| |
 |
|
|
Science Forum Index » Cryptography Forum » Decorrelation and data-dependent multiplications
Page 1 of 1
|
| Author |
Message |
| Benjamin Choi |
 Posted: Thu Jan 01, 2004 8:19 am |
|
|
|
Guest
|
Considering the use of data-dependent rotations in RC5 together with
modular addition to approximate decorrelation and reading a few papers
on data-dependent rotations, I gathered that a weakness of
data-dependent rotations was that it did not use the whole word, but
only the least significant 5 bits. RC6 attempted to solve that using
modular multiplication together with the rotations.
I considered the following construct as the 64-bit F-function for a
128-bit Feistel cipher (since it isn't necessarily reversible):
Split 64-bit input into A and B
for(i=0; i<4; i++) {
A *= B;
A += subkey[i];
A = G(A);
Swap A, B
}
Recombine A and B into 64-bit output
Let G() be a nonlinear function, e.g. substitute each of the 4 bytes
in an 8x8 S-box.
Let subkey[] be an array of 32-bit subkeys.
I thought that the advantages of multiplication over rotation would be
- Much higher diffusion
- Closer to decorrelation than rotations
- Apparently not patented
And the advantages of data-dependent multiplication over just
key-dependent multiplication on a half of the block:
- Provides diffusion without needing an XOR between the halves of the
block
My question is, would it provide sufficient decorrelation to prevent
differential and linear cryptanalysis, supposing this F-function were
used in a Feistel cipher with, say, 8 rounds?
--
Benjamin Choi |
|
|
| Back to top |
|
| Tom St Denis |
| Posted: Thu Jan 01, 2004 8:31 am |
|
|
|
Guest
|
"Benjamin Choi" <nospam@technosoft21.com> wrote in message
news:7eeb3109.0401010519.12e706a7@posting.google.com...
Quote: I considered the following construct as the 64-bit F-function for a
128-bit Feistel cipher (since it isn't necessarily reversible):
Split 64-bit input into A and B
for(i=0; i<4; i++) {
A *= B;
This is over what... Z_{2^{32}} ? You realize this is very lossy right?
Consider the case where B is even and has only higher bits set [e.g. 2^16 +
2^20 or something].
Quote: A += subkey[i];
A = G(A);
Swap A, B
}
Recombine A and B into 64-bit output
Let G() be a nonlinear function, e.g. substitute each of the 4 bytes
in an 8x8 S-box.
Let subkey[] be an array of 32-bit subkeys.
I thought that the advantages of multiplication over rotation would be
- Much higher diffusion
Actually it has less diffusion because you lose many bits from the input.
[e.g. many collisions].
Quote: - Closer to decorrelation than rotations
Swing and a miss. The partial decorrelation in RC5 comes from the key and
the XOR. Look at
A = ROL(A ^ B, B) + K[0];
B = ROL(A ^ B, A) + K[1];
The actual rotate amount independence comes from K[] not from A/B.
A pair-wise decorrelation function would be something like F(x) = ax + b,
over a suitable structure [e.g. GF(2)[x]].
Quote: And the advantages of data-dependent multiplication over just
key-dependent multiplication on a half of the block:
- Provides diffusion without needing an XOR between the halves of the
block
My question is, would it provide sufficient decorrelation to prevent
differential and linear cryptanalysis, supposing this F-function were
used in a Feistel cipher with, say, 8 rounds?
No. Your function is far too lossy to prevent DC or LC from working.
Tom |
|
|
| Back to top |
|
| Tom St Denis |
| Posted: Thu Jan 01, 2004 8:31 am |
|
|
|
Guest
|
"Benjamin Choi" <nospam@technosoft21.com> wrote in message
news:7eeb3109.0401010519.12e706a7@posting.google.com...
Quote: I considered the following construct as the 64-bit F-function for a
128-bit Feistel cipher (since it isn't necessarily reversible):
Split 64-bit input into A and B
for(i=0; i<4; i++) {
A *= B;
This is over what... Z_{2^{32}} ? You realize this is very lossy right?
Consider the case where B is even and has only higher bits set [e.g. 2^16 +
2^20 or something].
Quote: A += subkey[i];
A = G(A);
Swap A, B
}
Recombine A and B into 64-bit output
Let G() be a nonlinear function, e.g. substitute each of the 4 bytes
in an 8x8 S-box.
Let subkey[] be an array of 32-bit subkeys.
I thought that the advantages of multiplication over rotation would be
- Much higher diffusion
Actually it has less diffusion because you lose many bits from the input.
[e.g. many collisions].
Quote: - Closer to decorrelation than rotations
Swing and a miss. The partial decorrelation in RC5 comes from the key and
the XOR. Look at
A = ROL(A ^ B, B) + K[0];
B = ROL(A ^ B, A) + K[1];
The actual rotate amount independence comes from K[] not from A/B.
A pair-wise decorrelation function would be something like F(x) = ax + b,
over a suitable structure [e.g. GF(2)[x]].
Quote: And the advantages of data-dependent multiplication over just
key-dependent multiplication on a half of the block:
- Provides diffusion without needing an XOR between the halves of the
block
My question is, would it provide sufficient decorrelation to prevent
differential and linear cryptanalysis, supposing this F-function were
used in a Feistel cipher with, say, 8 rounds?
No. Your function is far too lossy to prevent DC or LC from working.
Tom |
|
|
| Back to top |
|
| Mok-Kong Shen |
| Posted: Thu Jan 01, 2004 8:32 am |
|
|
|
Guest
|
Benjamin Choi wrote:
Quote:
[snip]
My question is, would it provide sufficient decorrelation to prevent
differential and linear cryptanalysis, supposing this F-function were
used in a Feistel cipher with, say, 8 rounds?
That's for the experts. It's far beyond my knowledge.
But a couple of tiny remarks: (1) Hitachi claimed
to have a patent on data-dependent rotations, though
I personally doubt its (real) validity. (2) I
recently suggested to use a formula (cf. the thread
on Latin square) with multiplication plus rotations
of the operands to do non-linear combination of two
entities of n bits. One conceivable use of that is
for obtaining F-functions.
M. K. Shen |
|
|
| Back to top |
|
| Mok-Kong Shen |
| Posted: Thu Jan 01, 2004 8:32 am |
|
|
|
Guest
|
Benjamin Choi wrote:
Quote:
[snip]
My question is, would it provide sufficient decorrelation to prevent
differential and linear cryptanalysis, supposing this F-function were
used in a Feistel cipher with, say, 8 rounds?
That's for the experts. It's far beyond my knowledge.
But a couple of tiny remarks: (1) Hitachi claimed
to have a patent on data-dependent rotations, though
I personally doubt its (real) validity. (2) I
recently suggested to use a formula (cf. the thread
on Latin square) with multiplication plus rotations
of the operands to do non-linear combination of two
entities of n bits. One conceivable use of that is
for obtaining F-functions.
M. K. Shen |
|
|
| Back to top |
|
| Gregory G Rose |
| Posted: Thu Jan 01, 2004 1:10 pm |
|
|
|
Guest
|
In article <7eeb3109.0401010519.12e706a7@posting.google.com>,
Benjamin Choi <nospam@technosoft21.com> wrote:
Quote: I considered the following construct as the 64-bit F-function for a
128-bit Feistel cipher (since it isn't necessarily reversible):
Split 64-bit input into A and B
for(i=0; i<4; i++) {
A *= B;
A += subkey[i];
A = G(A);
Swap A, B
}
Recombine A and B into 64-bit output
Without putting a lot of thought into it, I have
a feeling this will be a sucker for differential
cryptanalysis. Consider what happens when the B
half is zero; you destroy all information in the A
half. Now if the B half is 0x80000000, you get
left with just one bit of A. If the G()
transformation is known, this might be
manipulable.
Anyway, the fact that multiplication loses
information worries me a lot. RC6 and MARS went to
a lot of trouble to ensure that the
multiplications were always safe, but you haven't
done that.
Greg.
--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Qualcomm Australia: http://www.qualcomm.com.au |
|
|
| Back to top |
|
| Gregory G Rose |
| Posted: Thu Jan 01, 2004 1:10 pm |
|
|
|
Guest
|
In article <7eeb3109.0401010519.12e706a7@posting.google.com>,
Benjamin Choi <nospam@technosoft21.com> wrote:
Quote: I considered the following construct as the 64-bit F-function for a
128-bit Feistel cipher (since it isn't necessarily reversible):
Split 64-bit input into A and B
for(i=0; i<4; i++) {
A *= B;
A += subkey[i];
A = G(A);
Swap A, B
}
Recombine A and B into 64-bit output
Without putting a lot of thought into it, I have
a feeling this will be a sucker for differential
cryptanalysis. Consider what happens when the B
half is zero; you destroy all information in the A
half. Now if the B half is 0x80000000, you get
left with just one bit of A. If the G()
transformation is known, this might be
manipulable.
Anyway, the fact that multiplication loses
information worries me a lot. RC6 and MARS went to
a lot of trouble to ensure that the
multiplications were always safe, but you haven't
done that.
Greg.
--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Qualcomm Australia: http://www.qualcomm.com.au |
|
|
| Back to top |
|
| Scott Contini |
| Posted: Thu Jan 01, 2004 11:53 pm |
|
|
|
Guest
|
ggr@qualcomm.com (Gregory G Rose) wrote in message news:<bt1nrf$pjp@qualcomm.com>...
Quote: In article <7eeb3109.0401010519.12e706a7@posting.google.com>,
Benjamin Choi <nospam@technosoft21.com> wrote:
I considered the following construct as the 64-bit F-function for a
128-bit Feistel cipher (since it isn't necessarily reversible):
Split 64-bit input into A and B
for(i=0; i<4; i++) {
A *= B;
A += subkey[i];
A = G(A);
Swap A, B
}
Recombine A and B into 64-bit output
Without putting a lot of thought into it, I have
a feeling this will be a sucker for differential
cryptanalysis. Consider what happens when the B
half is zero; you destroy all information in the A
half. Now if the B half is 0x80000000, you get
left with just one bit of A. If the G()
transformation is known, this might be
manipulable.
Anyway, the fact that multiplication loses
information worries me a lot. RC6 and MARS went to
a lot of trouble to ensure that the
multiplications were always safe, but you haven't
done that.
Greg.
I agree with Greg. The problem is even at the byte-level: if the least
significant byte of B is 0, then the least significant byte of A after
the multiply is 0 as well, meaning that the least significant byte of the
subkey gets sent directly into the S-box. Same problem if the least
significant byte of A is 0. Even at the bit-level, there seems to be
potential problems: with probability 3/4, the least significant bit of
A or B is zero, implying that 3/4ths of the time, the least significant
bit going into the S-box is going to be the subkey. This must be leaking
subkey bits.
I dont know your complete design yet, but I am very skeptical that it can be
secure. For an example of a cipher that used multiplication poorly,
see "Cryptanalysis of multi-swap" by Borisov, Chew, Johnson, and Wagner:
http://www.cs.berkeley.edu/~rtjohnso/multiswap/
Scott |
|
|
| Back to top |
|
| Scott Contini |
| Posted: Thu Jan 01, 2004 11:53 pm |
|
|
|
Guest
|
ggr@qualcomm.com (Gregory G Rose) wrote in message news:<bt1nrf$pjp@qualcomm.com>...
Quote: In article <7eeb3109.0401010519.12e706a7@posting.google.com>,
Benjamin Choi <nospam@technosoft21.com> wrote:
I considered the following construct as the 64-bit F-function for a
128-bit Feistel cipher (since it isn't necessarily reversible):
Split 64-bit input into A and B
for(i=0; i<4; i++) {
A *= B;
A += subkey[i];
A = G(A);
Swap A, B
}
Recombine A and B into 64-bit output
Without putting a lot of thought into it, I have
a feeling this will be a sucker for differential
cryptanalysis. Consider what happens when the B
half is zero; you destroy all information in the A
half. Now if the B half is 0x80000000, you get
left with just one bit of A. If the G()
transformation is known, this might be
manipulable.
Anyway, the fact that multiplication loses
information worries me a lot. RC6 and MARS went to
a lot of trouble to ensure that the
multiplications were always safe, but you haven't
done that.
Greg.
I agree with Greg. The problem is even at the byte-level: if the least
significant byte of B is 0, then the least significant byte of A after
the multiply is 0 as well, meaning that the least significant byte of the
subkey gets sent directly into the S-box. Same problem if the least
significant byte of A is 0. Even at the bit-level, there seems to be
potential problems: with probability 3/4, the least significant bit of
A or B is zero, implying that 3/4ths of the time, the least significant
bit going into the S-box is going to be the subkey. This must be leaking
subkey bits.
I dont know your complete design yet, but I am very skeptical that it can be
secure. For an example of a cipher that used multiplication poorly,
see "Cryptanalysis of multi-swap" by Borisov, Chew, Johnson, and Wagner:
http://www.cs.berkeley.edu/~rtjohnso/multiswap/
Scott |
|
|
| Back to top |
|
| Benjamin Choi |
| Posted: Fri Jan 02, 2004 8:21 am |
|
|
|
Guest
|
contini@matmail.com (Scott Contini) wrote in message news:<6f35025c.0401012053.48595a3e@posting.google.com>...
<snip>
Quote: I agree with Greg. The problem is even at the byte-level: if the least
significant byte of B is 0, then the least significant byte of A after
the multiply is 0 as well, meaning that the least significant byte of the
subkey gets sent directly into the S-box.
What if the multiplications were made bijective, as in IDEA?
Quote: Same problem if the least
significant byte of A is 0. Even at the bit-level, there seems to be
potential problems: with probability 3/4, the least significant bit of
A or B is zero, implying that 3/4ths of the time, the least significant
bit going into the S-box is going to be the subkey. This must be leaking
subkey bits.
Indeed I didn't realise that.
Quote: I dont know your complete design yet, but I am very skeptical that it can be
secure.
Don't worry, I don't have a complete design. It was just a concept
that I wanted to further discuss and understand.
Quote: For an example of a cipher that used multiplication poorly,
see "Cryptanalysis of multi-swap" by Borisov, Chew, Johnson, and Wagner:
http://www.cs.berkeley.edu/~rtjohnso/multiswap/
Multi-Swap seems very linear in nature (the swaps can be considered
16-bit rotations in either direction). My best guess is that that's
the reason a multiplicative differential was found.
--
Benjamin Choi |
|
|
| Back to top |
|
| Benjamin Choi |
| Posted: Fri Jan 02, 2004 8:21 am |
|
|
|
Guest
|
contini@matmail.com (Scott Contini) wrote in message news:<6f35025c.0401012053.48595a3e@posting.google.com>...
<snip>
Quote: I agree with Greg. The problem is even at the byte-level: if the least
significant byte of B is 0, then the least significant byte of A after
the multiply is 0 as well, meaning that the least significant byte of the
subkey gets sent directly into the S-box.
What if the multiplications were made bijective, as in IDEA?
Quote: Same problem if the least
significant byte of A is 0. Even at the bit-level, there seems to be
potential problems: with probability 3/4, the least significant bit of
A or B is zero, implying that 3/4ths of the time, the least significant
bit going into the S-box is going to be the subkey. This must be leaking
subkey bits.
Indeed I didn't realise that.
Quote: I dont know your complete design yet, but I am very skeptical that it can be
secure.
Don't worry, I don't have a complete design. It was just a concept
that I wanted to further discuss and understand.
Quote: For an example of a cipher that used multiplication poorly,
see "Cryptanalysis of multi-swap" by Borisov, Chew, Johnson, and Wagner:
http://www.cs.berkeley.edu/~rtjohnso/multiswap/
Multi-Swap seems very linear in nature (the swaps can be considered
16-bit rotations in either direction). My best guess is that that's
the reason a multiplicative differential was found.
--
Benjamin Choi |
|
|
| Back to top |
|
| Scott Contini |
| Posted: Sun Jan 04, 2004 8:01 pm |
|
|
|
Guest
|
nospam@technosoft21.com (Benjamin Choi) wrote in message news:<7eeb3109.0401020521.36d2681@posting.google.com>...
Quote: contini@matmail.com (Scott Contini) wrote in message news:<6f35025c.0401012053.48595a3e@posting.google.com>...
snip
I agree with Greg. The problem is even at the byte-level: if the least
significant byte of B is 0, then the least significant byte of A after
the multiply is 0 as well, meaning that the least significant byte of the
subkey gets sent directly into the S-box.
What if the multiplications were made bijective, as in IDEA?
It would probably help.
When RC6 was being designed, they first considered the possibility of
using multiplications by a set of fixed integers that had good differential
properties. I spent a decent amount of time looking for such integers,
but then they later decided (rightfully so) that the function f(x) = x^2 + x
was a better approach. I never studied the decorrelation properties, however.
Scott |
|
|
| Back to top |
|
| |
|
Page 1 of 1
All times are GMT - 5 Hours
The time now is Wed Oct 15, 2008 8:46 pm
|
|