DFC (cipher)
Encyclopedia
In cryptography
, DFC (Decorrelated Fast Cipher) is a block cipher
which was
created in 1998 by a group of researchers from École Normale Supérieure
, CNRS, and France Télécom
(including Jacques Stern
and Serge Vaudenay
) and submitted to the AES competition.
Like other AES candidates, DFC operates on blocks of 128 bits, using a key of 128, 192, or 256 bits. It uses an 8-round Feistel network. The round function uses a single 6×32-bit S-box
, as well as an affine transformation
mod 264+13. DFC can actually use a key of any size up to 256 bits; the key schedule
uses another 4-round Feistel network to generate a 1024-bit "expanded key". The arbitrary constants, including all entries of the S-box, are derived using the binary expansion of e
as a source of "nothing up my sleeve number
s".
Soon after DFC's publication, Ian Harvey raised the concern that reduction modulo a 65-bit number was beyond the native capabilities of most platforms, and that careful implementation would be required to protect against side-channel attacks, especially timing attack
s. Although DFC was designed using Vaudenay's decorrelation theory
to be provably secure
against ordinary differential
and linear cryptanalysis
, in 1999 Lars Knudsen
and Vincent Rijmen
presented a differential chosen-ciphertext attack
that breaks 6 rounds faster than exhaustive search.
In 2000, Vaudenay, et al. presented an updated version of the algorithm, called DFCv2. This variant allows for more choice in the cipher's parameters, and uses a modified key schedule to eliminate certain weak key
s discovered by Don Coppersmith
.
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
, DFC (Decorrelated Fast Cipher) is a block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
which was
created in 1998 by a group of researchers from École Normale Supérieure
École Normale Supérieure
The École normale supérieure is one of the most prestigious French grandes écoles...
, CNRS, and France Télécom
France Télécom
France Telecom S.A. is the main telecommunications company in France, the third-largest in Europe and one of the largest in the world. It currently employs about 180,000 people and has 192.7 million customers worldwide . In 2010 the group had revenue of €45.5 billion...
(including Jacques Stern
Jacques Stern
Jacques Stern is a cryptographer, currently a professor at the École Normale Supérieure, where he is Director of the Computer Science Laboratory. He received the 2006 CNRS Gold Medal...
and Serge Vaudenay
Serge Vaudenay
Serge Vaudenay is a well-known French cryptographer.Serge Vaudenay entered the École Normale Supérieure in Paris as a normalien student in 1989. In 1992, he passed the agrégation in mathematics. He did his PhD at the computer science laboratory of École Normale Supérieure, and defended it in 1995...
) and submitted to the AES competition.
Like other AES candidates, DFC operates on blocks of 128 bits, using a key of 128, 192, or 256 bits. It uses an 8-round Feistel network. The round function uses a single 6×32-bit S-box
Substitution box
In cryptography, an S-Box is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext — Shannon's property of confusion...
, as well as an affine transformation
Affine transformation
In geometry, an affine transformation or affine map or an affinity is a transformation which preserves straight lines. It is the most general class of transformations with this property...
mod 264+13. DFC can actually use a key of any size up to 256 bits; the key schedule
Key schedule
[[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES [[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES [[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES ("[[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES ("...
uses another 4-round Feistel network to generate a 1024-bit "expanded key". The arbitrary constants, including all entries of the S-box, are derived using the binary expansion of e
E (mathematical constant)
The mathematical constant ' is the unique real number such that the value of the derivative of the function at the point is equal to 1. The function so defined is called the exponential function, and its inverse is the natural logarithm, or logarithm to base...
as a source of "nothing up my sleeve number
Nothing up my sleeve number
In cryptography, nothing up my sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need randomized constants for mixing or initialization purposes...
s".
Soon after DFC's publication, Ian Harvey raised the concern that reduction modulo a 65-bit number was beyond the native capabilities of most platforms, and that careful implementation would be required to protect against side-channel attacks, especially timing attack
Timing attack
In cryptography, a timing attack is a side channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms...
s. Although DFC was designed using Vaudenay's decorrelation theory
Decorrelation theory
In cryptography, decorrelation theory is a system developed by Serge Vaudenay for designing block ciphers to be provably secure against differential cryptanalysis, linear cryptanalysis, and even undiscovered cryptanalytic attacks meeting certain broad criteria...
to be provably secure
Provable security
In cryptography, a system has provable security if its security requirements can be stated formally in an adversarial model, as opposed to heuristically, with clear assumptions that the adversary has access to the system as well as enough computational resources...
against ordinary differential
Differential cryptanalysis
Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in an input can affect the resultant difference at the output...
and linear cryptanalysis
Linear cryptanalysis
In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers...
, in 1999 Lars Knudsen
Lars Knudsen
Lars Ramkilde Knudsen is a Danish researcher in cryptography, particularly interested in the design and analysis of block ciphers, hash functions and message authentication codes .-Academic:...
and Vincent Rijmen
Vincent Rijmen
Vincent Rijmen is a Belgian cryptographer and one of the two designers of the Rijndael, the Advanced Encryption Standard. Rijmen is also the co-designer of the WHIRLPOOL cryptographic hash function, and the block ciphers Anubis, KHAZAD, Square, NOEKEON and SHARK.In 1993, Rijmen obtained a degree...
presented a differential chosen-ciphertext attack
Chosen-ciphertext attack
A chosen-ciphertext attack is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the...
that breaks 6 rounds faster than exhaustive search.
In 2000, Vaudenay, et al. presented an updated version of the algorithm, called DFCv2. This variant allows for more choice in the cipher's parameters, and uses a modified key schedule to eliminate certain weak key
Weak key
In cryptography, a weak key is a key, which, used with a specific cipher, makes the cipher behave in some undesirable way. Weak keys usually represent a very small fraction of the overall keyspace, which usually means that, if one generates a random key to encrypt a message, weak keys are very...
s discovered by Don Coppersmith
Don Coppersmith
Don Coppersmith is a cryptographer and mathematician. He was involved in the design of the Data Encryption Standard block cipher at IBM, particularly the design of the S-boxes, strengthening them against differential cryptanalysis...
.