From: Maaartin on
On Jun 22, 3:51 pm, Francois Grieu <fgr...(a)gmail.com> wrote:
> I wrote
>
> > [3 bits is left as an exercise to the reader / for me later]
>
> Solved: a 3-bit (unbalanced) Feistel cipher has the potential to
> generate all (2^3)! permutations.
>
> More generally, unless I err, an unbalanced Feistel cipher can generate
> odd permutations when one of the stage is such that a single bit of the
> block is XOR-ed width an appropriate key-dependent one-bit function of
> all the other bits.

IMHO, you're right. The permutation is odd, iff card({x: f(x)=1} is
odd.

> That can be useful when one needs a cipher with small block size:
> start with
>    b0 := b0 XOR (AND(other_bits) AND hash(key))
> then proceed with an appropriately long Luby-Rackoff construction.

I don't know what you mean by AND(other_bits) AND hash(key). With
b1 & b2 & b3 ... & aBitDerivedFromTheKey
it could work. Anding all bits of the hash wouldn't be of much use as
it is nearly always 0. Taking an arbitrary bit would be better.

With "appropriately long Luby-Rackoff construction" do you mean 4 more
rounds? I don' think you could use less, since the above unbalanced
round adds nearly nothing to security.

What about this? Stay with balanced Feistel, denote the parts x and y,
compute hash(x) and split it into three parts h0, h1, and h2, where
length(h0)=1 and length(h1)=length(h2)=length(y). Compute

y ^= h0 || y!=0 && y!=h2 ? h1 : h2

This is the same like the standard operation (y ^= h1), except that it
with probability of 0.5 swaps 0 and h2. The probability of getting odd
permutation is slightly lower than 0.5, because of the possibility of
h2=0. However, it's more efficient than an additional round, as long
as the used hash is long enough.
From: Greg Rose on
In article <aVYTn.25269$Xp4.22045(a)newsfe23.iad>,
Ross MacGregor <ross__macgregor(a)hotmail.com> wrote:
>Is there a symmetric block encryption algorithm that can
>encrypt a 108 bit buffer using a key and output a 108 bit
>buffer?
>
>I'd like to feed it a sequential range of numbers
>(1001,1002,1003,1004...) and have the algorithm generate for
>me a pseudo-random sequence of numbers that are guaranteed
>to be unique. This is why it is important that I only encode
>the 108 bits of data as this is the size of the random
>number I need to generate.
>
>I've been searching for days for a bit level encryption
>algorithm but everything seems to be based on byte sized
>buffers.

Reading between the lines above, it seems to me
that what you are asking for is a PRG
(pseudo-random generator) that can take a key and
a short nonce and generate some number of
random-looking bits. Funnily enough, this is the
accepted interface for stream ciphers these days.
So you might want to look at the results of
EStream, for a bunch of efficient and tested
ciphers.

Greg.
--
From: Francois Grieu on
On 22/06/2010 17:36, Maaartin wrote:
> On Jun 22, 3:51 pm, Francois Grieu <fgr...(a)gmail.com> wrote:
>> I wrote
>>
>>> [3 bits is left as an exercise to the reader / for me later]
>>
>> Solved: a 3-bit (unbalanced) Feistel cipher has the potential to
>> generate all (2^3)! permutations.
>>
>> More generally, unless I err, an unbalanced Feistel cipher can generate
>> odd permutations when one of the stage is such that a single bit of the
>> block is XOR-ed width an appropriate key-dependent one-bit function of
>> all the other bits.
>
> IMHO, you're right. The permutation is odd, iff card({x: f(x)=1} is
> odd.
>
>> That can be useful when one needs a cipher with small block size:
>> start with
>> b0 := b0 XOR (AND(other_bits) AND hash(key))
>> then proceed with an appropriately long Luby-Rackoff construction.
>
> I don't know what you mean by AND(other_bits) AND hash(key). With
> b1 & b2 & b3 ... & aBitDerivedFromTheKey
> it could work. Anding all bits of the hash wouldn't be of much use as
> it is nearly always 0. Taking an arbitrary bit would be better.

Sorry it was not clear; I'm thinking of hash(key) as a single bit
pseudo-randomly dependant on all bits of the key, your
aBitDerivedFromTheKey. This is to protect againt related-key attacks
(when using an arbitrary bit of the key, the permutation remains of
unchanged parity when other key bits change).

> With "appropriately long Luby-Rackoff construction" do you mean 4 more
> rounds? I don' think you could use less, since the above unbalanced
> round adds nearly nothing to security.

I'm thinking a bit *more* than 4 rounds when we are talking very small
blocks, because Luby-Rackoff leaves some permutations more likely than
others, I think appreciably for 4 rounds and up to 4 bits. I welcome a
quantitative evaluation of the number of rounds necessary for this
effect to fade away beyond observability.


Francois Grieu
From: Paul Rubin on
Francois Grieu <fgrieu(a)gmail.com> writes:
> I'm thinking a bit *more* than 4 rounds when we are talking very small
> blocks, because Luby-Rackoff leaves some permutations more likely than
> others, I think appreciably for 4 rounds and up to 4 bits. I welcome a
> quantitative evaluation of the number of rounds necessary for this
> effect to fade away beyond observability.

There have been a couple threads about this in the past. I remember
doing some experiments on blocks up to 8 bits or something like that.
From: Maaartin on
On Jun 22, 8:29 pm, Paul Rubin <no.em...(a)nospam.invalid> wrote:

> There have been a couple threads about this in the past.  I remember
> doing some experiments on blocks up to 8 bits or something like that.

How can it be done? With n bits, there are (2**n) ** (2**n)
functions, which for n=4 equals 2**64, and the number of permutation
is too high as well. I see no way how to find out if you can get them
all using e.g. 4 rounds plus a modification as I or Francois Grieu
proposed. I don't even know how to do any useful statistics. For n=3
it's easy to evaluate all possibilities, but for n=4 you need
something less trivial.

Interestingly, using Lai-Massey on 2 bits gives you only 4 functions
for any number of rounds greater than zero.