[Cryptography] If diffusion is perfect how much confusion do you really need?
Ray Dillinger
bear at sonic.net
Mon Jun 1 23:22:39 EDT 2015
... re: "D-box" as a perfect but reversible diffusion
mechanism and the construction....
>> M > ^key | D-box | ^key | D-box | ^key | D-box | ^key = C
>>
>> And the decryption is in fact the very same operation using the
>> reversed D-boxes:
>>
>> C > ^key | Xob-d | ^key | Xob-d | ^key | Xob-d | ^key = M
On 06/01/2015 05:43 PM, Jonathan Katz wrote:
> One round of your construction is the Even-Mansour cipher, which is indeed
> secure. Multi-round versions have also been analyzed more recently.
I rejected one-round constructions because of known-plaintext attacks
recovering the key (same problem as one-time pad or stream cipher),
and rejected two-round constructions because of meet-in-the-middle
attacks using a known plaintext, and rejected 3-round constructions
with a D-box at either end because D-boxes are defined as trivially
reversible so they'd add no security, besides which XOR is
ridiculously cheap.
Which is how I wound up with the odd 3-and-a-half round construction.
"Secure" in one round would, I believe, apply only to an adversary
with no oracle and no known-plaintext attack, which leaves some
very sharp edges exposed to any mistake in protocol or use. The
3-and-a-half is secure against a far more general class of
attacks.
And in the last few hours, I've actually implemented and tested
recursive D-box and Xob-d definitions which are valid for blocks
of every size which is a power of 2 greater than 8. Although I
don't know why anybody would want an 8-bit cipher, I *HAVE*
sometimes wanted a cipher with a 32-Mbyte block size. And now
I have one. :-)
One drawback, I guess, is that my implementation does require
up to twice the block size as working space. But that's no
worse than most; I can live with it.
Now I'll go read up about Even-Mansour, and see if he came up
with the same D-box construction I did. Thanks for the pointer,
although I'm disappointed that someone else came up with it first.
I was hoping to finally publish something.
Bear
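The key-alternating skeleton quoted above (four key XORs around three D-boxes, with decryption running the inverse boxes in reverse), as an added Python example that is not Bear's implementation and not code from the thread. The D-box here is a constructed recursive XOR-butterfly over byte blocks of power-of-two length, chosen only because it is trivially invertible by replaying the same three half-steps; it is a stand-in and makes no claim to the "perfect diffusion" property the post describes. The SHA-256 subkey schedule is likewise an assumption, not anything the post specifies.

```python
# Added example: key-alternating construction from the thread, with a toy D-box.
# Nothing here is Bear's code; the D-box and key schedule are constructed stand-ins.
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _rotl8(b: int) -> int:
    return ((b << 1) | (b >> 7)) & 0xFF


def _rotr8(b: int) -> int:
    return ((b >> 1) | (b << 7)) & 0xFF


def _check_len(n: int) -> None:
    if n < 1 or n & (n - 1):
        raise ValueError("block length must be a power of two")


def dbox(block: bytes) -> bytes:
    """Constructed key-less, invertible mixing layer over a power-of-two byte block.
    Three XOR half-steps over the two halves, each passed through dbox recursively,
    so every output byte is a function of every input byte (no avalanche claim)."""
    n = len(block)
    _check_len(n)
    if n == 1:
        return bytes([_rotl8(block[0])])
    h = n // 2
    L, R = block[:h], block[h:]
    L = _xor(L, dbox(R))   # L1 = L0 ^ D(R0)
    R = _xor(R, dbox(L))   # R1 = R0 ^ D(L1)
    L = _xor(L, dbox(R))   # L2 = L1 ^ D(R1)
    return L + R


def xob_d(block: bytes) -> bytes:
    """Inverse of dbox. The same three half-steps undo each other in the same
    order, because each XOR uses dbox of the *other* half; only the 1-byte base
    case needs the opposite rotation."""
    n = len(block)
    _check_len(n)
    if n == 1:
        return bytes([_rotr8(block[0])])
    h = n // 2
    L, R = block[:h], block[h:]
    L = _xor(L, dbox(R))   # L1 = L2 ^ D(R1)
    R = _xor(R, dbox(L))   # R0 = R1 ^ D(L1)
    L = _xor(L, dbox(R))   # L0 = L1 ^ D(R0)
    return L + R


def encrypt(block: bytes, subkeys: list) -> bytes:
    """M > ^k0 | D-box | ^k1 | D-box | ^k2 | D-box | ^k3 = C
    Generalised to any number of D-box rounds: len(subkeys) == rounds + 1."""
    if len(subkeys) < 2 or any(len(k) != len(block) for k in subkeys):
        raise ValueError("need rounds+1 subkeys, each the block length")
    state = _xor(block, subkeys[0])
    for k in subkeys[1:]:
        state = _xor(dbox(state), k)
    return state


def decrypt(block: bytes, subkeys: list) -> bytes:
    """Same walk in reverse: subkeys in reverse order, Xob-d in place of D-box."""
    state = _xor(block, subkeys[-1])
    for k in reversed(subkeys[:-1]):
        state = _xor(xob_d(state), k)
    return state


def expand_key(key: bytes, block_len: int, rounds: int = 3) -> list:
    """Constructed subkey schedule (an assumption, not the post's): stretch
    SHA-256(key || round || counter) to rounds+1 block-sized subkeys."""
    subkeys = []
    for i in range(rounds + 1):
        out = b""
        ctr = 0
        while len(out) < block_len:
            out += hashlib.sha256(key + bytes([i]) + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        subkeys.append(out[:block_len])
    return subkeys


def roundtrip_ok(block_len: int, rounds: int = 3) -> bool:
    """Encrypt a deterministic (constructed) block and check decrypt restores it."""
    msg = bytes((i * 37 + 11) & 0xFF for i in range(block_len))
    sk = expand_key(b"constructed demo key", block_len, rounds)
    c = encrypt(msg, sk)
    return c != msg and decrypt(c, sk) == msg


if __name__ == "__main__":
    for n in (2, 16, 256, 1024):
        print(n, "bytes:", "ok" if roundtrip_ok(n) else "FAIL")
```

The recursion does three half-size calls per level, so this toy D-box costs O(n^log2(3)) and will not comfortably reach the 32-Mbyte blocks mentioned above; a butterfly that touches each half once per level (O(n log n)) would, at the price of a more careful inverse. Note also that with four identical subkeys, as in the quoted diagram, the reversed key order in `decrypt` is a no-op and decryption really is "the same operation with the reversed D-boxes".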