From: John Kelsey 
Newsgroups: sci.crypt

Subject: Variable-size block ciphers
Date: Fri, 25 Aug 95 23:11:03 -0500
Organization: Delphi ( email, 800-695-4005 voice)
Lines: 116


>From: (Terry Ritter)
>Subject: Re: Variable Size Block Ciphers
>Date: 23 Aug 1995 11:09:07 -0500

> I'm always honored by a response from Ross, and we've had several
> discussions over the past years, but this time I think he misses
> the point.  While Kaliski-Robshaw does handle large 1 KB blocks,
> we can search in vain for any reference to a size-parameterized
> design or operation on data blocks of dynamically-variable size.
> This is a particular design for a particular (fixed) size block.

From what I've seen of this construction, it seems odd to me that
you don't need more rounds to handle larger blocks.  (Intuitively,
getting full diffusion through a 256-bit block should take more
work than getting full diffusion through a 64-bit block.)
Unfortunately, I don't have access to a web browser that will let
me view images, so I'm stuck with ASCII diagrams--so I may be
missing something.

>    1. There will be some applications in which data-expansion can
>       be eliminated.

This is do-able with any fixed-length block cipher, if you're
willing to do some extra work in encryption and decryption.  If you
eliminated data expansion by changing the block size of the last
block, it seems like you'd be saving yourself little work.

>    2. There will be other applications which can avoid buffering
>       by directly ciphering application-dependent field sizes.
>    3. There may be a few applications (perhaps database ciphering,
>       or voice CODEC's) which actually can use a cipher of
>       dynamically-variable size.
>    4. A single design can handle all of the above, as well as
>       64-bit blocks, 256-Byte blocks and 1 KB blocks.  Thus, a
>       single cipher can handle database ciphering, disk sector
>       ciphering, and communications.
>    5. Tiny versions of the same cipher can be exhaustively studied,
>       and this can be done by parameterizing production-capable
>       code.  (Validating results between this and the actual
>       production code then validates the high-efficiency
>       realization.)

All four of these depend on the idea that it's possible to come up
with equally-secure versions of your block cipher for any given
size.  I really would like to see some explanation of why you are
convinced that this is the case.  It's easy to create variants of
Blowfish, SAFER, and many other ciphers with different block sizes,
but it looks like changing the block size changes the security
properties of these ciphers, perhaps requiring more rounds to be

> There are other advantages to VSBC technology:
>    1. These ciphers can closely approach the ideal of "overall
>       diffusion," in which a change to *any* input *bit* changes
>       *every* output *bit* with probability 0.5.  This is what
>       we should expect and demand from a quality block cipher.

Here, you're just saying that you have full diffusion, right?  This
is a necessary but not sufficient condition for block cipher
security, since without full diffusion, it's possible to perform
various divide-and-conquer attacks on the block cipher.

>    4. Additional independent strength is easily added with new
>       layers, without disturbing the rest of the design.  In
>       contrast, simply increasing the number of rounds which do
>       the same old algorithmic thing may not improve strength at
>       all.  (Is a 32-round DES stronger than 16-round DES?)

Can you explain this a bit more clearly?  I'm not too sure I
understand how you can be more certain that adding layers in your
design adds strength, than you can be that adding rounds to DES
adds strength.

>    5. VSBC technology produces a clear, regular, understandable
>       structure in which the role of each element can be addressed
>       mathematically.  In contrast, irregular and ad hoc designs
>       depend on the mysterious strength of complex manipulations.
>       While such manipulations may be "mathematical," they often
>       do not carry any useful analytical properties.  Absent a
>       comprehensive theory of design, such ciphers can only be
>       analyzed individually, which is one of the major problems
>       that cryptography has today.

I would say that a number of block cipher designs fit this
description, such as balanced Feistel networks with subkeys applied
outside the f() functions, block cipher designs based on cellular
automata, etc.

> SAFER K-64 does not use "fencing" layers (arrays of keyed
> substitutions), and does use iterative "rounds" which my ciphers
> do not.  Still, if somebody has a problem with weak mixing (as a
> lot of people did on sci.crypt last year), I encourage them to
> take it up with Massey.  :-)

Actually, you could go back to the earliest work on SP networks--
fixed bit permutations are weak mixing layers, but nobody seems to
doubt that they're useful in designing strong ciphers.

> Terry Ritter

   --John Kelsey,
 PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36
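
The point Kelsey raises at the top of the post (that a fixed number of rounds should give less complete diffusion as the block grows) can be checked on a toy model. What follows is an added example, not code from either poster and not Ritter's VSBC construction: a size-parameterised SP-network built from the PRESENT 4-bit S-box and a PRESENT-style bit permutation generalised to any block size that is a multiple of 4 bits, plus an avalanche test that records, for every (input bit, output bit) pair, whether flipping the input bit was ever seen to flip the output bit. The names `ToySPN`, `avalanche` and `rounds_to_full_coverage`, the SHA-256 key schedule, the multiplier 4 in the permutation and the two metrics are assumptions made for this illustration.

```python
"""Toy size-parameterised SP-network plus an avalanche/dependency test.

Added example for illustration only (not either poster's code, not Ritter's
VSBC).  S-box: PRESENT's 4-bit S-box (Bogdanov et al., CHES 2007).  The bit
permutation is PRESENT-style, generalised so one code path serves 32-, 64-,
128- and 256-bit blocks.  Key schedule, permutation multiplier and metrics
are assumptions made for this example.
"""
import hashlib

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]


def perm_table(n_bits):
    """P(i) = 4*i mod (n-1) for i < n-1, P(n-1) = n-1.

    n-1 is odd for every even block size, so gcd(4, n-1) = 1 and P is a
    bijection; the four output bits of each S-box land in four different
    S-boxes, as in PRESENT (whose P is 16*i mod 63).
    """
    return [(4 * i) % (n_bits - 1) for i in range(n_bits - 1)] + [n_bits - 1]


def sbox_layer(x, n_bits, table):
    """Apply a 4-bit S-box to every nibble of the n_bits-wide integer x."""
    y = 0
    for j in range(n_bits // 4):
        y |= table[(x >> (4 * j)) & 0xF] << (4 * j)
    return y


def permute(x, n_bits, table):
    """Move bit i of x to position table[i]."""
    y = 0
    for i in range(n_bits):
        if (x >> i) & 1:
            y |= 1 << table[i]
    return y


class ToySPN:
    """Rounds of key-XOR / S-box layer / bit permutation, then a final key XOR."""

    def __init__(self, key, n_bits, rounds):
        assert n_bits % 4 == 0 and 16 <= n_bits <= 256 and 1 <= rounds <= 255
        self.n, self.rounds = n_bits, rounds
        self.mask = (1 << n_bits) - 1
        self.p = perm_table(n_bits)
        self.p_inv = [0] * n_bits
        for i, t in enumerate(self.p):
            self.p_inv[t] = i
        # Assumed toy key schedule: one SHA-256 output per round, truncated to n bits.
        self.rk = [int.from_bytes(hashlib.sha256(key + n_bits.to_bytes(2, "big")
                                                 + bytes([r])).digest(), "big") & self.mask
                   for r in range(rounds + 1)]

    def encrypt(self, x):
        for r in range(self.rounds):
            x = permute(sbox_layer(x ^ self.rk[r], self.n, SBOX), self.n, self.p)
        return x ^ self.rk[self.rounds]

    def decrypt(self, y):
        y ^= self.rk[self.rounds]
        for r in reversed(range(self.rounds)):
            y = sbox_layer(permute(y, self.n, self.p_inv), self.n, SBOX_INV) ^ self.rk[r]
        return y


def avalanche(cipher, trials=32):
    """Flip each input bit of `trials` plaintexts; record which output bits flip.

    Returns (coverage, mean_flip).  coverage: fraction of (input bit, output
    bit) pairs seen to flip at least once (1.0 = every output bit observed to
    depend on every input bit).  mean_flip: average fraction of output bits
    changed by a one-bit input change (0.5 is the ideal Ritter describes).
    """
    n = cipher.n
    seen = [[False] * n for _ in range(n)]
    total_flips = 0
    for t in range(trials):
        # Constructed, reproducible "random" plaintexts.
        p = int.from_bytes(hashlib.sha256(b"pt-%d-%d" % (n, t)).digest(), "big") & cipher.mask
        c = cipher.encrypt(p)
        for i in range(n):
            d = c ^ cipher.encrypt(p ^ (1 << i))
            total_flips += bin(d).count("1")
            while d:
                seen[i][(d & -d).bit_length() - 1] = True  # lowest set bit
                d &= d - 1
    coverage = sum(row.count(True) for row in seen) / (n * n)
    return coverage, total_flips / (trials * n * n)


def rounds_to_full_coverage(n_bits, max_rounds=8, trials=32, key=b"example key"):
    """Smallest round count at which avalanche() reports coverage 1.0, else None."""
    for r in range(1, max_rounds + 1):
        coverage, _ = avalanche(ToySPN(key, n_bits, r), trials)
        if coverage == 1.0:
            return r
    return None


if __name__ == "__main__":
    for n in (32, 64, 128):
        cov2, flip2 = avalanche(ToySPN(b"example key", n, 2), trials=16)
        print(f"{n:3d}-bit block: 2 rounds -> coverage={cov2:.3f} mean_flip={flip2:.3f}; "
              f"full coverage first seen at {rounds_to_full_coverage(n, trials=16)} rounds")
```

In this toy construction a single input bit can reach at most 4**r output bits after r rounds, so full coverage needs at least ceil(log4(n)) rounds: 3 for a 64-bit block, 4 for a 256-bit block, and the statistical test typically needs one or two more before every pair has actually been observed. That is the scaling Kelsey's intuition predicts for an SP-network with a fixed per-round fan-out; it says nothing about Ritter's design, whose diagrams are not reproduced here.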