Clutch cryptanalysis (named for the car part, not the bird litter) is applicable to ciphers with data-dependent rotations. It is a chosen-plaintext attack which tries to find pairs of plaintexts which are rotated by the same number of bits for some number of rounds. As applied to Wring, it consists of the following steps:
mix3 operation.These graphs are from running a version of clutch cryptanalysis in which the reduced-round encryption function returns the number of bits that the message was rotated by in each round as well as the ciphertext. This enables me to check what happens when the total number of bits two plaintexts were rotated is the same, but the number of bits they were rotated by in some round differs. I use four keys each of three different lengths, originally chosen for a related-key attack, a Wring with linear S-boxes, and two variants of a Wring like what a weak key would produce, and encrypt random-looking 10000-byte, 8192-byte, and 7776-byte messages. These message sizes take 15 rounds [4096,8192) or 16 rounds [8192,16384), but I do only 8 rounds, by which no messages are rotated together all the way through.
Graphs by key, 10000 byte messages:
| key96_0 | key96_1 | key96_2 | key96_3 |
| key30_0 | key30_1 | key30_2 | key30_3 |
| key6_0 | key6_1 | key6_2 | key6_3 |
| Linear | Weak | Weak ⊻0x69 |
Graphs by key, 8192 byte messages:
| key96_0 | key96_1 | key96_2 | key96_3 |
| key30_0 | key30_1 | key30_2 | key30_3 |
| key6_0 | key6_1 | key6_2 | key6_3 |
| Linear | Weak | Weak ⊻0x69 |
Graphs by key, 7776 byte messages:
| key96_0 | key96_1 | key96_2 | key96_3 |
| key30_0 | key30_1 | key30_2 | key30_3 |
| key6_0 | key6_1 | key6_2 | key6_3 |
| Linear | Weak | Weak ⊻0x69 |
This is the number of different bytes at the end of n rounds of encrypting 10000-byte messages that start out differing by one byte and continue rotating together for that many rounds, averaged over the eight keys that ran for the full 2049 iterations. Starting with one different byte, there were 2.543 different bytes partway through the round, 3.484 bytes different at the end of one round, and so on. One pair kept rotating together for six rounds; I ignored it.
| Rounds | Number of different bytes | Ratio | Number of different bytes before rotBitcount |
|---|---|---|---|
| 1 | 3.848 | 3.85 | 2.543 |
| 2 | 13.468 | 3.5 | 8.230 |
| 3 | 40.404 | 3 | 23.949 |
| 4 | 105.05 | 2.6 | 59.61 |
| 5 | 220.6 | 2.1 | 143.03 |
These are the data from running key96_3 for 8192 iterations, not computing jiggle statistics but counting how many bytes differ and how many pairs remain after each round. For speed, I did not count any pair that did not rotate together for two rounds, hence the asterisk at one round.
| Rounds | Remaining | Number of different bytes | Ratio |
|---|---|---|---|
| 1 | * | 3.8238655523772587 | 3.8238655523772587 |
| 2 | 2292283 | 13.448154525422908 | 3.5169004613832002 |
| 3 | 93248 | 40.05148635895676 | 2.9782143180495058 |
| 4 | 2395 | 106.71022964509395 | 2.6643263295827775 |
| 5 | 45 | 219.2 | 2.0541610746133165 |