DFC (cipher)
In cryptography, DFC is a symmetric block cipher which was
created in 1998 by a group of researchers from École Normale Supérieure, CNRS, and France Télécom and submitted to the AES competition.
Like other AES candidates, DFC operates on blocks of 128 bits, using a key of 128, 192, or 256 bits. It uses an 8-round Feistel network. The round function uses a single 6×32-bit S-box, as well as an affine transformation mod 264+13. DFC can actually use a key of any size up to 256 bits; the key schedule uses another 4-round Feistel network to generate a 1024-bit "expanded key". The arbitrary constants, including all entries of the S-box, are derived using the binary expansion of e as a source of "nothing up my sleeve numbers".
Soon after DFC's publication, Ian Harvey raised the concern that reduction modulo a 65-bit number was beyond the native capabilities of most platforms, and that careful implementation would be required to protect against side-channel attacks, especially timing attacks. Although DFC was designed using Vaudenay's decorrelation theory to be provably secure against ordinary differential and linear cryptanalysis, in 1999 Lars Knudsen and Vincent Rijmen presented a differential chosen-ciphertext attack that breaks 6 rounds faster than exhaustive search.
In 2000, Vaudenay, et al. presented an updated version of the algorithm, called DFCv2. This variant allows for more choice in the cipher's parameters, and uses a modified key schedule to eliminate certain weak keys discovered by Don Coppersmith.