[Cryptography] Nasruddin cryptographic function

Ryan Carboni ryacko at gmail.com
Sun Jun 21 15:40:09 EDT 2015


A rough draft of a 512-bit cryptographic function based upon Rijndael,
except the Mix Columns is replaced with Speck.

I call it the Nasruddin cryptographic function.

The Subbytes step could be sped up on computers with AES-NI by using the
AES encrypt last round instruction with a subkey of zero and reshuffling
the bytes.

The Shift Rows shifts each 64-bit row by n bytes, depending on the position
of the row.

The Mix Columns simply operates on each column using the 64-bit Speck round
function (word size 32-bits).

The AddRoundKey simply xors the state with a 512-bit subkey.
---

In stream cipher mode of operation, it functions much like ChaCha: 192 bits
of key, followed by 128 bits of nonce, followed by 64 bits of counter, and
a 128-bit constant (first 128 bits of pi, according to this web page:
http://www.befria.nu/elias/pi/binpi.html ). It uses no key schedule, and
xors the original state into the current state after each round iteration.

While, like ChaCha, it is vulnerable to slide attacks, the limit to the
number of outputs is far below the birthday bound, thus making it unlikely
that a slide pair will be found.

---
In block cipher modes of operation, the subkeys are generated through a
similar mode as the stream cipher mode of operation.

The first 48 bytes of state use the key (of whatever length), with zero
bytes for padding. The last 128 bits are the aforementioned constant.

Then each key byte is xored with a byte integer of the round number (with
the padding and constant untouched), making each key length independent
of the others.

Then the round function is applied three times, with the original state
used for AddRoundKey.

The final state is the subkey for the block cipher round.

The pre-whitening and post-whitening keys are generated by encrypting the
integers 0b0 and 0b1, respectively, using the block cipher in ECB mode
without whitening. The post-whitening key is added modulo 2^64. The author
believes that even with independent subkeys, this method of generating
whitening keys would make related-key attacks vastly more difficult.

It is suggested that 16 rounds be used, except for keys of 192-bits or
less, for which 12 rounds are suggested. Obviously no more than 256 rounds
could be used.

An XXTEA-style mode of operation which expands the block is favored by the
author, but to avoid implementation errors, it is suggested that one limit
the number of possible block sizes and thoroughly test each one.
---
In a hash mode of operation, it uses a variant of Davies-Meyer fast wide
pipe construction, except it mixes the entire state more thoroughly.

The cryptographic function is used in a 1024-bit Feistel network. The
message is prepended with a byte integer of the number of bytes of the hash
to be output (limited to 64 bytes; in essence the cipher is truncated by
at least half). The cipher is designed to be nothing more than 256-bit
secure from collisions and preimage.

It uses an initialization vector of zero; the internal state is xored with
a 1024-bit integer/counter of the number of blocks hashed after each
block.

It takes 1536-bits of message. Each 512-bit block is used as a subkey for
each of the first three rounds.

The remaining four rounds use 384 bits from the message and expand it to
a 512-bit subkey using the stream cipher mode of operation with five rounds.



I hope this is more secure than many other ciphers against buffer over-read,
cache timing (at least it doesn't use an excess of matrix multiplication),
differential power, and other attacks.

A hardware-unlimited implementation, I believe, should not be slower than
64-bit Speck in hardware (the S-box should accelerate diffusion). I
speculate that this would improve interoperability between smart cards and
non-portable devices, so that support for Speck wouldn't cripple the
cryptographic capabilities of IBM-compatible PCs. It is likely for the
indefinite future that hundred-dollar CPUs will carry AES-NI support (the
US government certainly still uses Triple DES).

Simple instruction set improvements for the function include an accessible
zero register (already available on many RISC processors), and a solo
instruction for AES SubBytes (which would speed up Whirlpool and
Rijndael-256 (most commonly used for Freenet) as well).

I leave you with a Nasruddin joke.

The times were uncertain, and the King's spies read the mail.
Nasruddin did not like that and invented his own language to use with a
friend.
An officer of the king knocked on his door the day after he mailed a letter.
"Nasruddin, what is this?" holding up the letter.
"It is in a different language."
"Yes, but which one?"
"I invented it with a friend."
"...what does it say?"
"We disagree on some of the meanings of those words."
"...what about the other words?"
"I forget some of those words. I didn't have much time to learn the
language."
"...in the future, I will tear up letters like this."

And another joke:

Why is the cipher named AES?
Because no one can pronounce the original name.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150621/99258c7b/attachment.html>
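The following is an added reference model, written by the editor and not code from the post's author, of the round function and the ChaCha-like stream mode as the message above describes them. Everything the post leaves open is an assumption and is labelled as such in the code: the Speck round in the MixColumns position is run with round key 0, row i of the 8x8 byte state is rotated left by i bytes, each 8-byte column is split into two little-endian 32-bit words, the 128-bit constant is taken as the fractional hex digits of pi that Blowfish also uses, and the stream mode runs 12 rounds (the post's block-mode figure for keys of 192 bits or less). The demo key, nonce and message are constructed, not test vectors.

```python
# Added reference model of the round function and stream mode described in the
# post above. This is the editor's sketch, not the author's code; every choice
# the post leaves open is labelled ASSUMPTION.
import struct

MASK32 = 0xFFFFFFFF


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) reduced by the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _rot8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def build_aes_sbox() -> list:
    """Derive the AES S-box: inverse in GF(2^8) (a^254), then the AES affine map."""
    box = []
    for a in range(256):
        inv, p, e = (1, a, 254) if a else (0, 0, 0)
        while e:                      # square-and-multiply for a^254
            if e & 1:
                inv = gf_mul(inv, p)
            p = gf_mul(p, p)
            e >>= 1
        box.append(inv ^ _rot8(inv, 1) ^ _rot8(inv, 2) ^ _rot8(inv, 3) ^ _rot8(inv, 4) ^ 0x63)
    return box


SBOX = build_aes_sbox()


def speck64_round(x: int, y: int, k: int = 0) -> tuple:
    """One Speck64 round (32-bit words, rotations 8 and 3).
    ASSUMPTION: the post names no round key for the MixColumns use, so k
    defaults to 0; all keying then comes from AddRoundKey."""
    x = ((((x >> 8) | (x << 24)) & MASK32) + y) & MASK32
    x ^= k
    y = (((y << 3) | (y >> 29)) & MASK32) ^ x
    return x, y


def nasruddin_round(state: bytes, round_key: bytes) -> bytes:
    """SubBytes, ShiftRows, Speck MixColumns, AddRoundKey on a 64-byte state
    viewed as 8 rows of 8 bytes (row i = bytes 8i..8i+7, ASSUMPTION)."""
    if len(state) != 64 or len(round_key) != 64:
        raise ValueError("state and round key must be 512 bits")
    s = [SBOX[b] for b in state]                          # SubBytes
    rows = [s[8 * i:8 * i + 8] for i in range(8)]
    rows = [r[i:] + r[:i] for i, r in enumerate(rows)]    # ShiftRows: row i left by i bytes (ASSUMPTION)
    for j in range(8):                                    # MixColumns: one Speck64 round per column
        col = bytes(rows[i][j] for i in range(8))
        x, y = struct.unpack("<II", col)                  # ASSUMPTION: little-endian word split
        col = struct.pack("<II", *speck64_round(x, y))
        for i in range(8):
            rows[i][j] = col[i]
    mixed = bytes(b for r in rows for b in r)
    return bytes(a ^ b for a, b in zip(mixed, round_key))  # AddRoundKey


# ASSUMPTION: "first 128 bits of pi" read as the fractional hex digits
# 243F6A88 85A308D3 13198A2E 03707344 (the digits Blowfish also uses).
PI_CONST = bytes.fromhex("243F6A8885A308D313198A2E03707344")


def stream_block(key: bytes, nonce: bytes, counter: int, rounds: int = 12) -> bytes:
    """One 64-byte keystream block: key(24) || nonce(16) || counter(8, LE) || const(16);
    no key schedule, the original state is XORed in after every round.
    ASSUMPTION: 12 rounds, borrowed from the post's block-mode advice for keys
    of 192 bits or less; the post fixes no round count for the stream mode."""
    if len(key) != 24 or len(nonce) != 16:
        raise ValueError("key must be 192 bits and nonce 128 bits")
    original = key + nonce + struct.pack("<Q", counter) + PI_CONST
    state = original
    for _ in range(rounds):
        state = nasruddin_round(state, original)
    return state


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt by XOR with consecutive counter blocks (same call both ways)."""
    out = bytearray()
    for ctr in range((len(data) + 63) // 64):
        out += stream_block(key, nonce, ctr)
    return bytes(a ^ b for a, b in zip(data, out))


if __name__ == "__main__":
    # Constructed demo key, nonce and message (not test vectors from the post)
    key, nonce = bytes(range(24)), bytes(range(100, 116))
    msg = b"Nasruddin round-trip check"
    ct = xor_crypt(key, nonce, msg)
    assert xor_crypt(key, nonce, ct) == msg
    print(ct.hex())
```

One check worth doing before trusting a model like this: feed it an all-zero state with an all-zero round key and confirm that SubBytes alone turns every byte into 0x63, so the Speck step is the only thing that separates the top four rows from the bottom four. That makes it easy to see which step contributed what. On the post's AES-NI remark: AESENCLAST performs ShiftRows, SubBytes and AddRoundKey with no MixColumns, so with a zero subkey it really does give SubBytes plus AES's own 4x4 row shift, which is why the post's byte reshuffle would be needed to undo that shift before applying the 8x8 ShiftRows above.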