Re: Formulae for Latin squares of size 2^n
From: Tom St Denis (tomstdenis_at_iahu.ca)
Date: 12/16/03
- Next message: nobody: "Order of Encryption and Authentication"
- Previous message: Bob Silverman: "Re: What makes NFS tick?"
- In reply to: Terry Ritter: "Re: Formulae for Latin squares of size 2^n"
- Next in thread: Cyber Vagrant: "Re: Formulae for Latin squares of size 2^n"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 16 Dec 2003 00:11:44 GMT
"Terry Ritter" <ritter@ciphersbyritter.com> wrote in message
news:5c88fd7a.0312151314.2ae3434c@posting.google.com...
> 2. I suppose it is important to learn as much as
> possible about everything, and I will study these
> transforms. But leaning is required of us all, and
> others should look at my Balanced Block Mixing, in the
> keyed nonlinear form. Start in my Glossary.
Why? If I want good linear transforms I'll use FFT or MDS based transforms.
BBM Mixing isn't always ideal. Nor does your site have a lot of theory to
learn from anyways.
> 3. Apparently, what I could achieve from such study
> is a method of building a fixed-size linear mixing.
> But I have long since decided against linear mixing,
> provided there is a reasonable nonlinear alternative.
> There is.
Not really. Linear transforms are trivial to count the branch of. For
example, all MDS transforms have perfect branch. All FFT transform [radix
two] with MDS 2x2 mixing have branch that follows a simple pattern.
Non-linear transforms have to be counted to find the branch. That can take
a lot of time given a big enough domain.
> 4. Even if a particular linear mixing does have a proof
> of branch value, that does not mean that other mixings
> do not achieve that same value, or close to it.
Sure, but linear codes are easier to prove things about. That's the point
of science. To rationalize things. Heuristic proofs are not very
impressive for the most part.
> 5. The range of branch values is 0..2n only. The
> sources give n+1 as the optimal value. Apparently,
> values above that are worse, not better.
Non-singular transforms are limited to n+1 [hence the meaning of MDS]. If
you want singular transforms I'm sure you could probably do better.
> 6. A branch number is not the sole measure of good
> mixing.
Actually by definition it is. High branch implies high diffusion. A MDS
is also by definition complete and non-singular. You can't get much better
than that [more efficient would be nice which is why circulant matrices are
used].
> I have spent considerable effort documenting
> the distributions of Boolean function nonlinearity in
> (linear) Mixing Ciphers, but we see no mention of that
> term in the branch articles, nor any other measure,
> as far as I can recall.
Branch is a measure of trail weight [coined by Daemen in his PhD
dissertation]. The trick is you have a non-linear component, a key mixing
component and a linear transform to promote branch. This leads to simple
designs [Square for instance] for which we can prove amazing things [for the
time]. For instance, when Square was designed the only way to make a design
secure against DC/LC was either to use GF cubing over GF(2^33) [or something
like that, Matsui's designs used cubing over GF(2^15) and GF(2^17) to make a
32x32 non-linear transform] . The other way was manually count sboxes by
sampling inputs.
Daemen showed that with 5 minutes, a pen and some paper you can prove Square
is secure against both DC/LC. You can't say the same for say ICE, DES,
IDEA, LOKI, etc...
> 7. Having a proven branch number is not so powerful as
> to achieve guaranteed cipher strength. Accordingly,
> branch is not a substitute for scalability and testing
> ciphers of tiny size. In contrast, Mixing Ciphers scale
> dynamically from a couple of bytes to thousands. Tiny
> versions can be tested heavily, with the exact same
> source code applied in production and dealing with huge
> blocks of thousands of bytes or more.
This is where math comes into play. You design your cipher along sound
mathematical principles and away you go!
Also MDS transforms do scale. They exist for any size [given an appropriate
field].
Anyways, whatever. I don't care what you want to believe or not. If you
like your ad hoc pseudo-science then go with it. I'll stick to things I can
prove without heuristics.
Tom
- Next message: nobody: "Order of Encryption and Authentication"
- Previous message: Bob Silverman: "Re: What makes NFS tick?"
- In reply to: Terry Ritter: "Re: Formulae for Latin squares of size 2^n"
- Next in thread: Cyber Vagrant: "Re: Formulae for Latin squares of size 2^n"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
