Loading...

PPT – The Advanced Encryption Standard (Rijndael) PowerPoint presentation | free to download - id: 6ceef5-MTBkM

The Adobe Flash plugin is needed to view this content

The Advanced Encryption Standard (Rijndael)

AES Why a new Standard?

- Old standard insecure against brute-force attacks
- Straightforward fixes lead to inefficientTriple

DES - implementations
- New trends in fast software encryption
- use of basic instructions of the microprocessor
- New ways of assessing cipher strength
- differential cryptanalysis
- linear cryptanalysis

AES Why a Contest?

- Speed-up the acceptance of the standard
- Small number of specialists in the open research
- Focus the effort of cryptographic community
- Stimulate the research on methods of constructing
- secure ciphers
- Avoid backdoor theories

AES General Form

AES Rules of the Game

- Each team submits
- Detailed cipher description
- Justification of design decisions
- Tentative results of cryptanalysis
- Source code in C
- Source code in Java
- Test vectors

AES Candidates

- Round 1, June 1998
- 15 Candidates
- from USA, Canada, Belgium, France, Germany,

Norway, UK, Isreal, Korea, Japan, Australia,

Costa Rica. - Security, Software efficiency
- Round 2, August 1999
- 5 final candidates
- Mars, RC6, Rijndael, Serpent, Twofish
- Security, Hardware efficiency
- October 2000
- 1 winner Rijndael
- Belgium

AES Candidates

- USA Mars, RC6, Twofish, Safer, HPC
- Canada CAST-256, Deal
- Costa Rica Frog
- Australia LOKI97
- Japan E2
- Korea Crypton
- Belgium Rijndael
- France DFC
- Germany Magenta
- Israel, GB, Norway Serpent
- America (8) Europe (4) Asia (2)
- Australia (1)

AES Candidates

- Survey filled by 104 participants of the
- Second AES Conference in Rome, March 1999
- Middle-of-the-Road
- 7. CAST-256 -2
- 8. Safer -4
- 9. DFC -5
- Mild NO
- 10. Crypton -15
- Overwhelming NO
- 11. DEAL -70
- 12. HPC -77
- 13. Magenta -83
- 14. Loki97 -85
- 15. Frog -85

AES Candidates

- Survey filled by 104 participants of the
- Second AES Conference in Rome, March 1999
- Overwhelming YES
- 1. Rijndael 76
- 2. RC6 73
- 3. Twofish 61
- 4. Mars 52
- 5. Serpent 45
- Mild YES
- 6. E2 14

AES Final 5

- USA
- Mars - IBM
- C. Burwick, D. Coppersmith, E. DAvignon,
- R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas,
- L. OConnor, M. Peyravian, D. Safford,
- N. Zunic
- RC6 - RSA Data Security, Inc.
- R. Rivest - MIT
- M. Robshaw, R. Sidney, Y. L. Yin - RSA
- Twofish - Counterpane Systems
- B. Schneier, J. Kelsey, C. Hall, N. Ferguson
- - Counterpane, D.Whiting - Hi/fn,
- D. Wagner - Berkeley

AES Final 5

- Europe
- Rijndael - J. Daemen, V. Rijmen
- Katholieke Universiteit Leuven
- Belgium
- Serpent - R. Anderson, Cambridge, England
- E. Biham - Technion, Israel
- L. Knudsen, University of Bergen, Norway
- AES Finalists (2)

RC6The elegant AES choice

- Ron Rivest rivest_at_mit.edu
- Matt Robshaw mrobshaw_at_supanet.com
- Yiqun Lisa Yin yiqun_at_nttmcl.com

RC6 is the right AES choice

- Security
- Performance
- Ease of implementation
- Simplicity
- Flexibility

RC6 is simple only 12 lines

- B B S 0 D D S 1 for i 1

to 20 do t ( B x ( 2B 1

) ) ltltlt 5 u ( D x ( 2D 1 ) )

ltltlt 5 A ( ( A ? t ) ltltlt u ) S

2i C ( ( C ? u ) ltltlt t ) S

2i 1 (A, B, C, D) (B, C, D, A)

A A S 42 C C S 43

Simplicity

- Facilitates and encourages analysis
- allows rapid understanding of security
- makes direct analysis straightforward (contrast

with Mars and Twofish) - Enables easy implementation
- allows compilers to produce high-quality code
- obviates complicated optimizations
- provides good performance with minimal effort

RC6 key schedule is rock-solid

- Studied for more than six years
- Secure
- thorough mixing
- one-way function
- no key separation (cf. Twofish)
- no related-key attacks (cf. Rijndael)

Original analysis still accurate

- RC6 meets original design criteria
- Security estimates from 1998 still good today

independent analyses supportive. - Secure, even in theory, even with analysis

improvements far beyond those seen for DES during

its lifetime - RC6 provides a solid, well-tuned margin for

security

How do we grade candidates?

- Security (corroborated)
- Performance (speedmemory)
- 32-bit (30)
- Java (20)
- DSP (15)
- 64-bit (15)
- Hardware (15)
- 8-bit (5)
- Ease of implementation
- Simplicity
- Flexibility
- Overall 40/25/15/10/10

Conclusions

- RC6 is a simple yet remarkably strong cipher
- good performance on most important platforms
- simple to code for good performance
- excellent flexibility
- the most studied finalist
- the best understood finalist
- RC6 is the secure and elegant choice for the AES

(The End)

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Performance Evaluation

AES Summary of Final-5 Evaluation

- Serpent 2
- Pluses
- large security margin
- cryptanalytical reputation of authors
- conservative construction
- very fast in hardware
- Minuses
- slow in software
- moderate flexibility

AES Summary of Final-5 Evaluation

- Rijndael 1
- Pluses
- fastest in hardware
- close to the fastest in software
- security margin
- novel ideas
- very high flexibility
- Minuses
- security margin

AES Summary of Final-5 Evaluation

- Twofish
- Pluses
- good security margin
- fast encryption/decryption in software
- US
- strongly advertized
- Minuses
- moderately fast in hardware
- slow key setup in software
- moderate flexibility

Rijndael OverView

- Designed by Joan Daemen and Vincent Rijmen (from

Leuven Belgium) - Based upon the Square Cipher
- 3 Design Goals
- Resistance against known attacks
- Speed and code compactness on a variety of

platforms - Design simplicity

Rijndael OverView

- Rijndael/AES Designed by Joan Daemen,

Proton World International Vincent

Rijmen, Katholique Universiteit LuevenBlock

cypherSymmetric keyArithmetic based in the

Galois Field GF(28)Fast and scalableResistant

to all known cryptanalysis attacks

Dr. Vincent Rijmen

Rijndael

- The block cipher Rijndael is designed to use only

simple whole-byte operations. Also, it provides

extra flexibility over that required of an AES

candidate, in that both the key size and the

block size may be chosen to be any of 128, 192,

or 256 bits.

Rijndael OverView

- Rijndael is not a Feistel cipher
- 3 distinct invertible layers per round
- Encryption and decryption algorithms are

different - Rijndael uses the Wide Trail Strategy
- Non-linear layer (confusion)
- Linear mixing layer (diffusion)
- Key addition layer

Rijndael OverView

- State and Round Key representations
- The State is the intermediate cipher result
- Both the State and the Round Key are interpreted

as rectangular arrays of bytes - Number of columns in the State and Round Key

arrays depend on block and key sizes,

respectively

Rijndael OverView

- Rijndael is a block cipher that encrypts and

decrypts 128, 192, and 256 bit blocks, using 128,

192, and 256 byte keys in any combination. The

block is considered to be structured as 4, 6, or

8 columns of 4 bytes, depending on block size.

Rijndael

- During an early stage of the AES process, a draft

version of the requirements would have required

each algorithm to have three versions, with both

the key and block sizes equal to each of 128,

192, and 256 bits. This was later changed to make

the three required versions have those three key

sizes, but only a block size of 128 bits, which

is more easily accommodated by many types of

block cipher design.

Rijndael

- The original description of Rijndael is available

at http//www.esat.kuleuven.ac.be/rijmen/rijndae

l/. - However, the variations of Rijndael which act on

larger block sizes apparently will not be

included in the actual standard, on the basis

that the cryptanalytic study of Rijndael during

the standards process primarily focused on the

version with the 128-bit block size. - Rijndael is a relatively simple cipher in many

respects.

Rijndael Number of Rounds

- Rijndael has a variable number of rounds. The

number of rounds in Rijndael is - 10 if both the block and the key are 128 bits

long. - 12 if either the block or the key is 192 bits

long, and neither of them is longer than that. - 14 if either the block or the key is 256 bits

long.

Rijndael OverView

- Each round consists of 4 steps
- Step 1 ByteSub Transformation (Confusion)
- Step 2 ShiftRow Transformation (Diffusion)
- Step 3 MixColumn Transformation (Diffusion)
- Step 4 Round Key Addition
- Final round slightly different from other rounds

Rijndael OverView

- The basic operations applied to the block are
- 1) ByteSub Applying an S-box (substituting each
- byte with another, based on an equation in

GF(28)) - 2) ShiftRow Shifting the rows in a circular way,

the - amount of shift (0, 1, 2, 3, or 4 bytes)

depending on the - position from the top and on the block size,

Rijndael OverView

- 3) MixColumn Mixing the 4, 6, or 8 columns

vertically - by taking invertible linear combinations (in

GF(28) of - the elements in each column and
- 4) Round Key Addition XORing each byte with a

round key (done before the first round for

whitening, and again at the end of each round),

Rijndael Algorithm

- Rijndael CypherAES(data_block, key) in State,

RoundKeysState Â State xor RoundKey0for Round

1 to Nr SubBytes(State) ShiftRow (State) If

not(last Round) then MixColumn(State) State Â

State xor RoundKeyRoundout State

Rijndael Sequence of Operations

- The extra final round omits the Mix Column step,

but is otherwise the same as a regular round.

Thus, the sequence of steps in Rijndael is - ARK
- BSB, SR, MC, ARK
- BSB, SR, MC, ARK
- BSB, SR, MC, ARK
- .....
- BSB, SR, MC, ARK
- BSB, SR, ARK

9 of them!!

Rijndael Sequence of Operations

Where ARK Add Round Key BSB Byte Sub

Block SR Shift Row MC Mix Column

Rijndael

Rijndael two-Dimensions Scheme

Rijndael Block Representation

- Rijndael considers a 128-bit block grouped into

16 bytes of 8 bits each. Let us call each of

these 16 bytes as, b15 b14 b13 b2 b1 b0.

Rijndael deals with this block as bytes arranged

into a 44 matrix,

Rijndael Rounds Steps

- In the Byte Sub step each byte of the block is

replaced by its substitute in an S-box.

S-Box Look-up Table method

- Write a byte as 8 bits x7 x6 x5 x4 x3 x2 x1 x0.

Look for the entry in the x7 x6 x5 x4 row and x3

x2 x1 x0 column.

Rijndael S-Box

- 99 124 119 123 242 107 111 197 48 1 103

43 254 215 171 118 - 202 130 201 125 250 89 71 240 173 212 162

175 156 164 114 192 - 183 253 147 38 54 63 247 204 52 165 229

241 113 216 49 21 - 4 199 35 195 24 150 5 154 7

18 128 226 235 39 178 117 - 9 131 44 26 27 110 90 160 82 59

214 179 41 227 47 132 - 83 209 0 237 32 252 177 91 106 203

190 57 74 76 88 207 - 208 239 170 251 67 77 51 133 69 249

2 127 80 60 159 168 - 81 163 64 143 146 157 56 245 188 182 218

33 16 255 243 210 - 205 12 19 236 95 151 68 23 196 167

126 61 100 93 25 115 - 96 129 79 220 34 42 144 136 70 238

184 20 222 94 11 219 - 224 50 58 10 73 6 36 92 194 211

172 98 145 149 228 121 - 231 200 55 109 141 213 78 169 108 86 244

234 101 122 174 8 - 186 120 37 46 28 166 180 198 232 221 116

31 75 189 139 138 - 112 62 181 102 72 3 246 14 97 53

87 185 134 193 29 158 - 225 248 152 17 105 217 142 148 155 30 135

233 206 85 40 223 - 140 161 137 13 191 230 66 104 65 153 45

15 176 84 187 22

Rijndael Rounds Steps

- The specification for Rijndael only provided an

explanation of how the S-box was calculated the

first step was to replace each byte with its

reciprocal in the same GF(28) as used below in

the Mix Column step, except that 0, which has no

reciprocal, is replaced by itself (since it isn't

anything's reciprocal either, it is the only

value not used, so that makes sense) then a

bitwise modulo-two matrix multiply was used, and

finally the hexadecimal number 63 is XORed with

the result.

Rijndael ByteSub Step

- S-Box ArithmeticElements in
- G GF(28, 1aa3a4a8 )nhex Þ nbin Þ

(polynomial with nÕs bits for coeffs)Arithmetic

in Z2 (/), then mod by 1aa3a4a8polynomial

Þ nbin Þ nhex ByteSub(x) A Mx-1 63hex

Precompute and use look-up table

The Construction of the S-Box

- Although the S-box is implemented as a lookup

table, it has a simple mathematical description. - Start with a byte x7 x6 x5 x4 x3 x2 x1 x0, where

each xi is a binary bit. Compute its inverse in

GF(28). If the byte is 0, use the same 0 as its

inverse.

The Construction of the S-Box

- The resulting byte y7 y6 y5 y4 y3 y2 y1 y0

represents an 8-dimensional column vector, with

the rightmost bit y0 in the top position.

Multiply by a matrix and add the column vector

(1, 1, 0, 0, 1, 1, 0) to obtain a vector z7 z6 z5

z4 z3 z2 z1 z0 as shown in the next slide

The Construction of the S-Box

The Construction of the S-Box

- For example, start with the byte 11001011 CB.

Its inverse in GF(28) is 00000100 04, then

The Construction of the S-Box

- This yields the byte 00011111 1F. Note that the

input vector was 11001011. The 4 MSBs of the

input vector are thus 1100 and this gives us the

13th row in the S-Box. Similarly, 1011 yields us

the 14th column in the S-Box. By checking the

S-box we see that indeed 31 1F is the

corresponding entry in the S-Box as claimed.

Rijndael Shift Row Step

- Next is the Shift Row step. Considering the

128-bit block grouped into 16 bytes of 8 bits

each, call them, b15 b14 b13 b2 b1 b0. - these bytes are arranged into a 44 matrix, and

shifted as follows

Rijndael Shift Row Step

- Blocks that are 192 and 256 bits long are

shifted like this - from to
- 1 5 9 13 17 21 1 5 9 13 17 21
- 2 6 10 14 18 22 6 10 14 18 22 2
- 3 7 11 15 19 23 11 15 19 23 3 7
- 4 8 12 16 20 24 16 20 24 4 8 12
- from to
- 1 5 9 13 17 21 25 29 1 5 9 13 17 21 25

29 - 2 6 10 14 18 22 26 30 6 10 14 18 22 26 30 2

- 3 7 11 15 19 23 27 31 15 19 23 27 31 3 7

11 - 4 8 12 16 20 24 28 32 20 24 28 32 4 8 12

16

Rijndael Mix Column step

- Next comes the Mix Column step. Matrix

multiplication is performed each column, in the

arrangement we have seen above, is multiplied by

the matrix - 2 3 1 1
- 1 2 3 1
- 1 1 2 3
- 3 1 1 2
- However, this multiplication is done over GF(28).

This means that the bytes being multiplied are

treated as polynomials rather than numbers.

Rijndael Mix Column step

- GF(28)The Galois Field with 28 elements is the

Finite Field GF(28)Z2x/m(x)where m is

irreducible in Z2x and has degree 8.Rijndael

chooses m(x) 1 x x3 x4 x8

Rijndael Mix Column step

- If the result has more than 8 bits, the extra

bits are not simply discarded instead, they're

cancelled out by XORing the binary 9-bit string

100011011 with the result (shifted right if

necessary). This string stands for the generating

polynomial of the particular version of GF(28)

used by Rijndael.

Rijndael Mix Column step

- For example, multiplying the binary string

11001010 by 3 within this Galois Field works like

this - 11001010
- 11
- --------------
- 11001010
- 11001010
- ---------------
- 101011110 (XOR instead of addition)

- 100011011 (this is XORed, instead of

subt. 256) - --------------
- 1000101

Rijndael Mix Column step

- MixColumn ArithmeticMixColumn is equivalent

to - with arithmetic in GF( 28 ).

Rijndael Add Round Key

- The final step is Add Round Key. This simply

XORs in the subkey for the current round.

Rijndael Key Schedule

- Round keys extracted from the cipher key in two

steps - Initial key expansion
- First bits of the expanded key are set to the

bits of the cipher key - Remaining bits calculated recursively as a

non-linear function of the previous bits of the

expanded key - Round key selection from expanded key

Rijndael Key Schedule

- The original key consists of 128 bits, which are

arranged into a 44 matrix of bytes. This matrix

is expanded by adjoining 40 more columns, as

follows. - Label the first four columns W(0), W(1), W(2),

W(3). The new columns are generated recursively.

Suppose columns up through W(i-1) have been

defined. If i is not a multiple of 4, then form

the new column as, - W(i) W(i-4)?W(i-1).

Rijndael Key Schedule

- If i is a multiple of 4, then
- W(i) W(i-4)?T(W(i-1)),
- Where T(W(i-1)) is the transformation of W(i-1)

as follows. Let the elements of the columns are

w0 w1 w2 w3. Shift these cyclically to obtain w1

w2 w3 w0. Then replace each of these bytes with

the corresponding element in the S-box from the

ByteSub step, to get 4 bytes y0 y1 y2 y3.

Rijndael Key Schedule

- Finally compute the round constant
- In GF(28). Recall that we are in the case where i

is a multiple of 4. Then T(W(i-1)) is the column

vector - (y0 ?r(i), y1 y2 y3)

Rijndael Key Schedule

- In this way, columns W(4),,W(43) are generated

from the initial four columns. The round key for

the ith round consists of the columns - W(4i), W(4i1), W(4i2), W(4i3.)

Rijndael Key Schedule

- Because it begins and ends with an ARK (Add Round

Key) step, there is no wasted unkeyed step at the

beginning or end. The sequence of operations is

important for facilitating decipherment, as well. - Although the sequence is not symmetrical, the

order of some of the steps in Rijndael could be

changed without affecting the cipher. The Byte

Sub step could just as easily be done after the

Shift Row step as before it.

Rijndael Key Schedule

- For keys 128 and 192 bits in length, the subkey

material, which consists of all the round keys in

order, consists of the original key, followed by

stretches, each the length of the original key,

consisting of four-byte words such that each word

is the XOR of the preceding four-byte word and

either the corresponding word in the previous

stretch or a function of it.

Rijndael Key Schedule

- For the first word in a stretch, the word is

first rotated one byte to the left, and then its

bytes are transformed using the S-box from the

Byte Sub step, and then a round-dependent

constant is XORed to its first byte.

Rijndael Key Schedule

- The round constants are
- 1 2 4 8 16 32

64 128 - 27 54 108 216 171 77 154

47 - 94 188 99 198 151 53 106 212

- 179 125 250 239 197 145 57 114
- 228 211 189 97...

Rijndael Decryption

- Inverse Cypher
- Reverse Steps
- Use Keys in Reverse Order
- ByteSub and ShiftRow Commute
- MixColumn Matrix is Invertible

Rijndael Decryption

- The inverse of ByteSub is another lookup table,

called InvByteSub. - The inverse of ShiftRow is obtained by shifting

the rows to the right instead of to the left,

yielding InvShiftRow.

Rijndael Decryption

- The inverse of MixColumn exists because the 44

matrix used in MixColumn is invertible. The

transformation InvMixColumn is given by

multiplication by the matrix

Rijndael Sequence of Operations for Encryption

- The extra final round omits the Mix Column step,

but is otherwise the same as a regular round.

Thus, the sequence of steps in Rijndael is - ARK
- BSB, SR, MC, ARK
- BSB, SR, MC, ARK
- BSB, SR, MC, ARK
- .....
- BSB, SR, MC, ARK
- BSB, SR, ARK

9 of them!!

Rijndael Sequence of Operations

Where ARK Add Round Key BSB Byte Sub

Block SR Shift Row MC Mix Column

Rijndael Decryption

- AddRoundKey is its own inverse.
- Hence to decrypt we have to perform the following

steps - ARK, ISR, IBS
- ARK, IMC, ISR, IBS
- ARK, IMC, ISR, IBS
- .....
- ARK, IMC, ISR, IBS
- ARK

Rijndael Decryption

- However, we would like to rewrite this

decryption in order to make it look more like

encryption. We make the following observations - The order of BS and the SR operations are

exchangable (why??). - We also would like to reverse the order of ARK

and IMC but this is not possible.Instead we

proceed as follows

Rijndael Decryption

- Where (mi,j) is the 44 matrix in MixColumn and

(ki,j) is the round key matrix. The inverse is

obtained by solving

for (ci,j) in terms of (ei,j), namely,

Rijndael Decryption

- Therefore the decryption process to follow is
- The first arrow is simply InvMixColumn applied to

(ei,j). If we let InvAddRoundKey be XORing with

(ki,j), then we have that the inverse of MC

then ARK is IMC then IARK.

Rijndael Decryption

- We now see that decryption is given by
- ARK, IBS, ISR
- IMC, IARK, IBS, ISR
- IMC, IARK, IBS, ISR
- .....
- IMC, IARK, IBS, ISR
- ARK.
- Summarizing we have the following procedures to

perform encryption/decryption with Rijndael

algorithm

Rijndael Encryption

- ARK using the 0th key.
- Nine rounds of BS, SR, MC, ARK using round keys 1

to 9. - A final round BS, SR, ARK, using the 10th round

key.

Rijndael Decryption

- ARK using the 10th key.
- Nine rounds of IBS, ISR, IMC, IARK using round

keys 9 to 1. - A final round IBS, ISR, ARK, using the 0th round

key.

Rijndael Why MixColumn is omitted in the last

round?

- Suppose MixColumn had been left in. Then the

encryption would start ARK, BS, SR, MC, ARK, ,

and it would end ARK, BS, SR, MC, ARK. Therefore,

the beginning o fthe decryption would be (after

the reorderings) IMC, IARK, IBS, ISR, . This

means the decryption would have an unnecessary

IMC at the beginning.

Rijndael Why MixColumn is omitted in the last

round?

- Another way to look at encryption is that there

is an initialARK, then a sequence of alternating

half rounds - (BS, SR), (MC, ARK), (BS, SR),, (MC, ARK), (BS,

SR), - followed by a final ARK.
- The decryption is ARK, followed by a sequence of

alternating half rounds - (IBS, ISR), (IMC, IARK), (IBS, ISR),, (IMC,

IARK), (IBS, ISR)

Rijndael Why MixColumn is omitted in the last

round?

- Followed by a final ARK. From this point of view,

we see that a final MC would not fit naturally

into any of the half rounds, and it results

natural to leave it out.

Rijndael SOme design consideration comments.

- On 8-bit processors, decryption is not quite as

fast as encryption. This is because the entriesof

the 44 matrix for InvMixColumn are more complex

than those for MixColumn, and this is enough to

make decryption take around 30 longer than

encryption for those processors.

Rijndael SOme design consideration comments.

- The fact that encryption and decryption are not

identical processes leads to the expectation that

there are no weak keys in Rijndael, in contrast

to DES and several other algorithms. - In Rijndael all the bits are treated uniformly.

This has the effect of diffusing the input bits

faster.

Rijndael SOme design consideration comments.

- It can be shown that two rounds are enough to

obtain full difussion, namely, each of the 128

output bits depends on each of the 128 input

bits. - The Rijndael S-box is highly nonlinear, since it

is based on the mapping x ? x-1 in GF(28). This

means that Rijndael is excellent resisting

differential and linear cryptoanalysis attacks.

Rijndael SOme design consideration comments.

- The ShiftRow step was added to resist two

recently developed attacks, namely truncated

differentials and the Square attack (Square is a

predecessor of Rijndael). - The MixColumn causes diffusion among the bytes. A

change in one input byte in this step always

results in all four output bytes changing. If two

input bytes are changed, at least three output

bytes are changed.

Rijndael SOme design consideration comments.

- The Key Schedule involves nonlinear mixing of the

key bits, since it uses the S-box. The mixing is

designed to resist attacks where the

cryptoanalyst knows part of the key and tries to

deduce the remaining bits. - The round constants are used to eliminate

symmetries in the encryption process by making

each round different.

Rijndael SOme design consideration comments.

- The number of rounds was chosen to be 10 because

there are attacks that are better than brute

force up to six rounds. - No known attack beats brute force for seven or

more rounds. - It was felt that four extra rounds provide a

large enough margin of safety. Of course, the

number of rounds could easily be increased if

needed.