Secure and Fast Implementations of Two Involution Ciphers

  • Billy Bob Brumley
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7127)


Anubis and Khazad are closely related involution block ciphers. Building on two recent AES software results, this work presents a number of constant-time software implementations of Anubis and Khazad for processors with a byte-vector shuffle instruction, such as those that support SSSE3. For Anubis, the first is serial in the sense that it employs only one cipher instance and is compatible with all standard block cipher modes. Efficiency is largely due to the S-box construction that is simple to realize using a byte shuffler. The equivalent for Khazad runs two parallel instances in counter mode. The second for each cipher is a parallel bit-slice implementation in counter mode.


Anubis Khazad involution ciphers block ciphers software implementation timing attacks 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aranha, D.F., López, J., Hankerson, D.: High-Speed Parallel Software Implementation of the η T Pairing. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 89–105. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  2. 2.
    Barreto, P.S.L.M., Rijmen, V.: The Anubis block cipher (2001),
  3. 3.
    Barreto, P.S.L.M., Rijmen, V.: The Khazad legacy-level block cipher (2001),
  4. 4.
    Barreto, P.S.L.M., Simplício Jr., M.A.: CURUPIRA, a block cipher for constrained platforms. In: 5th Brazilian Symposium on Computer Networks and Distributed Systems, pp. 61–74 (2007),
  5. 5.
    Bernstein, D.J.: Cache-timing attacks on AES (2004),
  6. 6.
    Boyar, J., Peralta, R.: New logic minimization techniques with applications to cryptology. Cryptology ePrint Archive, Report 2009/191 (2009),
  7. 7.
    Canright, D., Osvik, D.A.: A More Compact AES. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 157–169. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Clavier, C., Gaj, K. (eds.): CHES 2009. LNCS, vol. 5747. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  9. 9.
    Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein hash function family. Submission to NIST (Round 2) (2009),
  10. 10.
    Hamburg, M.: Accelerating AES with vector permute instructions. In: Clavier and Gaj [8], pp. 18–32Google Scholar
  11. 11.
    Käsper, E., Schwabe, P.: Faster and timing-attack resistant AES-GCM. In: Clavier and Gaj [8], pp. 1–17Google Scholar
  12. 12.
    Preneel, B.: The NESSIE project: towards new cryptographic algorithms. In: 3rd International Workshop on Information Security Applications, WISA 2002, pp. 16–33 (2002)Google Scholar
  13. 13.
    Rudra, A., Dubey, P.K., Jutla, C.S., Kumar, V., Rao, J.R., Rohatgi, P.: Efficient Rijndael Encryption Implementation with Composite Field Arithmetic. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 171–184. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Satoh, A., Morioka, S., Takano, K., Munetoh, S.: A Compact Rijndael Hardware Architecture with S-Box Optimization. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 239–254. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. 15.
    Simplício Jr., M.A., Barreto, P.S.L.M., Carvalho, T.C.M.B., Margi, C.B., Näslund, M.: The CURUPIRA-2 block cipher for constrained platforms: Specification and benchmarking. In: Bettini, C., Jajodia, S., Samarati, P., Wang, X.S. (eds.) PiLBA. CEUR Workshop Proceedings, vol. 397, (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Billy Bob Brumley
    • 1
  1. 1.Aalto University School of ScienceFinland

Personalised recommendations