| General | |
|---|---|
| Designers | Jacques Stern, Serge Vaudenay, et al. |
| First published | 1998 |
| Related to | COCONUT98 |
| Cipher detail | |
| Key sizes | 128, 192, or 256 bits |
| Block sizes | 128 bits |
| Structure | Feistel network |
| Rounds | 8 |
| Best public cryptanalysis | |
| Knudsen and Rijmen's differential attack breaks 6 rounds | |
In cryptography, DFC (Decorrelated Fast Cipher) is a symmetric block cipher which was created in 1998 by a group of researchers from École Normale Supérieure, CNRS, and France Télécom (including Jacques Stern and Serge Vaudenay) and submitted to the AES competition.
Like other AES candidates, DFC operates on blocks of 128 bits, using a key of 128, 192, or 256 bits. It uses an 8-round Feistel network. The round function uses a single 6×32-bit S-box, as well as an affine transformation mod 2^64 + 13. DFC can actually use a key of any size up to 256 bits; the key schedule uses another 4-round Feistel network to generate a 1024-bit "expanded key". The arbitrary constants, including all entries of the S-box, are derived using the binary expansion of e as a source of "nothing up my sleeve numbers".
Soon after DFC's publication, Ian Harvey raised the concern that reduction modulo a 65-bit number was beyond the native capabilities of most platforms, and that careful implementation would be required to protect against side-channel attacks, especially timing attacks. Although DFC was designed using Vaudenay's decorrelation theory to be provably secure against ordinary differential and linear cryptanalysis, in 1999 Lars Knudsen and Vincent Rijmen presented a differential chosen-ciphertext attack that breaks 6 rounds faster than exhaustive search.
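The implementation concern above can be made concrete with an added example (not DFC's reference code): an affine map a·x + b reduced mod 2^64 + 13, once with a variable-time 128-bit `%` and once with branch-free folding. The function names, the 64-bit operand widths, the use of the GCC/Clang `unsigned __int128` extension, and constant-time 64×64 multiplication on the target CPU are assumptions of this sketch.

```c
#include <stdint.h>

typedef unsigned __int128 u128;  /* GCC/Clang extension on 64-bit targets (assumption) */

/* p = 2^64 + 13 is a 65-bit modulus, so residues do not fit in a uint64_t. */
static u128 dfc_p(void) { return ((u128)1 << 64) + 13; }

/* Variable-time form: 128-bit '%' is a library division routine whose
 * running time can depend on the operand values. */
u128 affine_mod_ref(uint64_t a, uint64_t x, uint64_t b) {
    return ((u128)a * x + b) % dfc_p();
}

/* Branch-free conditional subtract: returns r - p if r >= p, else r.
 * Requires r < 2^127 so that bit 127 of (r - p) is exactly the borrow. */
static u128 csub_p(u128 r) {
    u128 d = r - dfc_p();
    u128 keep = (u128)0 - (d >> 127);   /* all ones if the subtraction borrowed */
    return (r & keep) | (d & ~keep);
}

/* Hardened form: uses 2^64 = -13 (mod p) to fold the high half down twice,
 * then two masked subtractions. No division, no data-dependent branch. */
u128 affine_mod_ct(uint64_t a, uint64_t x, uint64_t b) {
    u128 t = (u128)a * x + b;            /* at most 2^128 - 2^64, no overflow */
    uint64_t hi = (uint64_t)(t >> 64), lo = (uint64_t)t;
    u128 m = (u128)hi * 13;              /* t = lo - m (mod p) */
    uint64_t h2 = (uint64_t)(m >> 64);   /* h2 <= 12 */
    uint64_t l2 = (uint64_t)m;           /* m = l2 - 13*h2 (mod p) */
    /* Add p once so the sum never goes negative; r < 2p + 143. */
    u128 r = (u128)lo + 13u * (u128)h2 + dfc_p() - l2;
    r = csub_p(r);
    return csub_p(r);                    /* now 0 <= result < p */
}

int main(void) {
    /* Constructed sample operands; exit status 0 means both forms agree. */
    uint64_t a = 0x0123456789ABCDEFULL, x = 0xFEDCBA9876543210ULL, b = 42;
    return affine_mod_ct(a, x, b) != affine_mod_ref(a, x, b);
}
```

Whether the compiled output is actually constant-time still has to be checked on the generated assembly for each compiler and target.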
In 2000, Vaudenay, et al. presented an updated version of the algorithm, called DFCv2. This variant allows for more choice in the cipher's parameters, and uses a modified key schedule to eliminate certain weak keys discovered by Don Coppersmith.