ńņš. 14 |

quences with low absolute values of the maximal

out-of-phase auto-correlation, i.e., |Cu,u (Ļ„ )| should cryption Standard (Rijdnael/AES). In 1999 it was

be small for all values of Ļ„ = 0 (mod e). selected as one of the ļ¬ve ļ¬nalists of the AES com-

Let F be a family consisting of M sequences petition.

Serpent is a 32-round substitutionā“permutation

F = {si (t) : i = 1, 2, Ā· Ā· Ā· , M},

(SP) network operating on 128-bit blocks. Each

where each sequence {si (t)} has period e. round consists of a key mixing operation, a layer

of 32 copies of a 4 Ć— 4-bit S-box, and (except in the

The cross-correlation between two sequences

{si (t)} and {s j(t)} at shift Ļ„ is denoted by Ci, j(Ļ„ ). last round) a linear transformation. The replicated

564 SET

S-box differs from round to round and is selected [6] Biham, E., O. Dunkelman, and N. Keller (2003).

āDifferential-linear cryptanalysis of Serpent.ā Fast

from a set of eight different S-boxes. The last (in-

Software Encryption, FSE 2003, Lecture Notes in

complete) round is followed by a ļ¬nal key mixing

Computer Science, vol. 2887, ed. T. Johansson.

operation. An additional bit permutation before

Springer-Verlag, Berlin, 9ā“21.

the ļ¬rst round and after the last key mixing layer

[7] Kelsey, J., T. Kohno, and B. Schneier (2001). āAm-

is applied to all data entering and leaving the SP

pliļ¬ed boomerang attacks against reduced-round

network. The 128-bit subkeys mixed with the data MARS and Serpent.ā Fast Software Encryption,

in each round are generated by linearly expanding FSE 2000, Lecture Notes in Computer Science,

a 128-bit, 192-bit, or 256-bit secret key, and pass- vol. 1978, ed. B. Schneier. Springer-Verlag, Berlin,

ing the result through a layer of S-boxes. 75ā“93.

The initial and ļ¬nal permutations, the S-boxes,

and the linear transformation have all been de-

signed in order to allow an optimized implementa-

tion in software using the ābitsliceā technique [3].

SET

The idea is to construct a complete description of

the cipher using only logical bit-operations (as in

hardware) and then execute 32 (or 64) operations SET (Secure Electronic Transactions) is a stan-

in parallel on a 32-bit (or 64-bit) processor. dard for a payment protocol for credit card pay-

Serpent is considered to have a rather high se- ments over the Internet and was developed in

curity margin. The best attacks published so far 1996ā“97 as a joint initiative of MasterCard, VISA,

break about 1/3 of the rounds. Kelsey, Kohno, and IBM, Microsoft, Netscape and others as a more

Schneier [7] presented a ļ¬rst attack breaking 9 secure alternative to Secure Socket Layer SSL,

rounds with a time complexity slightly faster than which never really caught on.

exhaustive key search. This ampliļ¬ed boomerang SET assumes the existence of appropriate in-

attack was improved and extended by one round frastructure within the card organisation, and en-

by Biham et al. [5]. The best attacks so far are tails the communication between the registered

the linear and the differential-linear attacks pre- Payer (cardholder), Payee (merchant) and the Pay-

sented in [4] and [6]. Both break 11 rounds out ment Gateway Provider, i.e. the Acquirer or a Pay-

of 32. ment Service Provider. The main purpose of the

protocol is to secure this communication in such a

Christophe De Canni` re

e way that neither the Payee, nor the Payment Gate-

way Provider can access all purchase transaction

References details. Thus the Payee has access to the order

information only and not the credit card details,

[1] Anderson, R.J., E. Biham, and L.R. Knudsen (1998). while the Payment Gateway Provider has access

āSerpent: A new block cipher proposal.ā Fast Soft- to the payment information only.

ware Encryption, FSEā™98, Lecture Notes in Com- SET is a PKI-solution (see public key infra-

puter Science, vol. 1372, ed. S. Vaudenay. Springer- structure). The Certiļ¬cate Authority (CA) hierar-

Verlag, Berlin, 222ā“238.

chy consists of a Root CA that signs the certiļ¬cates

[2] Anderson, R.J., E. Biham, and L.R. Knudsen (1998).

of each of the credit card brand CAā™s. These CAā™s

āSerpent: A proposal for the advanced encryption

sign certiļ¬cates for the Cardholder CA (the Card

standard.ā Proceedings of the First AES Candidate

Issuer), Merchant CA (the Customer Acquirer)

Conference. National Institute of Standards and

and the Payment CA. These CAā™s then in turn sign

Technology, August.

the certiļ¬cates for the cardholder, merchant, and

[3] Biham, E. (1997). āA fast new DES implementation

payment gateway provider, respectively, using the

in software.ā Fast Software Encryption, FSEā™97, Lec-

ture Notes in Computer Science, vol. 1267, ed. E. X.509 v3 format. Neither cardholderā™s name, nor

Biham. Springer-Verlag, Berlin, 260ā“272. card number are shown in the certiļ¬cates. Rather

[4] Biham, E., O. Dunkelman, and N. Keller (2002). a number is used that has been computed from

āLinear cryptanalysis of reduced round Serpent.ā the credit card number and other input by the

Fast Software Encryption, FSE 2001, Lecture Notes

Issuer.

in Computer Science, vol. 2355, ed. M. Matsui.

In short, the protocol works as follows: the card-

Springer-Verlag, Berlin, 16ā“27.

holder indicates that he wants to initiate pay-

[5] Biham, E., O. Dunkelman, and N. Keller (2002).

ment for his order. The merchant then identiļ¬es

āNew results on boomerang and rectangle attacks.ā

himself with his certiļ¬cate and provides the card-

Fast Software Encryption, FSE 2002, Lecture Notes

holder with the public key of the payment gateway

in Computer Science, vol. 2365, eds. J. Daemen and

provider. The cardholder encrypts the payment

V. Rijmen. Springer-Verlag, Berlin, 1ā“16.

SHA family (secure hash algorithm) 565

SHA-1 Compression Function

information using this key, thus ensuring the mer-

chant cannot access this information and signs

the payment instruction. The merchant forwards Five 32-bit chaining variables A, B, C, D, E are

the payment information to the payment gateway either initialized to

provider in an authorization request, and the pay-

A ā IV1 = 67452301x

ment gateway provider veriļ¬es the content and

B ā IV2 = EFCDAB89x

authorizes accordingly.

C ā IV3 = 98BADCFEx

Peter Landrock

D ā IV4 = 10325476x

E ā IV5 = C3D2E1F0x

for the ļ¬rst 512-bit message block or to the current

SHA FAMILY (SECURE hash value for the following message blocks. The

ļ¬rst sixteen words of the message schedule are

HASH ALGORITHM) initialized to input message words. The following

64 message schedule words Wi are computed as

The SHA (Secure Hash Algorithm) Family des-

Wi ā (Wiā’3 ā• Wiā’8 ā• Wiā’14 ā• Wiā’16 )

ignates a family of six different hash functions: 1,

SHA-0, SHA-1, SHA-224, SHA-256, SHA-384, and 16 ā¤ i ā¤ 79

SHA-512 [7, 8]. They take variable length input

where āā•ā represents bit-wise exclusive-or, and

messages and hash them to ļ¬xed-length outputs.

āX nā is the cyclic rotation of X to the left by

The ļ¬rst four operate on 512-bit message blocks di-

n bits. Then the compression function works as

vided into 32-bit words and the last two on 1024-

follows:

bit blocks divided into 64-bit words. SHA-0 (the

ļ¬rst version of SHA since replaced by SHA-1) and

SHA-1 produce a message digest of 160 bits, SHA-

for i = 0 to 79 do

224 of 224 bits, SHA-256 of 256 bits, SHA-384 of

T ā Wi + A 5 + fi (B, C, D) + E + Ki

384 bits and SHA-512 of 512 bits respectively. All

mod 232

six functions start by padding the message accord-

Bā A

Ė

ing to the so-called Merkle-Damgard strength-

C ā B 30

ening technique. Next, the message is processed

DāC

block by block by the underlying compression func-

Eā D

tion. This function initializes an appropriate num-

Aā T

ber of chaining variables to a ļ¬xed value to hash

the ļ¬rst message block, and to the current hash

ńņš. 14 |