%%% -*-latex-*-
%%%
-%%% $Id: storin.tex,v 1.5 2000/07/02 15:22:34 mdw Exp $
+%%% $Id: storin.tex,v 1.6 2001/03/11 23:22:53 mdw Exp $
%%%
%%% Definition of the cipher
%%%
%%%----- Revision history ---------------------------------------------------
%%%
%%% $Log: storin.tex,v $
+%%% Revision 1.6 2001/03/11 23:22:53 mdw
+%%% Use BibTeX for the paper bibliography.
+%%%
%%% Revision 1.5 2000/07/02 15:22:34 mdw
%%% Overhaul of differential cryptanalysis, including a new attack.
%%%
\usepackage{mathenv}
\usepackage{amsfonts}
\usepackage{mdwmath}
+\usepackage{url}
\usepackage[all, dvips]{xy}
\def\ror{\mathbin{>\!\!>\!\!>}}
\def\seq#1{{\langle #1 \rangle}}
\def\hex#1{\texttt{#1}_{16}}
+\let\msgid=\url
\sloppy
The key schedule is designed to be simple and to reuse the cipher components
already available. Given a user key, which is a sequence of one or more
24-bit words, it produces the 36 subkey words required by the cipher. The
-key schedule is very similar to Blowfish \cite{blowfish}. The subkey array
-is assigned an initial constant value derived from the matrix used in the
-cipher. Words from the user key are XORed into the array, starting from the
-beginning, and restarting from the beginning of the user key when all the
-user key words are exhausted. A 96-bit block is initialized to zero, and
-enciphered with Storin, using the subkeys currently in the array. The first
-four subkey words are then replaced with the resulting ciphertext, which is
-then encrypted again using the new subkeys. The next four subkey words are
-replaced with the ciphertext, and the process continues, nine times in all,
-until all of the subkey words have been replaced.
+key schedule is very similar to Blowfish \cite{Schneier:1994:DNV}. The
+subkey array is assigned an initial constant value derived from the matrix
+used in the cipher. Words from the user key are XORed into the array,
+starting from the beginning, and restarting from the beginning of the user
+key when all the user key words are exhausted. A 96-bit block is initialized
+to zero, and enciphered with Storin, using the subkeys currently in the
+array. The first four subkey words are then replaced with the resulting
+ciphertext, which is then encrypted again using the new subkeys. The next
+four subkey words are replaced with the ciphertext, and the process
+continues, nine times in all, until all of the subkey words have been
+replaced.
The Storin key schedule can in theory accept user keys up to 36 words (864
bits) long. However, there are known problems with keys longer than 28 words
The Storin encryption function uses 36 24-bit words of key material $k_0$,
$k_1$, \ldots, $k_{35}$, which are produced from the user key by the key
-schedule, described below. The key-mixing operation $K_i: \mathcal{P}
-\rightarrow \mathcal{P}$ is defined for $0 \le i < 9$ by:
+schedule, described below. The key-mixing operation $K_i \colon \mathcal{P}
+\to \mathcal{P}$ is defined for $0 \le i < 9$ by:
\[
K_i \begin{pmatrix} a \\ b \\ c \\d \end{pmatrix}
=
\end{pmatrix}
\]
-The matrix multiplication operation $M: \mathcal{P} \to \mathcal{P}$
+The matrix multiplication operation $M \colon \mathcal{P} \to \mathcal{P}$
is described by $M(\mathbf{x}) = \mathbf{M} \mathbf{x}$, where $\mathbf{M}$
is a fixed invertible $4 \times 4$ matrix over $\mathcal{W}$. The value of
$\mathbf{M}$ is defined below.
-The linear transformation $L: \mathcal{P} \to \mathcal{P}$ is defined by:
+The linear transformation $L \colon \mathcal{P} \to \mathcal{P}$ is defined by:
\[
L \begin{pmatrix} a \\ b \\ c \\ d \end{pmatrix}
=
\end{pmatrix}
\]
-The round function $R_i: \mathcal{P} \to \mathcal{P}$ is defined for $0 \le i
-< 8$ by
+The round function $R_i \colon \mathcal{P} \to \mathcal{P}$ is defined for $0
+\le i < 8$ by
\[ R_i(\mathbf{x}) = L\bigl(\mathbf{M} K_i(\mathbf{x}) \bigr) \]
-The cipher $C: \mathcal{P} \to \mathcal{P}$ is defined in terms of $R_i$ and
+The cipher $C \colon \mathcal{P} \to \mathcal{P}$ is defined in terms of $R_i$ and
$K_i$. Let $\mathbf{x}_0 \in \mathcal{P}$ be a plaintext vector. Let
$\mathbf{x}_{i+1} = R_i(\mathbf{x}_i)$ for $0 \le i < 8$. Then we define
$C(\mathbf{x})$ by setting $C(\mathbf{x}_0) = K_8(\mathbf{x}_8)$.
more sensible. This maximum can be raised easily when our understanding of
the cipher increases our confidence in it.
-The key schedule is strongly reminiscent of Blowfish \cite{blowfish}. Use of
-existing components of the cipher, such as the matrix multiplication and the
-cipher itself, help reduce the amount of code required in the implementation.
+The key schedule is strongly reminiscent of Blowfish
+\cite{Schneier:1994:DNV}. Use of existing components of the cipher, such as
+the matrix multiplication and the cipher itself, help reduce the amount of
+code required in the implementation.
The restriction of the key schedule to 28 words is due to an interesting
-property, also shared by Blowfish \cite{blowfish} (see
-figure~\ref{fig:bfkeysched}): the output of the first round of the second
-encryption doesn't depend on the previous round. To see why this is so, it
-is enough to note that the first round key has just been set equal to what is
-now the plaintext; the result of the key mixing stage is zero, which is
-unaffected by the matrix and linear transformation.
+property, also shared by Blowfish (see figure~\ref{fig:bfkeysched}): the
+output of the first round of the second encryption doesn't depend on the
+previous round. To see why this is so, it is enough to note that the first
+round key has just been set equal to what is now the plaintext; the result of
+the key mixing stage is zero, which is unaffected by the matrix and linear
+transformation.
A limit of 28 words is chosen to ensure that the round-1 key affects the
round-2 key in a part of the cipher earlier than the postwhitening stage.
\subsubsection{Differential cryptanalysis}
-There is a two-round truncated differential \cite{storin-tdiff}, which can be
-used to break Storin reduced to only 2 rounds. The differential
+There is a two-round truncated differential \cite{Wooding:2000:Storin-diff},
+which can be used to break Storin reduced to only 2 rounds. The differential
\[ \begin{pmatrix}
1 \lsl 23 \\ 1 \lsl 23 \\ 1 \lsl 23 \\ 0
\end{pmatrix} \to
\subsubsection{Other attacks}
-In \cite{storin-collide}, Matthew Fisher speculates on breaking 2 rounds of
-Storin by forcing collisions in the matrix multiplication outputs. This
-attack doesn't extend to more than two rounds either.
+In \cite{Fisher:2000:Storin-collide}, Matthew Fisher speculates on breaking 2
+rounds of Storin by forcing collisions in the matrix multiplication outputs.
+This attack doesn't extend to more than two rounds either.
One possible avenue of attack worth exploring is to attempt to cause zero
words to be input into the first-round matrix by choosing plaintext words
We have presented a new block cipher, Storin. Any cryptanalysis will be
received with interest.
-
-\begin{thebibliography}{99}
-\bibitem{storin-collide}
- M. Fisher,
- `Yet another block cipher: Storin',
- sci.crypt article, message-id \texttt{<8gjctn\$9ct\$1@nnrp1.deja.com>}
-\bibitem{idea}
- X. Lai,
- `On the Design and Security of Block Ciphers',
- ETH Series in Informatics Processing, J. L. Massey (editor), vol. 1,
- Hartung-Gorre Verlag Konstanz, Technische Hochschule (Zurich), 1992
-\bibitem{blowfish}
- B. Schneier,
- `The Blowfish Encryption Algorithm',
- \textit{Dr Dobb's Journal}, vol. 19 no. 4, April 1994, pp. 38--40
-\bibitem{storin-tdiff}
- M. D. Wooding,
- `Yet another block cipher: Storin',
- sci.crypt article, message-id
- \texttt{<slrn8iqhaq.872.mdw@mull.ncipher.com>}
-\end{thebibliography}
+\bibliographystyle{alpha}
+\bibliography{cryptography,mdw}
%%%----- That's all, folks --------------------------------------------------
~mdw / storin / blobdiff