Repeated basic operation in a cryptosystem

In cryptography, a round or round function is a basic transformation that is repeated (iterated) multiple times inside the algorithm. Splitting a large algorithmic function into rounds simplifies both implementation and cryptanalysis.

For example, encryption using an oversimplified three-round cipher can be written as

$C = R_{3}(R_{2}(R_{1}(P)))$,

where $C$ is the ciphertext and $P$ is the plaintext. Typically, the rounds $R_{1}, R_{2}, \ldots$ are implemented using the same function, parameterized by the round constant and, for block ciphers, the round key from the key schedule. Parameterization is essential to reduce the self-similarity of the cipher, which could otherwise lead to slide attacks.

Increasing the number of rounds "almost always" protects against differential and linear cryptanalysis, as for these tools the effort grows exponentially with the number of rounds. However, increasing the number of rounds does not always make weak ciphers into strong ones, as some attacks do not depend on the number of rounds.

The idea of an iterative cipher using repeated application of simple non-commuting operations producing diffusion and confusion goes as far back as 1945, to the then-secret version of C. E. Shannon's work "Communication Theory of Secrecy Systems"; Shannon was inspired by mixing transformations used in the field of dynamical systems theory (cf. horseshoe map). Most modern ciphers use an iterative design with the number of rounds usually chosen between 8 and 32 (with 64 and even 80 used in cryptographic hashes).

For some Feistel-like cipher descriptions, notably that of RC5, the term "half-round" is used for the transformation of one part of the data (a distinguishing feature of the Feistel design). This operation corresponds to a full round in traditional descriptions of Feistel ciphers (like DES).

Round constants

Inserting round-dependent constants into the encryption process breaks the symmetry between rounds and thus thwarts the most obvious slide attacks. The technique is a standard feature of most modern block ciphers. However, a poor choice of round constants, or unintended interrelations between the constants and other cipher components, could still allow slide attacks (e.g., attacking the initial version of the format-preserving encryption mode FF3).

Many lightweight ciphers utilize very simple key scheduling: the round keys come from adding the round constants to the encryption key. A poor choice of round constants in this case might make the cipher vulnerable to invariant attacks; ciphers broken this way include SCREAM and Midori64.

Optimization

Daemen and Rijmen assert that one of the goals of optimizing a cipher is reducing the overall workload, the product of the round complexity and the number of rounds. There are two approaches to this goal:

- local optimization improves the worst-case behavior of a single round (two rounds for Feistel ciphers);
- global optimization optimizes the worst-case behavior of more than one round, allowing the use of less sophisticated components.

Reduced-round ciphers

Cryptanalysis techniques include the use of versions of ciphers with fewer rounds than specified by their designers. Since a single round is usually cryptographically weak, many attacks that fail against the full version of a cipher will work on such reduced-round variants. The result of such an attack provides valuable information about the strength of the algorithm; a typical break of the full cipher starts out as a success against a reduced-round one.

References

1. Aumasson 2017, p. 56.
2. Daemen & Rijmen 2013, p. 74.
3. Biryukov & Wagner 1999.
4. Shannon, Claude (September 1, 1945). "A Mathematical Theory of Cryptography" (PDF). p. 97.
5. Biryukov 2005.
6. Kaliski & Yin 1995, p. 173.
7. Dunkelman et al. 2020, p. 252.
8. Beierle et al. 2017.
9. Robshaw 1995, p. 23.
10. Schneier 2000, p. 2.

Sources

Aumasson, Jean-Philippe (6 November 2017). Serious Cryptography: A Practical Introduction to Modern Encryption. No Starch Press. pp. 56–57. ISBN 978-1-59327-826-7. OCLC 1012843116.

Biryukov, Alex; Wagner, David (1999). "Slide Attacks". Fast Software Encryption. Lecture Notes in Computer Science. Vol. 1636. Springer Berlin Heidelberg. pp. 245–259. doi:10.1007/3-540-48519-8_18. ISBN 978-3-540-66226-6. ISSN 0302-9743.

Dunkelman, Orr; Keller, Nathan; Lasry, Noam; Shamir, Adi (2020). "New Slide Attacks on Almost Self-similar Ciphers". Advances in Cryptology – EUROCRYPT 2020. Lecture Notes in Computer Science. Vol. 12105. Springer International Publishing. pp. 250–279. doi:10.1007/978-3-030-45721-1_10. eISSN 1611-3349. ISBN 978-3-030-45720-4. ISSN 0302-9743.

Beierle, Christof; Canteaut, Anne; Leander, Gregor; Rotella, Yann (2017). "Proving Resistance Against Invariant Attacks: How to Choose the Round Constants" (PDF). Advances in Cryptology – CRYPTO 2017. Lecture Notes in Computer Science. Vol. 10402. Springer International Publishing. pp. 647–678. doi:10.1007/978-3-319-63715-0_22. eISSN 1611-3349. ISBN 978-3-319-63714-3. ISSN 0302-9743.

Biryukov, Alex (2005). "Product Cipher, Superencryption". Encyclopedia of Cryptography and Security. Springer US. pp. 480–481. doi:10.1007/0-387-23483-7_320.

Robshaw, M.J.B. (August 2, 1995). Block Ciphers (PDF) (Version 2.0 ed.). Redwood City, CA: RSA Laboratories.

Schneier, Bruce (January 2000). "A Self-Study Course in Block-Cipher Cryptanalysis" (PDF). Cryptologia. 24 (1): 18–34. doi:10.1080/0161-110091888754. S2CID 53307028.

Kaliski, Burton S.; Yin, Yiqun Lisa (1995). "On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm". Advances in Cryptology – CRYPTO' 95. Springer Berlin Heidelberg. pp. 171–184. doi:10.1007/3-540-44750-4_14. ISSN 0302-9743.

Daemen, Joan; Rijmen, Vincent (9 March 2013). The Design of Rijndael: AES - The Advanced Encryption Standard (PDF). Springer Science & Business Media. ISBN 978-3-662-04722-4. OCLC 1259405449.
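The round structure discussed on this page (rounds as one function composed as $R_{n}(\ldots R_{1}(P))$, round keys formed as key plus round constant in the lightweight-cipher style, reduced-round variants, and the self-similarity that round constants are meant to remove), shown as an added toy example that is not part of the original article. The S-box is the real PRESENT S-box; the block size, round function, key and constants are constructed for illustration and the cipher is not secure.

```python
# Added example (not from the article): a toy 16-bit iterated cipher whose rounds
# share one function parameterized by round key = key + round constant
# (lightweight-cipher style). Illustration only, not a secure cipher.
# PRESENT S-box (a real 4-bit S-box); all other values below are constructed.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
MASK = 0xFFFF
FULL_ROUNDS = 8
ROUND_CONSTANTS = [(0x9E37 * (i + 1)) & MASK for i in range(FULL_ROUNDS)]  # constructed
NO_CONSTANTS = [0] * FULL_ROUNDS  # every round then gets the same round key

def round_key(key, rc):
    """Simple schedule: round key = encryption key + round constant (mod 2^16)."""
    return (key + rc) & MASK

def rot(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def round_fn(x, k):
    """One round R_k: add round key, nibble-wise S-box, bit rotation."""
    x ^= k
    x = sum(SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))
    return rot(x, 5)

def round_inv(x, k):
    x = rot(x, 11)
    x = sum(INV_SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))
    return x ^ k

def encrypt(p, key, rounds, constants):
    """C = R_rounds(...R_2(R_1(P))); rounds < FULL_ROUNDS is a reduced-round variant."""
    c = p & MASK
    for i in range(rounds):
        c = round_fn(c, round_key(key, constants[i]))
    return c

def decrypt(c, key, rounds, constants):
    """Inverse rounds applied in reverse order."""
    p = c & MASK
    for i in reversed(range(rounds)):
        p = round_inv(p, round_key(key, constants[i]))
    return p

def commuting_count(key, rounds, constants, samples):
    """Self-similarity check: count plaintexts P < samples with R(E(P)) == E(R(P)),
    R being round 1. With identical round keys every round is the same function,
    so this holds for every P; round-dependent constants break the symmetry."""
    k1 = round_key(key, constants[0])
    return sum(round_fn(encrypt(p, key, rounds, constants), k1)
               == encrypt(round_fn(p, k1), key, rounds, constants)
               for p in range(samples))
```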