[18176] in cryptography@c2.net mail archive
Re: Number of rounds needed for perfect Feistel?
daemon@ATHENA.MIT.EDU (Alexander Klimov)
Fri Aug 12 16:26:06 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Fri, 12 Aug 2005 23:18:28 +0300 (IDT)
From: Alexander Klimov <alserkli@inbox.ru>
To: Tim Dierks <tim@dierks.org>
Cc: cryptography@metzdowd.com
In-Reply-To: <23090.38.119.128.203.1123861646.squirrel@webmail2.pair.com>
On Fri, 12 Aug 2005, Tim Dierks wrote:
> I'm attempting to design a block cipher with an "odd" block size (34
> bits). I'm planning to use a balanced Feistel structure with AES as the
> function f(), padding the 17-bit input blocks to 128 bits with a pad
> dependent on the round number, encrypting with a key, and extracting the
> low 17 bits as the output of f().
>
> If I use this structure, how many rounds do I need to use to be secure (or
> can this structure be secure at all, aside from the obvious insecurity
> issues of the small block size itself)? I've been told that a small number
> of rounds is insecure (despite the fact that f() can be regarded as
> "perfect") due to collisions in the output of f(). However, I don't
> understand this attack precisely, so a reference would be appreciated.
IIRC the starting point was
M. Luby and C. Rackoff,
``How to construct pseudorandom permutations from pseudorandom functions,''
SIAM Journal on Computing, vol. 17, nb 2, pp. 373--386, April 1988.
Unfortunately, I was not able to quickly find it online, so you can
try any other paper which mentions Luby-Rackoff construction, e.g.,
http://www.wisdom.weizmann.ac.il/%7Enaor/PAPERS/lr.ps
--
Regards,
ASK
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
