Composing large block cipher from smaller ones
in [Cryptography]
|
Prev: No more conservation of telecommunication data in Germany
Next: Final: An obvious pattern found in the first 37Million Prime Sums using the log of the golden ratio Lp!
From: Mok-Kong Shen on 4 Mar 2010 04:43 Given a block cipher E of block length n, could one advantageously use it to compose a larger block cipher in a rather simple manner? I like to solicit some good ideas on this from the group via presenting my own humble one. With keys K0 and K1 one could do the following processing after Feistel on two blocks of plaintext B_0 and B_1: for (i=0; i<numberofrounds, i++) { B_0 ^= E(K1,B_1); B1 ^= E(K0,B0); } I have omitted the swapping operation that is present e.g. in DES, for that's irrelevant for security, if I don't err. One could recursively do this, doubling the block length to get 4n, 8n, etc. This I would designate as "vertical" expansion. For one could alternatively do "horizontal" expansion to achieve block length of e.g. 4n as follows: for (i=0; i<numberofrounds, i++) { B_0 ^= E(K1,B_1); B1 ^= E(K0,B0); B_2 ^= E(K3,B_3); B3 ^= E(K2,B2); B_0 ^= E(K2,B_2); B2 ^= E(K0,B0); B_1 ^= E(K3,B_3); B3 ^= E(K1,B1); } For comments and critiques I should be very grateful. M. K. Shen
From: Tom St Denis on 4 Mar 2010 06:45 On Mar 4, 4:43 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote: > Given a block cipher E of block length n, could one advantageously use > it to compose a larger block cipher in a rather simple manner? I like > to solicit some good ideas on this from the group via presenting my own > humble one. > > With keys K0 and K1 one could do the following processing after Feistel > on two blocks of plaintext B_0 and B_1: > > for (i=0; i<numberofrounds, i++) > { > B_0 ^= E(K1,B_1); B1 ^= E(K0,B0); > } > > I have omitted the swapping operation that is present e.g. in DES, for > that's irrelevant for security, if I don't err. > > One could recursively do this, doubling the block length to get 4n, 8n, > etc. This I would designate as "vertical" expansion. For one could > alternatively do "horizontal" expansion to achieve block length of e.g. > 4n as follows: > > for (i=0; i<numberofrounds, i++) > { > B_0 ^= E(K1,B_1); B1 ^= E(K0,B0); B_2 ^= E(K3,B_3); B3 ^= E(K2,B2); > B_0 ^= E(K2,B_2); B2 ^= E(K0,B0); B_1 ^= E(K3,B_3); B3 ^= E(K1,B1); > } > > For comments and critiques I should be very grateful. Google for Matt Blazes Turtle Cipher. Tom
From: biject on 4 Mar 2010 09:45 On Mar 4, 2:43 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote: > Given a block cipher E of block length n, could one advantageously use > it to compose a larger block cipher in a rather simple manner? I like > to solicit some good ideas on this from the group via presenting my own > humble one. > > With keys K0 and K1 one could do the following processing after Feistel > on two blocks of plaintext B_0 and B_1: > > for (i=0; i<numberofrounds, i++) > { > B_0 ^= E(K1,B_1); B1 ^= E(K0,B0); > } > > I have omitted the swapping operation that is present e.g. in DES, for > that's irrelevant for security, if I don't err. > > One could recursively do this, doubling the block length to get 4n, 8n, > etc. This I would designate as "vertical" expansion. For one could > alternatively do "horizontal" expansion to achieve block length of e.g. > 4n as follows: > > for (i=0; i<numberofrounds, i++) > { > B_0 ^= E(K1,B_1); B1 ^= E(K0,B0); B_2 ^= E(K3,B_3); B3 ^= E(K2,B2); > B_0 ^= E(K2,B_2); B2 ^= E(K0,B0); B_1 ^= E(K3,B_3); B3 ^= E(K1,B1); > } > > For comments and critiques I should be very grateful. > > M. K. Shen Not sure you would like the idea but say I had an 8 bit crypto both key and buffer. say I want to make it 64 bits long of key space and as big a buffer as possible. Then I would do a first pass of the 8 bit system using first 8 bits of key followed by seven passes of either a binary bwts or unbwts you pick with extra key bits or fix the pattern of bwts unbwts followed by the 8bit cypher pass with new key bits. Suppose you used just binary bwts so no bits used to decide which of bwts and unbwts that would give you a 64 bit cipher with whatever you allow for the block size which is most likely the whole file. for more overkill pick either predefined or key dependent using obviously more key bits some segments of something like offsets into the binary expansion of something like pi and do an xor pass before the bwts or unbwts. for more over kill you can bijectively expand the file so that there would be a minimum size file so that size would not be a give away. Do this before the start of the encryption process. David A. Scott -- My Crypto code http://bijective.dogma.net/crypto/scott19u.zip http://www.jim.com/jamesd/Kong/scott19u.zip old version My Compression code http://bijective.dogma.net/ **TO EMAIL ME drop the roman "five" ** Disclaimer:I am in no way responsible for any of the statements made in the above text. For all I know I might be drugged. As a famous person once said "any cryptograhic system is only as strong as its weakest link"
From: Mok-Kong Shen on 4 Mar 2010 09:49 Tom St Denis wrote: > Google for Matt Blazes Turtle Cipher. Thanks for the pointer. But in my understanding my construction operates on a more coarse level (though on the other hand could be said to be less general than what Turtle wants to achieve). It starts with a block cipher of e.g. 64 or 128 bit block size and hence (assuming that one has such a starting point), is simpler (in implementation and security considerations) in my humble view. M. K. Shen
From: Tom St Denis on 4 Mar 2010 10:08
On Mar 4, 9:49 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote: > Tom St Denis wrote: > > Google for Matt Blazes Turtle Cipher. > > Thanks for the pointer. But in my understanding my construction > operates on a more coarse level (though on the other hand could be said > to be less general than what Turtle wants to achieve). It starts with > a block cipher of e.g. 64 or 128 bit block size and hence (assuming > that one has such a starting point), is simpler (in implementation > and security considerations) in my humble view. The general idea of a recursive Feistel is well established in the Turtle paper. The fact you didn't see that doesn't surprise me. From Turtle you could make a 64-bit cipher with nothing but random 8x8 PRFs, you'd have 4 rounds of a 32-bit function, 4 rounds of a 16, and 4 rounds of a 8 [for 64, 32, and 16-bit feistels respectfully] netting 4^3 = 64 8x8 functions or 16KB of tables. You could generalize this even further to say a SPN where you use a generic 2x2 MDS in say 3 layers per invocation. So start with an 8x8 [bit] PRP then from that you can make a 3 layer 16-bit SPN (needing 6 sboxes). From that you can make a 32-bit SPN (3 * 2 * 6 = 6^2 = 36 sboxes), and so on. Fortunately, there are better ways to make ciphers. For example, one could simply use an 8x8 MDS followed by the same [fixed] 8x8 sbox to get a 64-bit cipher that is much much faster. Same goes for Feistel functions. [*] When I say 8x8 PRF/PRP I mean 8 bits in and 8 bits out, by 8x8 MDS I mean an 8-th degree vector transform. Tom |