| General | |
|---|---|
| Designers | Vincent Rijmen,Paulo S. L. M. Barreto |
| First published | 2000 |
| Derived from | Rijndael |
| Cipher detail | |
| Key sizes | 128 to 320 bits in steps of 32 bits |
| Block sizes | 128 bits |
| Structure | substitution–permutation network |
| Rounds | at least 12 (for 128-bit keys), plus one per additional 32 key bits |
Anubis is ablock cipher designed byVincent Rijmen andPaulo S. L. M. Barreto as an entrant in theNESSIE project, a former research program initiated by theEuropean Commission in 2000 for the identification of newcryptographic algorithms.[1] Although the cipher has not been included in the final NESSIE portfolio, its design is considered very strong, and no attacks have been found by 2004 after the project had been concluded.[2] The cipher is not patented and has been released by the designers for free public use.[3]
Anubis operates on data blocks of 128 bits, accepting keys of length 32N bits (N = 4, ..., 10). It is designed as asubstitution–permutation network, which bears large similarity toRijndael.[2] LikeKHAZAD, designed by the same authors and also submitted to NESSIE, it usesinvolutions for the various operations.[2] An involution is an operation whose inverse is the same as the forward operation. In other words, when an involution is run twice, it is the same as performing no operation. This allows low-cost hardware and compact software implementations to use the same operations for both encryption and decryption. Both theS-box and the mix columns operations are involutions.[1] Although many involutional components can make a cipher more susceptible todistinguishing attacks exploiting the cycle structure of permutations within the cipher, no attack strategy for the Anubis cipher has been presented.[4]
There are two versions of the Anubis cipher; the original implementation uses a pseudo-random S-box. Subsequently, the S-box was modified to be more efficient to implement in hardware; the newer version of Anubis is called the "tweaked" version.[2]
The authors claim the algorithm to be secure against a number of attacks, including four-rounddifferential andlinear analysis, as well asrelated-key,interpolation,boomerang,truncated differential,impossible differential, and saturation attacks.[1] Nonetheless, because of the cipher's similarity with Rijndael it was not considered to offer any convincing advantages and thus was not included in the second evaluation phase of the NESSIE project.
Anubis is named after theEgyptian god of entombing and embalming, which the designers interpreted to includeencryption. They claim that violators of the cipher will becursed.[1]
