
I have tried to create the simplest example. A, B, C, D are 32-bit unsigned, as is k[4]. P is an expansion-type P-box of 256 "random" 32-bit values. Assume key whitening and multiple rounds/keys.

// A, B, C, D: uint32_t state words; P[256]: uint32_t table; k: uint32_t* subkeys
#define b0(u) ((u)&0xff)
#define b1(u) (((u)>>8)&0xff)
#define b2(u) (((u)>>16)&0xff)
#define b3(u) (((u)>>24))

// rounds...
A += P[b0(D)^b1(D)^b2(D)^b3(D)] ^ k[0];
B += P[b0(A)^b1(A)^b2(A)^b3(A)] ^ k[1];
C += P[b0(B)^b1(B)^b2(B)^b3(B)] ^ k[2];
D += P[b0(C)^b1(C)^b2(C)^b3(C)] ^ k[3];
k += 4; // advance to the next round's four subkeys
// end rounds

Also, is there a term for this specific method? (besides just "weak")

fgrieu

1 Answer


This is a simple 128-bit block cipher, reversibly changing a 32-bit word of the state at each of 4 steps shown. It is very similar to an unbalanced Feistel cipher, except that the change of state is with += rather than the conventional ^=. In the context that deviation has three consequences, with the first rather desirable:

  1. It creates alternation of ^ and + in the diffusion pattern.
  2. Decryption is less similar to encryption than in a Feistel cipher (I guess the decryption code uses -= ).
  3. Hardware implementation would be slightly bigger/more power hungry, perhaps even slightly slower; but 1 more than compensates, and that's a non-issue in software.

To hope for security, there must of course be MANY more rounds than shown. We have not even reached full diffusion (nothing in B or C influenced the outcome of A ). As a crude reference, AES-128 modifies its full state 10 times (discounting the initial XOR with a subkey); and Speck-128-128 modifies it 16 times. Security will depend a lot on the number of rounds, on a sensible choice of table P, and on the key schedule (producing the array k of subkeys from the actual key).

Note: Implementation in software is likely to suffer from data cache timing dependencies and other cache-related side channels, due to indexing in P at data-dependent indexes.

Note: as pointed out by Poncho (correcting my mistakes), this cipher generates an even permutation; but that's not a weakness, since that reveals 1 bit of information only after $2^{128}-2$ input-output pairs are collected.

fgrieu
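The following is an added worked example, not code from the question or the answer. It implements the four += steps as an encryption round, adds the inverse round the answer guesses (same steps in reverse order with -=), and checks two of the answer's points on a constructed instance: that the construction is a permutation (encrypt then decrypt restores the input) and that after a single round a change in B does not reach A. The table P is filled from a xorshift32 stream and the subkeys are fixed constants; both are stand-ins for the "random" table and the key schedule the answer says are out of scope, and NROUNDS is illustrative, not a security recommendation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define b0(u) ((u)&0xff)
#define b1(u) (((u)>>8)&0xff)
#define b2(u) (((u)>>16)&0xff)
#define b3(u) (((u)>>24))

/* Fold the four bytes of a word into one 8-bit table index, as in the question. */
#define IDX(u) (b0(u)^b1(u)^b2(u)^b3(u))

#define NROUNDS 4   /* illustrative only; far too few rounds for security */

/* Constructed stand-in for the 256-entry "random" table P (xorshift32 stream).
 * xorshift32 never repeats within 2^32-1 outputs, so all 256 entries are distinct. */
static void fill_table(uint32_t P[256], uint32_t seed) {
    uint32_t x = seed ? seed : 0x9E3779B9u;
    for (int i = 0; i < 256; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        P[i] = x;
    }
}

/* One encryption round: the four += steps from the question, in order. */
static void round_enc(uint32_t s[4], const uint32_t *k, const uint32_t P[256]) {
    s[0] += P[IDX(s[3])] ^ k[0];   /* A depends on D only */
    s[1] += P[IDX(s[0])] ^ k[1];   /* B depends on new A */
    s[2] += P[IDX(s[1])] ^ k[2];   /* C depends on new B */
    s[3] += P[IDX(s[2])] ^ k[3];   /* D depends on new C */
}

/* Inverse round: the same steps in reverse order with -= (the answer's guess).
 * Each step reads only words that are already restored, so it inverts exactly. */
static void round_dec(uint32_t s[4], const uint32_t *k, const uint32_t P[256]) {
    s[3] -= P[IDX(s[2])] ^ k[3];
    s[2] -= P[IDX(s[1])] ^ k[2];
    s[1] -= P[IDX(s[0])] ^ k[1];
    s[0] -= P[IDX(s[3])] ^ k[0];
}

/* k holds 4*nrounds subkeys (hypothetical schedule output); round r uses k[4r..4r+3]. */
void encrypt_block(uint32_t s[4], const uint32_t *k, int nrounds, const uint32_t P[256]) {
    for (int r = 0; r < nrounds; r++) round_enc(s, k + 4 * r, P);
}
void decrypt_block(uint32_t s[4], const uint32_t *k, int nrounds, const uint32_t P[256]) {
    for (int r = nrounds - 1; r >= 0; r--) round_dec(s, k + 4 * r, P);
}

/* Returns 1 if encrypt followed by decrypt restores the plaintext, 0 otherwise. */
int roundtrip_ok(void) {
    uint32_t P[256], k[4 * NROUNDS];
    fill_table(P, 1);
    for (int i = 0; i < 4 * NROUNDS; i++) k[i] = 0x01234567u * (uint32_t)(i + 1);  /* constructed subkeys */
    uint32_t pt[4] = {0xdeadbeefu, 0x01020304u, 0u, 0xffffffffu}, s[4];
    memcpy(s, pt, sizeof s);
    encrypt_block(s, k, NROUNDS, P);
    if (memcmp(s, pt, sizeof s) == 0) return 0;   /* ciphertext should differ from plaintext */
    decrypt_block(s, k, NROUNDS, P);
    return memcmp(s, pt, sizeof s) == 0;
}

/* Bit mask of output words (bit i <-> word i: A=0, B=1, C=2, D=3) that differ after
 * `nrounds` rounds when only input word `word` has one bit flipped. With all-zero
 * subkeys this isolates the data path, which is what the diffusion argument is about. */
int diff_mask(int word, int nrounds) {
    uint32_t P[256], k[4 * NROUNDS] = {0};
    fill_table(P, 1);
    uint32_t s1[4] = {1, 2, 3, 4}, s2[4] = {1, 2, 3, 4};
    s2[word] ^= 0x80u;
    encrypt_block(s1, k, nrounds, P);
    encrypt_block(s2, k, nrounds, P);
    int mask = 0;
    for (int i = 0; i < 4; i++) if (s1[i] != s2[i]) mask |= 1 << i;
    return mask;
}

int main(void) {
    printf("encrypt/decrypt roundtrip: %s\n", roundtrip_ok() ? "ok" : "FAIL");
    printf("words changed by a 1-bit change in B after 1 round (mask ABCD=bits 0..3): 0x%x\n",
           diff_mask(1, 1));
    printf("words changed by a 1-bit change in D after 1 round: 0x%x\n", diff_mask(3, 1));
    return 0;
}
```

After one round, `diff_mask(1, 1)` never has bit 0 set: A is computed from D and k[0] before B is touched, which is the "nothing in B or C influenced the outcome of A" observation in the answer. A change in D, by contrast, reaches A immediately. Raising `nrounds` in the call shows how many rounds the chain A -> B -> C -> D -> A needs before every word depends on every input word.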