Round (cryptography)

Inserting round-dependent constants into the encryption process breaks the symmetry between rounds and thus thwarts the most obvious slide attacks. The technique is a standard feature of most modern block ciphers. However, a poor choice of round constants or unintended interrelations between the constants and other cipher components could still allow slide attacks (e.g., attacking the initial version of the format-preserving encryption mode FF3). Many lightweight ciphers utilize very simple key scheduling: the round keys come from adding the round constants to the encryption key. A poor choice of round constants in this case might make the cipher vulnerable to invariant attacks; ciphers broken this way include SCREAM and Midori64. == Optimization ==

Daemen and Rijmen assert that one of the goals of optimizing the cipher is reducing the overall workload, the product of the round complexity and the number of rounds. There are two approaches to address this goal: • local optimization improves the worst-case behavior of a single round (two rounds for Feistel ciphers); • global optimization optimizes the worst-case behavior of more than one round, allowing the use of less sophisticated components. == Reduced-round ciphers ==

Cryptanalysis techniques include the use of versions of ciphers with fewer rounds than specified by their designers. Since a single round is usually cryptographically weak, many attacks that fail to work against the full version of ciphers will work on such reduced-round variants. The result of such attack provides valuable information about the strength of the algorithm, a typical break of the full cipher starts out as a success against a reduced-round one. Sateesan et al. propose using the reduced-round versions of lightweight hashes and ciphers as non-cryptographic hash functions. ==References==