Re: Key-schedules as separate entities from encryption algorithms

From: Alexis Machado (alexis_at_brfree.com.br)
Date: 05/26/03


Date: Mon, 26 May 2003 01:46:50 -0000


"Matt" <matt_crypto@yahoo.co.uk> wrote in message news:94b59a36.0305240554.3195eb83@posting.google.com...

> ...
> Finally, my (a)musings are along these lines: would it be possible to
> develop a ``universal'' key-schedule primitive, most likely with some
> loss of efficiency, which would be secure for almost all block
> ciphers? Any existing contenders? How much efficiency would have to be
> sacrificed to achieve this? Would it be worth the sacrifice to gain
> confidence in a single well-understood key-schedule? Are the key
> schedule and encryption algorithm too tightly coupled to allow
> independent design? etc...
>

Hi Matt.

Several months ago, I speculated about a general
way to expand the masterkey using the encryption
function but ignoring the internals of it. It is not totally
independent as you want, but it avoids the complexity
of a standalone (secure) PRNG:

Consider
1) b is the block size in bits
2) W = { x | 0 <= x < 2^b }
3) W^p = { [X1,X2,...,Xp] | Xi is an element of W }
4) M from W^m, the m-block masterkey
5) C from W^n, a fixed value formed by n random blocks
6) K, a generic element of W^n
7) B, a generic element of W
8) f_K : W -> W, the block cipher encryption function
9) g_B : W^n -> W^n, a function defined by
    g_B(K) = [f_K(B+C1), f_K(B+C2), ..., f_K(B+Cn)]

Finally, h : W^m -> W^n, defined by

    h(M) = g_0 o g_Mm o ... o g_M2 o g_M1 (C)

derives n blocks from the m blocks of the masterkey ("+" is
xor and "o" is function composition). If the composition
operator and the g_X functions (or subsets of them)
form a group, the method has a big problem.

I think that "good" properties of f_K imply "good"
properties of h. If you are interested, we can discuss
details.

---
Alexis
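The construction in the post, h(M) = g_0 o g_Mm o ... o g_M1 (C), as an added worked example in Python (not code from the post). The block cipher f_K is an assumed stand-in toy Feistel network so the example runs offline; it is a permutation of W for every K but carries no security claim. b = 32, n = 4 and the sample M and C values are constructed.

```python
from typing import List

B_BITS = 32   # b: block size in bits (constructed toy value)

def toy_feistel(K: List[int], block: int, rounds: int = 8) -> int:
    """Stand-in for f_K : W -> W, a b-bit block cipher keyed by the n blocks
    in K. ASSUMED toy Feistel network: invertible for each K, not secure."""
    half = B_BITS // 2
    mask = (1 << half) - 1
    left, right = block >> half, block & mask
    for i in range(rounds):
        kb = K[i % len(K)]                                      # key block
        rk = ((kb ^ (kb >> half)) + 0x9E37 * (i + 1)) & mask    # round key
        t = (right + rk) & mask
        t = ((t * 0x45D9) ^ (t >> 7)) & mask                    # toy mixing
        left, right = right, left ^ t
    return (left << half) | right

def g(B: int, K: List[int], C: List[int], f) -> List[int]:
    """g_B(K) = [f_K(B + C1), ..., f_K(B + Cn)], with "+" meaning xor."""
    return [f(K, B ^ Ci) for Ci in C]

def h(M: List[int], C: List[int], f=toy_feistel) -> List[int]:
    """h(M) = g_0 o g_Mm o ... o g_M2 o g_M1 (C). Composition is applied
    right to left: g_M1 acts on the constant C first, g_0 is applied last,
    so the derived n blocks depend on every masterkey block."""
    K = list(C)
    for Mi in M:
        K = g(Mi, K, C, f)
    return g(0, K, C, f)

def hamming(a: List[int], b: List[int]) -> int:
    """Number of differing bits between two elements of W^n."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# constructed sample values: n = 4 fixed blocks C, m = 2 masterkey blocks M
C = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344]
M = [0x01234567, 0x89ABCDEF]
M_flipped = [M[0] ^ 1, M[1]]   # masterkey differing from M in one bit

if __name__ == "__main__":
    sched = h(M, C)
    print("h(M)        :", [f"{x:08x}" for x in sched])
    print("h(M xor 1)  :", [f"{x:08x}" for x in h(M_flipped, C)])
    print("bits changed:", hamming(sched, h(M_flipped, C)), "of", B_BITS * len(C))
```

Since each g_B is built from f_K only, a different f (a real b-bit cipher keyed by n blocks) can be passed in as f without touching the schedule itself.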
