Ways of Doubling Block Size of Feistel Ciphers Used in Some Candidates for the AES

Bohuslav Rudolf
National Security Authority
P. O. Box 49, 150 06 Prague 56

Abstract

We describe and discuss the rounds of four (former) candidates in the AES process (DEAL, CAST-256, Twofish and RC6). Each of them represents its own way from a Feistel network to a cipher with double block size. We try to sketch these ways and to compare them.

Keywords: Feistel network, AES, block size, DEAL, CAST, Twofish, RC6.

1 Introduction

Most block ciphers in use today have a block size of 64 bits. For these ciphers some variants of the birthday attack require the storage or collection of 2^32 ciphertext blocks for a success probability of about one half [4]. With the rapid increase in computing power and available storage media it can be expected that in a few years this attack will be very realistic. Hence in the near future we shall use block ciphers with a 128-bit block size for higher security levels. This has also been taken into consideration in the AES and NESSIE projects.

A lot of block algorithms are Feistel networks. They are iterated block ciphers: a simple round function is taken and iterated multiple times. The basic building block of the round is a non-linear function usually called the F function or round function. When we try to design a Feistel cipher with a 128-bit block size, we can choose one of the two following possibilities. The first one is to develop our own design. The second one is to try to double the 64-bit block size of some common Feistel cipher.

In this contribution we describe and discuss the rounds of four candidates in the AES process. Each of them represents its own way from a (perhaps slightly modified) Feistel network to a cipher with double block size.

The simplest (and straightforward) approach to this problem is to use the encryption function of a chosen 64-bit block cipher as the F function of a new cipher. In the end we obtain a pure Feistel network with 128-bit block size. This is an instance of the cipher DEAL (with DES encryption as the building block). A little less straightforward, but still very simple, way is to take the F function of the original cipher and use it in a generalized (unbalanced) Feistel network. This way led for instance from the cipher CAST-128 to CAST-256. Both of these examples are very simple. But neither of them (DEAL and CAST-256) became an AES finalist.

Both of the two remaining candidates discussed, Twofish and RC6, were among the 5 finalists of the AES process. The Twofish F function design is based on a nontrivial modification and doubling of the Blowfish F function. In this contribution we try to sketch a probable way from the Blowfish to the Twofish design. The last example is the design of RC6. It is the result of a careful modification of two parallel copies of RC5. Both of them are connected with the Feistel structure, but both of them differ essentially from the traditional Feistel network. It is interesting for us that the authors of RC6 described their way from RC5 to RC6 [7].

The way all computation lines are mixed during encryption is important for the quality of a new cipher. If this mixing is too slow we should not expect high performance and high security of the cipher simultaneously. In the former paper [1] we studied and used the DEM (diffusion evaluation matrix). It is a simple tool for an elementary estimation of cipher diffusion. It is based on old ideas of using matrices for diffusion evaluation (see for instance [2]), completed by the theorem about the DEM of a composed mapping and the exploitation of matrix calculus. Usually we use it for estimating the smallest number of encryption rounds potentially providing full diffusion. We speak about potentiality only, because we are not sure that different ways of dependency transfer do not mutually cancel. In the paper [1] we illustrated DEM estimation with the following examples: the Twofish F function, a traditional Feistel network and the unbalanced Feistel network used in CAST-256. The DEM estimation of RC6 is done in the Appendix of this contribution.

Security and Protection of Information 2003

Of course, block cipher security estimation is a sophisticated problem. It has many important aspects. Usually the cipher's resistance against known attacks is examined (differential, linear and other kinds of cryptanalysis, detectable key classes and so on) and attacks against simplified variants of the algorithm are designed. For the AES finalists we know the corresponding security levels assigned to them by NIST.

2 DEAL - cipher design using DES encryption as F function

Introductory remarks: In [5] Knudsen proposed the r-round Feistel cipher DEAL with a block size of 128 bits. DEAL is a simple way of constructing a new block cipher based on another block cipher, doubling the block size. It uses DES in the round function. One could as well view DEAL as a mode of operation of the underlying block cipher (here DES) instead of as a block cipher in its own right. The name DEAL means Data Encryption Algorithm with Larger blocks.

DEAL round: A 128-bit plaintext is split into two halves. A round takes the 128-bit block (L, R) and the round key K as input and computes the output block (L_new, R_new) by:

L_new = R, R_new = L ⊕ E(R, K)

⊕ denotes XOR and E is the DES encryption function, K is the DES key, and L, R, L_new and R_new are 64-bit words.

The Knudsen attack: Knudsen's paper [5] contains the following proposition: there is an attack on six-round DEAL with independent round keys which requires a large number of DES encryptions and about 2^70 chosen plaintexts.

Diffusion: The DEAL F function is the DES encryption function. Hence it has potentially full diffusion and, in accordance with our results in [1], three DEAL rounds have potentially full diffusion.

Number of rounds and speed of encryption: According to the attack on 6 rounds, Knudsen recommended using DEAL with at least 6 rounds. DEAL accepts three different key sizes, namely 128 bits (DEAL-128), 192 bits (DEAL-192) and 256 bits (DEAL-256). For the first two sizes the author recommends 6 rounds; for 256-bit keys it should be 8. DEAL with 6 rounds is as fast as triple DES. Hence it provides a worst-case performance benchmark for AES [10]. Let us notice that Knudsen also participated in the proposal of Serpent (one of the AES finalists).

3 CAST-256 - a cipher with a generalized Feistel network

The CAST-256 encryption algorithm is an extension of the CAST-128 cipher and has been submitted as a candidate for NIST's AES effort [3].

The main idea of the block size doubling: The mechanism for the expansion of a 64-bit block size to a larger block size in the CAST-256 design is based on the following idea. In a traditional Feistel network (64-bit block size) it is possible to interpret the exchange of the left and right halves in each round as a circular right shift by 32 bits. Let us consider a generalization of this structure to a cipher with a block size of 4 x 32 bits. In this case we consider the round as a structure consisting of 2 steps. In the first of them the F function is used for a nontrivial change of one 32-bit word value. Then the 128-bit data block is circularly shifted by 32 bits (one word) to the right.

Round equations: Accordingly, the round of this cipher contains a circular right shift by 32 bits and has the form:

C* = C ⊕ f(D, k), (A_new, B_new, C_new, D_new) = (D, A, B, C*)

f denotes the F function, k is a round subkey and (A, B, C, D) is a 128-bit block where the words A, B, C, D are each 32 bits in length.

A cycle and a quad-round of the cipher: In accordance with [11], a cycle is the number of rounds necessary for the (non-trivial) modification of each bit in the block. The cycle of a traditional Feistel network contains 2 rounds. For instance the DES cipher has 8 cycles. The CAST-256 algorithm with the block size 128 = 4 x 32 requires 4 rounds (instead of 2) to input all bits of the block to the round function. Thus its cycle contains 4 rounds, called a quad-round.

Two representations of a cycle (see for instance [12], twisted ladder and untwisted ladder): The first representation of a cycle is straightforward. We write the round equation four times. We obtain the second representation of a cycle by the following modification: instead of the rotations in the cycle rounds we change only the notation of the words in these rounds.
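An added example (not from the paper or the CAST-256 submission) showing the two representations of the cycle in code: four rotate-right rounds with the round equation above equal the renamed (untwisted) quad-round, a left-shift quad-round with the same subkeys undoes it, and a cipher built from forward and reverse quad-rounds decrypts by reversing the subkey order. The functions f1, f2, f3 and the subkey schedule are constructed stand-ins, not the CAST-128 functions or the CAST-256 key schedule.

```python
"""CAST-256 round structure: rotate-right rounds, the untwisted quad-round,
the reverse quad-round and decryption by reversed subkeys.

Added example.  f1, f2, f3 are constructed keyed stand-ins built from
blake2s (NOT the CAST-128 round functions); only the Feistel structure
is demonstrated.
"""
import hashlib
from typing import Callable, List, Tuple

Word = int
Block = Tuple[Word, Word, Word, Word]


def make_f(tag: int) -> Callable[[Word, Word], Word]:
    """Constructed 32-bit keyed function f_tag(x, k)."""
    def f(x: Word, k: Word) -> Word:
        data = bytes([tag]) + x.to_bytes(4, "big") + k.to_bytes(4, "big")
        return int.from_bytes(hashlib.blake2s(data, digest_size=4).digest(), "big")
    return f


f1, f2, f3 = make_f(1), make_f(2), make_f(3)


def round_shift_right(blk: Block, f: Callable, k: Word) -> Block:
    """One round: C* = C xor f(D, k); (A, B, C, D) -> (D, A, B, C*)."""
    a, b, c, d = blk
    return d, a, b, c ^ f(d, k)


def round_shift_left(blk: Block, f: Callable, k: Word) -> Block:
    """Inverse round: undo the XOR, then shift left by one word."""
    d, a, b, c_star = blk
    return a, b, c_star ^ f(d, k), d


def twisted_quad(blk: Block, ks: List[Word]) -> Block:
    """First representation: four rotate-right rounds with f1, f2, f3, f1.
    Four one-word rotations of a four-word block are the identity."""
    for f, k in zip((f1, f2, f3, f1), ks):
        blk = round_shift_right(blk, f, k)
    return blk


def forward_quad(blk: Block, ks: List[Word]) -> Block:
    """Second representation: the same four rounds with renamed words."""
    a, b, c, d = blk
    c ^= f1(d, ks[0])
    b ^= f2(c, ks[1])
    a ^= f3(b, ks[2])
    d ^= f1(a, ks[3])
    return a, b, c, d


def reverse_quad(blk: Block, ks: List[Word]) -> Block:
    """Reverse quad-round (left-shift form); inverts forward_quad."""
    a, b, c, d = blk
    d ^= f1(a, ks[3])
    a ^= f3(b, ks[2])
    b ^= f2(c, ks[1])
    c ^= f1(d, ks[0])
    return a, b, c, d


def encrypt(blk: Block, schedule: List[List[Word]]) -> Block:
    """First half of the quad-rounds forward, second half reverse."""
    half = len(schedule) // 2
    for ks in schedule[:half]:
        blk = forward_quad(blk, ks)
    for ks in schedule[half:]:
        blk = reverse_quad(blk, ks)
    return blk


def decrypt(blk: Block, schedule: List[List[Word]]) -> Block:
    """Decryption is encryption with the quad-round subkeys in reverse order."""
    return encrypt(blk, schedule[::-1])


def demo_schedule(quads: int = 12) -> List[List[Word]]:
    """Constructed subkeys for `quads` quad-rounds (NOT the CAST-256 key schedule)."""
    return [[int.from_bytes(hashlib.blake2s(bytes([j, i]), digest_size=4).digest(), "big")
             for i in range(4)] for j in range(quads)]
```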

Encryption and decryption: A consequence of the CAST-256 cipher structure is that it requires a separate structure for decryption. If the right circular shift is used in encryption, decryption needs a left circular shift. Accordingly, in this case we have to consider 2 types of quad-rounds: the forward one for encryption and the reverse one for decryption. If there are r rounds in the full cipher, the first r/2 rounds use right shifting and the last r/2 rounds use left shifting. In this way decryption is identical to encryption, requiring only a reversal of the round keys.

Form of the quad-rounds: Here we use the second type of representation of the Feistel cycle. The forward quad-round has the form:

C_new = C ⊕ f1(D, k0(j))
B_new = B ⊕ f2(C_new, k1(j))
A_new = A ⊕ f3(B_new, k2(j))
D_new = D ⊕ f1(A_new, k3(j))

The reverse quad-round has the form:

D_new = D ⊕ f1(A, k3(j))
A_new = A ⊕ f3(B, k2(j))
B_new = B ⊕ f2(C, k1(j))
C_new = C ⊕ f1(D_new, k0(j))

where f1, f2, f3 are the functions defined as for CAST-128, (A, B, C, D) denotes a 128-bit block where A, B, C, D are each 32 bits in length, and (k0(j), k1(j), k2(j), k3(j)) is the set of keys for the j-th quad-round.

Choice of the Feistel function: CAST-256 uses the same Feistel functions as CAST-128.

Cipher diffusion: In [1] we have seen that this kind of unbalanced Feistel network needs at least 7 rounds to reach full diffusion.

Number of rounds and speed of encryption: The security analysis in [3] suggests using CAST-256 with 12 quad-rounds, i.e. 48 rounds. Because of the large number of required rounds it is considerably slower than the fastest AES candidates [10].

4 A possible way from Blowfish to Twofish

Introductory remarks: Twofish is a block cipher designed by the Counterpane Systems group [9] as a candidate for the Advanced Encryption Standard selection process, and was accepted as one of the five finalists. It is a 128-bit block cipher that accepts a variable-length key up to 256 bits. It uses a 16-round (8-cycle) Feistel-like structure with additional whitening of input and output. (The only non-Feistel elements are the 1-bit rotates.) It originated from an attempt to take the original Blowfish design and modify it for a 128-bit block [8]. We do not know exactly the way the Twofish team took from Blowfish to the Twofish design. But we can try to reconstruct its main probable line.

The Blowfish F function: Blowfish is a traditional Feistel network with 64-bit block size. Let us describe its F function now.

1. First the 32-bit input data X are XORed with the corresponding subkey K: X* = X ⊕ K.
2. The result X* is split into 4 bytes (x*3, x*2, x*1, x*0), creating four 8-bit inputs to the four key-dependent S-boxes. Their outputs are four 32-bit words [Y3, Y2, Y1, Y0]. Hence: Yj = sj(x*j).
3. The results are combined (mixed) in the following way: Y = [(Y0 + Y1) ⊕ Y2] + Y3, where + denotes addition modulo 2^32.

Figure 1: Blowfish F function B (subkey K, four 8 x 32 S-boxes 0 to 3, output Y).

First probable step of the way to Twofish - replacement of the function B: The Twofish function G is a successor of the Blowfish F function B. It uses 4 bijective 8 x 8 key-dependent S-boxes instead of the large 8 x 32 Blowfish boxes. The dependence of the G function on the key is provided only by the S-boxes. As the mixing (diffusion) layer the MDS matrix (with a sophisticated theoretical background) is used.

Figure 2: Twofish function G (input X split into bytes x0 to x3, four 8 x 8 S-boxes, MDS matrix, output Y).

Second probable step of the way - predecessor of the Twofish F function: Let us take two parallel versions of the function G. In the next steps we need above all to add some diffusion layer to mix the outputs (or inputs) of these two versions of G. It also seems reasonable to break in some way the symmetry connected with the use of two identical functions.

Third probable step of the way - adding a mixing layer: To mix the computations of both G function instances they use the so-called Pseudo-Hadamard transform (PHT in short) on pairs of 32-bit variables: (X*, Y*) = T_PH(X, Y), where X* = X + Y, Y* = X + 2Y = X* + Y (addition modulo 2^32). It is applied to the outputs of both functions G.

Fourth probable step of the way - first asymmetry installation: The input of the second instance of G is first rotated by one byte. It is an easy way to make from G a different function G*: G*(X) = G(X <<< 8). It is a different but closely related function to G. It contains the same boxes (but in a different order) and in some sense a different MDS transformation, but one simply related to the original. The cryptographic properties of both of these functions are the same.

Fifth probable step - standard key-dependence insertion: Of course, the outputs of the functions G and G* are key-dependent. But we need some standard key-dependence, too. Thus we take a different part of the Twofish key and add it modulo 2^32 to both parts of the PHT output.

Relationship between the F function F and the function G (summary):

The F function F contains the function G twice. The inputs into the second instance of G are first rotated by one byte (to obtain the function G*). The outputs from the functions G and G* are combined by the Pseudo-Hadamard transform. The standard key-dependence is provided by adding subkeys to both parts of the output.

The mixing layer of the Twofish F function: The mixing layer of the Twofish F function is composed of two parts: the first one contains the MDS transformations of both instances of the function G, and the second one is the Pseudo-Hadamard transformation realised by two additions.

The Twofish F function: Let us present the result of the former five steps. The F function is defined by the function G in the following form:

A* = G(A) + G(B <<< 8) + K_A,
B* = G(A) + 2 G(B <<< 8) + K_B,

where + denotes addition modulo 2^32, A, B (A*, B*) are the 32-bit halves of the input (output), and K_A, K_B are 32-bit subkeys.

Figure 3: Twofish F function (G, G* with input rotated by 8 bits, PHT, subkeys K_A and K_B).

Sixth step - second asymmetry installation (one-bit rotations in the Feistel structure): The majority of the Twofish Feistel function building blocks are byte-oriented (namely the S-boxes and the MDS transformation). The one-bit rotations were included to help break this structure. Let us denote the round input as (A, B, C, D), its output as (A_new, B_new, C_new, D_new) and the two halves of the F function output as (A*, B*). Then:

A_new = (A* ⊕ C) >>> 1, B_new = B* ⊕ (D <<< 1),

where X >>> 1 (or X <<< 1) denotes the right (or left) one-bit rotation of the word X. Of course: (C_new, D_new) = (A, B).

Remark about decryption: The different order of the XOR and the rotation in the C line and the D line helps to provide symmetry for decryption. The Twofish encryption and decryption functions are slightly different, but are built from the same blocks.

Figure 4: The round structure of Twofish (F function with subkeys K_A and K_B, one-bit rotations <<< 1 and >>> 1, inputs A, B, C, D and outputs A_new, B_new, C_new, D_new).

Diffusion: In paper [1] we have seen that the Twofish F function has potentially full diffusion.

Number of rounds, security and speed of encryption: Twofish with 16 rounds (8 cycles) appears to have a high security level in the sense of the NIST comparison of the security of the AES finalists. (Of course, this is probably mainly connected with the use of key-dependent boxes.) Twofish was ranked among the fastest AES candidates.

5 Way from RC5 to RC6

Introductory remarks: The iterated block cipher RC5 was introduced by Rivest in [6]. It has a variable number of rounds denoted by r and a key size of b bytes. The design is word-oriented for word sizes w = 32, 64, and the block size is 2w. The choice of parameters is usually denoted as RC5-w/r/b. In what follows we take w = 32 only. A novel feature of the RC5 algorithm is the use of data-dependent rotations. RC5 is not exactly a Feistel cipher but it has a very similar structure. The RC6 block cipher is an evolutionary improvement of RC5, designed to meet the requirements of the AES. The authors of RC6 (Rivest, Robshaw, Sidney and Yin) described the way from RC5 to RC6 in their AES proposal [7].

A round of RC5 encryption: The formulas for one (half) round of RC5 encryption have the form:

A* = [(A ⊕ B) <<< B] + K, (A_new, B_new) = (B, A*)

A, B, K, A*, A_new, B_new are w-bit words (here we suppose w = 32), A_new, B_new denote the new values (after the round) of the words A, B, and K is a round subkey. A <<< B rotates the w-bit word A to the left by the amount given by the least significant lg w bits of B (here lg w = 5). We see that the data entering the round are split into two halves - a left word A and a right word B. The value of the word B does not change and it is transferred into the new value of the word A.

The unkeyed part of the F function analogy: The function f(X, Y) = X <<< Y appears as the unkeyed part of the F function analogy. It has two input words X and Y. The inputs play very different roles. We can interpret it in the way that the input word Y controls the computation of a new value of the input word X. This function is highly nonlinear with respect to the input word Y (in reality with respect to its 5 least significant bits only). (RC5 security is based on data-dependent rotations.)

A way from the RC5 round to the RC6 round: The authors of RC6 described their way from RC5 to RC6 roughly in the following form:

A first step - an improvement of the RC5 round: The rotation provided by the function f depends on the 5 least significant bits of the word B only. Accordingly RC5 has been strengthened to have rotation amounts depending on all the bits of B. Instead of using B in the straightforward manner as above, they use a transformed version of this register, for a suitable transformation. The particular choice of this transformation for RC6 is:

g(x) = [x × (2x + 1)] <<< 5

Note that g(x) is one-to-one modulo 2^32, and that the bits of g(x) which determine the rotation amount depend heavily on all the bits of x. Then the strengthened form of the RC5 round has the form:

T = g(B), A* = [(A ⊕ T) <<< T] + K, (A_new, B_new) = (B, A*)

Figure 5: The strengthened version of the RC5 round (B transformed by g into T, the function f, subkey K).

A second step - doubling the block size: Run two copies of strengthened RC5 in parallel:

T = g(B), U = g(D),
A* = [(A ⊕ T) <<< T] + K_L, C* = [(C ⊕ U) <<< U] + K_R,
(A_new, B_new) = (B, A*), (C_new, D_new) = (D, C*)

A third step of the way: Mix the A, B computation with the C, D computation. Instead of swapping A with B and C with D, permute the registers A, B, C, D. Switch where the rotation amounts come from between the two computations:

T = g(B), U = g(D),
A* = [(A ⊕ T) <<< U] + K_L, C* = [(C ⊕ U) <<< T] + K_R,
(A_new, B_new, C_new, D_new) = (B, C*, D, A*)
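The three steps above as an added example (not code from the paper or from the RC6 proposal): the RC5 half-round, the strengthened round with g, and the RC6 round, together with a check that the rotation amount in RC5 ignores the high bits of B while after g it does not, and an exhaustive check that g is one-to-one for small word sizes. The word size w is a parameter (the paper's case is w = 32, lg w = 5); subkeys and test words are constructed values.

```python
"""RC5 half-round, the strengthened round with g, and the RC6 round.

Added example.  The word size w is a parameter so that g can be checked
exhaustively for small w; the paper's case is w = 32 with lg w = 5.
"""
W = 32
MASK = (1 << W) - 1
LGW = W.bit_length() - 1          # lg w = 5 for w = 32


def rol(x: int, r: int, w: int = W) -> int:
    """Rotate the w-bit word x left; only the low lg w bits of r matter."""
    mask = (1 << w) - 1
    r %= w
    return ((x << r) | (x >> (w - r))) & mask if r else x & mask


def g(x: int, w: int = W) -> int:
    """RC6 transformation g(x) = (x * (2x + 1)) <<< lg w."""
    mask = (1 << w) - 1
    return rol((x * (2 * x + 1)) & mask, w.bit_length() - 1, w)


def rc5_half_round(a: int, b: int, k: int) -> tuple:
    """A* = ((A xor B) <<< B) + K ; (A_new, B_new) = (B, A*)."""
    a_star = (rol(a ^ b, b) + k) & MASK
    return b, a_star


def strengthened_half_round(a: int, b: int, k: int) -> tuple:
    """First step: T = g(B) replaces B both in the XOR and as rotation amount."""
    t = g(b)
    a_star = (rol(a ^ t, t) + k) & MASK
    return b, a_star


def rc6_round(a: int, b: int, c: int, d: int, k_l: int, k_r: int) -> tuple:
    """Third step: two strengthened copies, rotation amounts swapped,
    registers permuted: (A, B, C, D) -> (B, C*, D, A*)."""
    t, u = g(b), g(d)
    a_star = (rol(a ^ t, u) + k_l) & MASK
    c_star = (rol(c ^ u, t) + k_r) & MASK
    return b, c_star, d, a_star


def rotation_amount_rc5(b: int) -> int:
    """RC5: the amount is simply the low lg w bits of B."""
    return b & ((1 << LGW) - 1)


def rotation_amount_rc6(b: int) -> int:
    """RC6: the amount is the low lg w bits of g(B), i.e. the top bits of B*(2B+1)."""
    return g(b) & ((1 << LGW) - 1)


def high_bit_changes_amount(b: int, bit: int, amount) -> bool:
    """Does flipping bit `bit` of B (above the low lg w bits) change the amount?"""
    return amount(b) != amount(b ^ (1 << bit))


def g_is_bijective(w: int) -> bool:
    """Exhaustive one-to-one check of g modulo 2^w (feasible for small w)."""
    return len({g(x, w) for x in range(1 << w)}) == 1 << w
```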

Figure 6: One round of RC6 (words A, B, D, C; T = g(B), U = g(D); two instances of f; subkeys K_L and K_R; outputs A_new, B_new, D_new, C_new).

Remark about the changed order of the words (A, B, C, D) in figure 6: Both copies of RC5 are used in a symmetric way. To preserve this symmetry in our figure we changed the order of the words C and D. Hence instead of a rotation of the outgoing 4 words we can see two kinds of mixing of the computation lines: the first one provides mixing inside a (strengthened) RC5 instance only and is represented by the transpositions A_new = B, C_new = D. The second one mixes the lines of both instances: B_new = C*, D_new = A*.

Diffusion: In the Appendix the DEM estimation of RC6 is computed with the following result: full diffusion is potentially provided by 3 rounds of RC6.

Number of rounds, security and speed of encryption: RC6 with 20 rounds appears to have an adequate security margin and a reasonable speed of encryption. But both these characteristics are closely connected with the use of data-dependent rotations.

6 Conclusion

We described 4 ways of doubling the block length of a Feistel network connected with 4 former candidates for the AES. The simplest of them is connected with the cipher DEAL. In this case the whole encryption function of the original cipher (here DES) is used as the F function of the new cipher. However, the resulting cipher is very slow in comparison with other AES candidates. The second approach is based on inserting the F function of the original cipher into an unbalanced Feistel network. A cycle of this cipher consists of 4 rounds (a quad-round). Full mixing is potentially reached after 7 rounds. For reasonable security a huge number of rounds is needed; the CAST-256 proposal requires 12 quad-rounds, i.e. 48 rounds. Thus the speed of encryption is also considerably low. The third approach is based on doubling the F function. The original (Blowfish) F function has been essentially modified into the function G and doubled. Mixing of the computation lines connected with these two instances of the function G is provided by the PHT transform. In this way the Twofish F function is obtained. The number of rounds of the resulting cipher needed for full mixing is the same as for a standard Feistel network - in the case of optimal mixing of the F function three rounds are needed. Twofish is a secure and simultaneously fast cipher. The last approach is based on doubling and mixing of a modified Feistel network. Two parallel running copies of the original cipher (RC5) round are strengthened and their computation is mixed. RC6 potentially reaches full diffusion after 3 rounds. The security of RC5 and RC6 is heavily influenced by the use of data-dependent rotations.

References

[1] Rudolf B.: Diffusion Evaluation Matrix Applied to (Generalized) Feistel Networks (corrected version), Mikulášská kryptobesídka 2002, proceedings, ECOM-MONITOR.COM.
[2] Meyer C.: Cryptography: A New Dimension in Computer Data Security, John Wiley & Sons, 1982.
[3] Adams C.: The CAST-256 Encryption Algorithm, AES proposal.
[4] Knudsen L.: Contemporary Block Ciphers, Lectures on Data Security, LNCS.
[5] Knudsen L.: DEAL - a 128-bit Block Cipher.
[6] Rivest R. L.: The RC5 Encryption Algorithm, Fast Software Encryption 95, LNCS 1008.
[7] Rivest R. L., Robshaw M. J. B., Yin Y. L.: The RC6 Block Cipher, v.1.1, AES proposal.
[8] Schneier B.: The Twofish Encryption Algorithm: A 128-bit Block Cipher, Dr. Dobb's Journal (December).
[9] Schneier B., Kelsey J., Whiting D., Wagner D., Ferguson N.: Twofish: A 128-bit Block Cipher, AES proposal.
[10] Schneier B., Kelsey J., Whiting D., Wagner D., Hall C.: Performance Comparison of the AES Submissions.
[11] Schneier B., Kelsey J.: Unbalanced Feistel Networks and Block Cipher Design, Fast Software Encryption 96, LNCS 1039.
[12] Menezes A. J., van Oorschot P. C., Vanstone S. A.: Handbook of Applied Cryptography, CRC Press, 1996.

Information about the author

RNDr. Bohuslav Rudolf
Studies: Faculty of Mathematics and Physics of the Charles University (Mathematical Physics)
1986: Doctor degree (RNDr.) in the subject Interdisciplinary Physics
Research: Faculty of Mechanical Engineering of the Czech Technical University; research project: Stochastic Models in Statistical and Quantum Physics; grant CTU: Nonlinear Models in Quantum Physics
Shanghai University of Science and Technology (quasi-classical approximation in quantum chaos)
Military Technical Institute of Electronics (risk analysis, public-key cryptography)
2000 -: National Security Authority (block ciphers analysis)

Appendix - DEM estimation of RC6 rounds

Preliminary information

Definitions of the DEM (D1), output-input component dependence (D2) and σ-reduction (D3)

D1: Let us consider a function ϕ: Y = ϕ(X) working with n-bit variables X and Y. Now we regard the n-bit variables X and Y as m-dimensional vectors. Usually we consider the case m = n/8 (vector components are bytes). The j-th component of the vector X (or Y) we denote x_j (or y_j). We assign to this function the corresponding diffusion evaluation matrix (DEM), which we denote as M(ϕ). Its matrix element m_jk(ϕ) (in the j-th row and k-th column) is by definition equal to 1 if and only if the j-th component y_j of the variable Y depends on the k-th component x_k of the variable X. Otherwise we put m_jk(ϕ) = 0.

D2: For the function ϕ: Y = ϕ(X) and the variables X, Y as above, the formulation that the j-th component y_j of Y depends on the k-th component x_k of X means the following: there is at least one pair of values (X, X*) of the variable X such that x*_k ≠ x_k, x*_r = x_r for r ≠ k, and y*_j ≠ y_j, where Y = ϕ(X) and Y* = ϕ(X*).

D3: Let us consider a real matrix M. Then the σ-reduced matrix σ(M) corresponding to M has the elements σ(m_jk), where σ(m_jk) = 1 if m_jk ≠ 0 and σ(m_jk) = 0 if m_jk = 0 (m_jk is the corresponding element of M).

Theorem about the DEM estimation of a composed mapping: Let the functions ϕ, χ and ψ work with n-bit variables so that ψ = ϕ ∘ χ. Let us regard the n-bit inputs and n-bit outputs of these functions as m-dimensional vectors. Then for the DEMs of these functions the following inequality holds:

M(ψ) = M(ϕ ∘ χ) ≤ σ[M(ϕ) · M(χ)],

where · denotes the standard matrix multiplication and the inequality M ≤ N of matrices means that m_jk ≤ n_jk for every pair of indices (j, k).

Full diffusion and the matrix E: We say that a function ϕ has full diffusion iff every component of its output Y depends on all components of its input X. The corresponding diffusion evaluation matrix contains only 1s as its matrix elements. This kind of matrix we call the full diffusion matrix and we denote it as E.

Potentially full diffusion: Usually we are interested in the lowest number of rounds needed for full diffusion. But we compute a DEM estimation only (and not the DEM value). This follows from our use of the inequality for the DEM of a composed function. Accordingly we obtain the results of the estimation in the form: the n-round DEM of the considered function is less than or equal to E. However, in many cases this simply means that this DEM is equal to E. For this reason we speak about potentially full diffusion in these cases.

Identity matrix I: We also use the identity matrix and we denote it as I. It has non-zero elements on its diagonal only. They are all equal to 1.

Work with the matrices E and I: To make σ-reduced multiplications of matrices M and N (containing E and I as submatrices) we can use the following rules: a σ-reduced product of E with E or with I (in either order) gives E, the σ-reduced product of I with I gives I, and any product with the zero matrix gives the zero matrix.

Rotational matrices: The left circular shift of a bit string by α bits we express by a (rotational) matrix indexed by α. Let us notice that the DEM of this mapping is simply equal to this matrix. In the following computation we do not need an explicit form of this matrix.

Work with rotational matrices: It is evident that the σ-reduced product of a rotational matrix with I (in either order) is the rotational matrix itself, that its σ-reduced product with E gives E, and that its product with the zero matrix gives the zero matrix. If we need to express σ-reduced products involving rotational matrices explicitly, we have to use an explicit form of a rotational matrix. It is not so complicated, but in the following computation we do not need it.

Calculations

To be closer to the figure we change the notation of the words in the following way: (A, B, C, D) → (α, β, γ, δ) = (A, B, D, C). Then the round equations become:

α* = {[α ⊕ g(β)] <<< g(γ)} + K_L,
δ* = {[δ ⊕ g(γ)] <<< g(β)} + K_R,
(α_new, β_new, γ_new, δ_new) = (β, δ*, α*, γ)

The round mapping R we regard as the composed mapping R = q4 ∘ q3 ∘ q2 ∘ q1, where:

(α*, β*, γ*, δ*) = q1(α, β, γ, δ): α* = α ⊕ g(β), β* = β, γ* = γ, δ* = δ ⊕ g(γ).
(α*, β*, γ*, δ*) = q2(α, β, γ, δ): α* = α <<< g(γ), β* = β, γ* = γ, δ* = δ <<< g(β).
(α*, β*, γ*, δ*) = q3(α, β, γ, δ): α* = α + K_L, β* = β, γ* = γ, δ* = δ + K_R.
(α*, β*, γ*, δ*) = q4(α, β, γ, δ) = (β, δ, α, γ).

DEM of the function g: It is equal to E: M(g) = E. Every bit of a modular product depends on all bits of its factors.

DEM of subkey adding: It depends on the value of the subkey. Hence we consider the worst diffusion case only. It is connected with the particular subkey value K_L = K_R = 0. Then M(q3, worst) = I.

Accordingly we obtain the block matrices M(q1) and M(q2), in which the rotational matrices appear; their symbols with the indices γ and α denote the rotational matrices for the left circular shifts by the 5 least significant bits of the words g(γ) and g(α), respectively.

M(q3, worst) = I (the subkey value 0), and M(q4) is the permutation matrix of the word permutation (α, β, γ, δ) → (β, δ, α, γ). The DEM estimation of a round then has the form:

M(R) ≤ σ[M(q4) · M(q3, worst) · M(q2) · M(q1)].

Now we need to distinguish the rotational matrices connected with different rounds. The rotational matrices connected with the j-th round we denote with the index (j). The DEM estimation of two rounds (for instance rounds 1 and 2) we obtain in the following way:

M(R ∘ R) ≤ σ[M(R) · M(R)],

with the rotational matrices of rounds 1 and 2 entering the product. It is evident that the DEM estimation of 3 rounds gives the full diffusion matrix E for M(3R). Hence 3 rounds of RC6 provide potentially full diffusion.
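The DEM calculus of the Appendix carried out in code, as an added example (not the paper's code): it composes byte-level dependency matrices with the theorem M(ϕ ∘ χ) ≤ σ[M(ϕ) · M(χ)] and reproduces the round counts stated in the text for DEAL (3), CAST-256 (7), Twofish (3) and RC6 (3). The treatment of data-dependent rotations, 1-bit rotations and subkey addition is my modelling assumption, stated in the module docstring.

```python
"""Diffusion evaluation matrix (DEM) estimation at byte level.

Added example, not the paper's code.  A 0/1 matrix has entry (j, k) = 1
when output byte j may depend on input byte k; rounds are composed with
the Appendix theorem  M(phi o chi) <= sigma[M(phi) M(chi)].
Modelling assumptions (mine): an F function, G function or DES encryption
with full diffusion is the all-ones block E; a word copy is the identity
block I; a 1-bit rotation makes each byte depend on itself and one
neighbour; a data-dependent rotation X <<< g(Y) depends on X through the
worst-case amount 0 (identity) and on every byte of Y (E); subkey
addition is taken in the paper's worst case K = 0 (identity).
"""
from typing import Dict, List, Tuple

Matrix = List[List[int]]
W = 4  # bytes per 32-bit word


def sigma_product(a: Matrix, b: Matrix) -> Matrix:
    """sigma-reduced product: 1 wherever the ordinary matrix product is non-zero."""
    n = len(a)
    return [[1 if any(a[j][t] and b[t][k] for t in range(n)) else 0
             for k in range(n)] for j in range(n)]


def is_full(m: Matrix) -> bool:
    """True for the full diffusion matrix E (all entries equal to 1)."""
    return all(all(row) for row in m)


def build(words: int, deps: Dict[int, List[Tuple[int, str]]]) -> Matrix:
    """Byte-level DEM of one round from a word-level description.

    deps[out_word] lists (in_word, kind) with kind "I", "E" or "ROT1";
    several entries for one pair are ORed together.
    """
    n = words * W
    m = [[0] * n for _ in range(n)]
    for out_w, sources in deps.items():
        for in_w, kind in sources:
            for j in range(W):
                if kind == "E":
                    cols = range(W)
                elif kind == "I":
                    cols = [j]
                elif kind == "ROT1":          # 1-bit rotation: self + neighbour
                    cols = [j, (j + 1) % W]
                else:
                    raise ValueError(kind)
                for k in cols:
                    m[out_w * W + j][in_w * W + k] = 1
    return m


def rounds_to_full_diffusion(round_dem: Matrix, limit: int = 16) -> int:
    """Smallest r with sigma[M(round)^r] = E, the paper's 'potentially full'; -1 if none."""
    acc = round_dem
    for r in range(1, limit + 1):
        if is_full(acc):
            return r
        acc = sigma_product(round_dem, acc)
    return -1


# Word indices follow the round equations quoted in the text.
DEAL = build(2, {0: [(1, "I")],                       # L_new = R
                 1: [(0, "I"), (1, "E")]})            # R_new = L xor E_K(R)

CAST256 = build(4, {0: [(3, "I")], 1: [(0, "I")], 2: [(1, "I")],  # (D, A, B, C*)
                    3: [(2, "I"), (3, "E")]})                     # C* = C xor f(D, k)

TWOFISH = build(4, {0: [(0, "E"), (1, "E"), (2, "ROT1")],  # A_new = (A* xor C) >>> 1
                    1: [(0, "E"), (1, "E"), (3, "ROT1")],  # B_new = B* xor (D <<< 1)
                    2: [(0, "I")], 3: [(1, "I")]})         # (C_new, D_new) = (A, B)

RC6 = build(4, {0: [(1, "I")],                              # A_new = B
                1: [(2, "I"), (1, "E"), (3, "E")],          # B_new = C* = ((C xor U) <<< T) + K_R
                2: [(3, "I")],                              # C_new = D
                3: [(0, "I"), (1, "E"), (3, "E")]})         # D_new = A* = ((A xor T) <<< U) + K_L

ROUNDS = {name: rounds_to_full_diffusion(dem)
          for name, dem in (("DEAL", DEAL), ("CAST-256", CAST256),
                            ("Twofish", TWOFISH), ("RC6", RC6))}

if __name__ == "__main__":
    for name, r in ROUNDS.items():
        print(f"{name:9s} potentially full diffusion after {r} rounds")
```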


More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.

More information

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Cryptography Lecture 4 Block ciphers, DES, breaking DES Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages

More information

The Hash Function JH 1

The Hash Function JH 1 The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred

More information

Security of the AES with a Secret S-box

Security of the AES with a Secret S-box Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How

More information

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by

More information

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Five-Round Algebraic Property of the Advanced Encryption Standard A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science

More information

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National

More information

Cryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan E Minnehaha Parkway 1098 VA Amsterdam, Nethe

Cryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan E Minnehaha Parkway 1098 VA Amsterdam, Nethe Cryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan 9 0 E Minnehaha Parkway 098 VA Amsterdam, Netherlands Minneapolis, MN 559, USA niels@digicash.com schneier@counterpane.com

More information

Complementing Feistel Ciphers

Complementing Feistel Ciphers Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,

More information

Analysis of SHA-1 in Encryption Mode

Analysis of SHA-1 in Encryption Mode Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars

More information

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,

More information

Lecture 12: Block ciphers

Lecture 12: Block ciphers Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is

More information

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL

More information

AES side channel attacks protection using random isomorphisms

AES side channel attacks protection using random isomorphisms Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random

More information

Impossible Differential Attacks on 13-Round CLEFIA-128

Impossible Differential Attacks on 13-Round CLEFIA-128 Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential

More information

Truncated differential cryptanalysis of five rounds of Salsa20

Truncated differential cryptanalysis of five rounds of Salsa20 Truncated differential cryptanalysis of five rounds of Salsa20 Paul Crowley 17th October 2005 Abstract We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters

More information

Block Ciphers and Feistel cipher

Block Ciphers and Feistel cipher introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure

More information

Block Cipher Cryptanalysis: An Overview

Block Cipher Cryptanalysis: An Overview 0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution

More information

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds Taizo Shirai 1, and Bart Preneel 2 1 Sony Corporation, Tokyo, Japan taizo.shirai@jp.sony.com 2 ESAT/SCD-COSIC, Katholieke Universiteit

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers

More information

Improved Cascaded Stream Ciphers Using Feedback

Improved Cascaded Stream Ciphers Using Feedback Improved Cascaded Stream Ciphers Using Feedback Lu Xiao 1, Stafford Tavares 1, Amr Youssef 2, and Guang Gong 3 1 Department of Electrical and Computer Engineering, Queen s University, {xiaolu, tavares}@ee.queensu.ca

More information

Extended Criterion for Absence of Fixed Points

Extended Criterion for Absence of Fixed Points Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper

More information

FFT-Based Key Recovery for the Integral Attack

FFT-Based Key Recovery for the Integral Attack FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose

More information

The Advanced Encryption Standard

The Advanced Encryption Standard Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15

More information

Structural Evaluation by Generalized Integral Property

Structural Evaluation by Generalized Integral Property Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against

More information

A new version of the RC6 algorithm, stronger against χ 2 cryptanalysis

A new version of the RC6 algorithm, stronger against χ 2 cryptanalysis A new version of the RC6 algorithm, stronger against χ 2 cryptanalysis Routo Terada 1 Eduardo T. Ueda 2 1 Dept. of Computer Science University of São Paulo, Brazil Email: rt@ime.usp.br 2 Dept. of Computer

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under

More information

Revisit and Cryptanalysis of a CAST Cipher

Revisit and Cryptanalysis of a CAST Cipher 2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia

More information

Cryptanalysis of EnRUPT

Cryptanalysis of EnRUPT Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is

More information

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits

More information

Cryptanalysis of a Multistage Encryption System

Cryptanalysis of a Multistage Encryption System Cryptanalysis of a Multistage Encryption System Chengqing Li, Xinxiao Li, Shujun Li and Guanrong Chen Department of Mathematics, Zhejiang University, Hangzhou, Zhejiang 310027, China Software Engineering

More information

Statistical Analysis of chi-square A. Author(s)ISOGAI, Norihisa; MIYAJI, Atsuko; NO

Statistical Analysis of chi-square A. Author(s)ISOGAI, Norihisa; MIYAJI, Atsuko; NO JAIST Reposi https://dspace.j Title Statistical Analysis of chi-square A Author(s)ISOGAI, Norihisa; MIYAJI, Atsuko; NO Citation IEICE TRANSACTIONS on Fundamentals o Electronics, Communications and Comp

More information

Linear Approximations for 2-round Trivium

Linear Approximations for 2-round Trivium Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,

More information

Optimized Interpolation Attacks on LowMC

Optimized Interpolation Attacks on LowMC Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering

More information

The Artin-Feistel Symmetric Cipher

The Artin-Feistel Symmetric Cipher The Artin-Feistel Symmetric Cipher May 23, 2012 I. Anshel, D. Goldfeld. Introduction. The Feistel cipher and the Braid Group The main aim of this paper is to introduce a new symmetric cipher, which we

More information

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,

More information

Cryptanalysis of the SIMON Family of Block Ciphers

Cryptanalysis of the SIMON Family of Block Ciphers Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building

More information

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh 18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical

More information

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction

More information

Further improving security of Vector Stream Cipher

Further improving security of Vector Stream Cipher NOLTA, IEICE Paper Further improving security of Vector Stream Cipher Atsushi Iwasaki 1a) and Ken Umeno 2 1 Fukuoka Institute of Technology Wajiro-higashi, Higashiku, Fukuoka 811-0295, Japan 2 Graduate

More information

Efficient Cryptanalysis of Homophonic Substitution Ciphers

Efficient Cryptanalysis of Homophonic Substitution Ciphers Efficient Cryptanalysis of Homophonic Substitution Ciphers Amrapali Dhavare Richard M. Low Mark Stamp Abstract Substitution ciphers are among the earliest methods of encryption. Examples of classic substitution

More information

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128 Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com

More information

Linear Cryptanalysis Using Multiple Approximations

Linear Cryptanalysis Using Multiple Approximations Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Cryptology, lecture 3 Stinson, Section 2.7 3.4 Tuesday, February 12th, 2008 1 Composition Product 2 Substitution-Permutation

More information

Security of Random Feistel Schemes with 5 or more Rounds

Security of Random Feistel Schemes with 5 or more Rounds Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random

More information

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes

More information

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes

More information

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

A Unified Method for Finding Impossible Differentials of Block Cipher Structures A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai

More information

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy

More information

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh 18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical

More information

Cryptanalysis of Hiji-bij-bij (HBB)

Cryptanalysis of Hiji-bij-bij (HBB) Cryptanalysis of Hiji-bij-bij (HBB) Vlastimil Klíma LEC s.r.o., Národní 9, Prague, Czech Republic v.klima@volny.cz Abstract. In this paper, we show several known-plaintext attacks on the stream cipher

More information

Analysis of cryptographic hash functions

Analysis of cryptographic hash functions Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share

More information

Structural Cryptanalysis of SASAS

Structural Cryptanalysis of SASAS tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which

More information

Analysis of Some Quasigroup Transformations as Boolean Functions

Analysis of Some Quasigroup Transformations as Boolean Functions M a t h e m a t i c a B a l k a n i c a New Series Vol. 26, 202, Fasc. 3 4 Analysis of Some Quasigroup Transformations as Boolean Functions Aleksandra Mileva Presented at MASSEE International Conference

More information

New Results in the Linear Cryptanalysis of DES

New Results in the Linear Cryptanalysis of DES New Results in the Linear Cryptanalysis of DES Igor Semaev Department of Informatics University of Bergen, Norway e-mail: igor@ii.uib.no phone: (+47)55584279 fax: (+47)55584199 May 23, 2014 Abstract Two

More information

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015 Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical

More information

On the Salsa20 Core Function

On the Salsa20 Core Function On the Salsa20 Core Function Julio Cesar Hernandez-Castro, Juan M. E. Tapiador, and Jean-Jacques Quisquater Crypto Group, DICE, Universite Louvain-la-Neuve Place du Levant, 1 B-1348 Louvain-la-Neuve, Belgium

More information

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in

More information

Algebraic properties of SHA-3 and notable cryptanalysis results

Algebraic properties of SHA-3 and notable cryptanalysis results Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =

More information

Mod n Cryptanalysis, with Applications Against RC5P and M6

Mod n Cryptanalysis, with Applications Against RC5P and M6 Mod n Cryptanalysis, with Applications Against RC5P and M6 John Kelsey, Bruce Schneier, and David Wagner Abstract. We introduce mod n cryptanalysis, a form of partitioning attack that is effective against

More information

Bit-Pattern Based Integral Attack

Bit-Pattern Based Integral Attack Bit-Pattern Based Integral Attack Muhammad Reza Z aba 1,Håvard Raddum 2,,MattHenricksen 3, and Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane,

More information

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,

More information

Essential Algebraic Structure Within the AES

Essential Algebraic Structure Within the AES Essential Algebraic Structure Within the AES Sean Murphy and Matthew J.B. Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. s.murphy@rhul.ac.uk m.robshaw@rhul.ac.uk

More information

Division Property: a New Attack Against Block Ciphers

Division Property: a New Attack Against Block Ciphers Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption

More information

All-Or-Nothing Transforms Using Quasigroups

All-Or-Nothing Transforms Using Quasigroups All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr

More information

Beyond the MD5 Collisions

Beyond the MD5 Collisions Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)

More information

Cryptography IV: Asymmetric Ciphers

Cryptography IV: Asymmetric Ciphers Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline

More information

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration Journal of Computer Science 4 (1): 15-20, 2008 ISSN 1549-3636 2008 Science Publications Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration V.U.K. Sastry and N. Ravi Shankar

More information

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker Biomedical Security Erwin M. Bakker Overview Cryptography: Algorithms Cryptography: Protocols Pretty Good Privacy (PGP) / B. Schneier Workshop Biomedical Security Biomedical Application Security (guest

More information

On Correlation Between the Order of S-boxes and the Strength of DES

On Correlation Between the Order of S-boxes and the Strength of DES On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan

More information

MATH3302 Cryptography Problem Set 2

MATH3302 Cryptography Problem Set 2 MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International

More information

A Sound Method for Switching between Boolean and Arithmetic Masking

A Sound Method for Switching between Boolean and Arithmetic Masking A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com

More information

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard

More information

Thesis Research Notes

Thesis Research Notes Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.

More information

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer

More information

K Anup Kumar et al,int.j.comp.tech.appl,vol 3 (1), 23-31

K Anup Kumar et al,int.j.comp.tech.appl,vol 3 (1), 23-31 K Anup Kumar et al,int.j.comp.tech.appl,vol 3 (1), 23-31 A Modified Feistel Cipher involving a key as a multiplicant on both the sides of the Plaintext matrix and supplemented with Mixing Permutation and

More information

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/

More information

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown

More information

Perfect Diffusion Primitives for Block Ciphers

Perfect Diffusion Primitives for Block Ciphers Perfect Diffusion Primitives for Block Ciphers Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay École Polytechnique Fédérale de Lausanne (Switzerland) {pascaljunod, sergevaudenay}@epflch

More information

Weaknesses in the HAS-V Compression Function

Weaknesses in the HAS-V Compression Function Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010

More information

The Improved 96th-Order Differential Attack on 11 Rounds of the Block Cipher CLEFIA

The Improved 96th-Order Differential Attack on 11 Rounds of the Block Cipher CLEFIA he Improved 96th-Order Differential Attack on 11 Rounds of the Block Cipher CLEFIA Yasutaka Igarashi, Seiji Fukushima, and omohiro Hachino Kagoshima University, Kagoshima, Japan Email: {igarashi, fukushima,

More information

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT 82 CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT 83 5.1 Introduction In a pioneering paper, Hill [5] developed a block cipher by using the modular arithmetic inverse

More information

MasterMath Cryptology /2 - Cryptanalysis

MasterMath Cryptology /2 - Cryptanalysis MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions

More information