Path: news.io.com!uunet!in2.uu.net!news.mathworks.com!newsfeed.internetmci.com!howland.reston.ans.net!vixen.cso.uiuc.edu!news.uoregon.edu!news.delphi.com!usenet
From: John Kelsey
Newsgroups: sci.crypt
Subject: Variable-size block ciphers
Date: Fri, 25 Aug 95 23:11:03 -0500
Organization: Delphi (info@delphi.com email, 800-695-4005 voice)
Lines: 116
Message-ID:
NNTP-Posting-Host: bos1e.delphi.com

-----BEGIN PGP SIGNED MESSAGE-----

>From: ritter@io.com (Terry Ritter)
>Subject: Re: Variable Size Block Ciphers
>Date: 23 Aug 1995 11:09:07 -0500

>  I'm always honored by a response from Ross, and we've had several
>  discussions over the past years, but this time I think he misses
>  the point.  While Kaliski-Robshaw does handle large 1 KB blocks,
>  we can search in vain for any reference to a size-parameterized
>  design or operation on data blocks of dynamically-variable size.
>  This is a particular design for a particular (fixed) size block.

From what I've seen of this construction, it seems odd to me that you
don't need more rounds to handle larger blocks.  (Intuitively, getting
full diffusion through a 256-bit block should take more work than
getting full diffusion through a 64-bit block.)  Unfortunately, I don't
have access to a web browser that will let me view images, so I'm stuck
with ASCII diagrams--so I may be missing something.

>  1.  There will be some applications in which data-expansion can
>      be eliminated.

This is do-able with any fixed-length block cipher, if you're willing
to do some extra work in encryption and decryption.  If you eliminated
data expansion by changing the block size of the last block, it seems
like you'd be saving yourself little work.

>  2.  There will be other applications which can avoid buffering
>      by directly ciphering application-dependent field sizes.

>  3.  There may be a few applications (perhaps database ciphering,
>      or voice CODEC's) which actually can use a cipher of
>      dynamically-variable size.

>  4.  A single design can handle all of the above, as well as
>      64-bit blocks, 256-Byte blocks and 1 KB blocks.  Thus, a
>      single cipher can handle database ciphering, disk sector
>      ciphering, and communications.

>  5.  Tiny versions of the same cipher can be exhaustively studied,
>      and this can be done by parameterizing production-capable
>      code.  (Validating results between this and the actual
>      production code then validates the high-efficiency
>      realization.)

All four of these depend on the idea that it's possible to come up
with equally-secure versions of your block cipher for any given size.
I really would like to see some explanation of why you are convinced
that this is the case.  It's easy to create variants of Blowfish,
SAFER, and many other ciphers with different block sizes, but it looks
like changing the block size changes the security properties of these
ciphers, perhaps requiring more rounds to be secure.

>  There are other advantages to VSBC technology:
>
>  1.  These ciphers can closely approach the ideal of "overall
>      diffusion," in which a change to *any* input *bit* changes
>      *every* output *bit* with probability 0.5.  This is what
>      we should expect and demand from a quality block cipher.

Here, you're just saying that you have full diffusion, right?  This is
a necessary but not sufficient condition for block cipher security,
since without full diffusion, it's possible to perform various
divide-and-conquer attacks on the block cipher.

>  4.  Additional independent strength is easily added with new
>      layers, without disturbing the rest of the design.  In
>      contrast, simply increasing the number of rounds which do
>      the same old algorithmic thing may not improve strength at
>      all.  (Is a 32-round DES stronger than 16-round DES?)

Can you explain this a bit more clearly?  I'm not too sure I understand
how you can be more certain that adding layers in your design adds
strength, than you can be that adding rounds to DES adds strength.

>  5.  VSBC technology produces a clear, regular, understandable
>      structure in which the role of each element can be addressed
>      mathematically.  In contrast, irregular and ad hoc designs
>      depend on the mysterious strength of complex manipulations.
>      While such manipulations may be "mathematical," they often
>      do not carry any useful analytical properties.  Absent a
>      comprehensive theory of design, such ciphers can only be
>      analyzed individually, which is one of the major problems
>      that cryptography has today.

I would say that a number of block cipher designs fit this
description, such as balanced Feistel networks with subkeys applied
outside the f() functions, block cipher designs based on cellular
automata, etc.

>  SAFER K-64 does not use "fencing" layers (arrays of keyed
>  substitutions), and does use iterative "rounds" which my ciphers
>  do not.  Still, if somebody has a problem with weak mixing (as a
>  lot of people did on sci.crypt last year), I encourage them to
>  take it up with Massey.  :-)

Actually, you could go back to the earliest work on SP networks--
fixed bit permutations are weak mixing layers, but nobody seems to
doubt that they're useful in designing strong ciphers.

>  Terry Ritter   ritter@io.com   http://www.io.com/~ritter

   --John Kelsey, jmkelsey@delphi.com
   PGP 2.6 fingerprint = 4FE2 F421 100F BB0A  03D1 FE06 A435 7E36

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMD6IsEHx57Ag8goBAQHMwwP/Sfc+HQptaJS4Gp2iBrXB7UfRq+BnTYiz
lLQxrCHgTWm9wL0oh9RbuvasrBd6w747xH7xL3qmzoXnUiMenTvJsx3HmxN1omVj
QJI5f6SBDSbyVhDhrVp30GCKRusF4K35LTPW0ERv9ClLton7PP9fnQc8LMsMy0sc
IqHBKhRX1JY=
=kCRE
-----END PGP SIGNATURE-----
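The two questions Kelsey raises above, whether a larger block needs more rounds to reach full diffusion, and whether "every output bit depends on every input bit" says anything beyond that about strength, can both be checked empirically on a toy size-parameterized cipher. The following is an added example and is not code from the post, from Ritter's VSBC designs, or from any cipher named in the thread. Its structure (one fixed random byte S-box used as the "fencing" layer, a per-round key XOR, then a mixing layer), the two mixing layers, the function names and the fixed seed are all assumptions chosen for illustration. `mix_local` spreads influence one byte position per round in each direction, so an n-byte block needs about n/2 rounds before every output bit depends on every input byte; `mix_chain` (a CBC-style running XOR, alternating direction) reaches full dependence in two rounds whatever the size, at the same per-round cost. The code also reports the measured avalanche rate, the probability-0.5 property from Ritter's point 1, which is a separate measurement from dependence.

```python
"""Measure rounds-to-full-dependence of a toy size-parameterized SP cipher.

Added example for the thread above; NOT code from the post or from any
cipher it names.  The cipher (fixed random byte S-box, per-round key XOR,
then a mixing layer) and the two mixing layers are assumptions chosen to
make the block-size/round-count trade-off visible.
"""
import random

# One fixed random byte permutation, used as the keyed substitution layer.
_rng = random.Random(2025)
SBOX = list(range(256))
_rng.shuffle(SBOX)


def mix_local(x, rnd):
    """Nearest-neighbour mixing: each byte XORed with both cyclic neighbours.
    Influence spreads one byte position per round in each direction."""
    n = len(x)
    return [x[i] ^ x[i - 1] ^ x[(i + 1) % n] for i in range(n)]


def mix_chain(x, rnd):
    """CBC-style running XOR, forward on even rounds, backward on odd ones.
    A change reaches every byte downstream of it in a single pass."""
    order = range(len(x)) if rnd % 2 == 0 else range(len(x) - 1, -1, -1)
    out, prev = list(x), 0
    for i in order:
        out[i] = x[i] ^ prev
        prev = out[i]
    return out


def encrypt(block, keys, mixer):
    """One round = key XOR, byte substitution, mixing.  Block size = len(keys[0])."""
    x = list(block)
    for rnd, k in enumerate(keys):
        x = [SBOX[b ^ kb] for b, kb in zip(x, k)]
        x = mixer(x, rnd)
    return x


def diffusion_stats(n, rounds, mixer, trials=32):
    """For each input byte position, flip one random bit of it under
    `trials` random key/plaintext pairs and diff the two ciphertexts.

    Returns (coverage, avalanche): coverage is the fraction of
    (input byte, output bit) pairs for which the output bit flipped at
    least once (1.0 == every output bit depends on every input byte);
    avalanche is the mean fraction of output bits flipped per trial,
    which an ideal cipher drives to 0.5."""
    reached = flips = 0
    for p in range(n):
        seen = [0] * (8 * n)
        for t in range(trials):
            r = random.Random(f"{n}-{rounds}-{p}-{t}")   # reproducible trial
            keys = [bytes(r.getrandbits(8) for _ in range(n))
                    for _ in range(rounds)]
            pt = [r.getrandbits(8) for _ in range(n)]    # constructed input
            pt2 = list(pt)
            pt2[p] ^= 1 << r.randrange(8)
            c1, c2 = encrypt(pt, keys, mixer), encrypt(pt2, keys, mixer)
            for i in range(n):
                d = c1[i] ^ c2[i]
                for b in range(8):
                    if d >> b & 1:
                        seen[8 * i + b] = 1
                        flips += 1
        reached += sum(seen)
    pairs = n * 8 * n
    return reached / pairs, flips / (pairs * trials)


def rounds_to_full_dependence(n, mixer, max_rounds=None):
    """Smallest round count at which coverage reaches 1.0, or None."""
    for rounds in range(1, (max_rounds or n + 2) + 1):
        coverage, _ = diffusion_stats(n, rounds, mixer)
        if coverage == 1.0:
            return rounds
    return None


if __name__ == "__main__":
    for name, mixer in (("local", mix_local), ("chain", mix_chain)):
        for n in (4, 8, 16):
            r = rounds_to_full_dependence(n, mixer)
            _, av = diffusion_stats(n, r, mixer)
            print(f"{name:5s} {8 * n:3d}-bit block: full dependence after "
                  f"{r} rounds, avalanche {av:.3f}")
```

Two things to read out of the run. First, for the local mixer the round count grows with the block (structurally it can never be below n/2, since after r rounds a change has only reached bytes within distance r), which is exactly the intuition Kelsey states; the chain mixer has no such growth. Second, both mixers show an avalanche rate near 0.5 at the point where dependence first becomes complete, yet the chain variant has an obvious structural property in this toy: after its forward pass, every byte downstream of the changed one carries the identical XOR difference, because the running XOR passes a difference through unchanged. That is the kind of regularity a differential cryptanalyst looks for, and neither the dependence count nor the avalanche rate flags it, which is the sense in which full diffusion is necessary but not sufficient.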