VEST is a robust cryptosystem. It has withstood over two years of targeted attacks and so far sixteen months of intensive public scrutiny as a part of the ECRYPT eSTREAM competition.
[Figure: The VEST-32 accumulator core; 587 different 6-to-1 Boolean functions]
VEST ciphers are strong and complex, with very high security margins.
As of September 2006, there are no known attacks against VEST ciphers or hash functions that are faster than serial brute-force of the key space or of the internal state. Parallel brute-force attacks are prevented by the use of keys at least twice the security rating of the cipher, or by using initialisation vectors (IVs) with a sufficient amount of entropy.
The internal states of all VEST cipher families are conservatively chosen to be at least 3 times the size of their expected security in bits: 80-bit secure VEST-4 ciphers have a 256-bit internal state, 128-bit secure VEST-8 ciphers have a 384-bit internal state, 160-bit secure VEST-16 ciphers have a 512-bit internal state, and 256-bit secure VEST-32 ciphers have a 768-bit internal state. This proportion is chosen to make TMD (time/memory/data) trade-off attacks require more resources than brute-force of the cipher key space.
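As an added illustration, not part of the VEST submission, the following Python works through why a state of at least 3 times the security rating puts the generic Babbage-Golic and Biryukov-Shamir trade-offs beyond brute force, using the four state sizes and security ratings quoted above; capping the attacker's memory and data at 2^k and leaving out one-time precomputation are modelling assumptions of this example, and the 2x-state case at the end is a constructed contrast.

```python
# Added example, not VEST's own code. Costs are log2 of operations / memory
# words / keystream outputs. Model (an assumption of this example): an n-bit
# state gives N = 2^n; memory M and data D are each capped at 2^k for a k-bit
# security rating, since storing or collecting more than 2^k units already
# costs as much as brute force. One-time precomputation (M for Babbage-Golic,
# N/D for Biryukov-Shamir) is not counted, as is conventional.

VEST_FAMILIES = {  # name: (internal state bits, security rating bits), from the page
    "VEST-4": (256, 80),
    "VEST-8": (384, 128),
    "VEST-16": (512, 160),
    "VEST-32": (768, 256),
}


def babbage_golic_time(n, k):
    """Min log2 online time on the curve T*M = N with T = D.
    Needs M = N/D <= 2^k, so it is only feasible when n <= 2k."""
    if n - k > k:
        return None
    return n - k  # D = T = 2^(n-k), M = 2^k


def biryukov_shamir_time(n, k):
    """Min log2 online time on the curve T*M^2*D^2 = N^2 with D^2 <= T.
    Uses all allowed memory (M = 2^k) and the largest D the constraint
    permits: d = min(k, (n-k)/2), giving T = 2^(2(n-k) - 2d)."""
    d = min(k, (n - k) // 2)
    return 2 * (n - k) - 2 * d


def tmd_margin(n, k):
    """log2 of (cheapest trade-off online time / brute-force time 2^k).
    Positive means every trade-off point is slower than brute force."""
    times = [t for t in (babbage_golic_time(n, k), biryukov_shamir_time(n, k)) if t is not None]
    return min(times) - k


def margins(families=VEST_FAMILIES):
    """Margin per family; with a state of >= 3k bits the margin is >= k."""
    return {name: tmd_margin(n, k) for name, (n, k) in families.items()}


if __name__ == "__main__":
    for name, m in margins().items():
        print(f"{name}: trade-offs at least 2^{m} times slower than brute force")
    # Constructed contrast: a 2x state lets a trade-off match brute force.
    print("2x state (n=160, k=80): margin", tmd_margin(160, 80))
```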
“… In the design of block ciphers, Lars Knudsen (and others) have for a long time promoted the following: see how many rounds we need to make it secure, then double it (or even multiply by 4). We believe that stream ciphers should also be designed with such a comfortable security margin.”
– Nicolas T. Courtois, “Cryptanalysis of Sfinks”
VEST follows the same general design approach as recommended above. Four rounds are required for the diffusion of every single-bit change in the core accumulator to become indistinguishable from random by any existing automated tools. This figure is used as the theoretical minimum number of sealing rounds. VEST designs multiply this minimum by eight, giving a total of 32 key-sealing / IV-sealing rounds. VEST maintains a total state-to-output ratio of more than 16:1, plus compensation for the information leaked by the output.
VEST ciphers are secure against weak-key, related-key and IV attacks. There are no fixed points and no collisions in any of the VEST ciphers’ components. Key material is loaded into the internal state sequentially through the bijective counter state, then expanded and thoroughly mixed in the core accumulator with all other key and IV bits. Since four rounds already make the diffusion of any single-bit change in the core accumulator indistinguishable from random, the 32-round key-sealing and IV-sealing steps make it very hard to determine what changes in the key or IV material could result in a predetermined change in the internal state after keying or IV loading.
VEST ciphers are secure against Linear and Differential Attacks. The low amount of redundancy in the inputs into the feedback functions and the rapid growth of their widths and algebraic degrees with each round inherent in the design of all VEST cipher cores naturally make them tolerant to large amounts of linearity in their feedback functions. There are no exploitable linear approximations in VEST feedback functions or their combinations.
VEST ciphers are secure against Algebraic Attacks. Algebraic attacks are most effective against ciphers with linear or quadratic components and against ciphers with easily reducible polynomials defining relationships between output bits and bits of internal state or key material. All key components in VEST ciphers are nonlinear and cannot be dismissed from the attacks. All the feedback functions in the core accumulator are dense degree-4 polynomials. In 4-5 rounds, every bit in the accumulator state of VEST ciphers will depend on all other accumulator bits, and also on the bits of the counters and the counter diffusor. Even assuming that the counter state is guessed by the attacker, the core accumulators of all VEST ciphers are conservatively chosen to be 19-27 times the width of the output. Over the 10 or more rounds required to define half of the accumulator state, these relationships grow sufficiently large and sufficiently dense to render algebraic attacks infeasible.
In summary, VEST is not a cut-back cipher like some of its “competitors” (VSC, low-round IDEA-nxt, Trivium, etc.), which achieve high-speed encryption in a small area by using shortcuts or over-simplifications.
VEST ciphers are complex constructions including elements protecting them against a vast number of attacks, but they are small enough to be included as a part of any microchip and fast enough to encrypt multi-gigabit-per-second traffic such as HDTV content.