|Designers||Vincent Rijmen, Paulo S. L. M. Barreto|
|Key sizes||128 to 320 bits in steps of 32 bits|
|Block sizes||128 bits|
|Rounds||at least 12 (for 128-bit keys), plus one per additional 32 key bits|
Anubis is a block cipher designed by Vincent Rijmen and Paulo S. L. M. Barreto as an entrant in the NESSIE project, a former research program initiated by the European Commission in 2000 for the identification of new cryptographic algorithms. Although the cipher has not been included in the final NESSIE portfolio, its design is considered very strong, and no attacks have been found by 2004 after the project had been concluded. The cipher is not patented and has been released by the designers for free public use.
Anubis operates on data blocks of 128 bits, accepting keys of length 32N bits (N = 4, ..., 10). It is designed as a substitution–permutation network, which bears large similarity to Rijndael. Like KHAZAD, designed by the same authors and also submitted to NESSIE, it uses involutions for the various operations. An involution is an operation whose inverse is the same as the forward operation. In other words, when an involution is run twice, it is the same as performing no operation. This allows low-cost hardware and compact software implementations to use the same operations for both encryption and decryption. Both the S-box and the mix columns operations are involutions. Although many involutional components can make a cipher more susceptible to distinguishing attacks exploiting the cycle structure of permutations within the cipher, no attack strategy for the Anubis cipher has been presented.
There are two versions of the Anubis cipher; the original implementation uses a pseudo-random S-box. Subsequently, the S-box was modified to be more efficient to implement in hardware; the newer version of Anubis is called the "tweaked" version.
The authors claim the algorithm to be secure against a number of attacks, including four-round differential and linear analysis, as well as related-key, interpolation, boomerang, truncated differential, impossible differential, and saturation attacks. Nonetheless, because of the cipher's similarity with Rijndael it was not considered to offer any convincing advantages and thus was not included in the second evaluation phase of the NESSIE project.
- Barreto, Paulo S.L.M.; Rijmen, Vincent (September 2000). The ANUBIS Block Cipher (Submission to NESSIE).
- B. Preneel; A. Biryukov; C. De Cannière; S. B. Örs; E. Oswald; B. van Rompay; L. Granboulan; E. Dottax; G. Martinet; S. Murphy; A. Dent; R. Shipsey; C. Swart; J. White; M. Dichtl; S. Pyka; M. Schafheutle; P. Serf; E. Biham; E. Barkan; Y. Braziler; O. Dunkelman; V. Furman; D. Kenigsberg; J. Stolin; J.-J. Quisquater; M. Ciet; F. Sica; H. Raddum; L. Knudsen & M. Parker (April 19, 2004). New European Schemes for Signatures, Integrity, and Encryption (PDF) (Final report of European project number IST-1999-12324).
- Barreto & Rijmen 2000, accompanied Intellectual Property Statement
- Biryukov, Alex (February 2003). "Analysis of Involutional Ciphers: Khazad And Anubis". 10th International Workshop on Fast Software Encryption (FSE '03). Lund: Springer-Verlag. pp. 45–53. CiteSeerX 10.1.1.57.6336.
- The ANUBIS Block Cipher by Paulo S. L. M. Barreto
- 256bit Ciphers - ANUBIS Reference implementation and derived code