On 17/4/20 at 12:13,
tranng...@gmail.com wrote:
Hi, let's work a little. Thank you for your attention.
>
> I've read the documentation and have questions:
>
> 1) The mix(x,y) function, described here, and the m(x,y) function described by the documentation, are not the same: m(x,y) has pre-whitening while mix() has both pre- and post- whitening. So I understand that that mix() is intended to be the improved version of m(). Is it correct?
>
Absolutely. It's an improved version, simpler. The documentation is not
up to date. I've chosen pre and post whitening because it is simpler to
explain and, correct me if I'm wrong, safety is the same.
> 2) Does the 'restrict commutativity' property, claimed to hold for m() by the documentation, still hold for mix()?
Yes. Let me say that it's the property that justifies everything and
allows for public-key protocols, key agreement and signature.
>
> 3) The round function mixes the state string (R) with a permuted version of the string (R permuted). The specific permutation is string rotation. Does the 'restrict commutativity' property still hold if the rotation is replaced with another permutation, e.g. decimation?
Well, it's not exactly string rotation. In this case the m (mixing)
function will not be reversible knowing the ciphertext and the key. The
mixing applies f (the 7x7 substitution table) sequentially to adjacent
elements in the string, while trying to accumulate diffusion. So, if s
is the state, the process is:
N=length(s)
s[0]=f(s[0],s[-1]) // s[-1]=s[length(s)-1]
s[1]=f(s[1],s[0])
s[2]=f(s[2],s[1])
...
and so on, wrapping at the end.
Other permutations are possible but always updating, i.e. doing
s[a]=f(s[a],s[b]). I've not written a formal proof but my experiments
point to this.
>
> 4) The entire construction, mix(x,z), has a special algebraic property, namely the 'restrict commutativity' property. On the other hand it is constructed as a product (i.e. multi-round) cipher which, as implied by security requirements, a symmetric (secret-key) block cipher with key length = text length. Am I understanding correctly?
>
Yes again. The name of the property is quite random. The answer to the
second question is yes. I've nothing to add since you're describing it
very accurately. The difference with a symmetric cipher is that it's much
simpler, which is not an advantage but a constraint. In the end it is a
public-key, asymmetric algorithm, so it must hold the property
'restricted commutativity' in order to be useful. The good point is that
the number of rounds is not critical, or at least can be big; 256 rounds
is ok, for example (here I'm considering a round to be a full cycle over the
state). Speed is not critical in public key cryptography (if it's not
absurdly slow, of course).
Yours,
Daniel
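Editor's added example (not Daniel's code, not taken from the project's documentation): a toy implementation of the mixing cycle described in the reply to question 3, wrapped in the pre-whitening / rounds / post-whitening shape described in questions 1 and 4. Assumptions that the thread does not state and that are mine alone: state symbols are integers 0..6 so that f is a 7x7 table; the table F below is constructed for illustration only and is not the real substitution table; whitening is element-wise addition of the key modulo 7; and the key has the same length as the text. The point the block demonstrates is that a cycle of the form s[i]=f(s[i],s[i-1]) with wrap-around is invertible whenever each row of f (fixed neighbour value) is a permutation, and that the inverse has to unwind the updates in reverse order because every element after the first was mixed with an already-updated neighbour.

```python
from typing import List

Q = 7  # alphabet size, matching the "7x7 substitution table" in the thread

# Constructed table (not the project's): F[b][a] = f(a, b) = (3*a + b*b + 1) mod 7.
# For each fixed b the map a -> F[b][a] is a permutation of 0..6, which is the
# property that makes a mixing cycle invertible.
F: List[List[int]] = [[(3 * a + b * b + 1) % Q for a in range(Q)] for b in range(Q)]

# F_INV[b][y] is the unique a with f(a, b) == y, derived from F.
F_INV: List[List[int]] = [[0] * Q for _ in range(Q)]
for _b in range(Q):
    for _a in range(Q):
        F_INV[_b][F[_b][_a]] = _a


def f(a: int, b: int) -> int:
    return F[b][a]


def f_inv(y: int, b: int) -> int:
    return F_INV[b][y]


def mix_cycle(s: List[int]) -> List[int]:
    """One full cycle over the state, as in the e-mail:
    s[0] = f(s[0], s[-1]); s[1] = f(s[1], s[0]); ... wrapping at the end.
    s[-1] is the last element (still un-updated when i == 0); for i >= 1 the
    neighbour s[i-1] has already been updated in this cycle."""
    if len(s) < 2:
        raise ValueError("state needs at least two symbols")
    s = list(s)
    for i in range(len(s)):
        s[i] = f(s[i], s[i - 1])
    return s


def unmix_cycle(s: List[int]) -> List[int]:
    """Inverse of mix_cycle. Walking from the last element down to the first,
    s[i-1] still holds its *updated* value when s[i] is restored, which is
    exactly the neighbour mix_cycle used; for i == 0 the neighbour s[-1] has
    by then been restored to its *original* value, again matching mix_cycle."""
    s = list(s)
    for i in range(len(s) - 1, -1, -1):
        s[i] = f_inv(s[i], s[i - 1])
    return s


def whiten(s: List[int], key: List[int], sign: int) -> List[int]:
    """Assumed whitening: element-wise add (sign=+1) or subtract (sign=-1)
    the key modulo Q. Requires key length == text length."""
    if len(s) != len(key):
        raise ValueError("key length must equal text length")
    return [(a + sign * k) % Q for a, k in zip(s, key)]


def mix(x: List[int], key: List[int], rounds: int = 256) -> List[int]:
    """Pre-whiten, run `rounds` full cycles, post-whiten (256 rounds as the
    thread says is acceptable)."""
    s = whiten(x, key, +1)
    for _ in range(rounds):
        s = mix_cycle(s)
    return whiten(s, key, +1)


def unmix(y: List[int], key: List[int], rounds: int = 256) -> List[int]:
    """Decryption given ciphertext and key: undo everything in reverse."""
    s = whiten(y, key, -1)
    for _ in range(rounds):
        s = unmix_cycle(s)
    return whiten(s, key, -1)


def symbols_changed(x: List[int], key: List[int], pos: int, rounds: int = 256) -> int:
    """Diffusion check: bump one input symbol at `pos` and count how many
    output symbols differ."""
    x2 = list(x)
    x2[pos] = (x2[pos] + 1) % Q
    return sum(a != b for a, b in zip(mix(x, key, rounds), mix(x2, key, rounds)))


if __name__ == "__main__":
    # Constructed sample input and key (not from the thread).
    X = [1, 2, 3, 4, 5, 6, 0, 3, 3, 1]
    K = [3, 0, 6, 2, 5, 1, 4, 4, 0, 2]
    Y = mix(X, K)
    print("ciphertext:", Y)
    print("round trip ok:", unmix(Y, K) == X)
    print("symbols changed by a one-symbol input change:", symbols_changed(X, K, 0))
```

The test for a candidate f is the row check at the top: if any row of F fails to be a permutation, f_inv is ill-defined and the cycle loses information, which is the situation Daniel flags when he says a differently chosen update makes m non-reversible even with the key. Nothing here exercises the 'restricted commutativity' property, since the thread does not define it.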