95082501.HTM

Path: news.io.com!uunet!in1.uu.net!cs.utexas.edu!not-for-mail
From: ritter@io.com (Terry Ritter)
Newsgroups: sci.crypt

Subject: Re: Variable Size Block Ciphers
Date: 25 Aug 1995 19:49:15 -0500
Organization: UTexas Mail-to-News Gateway
Lines: 117
Sender: nobody@cs.utexas.edu
Message-ID: <199508260048.TAA04443@tristero.io.com>
References: <303bc3ec@ralf>
NNTP-Posting-Host: news.cs.utexas.edu

 In <303bc3ec@ralf> Ralf Brown  wrote:

>In article <419qs5$pej@lyra.csx.cam.ac.uk>, rja14@cl.cam.ac.uk
>(Ross Anderson) wrote:
>}ritter@io.com (Terry Ritter) writes:
>}
>}>  For some time now I have been working with some apparently new
>}>  ciphering structures which I call "Variable Size Block Ciphers."
>}>  As the name suggests, these constructs can be made to cipher blocks
>}>  of essentially arbitrary size (typically in byte-size steps),
>}>  *without* changing the number of layers or "rounds" in the cipher.
     -----------------------------------------------------------------
     (note emphasis added)

>)}
>}Two such ciphers appeared in 1993 - WAKE by David Wheeler and a
>}proposal from Burt Kaliski and Matt Robshaw. They are both in `Fast
>}Software Encryption', Springer LNCS 809

 As I said in a previous posting, Ross Anderson's comment is false.
 WAKE is an autokey stream cipher, and does not produce the bit-level
 diffusion we expect in a block cipher.  And Kaliski-Robshaw is 
 a big, fixed-size block cipher without a variable-size feature.


>
>And I proposed another approach to variable-size blocks, namely using a
>Feistel network and "sliding" it along the input, back in April. If
>anyone is interested and can't find it in the sci.crypt.research
>archives, I could dig out a copy of that post.

 No need; let me, let me:

>From: ralf+@cs.cmu.edu (Ralf Brown)
>Newsgroups: sci.crypt
>
>Subject: Generalized Feistel Networks
>Date: 2 Apr 1995 23:59:33 GMT
>Organization: School of Computer Science, Carnegie Mellon
>Lines: 49
>Message-ID: <3lndp5$nm4@cantaloupe.srv.cs.cmu.edu>
>NNTP-Posting-Host: b.gp.cs.cmu.edu
>
>
>[Does anyone know if the following idea I just had has ever been used?  Would
>it be more secure than a regular Feistel cipher?]
>
>As many of you know, Feistel ciphers are based on repeated iterations
>("rounds") of the following for the two halves A and B of a block of some
>predetermined size:
>        A' = B
>        B' = f(A,B), for some invertible function f
>with the decryption transform for A',B' being
>        B = A'
>        A = f'(B,B'), where f' is the inverse of f
>
>This idea can be generalized to the N parts of a block (said block naturally
>being larger than in the N=2 case normally used).  For instance, if N=4,
>then the subblocks A,B,C,D of a block would be transformed as follows for
>encryption:
>        A' = D
>        B' = f(A,B)
>        C' = f(B,C)
>        D' = f(C,D)
>with decryption using
>        D = A'
>        C = f'(D,D')
>        B = f'(C,C')
>        A = f'(B,B')
>
>For N subblocks in a block, a minimum of N rounds are required to process
 -------------------------------------------------------------------------
 (emphasis added)

>each subblock uniformly through the network, at which point every subblock
 --------------------------------------------------------------------------

>of the output depends on every subblock of the input.
 ----------------------------------------------------

>[...]

 In contrast, I have clearly defined "Variable Size Block Ciphers"
 to refer to ciphers which

             ==>  DO NOT REQUIRE MORE ROUNDS  <==

 (to achieve a measurable full diffusion) when the block is expanded.
 This is the only way such a cipher really could be practical, of
 course, because otherwise ciphering a given amount of data would
 go far slower in large blocks than small ones.

 Moreover, a VSBC exhibits

                 ==>  BIT-LEVEL DIFFUSION  <==

 in that every *BIT* in the output block depends on every *BIT* of
 the input block, and this diffusion is also BALANCED.  This is
 *not* just "subblock" diffusion, and it is not just a detail.
 This level and quality of diffusion is important to prevent The
 Opponent from isolating and working on the "subblocks" themselves.

 My VSBC work occurred substantially before April 1995, with the
 announcement naturally being delayed for protection purposes.

 My article is the result of actual implementation, "reduction to
 practice," and diffusion measurements -- with the better-diffusing
 architectures selected as examples -- and also general speed
 comparisons.

 For some details on this technology, see the (admittedly early)
 VSBC article on my web page.  I welcome comments or confusions.

 ---
 Terry Ritter   ritter@io.com   http://www.io.com/~ritter