ith the input of the previous round to form the input of the next round. Lucifer’s S-boxes have 4-bit inputs and 4-bit outputs; the input of the S-boxes is the bit-permuted output of the S-boxes of the previous round; the input of the S-boxes of the first round is the plaintext. A key bit is used to choose the actual S-box from two possible S-boxes. (Lucifer represents this as a single T-box with 9 bits in and 8 bits out.) Unlike DES, there is no swapping between rounds and no block halves are used. Lucifer has 16 rounds, 128-bit blocks, and a key schedule simpler than DES.

Using differential cryptanalysis against the first incarnation of Lucifer, Biham and Shamir [170, 172] showed that Lucifer, with 32-bit blocks and 8 rounds, can be broken with 40 chosen plaintexts and 2^29 steps; the same attack can break Lucifer with 128-bit blocks and 8 rounds with 60 chosen plaintexts and 2^53 steps. Another differential cryptanalytic attack breaks 18-round, 128-bit Lucifer with 24 chosen plaintexts in 2^21 steps. All of these attacks used the strong DES S-boxes. Using differential cryptanalysis against the second incarnation, they found the S-boxes to be much weaker than DES. Further analysis showed that over half the possible keys are insecure. Related-key cryptanalysis can break 128-bit Lucifer, with any number of rounds, with 2^33 chosen-key chosen plaintexts, or with 2^65 chosen-key known plaintexts. The second incarnation of Lucifer is even weaker [170, 172, 112].

Some people feel that Lucifer is more secure than DES because of the longer key length and lack of published results. This is clearly not the case.

Lucifer is the subject of several U.S. patents: [553, 554, 555, 1483]. They have all expired.

13.2 Madryga
W. E. Madryga proposed this block algorithm in 1984. It is efficient for software: It has no irritating permutations and all its operations work on bytes. His design objectives are worth repeating:

1. The plaintext cannot be derived from the ciphertext without using the key. (This just means that the algorithm is secure.)
2. The number...
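The round structure given in the Lucifer description above (a key bit choosing between two 4-bit S-boxes, then a bit permutation feeding the next round, with no key XOR and no swapping of halves) can be sketched as a toy cipher. This is an added example, not code from the book and not Lucifer itself: the 16-bit block, 4 rounds, S-box tables, bit permutation and key schedule are all assumptions chosen for illustration.

```python
# Toy substitution-permutation network with key-selected S-boxes.
# Every table and size here is constructed for illustration; none is Lucifer's.

# Two sample 4-bit permutations; one key bit per S-box picks which is used.
S = (
    (14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7),
    (0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8),
)
S_INV = tuple(tuple(box.index(v) for v in range(16)) for box in S)

# Sample bit permutation: input bit i moves to output position PERM[i].
PERM = [(4 * i) % 15 for i in range(15)] + [15]
PERM_INV = [PERM.index(i) for i in range(16)]

ROUNDS, NIBBLES = 4, 4


def permute(block, table):
    """Move bit i of a 16-bit block to position table[i]."""
    out = 0
    for i in range(16):
        out |= ((block >> i) & 1) << table[i]
    return out


def sbox_layer(block, key_bits, boxes):
    """Substitute each nibble; bit n of key_bits selects the box for nibble n."""
    out = 0
    for n in range(NIBBLES):
        nibble = (block >> (4 * n)) & 0xF
        select = (key_bits >> n) & 1
        out |= boxes[select][nibble] << (4 * n)
    return out


def round_keys(key):
    """Hypothetical key schedule: 4 selector bits per round from a 16-bit key."""
    return [(key >> (4 * r)) & 0xF for r in range(ROUNDS)]


def encrypt(block, key):
    # The key never touches the data directly; it only selects S-boxes.
    for k in round_keys(key):
        block = permute(sbox_layer(block, k, S), PERM)
    return block


def decrypt(block, key):
    # Undo each round in reverse: inverse permutation, then inverse S-boxes.
    for k in reversed(round_keys(key)):
        block = sbox_layer(permute(block, PERM_INV), k, S_INV)
    return block
```

Because the key only selects between fixed tables, each round is invertible as long as both S-boxes are permutations, which is what `decrypt` relies on.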