*Edit: As Andy pointed out, the following reasoning is fatally flawed by the fact that the f*

So, given the strong evidence Andy has found, it really looks like the algorithm is a 4-round Feistel network.

This is actually good news, I have to say I am relieved ;)

_{n}functions are**not**bijective.So, given the strong evidence Andy has found, it really looks like the algorithm is a 4-round Feistel network.

This is actually good news, I have to say I am relieved ;)

Remember that

L

_{1}= R

_{0}

R

_{1}= L

_{0}XOR f

_{1}(R

_{0})

L

_{2}= R

_{1}

R

_{2}= L

_{1}XOR f

_{2}(R

_{1})

L

_{3}= R

_{2}

R

_{3}= L

_{2}XOR f

_{3}(R

_{2})

L

_{4}= R

_{3}

R

_{4}= L

_{3}XOR f

_{4}(R

_{3})

In the previous article I showed that if we take (E,D) and (E',D') such that L

_{0}XOR L

_{4}= L'

_{0}XOR L'

_{4}and R

_{0}= R'

_{0}, then

R

_{2}= R'

_{2}.

I'll now take a different route from the one I took yesterday, to avoid the flaw that Andy noticed.

From R

_{2}= R'

_{2}follows that

L

_{1}XOR f

_{2}(R

_{1}) = L'

_{1}XOR f

_{2}(R'

_{1}), that is

R

_{0}XOR f

_{2}(R

_{1}) = R'

_{0}XOR f

_{2}(R'

_{1}), that is (since R

_{0}= R'

_{0})

f

_{2}(R

_{1}) = f

_{2}(R'

_{1}), that is (since f2 is bijective)

R

_{1}= R'

_{1}, that is

L

_{0}XOR f

_{1}(R

_{0}) = L'

_{0}XOR f

_{1}(R'

_{0}), that is (since R

_{0}= R'

_{0})

L

_{0}= L'

_{0}, therefore

(E,D) = (E',D')

Therefore two different pairs with the requested property cannot exist.

When converting the 16-bit values to and from (L,R) pairs, we need to take the initial and final permutation into account. Note that we are not using R

_{4}in the above; we are only using L

_{0}, R

_{0}, and L

_{4}. Also, we don't care about the effects of the permutation on L

_{0}and R

_{0}, the only thing we care about is that when we do L

_{0}XOR L

_{4}we XOR the correct bits together. So we can arbitrarily fix the permutation on L

_{0}and R

_{0}, and try all possible permutations on L

_{4}.

So if the CPS2 algorithm were a Feistel network, for some permutation of the bits in L4 it should not be possible to select two different pairs (E,D) and (E',D') with the requested property.

This doesn't happen: for every permutation, such pairs exist. Therefore CPS2 is not just a 4-round Feistel network.

This is not to say that Andy isn't on the right track, on the contrary, the findings in CPS-2 (5) are extremely interesting, but the algorithm cannot be just a 4-round Feistel network. There's something else we are missing.

## 2 comments:

Sorry, but i have to refute again your experiment. ;)

I had indeed to have mentioned yesterday, but i have to recognize i haven't payed attention till now. Sorry again. :P

The (very evident) flaw is this:

>(since f2 is bijective)

False. A Feistel function is not required to be biyective; indeed, i think that FN with only biyective functions would be weaker than the general case... the Feistel function is the responsible for confusion in the encryption, and it should be such non-linear as possible (of course, a good Feistel function will change approximately half the bits in his output when you flip a bit in his input), but, definitively, it is not needed that it be a bijection.

LOL, you are absolutely right.

Excellent news actually :)

Post a Comment