From: rossum on
On Tue, 22 Jun 2010 23:34:49 -0700, Ross MacGregor
<ross__macgregor(a)hotmail.com> wrote:

>Thanks everyone for giving me the better search terms.
>
>Paul Rubin wrote:
>> If you don't care about speed, the simplest thing to do is chop the 108
>> bits in half and make a Feistel cipher using some standard cryptographic
>> hash function as the round function.
>Sounds interesting, can anyone point me to some code to help
>me implement such a thing? What would be a "standard
>cryptographic hash function?" I am a senior software
>developer but without much cryptographic experience.
The Wikipedia article is helpful. The nice thing about Feistel is
that you can put anything (reasonable) you want into the F function,
it does not have to be reversible. That gives you a lot of
flexibility. Hash functions are covered in Wikipedia under
'Cryptographic Hash Functions'. Use SHA-1, SHA-256, SHA-512, MD-4 or
MD-5. SHA-1 and MD-4 are not completely secure, but if you have no
security requirement then this will not matter.

The main problem you are likely to have is fitting 108/54 bits into
your program.

You also don't say if you require that the block cypher you use has to
be secure, i.e. does it matter if someone can reverse your algorithm
to get back to the original counter that you encrypted in the first
place? I get the impression that this aspect is not very important;
you just want provably unique random numbers.

Here is my amateur attempt at an insecure 108 bit block Feistel
cypher. You do not state a language preference so I will use
pseudocode.

rossum


// --- Pseudocode --- //

int64 mask54 <- (1 << 54) - 1

// Four is the minimum number of rounds you should use.
int32 numRounds <- 4

function int128 encrypt(int128 plaintext, int128 key)

// Split plaintext into two 54 bit halves
int64 rightHalf <- plaintext AND mask54
int64 leftHalf <- (plaintext >> 54) AND mask54

// Do the rounds
for (int32 count <- 0; count < numRounds; ++count) do
// No swap on first round
if (count > 0) then
// Swap left and right
int64 temp <- rightHalf
rightHalf <- leftHalf
leftHalf <- temp
endif

rightHalf <- rightHalf XOR F(leftHalf, key)
endfor

// Reassemble halves
int128 cyphertext <- (leftHalf << 54) + rightHalf

return cyphertext
endfunction


// You have a lot of flexibility with function F
// what I have written is just a suggestion
function int64 F(int64 halfBlock, int128 key)

// MD5 hash returns 128 bits
int128 temp <- MD5(halfBlock XOR key)
// Preserve (some) high bits
temp <- temp XOR (temp >> 64)

// Ensure 54 bit return
return (temp AND mask54)
endfunction

From: Francois Grieu on
This thread drifted to exploring the suitability of r rounds
of Feistel cipher with an independent PRF at each round, for
building a PRP of an input of n bits.
<http://en.wikipedia.org/wiki/Feistel_cipher>
Unless otherwise noted, n is even, each PRF has n/2 bits of
input and output (symmetric Feistel cipher), we focus on n<=8.

My understanding is that Luby & Rackoff have proven that for
r>=4, breaking the PRP requires work exponential in n, even
under choosen-plaintext and choosen-ciphertext attack. This is
an asymptotic result, NOT applicable to the small n that we
consider.


Each PRFs is uniquely defined by n*(2**(n/2-1)) bits,
and there are 2**(r*n*(2**(n/2-1))) possible choices of PRFs.

The number of permutations of the n-bit message space is (2**n)!

When r>=3, any reachable permutation corresponds to at least
2**(n/2) different sets of PRFs for r=3, at least 2**n for r=4.
[proof hint: XORing the output of the first PRF with any
constant can be compensated by XORing the input of the second
PRF and output of the third PRF with that same constant]

Worse, some permutations are reached more often than that.
For r=3, a permutation that reduce to inversion of the two halves
and XOR with a constant K is reached exactly 2**(n*(2**(n/2-1)))
times [proof hint: the first PRF can be chosen arbitrarily,
the second and third PRF are then uniquely defined by K and the
first PRF]. For r = 4, any of the 2**n permutations reducing
to XOR with a constant can be reached if either the first or
second PRF is constant.

For example, for n = r = 4, we have 4294967296 choices of PRF
versus 20922789888000 permutations, each reachable permutation
is reached at least 16 times (at least 2032 times for some),
thus less than one permutation in 77943 can be reached.
Since 77943 > 8!, knowing the output of the permutation for half
of the 16 distinct input values is generally more than enough to
predict the output for all the other input values.


Francois Grieu
From: Maaartin on
On Jun 24, 12:32 am, Francois Grieu <fgr...(a)gmail.com> wrote:
> My understanding is that Luby & Rackoff have proven that for
> r>=4, breaking the PRP requires work exponential in n, even
> under choosen-plaintext and choosen-ciphertext attack. This is
> an asymptotic result, NOT applicable to the small n that we
> consider.

So you say, we have nothing for small n, right? We could use more
rounds and this would help against your argument (I mean your counting
of achievable permutations etc.), but still we have no security proof
whatsoever, right?

So there's only HPC left, but I've got the feeling, nobody took it
seriously, so do we have nothing at all?
From: Paul Rubin on
Maaartin <grajcar1(a)seznam.cz> writes:
> So there's only HPC left, but I've got the feeling, nobody took it
> seriously, so do we have nothing at all?

Patarin has a bunch of papers on multi-round Luby-Rackoff including
one in Crypto 2003 that I've been wanting to read:

http://www.iacr.org/archive/crypto2003/27290510/27290510.pdf

Bellare did something called VIL mode which is apparently patented:

http://cseweb.ucsd.edu/~mihir/papers/lpe.pdf

There is a wikipedia article "format preserving encryption" on the
general subject:

http://en.wikipedia.org/wiki/Format-preserving_encryption

For the OP's original question (108 bits) I think 4 rounds of
Luby-Rackoff / SHA should do a reasonable job (somebody has already
posted sample code). If overkill is desired, use more rounds.
From: Ross MacGregor on

Mok-Kong Shen wrote:
> [Addendum] I meant that the wordings of your previous posts leave open
> a (IMHO at least 'minutely') possible interpretation that security might
> not be a requirement for you and what you seek was only randomness, in
> which case the solution would have been rather simple.
>
> M. K. Shen

Yes, randomness is what I am seeking. I am actually trying
to build a non-repeating PRNG to fit a 108 bit number space.