| General | |
|---|---|
| Designers | Hitachi |
| First published | 1988 |
| Cipher detail | |
| Key sizes | 64 bits |
| Block sizes | 64 bits |
| Structure | Feistel network |
| Rounds | Variable |
MULTI2 is a block cipher, developed by Hitachi in 1988. Designed for general-purpose cryptography, its current use is encryption of high-definition television broadcasts in Japan.
MULTI2 is a symmetric key algorithm with variable number of rounds. It has a block size of 64 bits, and a key size of 64 bits. A 256-bit implementation-dependent substitution box constant is used during key schedule. Scramble and descramble is done by repeating four basic functions (involutions).
There are a large class of equivalent keys in the Multi2 block cipher. The largest class (so far found) stems from the fact that the Pi3 round function in the key schedule is not bijective. For example, with the following 40-byte input key to the key schedule:
45 ec 86 d8 b6 5e 24 d5 38 fe 1d 90 ce fc a4 22 3e 39 1b e3 da 03 0f cb 9c 9e d7 c6 1c e4 73 61 d0 fa 39 86 58 5d 5b 90
You can perform the following single byte modifications (modification here means XOR against the original key byte):
Can mod byte 5 with CF Can mod byte 7 with 77 Can mod byte 20 with 9A Can mod byte 20 with A9 Can mod byte 20 with D7 Can mod byte 21 with 35 Can mod byte 21 with 6A Can mod byte 21 with 9F Can mod byte 21 with CC Can mod byte 22 with 4D Can mod byte 22 with 7A Can mod byte 22 with A7 Can mod byte 23 with 53 Can mod byte 23 with AE
In this case there are 15 different keys which will schedule to the same 8 32-bit round keys for the ciphers bulk encryption path. The keys are all different in the first keyword used in the Pi3 round function (keys k[1] and k[5]). The collision occurs because a single byte difference turns into a pattern like 0X0X0000 (rotated by 0, 8, 16, or 24 bits) which then expands to a variation of 0X000X00 and finally in the second last line (with the rotate by 16 and the XOR) the differences cancel out. Turning into a zero-delta.
The problem stems from the fact that the function
x = ROL(x, y) ^ x
Where ROL means rotate left by y bits, is not bijective for any value of y. There are similar problems with the Pi2 and Pi4 functions but they are seemingly harder to exploit because the rotation value is smaller.
There are other observations too, for example
x = ROL(x, 1) - x
Found in Pi3, is an identity function for 50% of the values of x (where the most significant byte is zero).
This also means it is possible to have weak keys where instead of forcing single byte differences in the key, they are in the plaintext into Pi3 produces a zero-delta output and possibly leading to a 1R differential.
The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard (AES) now receives more attention, and Schneier recommends Twofish for modern applications.
In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Block ciphers operate as important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.
In cryptography, the International Data Encryption Algorithm (IDEA), originally called Improved Proposed Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991. The algorithm was intended as a replacement for the Data Encryption Standard (DES). IDEA is a minor revision of an earlier cipher Proposed Encryption Standard (PES).
In cryptography, RC4 is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure protocols such as WEP.
In cryptography, RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, RC stands for "Rivest Cipher", or alternatively, "Ron's Code". The Advanced Encryption Standard (AES) candidate RC6 was based on RC5.
In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.
In cryptography, Lucifer was the name given to several of the earliest civilian block ciphers, developed by Horst Feistel and his colleagues at IBM. Lucifer was a direct precursor to the Data Encryption Standard. One version, alternatively named DTD-1, saw commercial use in the 1970s for electronic banking.
In cryptography, the Tiny Encryption Algorithm (TEA) is a block cipher notable for its simplicity of description and implementation, typically a few lines of code. It was designed by David Wheeler and Roger Needham of the Cambridge Computer Laboratory; it was first presented at the Fast Software Encryption workshop in Leuven in 1994, and first published in the proceedings of that workshop.
In computer science and cryptography, Whirlpool is a cryptographic hash function. It was designed by Vincent Rijmen and Paulo S. L. M. Barreto, who first described it in 2000.
KASUMI is a block cipher used in UMTS, GSM, and GPRS mobile communications systems. In UMTS, KASUMI is used in the confidentiality (f8) and integrity algorithms (f9) with names UEA1 and UIA1, respectively. In GSM, KASUMI is used in the A5/3 key stream generator and in GPRS in the GEA3 key stream generator.
In cryptography, Khufu and Khafre are two block ciphers designed by Ralph Merkle in 1989 while working at Xerox's Palo Alto Research Center. Along with Snefru, a cryptographic hash function, the ciphers were named after the Egyptian Pharaohs Khufu, Khafre and Sneferu.
In cryptography, Madryga is a block cipher published in 1984 by W. E. Madryga. It was designed to be easy and efficient for implementation in software. Serious weaknesses have since been found in the algorithm, but it was one of the first encryption algorithms to make use of data-dependent rotations, later used in other ciphers, such as RC5 and RC6.
In cryptography, FROG is a block cipher authored by Georgoudis, Leroux and Chaves. The algorithm can work with any block size between 8 and 128 bytes, and supports key sizes between 5 and 125 bytes. The algorithm consists of 8 rounds and has a very complicated key schedule.
In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers widely adopted thanks to its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources. The operation is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128 bits. Galois Message Authentication Code (GMAC) is an authentication-only variant of the GCM which can form an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length.
In cryptography, SXAL is a block cipher designed in 1993 by Yokohama-based Laurel Intelligent Systems. It is normally used in a special mode of operation called MBAL . SXAL/MBAL has been used for encryption in a number of Japanese PC cards and smart cards.
In cryptography, M8 is a block cipher designed by Hitachi in 1999. The algorithm negotiates introduced in 1997 M6, with the modified key length, which is enlarged to 64 bits or more. This cipher operates with Feistel network and designed to reach high performance on small implementation or 32 bits devices. For instance, by using round numbers = 10 it present encryption speed at 32 Mbps for dedicated hardware of 6K gates and 25 MHz clock or 208 Mbps for program, that uses C-language and Pentium-I 266MHz. Due to the openness of description, it should not be used in open or multivendor software.
In cryptography, a distinguishing attack is any form of cryptanalysis on data encrypted by a cipher that allows an attacker to distinguish the encrypted data from random data. Modern symmetric-key ciphers are specifically designed to be immune to such an attack. In other words, modern encryption schemes are pseudorandom permutations and are designed to have ciphertext indistinguishability. If an algorithm is found that can distinguish the output from random faster than a brute force search, then that is considered a break of the cipher.
bcrypt is a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher, and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.
Speck is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. Speck has been optimized for performance in software implementations, while its sister algorithm, Simon, has been optimized for hardware implementations. Speck is an add–rotate–xor (ARX) cipher.
