In cryptography, a round or round function is a basic transformation that is repeated (iterated) multiple times inside the algorithm. Splitting a large algorithmic function into rounds simplifies both implementation and cryptanalysis.[1]
For example, encryption using an oversimplified three-round cipher can be written as , where C is the ciphertext and P is the plaintext. Typically, rounds are implemented using the same function, parameterized by the round constant and, for block ciphers, the round key from the key schedule. Parameterization is essential to reduce the self-similarity of the cipher, which could lead to slide attacks.[1]
Increasing the number of rounds "almost always"[2] protects against differential and linear cryptanalysis, as for these tools the effort grows exponentially with the number of rounds. However, increasing the number of rounds does not always make weak ciphers into strong ones, as some attacks do not depend on the number of rounds.[3]
The idea of an iterative cipher using repeated application of simple non-commutating operations producing diffusion and confusion goes as far back as 1945, to the then-secret version of C. E. Shannon's work "Communication Theory of Secrecy Systems";[4] Shannon was inspired by mixing transformations used in the field of dynamical systems theory (cf. horseshoe map). Most of the modern ciphers use iterative design with number of rounds usually chosen between 8 and 32 (with 64 and even 80 used in cryptographic hashes).[5]
For some Feistel-like cipher descriptions, notably that of the RC5, a term "half-round" is used to define the transformation of part of the data (a distinguishing feature of the Feistel design). This operation corresponds to a full round in traditional descriptions of Feistel ciphers (like DES).[6]
Round constants
editInserting round-dependent constants into the encryption process breaks the symmetry between rounds and thus thwarts the most obvious slide attacks.[3] The technique is a standard feature of most modern block ciphers. However, a poor choice of round constants or unintended interrelations between the constants and other cipher components could still allow slide attacks (e.g., attacking the initial version of the format-preserving encryption mode FF3).[7]
Many lightweight ciphers utilize very simple key scheduling: the round keys come from adding the round constants to the encryption key. A poor choice of round constants in this case might make the cipher vulnerable to invariant attacks; ciphers broken this way include SCREAM and Midori64.[8]
Optimization
editDaemen and Rijmen assert that one of the goals of optimizing the cipher is reducing the overall workload, the product of the round complexity and the number of rounds. There are two approaches to address this goal:[2]
- local optimization improves the worst-case behavior of a single round (two rounds for Feistel ciphers);
- global optimization optimizes the worst-case behavior of more than one round, allowing the use of less sophisticated components.
Reduced-round ciphers
editCryptanalysis techniques include the use of versions of ciphers with fewer rounds than specified by their designers. Since a single round is usually cryptographically weak, many attacks that fail to work against the full version of ciphers will work on such reduced-round variants. The result of such attack provides valuable information about the strength of the algorithm,[9] a typical break of the full cipher starts out as a success against a reduced-round one.[10]
References
edit- ^ a b Aumasson 2017, p. 56.
- ^ a b Daemen & Rijmen 2013, p. 74.
- ^ a b Biryukov & Wagner 1999.
- ^ Shannon, Claude (September 1, 1945). "A Mathematical Theory of Cryptography" (PDF). p. 97.
- ^ Biryukov 2005.
- ^ Kaliski & Yin 1995, p. 173.
- ^ Dunkelman et al. 2020, p. 252.
- ^ Beierle et al. 2017.
- ^ Robshaw 1995, p. 23.
- ^ Schneier 2000, p. 2.
Sources
edit- Aumasson, Jean-Philippe (6 November 2017). Serious Cryptography: A Practical Introduction to Modern Encryption. No Starch Press. pp. 56–57. ISBN 978-1-59327-826-7. OCLC 1012843116.
- Biryukov, Alex; Wagner, David (1999). "Slide Attacks". Fast Software Encryption. Lecture Notes in Computer Science. Vol. 1636. Springer Berlin Heidelberg. pp. 245–259. doi:10.1007/3-540-48519-8_18. ISBN 978-3-540-66226-6. ISSN 0302-9743.
- Dunkelman, Orr; Keller, Nathan; Lasry, Noam; Shamir, Adi (2020). "New Slide Attacks on Almost Self-similar Ciphers". Advances in Cryptology – EUROCRYPT 2020. Lecture Notes in Computer Science. Vol. 12105. Springer International Publishing. pp. 250–279. doi:10.1007/978-3-030-45721-1_10. eISSN 1611-3349. ISBN 978-3-030-45720-4. ISSN 0302-9743.
- Beierle, Christof; Canteaut, Anne; Leander, Gregor; Rotella, Yann (2017). "Proving Resistance Against Invariant Attacks: How to Choose the Round Constants" (PDF). Advances in Cryptology – CRYPTO 2017. Lecture Notes in Computer Science. Vol. 10402. Springer International Publishing. pp. 647–678. doi:10.1007/978-3-319-63715-0_22. eISSN 1611-3349. ISBN 978-3-319-63714-3. ISSN 0302-9743.
- Biryukov, Alex (2005). "Product Cipher, Superencryption". Encyclopedia of Cryptography and Security. Springer US. pp. 480–481. doi:10.1007/0-387-23483-7_320. ISBN 978-0-387-23473-1.
- Robshaw, M.J.B. (August 2, 1995). Block Ciphers (PDF) (Version 2.0 ed.). Redwood City, CA: RSA Laboratories.
- Schneier, Bruce (January 2000). "A Self-Study Course in Block-Cipher Cryptanalysis" (PDF). Cryptologia. 24 (1): 18–34. doi:10.1080/0161-110091888754. S2CID 53307028.
- Kaliski, Burton S.; Yin, Yiqun Lisa (1995). "On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm" (PDF). Advances in Cryptology – CRYPT0' 95. Lecture Notes in Computer Science. Vol. 963. Springer Berlin Heidelberg. pp. 171–184. doi:10.1007/3-540-44750-4_14. ISBN 978-3-540-60221-7. ISSN 0302-9743.
- Daemen, Joan; Rijmen, Vincent (9 March 2013). The Design of Rijndael: AES - The Advanced Encryption Standard (PDF). Springer Science & Business Media. ISBN 978-3-662-04722-4. OCLC 1286305449.