viewed as cryptographically pointless and should be discarded. 5. All the faster implementations of DES precompute the keys for each round. Given this fact, there is no reason not to make this computation more complicated. 6. Unlike DES, the S-box design criteria should be public. To this list, Merkle would probably now add "resistant to differential cryptanalysis and to linear attacks," but those attacks were still unknown at the time.

Khufu
Khufu is a 64-bit block cipher. The 64-bit plaintext is first divided into two 32-bit halves, L and R. First, both halves are XORed with some key material. Then they are subjected to a series of rounds similar to DES. In each round, the least significant byte of L is used as the input to an S-box. Each S-box has 8 input bits and 32 output bits. The selected 32-bit entry in the S-box is then XORed with R. L is then rotated some multiple of 8 bits, L and R are swapped, and the round ends. The S-box itself is not static, but changes every 8 rounds. Finally, after the last round, L and R are XORed with more key material, and then combined to form the ciphertext block.

Although parts of the key are XORed with the encryption block at the beginning and end of the algorithm, the primary purpose of the key is to generate the S-boxes. These S-boxes are secret and, in essence, part of the key. Khufu calls for a total key size of 512 bits (64 bytes) and gives an algorithm for generating the S-boxes from the key. The number of rounds for the algorithm is left open. Merkle mentioned that 8-round Khufu is susceptible to a chosen-plaintext attack and recommended 16, 24, or 32 rounds [1071]. (He restricted the choice of rounds to a multiple of eight.)

Because Khufu has key-dependent and secret S-boxes, it is resistant to differential cryptanalysis. There is a differential attack against 16-round Khufu that recovers the key after 2^31 chosen plaintexts [611], but it cannot be extended to more rounds. If brute force is the best way to attack Khufu, it is impressively sec...
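The round structure described above, written out as a runnable added example. This is illustrative code, not Merkle's reference implementation and not taken from the page: it keeps exactly what the text specifies (64-bit block, two 32-bit halves, key XOR at the start and end, low byte of L indexing a 256-entry table of 32-bit words that is XORed into R, a rotation of L by a multiple of 8 bits, a swap, and a new S-box every 8 rounds) and fills in what the text leaves out with labelled assumptions: the S-boxes are derived from the 512-bit key with SHA-256 in counter mode as a stand-in for Merkle's key-to-S-box algorithm, the rotation schedule is an assumed sequence of multiples of 8, and the first and last 8 key bytes are used for the opening and closing XOR. Decryption is the round sequence run backwards, which is what makes the "rotate, XOR, swap" structure invertible even though the S-box itself is not.

```python
"""Toy Khufu-style block cipher (added example; not Merkle's code)."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF
ROUNDS = 16  # Merkle recommended 16, 24 or 32; must be a multiple of 8

# ASSUMPTION: per-octet rotation amounts. The page only says "some multiple
# of 8 bits"; this schedule is chosen here for illustration.
ROTATIONS = (16, 16, 8, 8, 16, 16, 24, 24)


def rotl32(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def rotr32(x, n):
    return rotl32(x, 32 - (n % 32))


def make_sboxes(key, rounds=ROUNDS):
    """Derive one 256 x 32-bit S-box per 8-round octet from the 64-byte key.

    ASSUMPTION: the page says the key generates the S-boxes but does not give
    the algorithm, so SHA-256 in counter mode is used as a placeholder.  The
    tables are secret because they are a function of the secret key; this is
    the slow, key-dependent setup the surrounding text argues is acceptable.
    """
    if len(key) != 64:
        raise ValueError("Khufu key must be 512 bits (64 bytes)")
    if rounds % 8:
        raise ValueError("round count must be a multiple of 8")
    sboxes = []
    for octet in range(rounds // 8):
        # 32 digests x 32 bytes = 1024 bytes = 256 entries of 4 bytes
        stream = b"".join(
            hashlib.sha256(key + bytes([octet, i])).digest() for i in range(32)
        )
        sboxes.append(list(struct.unpack(">256I", stream)))
    return sboxes


def key_words(key):
    # ASSUMPTION: first 8 key bytes whiten the input halves, last 8 the output.
    return struct.unpack(">4I", key[:8] + key[-8:])


def encrypt_block(block, key, rounds=ROUNDS):
    sboxes = make_sboxes(key, rounds)
    k0, k1, k2, k3 = key_words(key)
    L, R = struct.unpack(">II", block)
    L ^= k0
    R ^= k1
    for r in range(rounds):
        sbox = sboxes[r // 8]          # the S-box changes every 8 rounds
        R ^= sbox[L & 0xFF]            # low byte of L selects a 32-bit entry
        L = rotl32(L, ROTATIONS[r % 8])
        L, R = R, L                    # swap halves to end the round
    L ^= k2
    R ^= k3
    return struct.pack(">II", L, R)


def decrypt_block(block, key, rounds=ROUNDS):
    sboxes = make_sboxes(key, rounds)
    k0, k1, k2, k3 = key_words(key)
    L, R = struct.unpack(">II", block)
    L ^= k2
    R ^= k3
    for r in reversed(range(rounds)):
        L, R = R, L                    # undo the swap
        L = rotr32(L, ROTATIONS[r % 8])  # undo the rotation
        R ^= sboxes[r // 8][L & 0xFF]  # XOR is its own inverse
    L ^= k0
    R ^= k1
    return struct.pack(">II", L, R)


if __name__ == "__main__":
    key = bytes(range(64))                       # constructed sample key
    pt = bytes.fromhex("0123456789abcdef")       # constructed sample block
    ct = encrypt_block(pt, key)
    print(ct.hex(), decrypt_block(ct, key) == pt)
```

Note that the S-box tables dominate the cost of a key change (the whole of `make_sboxes` runs again), which is the trade-off the list above makes explicit: expensive key setup is fine as long as per-block work stays a table lookup, an XOR, a rotate and a swap.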
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.