Large Block DES

An on-line development project in cryptography.

The goal is a block cipher stronger than DES, and faster than Triple-DES. Ideally, it would also have a block size much larger than DES.



The project began in the weakness of DES, and the horror of systems people contemplating the widespread use of Triple-DES. The goal was a block cipher stronger than DES and substantially faster than Triple-DES. A design was constructed and the NxM DES article prepared.

Alas, NxM DES was found to be weak after publication. This left the problem unsolved, and the failure (in itself, not all that unusual) embarrassingly exposed. Thus began the open development process.

A series of approaches and articles were prepared, culminating in the introduction of Balanced Block Mixers and the resulting Fenced DES cipher. While Fenced DES is a new approach, and so not easily accepted, it does appear to solve the problem.


The original article in the series, and the desirable Nx2 form is eventually shown weak.

Isolated Double DES

An attempt to strengthen Double DES (which is known to be weak) to usability.

Ladder DES

A higher-level "Feistel Cipher" using DES as the nonlinear function.

(NCSA Mosaic has been known to destroy the ASCII flow-diagrams in this article, because they accidentally include the HTML "comment" sequence. Netscape has no such problem, but if your browser does, it may help to view the document "source." I want to avoid changing anything within the documents.)

Q: Am I the only one to find something odd about theoretical results which "prove" strength provided that the base functions are strong? If we had anything reasonable with provable strength, we wouldn't be going through this!

Large Block DES Newsletter

A summary of the never-ending project.

Balanced Block Mixers (originally called Block Mixing Transformations)

Simple, weak, fast and expandable mechanisms for mixing two input blocks into two output blocks. While many cryptographic mechanisms have do not have actual property proofs, this mechanism does.

Among other things, a Balanced Block Mixer construct provably guarantees to propagate a value change in one input block to both output blocks. This property can be used to produce provable overall diffusion or avalanche in a block cipher. While overall diffusion does not necessarily imply strength, overall diffusion is required in a good block cipher.

I note in passing that the mixing that John proposes cannot be a balanced form of mixing. It also combines both "strength" and "mixing," and I'm not sure we know how to evaluate the result. Will strength make up for an unbalanced mixing? How much strength do we need? How much does it have?

As this thread trails off, nobody has been convinced that a weak mixing mechanism can have an advantage in a cryptographic design. Ironically, we now know that about three months earlier, related mixing mechanisms were included in a serious block cipher: In December 1993 the well known and respected cryptographer James Massey presented his design for the SAFER K-64 block at the fast software ciphering conference. SAFER K-64 uses "PHT's" or "Pseudo-Hadamard Transforms" which are similarly weak but are not balanced block mixers.

From a design point of view, one of the most important aspects of Balanced Block Mixing is the provability of change propagation. This is addressed in detail in the Fenced DES design.

Fenced DES

A wide-block structure having a single DES level which is isolated, both on input and output, by arrays of keyed substitutions. The input substitution results are mixed into four separate DES operations each using separate keys. The DES results are then mixed into the output fencing array.

The intent was to find a structure provably stronger than DES, which itself used DES as a component. The design goal was to find some sort of structure which used multiple DES operations to encipher a wider block. This provides much greater strength, with almost single-DES speed.

Toward Axiomatic Fenced DES

A preliminary attempt to formalize the concept of block mixing, and demonstrate that the mixing structure is inherently strong.

The Context of the Fenced DES Design

An overview of Fenced DES with some proofs and strength discussions.

Announcing Realized Prototypes

Huge Block Size Discussion

Discussion from the sci.crypt newsgroup.

Terry Ritter, his current address, and his top page.

Last updated: 1998-01-20