WAKE - questions and answers

David Wheeler has kindly agreed to answer some questions on WAKE's design aims and implementation:

Q1: Have you any comments regarding your latest thoughts on improving WAKE?

DW: If you asked me now I would say:

  1. I would increase the number of rounds to at least five (four was minimal)
  2. I would probably increase the size of the table to 1024 or greater (to use the larger caches available)
  3. The default use would use a confounder of at least two words at the front, to be thrown away on reception (to exclude unlikely attacks and possibly allow the longer use of each key).
  4. If the default use was not possible due to increased space, I would use two complete encyphering sweeps (rejecting the on-line property) to ensure typical single bit changes change the entire block.

Q2: Would there be any point in having some fixed tables of known strength like the CAST cipher?

DW: Fixed tables give less work for the cryptanalyser.

Q3:
> I would probably increase the size of the table to 1024 or
> greater (to use the larger caches available)

Do you mean a different 256 x 32 table for each round, or another scheme?

DW: Either four tables or one table with a shift of ten bits. The latter is slightly better as it gives more 'overlap'.

Q4: Have you considered the implications of dynamically changing the tables contents by: (a) swapping the used locations with random ones and/or (b) randomly modifying the used locations?

DW: I did consider and have used such schemes. WAKE was supposed to be fairly fast and so the speed/complication did not appear to pay off.

Q5:
> The default use would use a confounder of at least two words at
> the front, to be thrown away on reception. (to exclude
> unlikely attacks and possibly allow the longer use of each key.

Would you consider using material generated by the key expansion scheme?

DW: No. The idea is to prevent a repetitive text attack, where the changes caused by one bit/character/word changing are analysed.

Q6: (Arithmetic/logical right shifts) In:

genkey(long t[], long k[])
{   long x, z, p;
    static long tt[10]= { 0x726a8f3b,      /* obfuscation table */
...

    for (p = 4; p < 256; p++)
    {   x = t[p - 4] + t[p - 1];                  /* fill table */
        t[p] = x >> 3 ^ tt[x & 7];
    }

    for (p = 0; p < 23; p++)               /* mix first entries */
        t[p] += t[p + 89];

There will be a different table if x is declared unsigned long due to the 3-bit right shift. In:

cypher(V, n, k, r, t) 
long V[], n, k[], r[], t[];
{   long r1, r2, r3, r4, r5, r6, d, *e, m = 0x00ffffff;
 ...
        r3 = (r3 >> 8 & m) ^ t[r3 & 255];

a 24-bit mask is deliberately added to cause a logical shift. Should this also be the case with genkey()?

DW: The cypher objectives were to make a secure and fast encypher technique. The logical shift was chosen for cypher as C was (is?) not completely defined for left/right shift. I cannot remember why but overflow, ones complement and sign and magnitude machines come to mind. I think on a twos complement machine arithmetic shifts are marginally preferable.

I regarded genkey as just one way of generating the table, so details were thought to be sufficient but not optimal. It was desired to make every entry depend on all the key bits and given the table - difficult to get the key.

Q7: In genkey() care is taken to ensure that the top 8 bits are a permutation. This makes:

        r3 = r3 + r2;   r3 = (r3 >> 8 & m) ^ t[r3 & 255];

reversible. If reversibility is not needed, does this benefit the cryptanalyst?

DW: Each stage of WAKE was made reversible and the non-reversibility done at one stroke, as this minimises the information loss. If each stage nibbles log2(e), in some cases they can add up.

If the table is replaced by a random table it contains about log2(e) extra potential information bits per entry. However the use of the entries is non-uniform, as some 8-bit table selectors have 0, 1, 2, etc. values - and these might be found by statistical analysis.
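An added example for Q6 and Q7 (not Wheeler's code, nor the page author's): a genkey()-style table entry computed with a signed word, an unsigned word, and a signed word masked the way cypher() masks r3 >> 8, showing that only the masked form is independent of whether the compiler's right shift is arithmetic or logical; and the cypher() mixing step with its inverse, which exists only because the top bytes of the table form a permutation. The tt[] values and the 256-entry table are constructed stand-ins, not WAKE's real tables.

```c
#include <stdint.h>
#define MASK24 0x00ffffffu
/* Constructed stand-in for genkey()'s obfuscation table tt[] (not Wheeler's values). */
static const uint32_t TT[8] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u,
                                0x55555555u, 0x66666666u, 0x77777777u, 0x88888888u };

/* genkey()-style entry with a signed word: for negative x, ">> 3" is an
 * arithmetic shift on gcc/clang (implementation-defined in C). */
static uint32_t fill_signed(int32_t a, int32_t b) {
    int32_t x = a + b;                  /* caller avoids signed overflow */
    return (uint32_t)(x >> 3) ^ TT[x & 7];
}
/* Same entry with an unsigned word: ">> 3" is always a logical shift. */
static uint32_t fill_unsigned(uint32_t a, uint32_t b) {
    uint32_t x = a + b;
    return (x >> 3) ^ TT[x & 7];
}
/* Signed word, masked like cypher()'s "r3 >> 8 & m": the mask drops the
 * sign-extended bits, so the result no longer depends on the shift kind. */
static uint32_t fill_masked(int32_t a, int32_t b) {
    int32_t x = a + b;
    return ((uint32_t)(x >> 3) & 0x1fffffffu) ^ TT[x & 7];
}

/* The cypher() mixing step from the page: r3 = (r3 >> 8 & m) ^ t[r3 & 255]. */
static uint32_t wake_step(uint32_t r3, const uint32_t t[256]) {
    return ((r3 >> 8) & MASK24) ^ t[r3 & 255];
}
/* Inverse of wake_step. Works only because every t[] entry has a distinct top
 * byte (genkey() makes the top 8 bits a permutation), so the output's top byte
 * identifies the entry that was XORed in. inv[] maps top byte -> table index. */
static uint32_t wake_unstep(uint32_t out, const uint32_t t[256], const uint8_t inv[256]) {
    uint32_t idx = inv[out >> 24];
    return (((out ^ t[idx]) & MASK24) << 8) | idx;
}
/* Constructed table with the permutation property (not a real WAKE key table). */
static void build_table(uint32_t t[256], uint8_t inv[256]) {
    for (int i = 0; i < 256; i++) {
        t[i] = ((uint32_t)(255 - i) << 24) | ((0x9e3779b9u * (uint32_t)(i + 1)) & MASK24);
        inv[255 - i] = (uint8_t)i;
    }
}
/* 1 if wake_unstep undoes wake_step on 100000 sampled words, else 0. */
static int roundtrip_ok(void) {
    uint32_t t[256]; uint8_t inv[256]; uint32_t r3 = 0x12345678u;
    build_table(t, inv);
    for (int i = 0; i < 100000; i++, r3 = r3 * 1664525u + 1013904223u)
        if (wake_unstep(wake_step(r3, t), t, inv) != r3) return 0;
    return 1;
}
```

With a word whose top bit is set, fill_signed and fill_unsigned give different table entries on an arithmetic-shift compiler, while fill_masked always agrees with fill_unsigned; without the permutation property, wake_unstep could not recover the index from the output's top byte.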



Comments welcome:  Keith
