Re: New Stream Cipher: Restream

From: David Wagner (daw_at_mozart.cs.berkeley.edu)
Date: 08/29/03


Date: Fri, 29 Aug 2003 18:46:27 +0000 (UTC)

Dominik Reichl wrote:
>The KSA of Restream is relatively easy to describe. The initial state
>array (2048 32-bit values) is filled by hashing the user password plus
>an incrementing counter using SHA-1 (but it could be any other one-way
>hash function) until the array is completely filled.
>
>Before calculating the final 32-bit output word, apply this to the state
>array:
>
>uNew = p[MRC(pos)] + p[MRC(pos+1)] + p[MRC(pos-1)] + p[MRC(pos-2)] +
> ((p[MRC(pos+17)] * p[MRC(pos+37)]) ^
> (p[MRC(pos+101)] ^ p[MRC(pos+213)])) +
> ((p[MRC(pos+157)] ^ p[MRC(pos+513)] ^
> p[MRC(pos+127)]) + p[MRC(pos+713)]);
>ctx->state[pos] = uNew;
>ctx->pos++;
>
>where MRC(x) is x & 2047, and 'p' a pointer to ctx->state.
>
>The 32-bit value which can be used then for encryption/decryption is:
>
>x = (p[MRC(pos+27)] + p[MRC(pos+317)]) ^ p[MRC(pos+657)];

How fast is this? Is it competitive with today's fastest known
stream ciphers, like SEAL, SNOW, Rabbit, RC4, etc.?

If I understand correctly, there's no diffusion from high bits to
low bits. Also, if we leave out the multiplication, the effect of the
cipher on the low bits of the state is entirely linear. That doesn't
sound so great.

One could try to analyze the cipher-with-multiply by noting that the
low bit of the multiply is 0 with prob. 3/4. Does this lead to a
correlation attack? I don't know.
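
Added example (not part of the original post and not Restream's own code): the quoted update and output formulas run in lockstep with a model that keeps only bit 0 of each state word, where + and ^ become XOR and * becomes AND. Bit 0 of every output word matches the 1-bit model, which is the missing high-to-low diffusion noted in the reply. Assumptions: the state is filled by a constructed xorshift32 generator instead of the SHA-1 key setup, and the output is read at the incremented position.

```c
#include <stdint.h>
#include <stdio.h>
#define MRC(x) ((x) & 2047u)

/* One step as quoted above, on the full 32-bit state. Reading the output at
   the incremented position is an assumption about the intended ordering. */
static uint32_t step32(uint32_t *p, uint32_t *ppos) {
    uint32_t pos = *ppos;
    p[MRC(pos)] = p[MRC(pos)] + p[MRC(pos+1)] + p[MRC(pos-1)] + p[MRC(pos-2)] +
        ((p[MRC(pos+17)] * p[MRC(pos+37)]) ^ (p[MRC(pos+101)] ^ p[MRC(pos+213)])) +
        ((p[MRC(pos+157)] ^ p[MRC(pos+513)] ^ p[MRC(pos+127)]) + p[MRC(pos+713)]);
    pos = ++*ppos;
    return (p[MRC(pos+27)] + p[MRC(pos+317)]) ^ p[MRC(pos+657)];
}

/* The same step restricted to bit 0: + and ^ become XOR, * becomes AND. */
static uint8_t step1(uint8_t *b, uint32_t *ppos) {
    uint32_t pos = *ppos;
    b[MRC(pos)] = b[MRC(pos)] ^ b[MRC(pos+1)] ^ b[MRC(pos-1)] ^ b[MRC(pos-2)] ^
        (b[MRC(pos+17)] & b[MRC(pos+37)]) ^ b[MRC(pos+101)] ^ b[MRC(pos+213)] ^
        b[MRC(pos+157)] ^ b[MRC(pos+513)] ^ b[MRC(pos+127)] ^ b[MRC(pos+713)];
    pos = ++*ppos;
    return b[MRC(pos+27)] ^ b[MRC(pos+317)] ^ b[MRC(pos+657)];
}

/* Fills the state from xorshift32 (constructed stand-in for the SHA-1 key
   setup; seed must be nonzero) and returns how often bit 0 of the real output
   differs from the 1-bit model. *mul_zero (optional): product bit 0 was 0. */
unsigned long low_bit_mismatches(uint32_t seed, unsigned long steps, unsigned long *mul_zero) {
    static uint32_t s[2048];
    static uint8_t b[2048];
    uint32_t x = seed, p32 = 0, p1 = 0;
    unsigned long bad = 0, zero = 0;
    for (int i = 0; i < 2048; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        s[i] = x; b[i] = (uint8_t)(x & 1u);
    }
    for (unsigned long n = 0; n < steps; n++) {
        zero += !((s[MRC(p32+17)] * s[MRC(p32+37)]) & 1u);
        bad += (step32(s, &p32) & 1u) != step1(b, &p1);
    }
    if (mul_zero) *mul_zero = zero;
    return bad;
}

int main(void) {
    unsigned long zero = 0, steps = 1000000;
    unsigned long bad = low_bit_mismatches(0x12345678u, steps, &zero);
    printf("mismatches: %lu, product bit 0 zero: %.4f\n", bad, (double)zero / (double)steps);
    return 0;
}
```

The second printed figure is the measured fraction of steps in which the low bit of the product is 0, for comparison with the 3/4 estimate in the reply.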


