| General | |
|---|---|
| Designers | David M'Raïhi,David Naccache,Jacques Stern,Serge Vaudenay |
| First published | January 1997 |
| Cipher detail | |
| Key sizes | variable, equal to block size |
| Block sizes | variable |
| Rounds | variable, even |
| Best publiccryptanalysis | |
| differential cryptanalysis, complementation property,weak keys | |
Incryptography,xmx is ablock cipher designed in 1997 by DavidM'Raïhi,David Naccache,Jacques Stern, andSerge Vaudenay. According to thedesigners it "usespublic-key-like operations asconfusion and diffusion means." Thecipher was designed for efficiency, and the only operations it uses areXORsandmodular multiplications.
The main parameters of xmx are variable, including theblock size andkey size, which are equal, as wellas the number of rounds. In addition to thekey, it also makesuse of an odd modulusn which is small enough to fit in a single block.
The round function is f(m)=(moa)·b mod n, where a and b aresubkeys and b iscoprime to n. Here moa represents an operation thatequals m XOR a, if that is less than n, and otherwise equals m. This is a simpleinvertible operation: moaoa = m. The xmx cipher consistsof an even number of iterations of the round function, followed by a finalowith an additional subkey.
Thekey schedule is very simple, using the same key for all the multipliers, andthree different subkeys for the others: the key itself for the first half of thecipher, itsmultiplicative inverse mod n for the last half, and the XOR of these twofor the middle subkey.
The designers defined four specific variants of xmx:
Borisov, et al., using a multiplicative form ofdifferential cryptanalysis, found acomplementation property for any variant of xmx, like the first three above, such thatn=2k-1, where k is the block size. They also found largeweak key classesfor the Challenge variant, and for many other moduli.
{{cite conference}}: CS1 maint: multiple names: authors list (link)