[Cryptography] Gates are cheap. Should cipher design change?

Jon Callas jon at callas.org
Mon Mar 28 18:33:07 EDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


> On Mar 28, 2016, at 8:00 AM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> 
> What would a modern cipher designed for efficient hardware
> implementation look like? Is it just DES with more rounds and a bigger
> block size? How about mixing up different cipher principles in one
> cipher? So start with a Feistel, then an S-box, then...
> 
> Another possibility to consider is what could we do if we mixed those
> single instruction AES rounds with another cipher entirely.

Look at ARX constructions. Look at Threefish (part of Skein), the design of BLAKE, and others. Also, as Jim said, Simon and Speck. I really recommend the Skein paper, because we discuss precisely this. It was designed to run on a 64-bit CPU that has add, rotate, and xor.

Feistel construction is inefficient. You're only working on half the data on each round -- so you really just need more rounds, but it means that the per-round overhead is higher. The alternative, which is called an S-P network, can also be thought of as taking the same concept and just doing both halves in a single round.

There have been a number of attempts to use pieces of AES as a lower-order function and they just really haven't been as good. 

If you want, I could say more, but I'm just repeating what's been said elsewhere.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.3.0 (Build 9060)
Charset: us-ascii

wsBVAwUBVvmxKfD9H+HfsTZWAQj1zgf/SGoXIOp3BqP4lChnMHEKMwgcpdlhDMDp
iZadKHGLT8ecbVtWwHdgqAQ7tlkbbdOeWiqTFefBuQPpGHY8SDpad0uTgchZKRFV
3EXtdrqPGm7SvqNGj+/LmXkLofJhPYWSyThNvRBKhiuLajZXAd6KgMNf3glVCECE
vfFtmgnBJbITOPvAtVKOE8asZgkFTB4/M7hLEd6KO2ZrTgRLnNIPHtnT2jVLtKpn
B0WQmcsGzIpy99MV0lYy/5B6Oxs6RGfpg+Nk5JH+L2mdea3geKSAez3O5q5Ofjyh
+kYRjW34aVJIobKzynUyJRwGBQdiETShdvEgzwpNyHyGgOS92/aERg==
=fzTR
-----END PGP SIGNATURE-----
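As an added illustration of the two points made in the reply above (this is example code written for this archive page, not code from the original post and not the Skein/Threefish reference implementation): `mix()`/`unmix()` follow the MIX function described in the Skein paper (one 64-bit add, one rotate, one xor), while the rotation constants, the toy key schedule, the Feistel F function and the sample inputs are constructed for the example. The Feistel network below passes only one 64-bit half through F per round, whereas the SP-style network transforms both words every round; `one_round_diffusion()` makes that difference measurable after a single round, and `avalanche()` lets you watch how many rounds each structure needs before a one-bit input change spreads across the 128-bit block. Neither construction is a cipher; they exist only to compare round structure.

```python
# Added example for the "Gates are cheap" thread: ARX building block and
# Feistel vs. SP-style round structure on a 128-bit block of two 64-bit words.
# Only mix()/unmix() follow the Skein paper's MIX; everything else is constructed.

MASK64 = (1 << 64) - 1


def rotl64(x: int, r: int) -> int:
    """Rotate a 64-bit word left by r bits."""
    r %= 64
    return ((x << r) | (x >> (64 - r))) & MASK64


def rotr64(x: int, r: int) -> int:
    """Rotate a 64-bit word right by r bits."""
    return rotl64(x, (64 - r) % 64)


def mix(x0: int, x1: int, r: int) -> tuple:
    """Threefish MIX: add, rotate, xor. That is the entire ARX toolkit."""
    y0 = (x0 + x1) & MASK64
    y1 = rotl64(x1, r) ^ y0
    return y0, y1


def unmix(y0: int, y1: int, r: int) -> tuple:
    """Inverse of mix(): each ARX step is individually invertible."""
    x1 = rotr64(y1 ^ y0, r)
    x0 = (y0 - x1) & MASK64
    return x0, x1


# Constructed rotation constants for this example (not Threefish's table).
ROTATIONS = (14, 52, 23, 5, 25, 46, 58, 32)


def subkeys(key: tuple, rounds: int) -> list:
    """Constructed toy key schedule (not Threefish's): rotate the key words per round."""
    k0, k1 = key
    return [(rotl64(k0, 7 * i + 1) ^ i, rotl64(k1, 11 * i + 3) ^ i) for i in range(rounds)]


def f_arx(x: int, k: int, r: int) -> int:
    """Toy Feistel round function built from ARX only; need not be invertible."""
    return rotl64((x + k) & MASK64, r) ^ x


def feistel_encrypt(block: tuple, key: tuple, rounds: int) -> tuple:
    left, right = block
    for i, (k0, _) in enumerate(subkeys(key, rounds)):
        # Only `right` goes through F; `left` is merely xored and swapped.
        left, right = right, left ^ f_arx(right, k0, ROTATIONS[i % 8])
    return left, right


def feistel_decrypt(block: tuple, key: tuple, rounds: int) -> tuple:
    left, right = block
    for i, (k0, _) in reversed(list(enumerate(subkeys(key, rounds)))):
        left, right = right ^ f_arx(left, k0, ROTATIONS[i % 8]), left
    return left, right


def sp_encrypt(block: tuple, key: tuple, rounds: int) -> tuple:
    a, b = block
    for i, (k0, k1) in enumerate(subkeys(key, rounds)):
        # Key injection on both words, then MIX: the whole block changes every round.
        # (Threefish also permutes words between rounds; with two words there is nothing to permute.)
        a, b = mix((a + k0) & MASK64, (b + k1) & MASK64, ROTATIONS[i % 8])
    return a, b


def sp_decrypt(block: tuple, key: tuple, rounds: int) -> tuple:
    a, b = block
    for i, (k0, k1) in reversed(list(enumerate(subkeys(key, rounds)))):
        a, b = unmix(a, b, ROTATIONS[i % 8])
        a, b = (a - k0) & MASK64, (b - k1) & MASK64
    return a, b


def changed_bits(x: tuple, y: tuple) -> int:
    """Hamming distance between two 128-bit blocks."""
    return bin(x[0] ^ y[0]).count("1") + bin(x[1] ^ y[1]).count("1")


def flip_bit(block: tuple, bit: int) -> tuple:
    a, b = block
    return (a ^ (1 << bit), b) if bit < 64 else (a, b ^ (1 << (bit - 64)))


def one_round_diffusion(encrypt, block: tuple, key: tuple, bit: int) -> int:
    """Output bits changed after ONE round when a single input bit is flipped."""
    return changed_bits(encrypt(block, key, 1), encrypt(flip_bit(block, bit), key, 1))


# Constructed sample inputs: (block, bit position to flip).
SAMPLES = [
    (((0x0123456789ABCDEF * (i + 1)) & MASK64, (0x9E3779B97F4A7C15 * (i + 3)) & MASK64), (37 * i) % 128)
    for i in range(16)
]


def avalanche(encrypt, key: tuple, rounds: int, samples=SAMPLES) -> float:
    """Average number of the 128 output bits changed per single-bit input flip."""
    total = sum(changed_bits(encrypt(blk, key, rounds), encrypt(flip_bit(blk, bit), key, rounds))
                for blk, bit in samples)
    return total / len(samples)


if __name__ == "__main__":
    key = (0x0123456789ABCDEF, 0xFEDCBA9876543210)
    for rounds in (1, 2, 4, 8):
        print(f"rounds={rounds:2d}  feistel avg changed bits={avalanche(feistel_encrypt, key, rounds):6.2f}"
              f"  sp avg changed bits={avalanche(sp_encrypt, key, rounds):6.2f}")
```

After one Feistel round a flip in the left half changes exactly one output bit, because that half never met F; the SP-style round changes both words immediately. Running the script prints the averaged avalanche per round count so you can see for yourself how many extra Feistel rounds it takes to catch up, which is the per-round overhead argument in the reply.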

