xmx
General | |
---|---|
Designers | David M'Raïhi, David Naccache, Jacques Stern, Serge Vaudenay |
First published | January 1997 |
Cipher detail | |
Key sizes | variable, equal to block size |
Block sizes | variable |
Rounds | variable, even |
Best public cryptanalysis | |
differential cryptanalysis, complementation property, weak keys |
In cryptography, xmx is a block cipher designed in 1997 by David M'Raïhi, David Naccache, Jacques Stern, and Serge Vaudenay. According to the designers it "uses public-key-like operations as confusion and diffusion means." The cipher was designed for efficiency, and the only operations it uses are XORs and modular multiplications.
The main parameters of xmx are variable, including the block size and key size, which are equal, as well as the number of rounds. In addition to the key, it also makes use of an odd modulus n which is small enough to fit in a single block.
The round function is f(m)=(moa)·b mod n, where a and b are subkeys and b is coprime to n. Here moa represents an operation that equals m XOR a if that is less than n, and otherwise equals m. This is a simple invertible operation: moaoa = m. The xmx cipher consists of an even number of iterations of the round function, followed by a final o with an additional subkey.
The key schedule is very simple, using the same key for all the multipliers, and three different subkeys for the others: the key itself for the first half of the cipher, its multiplicative inverse mod n for the last half, and the XOR of these two for the middle subkey.
The designers defined four specific variants of xmx:
- Standard: 512-bit block size, 8 rounds, n=2512-1
- High security: 768-bit block size, 12 rounds, n=2768-1
- Very-high security: 1024-bit block size, 16 rounds, n=21024-1
- Challenge: 256-bit block size, 8 rounds, n=(280-1)·2176+157
Borisov, et al., using a multiplicative form of differential cryptanalysis, found a complementation property for any variant of xmx, like the first three above, such that n=2k-1, where k is the block size. They also found large weak key classes for the Challenge variant, and for many other moduli.
References
- David M'Raïhi; David Naccache; Jacques Stern; Serge Vaudenay (January 1997). xmx: A Firmware-Oriented Block Cipher Based on Modular Multiplications (PDF/PostScript). 4th International Workshop on Fast Software Encryption (FSE '97). Haifa: Springer-Verlag. pp. 166–171. Retrieved 3 January 2007.
- Nikita Borisov, Monica Chew, Rob Johnson, David Wagner (February 2002). Multiplicative Differentials (PDF/PostScript). 9th International Workshop on Fast Software Encryption (FSE '02). Leuven: Springer-Verlag. pp. 17–33. Retrieved 3 January 2007.