Path: news.io.com!uunet!in1.uu.net!cs.utexas.edu!not-for-mail From: ritter@io.com (Terry Ritter) Newsgroups: sci.crypt Subject: Re: Variable Size Block Ciphers Date: 25 Aug 1995 19:49:15 -0500 Organization: UTexas Mail-to-News Gateway Lines: 117 Sender: nobody@cs.utexas.edu Message-ID: <199508260048.TAA04443@tristero.io.com> References: <303bc3ec@ralf> NNTP-Posting-Host: news.cs.utexas.edu In <303bc3ec@ralf> Ralf Brownwrote: >In article <419qs5$pej@lyra.csx.cam.ac.uk>, rja14@cl.cam.ac.uk >(Ross Anderson) wrote: >}ritter@io.com (Terry Ritter) writes: >} >}> For some time now I have been working with some apparently new >}> ciphering structures which I call "Variable Size Block Ciphers." >}> As the name suggests, these constructs can be made to cipher blocks >}> of essentially arbitrary size (typically in byte-size steps), >}> *without* changing the number of layers or "rounds" in the cipher. ----------------------------------------------------------------- (note emphasis added) >)} >}Two such ciphers appeared in 1993 - WAKE by David Wheeler and a >}proposal from Burt Kaliski and Matt Robshaw. They are both in `Fast >}Software Encryption', Springer LNCS 809 As I said in a previous posting, Ross Anderson's comment is false. WAKE is an autokey stream cipher, and does not produce the bit-level diffusion we expect in a block cipher. And Kaliski-Robshaw is a big, fixed-size block cipher without a variable-size feature. > >And I proposed another approach to variable-size blocks, namely using a >Feistel network and "sliding" it along the input, back in April. If >anyone is interested and can't find it in the sci.crypt.research >archives, I could dig out a copy of that post. No need; let me, let me: >From: ralf+@cs.cmu.edu (Ralf Brown) >Newsgroups: sci.crypt > >Subject: Generalized Feistel Networks >Date: 2 Apr 1995 23:59:33 GMT >Organization: School of Computer Science, Carnegie Mellon >Lines: 49 >Message-ID: <3lndp5$nm4@cantaloupe.srv.cs.cmu.edu> >NNTP-Posting-Host: b.gp.cs.cmu.edu > > >[Does anyone know if the following idea I just had has ever been used? Would >it be more secure than a regular Feistel cipher?] > >As many of you know, Feistel ciphers are based on repeated iterations >("rounds") of the following for the two halves A and B of a block of some >predetermined size: > A' = B > B' = f(A,B), for some invertible function f >with the decryption transform for A',B' being > B = A' > A = f'(B,B'), where f' is the inverse of f > >This idea can be generalized to the N parts of a block (said block naturally >being larger than in the N=2 case normally used). For instance, if N=4, >then the subblocks A,B,C,D of a block would be transformed as follows for >encryption: > A' = D > B' = f(A,B) > C' = f(B,C) > D' = f(C,D) >with decryption using > D = A' > C = f'(D,D') > B = f'(C,C') > A = f'(B,B') > >For N subblocks in a block, a minimum of N rounds are required to process ------------------------------------------------------------------------- (emphasis added) >each subblock uniformly through the network, at which point every subblock -------------------------------------------------------------------------- >of the output depends on every subblock of the input. ---------------------------------------------------- >[...] In contrast, I have clearly defined "Variable Size Block Ciphers" to refer to ciphers which ==> DO NOT REQUIRE MORE ROUNDS <== (to achieve a measurable full diffusion) when the block is expanded. This is the only way such a cipher really could be practical, of course, because otherwise ciphering a given amount of data would go far slower in large blocks than small ones. Moreover, a VSBC exhibits ==> BIT-LEVEL DIFFUSION <== in that every *BIT* in the output block depends on every *BIT* of the input block, and this diffusion is also BALANCED. This is *not* just "subblock" diffusion, and it is not just a detail. This level and quality of diffusion is important to prevent The Opponent from isolating and working on the "subblocks" themselves. My VSBC work occurred substantially before April 1995, with the announcement naturally being delayed for protection purposes. My article is the result of actual implementation, "reduction to practice," and diffusion measurements -- with the better-diffusing architectures selected as examples -- and also general speed comparisons. For some details on this technology, see the (admittedly early) VSBC article on my web page. I welcome comments or confusions. --- Terry Ritter ritter@io.com http://www.io.com/~ritter