In cryptography, a round or round function is a basic transformation that is repeated (iterated) multiple times inside the algorithm. Splitting a large algorithmic function into rounds simplifies both implementation and cryptanalysis.[1]
For example, encryption using an oversimplified three-round cipher can be written as, where C is the ciphertext and P is the plaintext. Typically, rounds are implemented using the same function, parameterized by the round constant and, for block ciphers, the round key from the key schedule. Parameterization is essential to reduce the self-similarity of the cipher, which could lead to slide attacks.[1]
Increasing the number of rounds "almost always"[2] protects against differential and linear cryptanalysis, as for these tools the effort grows exponentially with the number of rounds. However, increasing the number of rounds does not always make weak ciphers into strong ones, as some attacks do not depend on the number of rounds.[3]
The idea of an iterative cipher using repeated application of simple non-commutating operations producing diffusion and confusion goes as far back as 1945, to the then-secret version of C. E. Shannon's work "Communication Theory of Secrecy Systems";[4] Shannon was inspired by mixing transformations used in the field of dynamical systems theory (cf. horseshoe map). Most modern ciphers use an iterative design, with the number of rounds usually chosen between 8 and 32 (with 64 and even 80 used in cryptographic hashes).[5]
For some Feistel-like cipher descriptions, notably that of RC5, the term "half-round" is used to define the transformation of part of the data (a distinguishing feature of the Feistel design). This operation corresponds to a full round in traditional descriptions of Feistel ciphers (like DES).[6]
Inserting round-dependent constants into the encryption process breaks the symmetry between rounds and thus thwarts the most obvious slide attacks.[3] The technique is a standard feature of most modern block ciphers. However, a poor choice of round constants or unintended interrelations between the constants and other cipher components could still allow slide attacks (e.g., attacking the initial version of the format-preserving encryption mode FF3).[7]
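The symmetry that round constants break can be checked directly on a toy cipher. The following is an added example, not taken from the article or its sources; the 16-bit round function, the key and the constant values are all constructed for illustration. It counts how many plaintexts keep the "slid" relation E(F(P)) = F(E(P)) that exists when every round is the same function F.

```python
MASK = 0xFFFF  # toy 16-bit block (assumption); far too small for real use

def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def round_fn(x, key, rc):
    """One toy round: add the key, rotate, XOR in the round constant."""
    return rotl16((x + key) & MASK, 3) ^ rc

def encrypt(p, key, round_constants):
    """Iterate the round function once per round constant."""
    for rc in round_constants:
        p = round_fn(p, key, rc)
    return p

def slid_pairs_preserved(key, round_constants, plaintexts):
    """Count plaintexts P whose one-round slide survives encryption.

    P' is P advanced by the first round. When all rounds are the same
    function F, E(P') = F(E(P)) holds for every P; that self-similarity
    is what round-dependent constants are meant to remove.
    """
    first, last = round_constants[0], round_constants[-1]
    hits = 0
    for p in plaintexts:
        p_slid = round_fn(p, key, first)
        c = encrypt(p, key, round_constants)
        c_slid = encrypt(p_slid, key, round_constants)
        if c_slid == round_fn(c, key, last):
            hits += 1
    return hits

KEY = 0x1234            # constructed sample key
SAMPLES = range(1024)   # constructed sample plaintexts
CASES = {
    "no constants": (0, 0, 0, 0),
    "same constant every round": (7, 7, 7, 7),
    "round-dependent constants": (1, 2, 3, 4),
}

if __name__ == "__main__":
    for name, rcs in CASES.items():
        kept = slid_pairs_preserved(KEY, rcs, SAMPLES)
        print(f"{name}: relation holds for {kept} of {len(SAMPLES)} plaintexts")
```

A constant that is identical in every round leaves the rounds self-similar, so only the round-dependent schedule changes the count.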
Many lightweight ciphers utilize very simple key scheduling: the round keys come from adding the round constants to the encryption key. A poor choice of round constants in this case might make the cipher vulnerable to invariant attacks; ciphers broken this way include SCREAM and Midori64.[8]
Daemen and Rijmen assert that one of the goals of optimizing the cipher is reducing the overall workload, the product of the round complexity and the number of rounds. There are two approaches to address this goal:[2]
Cryptanalysis techniques include the use of versions of ciphers with fewer rounds than specified by their designers. Since a single round is usually cryptographically weak, many attacks that fail to work against the full version of ciphers will work on such reduced-round variants. The result of such an attack provides valuable information about the strength of the algorithm;[9] a typical break of the full cipher starts out as a success against a reduced-round one.[10]
Sateesan et al. propose using the reduced-round versions of lightweight hashes and ciphers as non-cryptographic hash functions.[11]