ABSTRACT
There are two types of data-driven operations efficient on the general purpose microprocessors available today: data-dependent rotation (DDR) and DDSS. The DDRs are extensively used in the well-known ciphers RC5 and RC6. Ciphering mechanism described in the following text characterizes a class of block encryption functions based on DDSS. We suppose that an expanded encryption key that
represents a sequence containing 2δ b-bit subkeys Q [ j], where j = 0, 1, 2, …, 2δ − 1, is used. This sequence is to be precomputed, depending on the secret key, the length of which is 128 to 256 bits. The input data block is represented as a concatenation of b-bit subblocks:
M = (B(0), B(1), …, B(w−1)) (5.1)
Encryption and decryption are executed as a sequence of elementary conversion steps: C = E(M) = ek(ek−1(… e2(e1(M)))) (5.2)
M = D(C) = e′k(e′k−1(… e′2(e′1(C)))) (5.3)
where e1, e2, …, ek and e′1, e′2, …, e′k are elementary encryption and decryption functions; C is a cipher text block. Elementary decryption function e′i is the inverse of function ek−i+1. Elementary encryption functions have the following structures:
j(s, g′) = (B(g′ ))<d(s−1)< mod 2δ (5.4)
B(g) ← ei(B(g), Q[ j(s,g′)]) (5.5)
where B<x< denotes to-left rotation of B by x bits, g′ = (i − 1) mod w, g = i mod w, d is an integer (d|b and 1< d < b), i is a counter of elementary encryption steps i = 1, 2, …, k (k ≥ wb/d ), and s is a counter of encryption subrounds s = (i − 1) mod (b/d ) + 1 (where i = 1, 2, …, b/d ). Integer d defines the number of encryption subrounds in one round. One encryption round includes wb/d consequent elementary steps. The value k = wb/d corresponds to the case when all binary digits of the input data block M will be used to control the subkey selection. Thus, in one round of the encryption function under consideration, each input bit influences the subkey selection. However, it may happen that two different input data blocks define the same set of selected subkeys. If this happens, it is a weakness from a general cryptanalytic point of view. To define the dependence of subkey selection on every input bit, one must impose certain conditions on the used elementary encryption functions.
