mirror of https://github.com/odzhan/tinycrypt
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('') and can be up to 35 characters long.
odzhan
f5c1beecb6

3 years ago  

..  
doc  3 years ago  
old  3 years ago  
ref  3 years ago  
Makefile  3 years ago  
README.txt  3 years ago  
noekeon.c  3 years ago  
noekeon.h  3 years ago  
noekeon.html  3 years ago  
nz.asm  3 years ago  
test  3 years ago  
test.c  3 years ago 
README.txt
Noekeon Block Cipher
Designers Joan Daemen, Michaël Peeters,
Gilles Van Assche, Vincent Rijmen
First published 200009
Derived from 3Way, BaseKing
Key sizes 128 bits
Block sizes 128 bits
Rounds 16
Noekeon is a SubstitutionPermutation Network operating on blocks of 128
bits using a 128bits key. It operates on 4 words of 32 bits except for
the SBox layer, "Gamma", which operates on 4bits nibbles. The same
round key is used in every round; how it is derived depends on whether
relatedkey attacks must be considered or not. However, there exists
relatedkey differentials for both key schedules[96] It uses the
following operations.
Gamma: Consists in applying a 4bit involution SBox on nibbles
independently. Each of the 32 nibbles considered in Gamma is made of the
bits of index i in each of the 4 words for all i in [0, 31]. This leads
to a simple bitslice implementation of this layer. Most choices for
Gamma generated using the same design criteria would have lead to weak
ciphers but the one chosen in Noekeon does not[96]. Theta: A linear
layer which mixes words with each other and operates at the byte level.
It has a LaiMassey structure where the LaiMassey function is linear: x
\mapsto x \oplus (x <<< 8) \oplus (x >>> 8). The round key is XORed
between the 2steps of the LaiLassey operation. shift operations: Three
of the four words are rotated by different offsets, namely 1, 5 and 2.
Each rotations and their inverses are used.
A round constant is XORed in the internal state before applying Gamma
during encryption. Since the components are involutionbased, decryption
can be implemented using the same circuit as encryption. 16 rounds are
used.
It is claimed to be suitable for implementation in hardware and on 8bit
processors.
The best attack by the designers is a linear attack based on a 2rounds
iterative linear trail covering 9 rounds, which is then extended to
cover 12 rounds through key guessing.