From: ritter@io.com (Terry Ritter)
Newsgroups: sci.crypt
Subject: Variable Size Block Ciphers
Date: 20 Aug 1995 18:18:12 -0500
Organization: UTexas Mail-to-News Gateway
Message-ID: <199508202317.SAA17442@tristero.io.com>

For some time now I have been working with some apparently new ciphering structures which I call "Variable Size Block Ciphers." As the name suggests, these constructs can be made to cipher blocks of essentially arbitrary size (typically in byte-size steps), *without* changing the number of layers or "rounds" in the cipher. And, while the variable size feature has some unexpected advantages, these ciphers are also the fastest ciphering construct that I know.

A number of different designs have been realized and tested for overall diffusion in both 80-bit and 1600-bit forms. The best designs appear to perform as one would expect from a random permutation of the indicated size. (Worse designs don't.)

The VSBC construction is based on a column of operations, usually including four different substitutions and mixing or combining connections to adjacent columns. (The substitutions are shuffled by an RNG initialized from a Key for primary keying. Inexpensive dynamic block-by-block keying is also available.) The simplest effective scheme I have found looks like this:

                     input byte
                         |
   (left-adjacent        v        (right-adjacent
       column)           S0            column)
                         v
       from XOR0  ->    XOR0
                         +   ->   to XOR0
                         v
                         S1
                         v
                        XOR1  <-  from XOR1
       to XOR1    <-     +
                         v
                         S2
                         v
                        XOR2  <-  from XOR2
       to XOR2    <-     +
                         v
                         S3
                         |
                         v
                     output byte

where S0..S3 are byte-wide substitution tables. This particular version shares information between columns by means of exclusive-OR chains.
This is experimentally sufficient to make single-bit changes in the input value appear to select a byte at random from each column in the block. There are better diagrams in the VSBC paper on my web page:

   http://www.io.com/~ritter

These variable size block constructs are very different from the fixed size DES-like designs we now know, and they open up a broad range of opportunities:

SPEED: VSBC's are the fastest ciphering construct I know.

FLEXIBILITY: The variable-size feature is a better interface to other systems, especially database fields and perhaps voice CODECs. The very same design can be used as a conventional 64-bit block cipher.

ARCHITECTURAL REGULARITY: VSBC's are far easier to implement, and far more effective in the use of silicon real estate than, say, DES-style ciphers.

SCALABILITY: Small blocks, and related versions with small columns, can be investigated experimentally and results extrapolated to real ciphers. (There is no small DES which is indisputably related to DES.)

STRENGTH FLEXIBILITY: Additional layers can be added as needed, without a total re-design of the cipher.

SIZE: A large block of plaintext generally is more unique and harder to attack than a small block of plaintext.

POTENTIALLY ZERO BLOCK EXPANSION: For messages of at least modest size, it may be possible to avoid having a partially-filled last block.

For further details, please see my web page.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter
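
Added example, not part of the original post and not Terry Ritter's code: a toy Python model of the column structure in the diagram (S0, XOR0 chain, S1, XOR1 chain, S2, XOR2 chain, S3) that ciphers blocks of any byte length with the same four layers, inverts them, and measures single-bit diffusion at the 80-bit and 1600-bit sizes the post mentions. Assumptions: all function names are hypothetical, the chains run in the directions of the arrows as drawn, an edge column receives 0 from its missing neighbour, and Python's random.Random stands in for the keyed RNG that shuffles the tables.

```python
import random

def make_tables(key):
    """Four keyed byte substitutions S0..S3 plus their inverses."""
    rng = random.Random(key)  # assumption: stand-in RNG, not cryptographic
    fwd = [rng.sample(range(256), 256) for _ in range(4)]
    inv = [sorted(range(256), key=t.__getitem__) for t in fwd]
    return fwd, inv

def chain(col, rightward):
    """XOR chain: each column XORs in its neighbour's post-XOR value."""
    out, carry = list(col), 0  # assumption: edge column receives 0
    order = range(len(col)) if rightward else reversed(range(len(col)))
    for i in order:
        out[i] ^= carry
        carry = out[i]
    return out

def unchain(col, rightward):
    """Undo chain(): XOR each value with the neighbour it was fed from."""
    step = -1 if rightward else 1
    return [v ^ (col[i + step] if 0 <= i + step < len(col) else 0)
            for i, v in enumerate(col)]

def encrypt(block, key):
    S, _ = make_tables(key)
    col = [S[0][b] for b in block]
    col = [S[1][b] for b in chain(col, True)]   # XOR0: left to right
    col = [S[2][b] for b in chain(col, False)]  # XOR1: right to left
    col = [S[3][b] for b in chain(col, False)]  # XOR2: right to left, as drawn
    return bytes(col)

def decrypt(block, key):
    _, I = make_tables(key)
    col = unchain([I[3][b] for b in block], False)
    col = unchain([I[2][b] for b in col], False)
    col = unchain([I[1][b] for b in col], True)
    return bytes(I[0][b] for b in col)

def avalanche(nbytes, key=1995, trials=64):
    """Mean fraction of output bits flipped by one flipped input bit."""
    rng, flipped = random.Random(nbytes), 0  # constructed sample blocks
    for _ in range(trials):
        p = bytearray(rng.randrange(256) for _ in range(nbytes))
        c0 = encrypt(p, key)
        p[rng.randrange(nbytes)] ^= 1 << rng.randrange(8)
        flipped += sum(bin(x ^ y).count("1") for x, y in zip(c0, encrypt(p, key)))
    return flipped / (trials * nbytes * 8)
```

A result near 0.5 from avalanche(10) or avalanche(200) is what a random permutation of that block size would give; it says nothing about resistance to analysis of this toy model.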