
In plain C...

25/02/08 | by Sean O’Neil [mail] | Categories: Issues

I guess the easiest way to understand and implement EnRUPT32 as a block cipher would be something like this:

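#include <stdint.h>

typedef uint32_t u32;

/* rotate a 32-bit word right by n bits, 0 < n < 32 */
#define rotr(v,n) (((u32)(v) >> (n)) | ((u32)(v) << (32-(n))))

/* round function: mixes both neighbours of x[r%xw], a key word and the round number r */
#define er1(k) (rotr(2*x[(r-1)%xw]^x[(r+1)%xw]^(k)^r,8)*9^(k))

/* encrypt xw words of x in place with kw key words;
   xw must be at least 2 so the word being updated is not one of its own inputs */
void enRUPT (u32 *x, const u32 xw, u32 *key, const u32 kw)
{
    u32 r, s=4, n=s*(2*xw+kw);
    for (r=1; r<=n; r++) x[r%xw] ^= er1(key[r%kw]);
}

/* decrypt: the same rounds applied in reverse order */
void unRUPT (u32 *x, const u32 xw, u32 *key, const u32 kw)
{
    u32 r, s=4, n=s*(2*xw+kw);
    for (r=n; r   ; r--) x[r%xw] ^= er1(key[r%kw]);
}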

Yes. This is it. A complete block cipher. There is nothing more to it. If it is used with arbitrary but constant 2n block sizes, it should be almost as fast as an unrolled implementation, almost as fast as the AES for the 4-word blocks and the 4-word keys.


3 comments

Comment from: Aleksey [Visitor]
*****
It's really simple & powerful! Sean, good luck to you & enRUPT. Fully with you, best regards.
26/02/08 @ 08:05
Comment from: Matt [Visitor]
**---
I like the idea of iterating a small round function many times because it simplifies analysis.

The problem is your non-linear component is completely affine for some input and output bits. It doesn't mean there is an attack, but if I saw an s-box with those characteristics I would instantly reject it. I will not be surprised to see a successful linear cryptanalysis on at least half the cipher.
29/02/08 @ 03:06
Comment from: Sean O’Neil [Member] Email · http://cryptolib.com/

I really appreciate your feedback, guys!

Of course it is a good idea to reject an s-box with some linear bits in it when a better one can be used at the same cost, but does the entire 32-bit or 64-bit wide operation really have to be non-linear? It can be completely linearised anyway at a small cost of guessing all the carry bits and even cheaper with algebraic methods. The goal was to make that nonlinearity accumulate consistently and sufficiently by the end of the cipher.

As I wrote in the paper, I will not be surprised to see successful non-adaptive statistical attacks up to 3/4 of the cipher and successful adaptive attacks even beyond that, but not for the complete cipher. If you believe that the linear characteristics you found are iterative or potentially exploitable for the full cipher, I am all ears.

29/02/08 @ 03:39
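
The affine bits raised in the comments can be located with a short test. The following is an added example, not code from the post or its comments: `round_f` is the key-independent core of the `er1` macro, and `mix32`, `nonaffine_mask` and `low_bits_linear` are hypothetical helper names. It shows that output bits 0 to 3 of the multiplication by 9 are GF(2)-linear because no carry reaches them, while every higher output bit fails the affinity test.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

static u32 rotr(u32 v, unsigned n) { return (v >> n) | (v << (32 - n)); }

/* Key-independent core of the post's macro:
   er1(k) == round_f(2*x[(r-1)%xw] ^ x[(r+1)%xw] ^ k ^ r) ^ k */
static u32 round_f(u32 v) { return rotr(v, 8) * 9; }

/* Hypothetical helper: integer mixer (MurmurHash3 finalizer) that turns a
   counter into constructed, reproducible test inputs */
static u32 mix32(u32 h)
{
    h ^= h >> 16; h *= 0x85EBCA6Bu;
    h ^= h >> 13; h *= 0xC2B2AE35u;
    return h ^ (h >> 16);
}

/* An output bit of f is affine over GF(2) iff f(a)^f(b)^f(a^b)^f(0) is 0
   in that bit for all a, b. OR the deviation over many pairs: a set bit is
   proven non-affine by one counterexample, a clear bit passed every sample. */
u32 nonaffine_mask(u32 (*f)(u32), u32 samples)
{
    u32 i, mask = 0, f0 = f(0);
    for (i = 0; i < samples; i++) {
        u32 a = mix32(2 * i + 1), b = mix32(2 * i + 2);
        mask |= f(a) ^ f(b) ^ f(a ^ b) ^ f0;
    }
    return mask;
}

/* Exact linear form of output bits 0..3: w*9 = w + (w<<3), and the low
   three bits of (w<<3) are zero, so no carry is generated below bit 4 */
u32 low_bits_linear(u32 v)
{
    u32 w = rotr(v, 8);
    return (w ^ (w << 3)) & 0xF;
}

int main(void)
{
    u32 m = nonaffine_mask(round_f, 4096);
    printf("non-affine output bits of round_f: 0x%08X\n", (unsigned)m);
    return m == 0xFFFFFFF0u ? 0 : 1;
}
```

Since the doubling, XORs and rotation in `er1` are all GF(2)-linear, the carries of the multiplication by 9 are the only source of nonlinearity in a round.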


Q: What is EnRUPT?

A: EnRUPT is a simple scalable all-in-one block/stream cipher/hash.
