Measured Distant Avalanche in Large Block Ciphers (original) (raw)

ACiphers By Ritter Page

Terry Ritter

Some block ciphers handle data blocks of dynamically variable size. These are not stream ciphers, but are instead true block ciphers, in which each and every input bit affects each and every output bit in a balanced way. But in a large block, bits which are far apart must somehow produce similar effects, which exposes the possibility that mixing could be more effective for near bit positions than for far ones. We can explore possible locality in mixing by injecting data changes at different points across the plaintext data block, and counting the resulting bit-changes at multiple points across the ciphertext. Accumulated bit-change counts can be organized in a "contingency table" for a test of independence. Experiments conducted on Mixing and Variable Size Block Cipher constructions with 16-byte, 64-byte and even 512-byte (that is, 4096-bit) blocks show no evidence of mixing locality.


Contents


From: ritter@io.com (Terry Ritter) Newsgroups: sci.crypt Subject: Measured Distant Avalanche in Large Block Ciphers (LONG!) Date: Thu, 05 Mar 1998 01:24:44 GMT Lines: 403 Message-ID: 34fdfea7.1999205@news.io.com

MEASURED DISTANT AVALANCHE IN LARGE BLOCK CIPHERS

Terry Ritter ritter@io.com Ritter Software Engineering http://www.io.com/~ritter/

1998-03-04 (Army Day)

ABSTRACT

Some block ciphers handle data blocks of dynamically variable size. These are not stream ciphers, but are instead true block ciphers, in which each and every input bit affects each and every output bit in a balanced way. But in a large block, bits which are far apart must somehow produce similar effects, which exposes the possibility that mixing could be more effective for near bit positions than for far ones. We can explore possible locality in mixing by injecting data changes at different points across the plaintext data block, and counting the resulting bit-changes at multiple points across the ciphertext. Accumulated bit-change counts can be organized in a "contingency table" for a test of independence. Experiments conducted on Mixing and Variable Size Block Cipher constructions with 16-byte, 64-byte and even 512-byte (that is, 4096-bit) blocks show no evidence of mixing locality.

INTRODUCTION

The ideal block cipher is a keyed simple substitution table of sufficient size. Unfortunately, with 128-bit blocks, there would be 2**128 entries in that table, which is completely out of the question. So the modern block cipher is a construction intended to simulate a keyed substitution of the desired size. At issue is the effectiveness of the construction technology; in particular, the ability of the mixing to handle distant bits equally well.

A more fundamental question might be why one would want a large block cipher. The short answer is that there can be real advantages to large blocks:

  1. Large blocks support an unsearchable amount of "uniqueness" or "entropy" in each plaintext block, which allows us to avoid randomization by block chaining. This means we can use electronic code book (ECB) mode, and avoid the need to generate and transport (or save) an initial value (IV). ECB mode also supports the ciphering of independent blocks, both in-parallel for high speed, and out-of-order as occurs in packet-oriented applications.

  2. A large block has room for information other than data. For example, an authentication field can avoid a separate authentication pass across the data at a higher level, and thus speed overall operation. And a dynamic keying field can provide ultra-high-speed keying. That same field also can be seen as a strength-producing homophonic "mode," a useful block cipher mode which is simply impractical in ciphers which only have small blocks.

Note that a cipher which supports blocks of dynamically variable size can handle "legacy" 64-bit blocks, "modern" 128-bit blocks, and even "independent" 64-byte blocks in a single unchanged program. Thus, when large blocks are inappropriate, legacy blocks are always available. And when large blocks are used, we can always "step down" the block size at the end of a message, and so limit data expansion to that of legacy ciphers. This means that there is little or no "down side" to using ciphers which have a dynamically variable block size.

Here we seek to investigate the quality of the mixing in some large block constructions by experiment.

AVALANCHE

The term "avalanche" comes from Feistel [1], and refers to the observed property of a block cipher constructed in "rounds" with respect to a tiny change in the input. The change of a single input bit generally produces multiple bit-changes after one round, many more bit-changes after another round, and so on, until about half of the block will change. An analogy is drawn to an avalanche in snow, where a small initial effect can lead to a dramatic result. Feistel writes:

"As the input moves through successive layers the pattern of 1's generated is amplified and results in an unpredictable avalanche. In the end the final output will have, on average, half 0's and half 1's . . . ." [p.22]

In any block cipher we expect every input bit to affect every output bit: If we change an input bit, we expect about half of the output bits to change, and we expect this to be independent of input or output bit position. This is in fact inherent in the concept of a large invertible substitution, but when we simulate such a table, it becomes necessary to somehow force the "mixing" of every input bit into every output bit in a balanced way. We might use the term "distant avalanche" to refer to bit changes in a block position far removed from the input change.

NEW MIXING TECHNOLOGIES

Over the past decade of my full-time work in this field, I have had the rare privilege to introduce to cryptography two new and original forms of mixing for block cipher construction: Balanced Block Mixing and Variable Size Block Ciphers. These technologies mix more data, better, and with less effort than earlier techniques. For example, Mixing ciphers

http://www.io.com/~ritter/CRYPHTML.HTM#BBMTech

have a known mixing effort of n log n for n-bit blocks of any power-of-2 size. Further, each input byte is known to participate in each mixed result byte exactly once, and with the same significance.

On the other hand, VSBC's

http://www.io.com/~ritter/CRYPHTML.HTM#VSBCTech

have a mixing effort which is linear in n for blocks of any size (to the byte), so these are often faster than Mixing designs. And the dynamically random block sizing available in VSBC designs can add a level of strength which is simply unavailable to any fixed-width cipher.

The better quality mixing in these technologies allows diffusion and confusion operations to be optimized and applied separately. The result is cipher designs which are relatively simple, thus easier to understand and model, and which also scale down to experimental size. The worth of cipher scalability can hardly be overstated, since only with a tiny version can we hope to approach a block cipher experimentally in comprehensive ways. But the sampling of mixing locality does not require scalability and so can be applied to even conventional designs.

PROBING LOCALITY

We wish to capture any locality of mixing present in large block constructions. Presumably we could try to capture the effect of every input bit or byte on every output bit or byte, although we would then be overwhelmed with data. But it seems that we might capture most of the significance of mixing locality by injecting changes in just a few widely separated block positions, and also probing for changes at a few selected block positions. Surely, if there is a problem mixing in either direction, we should find it when we change a value at one end of the block and sense the result at the other.

In particular, we construct a random key, and use it to initialize the cipher tables; this gives us a particular large substitution as an emulation. Then we construct a random data block, save that, encipher it, and also save the result. We produce a random byte as the change to be used at each change position. Then we copy the saved data block, XOR the random byte at the selected block position, and encipher. In general, we will see about half the bits change across the block, but we only probe a few output byte positions. For each input change position, we accumulate the number of bit-changes seen at each output probe position over many random data blocks. We place the results in a contingency table, and compute a chi-square statistic which is small when the results are independent. Each different random key will produce a different analysis and a different chi-square value.

RESULTS

If there is some locality weakness in mixing, it should express itself most clearly in measurements on large blocks. Accordingly, we start with 512-byte (4096-bit) blocks, noting that these are fully 64 times as large as "legacy" blocks. The Mixing cipher results are given in Figure 1.

Bit Changes in 1000 Plaintexts of 512-byte Mixing Cipher Fig. 1

        [  0]         [169]         [340]         [511]

[ 0] 3986 0.00 3932 0.72 4087 0.32 4050 0.04 [169] 3941 0.36 4013 0.24 4039 0.02 4049 0.06 [340] 3984 0.01 4008 0.18 4016 0.23 4029 0.00 [511] 3981 0.20 3952 0.00 4024 0.00 3981 0.17

In figure 1 we have a single trial of 1000 different plaintext blocks, each processed 5 times: first without change, then once each with bytes 0, 169, 340, or 511 changed; these are the rows. In each case, the number of ciphertext bits which change in byte positions 0, 169, 340 and 511 are accumulated in separate column elements. For example, the value 4050 in the top row and rightmost column means that over the 1,000 times when input byte 0 was changed, output byte 511 had a total of 4050 bit changes. The value 0.04 is the chi-square contribution for that particular element.

In statistics, the structure of figure 1 is called a "contingency table" (e.g. [2: 240]). In many ways this is similar to the common one-dimensional chi-square test for comparing distributions. Here we are asking whether the columns (probe positions across the ciphertext block) are independent of the rows (change positions across the plaintext block). That is, if there is locality in mixing, it should affect close bit positions more strongly than distant bit positions, so we should see more changes for close bit positions than for distant ones. Here we are measuring the number of output bit changes for each possible case, to see whether output probe position is independent of input injection position. In a contingency table, independence is the null hypothesis.

The expected value for a contingency table element is the sum of the values in that row, times the sum of the values in that column, divided by the total of all values, so each element may have a slightly different expected value. The sum of all chi-square values is interpreted with the chi-square statistic and the degree of freedom which is the number of rows minus one, times the number of columns minus one. This is a "one-tail" statistical test, in that no value can be too small; we are only concerned with values which repeatedly show a tendency to be unexpectedly large.

If we sum all the individual chi-square values in figure 1, we get a chi-square total of 2.56, which can be interpreted with figure 2 as being a very low and thus a very good value.

Chi-Square Critical Values, for DF = 9 Fig. 2

1% 5% 25% 50% 75% 95% 99% 2.0879 3.3251 5.8988 8.3428 11.3888 16.9190 21.6660

In the same way as figure 1, we can collect a set of 20 such trials, as shown in figure 3.

Chi-Square Totals for 512-byte Mixing Cipher Fig. 3

2.56    5.54    3.11    6.86    1.52
4.64    7.01    2.24    2.34    1.77
3.75    6.61    8.10    2.77    2.23
7.24    3.08    5.86    3.77    4.38

Figure 3 was the first set in the sequence recorded for this article, but does seem rather tight, so we might take another look. A somewhat wider range was recorded next, as shown in figure 4.

Chi-Square Totals for 512-byte Mixing Cipher Fig. 4

9.00    3.87    5.41    5.31    1.22
2.03    8.47   10.31    8.14    1.58
3.34   11.61    3.24    4.70    7.87
5.70    5.70    4.77    4.50    6.13

The chi-square value of 11.61 in figure 4 corresponds to just over a probability of 0.75, and so might be said to reject the hypothesis that rows and columns are independent at the 0.25 level of significance. Of course, scientific results normally require a 0.05 or 0.01 level of significance, which is never approached here. And in cryptography we can generally afford to do a great number of experiments and so place the level of significance even higher. As usual, we expect high chi-square values to occur occasionally by chance, and so expect to be concerned about only repeatable and significant indications of problem.

VSBC results are generally similar, as shown in figure 5.

Bit Changes in 1000 Plaintexts of 512-byte VSBC Fig. 5

        [  0]         [169]         [340]         [511]

[ 0] 4008 0.06 3997 0.01 4006 0.03 3993 0.03 [169] 3953 0.61 4027 0.19 4003 0.14 4059 0.52 [340] 3959 0.00 3911 0.46 4028 0.57 3960 0.01 [511] 4043 0.24 4018 0.02 4023 0.04 3996 0.18

In figure 5, the chi-square total is 3.11, which corresponds to a probability of 0.04, which is very good. (Actually, we should say only that the value is insufficient to cause us to reject the hypothesis of independence.) The full 20 trials in the first VSBC set are shown in figure 6.

Chi-Square Totals for 512-byte VSBC Fig. 6

3.11    2.18    3.15    4.50    3.67
6.23    3.96    6.23    5.40    4.26
4.10    1.97    3.63    2.34    4.31
4.14    1.92    4.04    5.15    5.06

Subsequent tests on smaller blocks are remarkably similar. The test results on 64-byte block ciphers (still fully 8 times as large as "legacy" blocks) with 1,000-plaintexts are shown in figures 7 and 8. In these tests, block elements are both changed and probed at positions 0, 20, 41, and 63. (Probing the changed element always provides a contrast to more distant elements, and should make it easier to detect mixing locality effects if they exist.)

Chi-Square Totals for 64-byte Mixing Cipher Fig. 7

2.53    6.24    3.09    2.15    3.86
3.26    2.76    4.91    5.59    5.52
5.51    5.65    3.17    0.98    3.23
2.20    5.79    2.86   10.26    7.92

Chi-Square Totals for 64-byte VSBC Fig. 8

6.31    3.55    3.32    3.70    6.65
3.47    4.17    5.81    3.24    5.20
2.31    3.31    5.85    3.25    3.77
2.48    7.82    3.21    6.16    2.98

The test results on 16-byte block ciphers with 1,000-plaintexts are shown in figures 9 and 10. In these tests, block elements are changed and probed at positions 0, 4, 9 and 15.

Chi-Square Totals for 16-byte Mixing Cipher Fig. 9

3.63    5.27    4.76    5.45    4.97
3.35    6.50    2.82    4.60    2.70
4.92    2.61    2.21    7.89    4.39

12.60 3.58 5.28 2.73 6.27

Chi-Square Totals for 16-byte VSBC Fig. 10

1.84    9.69    5.30    4.13    2.02
5.27    5.01    6.19    1.12    4.13
4.69    7.13    6.39    4.98    5.50
0.87    5.30    1.79    6.02    7.31

When tests are going well, the outcomes can seem pretty boring. But make no mistake: If these tests had not gone well, they would have become very interesting very fast. About the only thing remaining is to see whether the distribution gets noticeably more severe in larger trials, so we run some trials with 10,000 plaintexts in figures 11 and 12.

Bit Changes in 10,000 Plaintexts of 512-byte Mixing Cipher Fig. 11

        [  0]         [169]         [340]         [511]

[ 0] 39613 0.29 40010 0.16 40027 0.83 39666 0.60 [169] 39702 0.01 40029 0.25 39780 0.10 39802 0.01 [340] 39882 0.36 39925 0.05 39847 0.04 39829 0.03 [511] 39734 0.00 39802 0.46 39776 0.15 40036 1.08

In figure 11 we have a chi-square total of 4.43 for a probability of 0.119, which is fine.

Bit Changes in 10,000 Plaintexts of 512-byte VSBC Fig. 12

        [  0]         [169]         [340]         [511]

[ 0] 40165 0.76 39948 0.00 39876 0.34 39913 0.05 [169] 39988 0.12 39878 0.00 39880 0.04 39871 0.01 [340] 39836 0.77 40101 0.37 40094 0.16 39954 0.02 [511] 40074 0.12 40011 0.25 40225 0.16 40202 0.20

In figure 12 we have a chi-square total of 3.38 for a probability of 0.052, which is also fine.

All of these results seem very representative of the endless data which can be collected in repeated tests.

CONCLUSIONS

These results resoundingly fail to reject the null hypothesis. We thus conclude that the null hypothesis is correct, and output position is in fact independent of input position, with respect to bit changes, for both Mixing cipher and Variable Size Block Cipher designs of 512-byte (4096-bit) width.

By supporting the idea that some effective large block designs can exist, the results also support the viability of large block cipher design in general.

REFERENCES

[1] Feistel, H. 1973. Cryptography and Computer Privacy. Scientific American. 228(5): 15-23.

[2] Huntsberger, D. 1967. Elements of Statistical Inference.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ The Crypto Glossary: http://www.io.com/~ritter/GLOSSARY.HTM

From: ardell@DESPAMpipeline.com (Gary Ardell) Newsgroups: sci.crypt Subject: Re: Measured Distant Avalanche in Large Block Ciphers (LONG!) Date: Fri, 06 Mar 1998 21:44:26 GMT Lines: 17 Message-ID: 350066aa.9625060@news.pipeline.com References: <34fdfea7.1999205@news.io.com>

Terry,

I enjoyed your post. Thanks.

I may be missing something obvious here but I don't see the reasoning behind focusing on changes in individual bytes rather than on individual bits. Why not flip all single input bits and check all single output bits (using your same basic sampling approach)?

Regards,

Gary

From: ritter@io.com (Terry Ritter) Newsgroups: sci.crypt Subject: Re: Measured Distant Avalanche in Large Block Ciphers (LONG!) Date: Fri, 06 Mar 1998 23:58:35 GMT Lines: 70 Message-ID: 350087b5.5283891@news.io.com References: <34fdfea7.1999205@news.io.com> <350066aa.9625060@news.pipeline.com>

On Fri, 06 Mar 1998 21:44:26 GMT, in <350066aa.9625060@news.pipeline.com> in sci.crypt ardell@DESPAMpipeline.com (Gary Ardell) wrote:

I enjoyed your post. Thanks.

And thank you.

I may be missing something obvious here but I don't see the reasoning behind focusing on changes in individual bytes rather than on individual bits. Why not flip all single input bits and check all single output bits (using your same basic sampling approach)?

There seem to be two parts to this question: bits vs. bytes, and all vs. some.

With respect to "bits vs. bytes," the systems under test both have a fundamental mixing size of 8-bits. If we want to detect problems in 8-bit mixing, 8-bit values seem the appropriate size to address. In this way, we can at least hope that a problem will be easier to see in the context of byte results, rather than a necessarily smaller difference in 8 contiguous but otherwise unremarkable bits.

With respect to "all vs. some," the point is to achieve insight, rather than data. If we have already covered the worst case (the nearest possible locality compared to the most distant locality in both directions), it is hard to see how more data would help. And the amount of data could be tremendous: Instead of having 4 * 4 = 16 counters, we would have, for the 512-byte case, 4096 * 4096 = 16,772,216 counters. We could confine ourselves to small blocks that we could test this way, but the whole point is to investigate mixing across very large blocks. We are necessarily limited to devising tests that are not only revealing, but also practical.

When I began measuring large block constructions a number of years ago, one of the first things I did was to investigate what one should expect in terms of random bit-change totals (which everyone will now agree should be binomial, although there was some discussion about it at the time). I like the binomial reference distribution because it makes a very strong statement about the probability of a rare occurrence. In the context of a large block we get a relatively small range which is reasonable, and values out of that range have a computable probability which we can understand directly: if a 1-in-a-million event occurs twice in a few tests, we pretty well know the story without a great deal of deliberation about chi-square statistics, confidence levels, and so on. In that sense, the test has the potential to give a clearer and more definitive statement than a single average value or even chi-square results of a nominally flat distribution. Of course we do want a wide range of tests in any event.

In actual large block tests using the binomial reference, I have constructed random keys, random data, and changed each input bit, or changed random numbers of random bit positions. And my experience is that, while this can give one a general feel for the cipher (and certainly make a loud statement of significant fault), it is pretty general. In the case of the distant avalanche tests, I was looking to specifically address the criticism that "large blocks are bad because they are obviously hard to mix." Hopefully the results are food for thought, which is the best I could hope for anyway.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ The Crypto Glossary: http://www.io.com/~ritter/GLOSSARY.HTM

From: ardell@DESPAMpipeline.com (Gary Ardell) Newsgroups: sci.crypt Subject: Re: Measured Distant Avalanche in Large Block Ciphers (LONG!) Date: Mon, 09 Mar 1998 16:10:55 GMT Lines: 42 Message-ID: 3504131a.6688407@news.pipeline.com References: <34fdfea7.1999205@news.io.com> <350066aa.9625060@news.pipeline.com> <350087b5.5283891@news.io.com>

Terry,

Clearly, passing the chi-squared test on the number of flips gets the most fundamental question about the degree of avalanche: "Are changes in each byte fully propagating to all the output bytes?" This is all you intended and it seems that your test accomplish this mission given some assumptions about the nature of possible problems. (For example, if cipher failures are rare but spectacular, then the sample size could have to be huge.)

However, having passed the test, numerous pathologies still seem possible e.g. that output flips are not independent. (I don�t say likely.) As you know better than I, numerous very poor random number generators can easily pass the chi-squared test but fail more strident tests. Therefore, it would seem useful to me to exploit the rich battery of tests that have been designed to test for weaknesses in random number generators. For example, here is one procedure.

Randomly draw a 20 MB of plain text (better yet, 3-DES a 20 MB file). Call that file, PLAIN. Encrypt that file without chaining with your test cipher and store the results to another file, CYPERBASE. Let�s focus on input-bit one for the second. Make a copy of PLAIN and flip bit one in every input block. Now encrypt this new file without chaining and xor it against CYPERBASE. This file should look to all the world like 20 MB of random numbers. So, run it through Diehard to see what if any failures show up. Doing this once for every input bit comprehensively tests the notion that there is a statistically obvious exploitable weaknesses in the cipher. Doing this with truncated rounds should help identify the pathologies that crop up and the tests that best flag these problems.

(Note: Diehard may have a weakness in detecting patterns in really long blocks. I don�t know. If this is a worry, we can make PLAIN big enough to allow us to pull 32-bit chunks out of each output block and still get the required 20 MB file.)

This seems to me like a manageable statistical protocol with the potential to produce even more comfort in the power of the test cipher.

Yes? No? Maybe?

Regards,

Gary

From: ritter@io.com (Terry Ritter) Newsgroups: sci.crypt Subject: Re: Measured Distant Avalanche in Large Block Ciphers (LONG!) Date: Tue, 10 Mar 1998 20:05:03 GMT Lines: 70 Message-ID: 35059c24.9942152@news.io.com References: <34fdfea7.1999205@news.io.com> <350066aa.9625060@news.pipeline.com> <350087b5.5283891@news.io.com> <3504131a.6688407@news.pipeline.com>

On Mon, 09 Mar 1998 16:10:55 GMT, in <3504131a.6688407@news.pipeline.com> in sci.crypt ardell@DESPAMpipeline.com (Gary Ardell) wrote:

Terry,

Clearly, passing the chi-squared test on the number of flips gets the most fundamental question about the degree of avalanche: [...]

However, having passed the test, numerous pathologies still seem possible e.g. that output flips are not independent. (I don�t say likely.) As you know better than I, numerous very poor random number generators can easily pass the chi-squared test but fail more strident tests. Therefore, it would seem useful to me to exploit the rich battery of tests that have been designed to test for weaknesses in random number generators. [...]

First, let me just state the obvious: RNG's are inherently different than block ciphers. When we ask whether each works right, we worry about completely different things. For example, RNG's generally iterate some fixed and often small amount of internal state; block ciphers do not. With RNG's we worry about correlations between adjacent or delayed values; there is nothing like this in block ciphers. And I expect that most RNG tests have been (explicitly or implicitly) designed to detect RNG-style problems, rather than block cipher style problems.

[...] This file should look to all the world like 20 MB of random numbers. So, run it through Diehard to see what if any failures show up. Doing this once

Let me point out that in each of my 10,000 plaintext tests of one 512-byte cipher, we are looking at 4 * 10,000 * 512 = 20.48 MB of output. So we are seeing a substantial sample.

But it would be wrong to simply throw ciphertext into a file and expect general tests to somehow derive information from the result. The Diehard tests, for example, expect 32-bit integer values, not 512-byte blocks. If we put in wider values, the tests lose their meaning, and if we only take 32 bits of the ciphertext, we are not testing what we want to test. These tests simply are not oriented toward block cipher testing.

[...] This seems to me like a manageable statistical protocol with the potential to produce even more comfort in the power of the test cipher.

On the contrary, I think it is usually far more important to test for particular qualities, based on an analysis of the system under test. Aiming at a specific quality gives us the basis for tests which selectively expose that quality while filtering out much of the inevitable noise. This seems by far the best way to find tiny problems.

And unless we first define what we are testing for, and then test for that, our results will not deliver much of a conclusion. If we use a general approach to testing, the best we could say is "we didn't find anything," without being able to describe either what we did not find or what was tested, in any real sense that relates to the mechanism itself.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ The Crypto Glossary: http://www.io.com/~ritter/GLOSSARY.HTM

From: jsavard@teneerf.edmonton.ab.ca (John Savard) Newsgroups: sci.crypt Subject: Re: Measured Distant Avalanche in Large Block Ciphers (LONG!) Date: Fri, 06 Mar 1998 22:13:34 GMT Lines: 10 Message-ID: 35007452.8557955@news.prosurfr.com References: <34fdfea7.1999205@news.io.com>

ritter@io.com (Terry Ritter) wrote, in part:

  1. A large block has room for information other than data.

Seeing that comment, I can't resist a historical note. LUCIFER, grandaddy of block ciphers, with its 128-bit blocks, was intended to handle blocks containing 64 bits of data, with identifying information and a serial counter (for randomization) in the other 64 bits.

John Savard

From: ritter@io.com (Terry Ritter) Newsgroups: sci.crypt Subject: Re: Measured Distant Avalanche in Large Block Ciphers (LONG!) Date: Sat, 07 Mar 1998 07:12:08 GMT Lines: 36 Message-ID: 3500f316.32703452@news.io.com References: <34fdfea7.1999205@news.io.com> <35007452.8557955@news.prosurfr.com>

On Fri, 06 Mar 1998 22:13:34 GMT, in <35007452.8557955@news.prosurfr.com> in sci.crypt jsavard@teneerf.edmonton.ab.ca (John Savard) wrote:

ritter@io.com (Terry Ritter) wrote, in part:

  1. A large block has room for information other than data.

Seeing that comment, I can't resist a historical note. LUCIFER, grandaddy of block ciphers, with its 128-bit blocks, was intended to handle blocks containing 64 bits of data, with identifying information and a serial counter (for randomization) in the other 64 bits.

Thank you for reading the article.

What I call a dynamic keying field is indeed described in one of the Feistel patents (now expired). But it is not particularly useful when there are only 64 bits in a block; this is a feature which depends upon having something better than DES and IDEA. Many tears are shed when constructing standard designs, but the inability to use such a field in DES may have been an especially bitter loss.

Surely dynamic keying will be at least possible with 128-bit blocks, but a 64-bit key would be fully half of such a block. That would double ciphering overhead, which may not be acceptable in many commercial applications.

A 64-bit dynamic key is only 1/64th of a 512-byte block, however, which seems a far more acceptable overhead.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ The Crypto Glossary: http://www.io.com/~ritter/GLOSSARY.HTM

Terry Ritter, hiscurrent address, and histop page.

Last updated: 1998-05-03