B. Schneier and J. Kesley. Unbalanced Feistel networks and block cipher design. In D. Gollmann, editor, Fast Software Encryption -- FSE'96, volume 1039 of LNCS, pages 121--144. Springer-Verlag, 1996.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....Many block ciphers may be characterized as Feistel networks. Feistel networks were invented by Horst Feistel [53] and are a general method of transforming a function into a permutation. The basic Feistel network divides the data block into two halves where one half operates upon the other half [126]. The function, termed the f function, uses one of the halves of the data block and a key to create a pseudo random bit stream that is used to encrypt or decrypt the other half of the data block. Therefore, to encrypt or decrypt both halves requires two iterations of the Feistel network. A ....

.... of PipeRench is that the architecture targets streaming applications where pipelining drastically increases system throughput once the latency of the pipeline has been met [61, 139] Systems that require feedback, as is the case with most block ciphers (operating in CBC, CFB, or OFB modes) [126], are difficult to realize within the PipeRench architecture. 3.1 Architecture Goals 3.1.1 Algorithm Agility Algorithm agility is defined as the ability to switch between cryptographic algorithms within a given system. Chief among the reasons for designing a system that supports algorithm ....

[Article contains additional citation context not shown here]

B. Schneier and J. Kelsey. Unbalanced Feistel Networks and Block Cipher Design. Cambridge, UK.

.... Key words: Feistel Network, diffusion, swapping scheme, complete F function INTRODUCTION A Feistel Network (FN) is a method for mixing the sub blocks of an input block in a cipher through repeated application of keyed, non linear F functions in order to generate a permutation of the input block [4, 8, 9]. In a standard FN the plaintext block is divided evenly into two sub blocks. The right subblock is fed into a key dependent F function. The left sub block is combined, via bitwise exclusive or (XOR) with the output of the F function. Afterwards, the two sub blocks are swapped (fig. 1(a) A ....

B. Schneier, J. Kelsey - "Unbalanced Feistel Networks and Block-Cipher Designs " - Fast Software Encryption, 3rd International Workshop Proceedings - Feb. 1996 - p. 121-144

.... Key words: Feistel Network, diffusion, swapping scheme, complete F function INTRODUCTION A Feistel Network (FN) is a method for mixing the sub blocks of an input block in a cipher through repeated application of keyed, non linear F functions in order to generate a permutation of the input block [4, 9, 10]. A round in a block cipher is a transformation which combines sub blocks of its input block through non linear, key dependent functions, called F functions (fig. 1(b) followed by a permutation of the sub blocks. In a standard FN the plaintext block is divided evenly into two sub blocks. The ....

B. Schneier, J. Kelsey - "Unbalanced Feistel Networks and Block-Cipher Designs " - Fast Software Encryption, 3rd International Workshop Proceedings - Feb. 1996 - p. 121-144

....Transformation . Final Permutation FP A block diagram for the Serpent algorithm is shown in Figure 1. Most block ciphers require an inverted key schedule as the only modification needed to perform decryption. Typically, these ciphers are based on Feistel networks as opposed to SP networks [16] [17]. This results in the Serpent decryption process requiring inverse operations for the S Boxes (implemented in reverse order) and the Linear Transformation in addition to a reverse ordering of the key schedule [15] Note that the implemented version of the Serpent algorithm performs encryption but ....

B. Schneier and J. Kelsey, "Unbalanced Feistel Networks and Block Cipher Design," in International Workshop on Fast Software Encryption (D. Gollmann, ed.), vol. LNCS 1039, (Cambridge, UK), SpringerVerlag, 1996.

....than on any other general structure. Other Feistel ciphers are FEAL, Blowfish, Khufu, LOKI91, CAST, and MISTY1. The approach of a Feistel cipher can be further extended by dividing the input into more parts (ciphers constructed in this way have been called general unbalanced Feistel networks [81]) This may lead to a faster propagation of changes, but could reduce parallelism (depending on the nature of the nonlinear functions) This type of approach is used by the MD4 family, MD2, Tiger, and Snefru. Other variants and extensions of uniform transformations and Feistel ciphers have been ....

B. Schneier, J. Kelsey, "Unbalanced Feistel networks and block cipher design," Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 121--144.

....value is given by [L 0 jR 0 ] This is equivalent to performing the encryption computation with the subkeys in reverse order, and with additive inverses for SK 3i , SK 3i Gamma2 . 2. 2 Key Schedule LOKI97 uses a key schedule based on an unbalanced Feistel network (as per Schneier and Kelsey [SK96]) operating on four 64 bit words. It uses the same function f(A; B) as the data computation to provide sufficient non linearity to ensure that computing related keys is infeasible. The key schedule is initialised, based on the size of the key supplied, into the four 64 bit words [K4 0 jK3 0 jK2 ....

....As discussed previously, following the analyses of the existing LOKI ciphers, we decided to use a non linear key schedule with the same round function as used for the data computation. Since the key schedule was to be initialised with up to 256 bit keys, an unbalanced Feistel network was needed [SK96]) being: SK i = K1 i = K4 i Gamma1 xor g i (K1 i Gamma1 ; K3 i Gamma1 ; K2 i Gamma1 ) K4 i = K3 i Gamma1 K3 i = K2 i Gamma1 K2 i = K1 i Gamma1 In order to accomodate the necessary 3 inputs, the function g(K1; K3;K2) was defined from the existing round function as: g i (K1; K3;K2) f(K1 K3 ....

Bruce Schneier and John Kelsey. Unbalanced Feistel Networks and Block Cipher Design, volume 1039 of Lecture Notes in Computer Science, pages 121--144. Springer-Verlag, 1996.

....permutations with reduced distinguishing probability using t 2 rounds (here t = 3) Recall, f i : I (1 Gamma1=t) 7 I =t (here f i : I 2 =3 7 I =3 ) length preserving functions as in Definition 2. 1) We note that using such unbalanced Feistel permutations was previously suggested in [5, 27, 45]. Definition 6.1 (Generalized Feistel Permutations) For any two positive integers, s and 0 , and any function f : I 0 7 I s let = 0 s and let D f 2 P be the permutation defined by D f (L; R) def = R; L Phi f(R) where jLj = s and jRj = 0 . We can now define the ....

B. Schneier and J. Kelsey, Unbalanced Feistel networks and block cipher design, Proc. Fast Software Encryption, Lecture Notes in Computer Science, vol. 1039, Springer-Verlag, 1996, pp. 121-144.

....constructions we first extend Feistel permutations to deal with the case where the underlying functions have arbitrary input and output lengths (instead of length preserving functions as in Definition 2. 1) We note that using such unbalanced Feistel permutations was previously suggested in [5, 28, 46]. Definition 6.1 (Generalized Feistel Permutations) For any integers 0 s and any function f : I Gammas 7 I s let D f 2 P be the permutation defined by D f (L; R) def = R; L Phi f(R) where jLj = s and jRj = Gamma s (D f is defined for any function f since one can read 8s, 8( ....

B. Schneier and J. Kelsey, Unbalanced Feistel networks and block cipher design, Proc. Fast Software Encryption, Lecture Notes in Computer Science, vol. 1039, Springer-Verlag, 1996, pp. 121-144.

No context found.

B. Schneier, J. Kelsey, \Unbalanced Feistel Networks and Block Cipher Design," Fast Software Encryption{Third International Workshop, Springer-Verlag, 1996.

No context found.

B. Schneier and J. Kelsey, "Unbalanced Feistel Networks and Block Cipher Design," Fast Software Encryption, 3rd International Workshop Proceedings, Springer-Verlag, 1996, pp. 121--144.

....only one byte position, it will often take many (48 64) rounds before full avalanche is achieved. In contrast, in the forward direction, avalanche is expected to be achieved relatively quickly (about 16 24 rounds) Ciphers with an asymmetrical internal structure (e.g. unbalanced Feistel networks [9]) often require extra care to avoid this sort of pitfall. Several other recent ciphers contain special precautions to avoid weaknesses in the reverse direction. As a notable example, Skipjack [7, 10] alternates between one round structure (Rule A) and its inverse (Rule B) to avoid asymmetries ....

B. Schneier and J. Kelsey, \Unbalanced Feistel Networks and Block Cipher Design," Fast Software Encryption, 3rd International Workshop Proceedings, Springer-Verlag, 1996, pp. 121-144.

....of batches. Alternatively, we can simply build sorted lists of all the Z i and all the Z i ## 1 , and then look for matches. 3 Amplified Boomerangs and the MARS Core 3. 1 The MARS Core MARS [BCD 98] is a heterogenous, target heavy, unbalanced Feistel network (to use the nomenclature from [SK96]) At the center are 16 core rounds: eight forward core rounds and eight backward core rounds. Surrounding those rounds are 16 keyless mixing rounds: eight forward mixing rounds before the core, and eight backward mixing rounds after the core. Surrounding that are two whitening rounds: one at the ....

B. Schneier and J. Kelsey, "Unbalanced Feistel Networks and Block Cipher Design," Fast Software Encryption, 3rd International Workshop Proceedings, Springer-Verlag, 1996, pp. 121--144.

....one byte position, it will often take many (48 64) rounds before full avalanche is achieved. In contrast, in the forward direction, avalanche is expected to be achieved relatively quickly (about 16 24 rounds) 8 Ciphers with an asymmetrical internal structure (e.g. unbalanced Feistel networks [9]) often require extra care to avoid this sort of pitfall. Several other recent ciphers contain special precautions to avoid weaknesses in the reverse direction. As a notable example, Skipjack [7, 10] alternates between one round structure (Rule A) and its inverse (Rule B) to avoid asymmetries ....

B. Schneier and J. Kelsey, "Unbalanced Feistel Networks and Block Cipher Design," Fast Software Encryption, 3rd International Workshop Proceedings, Springer-Verlag, 1996, pp. 121--144.

....0 1 2 3 4 5 6 F1 .5 .5 .5 .5 .5 .5 .5 F2 .5 .5 .5 .25 .5 .5 .75 F3 .5 .5 .5 .5 .5 .5 .5 F4 .5 .5 .5 .5 .5 .5 .5 Table 1. Probability that the output of F i remains unchanged after flipping one input bit. The second complication is much, much more problematic. SPEED is, in the terminology of [9], a source heavy UFN. Furthermore, there is no key addition before the input of the F function. This means that the inputs to the Feistel F function in successive rounds can t be assumed to be independent, as they generally can be in a balanced Feistel network or in a target heavy UFN. If the ....

....characteristic (across F 2 ) the characteristic always has a probability of 0. However, later in this paper we will show how to fix the attack by tweaking the di#erential characteristic. See Section 4. The problem of inter round dependence was mentioned as a theoretical possibility in [9]; here we give a practical example where it arises. The dependence also arises again in Section 6, where precisely this di#culty complicates a related key attack on the cipher. 4 More on Di#erential Characteristics Di#erential characteristics are also possible with more than one bit at the same ....

B. Schneier, J. Kelsey, "Unbalanced Feistel Networks and Block Cipher Design," Fast Software Encryption--Third International Workshop, Springer-Verlag, 1996.

No context found.

B. Schneier and J. Kelsey, "Unbalanced Feistel Networks and Block Cipher Design," Fast Software Encryption, 3rd International Workshop Proceedings, Springer-Verlag, 1996, pp. 121--144.

....i. 0 1 2 3 4 5 6 F1 :5 :5 :5 :5 :5 :5 :5 F2 :5 :5 :5 :25 :5 :5 :75 F3 :5 :5 :5 :5 :5 :5 :5 F4 :5 :5 :5 :5 :5 :5 :5 Table 1. Probability that the output of F i remains unchanged after flipping one input bit. The second complication is much, much more problematic. SPEED is, in the terminology of [9], a source heavy UFN. Furthermore, there is no key addition before the input of the F function. This means that the inputs to the Feistel F function in successive rounds can t be assumed to be independent, as they generally can be in a balanced Feistel network or in a target heavy UFN. If the ....

....characteristic (across F 2 ) the characteristic always has a probability of 0. However, later in this paper we will show how to fix the attack by tweaking the differential characteristic. See Section 4. The problem of inter round dependence was mentioned as a theoretical possibility in [9]; here we give a practical example where it arises. The dependence also arises again in Section 6, where precisely this difficulty complicates a related key attack on the cipher. 4 More on Differential Characteristics Differential characteristics are also possible with more than one bit at the ....

B. Schneier, J. Kelsey, "Unbalanced Feistel Networks and Block Cipher Design," Fast Software Encryption--Third International Workshop, Springer-Verlag, 1996.

....one byte position, it will often take many (48 64) rounds before full avalanche is achieved. In contrast, in the forward direction, avalanche is expected to be achieved relatively quickly (about 16 24 rounds) Ciphers with an asymmetrical internal structure (e.g. unbalanced Feistel networks [9]) often require extra care to avoid this sort of pitfall. Several other recent ciphers contain special precautions to avoid weaknesses in the reverse direction. As a notable example, Skipjack [7, 10] alternates between one round structure (Rule A) and its inverse (Rule B) to avoid asymmetries ....

B. Schneier and J. Kelsey, "Unbalanced Feistel Networks and Block Cipher Design," Fast Software Encryption, 3rd International Workshop Proceedings, Springer-Verlag, 1996, pp. 121--144.

No context found.

B. Schneier and J. Kesley. Unbalanced Feistel networks and block cipher design. In D. Gollmann, editor, Fast Software Encryption -- FSE'96, volume 1039 of LNCS, pages 121--144. Springer-Verlag, 1996.

No context found.

B. Schneier and J. Kelsey, Unbalanced Feistel networks and block cipher design, Proc. Fast Software Encryption, Lecture Notes in Computer Science, vol. 1039, Springer-Verlag, 1996, pp. 121-144.

No context found.

B. Schneier and J. Kelsey, \Unbalanced Feistel Networks and Block Cipher Design ", in Proceedings of the Third International Workshop on Fast Software Encryption, Cambridge, UK, February 1996, Springer, LNCS 1039, pp.121-144.

No context found.

Bruce Schneier and John Kelsey. Unbalanced feistel networks and block cipher design. In Dieter Gollmann, editor, Fast Software Encryption, Third International workshop, volume 1039 of LNCS, pages 121--144, Cambridge, UK, 21-23 February 1996. Springer-Verlag.

No context found.

Schneier and Kelsey. Unbalanced Feistel Networks and Block Cipher Design. In Proceedings of Fast Software Encryption (FSE), LNCS 1039, Springer-Verlag, 1996.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC