Hasty Pudding Cipher | |
Designers: | Richard Schroeppel |
Publish Date: | June 1998 |
Key Size: | Variable |
Block Size: | Variable |
The Hasty Pudding cipher (HPC) is a variable-block-size block cipher designed by Richard Schroeppel, which was an unsuccessful candidate in the competition for selecting the U.S. Advanced Encryption Standard (AES). It has a number of unusual properties for a block cipher: its input block size and key length are variable, and it includes an additional input parameter called the "spice" for use as a secondary, non-secret key. The Hasty Pudding cipher was the only AES candidate designed exclusively by U.S. cryptographers.[1] [2]
The Hasty Pudding cipher is in the public domain, and open source implementations are available.[3]
The Hasty Pudding cipher consists of 5 different sub-ciphers:
HPC-Tiny | 0 - 35 bits | |
---|---|---|
HPC-Short | 36 - 64 bits | |
HPC-Medium | 65-128 bits | |
HPC-Long | 129 - 512 bits | |
HPC-Extended | 513+ bits |
The Hasty Pudding cipher algorithms all use 64-bit words internally. The cipher is designed to run on 64-bit machines, which can easily perform simple operations on 64-bit words.
The Hasty Pudding cipher can take a key of any number of bits for any one of the five subciphers. The cipher itself uses a key table of 16,384 bits (256 64-bit words). To derive the key table from the key, the key expansion function uses the following algorithm:
Each of the subciphers uses a different algorithm, but there are certain similarities. Three inputs are used to determine the ciphertext: the plaintext (in several 64-bit words plus one "fragment"), the spice (eight 64-bit words, with default value 0), and the key table. The operations within the cipher consist of stirring, which combines internal variables in various ways with values from the key table and spice at regular intervals. HPC-Short uses two fixed permutations in addition, and HPC-Tiny consists of many special sub-cases.
Decryption involves undoing the steps of encryption one by one. Many operations are easily undone (e.g. s = s + s is undone by computing s = s - s). Other operations are more complex to undo. Some of the ideas involved include:
The Hasty Pudding cipher can also be used to encrypt values in a range that do not translate to strings with an integral number of bits; for instance, it can encrypt a number from 0 to N by producing another number from 0 to N. It does this by using the smallest subcipher that can handle the input as a bit string, and applying it to the input as a bit string, repeatedly, until the output is in the proper range.
Schroeppel claimed that the Hasty Pudding cipher was the fastest AES candidate on a 64-bit architecture;[4] Schroeppel claimed that it was twice as fast as its nearest competitor, DFC, and three times as fast as the other candidates, and that its performance on a 32-bit machine was adequate. Comments from others did not support this view; for instance, Schneier et al.'s analysis ranked the Hasty Pudding cipher 4th best (376 cycles) on a 64-bit machine, although for Rijndael and Twofish, the performance was only estimated.[5] On a 32-bit Pentium, Hasty Pudding encryption was rated by Schneier et al. at 1600 clock cycles, 10th best out of the 15 candidates. Schneier et al., and Schroeppel, noted that the speed of the cipher would be significantly impacted on a 32-bit machine because of its heavy use of 64-bit operations, particularly bit shifts.[6]
The Hasty Pudding cipher's key setup was rated as relatively slow; 120000 cycles on a Pentium.
The cipher was criticized for its performance on smartcards. Specifically, some comments pointed out the difficulty of keeping over 2KB of RAM for the key table.[7]
There have been relatively few results on attacking the Hasty Pudding cipher. Early in the AES process, David Wagner noted that relatively large classes of Hasty Pudding keys were equivalent in that they led to the same key table.[8] This was expanded upon by D'Halluin et al., who noted that for 128-bit keys, approximately 2120 keys are weak keys that each have 230 equivalent keys each.[9] In response to this attack, Schroeppel modified the key expansion algorithm to include one additional step.
Despite the relative lack of cryptanalysis, the Hasty Pudding cipher was criticized for its hard-to-understand design and its lack of grounding in research results.[10] Schroeppel has offered a bottle of Dom Pérignon champagne to the best paper presenting progress on the Hasty Pudding cipher. It did not make the second round of consideration for AES.[11]
The Hasty Pudding cipher is considered the first tweakable block cipher.[12]