Round (cryptography)

Last updated April 13, 2023

In cryptography, a round or round function is a basic transformation that is repeated (iterated) multiple times inside the algorithm. Splitting a large algorithmic function into rounds simplifies both implementation and cryptanalysis.^[1]

For example, encryption using an oversimplified three-round cipher can be written as $C=R_{3}(R_{2}(R_{1}(P)))$ , where $C$ is the ciphertext and $P$ is the plaintext. Typically, rounds $R_{1},R_{2},...$ are implemented using the same function, parameterized by the round constant and, for block ciphers, the round key from the key schedule. Parameterization is essential to reduce the self-similarity of the cipher, which could lead to slide attacks.^[1]

Increasing the number of rounds "almost always"^[2] protects against differential and linear cryptanalysis, as for these tools the effort grows exponentially with the number of rounds. Simply increasing the number of rounds does not necessarily make weak ciphers into strong ones, as some attacks do not depend on the number of rounds.^[3]

The idea of an iterative cipher using repeated application of simple non-commutating operations producing diffusion and confusion goes as far back as 1945, to the then-secret version of C. E. Shannon's work "Communication Theory of Secrecy Systems";^[4] Shannon was inspired by mixing transformations used in the field of dynamical systems theory (cf. horseshoe map). Most of the modern ciphers use iterative design with number of rounds usually chosen between 8 and 32 (with 64 and even 80 used in cryptographic hashes).^[5]

For some Feistel-like cipher descriptions, notably the one of the RC5, a term "half-round" is used to define the transformation of part of the data (a distinguishing feature of the Feistel design). This operation corresponds to a full round in traditional descriptions of Feistel ciphers (like DES).^[6]

Round constants

Inserting round-dependent constants into the encryption process breaks the symmetry between rounds and thus thwarts the most obvious slide attacks.^[3] The technique is a standard feature of most modern block ciphers. However, a poor choice of round constants or unintended interrelations between the constants and other cipher components could still allow slide attacks (e.g., attacking the initial version of the format-preserving encryption mode FF3).^[7]

Many lightweight ciphers utilize very simple key scheduling: the round keys come from adding the round constants to the encryption key. A poor choice of round constants in this case might make the cipher vulnerable to invariant attacks; ciphers broken this way include SCREAM and Midori64.^[8]

Optimization

Daemen and Rijmen assert that one of the goals of optimizing the cipher is reducing the overall workload, the product of the round complexity and the number of rounds. There are two approaches to address this goal:^[2]

local optimization improves the worst-case behavior of a single round (two rounds for Feistel ciphers);
global optimization optimizes the worst-case behavior of more than one round, allowing the use of less sophisticated components.

Reduced-round ciphers

Cryptanalysis techniques include the use of versions of ciphers with fewer rounds than specified by their designers. Since a single round is usually cryptographically weak, many attacks that fail to work against the full version of ciphers will work on such reduced-round variants. The result of such attack provides valuable information about the strength of the algorithm,^[9] a typical break of the full cipher starts out as a success against a reduced-round one.^[10]

Related Research Articles

The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks. Block ciphers are specified elementary components in the design of many cryptographic protocols and are widely used to encrypt large amounts of data, including in data exchange protocols. A block cipher uses blocks as an unvarying transformation.

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

In cryptography, the International Data Encryption Algorithm (IDEA), originally called Improved Proposed Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991. The algorithm was intended as a replacement for the Data Encryption Standard (DES). IDEA is a minor revision of an earlier cipher Proposed Encryption Standard (PES).

In cryptography, Skipjack is a block cipher—an algorithm for encryption—developed by the U.S. National Security Agency (NSA). Initially classified, it was originally intended for use in the controversial Clipper chip. Subsequently, the algorithm was declassified.

<span class="mw-page-title-main">GOST (block cipher)</span> Soviet/Russian national standard block cipher

The GOST block cipher (Magma), defined in the standard GOST 28147-89, is a Soviet and Russian government standard symmetric key block cipher with a block size of 64 bits. The original standard, published in 1989, did not give the cipher any name, but the most recent revision of the standard, GOST R 34.12-2015, specifies that it may be referred to as Magma. The GOST hash function is based on this cipher. The new standard also specifies a new 128-bit block cipher called Kuznyechik.

In cryptography, confusion and diffusion are two properties of the operation of a secure cipher identified by Claude Shannon in his 1945 classified report A Mathematical Theory of Cryptography. These properties, when present, work together to thwart the application of statistics and other methods of cryptanalysis.

In cryptography, LOKI97 is a block cipher which was a candidate in the Advanced Encryption Standard competition. It is a member of the LOKI family of ciphers, with earlier instances being LOKI89 and LOKI91. LOKI97 was designed by Lawrie Brown, assisted by Jennifer Seberry and Josef Pieprzyk.

In cryptography, MISTY1 is a block cipher designed in 1995 by Mitsuru Matsui and others for Mitsubishi Electric.

In cryptography, Khufu and Khafre are two block ciphers designed by Ralph Merkle in 1989 while working at Xerox's Palo Alto Research Center. Along with Snefru, a cryptographic hash function, the ciphers were named after the Egyptian Pharaohs Khufu, Khafre and Sneferu.

<span class="mw-page-title-main">MacGuffin (cipher)</span> Block cipher

In cryptography, MacGuffin is a block cipher created in 1994 by Bruce Schneier and Matt Blaze at a Fast Software Encryption workshop. It was intended as a catalyst for analysis of a new cipher structure, known as Generalized Unbalanced Feistel Networks (GUFNs). The cryptanalysis proceeded very quickly, so quickly that the cipher was broken at the same workshop by Vincent Rijmen and Bart Preneel.

Bart Preneel is a Flemish cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, in the COSIC group.

The slide attack is a form of cryptanalysis designed to deal with the prevailing idea that even weak ciphers can become very strong by increasing the number of rounds, which can ward off a differential attack. The slide attack works in such a way as to make the number of rounds in a cipher irrelevant. Rather than looking at the data-randomizing aspects of the block cipher, the slide attack works by analyzing the key schedule and exploiting weaknesses in it to break the cipher. The most common one is the keys repeating in a cyclic manner.

In cryptography, integral cryptanalysis is a cryptanalytic attack that is particularly applicable to block ciphers based on substitution–permutation networks. It was originally designed by Lars Knudsen as a dedicated attack against Square, so it is commonly known as the Square attack. It was also extended to a few other ciphers related to Square: CRYPTON, Rijndael, and SHARK. Stefan Lucks generalized the attack to what he called a saturation attack and used it to attack Twofish, which is not at all similar to Square, having a radically different Feistel network structure. Forms of integral cryptanalysis have since been applied to a variety of ciphers, including Hierocrypt, IDEA, Camellia, Skipjack, MISTY1, MISTY2, SAFER++, KHAZAD, and FOX.

In cryptography, KN-Cipher is a block cipher created by Kaisa Nyberg and Lars Knudsen in 1995. One of the first ciphers designed to be provably secure against ordinary differential cryptanalysis, KN-Cipher was later broken using higher order differential cryptanalysis.

In cryptography, truncated differential cryptanalysis is a generalization of differential cryptanalysis, an attack against block ciphers. Lars Knudsen developed the technique in 1994. Whereas ordinary differential cryptanalysis analyzes the full difference between two texts, the truncated variant considers differences that are only partially determined. That is, the attack makes predictions of only some of the bits instead of the full block. This technique has been applied to SAFER, IDEA, Skipjack, E2, Twofish, Camellia, CRYPTON, and even the stream cipher Salsa20.

Multivariate cryptography is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over a finite field $. In certain cases those polynomials could be defined over both a ground and an extension field. If the polynomials have the degree two, we talk about multivariate quadratics. Solving systems of multivariate polynomial equations is proven to be NP-complete. That's why those schemes are often considered to be good candidates for post-quantum cryptography. Multivariate cryptography has been very productive in terms of design and cryptanalysis. Overall, the situation is now more stable and the strongest schemes have withstood the test of time. It is commonly admitted that Multivariate cryptography turned out to be more successful as an approach to build signature schemes primarily because multivariate schemes provide the shortest signature among post-quantum algorithms.$

The following outline is provided as an overview of and topical guide to cryptography:

This article summarizes publicly known attacks against block ciphers and stream ciphers. Note that there are perhaps attacks that are not publicly known, and not all entries may be up to date.

PRESENT is a lightweight block cipher, developed by the Orange Labs (France), Ruhr University Bochum (Germany) and the Technical University of Denmark in 2007. PRESENT was designed by Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J. B. Robshaw, Yannick Seurin, and C. Vikkelsoe. The algorithm is notable for its compact size.

References

1 2 Aumasson 2017, p. 56.
1 2 Daemen & Rijmen 2013, p. 74.
1 2 Biryukov & Wagner 1999.
↑ Shannon, Claude (September 1, 1945). "A Mathematical Theory of Cryptography" (PDF). p. 97.
↑ Biryukov 2005.
↑ Kaliski & Yin 1995, p. 173.
↑ Dunkelman et al. 2020, p. 252.
↑ Beierle et al. 2017.
↑ Robshaw 1995, p. 23.
↑ Schneier 2000, p. 2.

Sources

Aumasson, Jean-Philippe (6 November 2017). Serious Cryptography: A Practical Introduction to Modern Encryption. No Starch Press. pp. 56–57. ISBN 978-1-59327-826-7. OCLC 1012843116.
Biryukov, Alex; Wagner, David (1999). "Slide Attacks". Fast Software Encryption. Lecture Notes in Computer Science. Vol. 1636. Springer Berlin Heidelberg. pp. 245–259. doi:10.1007/3-540-48519-8_18. ISBN 978-3-540-66226-6. ISSN 0302-9743.
Dunkelman, Orr; Keller, Nathan; Lasry, Noam; Shamir, Adi (2020). "New Slide Attacks on Almost Self-similar Ciphers". Advances in Cryptology – EUROCRYPT 2020. Lecture Notes in Computer Science. Vol. 12105. Springer International Publishing. pp. 250–279. doi:10.1007/978-3-030-45721-1_10. eISSN 1611-3349. ISBN 978-3-030-45720-4. ISSN 0302-9743.
Beierle, Christof; Canteaut, Anne; Leander, Gregor; Rotella, Yann (2017). "Proving Resistance Against Invariant Attacks: How to Choose the Round Constants" (PDF). Advances in Cryptology – CRYPTO 2017. Lecture Notes in Computer Science. Vol. 10402. Springer International Publishing. pp. 647–678. doi:10.1007/978-3-319-63715-0_22. eISSN 1611-3349. ISBN 978-3-319-63714-3. ISSN 0302-9743.
Biryukov, Alex (2005). "Product Cipher, Superencryption". Encyclopedia of Cryptography and Security. Springer US. pp. 480–481. doi:10.1007/0-387-23483-7_320.
Robshaw, M.J.B. (August 2, 1995). Block Ciphers (PDF) (Version 2.0 ed.). Redwood City, CA: RSA Laboratories.
Schneier, Bruce (January 2000). "A Self-Study Course in Block-Cipher Cryptanalysis" (PDF). Cryptologia. 24 (1): 18–34. doi:10.1080/0161-110091888754. S2CID 53307028.
Kaliski, Burton S.; Yin, Yiqun Lisa (1995). "On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm" (PDF). Advances in Cryptology — CRYPT0’ 95. Springer Berlin Heidelberg. pp. 171–184. doi:10.1007/3-540-44750-4_14. ISSN 0302-9743.
Daemen, Joan; Rijmen, Vincent (9 March 2013). The Design of Rijndael: AES - The Advanced Encryption Standard (PDF). Springer Science & Business Media. ISBN 978-3-662-04722-4. OCLC 1259405449.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[FOOTNOTEAumasson201756-1] 1 2 Aumasson 2017, p. 56.

[FOOTNOTEDaemenRijmen201374-2] 1 2 Daemen & Rijmen 2013, p. 74.

[FOOTNOTEBiryukovWagner1999-3] 1 2 Biryukov & Wagner 1999.

[4] Shannon, Claude (September 1, 1945). "A Mathematical Theory of Cryptography" (PDF). p. 97.

[FOOTNOTEBiryukov2005-5] Biryukov 2005.

[FOOTNOTEKaliskiYin1995173-6] Kaliski & Yin 1995, p. 173.

[FOOTNOTEDunkelmanKellerLasryShamir2020252-7] Dunkelman et al. 2020, p. 252.

[FOOTNOTEBeierleCanteautLeanderRotella2017-8] Beierle et al. 2017.

[FOOTNOTERobshaw199523-9] Robshaw 1995, p. 23.

[FOOTNOTESchneier20002-10] Schneier 2000, p. 2.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]