english only
School of Computer and Communication Sciences
LASEC - Security and Cryptography Laboratory
EPFL > IC > LASEC > publications
Banner IC
INDEX
Home
People
Research
Teaching
Publications
Softwares & Events
Intranet
How to reach us

CONTACT

EPFL - I&C - ISC - LASEC
Station 14 - Building INF
CH-1015 Lausanne
Switzerland

Tel. +41 21 693 7603
Fax. +41 21 693 7689

Decorrelated Fast Cipher


Last update: September the 7th, 2000.

The Laboratory of Computer Sciences of the Ecole Normale Supérieure has been developping in cooperation with France Telecom a candidate to the Advanced Encryption Standard. It is called DFC as for "Decorrelated Fast Cipher".

This document includes:

  1. Documents on DFC (list of our documents about DFC)
  2. Best Implementations so Far (list of best known implementations of DFC)
  3. Original Implementations (our original implementations)
  4. Other Related Sites (list of related sites on AES)
  5. The AES Candidates (list of the AES candidates)



Documents on DFC

Here are a few documents related to DFC (in chronological order).
  • the DFC annoucement (HTML, Aug 12th, 1998) (Check the Errata Page.)
  • Link to The Decorrelation Technique Home Page. (HTML) All material on the decorrelation theory on which DFC is based can be found from there.
  • Errata Page. (HTML)
  • Decorrelated Fast Cipher: an AES Candidate. (PS, Aug 20th, 1998)(Check the Errata Page.) (Extended abstract on DFC published in the proceedings of the first AES workshop.)
    This paper gives all materials to define DFC.
  • Decorrelated Fast Cipher: an AES Candidate. (PS, Aug 20th, 1998)(Check the Errata Page.) (Full report published in the AES CD-ROM 1.)
  • Decorrelated Fast Cipher: an AES Candidate well suited for low cost smart cards applications. (PS, Sep 14th, 1998) (Draft paper to be published in CARDIS'98.)
    Description of the implementation we made of DFC on a very low cost smart card.
  • Report from Asiacrypt'98. (HTML, Oct 28th, 1998)
    This report responses to several criticisms emitted against DFC. It also clearify some implementation problems and achievements.
  • (External link) Link to the INPI (French National Institute for Industrial Property) (extenal link)
    Information on the patent appliance WO9820643 on decorrelation can be found there. The patent has been applied on 04/11/1996 and is being extended through PCT.
      Abstract. The invention concerns a method for the cryptography of data recorded on a medium useable by a computing unit in which said computing unit processes an input information x using a key for supplying an information encoded F(x) by a function F. The invention is characterised in that the function F uses a decorrelation module MK such that F(x) = [F'(MK)](x), in which K is a random key and F' a cryptographic function.
  • Testimony for DFC. (TXT, Jan 26th, 1999)
    This (controversial) document has been kindly posted by Robert Harley on the sci.crypt Usenet NewsGroup. (thanks Rob!)
  • Report on the AES Candidates. (PS, Mar 22nd, 1999) (Paper published in the proceedings of the second AES workshop.)
    This paper gives arguments against the AES candidates.
  • DFC Update. (PS, Mar 23rd, 1999) (Paper published in the proceedings of the second AES workshop.)
    This paper reports on the advances about DFC (new implementations, design criteria, next extensions annoucement).
  • Comparison of the Randomness Provided by Some AES Candidates. (PS, Apr 15th, 1999) (Paper sent to NIST as an official comment for the AES process.)
    Compare of several generalized Feistel constructions in term of pseudorandomness and decorrelation. In particular we compare the number of rounds for regular Feistel, Cast256-like and Mars-like schemes.
  • On Decorrelation and Provable Security (PS, Apr 15th, 1999) (Paper sent to NIST as an official comment for the AES process.)
    Feedback on several attacks against decorrelation.
  • Update of DFC Implementations (PS, Apr 15th, 1999) (Package sent to NIST as an official comment for the AES process.)
    This package contains high improvements of the official DFC implementations in CD2.
  • DFCv2 (To appear in SAC'00.)
    This updated version of DFC includes a new key schedule and scalable parameters (round number, block size).




  • Best Implementations so Far

    We summarize here the best known implementations of DFC on March 18th, 1999.

    Key setup algorithms have not always been implemented. There is no reason why the key setup timing should be different from four times the encryption timing though.

    Platform Language Compiler Programmer encryption speed (in clock cycles per block) best known implementation of DES
    Alpha 21164a C+asm cc.alt Harley 310
    Alpha 21164a C cc.alt Harley 526
    Alpha 21264 575MHz C+asm cc.alt Harley 231
    Pentium asm nasm Behr Harley Mathisen McGougan 609
    Pentium Pro 200MHz asm nasm Behr Harley Mathisen McGougan 392 344
    Pentium Pro 200MHz C gcc Noilhan 1262
    UltraSparc C SWC 5.0 Noilhan Harley 875
    UltraSparc Java JDK 1.2 Noilhan 4087
    ARM C+asm gcc Harley 710
    ARM asm gas Harley 555
    Motorola 6805 3.56MHz <200B RAM asm Poupard 35000 16000
    Motorola 6805 3.56MHz <100B RAM asm Poupard 200000 16000
    Note: in order to compare DFC with DES, we need to consider that DFC encrypts twice as bits as DES, with a security greater than triple-DES.




    Original Implementations

    Our submission package to NIST had several implementations which are available on the AES CD2 (you can order it to NIST, see information on NIST's AES web page). We provide here the implementation results in order to emphasis the implementation advances above.

    Platform Language Compiler Programmer encryption speed (in clock cycles per block) key setup speed (in clock cycles per block)
    Alpha 21164 600MHz ANSI C OSF1 v4.0.878 Pornin 2562 12810
    Alpha 21164 600MHz C OSF1 v4.0.878 Pornin 708 3540
    Alpha 21164 600MHz asm OSF1 v4.0.878 Pornin 558 2790
    Pentium Pro 200MHz ANSI C Visual C++ 4.0 Pornin 3600
    Pentium Pro 200MHz ANSI C Gnu C Compiler 2.7.2.1 Pornin 2592 12960
    Pentium Pro 200MHz C Gnu C Compiler 2.7.2.1 Pornin 2432 12160
    Pentium Pro 200MHz asm Gnu C Compiler 2.7.2.1 Hoogvorst 754 3770
    Pentium Pro 200MHz Java JDK Noilhan
    SPARC 170MHz ANSI C Workshop Compiler 4.2 Pornin 5380 26900
    SPARC 170MHz C Workshop Compiler 4.2 Pornin 1115 5575
    SPARC 170MHz asm Workshop Compiler 4.2 Hoogvorst 802 4010
    Motorola 6805 <200B RAM asm Poupard 35000 140000
    Motorola 6805 <100B RAM asm Poupard 200000 1000
    The API and all tests have been performed by Noilhan.



    External Links




    The AES Candidates


    © 2009, EPFL