A T-function is a mapping from n-bit words to n-bit words in which for each 0 ≤ i < n bit i of the output can depend only on bits 0, 1, ..., i of the input. All the boolean operations and most of the numeric operations in modern processors are T-functions, and their compositions are also T-functions. In earlier papers we considered 'crazy' T-functions such as f(x) = x + (x^2 ∨ 5), proved that they are invertible mappings which contain all the 2^n possible states on a single cycle for any word size n, and proposed to use them as primitive building blocks in a new class of software-oriented cryptographic schemes. The main practical drawback of this approach is that most processors have either 32 or 64 bit words, and thus even a maximal length cycle (of size 2^32 or 2^64) may be too short. In this paper we develop new ways to construct invertible T-functions on multiword states whose iteration is guaranteed to yield a single cycle of arbitrary length (say, 2^256). Such mappings can lead to stream ciphers whose software implementation on a standard Pentium 4 processor can encrypt more than 5 gigabits of data per second, which is an order of magnitude faster than previous designs such as RC4. © International Association for Cryptologic Research 2004.
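The T-function and single-cycle properties stated for f(x) = x + (x^2 ∨ 5) can be checked exhaustively on small word sizes. The Python sketch below is an added example, not code from the paper; the function names and the constant parameter `c` (default 5, with c = 1 used only as a contrast) are assumptions made for illustration.

```python
def f(x: int, n: int, c: int = 5) -> int:
    """Single-word mapping x + (x^2 OR c), reduced to n bits."""
    mask = (1 << n) - 1
    return (x + ((x * x) | c)) & mask


def is_t_function(n: int, c: int = 5) -> bool:
    """Check that bit i of f(x) depends only on bits 0..i of x.

    Equivalent test: for every k, the low k output bits are fully
    determined by the low k input bits (checked over all 2^n inputs)."""
    for k in range(1, n + 1):
        low = (1 << k) - 1
        seen = {}
        for x in range(1 << n):
            out = f(x, n, c) & low
            if seen.setdefault(x & low, out) != out:
                return False
    return True


def cycle_length(n: int, c: int = 5, start: int = 0) -> int:
    """Iterations of f needed to return to `start`.

    Returns 0 if the orbit has not come back after 2^n steps, which
    would mean `start` lies on a tail and f is not a permutation."""
    x, steps = f(start, n, c), 1
    while x != start:
        if steps >= (1 << n):
            return 0
        x, steps = f(x, n, c), steps + 1
    return steps


def is_single_cycle(n: int, c: int = 5) -> bool:
    """True when iterating f visits all 2^n states before repeating."""
    return cycle_length(n, c) == (1 << n)


if __name__ == "__main__":
    for n in (4, 8, 12, 16):
        print(f"n={n:2d}  T-function={is_t_function(min(n, 8))}  "
              f"cycle={cycle_length(n)}  full={is_single_cycle(n)}")
    # Contrast (constructed): with c = 1 the orbit of 0 is short.
    print("c=1, n=3 cycle from 0:", cycle_length(3, c=1))
```

The exhaustive checks are only practical for small n; the general statement for every word size rests on the proof in the authors' earlier papers.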
CITATION STYLE
Klimov, A., & Shamir, A. (2004). New cryptographic primitives based on multiword T-functions. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 3017, 1–15. https://doi.org/10.1007/978-3-540-25937-4_1