Path: news.io.com!news.fc.net!news3.net99.net!news.cais.net!news.structured.
+ net!news.tbcnet.com!pagesat.net!news1.i1.net!news.exodus.net!newsfeed.
+ internetmci.com!news.sprintlink.net!cs.utexas.edu!not-for-mail
From: ritter@io.com (Terry Ritter)
Newsgroups: sci.crypt
Subject: Variable Size Block Ciphers
Date: 20 Aug 1995 18:18:12 -0500
Organization: UTexas Mail-to-News Gateway
Lines: 81
Sender: nobody@cs.utexas.edu
Message-ID: <199508202317.SAA17442@tristero.io.com>
NNTP-Posting-Host: news.cs.utexas.edu

For some time now I have been working with some apparently new
ciphering structures which I call "Variable Size Block Ciphers."
As the name suggests, these constructs can be made to cipher blocks
of essentially arbitrary size (typically in byte-size steps),
*without* changing the number of layers or "rounds" in the cipher.
And, while the variable size feature has some unexpected advantages,
these ciphers are also the fastest ciphering construct that I know.

A number of different designs have been realized and tested for
overall diffusion in both 80-bit and 1600-bit forms. The best
designs appear to perform as one would expect from a random
permutation of the indicated size. (Worse designs don't.)

The VSBC construction is based on a column of operations, usually
including four different substitutions and mixing or combining
connections to adjacent columns. (The substitutions are shuffled
by an RNG initialized from a Key for primary keying. Inexpensive
dynamic block-by-block keying is also available.) The simplest
effective scheme I have found looks like this:

                        input byte
                            |
   (left-adjacent           v           (right-adjacent
       column)              S0              column)
                            v
          from XOR0  ->   XOR0
                            +   ->  to XOR0
                            v
                            S1
                            v
                          XOR1  <-  from XOR1
           to XOR1  <-      +
                            v
                            S2
                            v
                          XOR2  <-  from XOR2
           to XOR2  <-      +
                            v
                            S3
                            |
                            v
                       output byte

where S0..S3 are byte-wide substitution tables. This particular
version shares information between columns by means of
exclusive-OR chains. This is experimentally sufficient to make
single-bit changes in the input value appear to select a byte at
random from each column in the block. There are better diagrams in
the VSBC paper on my web page:

   http://www.io.com/~ritter

These variable size block constructs are very different from the
fixed size DES-like designs we now know, and they open up a broad
range of opportunities:

   SPEED: VSBC's are the fastest ciphering construct I know.

   FLEXIBILITY: The variable-size feature is a better interface to
      other systems, especially database fields and perhaps voice
      CODECs. The very same design can be used as a conventional
      64-bit block cipher.

   ARCHITECTURAL REGULARITY: VSBC's are far easier to implement, and
      far more effective in the use of silicon real estate than, say,
      DES-style ciphers.

   SCALABILITY: Small blocks, and related versions with small columns,
      can be investigated experimentally and results extrapolated to
      real ciphers. (There is no small DES which is indisputably
      related to DES.)

   STRENGTH FLEXIBILITY: Additional layers can be added as needed,
      without a total re-design of the cipher.

   SIZE: A large block of plaintext generally is more unique and
      harder to attack than a small block of plaintext.

   POTENTIALLY ZERO BLOCK EXPANSION: For messages of at least modest
      size, it may be possible to avoid having a partially-filled last
      block.

For further details, please see my web page.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter
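The column structure in the diagram above, as an added toy model for observing the diffusion the post describes; it is not code from the post or from the author's VSBC paper. Assumptions: Python's non-cryptographic random.Random stands in for the unspecified keying RNG, each XOR chain starts from zero at the edge of the block, and dynamic block-by-block keying is left out.

```python
import random
from itertools import accumulate
from operator import xor

def make_tables(key: bytes):
    """Shuffle four byte substitutions S0..S3 from the key; also build inverses.
    Assumption: random.Random is only a stand-in for the post's keying RNG."""
    rng = random.Random(key)
    tables = []
    for _ in range(4):
        s = list(range(256))
        rng.shuffle(s)
        tables.append(bytes(s))
    inverses = [bytes(sorted(range(256), key=t.__getitem__)) for t in tables]
    return tables, inverses

def chain_lr(col):    # XOR0: running XOR handed to the right-adjacent column
    return bytes(accumulate(col, xor))

def chain_rl(col):    # XOR1, XOR2: running XOR handed to the left-adjacent column
    return chain_lr(col[::-1])[::-1]

def unchain_lr(col):  # inverse of chain_lr: XOR each byte with its left neighbour
    return bytes(a ^ b for a, b in zip(col, b"\x00" + col))

def unchain_rl(col):
    return unchain_lr(col[::-1])[::-1]

def encrypt(key: bytes, block: bytes) -> bytes:
    (s0, s1, s2, s3), _ = make_tables(key)
    x = chain_lr(block.translate(s0))   # S0, then XOR0 chain
    x = chain_rl(x.translate(s1))       # S1, then XOR1 chain
    x = chain_rl(x.translate(s2))       # S2, then XOR2 chain
    return x.translate(s3)              # S3

def decrypt(key: bytes, block: bytes) -> bytes:
    _, (i0, i1, i2, i3) = make_tables(key)
    x = unchain_rl(block.translate(i3)).translate(i2)
    x = unchain_rl(x).translate(i1)
    return unchain_lr(x).translate(i0)

def changed_bytes(key: bytes, size: int, byte_index: int = 0) -> int:
    """Flip one input bit and count the ciphertext bytes that differ."""
    pt = bytearray(i % 256 for i in range(size))   # constructed sample block
    before = encrypt(key, bytes(pt))
    pt[byte_index] ^= 0x01
    return sum(a != b for a, b in zip(before, encrypt(key, bytes(pt))))

if __name__ == "__main__":
    for size in (10, 200):   # the 80-bit and 1600-bit block sizes from the post
        print(size, "byte block:", changed_bytes(b"constructed key", size), "bytes changed")
```

A random permutation would leave any given output byte unchanged about once in 256 trials, so nearly every byte of either block size should differ after a single-bit input change.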