%%% -*-latex-*-
%%%
-%%% $Id: storin.tex,v 1.3 2000/05/25 19:46:22 mdw Exp $
+%%% $Id: storin.tex,v 1.4 2000/05/28 00:39:32 mdw Exp $
%%%
%%% Definition of the cipher
%%%
%%%----- Revision history ---------------------------------------------------
%%%
%%% $Log: storin.tex,v $
+%%% Revision 1.4 2000/05/28 00:39:32 mdw
+%%% Fix some errors.
+%%%
%%% Revision 1.3 2000/05/25 19:46:22 mdw
%%% Improve analysis section.
%%%
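Review bot: The log entry added in the header, "Fix some errors.", does not say which errors were fixed, although this revision reverses a security-relevant statement (problems with keys "shorter than 28 words" become problems with keys "longer than 28 words"), rewrites the claim about the first round of the second encryption, and drops the paragraph on the computerized differential search. Suggest naming those three changes in the log message so a reader comparing revision 1.3 with 1.4 can tell which earlier statements are withdrawn.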
until all of the subkey words have been replaced.
The Storin key schedule can in theory accept user keys up to 36 words (864
-bits) long. However, there are possible security problems with keys shorter
-than 28 words (672 bits). We believe that it's unrealistic to expect this
-much strength from the cipher and recommend against using keys longer than 5
-words (120 bits).
+bits) long. However, there are known problems with keys longer than 28 words
+(672 bits), and these large keys are forbidden. We expect that with long
+keys, attacks will be found which are more efficient than an exhaustive
+search of the keyspace; we therefore (conservatively) recommend 5 word
+(120-bit) keys as a practical maximum.
\subsection{Encryption}
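Review bot: In the rewritten key-length paragraph, "known problems with keys longer than 28 words" is stated without saying what the problems are or where they are explained, while the unchanged sentence before it still says the key schedule can accept keys up to 36 words. Suggest a forward reference to the passage that explains the 28-word restriction, and a sentence saying whether an implementation is expected to reject longer keys, since "forbidden" reads as a requirement. Style point: "5 word (120-bit) keys" mixes two forms; "5-word (120-bit) keys" would be consistent.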
cipher itself, help reduce the amount of code required in the implementation.
The restriction of the key schedule to 28 words is due to an interesting
-property, also shared by Blowfish \cite{blowfish}: the output of the first
-round of the second encryption is zero. To see why this is so, it is enough
-to note that the first round key has just been set equal to what is now the
-plaintext; the result of the key mixing stage is zero, which is unaffected by
-the matrix and linear transformation. See figure~\ref{fig:bfkeysched}.
+property, also shared by Blowfish \cite{blowfish} (see
+figure~\ref{fig:bfkeysched}): the output of the first round of the second
+encryption doesn't depend on the previous round. To see why this is so, it
+is enough to note that the first round key has just been set equal to what is
+now the plaintext; the result of the key mixing stage is zero, which is
+unaffected by the matrix and linear transformation.
A limit of 28 words is chosen to ensure that the round-1 key affects the
round-2 key in a part of the cipher earlier than the postwhitening stage.
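Review bot: The new wording "doesn't depend on the previous round" has no clear referent, because the round being described is the first round of the second encryption and so has no earlier round within that encryption. The explanation kept after it still argues that the result of the key mixing stage is zero, which is the form the removed text stated directly. Suggest saying explicitly what the output is independent of, so that the claim and the "To see why this is so" sentence support each other. Moving the figure reference next to the Blowfish citation reads well.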
\subsection{Attacking Storin}
-A brief\footnote{About three days' worth on a 300MHz Pentium II.}
-computerized analysis of the matrix multiplication failed to turn up any
-high-probability differential characteristics. While an exhaustive search
-was clearly not possible, the program tested all differentials of Hamming
-weight 5 or less, and then random differentials, applying each to a suite of
-$2^{13}$ different 96-bit inputs chosen at random. No output difference was
-noted more than once.
-
There is a two-round truncated differential \cite{storin-tdiff}, which can be
used to break Storin reduced to only 2 rounds. The differential
\[ (\hex{800000}, \hex{800000}, \hex{800000}, 0) \to