Square

Square
Square
Creator	Vincent Rayman , ; Yoan Dimen ; Lars Knudsen
Created by	1997
Published	1997
Key size	128 bit
Block size	128 bit
Number of rounds	8
Type of	Wildcard network

SQUARE is a symmetric block cryptographic algorithm in cryptography developed in 1997 by Vincent Rayman , Joan Dimen and Lars Knudsen .

Considered the forerunner of the AES algorithm. The structure of the algorithm was chosen by the authors for the possibility of obtaining an effective implementation on a wide range of processors, as well as for cryptographic resistance to differential and linear cryptanalysis.

Content

1 Description of the algorithm
- 1.1 Transformations in the encryption round
  - 1.1.1 Linear Transformation $\theta$ ${\ displaystyle \ theta}$ $\ theta$
  - 1.1.2 Nonlinear Transformation $\gamma$ ${\ displaystyle \ gamma}$ $\ gamma$
  - 1.1.3 Byte Shift $\pi$ ${\ displaystyle \ pi}$ $\ pi$
  - 1.1.4 Addition with a round key $\sigma [K_{i}]$ ${\ displaystyle \ sigma [K_ {i}]}$ ${\ displaystyle \ sigma [K_ {i}]}$
- 1.2 Procedure for obtaining keys
2 Encryption
3 Decryption
4 Security
- 4.1 The study of cryptographic stability by the creators of the algorithm
  - 4.1.1 Description of the Square attack
5 Cipher Features
6 See also
7 notes
8 Literature
9 References

Algorithm Description

The SQUARE algorithm uses a 128-bit key; data is encrypted with 128-bit blocks; however, the modular approach to building a cipher makes it easy to expand the key length and the length of the data block to large sizes. One round of SQUARE consists of four separate transformations. Data is represented by a 4x4 byte square. The main components of this cipher are five different reversible transformations that affect an array of size bytes $4\times 4$ ${\ displaystyle 4 \ times 4}$ $4\times 4$ . ^[one]

Transformations in the Encryption Round

Linear conversion $\theta$ ${\ displaystyle \ theta}$ $\theta$

Linear conversion $\theta$ ${\ displaystyle \ theta}$ affects every row in the data square. It is represented by the formula ${b_{i,j}=c_{j}a_{i,0}\oplus c_{j-1}a_{i,1}\oplus c_{j-2}a_{i,2}\oplus c_{j-3}a_{i,3}}$ ${\ displaystyle {b_ {i, j} = c_ {j} a_ {i, 0} \ oplus c_ {j-1} a_ {i, 1} \ oplus c_ {j-2} a_ {i, 2} \ oplus c_ {j-3} a_ {i, 3}}}$ where:

${a_{i,j}}$ ${\ displaystyle {a_ {i, j}}}$ Is the value of the byte in $i$ ${\ displaystyle i}$ th row and $j$ ${\ displaystyle j}$ -th column in the squared data;
${b_{i,j}}$ ${\ displaystyle {b_ {i, j}}}$ - new byte value in a square;
${c_{n}}$ ${\ displaystyle {c_ {n}}}$ - set of constants;
multiplications are performed in the Galois field ${GF(2^{8})}$ ${\ displaystyle {GF (2 ^ {8})}}$ ;

Important that the field ${GF(2^{8})}$ ${\ displaystyle {GF (2 ^ {8})}}$ has characteristic 2, that is, the addition operation corresponds to bitwise $\mathrm {xor}$ ${\ displaystyle \ mathrm {xor}}$ . Each $i$ ${\ displaystyle i}$ -th row squared can be represented as a polynomial $a_{i}(x)=a_{i,0}\oplus a_{i,1}x\oplus a_{i,2}x^{2}\oplus a_{i,3}x^{3}$ ${\ displaystyle a_ {i} (x) = a_ {i, 0} \ oplus a_ {i, 1} x \ oplus a_ {i, 2} x ^ {2} \ oplus a_ {i, 3} x ^ { 3}}$ . Then, determining the coefficients ${c_{n}}$ ${\ displaystyle {c_ {n}}}$ like a polynomial ${c(x)=\oplus _{j}c_{j}x^{j}}$ ${\ displaystyle {c (x) = \ oplus _ {j} c_ {j} x ^ {j}}}$ transformation $\theta$ ${\ displaystyle \ theta}$ can be represented as a product of polynomials: $b_{i}(x)=c(x)a_{i}(x)\mod 1\oplus x^{4}$ ${\ displaystyle b_ {i} (x) = c (x) a_ {i} (x) \ mod 1 \ oplus x ^ {4}}$ , here $b_{i}(x)$ ${\ displaystyle b_ {i} (x)}$ - the new value of the row of the square, presented in the form of a polynomial, and $c(x)=2\oplus 1\cdot x\oplus 1\cdot x^{2}\oplus 3\cdot x^{3}$ ${\ displaystyle c (x) = 2 \ oplus 1 \ cdot x \ oplus 1 \ cdot x ^ {2} \ oplus 3 \ cdot x ^ {3}}$ . Inverse transformation $\theta ^{-1}$ ${\ displaystyle \ theta ^ {- 1}}$ matches polynomial $d(x)$ ${\ displaystyle d (x)}$ defined by the formula $c(x)d(x)=1{\pmod {1}}\oplus x^{4}$ ${\ displaystyle c (x) d (x) = 1 {\ pmod {1}} \ oplus x ^ {4}}$ . ^[2]

Nonlinear transformation $\gamma$ ${\ displaystyle \ gamma}$

This conversion is a table replacement $\gamma$ ${\ displaystyle \ gamma}$ . Table for replacement:

B1	CE	C3	95	5A	AD	E7	02	4D	44	Fb	91	0C	87	A1	fifty
CB	67	54	DD	46	8F	E1	4E	F0	Fd	FC	EB	F9	C4	1A	6E
5E	F5	CC	8D	1C	56	43	FE	07	61	F8	75	59	Ff	03	22
8A	D1	13	Ee	88	00	0E	34	fifteen	80	94	E3	ED	B5	53	23
4B	47	17	A7	90	35	Ab	D8	B8	Df	4F	57	9A	92	DB	1B
3C	C8	99	04	8E	E0	D7	7D	85	BB	40	2C	3A	45	F1	42
65	twenty	41	eighteen	72	25	93	70	36	05	F2	0B	A3	79	EC	08
27	31	32	B6	7C	B0	0A	73	5B	7B	B7	81	D2	0D	6A	26
9E	58	9C	83	74	B3	AC	thirty	7A	69	77	0F	Ae	21	DE	D0
2E	97	10	A4	98	A8	D4	68	2D	62	29th	6D	16	49	76	C7
E8	C1	96	37	E5	CA	F4	E9	63	12	C2	A6	fourteen	BC	D3	28
AF	2F	E6	24	52	C6	A0	09	Bd	8C	CF	5D	eleven	5F	01	C5
9F	3D	A2	9B	C9	3B	BE	51	19	1F	3F	5C	B2	Ef	4A	CD
Bf	BA	6F	64	D9	F3	3E	B4	AA	DC	D5	06	C0	7E	F6	66
6C	84	71	38	B9	1D	7F	9D	48	8B	2A	DA	A5	33	82	39
D6	78	86	FA	E4	2B	A9	1E	89	60	6B	EA	55	4C	F7	E2

Conversion

\pi

{\ displaystyle \ pi}

that is, 0 will be replaced by B1, 1 by CE, and so on. ^[one]

Byte swap $\pi$ ${\ displaystyle \ pi}$

Byte permutation transposes the byte square, i.e. ${a_{i,j}=a_{j,i}}$ ${\ displaystyle {a_ {i, j} = a_ {j, i}}}$ .

Round Key Addition $\sigma [K_{i}]$ ${\ displaystyle \ sigma [K_ {i}]}$

This operation is a bitwise addition of 128 bits of data with a round key, ${b=a\oplus K_{i}}$ ${\ displaystyle {b = a \ oplus K_ {i}}}$ where:

${a}$ ${\ displaystyle {a}}$ and ${b}$ ${\ displaystyle {b}}$ - value of 128 data bits before and after conversion;
${K_{i}}$ ${\ displaystyle {K_ {i}}}$ - round key ${i}$ ${\ displaystyle {i}}$ . ^[2]

The procedure for obtaining keys

For encryption, you need to get 8 128-bit round keys, as well as a key for the preliminary round from the encryption key of the algorithm.

Procedure

\psi

{\ displaystyle \ psi}

receiving keys.

The procedure for obtaining the key is described by the conversion $\psi :K_{i+1}=\psi (K_{i})$ ${\ displaystyle \ psi: K_ {i + 1} = \ psi (K_ {i})}$ running on a key represented, like a data block, a 4x4 byte square. Conversion $\psi$ ${\ displaystyle \ psi}$ described by the following operations:

${k_{0,i+1}=k_{0,i}\oplus rotl(k_{3,i})\oplus C_{i}}$ ${\ displaystyle {k_ {0, i + 1} = k_ {0, i} \ oplus rotl (k_ {3, i}) \ oplus C_ {i}}}$ ;
${k_{1,i+1}=k_{1,i}\oplus k_{0,i+1}}$ ${\ displaystyle {k_ {1, i + 1} = k_ {1, i} \ oplus k_ {0, i + 1}}}$ ;
${k_{2,i+1}=k_{2,i}\oplus k_{1,i+1}}$ ${\ displaystyle {k_ {2, i + 1} = k_ {2, i} \ oplus k_ {1, i + 1}}}$ ;
${k_{3,i+1}=k_{3,i}\oplus k_{2,i+1}}$ ${\ displaystyle {k_ {3, i + 1} = k_ {3, i} \ oplus k_ {2, i + 1}}}$ ;

Where:

${k_{n,i}}$ ${\ displaystyle {k_ {n, i}}}$ - $n$ ${\ displaystyle n}$ key string byte square $i$ ${\ displaystyle i}$ round;
$C_{i}$ ${\ displaystyle C_ {i}}$ Is a constant for $i$ ${\ displaystyle i}$ round calculated by the formula ${C_{i+1}=2\cdot C_{i}}$ ${\ displaystyle {C_ {i + 1} = 2 \ cdot C_ {i}}}$ , $C_{0}=1$ ${\ displaystyle C_ {0} = 1}$ ;
${rotl()}$ {\ displaystyle {rotl ()}} - operation of cyclic shift of a byte string by one byte to the left: $rotl[a_{i,0},a_{i,1},a_{i,2},a_{i,3}]=[a_{i,1},a_{i,2},a_{i,3},a_{i,0}]$ ${\ displaystyle rotl [a_ {i, 0}, a_ {i, 1}, a_ {i, 2}, a_ {i, 3}] = [a_ {i, 1}, a_ {i, 2}, a_ {i, 3}, a_ {i, 0}]}$ ;

The source key of the encryption algorithm is used as the key for the preliminary round. ^[2]

Encryption

Denote one round of encryption as $\rho [k^{t}]=\sigma [k^{t}]\circ \pi \circ \gamma \circ \theta$ ${\ displaystyle \ rho [k ^ {t}] = \ sigma [k ^ {t}] \ circ \ pi \ circ \ gamma \ circ \ theta}$ . Also, eight rounds of conversion are preceded by key addition $\sigma [K_{0}]$ ${\ displaystyle \ sigma [K_ {0}]}$ and $\theta ^{-1}$ ${\ displaystyle \ theta ^ {- 1}}$ : $\mathrm {Square} [k]=\rho [k^{8}]\circ \rho [k^{7}]\circ \rho [k^{6}]\circ \rho [k^{5}]\circ \rho [k^{4}]\circ \rho [k^{3}]\circ \rho [k^{2}]\circ \rho [k^{1}]\circ \sigma [k^{0}]\circ \theta ^{-1}$ ${\ displaystyle \ mathrm {Square} [k] = \ rho [k ^ {8}] \ circ \ rho [k ^ {7}] \ circ \ rho [k ^ {6}] \ circ \ rho [k ^ {5}] \ circ \ rho [k ^ {4}] \ circ \ rho [k ^ {3}] \ circ \ rho [k ^ {2}] \ circ \ rho [k ^ {1}] \ circ \ sigma [k ^ {0}] \ circ \ theta ^ {- 1}}$ . ^[2]

Decryption

The decryption algorithm is similar to the encryption algorithm, but instead of transformations $\gamma$ ${\ displaystyle \ gamma}$ and $\theta$ ${\ displaystyle \ theta}$ reverse conversions are used $\gamma ^{-1}$ ${\ displaystyle \ gamma ^ {- 1}}$ and $\theta ^{-1}$ ${\ displaystyle \ theta ^ {- 1}}$ , wherein $\gamma ^{-1}$ ${\ displaystyle \ gamma ^ {- 1}}$ Is a reverse table replacement, and $\theta ^{-1}$ ${\ displaystyle \ theta ^ {- 1}}$ Is a multiplication of a line by a polynomial $d(x)$ ${\ displaystyle d (x)}$ such that $d(x)c(x)=1{\pmod {1\oplus x^{4}}}$ ${\ displaystyle d (x) c (x) = 1 {\ pmod {1 \ oplus x ^ {4}}}}$ , also in the preliminary round the transformation is used $\theta$ ${\ displaystyle \ theta}$ instead $\theta ^{-1}$ ${\ displaystyle \ theta ^ {- 1}}$ . The encryption formula shows that

\mathrm {Square^{-1}} [k]=\theta \circ \sigma ^{-1}[k^{0}]\circ \rho ^{-1}[k^{1}]\circ \rho ^{-1}[k^{2}]\circ \rho ^{-1}[k^{3}]\circ \rho ^{-1}[k^{4}]\circ \rho ^{-1}[k^{5}]\circ \rho ^{-1}[k^{6}]\circ \rho ^{-1}[k^{7}]\circ \rho ^{-1}[k^{8}]

{\ displaystyle \ mathrm {Square ^ {- 1}} [k] = \ theta \ circ \ sigma ^ {- 1} [k ^ {0}] \ circ \ rho ^ {- 1} [k ^ {1} ] \ circ \ rho ^ {- 1} [k ^ {2}] \ circ \ rho ^ {- 1} [k ^ {3}] \ circ \ rho ^ {- 1} [k ^ {4}] \ circ \ rho ^ {- 1} [k ^ {5}] \ circ \ rho ^ {- 1} [k ^ {6}] \ circ \ rho ^ {- 1} [k ^ {7}] \ circ \ rho ^ {- 1} [k ^ {8}]}

,

Where $\rho ^{-1}[k^{t}]=\theta ^{-1}\circ \gamma ^{-1}\circ \pi ^{-1}\circ \sigma ^{-1}[k^{t}]=\theta ^{-1}\circ \gamma ^{-1}\circ \pi \circ \sigma [k^{t}]$ ${\ displaystyle \ rho ^ {- 1} [k ^ {t}] = \ theta ^ {- 1} \ circ \ gamma ^ {- 1} \ circ \ pi ^ {- 1} \ circ \ sigma ^ {- 1} [k ^ {t}] = \ theta ^ {- 1} \ circ \ gamma ^ {- 1} \ circ \ pi \ circ \ sigma [k ^ {t}]}$ . As $\gamma ^{-1}\circ \pi =\pi \circ \gamma ^{-1}$ ${\ displaystyle \ gamma ^ {- 1} \ circ \ pi = \ pi \ circ \ gamma ^ {- 1}}$ , and, moreover, since $\theta ^{-1}(a)\oplus k^{t}=\theta ^{-1}(a+\theta (k^{t}))$ ${\ displaystyle \ theta ^ {- 1} (a) \ oplus k ^ {t} = \ theta ^ {- 1} (a + \ theta (k ^ {t}))}$ we get $\sigma [k^{t}]\circ \theta ^{-1}=\theta ^{-1}\circ \sigma [\theta (k^{t})]$ ${\ displaystyle \ sigma [k ^ {t}] \ circ \ theta ^ {- 1} = \ theta ^ {- 1} \ circ \ sigma [\ theta (k ^ {t})]}$ . Now one round for decryption can be defined as $\rho '[k^{t}]=\sigma [k^{t}]\circ \pi \circ \gamma ^{-1}\circ \theta ^{-1}$ ${\ displaystyle \ rho '[k ^ {t}] = \ sigma [k ^ {t}] \ circ \ pi \ circ \ gamma ^ {- 1} \ circ \ theta ^ {- 1}}$ , and the full formula for decryption is written as:

\mathrm {Square} ^{-1}=\rho '[k^{8}]\circ \rho '[k^{7}]\circ \rho '[k^{6}]\circ \rho '[k^{5}]\circ \rho '[k^{4}]\circ \rho '[k^{3}]\circ \rho '[k^{2}]\circ \rho '[k^{1}]\circ \sigma [k^{0}]\circ \theta

{\ displaystyle \ mathrm {Square} ^ {- 1} = \ rho '[k ^ {8}] \ circ \ rho' [k ^ {7}] \ circ \ rho '[k ^ {6}] \ circ \ rho '[k ^ {5}] \ circ \ rho' [k ^ {4}] \ circ \ rho '[k ^ {3}] \ circ \ rho' [k ^ {2}] \ circ \ rho '[k ^ {1}] \ circ \ sigma [k ^ {0}] \ circ \ theta}

. ^[2]

Security

The study of cryptographic stability by the creators of the algorithm

The algorithm is highly resistant to linear and differential cryptanalysis thanks to transformations $\theta$ ${\ displaystyle \ theta}$ and $\gamma$ ${\ displaystyle \ gamma}$ which reduce the maximum probability of the appearance of differential traces and the maximum correlation of linear traces in 4 rounds of transformations. The first SQUARE cryptanalysis was carried out by its authors using integrated cryptanalysis , which later became known as Square attack. ^[2]

Square Attack Description

First of all, we’ll introduce some definitions,

Definition 1: Let $\Lambda$ ${\ displaystyle \ Lambda}$ -set - a set of 256 16-byte states, each of which differs from the others in some bytes, which we will call active, and coincide in some bytes, which we will call passive. Further, $\lambda$ ${\ displaystyle \ lambda}$ Is a set of indexes of active bytes. ^[3] We have:

\forall x,y\in \Lambda :{\begin{cases}x_{i,j}\neq y_{i,j},for(i,j)\in \lambda \\x_{i,j}=y_{i,j},for(i,j)\notin \lambda \end{cases}}

{\ displaystyle \ forall x, y \ in \ Lambda: {\ begin {cases} x_ {i, j} \ neq y_ {i, j}, for (i, j) \ in \ lambda \\ x_ {i, j} = y_ {i, j}, for (i, j) \ notin \ lambda \ end {cases}}}

.

Definition 2: If applying an exclusive “or” operation to all bytes at the same position in $\Lambda$ ${\ displaystyle \ Lambda}$ -set gives 0, then this position is called balanced $\Lambda$ ${\ displaystyle \ Lambda}$ - a lot. ^[3]

Applying transformations $\gamma$ ${\ displaystyle \ gamma}$ and $\sigma [k^{t}]$ ${\ displaystyle \ sigma [k ^ {t}]}$ to $\Lambda$ ${\ displaystyle \ Lambda}$ - gives a lot $\Lambda$ ${\ displaystyle \ Lambda}$ -set with the same $\lambda$ ${\ displaystyle \ lambda}$ . Conversion application $\pi$ ${\ displaystyle \ pi}$ gives $\Lambda$ ${\ displaystyle \ Lambda}$ -set in which active bytes are transposed (relative to active bytes in the original $\Lambda$ ${\ displaystyle \ Lambda}$ -Many). Also, application $\theta$ ${\ displaystyle \ theta}$ to $\Lambda$ ${\ displaystyle \ Lambda}$ - many will not necessarily return $\Lambda$ ${\ displaystyle \ Lambda}$ -set, however, since each output byte $\theta$ ${\ displaystyle \ theta}$ is a linear combination of four input bytes in the same line, then, submitting a line with only one active byte, the output will receive a line consisting of only active bytes. ^[2] Consider $\Lambda$ ${\ displaystyle \ Lambda}$ - a set in which only one byte is active and follow how the position of the active byte changes over three rounds (here the preliminary round is combined with the first: $\rho [k^{1}]\circ \sigma [k^{0}]\circ \theta ^{-1}$ ${\ displaystyle \ rho [k ^ {1}] \ circ \ sigma [k ^ {0}] \ circ \ theta ^ {- 1}}$ which ultimately is written as $\sigma [k^{1}]\circ \pi \circ \gamma \circ \theta \circ \sigma [k^{0}]\circ \theta ^{-1}=\sigma [k^{1}]\circ \pi \circ \gamma \circ \sigma [\theta (k^{0})]$ ${\ displaystyle \ sigma [k ^ {1}] \ circ \ pi \ circ \ gamma \ circ \ theta \ circ \ sigma [k ^ {0}] \ circ \ theta ^ {- 1} = \ sigma [k ^ {1}] \ circ \ pi \ circ \ gamma \ circ \ sigma [\ theta (k ^ {0})]}$ ) Since the first round does not contain $\theta$ ${\ displaystyle \ theta}$ , then by the beginning of the second round remains one active byte. In the second round $\theta$ ${\ displaystyle \ theta}$ converts to a string of active bytes that $\pi$ ${\ displaystyle \ pi}$ converts to a column of active bytes. $\theta$ ${\ displaystyle \ theta}$ in the third round translates the result into $\Lambda$ ${\ displaystyle \ Lambda}$ -set consisting of only active bytes. The byte values at the output of the third round run through all possible values, therefore, are balanced by the set $\Lambda$ ${\ displaystyle \ Lambda}$ , we have

{\underset {b=\theta (a),a\in \Lambda }{\bigoplus }}b_{i,j}={\underset {a\in \Lambda }{\bigoplus }}{\underset {k}{\bigoplus }}c_{j-k}a_{i,k}={\underset {l}{\bigoplus }}c_{l}{\underset {a\in \Lambda }{\bigoplus }}a_{i,l+j}={\underset {l}{\bigoplus }}c_{l}0=0,

{\ displaystyle {\ underset {b = \ theta (a), a \ in \ Lambda} {\ bigoplus}} b_ {i, j} = {\ underset {a \ in \ Lambda} {\ bigoplus}} {\ underset {k} {\ bigoplus}} c_ {jk} a_ {i, k} = {\ underset {l} {\ bigoplus}} c_ {l} {\ underset {a \ in \ Lambda} {\ bigoplus}} a_ {i, l + j} = {\ underset {l} {\ bigoplus}} c_ {l} 0 = 0,}

means bytes on an output $\theta$ ${\ displaystyle \ theta}$ in the fourth round balanced by $\Lambda$ ${\ displaystyle \ Lambda}$ - a lot. This equilibrium is violated by subsequent application. $\gamma$ ${\ displaystyle \ gamma}$ . The output bytes of the fourth round can be expressed using a function of the intermediate state $b$ ${\ displaystyle b}$ : $a_{i,j}=S_{\gamma }[b_{j,i}]\oplus k_{i,j}^{4}$ ${\ displaystyle a_ {i, j} = S _ {\ gamma} [b_ {j, i}] \ oplus k_ {i, j} ^ {4}}$ . Assuming value $k_{i,j}^{4}$ ${\ displaystyle k_ {i, j} ^ {4}}$ , value $b_{j,i}$ ${\ displaystyle b_ {j, i}}$ for all elements $\Lambda$ ${\ displaystyle \ Lambda}$ -set can be computed from ciphertexts. If the value of this byte is unbalanced by $\Lambda$ ${\ displaystyle \ Lambda}$ , then the expected key value $k_{i,j}^{4}$ ${\ displaystyle k_ {i, j} ^ {4}}$ is false. This cryptanalysis method allowed to crack a 6-round version of the cipher using $2^{32}$ ${\ displaystyle 2 ^ {32}}$ plaintext blocks and their corresponding ciphertext blocks and execution $2^{72}$ ${\ displaystyle 2 ^ {72}}$ encryption operations. ^[2]

In 2010, a boomerang-based attack on bound keys was introduced. Previously, a similar attack was applied to the KASUMI , COCONUT98 , IDEA, and AES-192/256 ciphers. This was the first attack on a full-round square. ^[4] In 2011, a full-round version of SQUARE was cryptanalyzed using a full bipartite graph . This type of attack allowed to crack the cipher using one key, $2^{48}$ ${\ displaystyle 2 ^ {48}}$ plaintext and holding $2^{126}$ ${\ displaystyle 2 ^ {126}}$ encryption operations. ^[5]

Cipher Features

The SQUARE cipher was created in accordance with the strategy of a wide trace - each round of the cipher consists of several transformations, non-linear permutation and composition of linear transformations - which gave the cipher high cryptographic strength against linear and differential cryptanalysis, the components of the algorithm and their interaction were also selected based on the possibility of quick implementation on a wide range of processors. ^[6] The implementation of the algorithm in the C language had an encryption speed of 2.63 MB / s, running on a Pentium processor with a frequency of 100 MHz, and the implementation in the assembler language increased the encryption speed by half. This algorithm was developed and became the basis of the new American standard - the Rijndael cipher, which was developed by a team of SQUARE authors. By the way, at the AES contest, experts noted that "the Rijndael algorithm is based on an unconventional paradigm, so it may contain hidden vulnerabilities" ^[1] . For this reason, SQUARE itself is rarely used now, inferior in popularity to its descendant - Rijndael. Also a descendant of the cipher is the South Korean algorithm CRYPTON , a participant in the AES contest.

Notes

↑ ¹ ² ³ Panasenko, 2009 .
↑ ¹ ² ³ ⁴ ⁵ ⁶ ⁷ ⁸ The Block Cipher SQUARE, 1997 .
↑ ¹ ² Impossible di ﬀ erential and square attacks: Cryptanalytic link and application to Skipjack, 2001 .
↑ Koo, Yeom, Song, 2010 .
↑ Biclique Cryptanalisis of the Block Cipher SQUARE, 2011 .
↑ The Block Cipher Square Algorithm

Literature

J. Daemen, L. Knudsen, V. Rijmen. The Block Cipher SQUARE . - 1997.
B. Koo, Y. Yeom, J. Song. Related-Key Boomerang Attack on Block Cipher SQUARE . - 2010.
H. Mala. Biclique Cryptanalisis of the Block Cipher SQUARE . - 2011.
G. Piret, J.-J. Quisquater. Impossible di ﬀ erential and square attacks: Cryptanalytic link and application to Skipjack . - 2001.
Panasenko S.P. Encryption Algorithms. Special Reference - SPb. : BHV-SPb , 2009 .-- 576 p. - ISBN 978-5-9775-0319-8
<a href=" https://wikidata.org/wiki/Track:Q27942697 "> </a> <a href=" https://wikidata.org/wiki/Track:Q27942695 "> </a> <a href = " https://wikidata.org/wiki/Track:Q27942699 "> </a>

Links

The Block Cipher Square Algorithm , Joan Daemen, Lars R. Knudsen and and Vincent Rijmen, Dr. Dobb's Journal , October 01, 1997.

[_444f6d82a2f109ea-1] ¹ ² ³ Panasenko, 2009 .

[_fd23487764cd939d-2] ¹ ² ³ ⁴ ⁵ ⁶ ⁷ ⁸ The Block Cipher SQUARE, 1997 .

[_cc4e7dc3e763587f-3] ¹ ² Impossible di ﬀ erential and square attacks: Cryptanalytic link and application to Skipjack, 2001 .

[_f8412a3f67c4f40a-4] Koo, Yeom, Song, 2010 .

[_b5dafae4b53df392-5] Biclique Cryptanalisis of the Block Cipher SQUARE, 2011 .

[6] The Block Cipher Square Algorithm

Square
Creator	Vincent Rayman , Yoan Dimen Lars Knudsen
Created by	1997
Published	1997
Key size	128 bit
Block size	128 bit
Number of rounds	8
Type of	Wildcard network