VSBC Newsgroup Discussion

Variable Size Block Ciphers discussed in sci.crypt.

The goal is a block-cipher architecture which can have an essentially arbitrary and dynamically-variable block size. It is necessary that good diffusion be produced from all plaintext input bits to all ciphertext output bits. It is desirable that a fixed number of processing layers evenly diffuse blocks of any size, or else there would be a strong motive to use small blocks.


Contents


The Original Announcement

The technical criticism to these brand-new structures comes from David Wagner, and his "No go" response certainly sounds ominous. It took me a long time to understand this criticism and place it in context, even with several other messages from David by private e-mail.

As I understand it, David comments that if we change adjacent input bytes, we can match values in the top-level substitutions, and when this is repeated, it essentially solves that confusion layer. Although I was aware of the first part of this, I did not see how it would lead to success. Thanks David!

Thus, what I had seen as a worst-case block cipher test (the single-bit-change avalanche results) ignores the important possibility of correlations in multi-bit changes. (I expect that we could pick this up by trying all 64K values of two adjacent bytes over multiple keyings.)

But David himself comments that we can correct the problem in the cipher simply by adding another right-going diffusion layer to the original structure. So the "No go" response is not a blanket indictment of the technology, but is instead a good insight about ways in which these structures can be weak. We have every motive to reduce the number of layers, but we can easily go too far. Don't do that.


Announcing Realized Prototypes


Terry Ritter, his current address, and his top page.

Last updated: 1996-02-15