Intel Cascade Cipher

In cryptography, the Intel Cascaded Cipher is a high bandwidth block cipher, used as an optional component of the Output Content Protection DRM scheme of the Microsoft Windows Vista operating system. The cipher is based on Advanced Encryption Standard (AES) operating in counter mode, used for generating keys, and a 3-round version of Serpent for encrypting actual content.

The Cascaded Cipher has not been subject to an open peer review process. A license for using the Cascaded Cipher is required from Intel Corporation.

Description
The Cascaded Cipher specifications are not currently available on the Intel web site or in academic journals. A description of the structure of the cipher appears in a US patent application. In this case, the patent application only describes the inventive steps as claimed by its inventors, and is not a specification of the cipher as it is intended to be used to protect content in Windows Vista.

There are two embodiments of the cipher described in the US patent application.

CTR-ECB mode
In the counter-electronic codebook mode, the Cascaded Cipher uses full strength AES-128 in counter mode to generate a secure key stream and supplies this key-stream to a reduced round Serpent in electronic codebook mode to encrypt each plaintext block. To increase performance, each inner key stream block is reused several times to encrypt multiple blocks.

CTR-CTR mode
In the counter-counter mode, the Cascaded Cipher uses full-strength AES-128 in counter mode to generate a secure key stream and supplies this key-stream to a reduced round Serpent also operating in counter mode to encrypt each plaintext block. To increase performance, each inner key stream block is reused several times to encrypt multiple blocks.

Security
In the Microsoft document "Output Content Protection and Windows Vista", it is claimed that: "The security level achieved for typical video data is estimated to be approaching that of regular AES. This assertion is being tested by Intel putting its Cascaded Cipher out to the cryptography community to get their security assessment — that is, to see if they can break it."

The security of the system requires that it is impossible to recover the currently active inner key from the output of the reduced round Serpent encrypted video stream. Furthermore, the security of this method is highly sensitive to the number of rounds used in Serpent, the mode of operation described in the patent application, and the number of times the inner key is reused.