sci.crypt #46705 (9 more)
Path: news.io.com!io.com!not-for-mail
From: ritter@io.com (ritter)
Newsgroups: sci.crypt

Subject: Fencing and Mixing Ciphers
Date: 16 Jan 1996 19:31:11 -0600
Organization: Illuminati Online
Lines: 242
Message-ID: <4dhjgv$rn5@pentagon.io.com>
NNTP-Posting-Host: pentagon.io.com


 From my previous work on fencing and mixing ciphers I have realized
 a family of five interesting block cipher architectures in 64-bit,
 128-bit, and 256-bit widths.

 You won't find this sort of cipher in the crypto texts.

 These working prototypes are intended to explore a range of
 "Fencing" and "Balanced Block Mixing" designs, and provide some
 crude performance comparisons.  This is patent-pending technology.


 My Technical Terms

    * By "fencing" I mean an array of typically byte-width
      substitutions.  Each 256-byte table corresponds to a
      keyspace of 1684 bits (provided, of course, that the rest
      of the cipher will hide the arrangement of the table).

    * By "balanced block mixing" I mean a structure which generally
      takes two input sub-blocks to two output sub-blocks and
      provably propagates a change in *either* input sub-block to
      *both* output sub-blocks.  (This is sufficient to provide
      provable avalanche in a block cipher.)

 I show the structure for the "4x" or "256-bit block" versions.
 The large block is used for most ciphering; one each 2x and 1x
 block may be used at the end of the file to reduce ciphertext
 expansion to that of a 64-bit block.

 Performance measurements occurred for RAM-drive ciphering of a
 750K file on a P90 under DOS 6.22, with single-pass shuffles.


 Fenced DES  (init = 31ms, ciphering = 181 KB/sec)

                              INPUT
 <------------------------- 256 bits -------------------------->

 S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S  fencing
 -------------------------------x-------------------------------  mixing
 ---------------x--------------- ---------------x---------------  mixing
 ------DES------ ------DES------ ------DES------ ------DES------  DES
 ---------------x--------------- ---------------x---------------  mixing
 -------------------------------x-------------------------------  mixing
 S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S  fencing

 <------------------------- 256 bits -------------------------->
                             OUTPUT

 Here we have 32 input and 32 output byte-substitutions (S)
 across a 256-bit block.  We also mix (---x---) 128-bit and 64-bit
 sub-blocks using linear Balanced Block Mixing.  Because all data
 flows through DES, the cipher cannot be weaker than DES.  Each
 substitution layer is protected by DES and so apparently cannot be
 exposed without breaking DES and the other substitution layer.

 Each 256-byte substitution table is keyed by shuffling under a
 cryptographic RNG initialized from a User Key.  That RNG also
 produces 4 separate random DES keys.  Normally, the keyspace of
 this sort of cipher is limited by the size of the RNG used to key
 the substitutions, and it is easy to have a true keyspace of
 thousands of bits.

 The ability to attack the keying RNG depends upon developing
 the state in one or more of the substitutions, then inferring
 the RNG sequence.  But inferring the RNG sequence can be made
 difficult or impossible by double-shuffling each substitution.
 It is not at all clear how an attacker could develop the correct
 state of any substitution in the first place.  Even a single bit
 error in any input table is guaranteed to produce avalanche, so
 the extent of solution of these tables cannot be distinguished.

 (The Fenced DES cipher was described on sci.crypt almost two
 years ago, in a post I have archived as

    http://www.io.com/~ritter/NEWS/94042901.HTM

 ).


 Fenced Tree  (init = 45ms, ciphering = 113 KB/sec)

 S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S  fencing
 -------------------------------x-------------------------------  mixing
 ---------------x--------------- ---------------x---------------  mixing
 -------x------- -------x------- -------x------- -------x-------  mixing
 ---x--- ---x--- ---x--- ---x--- ---x--- ---x--- ---x--- ---x---  mixing
 -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-  mixing
 S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S  fencing
 -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-  mixing
 ---x--- ---x--- ---x--- ---x--- ---x--- ---x--- ---x--- ---x---  mixing
 -------x------- -------x------- -------x------- -------x-------  mixing
 ---------------x--------------- ---------------x---------------  mixing
 -------------------------------x-------------------------------  mixing
 S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S  fencing

 This is similar to Fenced DES, but with three more Balanced Block
 Mixing layers (for a total of five) and another fencing layer
 instead of the DES layer.


 Fenced Quad  (init = 45ms, ciphering = 398 KB/sec)

 S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S  fencing
 ===============================================================  lin-FFT
 ======= ======= ======= ======= ======= ======= ======= =======  lin-FFT
 S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S  fencing
 ======= ======= ======= ======= ======= ======= ======= =======  lin-FFT
 ===============================================================  lin-FFT
 S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S  fencing

 Here we have two full linear "FFT" operations between three
 fencing layers.  Note that many different mixing arrangements
 will produce equally acceptable mixing.

 Each "FFT" "butterfly" operation is a Balanced Block Mixer of
 appropriate width.  Basically, this design assumes that mixing
 with 32-bit sub-blocks is likely to be faster than mixing with
 8-bit sub-blocks.  Consequently, the mixing is broken down into
 32-bit "FFT" layers and 8-bit "FFT" layers.


 Fenced FFT  (init = 45ms, ciphering = 413 KB/sec)

 S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S  fencing
 ===============================================================  lin-FFT
 S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S  fencing
 ===============================================================  lin-FFT
 S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S  fencing

 Here we also have linear "FFT-like" mixing between three fencing
 layers.  But here, every "FFT" "butterfly" operation is a byte
 width Balanced Block Mixer.


 Fenced OLS  (init = 76ms, ciphering = 372 KB/sec)

                             INPUT
 <------------------------- 256 bits -------------------------->

 ===============================================================  nl-FFT

 <------------------------- 256 bits -------------------------->
                             OUTPUT

 Here we have non-linear FFT-style mixing, and no fencing layers
 at all.  Each "FFT" "butterfly" is a byte-width Balanced Block
 Mixer composed of a keyed pair of orthogonal Latin squares of
 order 256.

 This prototype uses a single 128K randomized table, with a
 keyspace of 3368 bits.  But only memory space and initialization
 time prevents us from using a different table at every mixing
 node, thus producing an astronomical keyspace.


 Avalanche

 It is interesting to contrast the avalanche characteristics in
 this class of mixing cipher with that of the ideal block cipher,
 which is a huge keyed Simple Substitution.  In the ideal case,
 a one-bit change in the input block has the potential to change
 just a single bit in the output block.  But in these mixing ciphers,
 a one-bit change in the input block will change at least one bit
 *in every mixing output*.

 However, this particular case is so rare that we could probably
 never find such a value in the ideal cipher (even though such
 values must exist!).  Nor could we expect to see the difference
 in practical statistical tests.  So here we seem to have designs
 whose known deviations from the ideal occur in areas which we
 cannot measure.


 Complexity

 These ciphers are simultaneously more simple and also more complex
 than conventional ciphers:  These ciphers have far simpler
 structures than, say, "round" based Feistel ciphers, and rely on
 simple, *provable* mixing characteristics.  (See, for example,

    http://www.io.com/~ritter/FENCED.HTM      (24K)

 ).  But these ciphers have far more "state" than conventional
 (mainly "algorithmic") ciphers.  These ciphers also *key* the
 internal state (as opposed to using the same state for all users).

 I expect that the large-state approach is generally more secure
 than the algorithmic approach in that a large keyed state
 *demands* a large amount of investigation to define that state.
 In contrast, a mainly algorithmic approach seems perhaps more
 vulnerable to unknown algorithmic attack.

 Having a clean, simple structure should mean that any attacks
 based on that structure should also be fairly clean and apparent.
 It *should* be easier to have confidence in these ciphers than
 in complex architectures which have plenty of opportunity to
 hide attack techniques.

 There is an additional storage cost for the large-state approach,
 but, for these sizes, it seems almost irrelevant.  This state does
 require a keyed initialization which takes longer than the usual
 algorithmic cipher.  Normally, keyed initialization is arranged
 to occur infrequently.


 Dynamic Keying

 Zero-overhead block-by-block dynamic keying is available by XORing
 the input block with a like-size key.  I would not expect this to
 increase native strength, but I would expect it to defeat attacks
 which rely upon knowing the input to the cipher over many blocks.
 As long as the cipher itself remains unbroken, this sort of dynamic
 key would seem to be well hidden.

 Some moderate-overhead dynamic keying is also available in Fenced
 DES by changing one or more of the DES keys.

 At this time I would resist adding internal XOR keying layers, with
 the thought that such layers might expose otherwise hidden internal
 operations.


 Your Comments Wanted

 All comments on these designs, positive or negative, will be
 appreciated.  Serious financial support is also needed.  Companies
 interested in custom ciphers based on these or other technologies
 should contact me directly.


 References

    http://www.io.com/~ritter/NEWS/LBDNEWS.HTM#LBDBBM
    http://www.io.com/~ritter/BBM.HTM                     (13K)
    http://www.io.com/~ritter/NEWS/LBDNEWS.HTM#LBDFD
    http://www.io.com/~ritter/FENCED.HTM                  (24K)

 ---
 Terry Ritter   Ciphers By Ritter   http://www.io.com/~ritter/