"T-Functions"

tomstdenis_at_gmail.com
Date: 02/22/05 

Date: 22 Feb 2005 04:07:12 -0800

First off, for those not in the know...

A "T-Function" [Shamir invention...] is a function where bit i depends
only on the bits i...0 of the input [e.g. addition, xor, etc].
Additionally the influence from lower bits is called the "parameter".

There were several papers at FSE about them [and at eprint].

...

My question: What's the interest at all in them? It seems people are
spending a lot of time designing functions with horrible diffusion and
are essentially linear. I'm sorry but just because x2*x3 + x0|1 -
x0^x4 is a bijection and a t-function doesn't mean it's good [note: I
don't know if it's a bijection for any n doing it in modulo 2^n].

It's like using rivests' permutation polynomials mod 2^n [which are t
functions iirc] as a round function in a feistel. That would last all
of about 8 seconds before a break was posted [hint: think ls bits].

Maybe someone else can clue me in to the interest for "super fast and
weak" primitives...Aside from being useless they also clutter the world
because now when I say "it takes 17 cycles for my round function [which
is secure]" people can just say "this t-function is only 3 cycles!!!".
And it doesn't help that Shamir is backing this research.

If the goal was "non-linear mixing" it fails but not only that but
something like CS-Cipher [and the CS^2] achieve this in a much simpler
manner.

... any thoughts?

Tom

Quantcast