AES Noise Purity Tests Results

"…A signal that is Pure Noise is thermodynamically indistinguishable from a perfectly encoded and compressed semantic message: they both look like a varying signal in which you could not predict one bit of the signal based on the previous ones…"

Matt LaMantia, Data Integrity Engineer, Noise Laboratories.

 

NOISE PURITY TEST #1: NON-LINEAR DATA INPUT, CONSTANT ZERO KEY (NICK)

The table below contains the results of the first of our Noise Purity Tests, performed on the 128-bit versions of all 15 AES candidate encryption algorithms.

Multiple randomness tests were performed on non-linear data input after 1 to 8 rounds of encryption with a constant key (NICK).

In this test the same 128 bit key consisting of all 0s was used for data encryption.

Input data consisted of all 128-bit data blocks with exactly 4 bits set to 1 and 124 bits set to 0, giving 10,668,000 combinations, or 170,688,000 bytes of input data for encryption and the subsequent noise purity analysis.
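The NICK procedure described above, sketched for one candidate as an added example (not Noise Laboratories' test code): reduced-round Rijndael under the all-zero key, run over a sample of the weight-4 inputs. The page does not name its randomness tests or say how rounds were cut, so the monobit frequency test, the every-20000th-input sampling and the "last round omits MixColumns" convention are assumptions.

```python
import math
from itertools import combinations, islice

def gmul(a, b):  # multiply in GF(2^8) modulo the Rijndael polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _affine(x):  # S-box affine map applied after field inversion
    rot = lambda n: ((x << n) | (x >> (8 - n))) & 0xFF
    return x ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

SBOX = [0x63] + [_affine(next(b for b in range(1, 256) if gmul(a, b) == 1))
                 for a in range(1, 256)]

def round_keys(key, rounds):
    w, rc = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 4 * (rounds + 1)):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord, SubWord, round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rc = t[0] ^ rc, gmul(rc, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]

def encrypt(block, key, rounds):
    # Assumed reduction: `rounds` rounds, the last without MixColumns (10 = AES-128).
    rk = round_keys(key, rounds)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for n in range(1, rounds + 1):
        s = [SBOX[s[4 * ((i // 4 + i % 4) % 4) + i % 4]] for i in range(16)]  # SubBytes+ShiftRows
        if n < rounds:  # MixColumns
            s = [gmul(s[c + r], 2) ^ gmul(s[c + (r + 1) % 4], 3) ^ s[c + (r + 2) % 4]
                 ^ s[c + (r + 3) % 4] for c in (0, 4, 8, 12) for r in range(4)]
        s = [a ^ k for a, k in zip(s, rk[n])]
    return bytes(s)

def nick_inputs(step):  # every step-th block with exactly 4 of 128 bits set
    for bits in islice(combinations(range(128), 4), 0, None, step):
        yield sum(1 << b for b in bits).to_bytes(16, "big")

def nick_monobit(rounds, step=20000):
    # Encrypt the sampled inputs under the all-zero key, then run a monobit test.
    out = b"".join(encrypt(x, bytes(16), rounds) for x in nick_inputs(step))
    ones, n = sum(bin(b).count("1") for b in out), 8 * len(out)
    return ones / n, math.erfc(abs(2 * ones - n) / math.sqrt(2 * n))  # p < 0.01 fails
```

`nick_monobit(rounds)` returns the share of 1 bits and the test's p-value. After a single round at least 12 of the 16 output bytes of every block are fixed constants, so the stream fails outright.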

Values separated by / refer to the results of encryption performed WITH and WITHOUT pre- and post-encryption data whitening (bit permutation, XOR, ADD or any other more complex operation), if present. If an algorithm does not include any pre- or post-whitening, only one result is displayed and used.

Processor cycles per round (CPR) refer to the fastest known implementations for the Intel® Pentium® II processor. Possible minor extra speed increases due to instruction pairing between the encryption rounds themselves, and between data whitening and the first and last rounds of encryption, were not taken into consideration.
 

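| NICK               | CAST | Crypton   | DEAL      | DFC  | E2        | Frog | HPC       | Loki97 | Magenta | Mars      | RC6*      | Rijndael*   | Safer+*     | Serpent   | Twofish  |
|--------------------|------|-----------|-----------|------|-----------|------|-----------|--------|---------|-----------|-----------|-------------|-------------|-----------|----------|
| 1 Round            | 0    | 0 / 0     | – / 0     | 0    | 0 / 0     | 0    | – / –     | 0      | 0       | – / 0     | 0 / 0     | 0* / 0*     | 0 / 0       | 0 / 0     | 0 / 0    |
| 2 Rounds           | +    | 0 / 0     | – / 0     | 0    | 0 / 0     |      | – / –     | 0      | 0       | – / 0     | 0 / 0     | 0* / 0*     | X / X       | 0 / 0     | + / +    |
| 3 Rounds           | +    | + / 0     | + / +     | +    | X / 0     |      | X / –     | 0      | X       | – / 0     | 0 / 0     | 0* / 0*     | X / X       | X / –     | X / X    |
| 4 Rounds           | X    | + / X     | X / +     | +    | X / +     | +    | X / –     | X      |         | X / 0     | – / 0     | X* / X*     | + / +       | X / +     | X / X    |
| 5 Rounds           | X    | X / X     | X / X     | X    | X / +     | X    | X / X     | X      | X       | X / –     | + / –     | X* / X*     | X / X       | X / X     | X / X    |
| 6 Rounds           | X    | X / X     | X / X     | X    | X / X     | X    | X / X     | X      | X       | X / +     | X / +*    | X* / X*     | +* / +*     | X / X     | X / X    |
| 7 Rounds           | X    | X / X     | X / X     | X    | X / X     | X    | X / X     | X      | X       | X / X     | X / +*    | X* / X*     | +* / +*     | X / X     | X / X    |
| 8 Rounds           | X    | X / X     | X / X     | X    | X / X     | X    | X / X     | X      | X       | X / X     | X / +*    | X* / X*     | +* / +*     | X / X     | X / X    |
| Max Rounds         | 12   | 11        | 16        | 8    | 12        | 8    | 8         | 16     | 6       | 16        | 20        | 10          | 16          | 31        | 8        |
| Cycles             | 600  | 392       | 2368      | 304  | 356       | 2416 | 380       | 2144   | 6540    | 368       | 244       | 284         | 1712        | 960       | 264      |
| CPR                | 50   | 32        | 140       | 38   | 27        | 302  | 47        | 134    | 1090    | 15        | 12        | 28          | 106         | 30        | 32       |
| Whitening          | 0    | 40        | 128       | 0    | 32        | 0    | 4         | 0      | 0       | 128       | 4         | 4           | 16          | 30        | 8        |
| Min Rounds Passing | 4    | 5 / 4     | 4 / 5     | 5    | 3 / 6     | 5    | 3 / 5     | 4      | 3       | 4 / 7     | 6 / 17*   | 4* / 4*     | 2* / 2*     | 3 / 5     | 3 / 3    |
| Min Cycles Passing | 200  | 200 / 128 | 688 / 700 | 190  | 113 / 162 | 1510 | 145 / 235 | 536    | 3270    | 188 / 105 | 76 / 204* | 116* / 112* | 228* / 212* | 120 / 150 | 104 / 96 |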


Comments:

0        Failed all tests
–        Failed some tests
+        Passed, but results look suspicious, almost failed some tests
X        Passed all tests


* RC6: Noise Purity NICK Test of RC6 without data pre- and post- whitening returns very suspicious results up to the maximum tested 20 rounds, possible minor flaw in the cipher.

* Rijndael: Input data whitening XOR makes absolutely no difference. Also, 6 and 7 rounds of encryption produce exactly the same output (!?), possible flaw in the cipher.

* Safer+: Starting with 6 and up to the maximum 8 rounds of encryption, returned test results look very suspicious, possible minor flaw in the cipher.

* Crypton1: Only key schedule generation was modified in Crypton1, so it performed identically to Crypton in this test and therefore it's not included in this table.


We expected Bruce Schneier's Twofish to look good, but we didn't expect it to show such an outstanding performance and such a remarkable stability of the results… We also expected RC6 to perform better than it did, but… So far Twofish indubitably leads the list of the world's best 128 bit block ciphers.

— Yes, Bruce, one can judge the encryption algorithm quality by the speed of its secure version, one just has to determine that "secure" number of rounds correctly. And we believe that practical results say much more than any theoretical speculations.

AS ALWAYS, PRACTICE IS FAR AWAY FROM THEORY

This was the first of the battery of tests we plan to perform on AES and other encryption algorithms. The table above is subject to constant modification as new information is collected. More tests on different parts of the encryption algorithms will be performed in the near future and more results are coming.

Details on the results from the table above are under construction. Please also note that just passing these tests alone is not a proof of the cipher's security, but failing them by a single bit is what must be taken seriously.

We do not and never will provide a theoretical basis for or an explanation of the results of our tests. This is not a cryptanalytic work. All tests are meant purely to demonstrate the practical difference in behavior and performance of different encryption algorithms, hopefully finding and bringing to attention possible flaws in them.

Any feedback will be highly appreciated.

LINKS TO AES CANDIDATES AND THEIR AUTHORS

| AES Algorithm | Designed / Submitted By |
|---------------|-------------------------|
| CAST-256      | Carlisle Adams, Entrust Technologies, Inc. |
| CRYPTON       | Chae Hoon Lim, Future Systems, Inc. |
| DEAL          | Lars Knudsen and Richard Outerbridge |
| DFC           | Serge Vaudenay, CNRS Ecole Normale Superieure |
| E2            | Kazumaro Aoki, Masayuki Kanda, Tsutomu Matsumoto, Shiho Moriai, Kazuo Ohta, Miyako Ookubo, Youichi Takashima and Hiroki Ueda, NTT – Nippon Telegraph and Telephone Corporation |
| FROG          | Dianelos Georgoudis, Damian Leroux and Billy Simon Chaves, TecApro International S.A. |
| HPC           | Rich Schroeppel |
| LOKI97        | Lawrie Brown, Josef Pieprzyk and Jennifer Seberry |
| MAGENTA       | M.J. Jacobson and Dr. Klaus Huber, Deutsche Telekom AG |
| MARS          | Nevenko Zunic, IBM |
| RC6           | Ron Rivest (or his secretary Be Blackburn), Matthew Robshaw, RSA Laboratories |
| RIJNDAEL      | Joan Daemen and Vincent Rijmen, who doesn't like Internet Explorer ;-) |
| SAFER+        | James L. Massey, Charles Williams, Cylink Corporation |
| SERPENT       | Ross Anderson, Eli Biham and Lars Knudsen |
| TWOFISH       | Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson |


OTHER AES RELATED RESOURCES

NIST Home of AES – exactly where it all began, updated regularly.

Well organized AES Algorithms Efficiency page by Brian Gladman, contains next to perfect C sources of all AES algorithms, updated regularly.

One of the best AES Algorithm Performance Comparison documents by the TWOFISH team, not updated.

The one and only AES Block Cypher Lounge by Lars Knudsen contains names of the papers and links to the best known attacks on AES algorithms, updated often.

The largest Cryptography People List by David Wagner, some links are outdated though.

A nice AES Ciphers Speed site maintained by Helger Lipmaa, updated regularly.

And a very informative Candidate AES Analysis and Reviews site maintained by François Koeune, UCL Crypto Group, updated often.

Revision History:

April 21, 1999 — Started the first test, Non-Linear Input & Constant Key (NICK)
May 16, 1999 — First Published
July 24, 1999 — Started the second test, Non-Linear Key & Constant Input (NKCI)
July 27, 1999 — Minor Corrections
October, 1999 — Planned to start the third test, Non-Linear KeyStream & Constant Input (NSCI)

Copyright © 1999 by Pure Noise Ltd.