Algebraic Structure Defectoscopy Tests Results
40-64-bit
Block Ciphers |
|
Type |
Key
Size |
Data Size |
Total Secret State
Size |
Output
Size |
Rounds |
Rounds Between Outputs |
|
PRF Rounds
(Key) |
PRF Rounds (Data) |
PRF Rounds (Both) |
|
PFE Rounds |
SPFE Rounds |
Maximum Output Per Round |
DES-56 |
|
FN |
56 |
64 |
120 |
64 |
16 |
16 |
|
6 |
6 |
6 |
|
18 |
24 |
2.33 |
DESL-56 |
|
FN |
56 |
64 |
120 |
64 |
16 |
16 |
|
6 |
6 |
6 |
|
18 |
24 |
2.33 |
MacGuffin-64 |
|
FN |
64 |
64 |
128 |
64 |
32 |
32 |
|
13 |
13 |
13 |
|
39 |
52 |
1.23 |
RC5-64 |
|
FN |
64 |
64 |
128 |
64 |
12 |
12 |
|
1 |
6 |
6 |
|
18 |
24 |
2.66 |
RTEA-64 |
|
FN |
64 |
64 |
128 |
64 |
40 |
40 |
|
10 |
10 |
10 |
|
30 |
40 |
1.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
80-96-bit
Block Ciphers |
|
Type |
Key
Size |
Data Size |
Total Secret State
Size |
Output
Size |
Rounds |
Rounds Between Outputs |
|
PRF Rounds
(Key) |
PRF Rounds (Data) |
PRF Rounds (Both) |
|
PFE Rounds |
SPFE Rounds |
Maximum Output Per Round |
RC5-96 |
|
FN |
96 |
64 |
160 |
64 |
12 |
12 |
|
1 |
6 |
6 |
|
18 |
24 |
2.66 |
RTEA-96 |
|
FN |
96 |
64 |
160 |
64 |
44 |
44 |
|
11 |
10 |
11 |
|
33 |
44 |
1.45 |
Skipjack-80 (Rule A) |
|
FN |
80 |
64 |
144 |
64 |
32 |
32 |
|
6 |
7 |
7 |
|
21 |
28 |
5.14 |
Skipjack-80 (Rule B) |
|
FN |
80 |
64 |
144 |
64 |
32 |
32 |
|
11 |
14 |
14 |
|
42 |
56 |
2.57 |
Skipjack-80 |
|
FN |
80 |
64 |
144 |
64 |
32 |
32 |
|
(6+11)/2 |
(7+14)/2 |
(7+14)/2 |
|
31.5 |
42 |
3.42 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 128-256-bit
Block Ciphers |
|
Type |
Key
Size |
Data Size |
Total Secret State
Size |
Output
Size |
Rounds |
Rounds Between Outputs |
|
PRF Rounds
(Key) |
PRF Rounds (Data) |
PRF Rounds (Both) |
|
PFE Rounds |
SPFE Rounds |
Maximum Output Per Round |
AES-128 (Rijndael) |
|
BN |
128 |
128 |
256 |
128 |
10 |
10 |
|
4 |
5 |
5 |
|
15 |
20 |
6.4 |
CAST-128 |
|
FN |
128 |
128 |
256 |
128 |
24 |
24 |
|
4 |
5 |
5 |
|
15 |
20 |
6.4 |
Crypton-128 |
|
? |
128 |
128 |
256 |
128 |
11 |
11 |
|
3 |
3 |
3 |
|
9 |
12 |
10.6 |
DEAL-128 |
|
FN |
128 |
128 |
256 |
128 |
6 |
6 |
|
3 |
2 |
3 |
|
9 |
12 |
10.6 |
DFC-128 |
|
FN |
128 |
128 |
256 |
128 |
8 |
8 |
|
4 |
4 |
4 |
|
12 |
16 |
8 |
E2-128 |
|
FN |
128 |
128 |
256 |
128 |
12 |
12 |
|
2 |
4 |
4 |
|
12 |
16 |
8 |
Frog-128 |
|
? |
128 |
128 |
256 |
128 |
8 |
8 |
|
2 |
3 |
3 |
|
9 |
12 |
10.6 |
GOST-256 |
|
FN |
256 |
64 |
320 |
64 |
32 |
32 |
|
9 |
16 |
16 |
|
48 |
64 |
1 |
HPC-128 |
|
? |
128 |
128 |
256 |
128 |
8 |
8 |
|
2 |
2 |
2 |
|
6 |
8 |
16 |
IDEA-128 |
|
BN |
128 |
64 |
192 |
64 |
8.5 |
8.5 |
|
9/∞ |
4-8/∞ |
4-8/∞ |
|
27/∞ |
36/∞ |
1.77/0 |
IDEA-NXT64-128 |
|
? |
128 |
64 |
192 |
64 |
16 |
16 |
|
2 |
2 |
2 |
|
6 |
8 |
24 |
IDEA-NXT128-128 |
|
? |
128 |
128 |
256 |
128 |
16 |
16 |
|
2 |
2 |
2 |
|
6 |
8 |
32 |
Loki97-128 |
|
FN |
128 |
128 |
256 |
128 |
16 |
16 |
|
3 |
7 |
7 |
|
21 |
28 |
4.57 |
Magenta-128 |
|
FN |
128 |
128 |
256 |
128 |
6 |
6 |
|
2 |
4 |
4 |
|
12 |
16 |
8 |
Mars-128 |
|
? |
128 |
128 |
256 |
128 |
32 |
32 |
|
1 |
8 |
8 |
|
24 |
32 |
4 |
RC5-128 |
|
FN |
128 |
64 |
192 |
64 |
12 |
12 |
|
1 |
6 |
6 |
|
18 |
24 |
2.66 |
RC6-128 |
|
FN |
128 |
128 |
256 |
128 |
20 |
20 |
|
3 |
5 |
5 |
|
15 |
20 |
6.4 |
RTEA-128 |
|
FN |
128 |
64 |
192 |
64 |
48 |
48 |
|
12 |
10 |
12 |
|
36 |
48 |
1.45 |
RTEA-256 |
|
FN |
256 |
64 |
320 |
64 |
64 |
64 |
|
16 |
10 |
16 |
|
48 |
64 |
1.06 |
Safer+-128 |
|
? |
128 |
128 |
256 |
128 |
16 |
16 |
|
3 |
4 |
4 |
|
12 |
16 |
8 |
Serpent-128 |
|
? |
128 |
128 |
256 |
128 |
32 |
32 |
|
3 |
3 |
3 |
|
9 |
12 |
10.6 |
TEA-128 |
|
FN |
128 |
64 |
192 |
64 |
64 |
64 |
|
∞ |
8 |
∞ |
|
∞ |
∞ |
0 |
Twofish-128 |
|
FN |
128 |
128 |
256 |
128 |
16 |
16 |
|
2 |
4 |
4 |
|
12 |
16 |
8 |
XTEA-128 |
|
FN |
128 |
64 |
192 |
64 |
64 |
64 |
|
15 |
9 |
15 |
|
45 |
60 |
1.06 |
XXTEA-128 |
|
UFN |
128 |
32n |
192 |
32n+128 |
6n+52 |
6n+52 |
|
8 |
4n |
4n |
|
16n+24 |
16n+32 |
2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Stream Ciphers |
|
Type |
Key
Size |
IV Size |
Total Secret State
Size |
Output
Size |
Sealing
Rounds |
Rounds Between Outputs |
|
PRF Rounds
(Key) |
PRF Rounds (IV) |
PRF Rounds (State) |
|
PFE Sealing Rounds |
SPFE Sealing Rounds |
Maximum Advised Output Per Round |
Achterbahn2-80 |
|
NFS |
80 |
80 |
297 |
1 |
96 |
1 |
|
∞ |
∞ |
∞ |
|
∞ |
∞ |
0 |
Achterbahn2-128 |
|
NFS |
128 |
128 |
351 |
1 |
96 |
1 |
|
∞ |
∞ |
∞ |
|
∞ |
∞ |
0 |
Dragon-256 |
|
UFN |
256 |
256 |
1088 |
64 |
16 |
1 |
|
4 |
4 |
8 |
|
12 |
16 |
32 |
Grain2-80 |
|
UFN |
80 |
64 |
160 |
1 |
160 |
1 |
|
168 |
214 |
214 |
|
642 |
856 |
0.18 |
Grain2-128 |
|
UFN |
128 |
96 |
256 |
1 |
256 |
1 |
|
276 |
313 |
313 |
|
939 |
1252 |
0.20 |
MICKEY2-80 (Mixing) |
|
UFN |
80 |
80 |
200 |
1 |
180 |
1 |
|
65 |
65 |
65 |
|
195 |
260 |
0.76 |
MICKEY2-80 (Keystream) |
|
UFN |
80 |
80 |
200 |
1 |
180 |
1 |
|
∞ |
∞ |
∞ |
|
∞ |
∞ |
0 |
MICKEY2-128 (Mixing) |
|
UFN |
128 |
128 |
320 |
1 |
288 |
1 |
|
102 |
102 |
102 |
|
306 |
408 |
0.78 |
MICKEY2-128 (Keystream) |
|
UFN |
128 |
128 |
320 |
1 |
288 |
1 |
|
∞ |
∞ |
∞ |
|
∞ |
∞ |
0 |
KeeLoq-64 |
|
UFN |
64 |
32 |
96 |
32 |
96 |
96 |
|
∞ |
∞ |
∞ |
|
∞ |
∞ |
0 |
LILI-128 |
|
LFS |
128 |
0 |
128 |
1 |
0 |
1 |
|
∞ |
∞ |
∞ |
|
∞ |
∞ |
0 |
LILI-II-128 |
|
LFS |
128 |
128 |
256 |
1 |
510 |
1 |
|
∞ |
∞ |
∞ |
|
∞ |
∞ |
0 |
Phelix-128 |
|
UFN |
256 |
128 |
544 |
32 |
32 |
4 |
|
20 |
20 |
6 |
|
60 |
80 |
12.8 |
Polar-Bear-128 |
|
? |
128 |
248 |
2304 |
32 |
4 |
4 |
|
∞ |
4 |
∞ |
|
∞ |
∞ |
0 |
Rabbit-128 |
|
BN |
128 |
64 |
513 |
128 |
4 |
1 |
|
2 |
3 |
4 |
|
12 |
16 |
32 |
RC4-N |
|
UFN |
N |
0 |
2056 |
8 |
256 |
1 |
|
N/8+512 |
– |
768 |
|
2304 |
3072 |
0.66 |
Salsa20-256 |
|
UFN |
256 |
128 |
512 |
512 |
20 |
20 |
|
4 |
4 |
∞ |
|
12/∞? |
16/∞? |
32/0? |
Seal-160 |
|
UFN |
160 |
128 |
26016 |
128 |
5 |
2 |
|
1 |
3 |
3 |
|
12 |
12 |
10.6 |
Trivium-80 |
|
UFN |
80 |
80 |
288 |
1 |
1152 |
1 |
|
544 |
544 |
544/∞ |
|
1632 |
2176 |
0.13 |
VEST4-80 |
|
BN |
80 |
80 |
256 |
4 |
32 |
1 |
|
3+5 |
3+5 |
5 |
|
3+15 |
3+20 |
12.8 |
VEST8-128 |
|
BN |
128 |
128 |
384 |
8 |
32 |
1 |
|
3+5 |
3+5 |
5 |
|
3+15 |
3+20 |
19.2 |
VEST16-160 |
|
BN |
160 |
160 |
512 |
16 |
32 |
1 |
|
3+6 |
3+6 |
6 |
|
3+18 |
3+24 |
21.3 |
VEST32-256 |
|
BN |
256 |
256 |
768 |
32 |
32 |
1 |
|
3+6 |
3+6 |
6 |
|
3+18 |
3+24 |
32 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Hash Functions |
|
Type |
Data
Size |
Hash Size |
Total Secret State
Size |
Output
Size |
Sealing
Rounds |
Rounds Between Outputs |
|
PRF Rounds
(Data) |
PRF Rounds (Hash) |
PRF Rounds (State) |
|
PFE Sealing Rounds |
SPFE Sealing Rounds |
Maximum Output Per Round |
GOST-256 |
|
FN |
1024 |
256 |
1280 |
256 |
32 |
32 |
|
9 |
16 |
16 |
|
48 |
64 |
4 |
MD4-64 (R0) |
|
UFN |
512 |
128 |
640 |
128 |
48 |
48 |
|
44 |
28 |
44 |
|
132 |
176 |
0.72 |
MD4-64 (R1) |
|
UFN |
512 |
128 |
640 |
128 |
48 |
48 |
|
36 |
20 |
36 |
|
108 |
144 |
0.88 |
MD4-64 (R2) |
|
UFN |
512 |
128 |
640 |
128 |
48 |
48 |
|
26 |
10 |
26 |
|
78 |
104 |
1.23 |
MD5-64 (R0) |
|
UFN |
512 |
128 |
640 |
128 |
64 |
64 |
|
31 |
15 |
31 |
|
93 |
124 |
1.03 |
MD5-64 (R1) |
|
UFN |
512 |
128 |
640 |
128 |
64 |
64 |
|
28 |
12 |
28 |
|
84 |
112 |
1.14 |
MD5-64 (R2) |
|
UFN |
512 |
128 |
640 |
128 |
64 |
64 |
|
27 |
11 |
27 |
|
81 |
108 |
1.18 |
MD5-64 (R3) |
|
UFN |
512 |
128 |
640 |
128 |
64 |
64 |
|
24 |
15 |
24 |
|
72 |
96 |
1.33 |
SHA0-80 |
|
UFN |
512 |
160 |
672 |
160 |
80 |
80 |
|
31 |
18 |
31 |
|
93 |
124 |
1.25 |
SHA1-80 |
|
UFN |
512 |
160 |
672 |
160 |
80 |
80 |
|
30 |
18 |
30 |
|
90 |
120 |
1.33 |
SHA256-128 |
|
UFN |
512 |
256 |
768 |
256 |
64 |
64 |
|
24 |
10 |
24 |
|
72 |
96 |
2.66 |
SHA512-256 |
|
UFN |
1024 |
512 |
1536 |
512 |
80 |
80 |
|
26 |
11 |
26 |
|
78 |
104 |
4.92 |
Tiger-192 |
|
UFN |
512 |
192 |
704 |
192 |
24 |
24 |
|
6 |
5 |
6 |
|
18 |
24 |
8 |
Whirlpool-256 |
|
BN |
512 |
512 |
1024 |
512 |
10 |
10 |
|
3 |
3 |
3 |
|
9 |
12 |
85.3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Toy Ciphers |
|
Type |
Key
Size |
Data Size |
Total Secret State
Size |
Output
Size |
Rounds |
Rounds Between Outputs |
|
PRF Rounds
(Key) |
PRF Rounds (Data) |
PRF Rounds (State) |
|
PFE Rounds |
SPFE Rounds |
Maximum Output Per Round |
CTC-N |
|
BN |
N |
N |
2N |
N |
? |
? |
|
6-8 |
7-9 |
7-9 |
|
21-27 |
28-36 |
N/36-N/28 |
CTC2-N |
|
BN |
N |
N |
2N |
N |
? |
? |
|
5-7 |
6-8 |
6-8 |
|
18-24 |
24-32 |
N/32-N/24 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Asymmetric Primitives |
|
Type |
Mod
Size |
Exp Size |
Total Secret State
Size |
Output
Size |
Sealing
Rounds |
Rounds Between Outputs |
|
PRF Rounds
(Key) |
PRF Rounds (IV/Data) |
PRF Rounds (State) |
|
PFE Rounds |
SPFE Rounds |
Maximum Output Per Round |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Notes:
All the primitives have their claimed security attached to their names.
FN: [Balanced] Feistel Network
UFN: Unbalanced Feistel Network (all high-degree NLFSRs are also UFNs)
BN: Benes/Butterfly Network
LFS: [A set of] Linear Feedback Shift register[s] with a stateless nonlinear output combiner
NFS: [A set of] Low-degree Nonlinear Feedback Shift register[s] with a stateless output combiner
If the type is incorrect or if it is marked as unknown, please let us know what it is.
PFE: Pseudorandom Function Ensemble - a large dense pseudorandom function invulnerable to non-adaptive attacks. PFErounds = 3*PRFrounds.
SPFE: Super-PFE - a large dense pseudorandom function invulnerable to adaptive attacks. SPFErounds = 4*PRFrounds.
PRF Rounds: The number of rounds after which the function succeeds randomising monomials of degree up to the square root of the security level.
SPFE Rounds: The minimum advised number of rounds. In some special cases, fewer rounds may suffice to build SPFE.
∞: Fails to build a PRF perpetually either due to presence of weak keys or states or structural flaws.
Maximum Output Per Round: Maximum number of bits that can be output securely on every round if the primitive is used as a stream cipher.
PFE and SPFE require all the rounds to be independent. It automatically ensures invulnerability to slide attacks. Our tests verify that automatically. If the primitive is vulnerable to slide attacks, it will be shown in the table as ∞. For more details on PFE and SPFE see the Background page.
Black |
Trivially breakable (rounds < 2*PRFrounds, flawed key schedule or self-similar round function) |
Brown |
Fails to build a PFE, most certainly vulnerable to non-adaptive attacks (rounds < 3*PRFrounds) |
Gray |
Fails to build an SPFE, possibly vulnerable to adaptive attacks (rounds < 4*PRFrounds) |
Blue |
Most probably secure against all statistical and algebraic attacks (4*PRFrounds ≤ rounds) |
White |
Most probably secure, but with an unreasonably large margin |
These results do not include analysis required to tell if the primitive's size is sufficient for the claimed security level. It is assumed to be sufficient. Please expect significant changes to the figures and colours in the table above while we keep it up to date with the ongoing cryptologic research. All technical corrections, public and private are welcome. Personal points of view, sentiments and political propaganda will not be considered.
Many of the cryptographic components marked in the table above as weak could be used securely if a sufficiently large number of rounds and a sufficiently large state/output proportion are chosen instead of the author-proposed ones.
Last updated: 10.10.2007
|
