Comparison of the Randomness Provided by Some AES Candidates
Using decorrelation techniques, we compare the randomness of three schemes used in the AES candidates. The target schemes are the original Feistel scheme and two modified Feistel schemes: the MARS-like structure and the CAST256-like structure. As a result, the required numbers of rounds for Luby-Rackoff's randomness (which is related to resistance against chosen plaintext attacks) are 3, 5, and 7, respectively. Moreover, the required numbers of rounds for achieving a decorrelation bias of order two of $2^{-128}$ are 9, 25, and 35, respectively. This holds for truly random round functions. Imperfect random round functions can achieve similar decorrelation by using decorrelation modules as in DFC, but need at least 9, 30, and 42 rounds, respectively.
Record created on 2007-01-19, modified on 2016-08-08