "Part 5: Product Ciphers,"
    ftp://ftp.rtfm.mit.edu/pub/usenet/news.answers/cryptography-faq/part05
  • [An] D.W. Davies, G.I.P. Parkin,
    "The Average Size of the Key Stream in Output Feedback Mode,"
    Cryptography, Proceedings of the Workshop on Cryptography, Burg-Feuerstein, Germany, March 29-April 2, 1982, Springer-Verlag, 1983, pp. 263-279.
    Also in Advances in Cryptology - Crypto '82 Proceedings, Plenum Press, 1983, pp. 97-98.
Comments:
  • Implementations MUST support immediate processing of individual bytes, in a similar fashion to a stream cipher. This means that it is never necessary to specify a padding scheme.
  • The reason for not supporting feedback sizes less than the block size, is that this greatly reduces the period of the keystream (e.g. from 260 bytes to 229 bytes, for a cipher with a block size of 8 bytes).

InterleavedCBC(nStreams) Mode
Description:
Interleaved Cipher Block Chaining Mode, with nStreams independent IVs. The length of the IV array required by setIV (or generated randomly) will be nStreams * blockSize bytes.
References:
Parameters:
  • Integer nStreams [creation/read, no default] - the number of interleaved streams (minimum 1)
If a padding scheme is not specified (i.e. the algorithm name is given in the form "cipherName/InterleavedCBC(nStreams)"), then PKCSPadding MUST be assumed. The standard name always specifies padding, however.

InterleavedPCBC(nStreams) Mode
Description:
Interleaved Propagating Cipher Block Chaining Mode, with nStreams independent IVs. The length of the IV array required by setIV (or generated randomly) will be nStreams * blockSize bytes.
References:
Parameters:
  • Integer nStreams [creation/read, no default] - the number of interleaved streams (minimum 1)
Comment:
If a padding scheme is not specified (i.e. the algorithm name is given in the form "cipherName/InterleavedPCBC(nStreams)"), then PKCSPadding MUST be assumed. The standard name always specifies padding, however.

InterleavedCFB(nStreams) Mode
Description:
Interleaved Cipher Feedback Mode, with nStreams independent IVs, and with each feedback vector of equal size to a block. The length of the IV array required by setIV (or generated randomly) will be nStreams * blockSize bytes.
References:
Parameters:
  • Integer nStreams [creation/read, no default] - the number of interleaved streams (minimum 1)
Comment:
Implementations MUST support immediate processing of individual bytes, in a similar fashion to a stream cipher. This means that it is never necessary to specify a padding scheme.

Block Cipher Padding

 Note that a padding algorithm is only required for block ciphers in modes that do not allow byte-oriented operation. Of the modes defined in this document, ECB, CBC, InterleavedCBC, PCBC and InterleavedPCBC require a padding algorithm, whereas CFB, InterleavedCFB, and OFB do not.

PKCSPadding Padding
Aliases:
"PKCS#5", "PKCS#7", "PKCS5Padding"
Description:
The padding scheme described in PKCS #7 section 10.3, note 2 (this is a generalisation of the scheme described in PKCS #5 section 6.2, to block sizes between 1 and 255 bytes inclusive).
References:
Comment:
When this algorithm is referenced using the "PKCS#5" or "PKCS5Padding" aliases, it should not be assumed that block sizes other than 8 bytes will be supported.

OneAndZeroes Padding
Description:
An algorithm that adds a single binary 1 bit, followed by as many binary 0 bits as needed to complete a block. (Viewed in terms of bytes, this corresponds to a byte of 0x80, followed by as many 0x00 bytes as needed to complete a block.)
Missing information:
Def reference, test vectors.

CTS Padding
Alias:
"CiphertextStealing"
References:
  • [Inf] Bruce Schneier,
    "Section 9.1 Electronic Code Book Mode,"
    "Figure 9.1 Ciphertext stealing in ECB mode,"
    "Section 9.3 Cipher Block Chaining Mode," and
    "Figure 9.5 Ciphertext stealing in CBC mode,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  • [Inf, Test] Ron Rivest,
    "The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms,"
    RFC 2040, October 1996.
    (The "RC5-CTS" mode is equivalent to RC5/CBC/CTS; this gives a source of test vectors, at least for one cipher.)
Missing information:
Def reference.
Comment:
The amount of data that must be buffered by the cipher implementation is increased when ciphertext stealing is used (specifically, up to two blocks minus one byte can be buffered, for both encryption and decryption).

NoPadding Padding
Description:
An algorithm name used to specify that for encryption, a BadPaddingException will be thrown when the plaintext input is not an exact number of blocks, and for decryption, that no unpadding will be done.
Alias:
"NONE"

KeyGenerators

For each symmetric cipher, there is a KeyGenerator with the same standard name and aliases, that can be used to generate random keys for that cipher. Since the valid key lengths, and any comments on the key encoding are given with the cipher descriptions (and there is generally only one valid key encoding for a symmetric cipher), there is no need for each KeyGenerator algorithm to be described separately.

Typically, the default key length for each algorithm is the one that will be used in most cases. A possible exception to this is AES, for which it is likely that various standards will allow 128-, 192- and 256-bit keys to be used (for example, OpenPGP has three different algorithm numbers for AES, according to key length). For that reason, we specify three key generator names for AES, with different default key lengths, which should allow a straightforward mapping between a SCAN name, and the algorithms specified in these standards.

! AES128 Block Cipher
Description:
This KeyGenerator name is reserved for the cipher that wins the NIST AES (Advanced Encryption Standard) contest, with 128-bit keys. If there is more than one winning algorithm, this entry will be removed.
Aliases:
"AES", "OpenPGP.Cipher.7"
References:
[see references for AES]

! AES192 Block Cipher
Description:
This KeyGenerator name is reserved for the cipher that wins the NIST AES (Advanced Encryption Standard) contest, with 192-bit keys. If there is more than one winning algorithm, this entry will be removed.
Alias:
"OpenPGP.Cipher.8"
References:
[see references for AES]

! AES256 Block Cipher
Description:
This KeyGenerator name is reserved for the cipher that wins the NIST AES (Advanced Encryption Standard) contest, with 256-bit keys. If there is more than one winning algorithm, this entry will be removed.
Alias:
"OpenPGP.Cipher.9"
References:
[see references for AES]

PRF algorithms (Pseudo Random Functions)

MGF1(digestName) PRF Construction
Designers:
P1363 Working Group
Published:
1999
References:
  • [Def] IEEE P1363 (draft), Standard for Public-Key Cryptography, 1999.
Missing information:
Test vectors. P1363 is only a draft.
Parameters:
  • String digestName [creation/read, no default] - the name of the message digest on which this PRF is to be based.

SSL3-PRF PRF
Designers:
Netscape Communications Corp.
Published:
?
Description:
SSL3-PRF is defined as follows: 
   SSL3-PRF(secret, seed) =
       MD5(secret + SHA-1("A" + secret + seed)) + 
       MD5(secret + SHA-1("BB" + secret + seed)) +
       MD5(secret + SHA-1("CCC" + secret + seed)) +
       [...];
A maximum of 26 * 16 = 416 bytes may be generated.
References:
Missing information:
Test vectors.

TLS-PRF PRF
Designers:
IETF Transport Layer Security Working Group
Published:
?
Description:
...
References:
  • [Def] TLS spec.
Missing information:
Everything...

Passphrase Hashes

crypt3-BSD(mechanism) PassphraseHash
Designers:
Dennis Ritchie (Traditional mechanism), various others
Published:
?
Description:
The BSD passphrase hash is used by OpenBSD; it is upwardly compatible with the hash used by NetBSD, and the "traditional" Unix crypt(3) algorithm ("crypt3-DES"). It is defined only for generation of authenticators. The definition of each mechanism is as follows:

Traditional
See crypt3-DES.
MD5
...
Blowfish
...

When a passphrase is verified, the first few characters of the authenticator determine which mechanism is used:

  • If the first two characters are "$1", the MD5 mechanism is used.
  • If the first two characters are "$2", the Blowfish mechanism is used.
  • If the first character is not "$" or "_", the Traditional mechanism is used.
  • Otherwise, the mechanism is unrecognised, and the passphrase is always considered to be invalid.
References:
Parameters:
  • String mechanism [creation/read, no default] - the name of the mechanism to be used when hashing passphrases (Traditional, Extended, MD5 or Blowfish, as described above). This parameter is ignored when verifying passphrases.
Output length:
Variable.
Missing information:
Test vectors, definitions for MD5 and Blowfish mechanisms.
Security comment:
The security of this algorithm depends on which mechanism is used. The "Traditional" mechanism is fairly weak; see "crypt3-DES" for problems with it. The "MD5" mechanism lacks a method to slow down dictionary attacks. The "Blowfish" mechanism does not appear to have any significant weaknesses.

crypt3-DES PassphraseHash
Designers:
Dennis Ritchie
Published:
?
Description:
This is the "traditional" Unix crypt(3) algorithm.
References:
  • [Def] ...,
Output length:
Variable.
Missing information:
Test vectors.
Security comments:
[[...]]

Simple(digestName) PassphraseHash
Designers:
Phil Zimmerman, OpenPGP working group
Published:
1998 (for the OpenPGP version using a UTF8 passphrase)
Description:
A Simple passphrase hash is calculated by applying the message digest specified by digestName, to a UTF8 representation of the passphrase (which is case-sensitive, and of unlimited length). It is defined only for generation of a symmetric encryption key.
References:
  • [Def] Jon Callas, Lutz Donnerhacke, Hal Finney, Rodney Thayer
    "OpenPGP Message Format,"
    RFC 2440, November 1998.
Parameters:
  • String digestName [creation/read, no default] - the name of the message digest on which this Mac is to be based.
Output length:
Same as the digest length of the given message digest function.
Security comments:
  • The lack of any salt, or method of slowing down the hash function, makes dictionary attacks much easier than necessary.
  • The fact that the same key is always generated for a given passphrase means that breaking this key immediately compromises all data encrypted under the same passphrase, and also that it is completely insecure to use this hash to generate keys for an OFB stream cipher.
  • Therefore, the Simple hash SHOULD NOT be used for new applications.

WindowsNT PassphraseHash
Designers:
Microsoft Corp.
Description:
A WindowsNT passphrase hash is calculated by applying the MD4 message digest to a big-endian UCS-2 representation of the passphrase (which is case-sensitive, and of length 0 to 256 Unicode characters). It is defined for generation of authenticators only.
References:
  • [Def] RFC 2433.
  • [Inf, Impl (for MD4)] Ron Rivest,
    "The MD4 Message-Digest Algorithm,"
    RFC 1320, April 1992.
Security comments:
  • The lack of any salt, or method of slowing down the hash function, makes dictionary attacks much easier than necessary.
  • The fact that the same authenticator is always generated for a given passphrase is the cause of many security holes in Microsoft-designed protocols that use this hash. It should therefore only be used for backward compatibility with those protocols, if at all.

Asymmetric Ciphers

Where an asymmetric cipher requires an encoding method in order to be specified completely, the naming convention is "encryption-primitive/encryption-encoding".

Some existing JCE providers will accept the use of a block cipher mode and padding with an asymmetric cipher (e.g. "RSA/CBC/PKCS#7"); this is not recommended, and providers MUST now reject this usage. An encryption primitive name on its own (e.g. "RSA", as opposed to a complete encryption scheme such as "DL-DHAES(...)") SHOULD also be rejected.

See the Conventions for further explanation.

DL-DHAES(digestName,
cipherName,macName
[,cipherKeyLength[,macKeyLength]]) 		Asymmetric Cipher Construction
Designers:
Michel Abdalla, Mihir Bellare, Phillip Rogaway
Published:
August 1998, updated March 1999
Description:
This is the version of DHAES based on conventional Diffie-Hellman (i.e. over GF(p)). Public and private keys belong to the "DH" key family.

This algorithm is referred to as "DLES" in the DHAES paper; however that name has also been proposed for other algorithms, and could therefore cause ambiguity.

References:
Comment:
It is recommended that implementations make no practical restriction on the lengths of the key parameters. In particular, values of p (the prime modulus) up to at least 4096 bits should be supported.
Security comments:
  • DL-DHAES has been proven semantically secure and non-malleable, under the "Hash Diffie-Hellman Assumption" (that is, the assumption that the Diffie-Hellman Problem is hard when a hash function is used to derive keys from the shared secret), and that the MAC and symmetric cipher algorithms are secure. See the Abdalla/Bellare/Rogaway paper for details.
  • The keys used for this algorithm should be separate from those used for any other discrete-log-based algorithms (e.g. Elgamal encryption and signatures, Diffie-Hellman key exchange, etc.) This cannot be enforced by the algorithm implementation; it is usually achieved by associating an unambiguous specification of the algorithm with the public key when it is included in a certificate (or otherwise authenticated).

EC-DHAES(digestName,
cipherName,macName
[,cipherKeyLength[,macKeyLength]]) 		Asymmetric Cipher Construction
Designers:
Michel Abdalla, Mihir Bellare, Phillip Rogaway
Published:
August 1998, updated March 1999
Description:
This is the version of DHAES based on Diffie-Hellman over an elliptic curve. Public and private keys belong to the "ECDH" key family.

This algorithm is referred to as "ECES" in the DHAES paper; however that name has also been proposed for other algorithms, and could therefore cause ambiguity.

References:
Security comments:
  • EC-DHAES has been proven semantically secure and non-malleable, under the "Hash Elliptic Curve Diffie-Hellman Assumption" (that is, the assumption that the Elliptic Curve Diffie-Hellman Problem is hard when a hash function is used to derive keys from the shared secret), and that the MAC and symmetric cipher algorithms are secure. See the Abdalla/Bellare/Rogaway paper for details.
  • The keys used for this algorithm should be separate from those used for any other elliptic curve discrete-log-based algorithms (e.g. Elliptic Curve Diffie-Hellman key exchange, etc.) This cannot be enforced by the algorithm implementation; it is usually achieved by associating an unambiguous specification of the algorithm with the public key when it is included in a certificate (or otherwise authenticated).

ElgamalEnc Asymmetric Cipher
Designer:
Taher Elgamal
References:
  • [Def] Taher Elgamal,
    "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,"
    IEEE Transactions on Information Theory, v. IT-31, n. 4, 1985, pp. 469-472.
  • [Inf] Bruce Schneier,
    "Section 19.6 ElGamal,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  • [An] Y. Tsiounis, M. Yung,
    "On the security of ElGamal-based encryption,"
    1998 International Workshop on Practice and Theory in Public Key Cryptography (PKC '98), February 5-6, Yokohama, Japan.
    http://www.ccs.neu.edu/home/yiannis/papers/eg.ps
  • [An] Paul Kocher,
    "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,"
    http://www.cryptography.com/timingattack/paper.html
Comments:
  • Taher Elgamal currently spells his name, and the name of this algorithm with a lowercase 'g'.
  • The reason for choosing separate names "ElgamalEnc" and "ElgamalSig", for Elgamal encryption and signatures respectively, is that ElgamalEnc keys can use the "DH" key family, while ElgamalSig requires its own key family (because Elgamal signature keys have additional security constraints).
  • It is recommended that implementations make no practical restriction on the lengths of the key parameters p, g and x (in particular, values of p up to at least 4096 bits should be supported).

RSA Asymmetric Cipher
Designers:
Ron Rivest, Adi Shamir, Leonard Adleman
Aliases:
"RSAES", "1.2.840.113549.1.1.1", "2.5.8.1.1"
References:
  • [Def] Ron Rivest, Adi Shamir, Leonard Adleman,
    "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,"
    MIT Laboratory for Computer Science and Department of Mathematics.
    Communications of the ACM, February 1978, Volume 21, Number 2, pp. 120-126.
  • [Def] PKCS #1: RSA Encryption Standard,
    An RSA Laboratories Technical Note, Version 1.5. Revised November 1, 1993.
    ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
  • [Inf] Bruce Schneier,
    "Section 19.3 RSA,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  • [Patent] R. Rivest, A. Shamir, L.M. Adleman,
    "Cryptographic Communications System and Method,"
    U.S. Patent 4,405,829, 1983.
  • [An] Don Coppersmith, Matthew K. Franklin, Jacques Patarin, Michael K. Reiter,
    "Low-Exponent RSA with Related Messages,"
    Advances in Cryptology - EUROCRYPT '96 Proceedings, Volume 1070 of Lecture Notes in Computer Science (U. Maurer, ed.), pp. 1-9. Springer-Verlag, 1996.
    http://www.research.att.com/~franklin/pubs/low_rsa.ps
  • [An] Paul Kocher,
    "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,"
    http://www.cryptography.com/timingattack/paper.html
Comment:
It is recommended that implementations make no practical restriction on the lengths of the key parameters n and e (in particular, values of n up to at least 4096 bits should be supported).
Patent status:
RSA is patented in the United States and Canada (see references); the patent is licensed by RSA Data Security, Inc.

Asymmetric Cipher Encoding Methods

OAEP-MGF1(digestName) Asymmetric Cipher Encoding Method
Designers:
Mihir Bellare, Phillip Rogaway
Description:
Optimal Asymmetric Encryption Padding with Mask Generation Function 1, as specified in IEEE P1363.
Alias:
"EME-OAEP", "EME1"
References:
Parameters:
  • String digestName [creation, no default] - the name of the message digest that is to be used by the MGF1 mask generation function.
Parameters:
  • byte[] diversifier [write, default zero-length array] - a byte array containing a diversifier to be used by the OAEP encoding operation (this is set by calling setParameter on the Cipher object, since there is not necessarily any object explicitly representing the encoding method).
    The implementation may or may not copy the contents of arrays used to set this parameter. If any such array is subsequently changed, the output of the encoding method is undefined (it is therefore the responsibility of the caller to make sure that a reference to this array is not accessible to untrusted code). Setting this parameter will not reset the current key.

PKCS1-1.5 Asymmetric Cipher Encoding Method
Designers:
RSA Data Security, Inc.
Description:
Block type 02, described in section 8 of PKCS #1 v1.5.
Aliases:
"PKCS#1", "PKCS1Padding", "EME-PKCS1-v1_5"
References:
  • [Def] PKCS #1: RSA Encryption Standard,
    An RSA Laboratories Technical Note, Version 1.5. Revised November 1, 1993.
    ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
  • [Inf] Burt Kaliski, Jessica Staddon,
    PKCS #1: RSA Cryptography Specifications, Version 2.0
    Internet draft, July 1998.
  • [An] Daniel Bleichenbacher, Burt Kaliski, Jessica Staddon,
    RSA Laboratories Security Bulletin No. 7: Recent Results on PKCS #1: RSA Encryption Standard, June 26, 1998.
    ftp://ftp.rsa.com/pub/pdfs/bulletn7.pdf
  • [An] Daniel Bleichenbacher,
    "Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1,"
    Advances in Cryptology - Crypto '98 Proceedings, Volume 1462 of Lecture Notes in Computer Science (H. Krawczyk ed.), pp 1-12. Springer-Verlag, 1998.
    http://www.bell-labs.com/user/bleichen/papers/pkcs.ps
Comment:
Some existing implementations of PKCS #1 only support moduli that are a multiple of 8 bits in length. The standard in fact makes no such restriction, and SCAN requires that bit lengths that are not a multiple of 8 MUST be supported.
Security comment:
[[talk about Bleichenbacher's attack]]

Raw Asymmetric Cipher Encoding Method
Description:
A "null" encoding method, that passes its input directly to the underlying primitive. The block length is as large as necessary to ensure that all inputs to the public key primitive are possible (and no larger). This usually means that some block contents will not be valid; these will cause an IllegalArgumentException when the Cipher object's update or doFinal methods are called.
Security comment:
There are many attacks possible on public key encryption algorithms when this encoding method is used. It is intended only as a way to obtain access to a public key primitive (for those providers that support it), in order to implement encoding methods at the application rather than the provider level, or to maintain compatibility with legacy protocols.

Signature algorithms

The naming scheme described here is different from that described in Sun's documentation for the Java Cryptography Architecture. Several name formats have been used up to now for signature algorithms:

These names are now deprecated (but are still specified temporarily as aliases). The new preferred format is "signature-primitive/signature-encoding". For this format, the signature encoding will usually have a message digest name as a creation parameter, e.g. "RSA/PKCS1-1.5(SHA-1)".

See the Conventions for further explanation.

DSA[(outputFormat)] Signature
Description:
The Digital Signature Algorithm, as defined in the Digital Signature Standard (NIST FIPS PUB 186). (This algorithm is separated from the generalisation, "DSA-P1363", described below, in order to ensure that an implementation of DSA by a provider earlier in the priority list does not "mask" an implementation of DSA-P1363.)
Aliases:
  • "1.2.840.10040.4.3"
  • "SHA/DSA", "SHA-1/DSA", "SHA1withDSA", and "1.3.14.3.2.12" (all deprecated)
References:
Comment:
Some providers may implement a "RawDSA" algorithm, which takes a 20-byte input corresponding to the SHA-1 hash of the message to be signed. This is not formally defined as an algorithm name in this list; "DSA-P1363(DER)/Raw" is similar but not identical (since it uses a generalisation of DSA).
Security comments:
  • FIPS 186 specifies that:
    • the key parameter p may be between 512 and 1024 bits, in multiples of 64 bits;
    • the key parameter q must be 160 bits;
    • the encoding method must be that specified in the standard, using SHA-1 as the hash function.
    Values of p and q larger than 1024 and 160 bits respectively may be desirable for long term security, however implementations of this algorithm are not required to support such parameters. Applications that require a more general algorithm are encouraged to use "DSA-P1363" instead.
  • DSA should only be used with parameters that have been generated pseudo-randomly (as described in FIPS 186). If this is not the case, it may be possible for whoever generated the parameters to forge one or more signatures.
  • The abstract of the paper by Vaudenay cited above is:
    We explain how to forge public parameters for the Digital Signature Standard with two known messages which always produce the same set of valid signatures (what we call a collision). This attack is thwarted by using the generation algorithm suggested in the specifications of the Standard, so it proves one always need to check proper generation. We also present a similar attack when using this generation algorithm within a complexity 274, which is better than the birthday attack which seeks for collisions on the underlying hash function.

DSA-P1363[(outputFormat)][/encoding] Signature
Description:
A generalisation of the Digital Signature Algorithm, as defined in the IEEE P1363 standard. By default, the EMSA1 encoding method specified by IEEE P1363 is used, with the SHA-1 message digest algorithm.

If an encoding method is explicitly specified, it is used instead of the default (this requires that the order of the base in the DSA parameters, usually denoted q, is large enough to accomodate message representatives generated by this encoding method).

This algorithm also differs from the "DSA" algorithm, in having "P1363" as the default outputFormat. The "DER" output format should normally also be supported.

Alias:
"dsa-sha1" is an alias to "DSA-P1363/EMSA1(SHA-1)" (for SPKI support).
References:
Comment:
It is recommended that implementations make no practical restriction on the lengths of the key parameters p, q, g and x (in particular, values of p up to at least 4096 bits should be supported).
Security comments:
  • The security properties of DSA-P1363 when used with an encoding method other than the default have not been extensively studied.
  • DSA-P1363 should only be used with parameters that have been generated pseudo-randomly (as described in FIPS 186). If this is not the case, it may be possible for whoever generated the parameters to forge one or more signatures.
  • The abstract of the paper by Vaudenay cited above is:
    We explain how to forge public parameters for the Digital Signature Standard with two known messages which always produce the same set of valid signatures (what we call a collision). This attack is thwarted by using the generation algorithm suggested in the specifications of the Standard, so it proves one always need to check proper generation. We also present a similar attack when using this generation algorithm within a complexity 274, which is better than the birthday attack which seeks for collisions on the underlying hash function.
    These attacks apply to the default encoding method.

ECDSA[(outputFormat)][/encoding] Signature
Description:
A generalisation of the Elliptic Curve Digital Signature Algorithm, as defined in the IEEE P1363 standard. By default, the EMSA1 encoding method specified by IEEE P1363 is used, with the SHA-1 message digest algorithm.

If an encoding method is explicitly specified, it is used instead of the default (this requires that the order of the base point in the elliptic curve parameters, usually denoted n, is large enough to accomodate message representatives generated by this encoding method).

The default outputFormat is "P1363".

Alias:
"ecdsa-sha1" is an alias to "ECDSA(P1363)/EMSA1(SHA-1)" (for SPKI support).
"1.2.840.10045.4.1.4.1" is an alias to "ECDSA(DER)/EMSA1(SHA-1)".
References:
  • [Def] IEEE P1363 (draft), Standard for Public-Key Cryptography, 1998.
  • [Inf] X9.62-199x (draft), Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA).
  • [An] Paul Kocher,
    "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,"
    http://www.cryptography.com/timingattack/paper.html
Comment:
It is recommended that implementations make effectively no practical restriction on the lengths of the key parameters.
Security comment:
The security properties of ECDSA when used with an encoding method other than the default have not been extensively studied.
Patent status:
  • Certicom has patents pending on several techniques for efficient implementation of elliptic curve arithmetic (these mainly apply to hardware implementations using an Optimal Normal Basis).
  • Hewlett Packard has a patent pending on elliptic curve point compression [[is this only compression of x coordinates??]].
  • RSA Data Security, Inc. has a patent [[pending??]] on a technique for efficient conversion between polynomial and Optimal Normal Basis representations of elements of GF(2m).

ElgamalSig(outputFormat)/encoding Signature
Designer:
Taher Elgamal
Aliases:
  • "MD2/ElGamal" and "MD2/ElGamal/PKCS#1" are deprecated aliases to "ElgamalSig(OpenPGP)/PKCS1-1.5(MD2)".
  • "MD5/ElGamal" and "MD5/ElGamal/PKCS#1" are deprecated aliases to "ElgamalSig(OpenPGP)/PKCS1-1.5(MD5)".
  • "SHA/ElGamal", "SHA-1/ElGamal", "SHA/ElGamal/PKCS#1", and "SHA-1/ElGamal/PKCS#1" are deprecated aliases to "ElgamalSig(OpenPGP)/PKCS1-1.5(SHA-1)".
  • "RIPEMD160/ElGamal", "RIPEMD-160/ElGamal", "RIPEMD160/ElGamal/PKCS#1" and "RIPEMD-160/ElGamal/PKCS#1" are deprecated aliases to "ElgamalSig(OpenPGP)/PKCS1-1.5(RIPEMD-160)".
References:
  • [Def] Taher Elgamal,
    "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,"
    IEEE Transactions on Information Theory, v. IT-31, n. 4, 1985, pp. 469-472.
  • [Inf] Bruce Schneier,
    "Section 19.6 ElGamal,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  • [Inf] D. Bleichenbacher,
    "Generating ElGamal signatures without knowing the secret key,"
    Advances in Cryptology - EUROCRYPT '96 (corrected version), Volume 1070 of Lecture Notes in Computer Science, pp. 10-18. Springer Verlag, 1996.
    ftp://ftp.inf.ethz.ch/pub/publications/papers/ti/isc/ElGamal.ps
  • [An] Paul Kocher,
    "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,"
    http://www.cryptography.com/timingattack/paper.html
Comments:
  • Taher Elgamal currently spells his name, and the name of the Elgamal algorithm with a lowercase 'g'.
  • The reason for choosing separate names "ElgamalEnc" and "ElgamalSig", for Elgamal encryption and signatures respectively, is that ElgamalEnc keys can use the "DH" key family, while ElgamalSig requires its own key family (because Elgamal signature keys have additional security constraints).
  • It is recommended that implementations make no practical restriction on the lengths of the key parameters p, g and x (in particular, values of p up to at least 4096 bits SHOULD be supported).

RSA/encoding Signature
Designers:
Ron Rivest, Adi Shamir, Leonard Adleman
Aliases:
  • "RSASSA", "1.2.840.113549.1.1.1"
  • "rsa-pkcs1-sha1" is an alias to "RSA/PKCS1-1.5(SHA-1)" (for SPKI support).
  • "rsa-pkcs1-md5" is an alias to "RSA/PKCS1-1.5(MD5)" (for SPKI support).
  • "MD2/RSA", "MD2withRSA", and "MD2/RSA/PKCS#1" are deprecated aliases to "RSA/PKCS1-1.5(MD2)".
  • "MD5/RSA", "MD5withRSA", and "MD5/RSA/PKCS#1" are deprecated aliases to "RSA/PKCS1-1.5(MD5)".
  • "SHA/RSA", "SHA-1/RSA", "SHA1withRSA", "SHA/RSA/PKCS#1", and "SHA-1/RSA/PKCS#1" are deprecated aliases to "RSA/PKCS1-1.5(SHA-1)".
  • "RIPEMD160/RSA", "RIPEMD-160/RSA", "RIPEMD160withRSA", "RIPEMD160/RSA/PKCS#1" and "RIPEMD-160/RSA/PKCS#1" are deprecated aliases to "RSA/PKCS1-1.5(RIPEMD-160)".
References:
  • [Def] Ron Rivest, Adi Shamir, Leonard Adleman,
    "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,"
    MIT Laboratory for Computer Science and Department of Mathematics.
    Communications of the ACM, February 1978, Volume 21, Number 2, pp. 120-126.
  • [Def] PKCS #1: RSA Encryption Standard,
    An RSA Laboratories Technical Note, Version 1.5. Revised November 1, 1993.
    ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
  • [Inf] Bruce Schneier,
    "Section 19.3 RSA,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  • [Patent] R. Rivest, A. Shamir, L.M. Adleman,
    "Cryptographic Communications System and Method,"
    U.S. Patent 4,405,829, 1983.
  • [An] Paul Kocher,
    "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,"
    http://www.cryptography.com/timingattack/paper.html
Comment:
It is recommended that implementations make no practical restriction on the lengths of the key parameters n and e (in particular, values of n up to at least 4096 bits SHOULD be supported).
Patent status:
RSA is patented in the United States and Canada (see references); the patent is licensed by RSA Data Security, Inc.

RW/encoding Signature
Designers:
M.O. Rabin, Hugh Williams
Description:
The Rabin-Williams signature scheme, as defined in IEEE P1363.
Alias:
"Rabin-Williams"
References:
Comment:
It is recommended that implementations make no practical restriction on the lengths of the key parameters n and e (in particular, values of n up to at least 4096 bits should be supported).

Signature Encoding Methods

EMSA1(digestName) Signature Encoding Method
Description:
The encoding scheme described as "EMSA1" in the P1363 standard.
References:
  • [Def] IEEE P1363 (draft), Standard for Public-Key Cryptography, 1998.
Parameters:
  • String digestName [creation, no default] - the name of the message digest that is to be used to calculate the message representative. The only message digest algorithms for which this encoding method is defined are SHA-1 and RIPEMD-160.
Comment:
EMSA1(SHA-1) is compatible with the encoding used for DSA in FIPS 186, and for ECDSA in X9.62.
Security comment:
The message representatives output by this encoding method do not contain any specification of which message digest algorithm was used. Therefore, unless public keys are certified in such a way that each key is tied to use of only one digest algorithm, there is the risk of a collision between different algorithms (i.e. Hash1(X) == Hash2(Y) for distinct algorithms Hash1 and Hash2, and messages X and Y). To reduce the possibility of such collisions, implementations of this encoding MUST NOT support message digests other than SHA-1 and RIPEMD-160, and applications are strongly advised to use only SHA-1 for the digest, if they use this encoding method.

EMSA2(digestName) Signature Encoding Method
Description:
The encoding scheme described as "EMSA2" in the P1363 standard, based on ANSI-X9.31.
Alias:
"X9.31"
References:
  • [Def] IEEE P1363 (draft), Standard for Public-Key Cryptography, 1998.
  • [Inf] ANSI-X9.31 [need full reference]
Parameters:
  • String digestName [creation, no default] - the name of the message digest that is to be used to calculate the message representative. The only message digest algorithms for which this encoding method is defined are SHA-1 and RIPEMD-160.

PKCS1-1.5(digestName) Signature Encoding Method
Designers:
RSA Data Security, Inc.
Description:
Block type 01, described in section 10.1 of PKCS #1 v1.5.
Aliases:
"PKCS#1", "EMSA-PKCS1-v1_5"
References:
  • [Def] PKCS #1: RSA Encryption Standard,
    An RSA Laboratories Technical Note, Version 1.5. Revised November 1, 1993.
    ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
  • [Inf] Burt Kaliski, Jessica Staddon,
    PKCS #1: RSA Cryptography Specifications, Version 2.0
    Internet draft, July 1998.
Parameters:
  • String digestName [creation, no default] - the name of the message digest that is to be used to calculate the message representative. Only message digests for which an ASN.1 OBJECT IDENTIFIER has been defined, may be used.
Comment:
Some existing implementations of PKCS #1 only support moduli that are a multiple of 8 bits in length. The standard in fact makes no such restriction, and SCAN requires that bit lengths that are not a multiple of 8 MUST be supported.

PSS-MGF1(digestName[,wLen[,seedLen]]) Signature Encoding Method
Designers:
Mihir Bellare, Phillip Rogaway
Description:
The encoding described as "EMSA-PSS Encoding (with multiple-argument mask generation function)" in "PSS: Provably Secure Encoding Method for Digital Signatures".
Aliases:
"EMSA-PSS"
References:
  • [Def] Mihir Bellare, Phillip Rogaway,
    PSS: Provably Secure Encoding Method for Digital Signatures,
    Submission to IEEE P1363a, August 1998.
  • [Inf] Mihir Bellare, Phillip Rogaway,
    "The Exact Security of Digital Signatures: How to Sign with RSA and Rabin,"
    http://www-cse.ucsd.edu/users/mihir/papers/exactsigs.html
Parameters:
  • String digestName [creation, no default] - the name of the message digest that is to be used by the MGF1 mask generation function.
  • Integer wLen [creation, default equal to the digest length of the named message digest] - the length in bytes of the w value.
  • Integer seedLen [creation, default equal to wLen] - the length in bytes of the seed value.
  • byte[] diversifier [write, default zero-length array] - a byte array containing a diversifier to be used by the PSS encoding operation (this is set by calling setParameter on the Signature object, since there is not necessarily any object explicitly representing the encoding method).
    The implementation may or may not copy the contents of arrays used to set this parameter. If any such array is subsequently changed, the output of the encoding method is undefined (it is therefore the responsibility of the caller to make sure that a reference to this array is not accessible to untrusted code). Setting this parameter will not reset the current key.
Patent status:
The University of California has a patent pending on PSS. It has stated, in a letter to the IEEE, that:
If PSS is included in an IEEE standard, the University of California will, when that standard is adopted, FREELY license any conforming implementation of PSS as a technique for achieving a digital signature with appendix. No registration fee or other administrative procedure will be required.
Note that this is different to the licensing position for PSSR.

PSSR-MGF1(digestName[,wLen[,seedLen]]) Signature Encoding Method
Designers:
Mihir Bellare, Phillip Rogaway
Description:
The encoding described as "Encoding Method for Signatures with Message Recovery: EMSR-PSS" in "PSS: Provably Secure Encoding Method for Digital Signatures".
Aliases:
"EMSR-PSS"
References:
  • [Def] Mihir Bellare, Phillip Rogaway,
    PSS: Provably Secure Encoding Method for Digital Signatures,
    Submission to IEEE P1363a, August 1998.
  • [Inf] Mihir Bellare, Phillip Rogaway,
    "The Exact Security of Digital Signatures: How to Sign with RSA and Rabin,"
    http://www-cse.ucsd.edu/users/mihir/papers/exactsigs.html
Parameters:
  • String digestName [creation, no default] - the name of the message digest that is to be used by the MGF1 mask generation function.
  • Integer wLen [creation, default equal to the digest length of the named message digest] - the length in bytes of the w value.
  • Integer seedLen [creation, default equal to wLen] - the length in bytes of the seed value.
  • byte[] diversifier [write, default zero-length array] - a byte array containing a diversifier to be used by the PSSR encoding operation (this is set by calling setParameter on the Signature object, since there is not necessarily any object explicitly representing the encoding method).
    The implementation may or may not copy the contents of arrays used to set this parameter. If any such array is subsequently changed, the output of the encoding method is undefined (it is therefore the responsibility of the caller to make sure that a reference to this array is not accessible to untrusted code). Setting this parameter will not reset the current key.
Patent status:
The University of California has a patent pending on PSSR. It has stated, in a letter to the IEEE, that use of this technique will require a license to be acquired "under very reasonable terms and conditions". Note that this is different to the licensing position for PSS.

Raw Signature Encoding Method
Description:
A "null" encoding method, that passes its input directly to the underlying primitive. The block length is as large as necessary to ensure that all inputs to the public key primitive are possible (and no larger). This usually means that some block contents will not be valid; these will cause the signature to be rejected when the Signature object's verify method is called, or an IllegalArgumentException to be thrown when the sign method is called.
Security comment:
There are many attacks possible on public key signature algorithms when this encoding method is used. It is intended only as a way to obtain access to a public key primitive (for those providers that support it), in order to implement encoding methods at the application rather than the provider level, or to maintain compatibility with legacy protocols.

Signature Output Formats

P1363 Signature Output Format
Description:
Where there are several possible output formats for a signature algorithm, this name indicates that the alternative consistent with P1363 annex E must be used.

The convention used by P1363 for formatting more than one arbitrary-length integer, is to concatenate their big-endian unsigned representations. Each integer is padded on the left with zeroes, to the length defined by the algorithm parameters (for example if an integer is in the range 0..n-1, the result will have the same number of bytes as is needed to represent n). The signature algorithm is assumed to specify a canonical order for the integers.

To parse this format, the receiver must split it into blocks of the correct lengths (usually equal), one for each integer. If this cannot be done, the signature MUST be treated as invalid.

DER Signature Output Format
Description:
Where there are several possible output formats for a signature algorithm, this name indicates that the DER-encoded alternative must be used.

The type used to DER-encode more than one arbitrary-length integer, is SEQUENCE { INTEGER a, INTEGER b, ... }. The signature algorithm is assumed to specify a canonical order for the integers.

To parse this format, the receiver must always interpret it as DER, not BER. If the signature is not a DER encoding of the correct type, it MUST be treated as invalid.

OpenPGP Signature Output Format
Description:
Where there are several possible output formats for a signature algorithm, this name indicates that the alternative specified by OpenPGP must be used.

The convention used by OpenPGP for formatting more than one arbitrary-length integer, is to encode each integer as a two-byte big-endian length field indicating the number of following bytes, followed by the bytes of the integer in big-endian order, with no leading zeroes (however, the zero integer is encoded as <00 01 00>, not <00 00>). The signature algorithm is assumed to specify a canonical order for the integers.

When parsing this format, if the length fields are inconsistent with the total length of the signature, it MUST be treated as invalid.

References:
  • [Def] Jon Callas, Lutz Donnerhacke, Hal Finney, Rodney Thayer
    "OpenPGP Message Format,"
    RFC 2440, November 1998.

KeyAgreement algorithms

 [TODO: DH, ECDH, STS, SRP-3, MQV, etc.]

DH KeyAgreement
Description:
[[need more detail]]
References:
  • [Inf] Whitfield Diffie et al,
    "New Directions in Cryptography,"
    IEEE Transactions on Information Theory, Vol. IT-22, No. 6, pp. 644-654. November 1976.
  • [Inf] Whitfield Diffie et al,
    "Multiuser Cryptographic Techniques,"
    AFIPS Conference Proceedings, Vol. 45, pp. 109-112. June 8, 1976.
  • [Patent] M. E. Hellman, R. C. Merkle,
    "Public Key Cryptographic Apparatus and Method,"
    U.S. Patent 4,218,582, 1980.
  • [An] Paul Kocher,
    "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,"
    http://www.cryptography.com/timingattack/paper.html
Patent status:
The patent referenced above, although it only directly describes knapsack-based cryptosystems, was claimed to cover all public key cryptography. It expired in 1997.

KeyPairGenerators

 [TODO: ECDH, ECDSA, RSA, RW]

DH KeyPairGenerator
Description:
[[need more detail]]
References:
  • [Inf] Whitfield Diffie et al,
    "New Directions in Cryptography,"
    IEEE Transactions on Information Theory, vol. IT-22, No. 6, pp. 644-654. November 1976.
PublicKey parameters:
  • BigInteger p [read] - the prime modulus, p
  • BigInteger g [read] - the base, g
  • BigInteger y [read] - the public value, gx mod p
PrivateKey parameters:
  • BigInteger p [read] - the prime, p
  • BigInteger g [read] - the base, g
  • BigInteger x [read] - the private value, x
  • BigInteger y [read] - the public value, gx mod p

DSA KeyPairGenerator
Description:
The key pair generation algorithm described in NIST FIPS PUB 186 for DSA.
Alias:
"1.2.840.10040.4.3"
Length:
The length, in bits, of the modulus p. This can be any integer that is a multiple of 8, greater than or equal to 512.
References:
PublicKey parameters:
  • BigInteger p [read] - the prime modulus, p
  • BigInteger q [read] - a prime factor of p-1, q
  • BigInteger g [read] - h(p-1)/q mod p, where h is less than p-1 and g > 1
  • BigInteger y [read] - gx mod p
PrivateKey parameters:
  • BigInteger p [read] - the prime, p
  • BigInteger q [read] - a prime factor of p-1, q
  • BigInteger g [read] - h(p-1)/q mod p, where h is less than p-1 and g > 1
  • BigInteger x [read] - the private value, < q
  • BigInteger y [read] - gx mod p
Parameter defaults:
The following default parameter values are used for lengths of 512, 768, and 1024 bits.

Modulus Seed Counter
512 bits b869c82b 35d70e1b 1ff91b28 e37a62ec dc34409b 123
768 bits 77d0f8c4 dad15eb8 c4f2f8d6 726cefd9 6d5bb399 263
1024 bits 8d515589 4229d5e6 89ee01e6 018a237e 2cae64cd 92

RSA KeyPairGenerator
Aliases:
"1.2.840.113549.1.1.1", "2.5.8.1.1"
References:
  • [Inf] PKCS #1: RSA Encryption Standard,
    An RSA Laboratories Technical Note, Version 1.5. Revised November 1, 1993.
    ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
  • [Inf] Bruce Schneier,
    "Section 19.3 RSA,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
PublicKey parameters:
  • BigInteger modulus [read] - the modulus, n
  • BigInteger publicExponent [read] - the public exponent, e
PrivateKey parameters:
Either, or both, of the following two sets of parameters:
  • BigInteger modulus [read] - the modulus, n
  • BigInteger privateExponent [read] - the private exponent, d
and
  • BigInteger primeP [read] - one of the prime factors of the modulus, p
  • BigInteger primeQ [read] - the other prime factor of the modulus, q
  • BigInteger primeExponentP [read] - d mod (p-1)
  • BigInteger primeExponentQ [read] - d mod (q-1)
  • BigInteger crtCoefficient [read] - q-1 mod p

It does not matter which of p and q is larger.

KeyFactory algorithms

 [TODO: DH/ASN.1, DSA/ASN.1, RW/ASN.1, DH/OpenPGP, DSA/OpenPGP, RSA/OpenPGP]

Generic/ASN.1(transferFormat) KeyFactory
Description:
For public keys, this KeyFactory uses the format of a BER or DER-encoded SubjectPublicKeyInfo object, as defined in X.509 and RFC 1422 (and also given in PKCS #6 appendix A.1): 
   SubjectPublicKeyInfo ::= SEQUENCE {
       algorithm AlgorithmIdentifier,
       subjectPublicKey BIT STRING
   }

   AlgorithmIdentifier ::= SEQUENCE {
       algorithm OBJECT IDENTIFIER,
       parameters ANY DEFINED BY algorithm OPTIONAL
   }
The BIT STRING for 'subjectPublicKey' is generally a BER or DER encoding of some algorithm-dependent type (e.g. RSAPublicKey for RSA), which is converted to a bit string in the obvious way (i.e. the most significant bit of the first octet becomes the first bit of the string, etc.)

For private keys, the format is that of a BER or DER-encoded PrivateKeyInfo object, as defined in PKCS #8 (section 6): 

   PrivateKeyInfo ::= SEQUENCE {
       version Version,
       privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
       privateKey PrivateKey,
       attributes [0] IMPLICIT Attributes OPTIONAL
   }

   Version ::= INTEGER

   PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier

   AlgorithmIdentifier ::= SEQUENCE {
       algorithm OBJECT IDENTIFIER,
       parameters ANY DEFINED BY algorithm OPTIONAL
   }

   PrivateKey ::= OCTET STRING

   Attributes ::= SET OF Attribute
The OCTET STRING for 'privateKey' is generally a BER or DER encoding of some algorithm-dependent type (e.g. RSAPrivateKey for RSA). 'version' is 0 for the current version of PKCS #8 (although for forward compatibility, other values MUST be accepted on input). The 'attributes' field is intended for information that would not be considered part of a private key according to the SCAN conventions, and therefore it SHOULD be ignored on input, and omitted on output.

This format is not algorithm-specific, since the 'algorithm' field of AlgorithmIdentifier specifies the key family, and therefore keys from different families (e.g. RSA, DSA, etc.) can be unambiguously distinguished.

Generic/ASN.1 should normally be implemented by expressing the algorithm OID as a dot-separated string, then looking up an algorithm-specific KeyFactory based on that string, e.g. "1.2.3.4" if the OID is { 1 2 3 4 }. This allows new public key algorithms to be added without having to change existing classes.

This factory follows the conventions for encoding of keys in ASN.1 described here.

References:
  • [Def] S. T. Kent, J. Linn,
    "Privacy enhancement for Internet electronic mail: Part II: Certificate-based key management,"
    RFC 1422, February 1993.
  • [Def] PKCS #6: Extended-Certificate Syntax Standard,
    An RSA Laboratories Technical Note, Version 1.5. Revised November 1, 1993.
    ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-6.asc
  • [Def] PKCS #8: Private-Key Information Syntax Standard,
    An RSA Laboratories Technical Note, Version 1.2. Revised November 1, 1993.
    ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-8.asc
  • [Inf] ITU-T Recommendation X.690 (1994), Information Technology - ASN.1 Encoding Rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) (equivalent to ISO/IEC 8825-1: 1995).
  • [Inf] "Multipurpose Internet Mail Extensions (MIME) Part One, Format of Internet Message Bodies,"
    RFC 2045 Section 6.8 - Base64 Content-Transfer-Encoding.
    http://www.imc.org/rfc2045
Parameters:
  • String transferFormat [creation/read, default "binary"] - one of the following:
    • "binary" indicates that the standard BER binary format is used.
    • "base64" indicates that the encoding is an ASCII representation of the BER data after being converted to base64 format (as specified in RFC 2045), with the header line "-----BEGIN PUBLIC KEY-----", and the trailer line "-----END PUBLIC KEY-----". On output, each line MUST end with CR LF, and there MUST be no more than 72 ASCII characters per line, with no whitespace. On input, whitespace and non-standard line endings MUST be ignored.

ECDSA/ASN.1 KeyFactory
Description:
A KeyFactory for BER or DER-encoded ECDSA public and private keys. ECDSA is defined in X9.62. The current X9.62 draft does not define specific types for keys; however it states that a public key is represented using the ECPoint type. There is no agreed type for private keys; this algorithm name is reserved for whatever is eventually specified.

ECDSA public keys may have either 'implicit' or 'explicit' parameters. If the parameters field of the algorithm identifier is NULL, the parameters will be implicit; otherwise this field is of type ECParameters (defined below), and specifies the explicit parameters.

A key with implicit parameters can only be used if an appropriate AlgorithmParameterSpec object is passed into the Signature object's setParameter method.

The ASN.1 types used in ECDSA keys are: 

   ECParameters ::= SEQUENCE {
       version INTEGER { ecpVer1(1) } (ecpVer1),
           -- version is always 1
       fieldID FieldID { {FieldTypes} },
           -- the finite field over which the curve is defined
       curve Curve,
           -- coefficients a and b of the elliptic curve
       base ECPoint,
           -- the base point P on the elliptic curve
       order INTEGER,
           -- the order n of the base point
       cofactor INTEGER,
           -- #E(Fq)/n (used only in parameter validation)
       ...
   }

   FieldElement ::= OCTET STRING

   Curve ::= SEQUENCE {
       a FieldElement,
       b FieldElement,
       seed BIT STRING OPTIONAL
   }

   ECPoint ::= OCTET STRING

   FieldID { FIELD-ID:IOSet } ::= SEQUENCE {
       fieldType FIELD-ID.&id({IOSet}),
       parameters FIELD-ID.&Type({IOSet}{@fieldType}) OPTIONAL
   }

   FieldTypes FIELD-ID ::= {
       { Prime-p IDENTIFIED BY prime-field } |
       { Characteristic-two
                 IDENTIFIED BY characteristic-two-field },
       ...
   }

   FIELD-ID ::= TYPE-IDENTIFIER

This factory follows the conventions for encoding of keys in ASN.1 described here.

Aliases:
"1.2.840.10045.2.1"
References:
  • [Def] X9.62-199x (draft), Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA).
  • [Inf] Internet X.509 Public Key Infrastructure: Representation of Elliptic Curve Digital Signature Algorithm (ECDSA) Keys and Signatures in Internet X.509 Public Key Infrastructure Certificates, November 1997 Internet draft.
    http://www.pca.dfn.de/eng/team/ske/drafts/draft-ietf-pkix-ipki-ecdsa-00.txt
Patent status:
  • Certicom has patents pending on several techniques for efficient implementation of elliptic curve arithmetic.
  • Hewlett Packard has a patent pending on elliptic curve point compression [[is this only compression of x coordinates??]].

RSA/ASN.1 KeyFactory
Description:
A KeyFactory for BER or DER-encoded RSA public and private keys, as defined in X.509 and PKCS #1: 
   RSAPublicKey ::= SEQUENCE {
       modulus INTEGER, -- n
       publicExponent INTEGER -- e
   }

   RSAPrivateKey ::= SEQUENCE {
       version Version,
       modulus INTEGER, -- n
       publicExponent INTEGER, -- e
       privateExponent INTEGER, -- d
       prime1 INTEGER, -- p
       prime2 INTEGER, -- q
       exponent1 INTEGER, -- d mod (p-1)
       exponent2 INTEGER, -- d mod (q-1)
       coefficient INTEGER -- (inverse of q) mod p
   }

   Version ::= INTEGER
The 'version' field in private keys is 0 for the current version of PKCS #1 (although for forward compatibility, other values MUST be accepted on input).

This factory follows the conventions for encoding of keys in ASN.1 described here.

Aliases:
"1.2.840.113549.1.1.1", "2.5.8.1.1"
References:
  • [Def] PKCS #1: RSA Encryption Standard,
    An RSA Laboratories Technical Note, Version 1.5. Revised November 1, 1993.
    ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
  • [Inf] Bruce Schneier,
    "Section 19.3 RSA,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.

DH/OpenPGP KeyFactory
Alias:
"Elgamal/OpenPGP"
Description:
A KeyFactory for OpenPGP-encoded DH public and private keys, as defined in RFC 2440. Version 4 key packets MUST be supported.

A version 4 packet contains:

  • A one-octet version number (4).
  • A four-octet number denoting the time that the key was created (unsigned number of seconds elapsed since midnight, 1 January 1970 UTC).
  • A one-octet number denoting the public key algorithm of this key (16 = Elgamal encrypt only, 20 = Elgamal encrypt or sign).
  • A series of multi-precision integers comprising the key material. This algorithm-specific portion is:
    • MPI of Elgamal prime p;
    • MPI of Elgamal group generator g;
    • MPI of Elgamal public key value y (= gx where x is secret).

Implementations MAY ignore fields that are not considered part of a public key according to SCAN conventions (for example, the creation time). The version number and public key algorithm fields SHOULD be checked for correctness.

References:
  • [Def] Jon Callas, Lutz Donnerhacke, Hal Finney, Rodney Thayer
    "OpenPGP Message Format,"
    RFC 2440, November 1998.

DSA/OpenPGP KeyFactory
Description:
A KeyFactory for OpenPGP-encoded DSA public and private keys, as defined in RFC 2440. Version 4 key packets MUST be supported.

A version 4 packet contains:

  • A one-octet version number (4).
  • A four-octet number denoting the time that the key was created (unsigned number of seconds elapsed since midnight, 1 January 1970 UTC).
  • A one-octet number denoting the public key algorithm of this key (17 = DSA).
  • A series of multi-precision integers comprising the key material. This algorithm-specific portion is:
    • MPI of DSA prime p;
    • MPI of DSA group order q (q is a prime divisor of p-1);
    • MPI of DSA public key value y (= gx where x is secret).

Implementations MAY ignore fields that are not considered part of a public key according to SCAN conventions (for example, the creation time). The version number and public key algorithm fields SHOULD be checked for correctness.

References:
  • [Def] Jon Callas, Lutz Donnerhacke, Hal Finney, Rodney Thayer
    "OpenPGP Message Format,"
    RFC 2440, November 1998.

RSA/OpenPGP KeyFactory
Description:
A KeyFactory for OpenPGP-encoded RSA public or private keys, as defined in RFC 2440. Version 4 key packets MUST be supported; version 3 packets MAY be supported.

A version 3 packet contains:

  • A one-octet version number (3).
  • A four-octet number denoting the time that the key was created (unsigned number of seconds elapsed since midnight, 1 January 1970 UTC).
  • A two-octet number denoting the time in days that this key is valid. If this number is zero, then it does not expire.
  • A one-octet number denoting the public key algorithm of this key (1 = RSA encrypt or sign, 2 = RSA encrypt only, 3 = RSA sign only).
  • A series of multi-precision integers comprising the key material:
    • MPI of RSA public modulus n;
    • MPI of RSA public encryption exponent e.
  • For private keys only:
    • One octet indicating string-to-key usage conventions. 0 indicates that the secret key data is not encrypted. 255 indicates that a string-to-key specifier is being given. Any other value is a symmetric-key encryption algorithm specifier.
    • [Optional] If string-to-key usage octet was 255, a one-octet symmetric encryption algorithm.
    • [Optional] If string-to-key usage octet was 255, a string-to-key specifier. The length of the string-to-key specifier is implied by its type, as described above.
    • [Optional] If secret data is encrypted, an eight-octet Initialisation Vector (IV).
    • Encrypted multi-precision integers comprising the secret key data. These algorithm-specific fields are:
      • MPI of RSA secret exponent d.
      • MPI of RSA secret prime value p.
      • MPI of RSA secret prime value q (p < q).
      • MPI of u, the multiplicative inverse of p, mod q.
    • Two-octet checksum of the plaintext of the algorithm-specific portion (sum of all octets, mod 65536, stored in the clear).

    Encryption/decryption of the secret data is done in CFB mode using the key created from the passphrase and the Initialisation Vector from the packet. A different mode is used with V3 keys (which are only RSA) than with other key formats. With V3 keys, the MPI bit count prefix (i.e., the first two octets) is not encrypted. Only the MPI non-prefix data is encrypted. Furthermore, the CFB state is resynchronized at the beginning of each new MPI value, so that the CFB block boundary is aligned with the start of the MPI data.

V3 keys SHOULD only be used for backward compatibility because of various weaknesses (see security comments).

A version 4 packet contains:

  • A one-octet version number (4).
  • A four-octet number denoting the time that the key was created (unsigned number of seconds elapsed since midnight, 1 January 1970 UTC).
  • A one-octet number denoting the public key algorithm of this key.
  • A series of multi-precision integers comprising the key material. This algorithm-specific portion is:
    • MPI of RSA public modulus n;
    • MPI of RSA public encryption exponent e.
  • For private keys only:
    • One octet indicating string-to-key usage conventions. 0 indicates that the secret key data is not encrypted. 255 indicates that a string-to-key specifier is being given. Any other value is a symmetric-key encryption algorithm specifier.
    • [Optional] If string-to-key usage octet was 255, a one-octet symmetric encryption algorithm.
    • [Optional] If string-to-key usage octet was 255, a string-to-key specifier. The length of the string-to-key specifier is implied by its type, as described above.
    • [Optional] If secret data is encrypted, an eight-octet Initialisation Vector (IV).
    • Encrypted multi-precision integers comprising the secret key data. These algorithm-specific fields are:
      • MPI of RSA secret exponent d.
      • MPI of RSA secret prime value p.
      • MPI of RSA secret prime value q (p < q).
      • MPI of u, the multiplicative inverse of p, mod q.
    • Encrypted two-octet checksum of the plaintext of the algorithm-specific portion (sum of all octets, mod 65536).

Implementations MAY ignore fields that are not considered part of a public key according to SCAN conventions (for example, the creation time, and for V3 keys the validity period). The version number and public key algorithm fields SHOULD be checked for correctness.

References:
  • [Def] Jon Callas, Lutz Donnerhacke, Hal Finney, Rodney Thayer
    "OpenPGP Message Format,"
    RFC 2440, November 1998.
  • [Inf] PKCS #1: RSA Encryption Standard,
    An RSA Laboratories Technical Note, Version 1.5. Revised November 1, 1993.
    ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
  • [Inf] Bruce Schneier,
    "Section 19.3 RSA,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
Security comments:
V3 keys SHOULD only be used for backward compatibility because of three weaknesses in them. First, it is relatively easy to construct a V3 key that has the same key ID as any other key because the key ID is simply the low 64 bits of the public modulus. Secondly, because the fingerprint of a V3 key hashes the key material, but not its length, which increases the opportunity for fingerprint collisions. Third, there are minor weaknesses in the MD5 hash algorithm that make developers prefer other algorithms.

AlgorithmParameterGenerators

 [TODO: BBS, DH, DSA, ECDSA]

AlgorithmParameters

 [TODO: AlgorithmInfo, ParameterInfo, DH/ASN.1, DSA/ASN.1, ECDSA/ASN.1]

ECDSA/ASN.1 AlgorithmParameters
Description:
The format of a BER or DER-encoded ECParameters object, as defined in X9.62.
Aliases:
"ECParameters", "1.2.840.10045.2.1"
References:
  • [Def] X9.62-199x (draft), Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA).
Patent status:
  • Certicom has patents pending on several techniques for efficient implementation of elliptic curve arithmetic.
  • Hewlett Packard has a patent pending on elliptic curve point compression [[is this only compression of x coordinates??]].

RSA/* AlgorithmParameters
Description:
This is a "dummy" parameter format, since RSA keys do not require any cryptographic parameters. However, the parameter object may include a specification of which algorithms the key can be used with (i.e. the RSA signature algorithm, and/or the RSA encryption algorithm).

'*' means that any format specifier may be given.

RW/* AlgorithmParameters
Description:
This is a "dummy" parameter format, since RW keys do not require any cryptographic parameters. However, the parameter object may include a specification of which algorithms the key can be used with (currently, only the RW signature algorithm has a standard name).

'*' means that any format specifier may be given.

SecureRandom algorithms

 In addition to the names and aliases given below, each provider may choose to define a default algorithm, for general-purpose use. The class to be used for this algorithm is declared using a provider property with the key "SecureRandom" (i.e. with no algorithm name).

Although there is no way to enforce this constraint, choices for default SecureRandom algorithms should be believed to be at least as conservative as "SHA1PRNG", which was the default algorithm in JDK 1.1. new SecureRandom() will return the first default SecureRandom found by searching providers in preference order.

SHA1PRNG SecureRandom
Description:
This is the algorithm that was implemented by the SecureRandom class in JDK 1.1. It is similar (but not identical) to the random number generator suggested in Annex D of the P1363 standard. [[need full description]]
References:
  • [Inf] IEEE P1363 (draft), Standard for Public-Key Cryptography, 1998.

BBS SecureRandom
Designers:
L. Blum, Manuel Blum, M. Shub
Alias:
"Blum-Blum-Shub"
Description:
[[need to say how to derive x, and how updating of the seed is handled]]
References:
  • [Def] L. Blum, M. Blum, M. Shub,
    "A Simple Unpredictable Pseudo-Random Number Generator,"
    SIAM Journal on Computing, vol. 15 no. 2, 1996, pp. 364-383.
  • [Inf] Bruce Schneier,
    "Section 17.9 Complexity-Theoretic Approach to Stream-Cipher Design,"
    Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  • [Inf] A. Menezes, P.C. van Oorschot, S.A. Vanstone,
    "Section 5.5.2 Blum-Blum-Shub pseudorandom bit generator,"
    Handbook of Applied Cryptography, CRC Press, 1997.
Parameters:
  • BigInteger n [write once, no default] - a Blum integer (the product of two primes, both congruent to 3 mod 4).
Security comment:
The security of this PRNG depends on the complexity of factoring the parameter n.

Trademarks

Cryptix is a trademark of Systemics Ltd.

Java is a registered trademark of Sun Microsystems, Inc.

DESX, RC2, RC4, RC5, RC6, MD2, MD4, and MD5 are registered trademarks of RSA Data Security, Inc., and/or Security Dynamics Technologies, Inc.

CAST5 and CAST-128 [[and CAST-256?]] are registered trademarks of Entrust Technologies, Inc.

"Diamond2 Block Cipher" is a trademark of Michael Paul Johnson.

IDEA is a registered trademark of Ascom Systec Ltd.

Other brand, product, and algorithm names may be trademarks or registered trademarks of their respective holders.

Author: David Hopwood <hopwood@zetnet.co.uk>
Current maintainer: David Hopwood <hopwood@zetnet.co.uk>

Copyright © 1997-1999 Systemics Ltd
on behalf of the Cryptix Development Team.
All rights reserved.
Cryptix is a trademark of Systemics Ltd.