Comparison of the Randomness Provided by Some AES Candidates

Using decorrelation techniques, we compare the randomness of three schemes used in the AES candidates. The target schemes are the original Feistel scheme and two modified Feistel schemes: the MARS-like structure and the CAST256-like structure. As a result, the required numbers of rounds for Luby-Rackoff's randomness (which is related to resistance against chosen plaintext attacks) are 3, 5, and 7, respectively. Moreover, the required numbers of rounds for achieving a decorrelation bias of order two of 2<sup>-128</sup> are 9, 25, and 35, respectively. This holds for truly random round functions. Imperfect random round functions can achieve similar decorrelation by using decorrelation modules like those in DFC, but need at least 9, 30, and 42 rounds, respectively.


Published in:
Official Comment of the Advanced Encryption Standard Process, National Institute of Standards and Technology (NIST)
Presented at:
Official Comment of the Advanced Encryption Standard Process, National Institute of Standards and Technology (NIST), April 1999
Year:
1999

 Record created 2007-01-19, last modified 2018-03-17
