- Rotation combined with other operation(s) allows one to build arbitrary transformations of $w$-bit words. For example, by combining (a sufficient number of) $\operatorname{ROTR}$ (with $r=1$), $\operatorname{NAND}$, and some fixed constants, any function over $w$-bit words can be constructed (thus including any bijection, thus any bit permutation). By contrast, when $w>1$, this cannot be achieved using any combination of $\operatorname{AND}$, $\operatorname{OR}$, $\operatorname{XOR}$, $\operatorname{NAND}$, $\operatorname{NOR}$, and addition modulo $2^w$ (because none of these operations can make bit $x_1$ on input influence bit $x_0$ on output). Stated otherwise: rotation is one of few ways to achieve diffusion from high to lower-order bits (right-shift, division, and table lookup are others).
- More generally, rotation allows a cipher designer to create diffusion, at will, among bits of different rank in computer words, as emphasized in this other answer. Shifts allow that too, but when shifting by more than a few bits they have too many distinct inputs reaching the same output for many cryptographic uses. Other techniques are used to create diffusion among different computer words.
- Availability, speed and low cost: on many CPUs, rotation is the only bit permutation available as a single native CPU instruction (discounting the possibility to implement a permutation by a table read for small $w$). All modern computer CPUs, and many modern embedded CPUs, have a dedicated barrel shifter that can rotate over its natively supported word size(s) $w$, for any $r$, as fast as any other data manipulation goes. Rotation for another width $w$ not supported in hardware can be efficiently constructed in software. In hardware, rotation by a fixed $r$ requires no gate at all (like any bit permutation), thus is extremely fast and cheap.
- No timing dependency: on all CPUs, rotation for fixed $r$ has duration independent of the data manipulated; this extends to variable $r$ when there is a barrel shifter. By contrast, table-lookup (another popular way to achieve diffusion to the right) often exhibits timing dependency, due to cache misses or memory alignment, which might allow timing attacks.
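As an added illustration of the first three points (example code, not part of the original answer): the C program below writes a 32-bit rotate in the shift-or idiom, builds a 24-bit rotate for a width without hardware support, and then checks that a function made only of AND/OR/XOR/NOT and addition modulo $2^{32}$ never lets an input bit influence a lower-rank output bit, while inserting a single ROTR does. The mixing functions `t_function`/`arx_function` and the sample inputs are constructed for the demonstration, not taken from any cipher.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Rotate a 32-bit word right by r. The (x >> r) | (x << (32 - r)) idiom,
 * with both shift counts masked so r == 0 (or r == 32) is well defined. */
static uint32_t rotr32(uint32_t x, unsigned r) {
    r &= 31;
    return (x >> r) | (x << ((32 - r) & 31));
}

/* Rotation for a width the hardware does not support (here w = 24),
 * assembled in software from two shifts, an OR and a mask. */
static uint32_t rotr24(uint32_t x, unsigned r) {
    const uint32_t mask = (1u << 24) - 1;
    x &= mask; r %= 24;
    if (r == 0) return x;
    return ((x >> r) | (x << (24 - r))) & mask;
}

/* Constructed mixing function using only AND, OR, XOR, NOT (= NAND/NOR
 * with itself) and addition mod 2^32: no rotation, shift or lookup. */
static uint32_t t_function(uint32_t x) {
    uint32_t a = x + 0x9E3779B9u;
    uint32_t b = (a & 0x5A5A5A5Au) ^ ~(a | 0x0F0F0F0Fu);
    return (b + (x ^ a)) | ~(x & b);
}

/* The same mixing with one ROTR by r = 1 inserted (constructed). */
static uint32_t arx_function(uint32_t x) {
    return t_function(x) ^ rotr32(x + 0x7F4A7C15u, 1);
}

/* Returns 1 if flipping some input bit j ever changes an output bit of
 * rank below j over the given inputs, i.e. the function diffuses from
 * high- to lower-order bits; returns 0 if that never happens. */
static int diffuses_rightward(uint32_t (*f)(uint32_t),
                              const uint32_t *in, size_t n) {
    for (size_t k = 0; k < n; k++)
        for (unsigned j = 1; j < 32; j++) {
            uint32_t d = f(in[k]) ^ f(in[k] ^ (1u << j));
            if (d & ((1u << j) - 1)) return 1;  /* a bit below j moved */
        }
    return 0;
}

/* Constructed sample inputs covering edge patterns. */
static const uint32_t SAMPLES[] = { 0, 1, 0xFFFFFFFFu, 0x12345678u,
    0xDEADBEEFu, 0x80000000u, 0x7FFFFFFFu, 0xA5A5A5A5u };
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

int main(void) {
    printf("no-rotation mix diffuses right: %d\n",
           diffuses_rightward(t_function, SAMPLES, NSAMPLES));
    printf("with one ROTR diffuses right:   %d\n",
           diffuses_rightward(arx_function, SAMPLES, NSAMPLES));
    printf("rotr24(0x000001, 1) = 0x%06X\n", rotr24(0x000001u, 1));
    return 0;
}
```

For the no-rotation mix the result 0 is not luck: every listed operation computes output bit $i$ from input bits $0..i$ only, so no choice of inputs can show rightward diffusion. Mainstream compilers commonly recognise the `rotr32` idiom and emit the native rotate instruction.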