Decorrelation and data-dependent multiplications
Benjamin Choi
Posted: Thu Jan 01, 2004 8:19 am
Considering the use of data-dependent rotations in RC5 together with
modular addition to approximate decorrelation, and reading a few papers
on data-dependent rotations, I gathered that a weakness of
data-dependent rotations was that they did not use the whole word, but
only the least significant 5 bits. RC6 attempted to solve that using
modular multiplication together with the rotations.

I considered the following construct as the 64-bit F-function for a
128-bit Feistel cipher (since it isn't necessarily reversible):

Split 64-bit input into 32-bit halves A and B
for (i = 0; i < 4; i++) {
    A *= B;           /* data-dependent multiplication mod 2^32 */
    A += subkey[i];   /* modular addition of the round subkey */
    A = G(A);         /* nonlinear layer */
    Swap A, B
}
Recombine A and B into 64-bit output

Let G() be a nonlinear function, e.g. substitute each of the 4 bytes
in an 8x8 S-box.
Let subkey[] be an array of 32-bit subkeys.

I thought that the advantages of multiplication over rotation would be
- Much higher diffusion
- Closer to decorrelation than rotations
- Apparently not patented

And the advantages of data-dependent multiplication over just
key-dependent multiplication on a half of the block:
- Provides diffusion without needing an XOR between the halves of the
block

My question is, would it provide sufficient decorrelation to prevent
differential and linear cryptanalysis, supposing this F-function were
used in a Feistel cipher with, say, 8 rounds?

--
Benjamin Choi
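The F-function sketched in the post, in Python, as an added example that is not part of the original post. The 8x8 S-box and the four 32-bit subkeys are constructed placeholders for the values the post leaves unspecified. Alongside the round function it carries two checks a reviewer would run on the construct as written: an avalanche count for one flipped input bit, and whether the output depends on A at all when the B half is zero (it cannot, because the first round multiplies A by B).

```python
import random

MASK32 = 0xFFFFFFFF

# Constructed placeholder 8x8 S-box: a fixed, seeded pseudo-random permutation
# of 0..255. It stands in for the unspecified S-box in the post and is not a
# cryptographically designed table.
_rng = random.Random(2004)
SBOX = list(range(256))
_rng.shuffle(SBOX)

# Constructed placeholder 32-bit subkeys (the post leaves subkey[] unspecified).
SUBKEYS = [0x9E3779B9, 0x7F4A7C15, 0xF39CC060, 0x5CEDC834]


def G(a: int) -> int:
    """Nonlinear layer from the post: substitute each of the 4 bytes of a."""
    out = 0
    for i in range(4):
        out |= SBOX[(a >> (8 * i)) & 0xFF] << (8 * i)
    return out


def F(x: int, subkeys=SUBKEYS) -> int:
    """The F-function as written: four rounds of data-dependent
    multiplication mod 2^32, subkey addition, G(), and a swap."""
    a, b = (x >> 32) & MASK32, x & MASK32
    for i in range(4):
        a = (a * b) & MASK32           # A *= B
        a = (a + subkeys[i]) & MASK32  # A += subkey[i]
        a = G(a)                       # A = G(A)
        a, b = b, a                    # Swap A, B
    return (a << 32) | b


def hamming(x: int, y: int) -> int:
    """Number of bit positions in which x and y differ."""
    return bin(x ^ y).count("1")


def avalanche(x: int, bit: int) -> int:
    """How many output bits change when input bit `bit` of x is flipped."""
    return hamming(F(x), F(x ^ (1 << bit)))


def depends_on_a_when_b_zero(samples=(0, 1, 0xDEADBEEF, MASK32)) -> bool:
    """Does F(A || 0) vary with A? Round 1 computes A *= B with B == 0, so A
    is annihilated before anything else reads it; this returns False
    whatever S-box and subkeys are used."""
    return len({F(a << 32) for a in samples}) > 1
```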