How round constants are chosen in a block cipher?


Block ciphers that are NOT LIGHTWEIGHT use relatively complex key scheduling algorithms to enhance their security and thwart some of the known cryptographic attacks. In such ciphers, round constants are also added to remove symmetries in the structure (if these exist), but the selection criteria for the round constants are never mentioned.

How should these constants be selected for any block cipher?

kelalaka: It is a matter of removing the attack surface of slide attacks. However, one needs to see the action on their schedule.

The constants used in block ciphers, much like those used in many other symmetric cryptographic algorithms, depend on what the algorithm needs in terms of security. For block ciphers, the most common constructions use S-boxes and round constants.

In many cases, the requirements for the constants are minimal: that they contain a reasonable mix of zeros and ones, that they lack some pattern that could be exploited (e.g., in a slide or differential attack), and that they be above suspicion (which we refer to as nothing-up-my-sleeve numbers). Common types of patterns to be avoided are things like simple shifts, rotations, and additions of earlier constants, which could be nullified by certain input patterns, depending on the algorithm and its core operations.

Usually, if there is no explanation provided, the constants are typically generated from some sort of well-known constant or pattern. For example, MD5 uses $\sin(x)$, SHA-2 uses square and cube roots, and numerous algorithms use $\pi$, $e$, or $\phi$, and the reader is expected to recognize those constants. (Neither MD5 nor SHA-2 are block ciphers, but the same principle applies.) For example, SEED uses $\phi$.

In some algorithms, such as the Sparkle permutation (which is also not a block cipher), constants are additionally chosen because they have some beneficial property (in this case, resistance to differential attacks), and thus constants are generated and ones that don't meet the requirements are rejected until enough are found. The reader of the paper usually has the same software used for testing those constants and can verify that the constants chosen really are the first ones that meet the criteria.

For S-boxes, things are typically similar, except that in some cases it may be desirable to avoid fixed points or that the period of the orbit is maximal. Sometimes an efficiently computable inverse is helpful (as in SAFER). Again, they are typically generated from some well-known constant, and if the generation is not trivial, usually software or an algorithm is included to demonstrate that there are no back doors.

Typically, if there are substantial requirements other than the general ones listed above, the paper or an adjoining FAQ will say why they were chosen, as the Sparkle paper does. In order for users to trust the algorithm, it will need extensive cryptanalysis, and usually everyone will be happier to have read a few paragraphs about the reasons rather than to have to guess.
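As an added illustration (not code from the thread or from any of the ciphers mentioned), the following regenerates the SHA-256 round constants from cube roots of primes and the MD5 constants from $\sin(i)$, as the answer describes, and then runs a small check for the kind of shift/rotation relations between constants that it says should be avoided. It assumes the published derivation rules (fractional 32 bits of $\sqrt[3]{p_i}$ for the first 64 primes; $\lfloor |\sin(i)| \cdot 2^{32} \rfloor$ for $i = 1..64$); the relation check is a constructed example of what a reviewer might test, not a standard from any paper.

```python
import math

def first_primes(n):
    """Return the first n primes by trial division (n is small here)."""
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in primes if p * p <= c):
            primes.append(c)
        c += 1
    return primes

def icbrt(n):
    """Exact integer floor(cbrt(n)) by Newton iteration, so no float rounding."""
    x = 1 << ((n.bit_length() + 2) // 3)   # initial guess is >= the true root
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

def sha256_round_constants():
    """K[i] = first 32 fractional bits of cbrt(p_i): floor(cbrt(p * 2^96)) mod 2^32."""
    return [icbrt(p << 96) & 0xFFFFFFFF for p in first_primes(64)]

def md5_round_constants():
    """T[i] = floor(|sin(i)| * 2^32), i = 1..64 (double precision is enough here)."""
    return [int(abs(math.sin(i)) * 2**32) for i in range(1, 65)]

def rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & 0xFFFFFFFF

def related_pairs(consts):
    """Flag (i, j) where constant j is a rotation, shift or complement of an
    earlier constant i: simple structure between rounds that a slide-style
    attack could try to cancel, so a designer would want to see none."""
    hits = []
    for j, c in enumerate(consts):
        for i in range(j):
            a = consts[i]
            images = {rotl32(a, r) for r in range(32)}
            images |= {(a << s) & 0xFFFFFFFF for s in range(1, 32)}
            images |= {a >> s for s in range(1, 32)}
            images.add(a ^ 0xFFFFFFFF)
            if c in images:
                hits.append((i, j))
    return hits

if __name__ == "__main__":
    print([hex(k) for k in sha256_round_constants()[:4]])   # 0x428a2f98, 0x71374491, ...
    print(related_pairs(sha256_round_constants()))          # [] for the real table
```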
