[Cryptography] If diffusion is perfect how much confusion do you really need?

Ray Dillinger bear at sonic.net
Mon Jun 1 23:22:39 EDT 2015


... re: "D-box" as a perfect but reversible diffusion
    mechanism and the construction....

>> M > ^key | D-box | ^key | D-box | ^key | D-box | ^key = C
>>
>> And the decryption is in fact the very same operation using the
>> reversed D-boxes:
>>
>> C > ^key | Xob-d | ^key | Xob-d | ^key | Xob-d | ^key = M


On 06/01/2015 05:43 PM, Jonathan Katz wrote:
> One round of your construction is the Even-Mansour cipher, which is indeed
> secure. Multi-round versions have also been analyzed more recently.

I rejected one-round constructions because of known-plaintext attacks
recovering the key (same problem as one-time pad or stream cipher),
and rejected two-round constructions because of meet-in-the-middle
attacks using a known plaintext, and rejected 3-round constructions
with a D-box at either end because D-boxes are defined as trivially
reversible so they'd add no security, besides which XOR is
ridiculously cheap.

Which is how I wound up with the odd 3-and-a-half round construction.

"Secure" in one round would, I believe, apply only to an adversary
with no oracle and no known-plaintext attack, which leaves some
very sharp edges exposed to any mistake in protocol or use. The
3-and-a-half is secure against a far more general class of
attacks.

And in the last few hours, I've actually implemented and tested
recursive D-box and Xob-d definitions which are valid for blocks
of every size which is a power of 2 greater than 8.  Although I
don't know why anybody would want an 8-bit cipher, I *HAVE*
sometimes wanted a cipher with a 32-Mbyte block size.  And now
I have one.  :-)

One drawback, I guess, is that my implementation does require
up to twice the block size as working space.  But that's no
worse than most; I can live with it.

Now I'll go read up about Even-Mansour, and see if he came up
with the same D-box construction I did.  Thanks for the pointer,
although I'm disappointed that someone else came up with it first.
I was hoping to finally publish something.

			Bear
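The construction quoted at the top of the message, as an added example that is not Bear's code: a key-alternating cipher with r D-boxes and r+1 key XORs, decrypted by the same walk over the inverse boxes (the "Xob-d"). The post does not define the D-box, so the `dbox`/`xobd` pair here is an assumed stand-in, a recursive reversible mixing over power-of-2 block sizes that is linear and reproduces only the structure, not any security claim; `check_block` is an added input check.

```python
from typing import List

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def check_block(block: bytes) -> None:
    """Reject lengths the recursive boxes can't handle: not a power of 2, or under 16 bits."""
    n = len(block)
    if n < 2 or n & (n - 1):
        raise ValueError("block size must be a power of 2 of at least 2 bytes")

def dbox(block: bytes) -> bytes:
    """Assumed stand-in D-box (linear): mix the two halves, then recurse into each half."""
    n = len(block)
    if n == 1:
        b = block[0]
        return bytes([((b << 3) | (b >> 5)) & 0xFF])      # rotate byte left by 3
    half = n // 2
    left = xor_bytes(block[:half], block[half:])           # L' = L ^ R
    right = xor_bytes(block[half:], left[1:] + left[:1])   # R' = R ^ rot(L')
    return dbox(left) + dbox(right)

def xobd(block: bytes) -> bytes:
    """Inverse of dbox: undo the recursion, then unmix the halves."""
    n = len(block)
    if n == 1:
        b = block[0]
        return bytes([((b >> 3) | (b << 5)) & 0xFF])      # rotate byte right by 3
    half = n // 2
    left, right = xobd(block[:half]), xobd(block[half:])
    right = xor_bytes(right, left[1:] + left[:1])          # R = R' ^ rot(L')
    left = xor_bytes(left, right)                           # L = L' ^ R
    return left + right

def encrypt(block: bytes, keys: List[bytes]) -> bytes:
    """M ^k0 | D-box | ^k1 | ... | ^kr = C; four equal keys give the post's 3.5 rounds."""
    check_block(block)
    state = xor_bytes(block, keys[0])
    for k in keys[1:]:
        state = xor_bytes(dbox(state), k)
    return state

def decrypt(block: bytes, keys: List[bytes]) -> bytes:
    """The same walk with Xob-d and the keys in reverse (a no-op with one repeated key)."""
    check_block(block)
    state = xor_bytes(block, keys[-1])
    for k in reversed(keys[:-1]):
        state = xor_bytes(xobd(state), k)
    return state
```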




