Quadibloc IX

Quadibloc IX is a block cipher that obtains its security through the principle of indirection. It has only four rounds. However, each round involves performing a form of the basic Quadibloc f-function ten times. Hence, the f-function is represented in a schematic form:

a box, bearing on it the numbers of the two S-boxes used within it, from the standard Quadibloc set (note that they are used so to avoid a symmetry involving rotating each 32-bit subblock by an integer number of bytes), has an input and an output, and in addition, three subkeys as input, and two intermediate results as output. Note also that the key-dependent S-box is noted here as S9, since the first eight of the standard Quadibloc S-boxes are used.

This compact schematic notation allows the Quadibloc IX round to be illustrated in a compact fashion:

and the round, in essence, is composed of the following elements:

• The first and second 32-bit subblocks of the 128-bit block are enciphered by means of two Feistel rounds involving the version of the Quadibloc f-function used here.
• The four intermediate results produced during this encipherment are enciphered in two pairs by means of two Feistel rounds with the same f-function.
• The result of this encipherment is used as the source of the subkeys for an encipherment of two subkeys as a 64-bit block through two Feistel rounds. Additionally, two of the subkeys used are derived from intermediate results produced during this encipherment; this is shown in a dark green color in the diagram above.
• The following three items are used as the subkeys for each f-function in an encipherment, by two Feistel rounds, of the third and fourth 32-bit subblocks of the 128-bit block.
  • The results of the previous encipherment;
  • as shown in a light blue color in the diagram above, so that the principal part of the round is more clearly visible, additional intermediate results from the encipherment which produced that encipherment's subkeys as well as intermediate results from the previous encipherment, combined by XOR;
  • one of two fixed subkeys.

After each round except the last, the 64-bit halves of the block are swapped.

Since each round contains two Feistel rounds for each half of the block, four such rounds involve only eight Feistel rounds, but the F-function is of the SPSPS type instead of the SP type.

The number of rounds, therefore, might be barely enough to provide a degree of security even without considering the cipher's main feature. Because the intermediate results from the left half are first enciphered, and then used as subkeys for encipherment, it is difficult to work backwards from known plaintext and ciphertext for a single round to determine the subkeys for the round. The use of a key-dependent S-box further frustrates differential cryptanalysis and related techniques.

The key material used in this cipher consists of 88 subkeys, each 32 bits long, and one S-box containing the 256 bytes from 0 to 255 in a scrambled order.

In the detailed description of the cipher which follows, should there be any appearance of ambibuity, please remember that I consistently use big-endian conventions; that is, the most significant bit or byte of a word is always the first one, the leftmost one, and the one with the lowest number.

The f-function

The f-function used here is essentially as illustrated with Quadibloc VIII.

• First, the 32-bit input is XORed with the first 32-bit subkey.
• Then, the first three bytes of the result are replaced by their equivalents in the first of the two S-boxes selected for this f-function from among those described in the section Euler's Constant and the Quadibloc S-Boxes which, for this cipher, may be either S-box 1, 3, 5, or 7, and the fourth byte of the result is replaced by its equivalent in the subsequent S-box from that selection.
• Then, the bits of the result of the substitution are transposed, from the order 1, 2, 3,... 32 to the order

 1  2 27 28 21 22 15 16
 9 10  3  4 29 30 23 24
17 18 11 12  5  6 31 32
25 26 19 20 13 14  7  8

• The current value constitutes the first intermediate result generated by the f-function.
• Now, the 32-bit value is XORed with the second 32-bit subkey.
• The four bytes of the result are replaced by their equivalents in the S-boxes used before, but this time only the first byte is replaced by its equivalent in the first of those S-boxes, and the last three bytes are replaced by their equivalents in the second S-box.
• The bits undergo the same transposition as before.
• The current result is now the second intermediate result availible from this f-function.
• The 32-bit value is now XORed with the third 32-bit subkey used with this f-function.
• The four bytes of the result are replaced by their equivalents in the key-dependent S-box, which for Quadibloc IX is designated S-box 9.
• The result is now the output from the f-function.

The Round in Detail

A round of Quadibloc IX encipherment consists of the following steps:

• The first quarter of the block is used as input to an f-function using S-boxes 1 and 2, with subkeys which are subkeys 1, 5, and 9 in the first round, and which increase in number by 1 in each subsequent round (as do all subkeys used in a round of Quadibloc IX). The two intermediate results produced shall be designated D and C. The output of the f-function is XORed to the second quarter of the block, permanently modifying it.
• The second quarter of the block is used as input to an f-function using S-boxes 1 and 2, with subkeys which are subkeys 13, 17, and 21 in the first round, and so on. The two intermediate results produced shall be designated B and A. The output of the f-function is XORed to the first quarter of the block, permanently modifying it.
• Intermediate results B and C shall form one 64-bit block, and intermediate results D and A shall form a second 64-bit block, each of which shall be enciphered by means of two Feistel rounds, proceeding as follows:
  • B is used as input to an f-function using S-boxes 3 and 4, with subkeys 37, 41, and 45 in the first round. The two intermediate results produced will be designated E and U. The output of the f-function is XORed to C, permanently modifying it.
  • C is used as input to an f-function using S-boxes 3 and 4, with subkeys 61, 65, and 69 in the first round. The two intermediate results produced will be designated G and W. The output of the f-function is XORed to B, permanently modifying it.
  • The following two Feistel rounds proceed independently from the two previously described.
  • D is used as input to an f-function using S-boxes 3 and 4, with subkeys 25, 29, and 33 in the first round. The two intermediate results produced will be designated F and V. The output of the f-function is XORed to A, permanently modifying it.
  • A is used as input to an f-function using S-boxes 3 and 4, with subkeys 49, 53, and 57 in the first round. The two intermediate results produced will be designated H and X. The output of the f-function is XORed to D, permanently modifying it.
• Two subkeys, subkeys 73 and 77 in the first round, shall form one 64-bit block, and this block will be enciphered by means of two Feistel rounds, as follows:
  • The left half of the block formed by the two subkeys shall be used as input to an f-function using S-boxes 5 and 6. The subkeys used as input to this f-function shall be, in order:
    • A, as modified by the preceding step in which A, B, C, and D were enciphered;
    • The XOR of intermediate results F and G from the preceding step;
    • C, as modified by the preceding step.
  • The two intermediate results produced will be designated P and R. The output of the f-function will be XORed to the right half of the block formed by the two subkeys, permanently modifying it. (That is, the right half of the block is permanently modified for the remainder of the round computation in which it is used. The subkey itself is not modified for subsequent encipherments, as this is a block cipher, containing no state which is preserved between encipherments, other than that which is wholly dependent on the key alone.)
  • The right half of the block formed by the two subkeys shall be used as input to an f-function using S-boxes 5 and 6. The subkeys used as input to this f-function shall be, in order:
    • D, as modified by the preceding step;
    • The XOR of intermediate results E and H from the preceding step;
    • B, as modified by the preceding step.
  • The two intermediate results produced will be designated Q and S. The output of the f-function will be XORed to the left half of the block formed by the two subkeys, permanently modifying it.
• The third quarter of the block is used as input to an f-function using S-boxes 7 and 8. The subkeys used as input to this f-function shall be, in order:
  • The right half of the block formed from subkeys 73 and 77 as enciphered by the preceding step;
  • A 32-bit subkey, which is subkey 81 in the first round;
  • The XOR of the following four intermediate results from the preceding step and the step which preceded it: X, U, P, S.
• The intermediate results are not used. The output of the f-function is XORed to the fourth quarter of the block, permanently modifying it.
• The fourth quarter of the block is used as input to an f-function using S-boxes 7 and 8. The subkeys used as input to this f-function shall be, in order:
  • The left half of the block formed from subkeys 73 and 77 as enciphered by the preceding step;
  • A 32-bit subkey, which is subkey 85 in the first round;
  • The XOR of the following four intermediate results from the preceding step and the step which preceded it: W, V, Q, R.
• The intermediate results are not used. The output of the f-function is XORed to the third quarter of the block, permanently modifying it.

After each round, the halves of the block, the first half being composed of the first and second 32-bit quarters of the block, and the second half being composed of the third and fourth 32-bit quarters of the block, are swapped.

The Key Schedule

As noted, this block cipher uses 88 subkeys, each one 32 bits long, numbered from 1 to 88, and one 256-byte key dependent S-box designated S9.

The key must be a multiple of 16 bits in length.

Two strings of bytes will be produced from the key.

If the length of the key is a multiple of 32 bits in length, then let that multiple be N, where the key is 4*N bytes in length. In that case, the first string shall be 14*N-1 bytes in length, and the second string shall be 14*N+1 bytes in length.

If the length of the key is an odd multiple of 16 bits in length, then let that multiple be M, where the key is 2*M bytes in length. In that case, the first string shall be 7*M-2 bytes in length, and the second string will be 7*M bytes in length.

In other words, the second string shall be initially three and one half times as long as the key, and the first string shall be initially one byte shorter than the second string, and if the number of bytes in the first string is even, it shall be shortened by one byte, but if instead the number of bytes in the second string is even, it shall be lengthened by one byte.

The first string shall be filled with repetitions of the following material, up to its length: the key itself, followed by a single byte containing the one's complement of the XOR of all the bytes of the key together.

The second string shall be filled with repetitions of the following material, up to its length: the one's complement of the key, followed by the bytes of the key in reverse order.

The 88 subkeys, each one four bytes in length, shall be formed in order, one byte at a time, starting with the most significant and leftmost byte of the first subkey.

Each string will be called upon to produce output bytes by the process of chain addition. A chain addition step consists of calculating the sum, modulo 256, of the last two bytes in the string. This sum shall be the output byte from the step. The string will then be modified as follows: the last byte of the string shall be removed, and the output byte shall be appended to the string before the first byte, with the result that the bytes in the string shall advance one position.

Each string has associated with it a 256-byte buffer. Before beginning to generate subkey material, each string shall generate 256 bytes, and these bytes will be placed in the cells of this buffer, beginning with cell 0 and ending with cell 255.

Producing a byte of subkey material proceeds as follows:

• The first string will generate a byte, which shall be called A.
• The second string will generate a byte, which shall be called B.
• The contents of cell B of the buffer associated with the first string shall be called X, and then cell B of that buffer will have the value A stored in it.
• The first string will generate a byte, which shall be called C.
• The second string will generate a byte, which shall be called D.
• The contents of cell C of the buffer associated with the second string shall be called Y, and then cell C of that buffer will have the value D stored in it.
• The XOR of X and Y shall constitute the byte of subkey material generated.

An additional 256 bytes of subkey material shall be generated after all the required subkeys are generated. This subkey material, along with the buffers associated with the two strings, shall be used to generate the key-dependent S-box S9 as follows:

• Let the extra 256 bytes of subkey material be kept in an array designated P, and the 256-byte buffers associated with the first and second strings be designated Q and R respectively. In addition, initialize a 256-byte buffer S with zeroes. A buffer designated T will also be used, which may contain the value -1 in its cells in addition to the numbers from 0 to 255. As well, there will be two buffers of unsigned 16-bit quantities, called QQ and RR.
• For each number from 0 to 255 in order, called c (for counter): consider the element of P indicated by that number, and call it x; that is, set x to be P(c). If S(x) is zero, set S(x) to be 1, and set T(c) to be x. If S(x) is not zero, set T(c) to be -1.
• Count the elements of S that are equal to zero. If none are, then skip the next step. If one is, then exactly one element of T(c) will be -1; set that element to the index of the zero element of S, and skip the next step. Otherwise, continue.
• Scan the arrays S and T from beginning to end, independently. Look for zero elements in S, and the value -1 in T. When one of these is found in one array, wait for the corresponding item in the other array. Then replace the value -1 in T by the index of the zero element in S. Once this step is complete, the array T will contain one copy of every value from 0 to 255.
• Fill the array QQ with 16-bit quantities consisting of the element of the array Q at the same index times 256, plus the index. Fill the array RR with 16-bit quantities consisting of the element R at the same index times 256, plus the index.
• Sort arrays QQ and RR.
• AND each element of QQ and RR with 255, masking out all but the least significant byte of each element.
• For each number from 0 to 255 in order, called c, perform the following calculation: set element RR(c) of P to element QQ(c) of T; that is, P(RR(c))=T(QQ(c)).
• The contents of array P are to be used as S-box S9.

Decipherment

To decipher a block encrypted in Quadibloc IX, it is necessary to modify the round, as well as to perform the four rounds in reverse order. The modified round for decryption involves performing the two Feistel rounds acting on the first and second quarters of the block, and the two Feistel rounds acting on the third and fourth quarters of the block, in reverse order in each case, while retaining all designations of subkeys used and intermediate values output.

Next
Start of Section
Skip to Next Section
Skip to Next Chapter
Table of Contents
Main Page