long. The trick is to generate two subkey sequences in parallel, and then alternate subkeys from each sequence. This means that if you choose Ka = Kb, then the 128-bit key is compatible with the 64-bit key Ka.

Security of SAFER K-64
Massey showed that SAFER K-64 is immune to differential cryptanalysis after 8 rounds and is adequately secure against the attack after 6 rounds. After only 3 rounds linear cryptanalysis is ineffective against this algorithm [1010].

Knudsen found a weakness in the key schedule: For virtually every key, there exists at least one (and sometimes as many as nine) other key that encrypts some different plaintext to identical ciphertexts [862]. The number of different plaintexts that encrypt to identical ciphertexts after 6 rounds is anywhere from 2^22 to 2^28. While this attack may not impact SAFER’s security when used as an encryption algorithm, it greatly reduces its security when used as a one-way hash function. In any case, Knudsen recommends at least 8 rounds.

SAFER was designed for Cylink, and Cylink is tainted by the NSA [80]. I recommend years of intense cryptanalysis before using SAFER in any form.

14.5 3-Way
3-Way is a block cipher designed by Joan Daemen [402,410]. It has a 96-bit block length and key length, and is designed to be very efficient in hardware. 3-Way is not a Feistel network, but it is an iterated block cipher. 3-Way can have n rounds; Daemen recommends 11.

Description of 3-Way
The algorithm is simple to describe. To encrypt a plaintext block, x:

    For i = 0 to n – 1
        x = x XOR Ki
        x = theta (x)
        x = pi-1 (x)
        x = gamma (x)
        x = pi-2 (x)
    x = x XOR Kn
    x = theta (x)

The functions are:

— theta(x) is a linear substitution function—basically a bunch of circular shifts and XORs.
— pi-1(x) and pi-2(x) are simple permutations.
— gamma(x) is a nonlinear substitution function. This is the step that gives 3-Way its name; it is the parallel execution of the substitution step on 3-bit blocks of the input.

Decryption is similar to encryption, except that the bits...
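The following is an added example, not part of the original text, showing what "parallel execution of the substitution step on 3-bit blocks" means for gamma when the 96-bit state is held as three 32-bit words. The gamma formula is not given in this excerpt; the one used here is taken from the published 3-Way definition and is an assumption with respect to this page, and all function names are illustrative.

```python
# Added example: 3-Way's gamma step viewed as 32 parallel 3-bit S-boxes.
# ASSUMPTION: the gamma formula below follows the published 3-Way
# definition; the excerpt on this page does not state it.
import random

MASK = 0xFFFFFFFF  # the 96-bit state is held as three 32-bit words

def gamma(a0, a1, a2):
    """Bitsliced gamma: each output word mixes in the other two words."""
    b0 = a0 ^ (a1 | (~a2 & MASK))
    b1 = a1 ^ (a2 | (~a0 & MASK))
    b2 = a2 ^ (a0 | (~a1 & MASK))
    return b0, b1, b2

def gamma_sbox():
    """Derive the 3-bit S-box by running gamma on single-bit words."""
    table = []
    for v in range(8):
        bits = ((v >> 2) & 1, (v >> 1) & 1, v & 1)
        b0, b1, b2 = (w & 1 for w in gamma(*bits))
        table.append((b0 << 2) | (b1 << 1) | b2)
    return table

def gamma_columnwise(a0, a1, a2):
    """Apply the S-box to each of the 32 bit columns, one at a time."""
    sbox = gamma_sbox()
    out = [0, 0, 0]
    for pos in range(32):
        v = (((a0 >> pos) & 1) << 2) | (((a1 >> pos) & 1) << 1) | ((a2 >> pos) & 1)
        s = sbox[v]
        out[0] |= ((s >> 2) & 1) << pos
        out[1] |= ((s >> 1) & 1) << pos
        out[2] |= (s & 1) << pos
    return tuple(out)

def check(trials=1000, seed=1):
    """True if the S-box is a bijection and both views of gamma agree."""
    rng = random.Random(seed)
    if sorted(gamma_sbox()) != list(range(8)):
        return False  # a non-bijective S-box could not be decrypted
    for _ in range(trials):
        state = tuple(rng.getrandbits(32) for _ in range(3))
        if gamma(*state) != gamma_columnwise(*state):
            return False
    return True

if __name__ == "__main__":
    print("S-box:", gamma_sbox(), "consistent:", check())
```

Because the S-box is a permutation of the eight 3-bit values, gamma is invertible, which any substitution step must be for decryption to exist.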
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.