The block cipher Quadibloc X operates on a 128-bit block divided into four 32-bit subblocks. All four subblocks are modified in each round, and three different types of cipher step are used to modify the various subblocks.
The leftmost subblock is modified directly in one piece, using a method somewhat reminiscent of SAFER. Two subrounds of this method are applied to it during each round of Quadibloc X. The intermediate value of that subblock between the two subrounds is used as a master nonlinear control input for the cipher steps applied to the remaining subblocks. Because the number of these rounds is even, an interchange of the two middle bytes of the subblock in a round does not interfere with the swap of 16-bit subblock segments between Quadibloc X rounds.
The two middle subblocks are modified by means of Feistel rounds using the Quadibloc f-function. Three Feistel rounds are applied. Because the number of these rounds is odd, the swap of 16-bit subblock segments between Quadibloc X rounds is simplified, since each Quadibloc X round can be treated as a single Feistel round.
The rightmost subblock is modified through both XOR and addition of intermediate results of the Feistel rounds applied to the middle two subblocks. Between each application of an intermediate result, a substitution is performed of a type that leads to this modification of the subblock approximating decorellation. Four intermediate results are used, and the operations are, in order, XOR, bytewise addition modulo 256, bytewise addition modulo 256, and XOR.
Between each pair of Quadibloc X rounds, the 128-bit block is considered to be divided into eight 16-bit subblock segments, and these are permuted from the order
1 2 3 4 5 6 7 8
to the order
7 4 1 6 3 8 5 2
so that the left halves of each subblock move to the next rightmost subblock between rounds, and the right halves of each subblock move to the next leftmost subblock between rounds.
The subround applied to the leftmost subblock twice in a Quadibloc X round is illustrated below:
Two such subrounds are performed on the leftmost subblock in each round of Quadibloc X, and the value of the leftmost subblock between those two subrounds is used as the nonlinear control word for the remaining part of the round.
The Feistel subround which operates on the central two 32-bit subblocks of the 128-bit block is illustrated below.
On the left is shown one byte from the 32-bit nonlinear control word derived from the encipherment of the leftmost subblock. For the three Feistel subrounds performed in a Quadibloc X rounds, the first, second, and third bytes, from the left of that word, are used for the three rounds in order.
The second subblock is used as the input to the F-function.
The F-function proceeds as follows:
The Feistel round is then completed when the F-function output is XORed with the third subblock.
Of the three subrounds performed, the the first intermediate result of each round will be known as IR5, IR6, and IR7, respectively, and the second intermediate result of each round will be known as IR1, IR2, and IR3, respectively. These intermediate results will be used in the modification of the rightmost subblock.
After the first two of the three Feistel subrounds performed in a Quadibloc X round, the second and third subblocks of the 128-bit block will be swapped, these being the right and left halves of the block on which those Feistel subrounds operate.
Finally, the last step in the Quadibloc X round is illustrated in the diagram below:
Four quantities, derived from the intermediate results produced from the three Feistel rounds applied to the middle two subblocks, are applied to the rightmost subblock.
The quantities IR4A and IR4B are defined as follows:
IR4A = IR5 xor IR6 xor IR7 IR4B = IR5 + IR6 + IR7
where + in the equations above refers to bytewise addition modulo 256.
The assignment of intermediate results from the Feistel rounds to the four inputs to this modification step is determined by the last four bits of the last byte of the nonlinear control word according to the following table, which uses 16 of the 24 possible arrangements, when each intermediate result is only used once, and IR4B, created by addition, is always used as input to an XOR step, and IR4A, created by XOR, is always used as input to an additon step:
IN1 IN2 IN3 IN4
0000 IR4B IR1 IR2 IR3
0001 IR4B IR2 IR3 IR1
0010 IR4B IR3 IR2 IR1
0011 IR4B IR2 IR1 IR3
0100 IR2 IR4A IR3 IR1
0101 IR3 IR4A IR1 IR2
0110 IR3 IR4A IR2 IR1
0111 IR1 IR4A IR3 IR2
1000 IR1 IR2 IR4A IR3
1001 IR3 IR1 IR4A IR2
1010 IR2 IR1 IR4A IR3
1011 IR1 IR3 IR4A IR2
1100 IR1 IR2 IR3 IR4B
1101 IR2 IR3 IR1 IR4B
1110 IR3 IR2 IR1 IR4B
1111 IR2 IR1 IR3 IR4B
The S-boxes S10, S11, S6, and S7 used in this step are ones specifically designed to produce decorrelation. Since only addition modulo 256 is used, the decorellation is only approximate.
The S-box S11 contains successive powers of 3, under Galois Field multiplication using the polynomial x^8 + x^6 + x^5 + x^3 + 1 (cancellation binary string 101101001) as used with Twofish, except that the last entry in the S-box is 0. The S-box S10 is the inverse of an S-box containing successive powers of 3, under Galois Field multiplication using the polynomial x^8 + x^4 + x^3 + x + 1 (cancellation binary string 100011011) as used with Rijndael, except that the last entry in the S-box being inverted is 0.
Thus, these S-boxes (and their inverses, as required for deciphering) are as follows:
S-box S11: 1 3 5 15 17 51 85 255 104 184 161 138 247 112 144 217 2 6 10 30 34 102 170 151 208 25 43 125 135 224 73 219 4 12 20 60 68 204 61 71 201 50 86 250 103 169 146 223 8 24 40 120 136 241 122 142 251 100 172 157 206 59 77 215 16 48 80 240 121 139 244 117 159 200 49 83 245 118 154 199 32 96 160 137 242 127 129 234 87 249 98 166 131 236 93 231 64 192 41 123 141 254 107 189 174 155 196 37 111 177 186 167 128 233 82 246 115 149 214 19 53 95 225 74 222 11 29 39 105 187 164 133 230 67 197 38 106 190 171 148 213 22 58 78 210 31 33 99 165 134 227 76 212 21 63 65 195 44 116 156 205 62 66 198 35 101 175 152 193 42 126 130 239 88 232 81 243 124 132 229 70 202 55 89 235 84 252 109 183 176 185 162 143 248 97 163 140 253 110 178 191 168 145 218 7 9 27 45 119 153 194 47 113 147 220 13 23 57 75 221 14 18 54 90 238 91 237 94 226 79 209 26 46 114 150 211 28 36 108 180 181 182 179 188 173 158 203 52 92 228 69 207 56 72 216 0 The inverse of S-box S11: 255 0 16 1 32 2 17 204 48 205 18 125 33 215 220 3 64 4 221 119 34 153 141 216 49 25 231 206 236 126 19 145 80 146 20 164 237 107 135 127 50 98 169 26 157 207 232 211 65 74 41 5 247 120 222 182 252 217 142 61 35 38 161 154 96 155 162 133 36 250 180 39 253 30 123 218 151 62 143 229 66 175 114 75 185 6 42 88 173 183 223 225 248 94 227 121 81 194 90 147 57 165 21 44 8 128 136 102 238 187 198 108 13 212 233 116 158 71 77 208 51 68 54 99 177 27 170 85 112 86 171 92 178 131 149 28 52 83 11 69 196 100 55 192 14 202 46 213 139 117 234 23 167 209 78 105 159 59 245 72 82 10 191 195 130 148 91 111 201 45 22 138 58 244 104 166 189 109 199 242 239 240 241 188 9 190 110 129 243 103 137 200 97 168 210 156 106 134 163 79 73 40 181 246 37 160 60 251 24 230 144 235 152 140 118 63 254 15 203 31 214 219 124 47 29 122 228 150 249 179 132 95 174 113 87 184 93 226 224 172 67 53 84 176 70 76 115 12 193 89 43 56 186 197 101 7 The inverse of S-box S10: 1 3 5 15 17 51 85 255 26 46 114 150 161 248 19 53 95 225 56 72 216 115 149 164 247 2 6 10 30 34 102 170 229 52 92 228 55 89 235 38 106 190 217 112 144 171 230 49 83 245 4 12 20 60 68 204 79 209 104 184 211 110 178 205 76 212 103 169 224 59 77 215 98 166 241 8 24 40 120 136 131 158 185 208 107 189 220 127 129 152 179 206 73 219 118 154 181 196 87 249 16 48 80 240 11 29 39 105 187 214 97 163 254 25 43 125 135 146 173 236 47 113 147 174 233 32 96 160 251 22 58 78 210 109 183 194 93 231 50 86 250 21 63 65 195 94 226 61 71 201 64 192 91 237 44 116 156 191 218 117 159 186 213 100 172 239 42 126 130 157 188 223 122 142 137 128 155 182 193 88 232 35 101 175 234 37 111 177 200 67 197 84 252 31 33 99 165 244 7 9 27 45 119 153 176 203 70 202 69 207 74 222 121 139 134 145 168 227 62 66 198 81 243 14 18 54 90 238 41 123 141 140 143 138 133 148 167 242 13 23 57 75 221 124 132 151 162 253 28 36 108 180 199 82 246 0 S-box S10: 255 0 25 1 50 2 26 198 75 199 27 104 51 238 223 3 100 4 224 14 52 141 129 239 76 113 8 200 248 105 28 193 125 194 29 181 249 185 39 106 77 228 166 114 154 201 9 120 101 47 138 5 33 15 225 36 18 240 130 69 53 147 218 142 150 143 219 189 54 208 206 148 19 92 210 241 64 70 131 56 102 221 253 48 191 6 139 98 179 37 226 152 34 136 145 16 126 110 72 195 163 182 30 66 58 107 40 84 250 133 61 186 43 121 10 21 155 159 94 202 78 212 172 229 243 115 167 87 175 88 168 80 244 234 214 116 79 174 233 213 231 230 173 232 44 215 117 122 235 22 11 245 89 203 95 176 156 169 81 160 127 12 246 111 23 196 73 236 216 67 31 45 164 118 123 183 204 187 62 90 251 96 177 134 59 82 161 108 170 85 41 157 151 178 135 144 97 190 220 252 188 149 207 205 55 63 91 209 83 57 132 60 65 162 109 71 20 42 158 93 86 242 211 171 68 17 146 217 35 32 46 137 180 124 184 38 119 153 227 165 103 74 237 222 197 49 254 24 13 99 140 128 192 247 112 7
The S-box S6 contains successive powers of 19 in multiplication modulo 257, except that 256, when it occurs, is replaced with zero, and the S-box S7 is the inverse of S6. Hence, the contents of these S-boxes are as follows:
S-box S6: 1 19 104 177 22 161 232 39 227 201 221 87 111 53 236 115 129 138 52 217 11 209 116 148 242 229 239 172 184 155 118 186 193 69 26 237 134 233 58 74 121 243 248 86 92 206 59 93 225 163 13 247 67 245 29 37 189 250 124 43 46 103 158 175 241 210 135 252 162 251 143 147 223 125 62 150 23 180 79 216 249 105 196 126 81 254 200 202 240 191 31 75 140 90 168 108 253 181 98 63 169 127 100 101 120 224 144 166 70 45 84 54 255 219 49 160 213 192 50 179 60 112 72 83 35 151 42 27 0 238 153 80 235 96 25 218 30 56 36 170 146 204 21 142 128 119 205 40 246 48 141 109 15 28 18 85 73 102 139 71 64 188 231 20 123 24 199 183 136 14 9 171 165 51 198 164 32 94 244 10 190 12 228 220 68 7 133 214 211 154 99 82 16 47 122 5 95 6 114 110 34 132 195 107 234 77 178 41 8 152 61 131 176 3 57 55 17 66 226 182 117 167 89 149 4 76 159 194 88 130 157 156 137 33 113 91 187 212 173 203 2 38 208 97 44 65 207 78 197 145 185 174 222 106 215 230 S-box S7: 128 0 240 213 224 195 197 185 208 170 179 20 181 50 169 152 192 216 154 1 163 142 4 76 165 134 34 127 153 54 136 90 176 233 200 124 138 55 241 7 147 207 126 59 244 109 60 193 149 114 118 173 18 13 111 215 137 214 38 46 120 210 74 99 160 245 217 52 184 33 108 159 122 156 39 91 225 205 247 78 131 84 191 123 110 155 43 11 228 222 93 235 44 47 177 196 133 243 98 190 102 103 157 61 2 81 253 203 95 151 199 12 121 234 198 15 22 220 30 145 104 40 194 164 58 73 83 101 144 16 229 211 201 186 36 66 168 232 17 158 92 150 143 70 106 249 140 71 23 223 75 125 209 130 189 29 231 230 62 226 115 5 68 49 175 172 107 221 94 100 139 171 27 238 251 63 212 3 206 119 77 97 219 167 28 250 31 236 161 56 180 89 117 32 227 202 82 248 174 166 86 9 87 239 141 146 45 246 242 21 65 188 237 116 187 254 79 19 135 113 183 10 252 72 105 48 218 8 182 25 255 162 6 37 204 132 14 35 129 26 88 64 24 41 178 53 148 51 42 80 57 69 67 96 85 112
Thus, the entire Quadibloc X round looks like this:
and, as previously noted, 16-bit subblock halves are rotated after each round except the last from the order:
1 2 3 4 5 6 7 8
to the order
7 4 1 6 3 8 5 2
as illustrated in the diagram below:
which shows clearly that the left half of each subblock is rotated one place to the right, and the right half of each subblock is rotated one place to the left.
Normally, ar least 8 rounds of Quadibloc X are used for encryption. Ideally, 12 or 16 rounds would be preferable. 32 rounds allow the four bits per round that alter the algorithm fundamentally (by changing the order in which the intermediate results of the three Feistel rounds are applied decorellatively to the fourth subblock) to total to 128 bits, thus the algorithm can no longer be brute-force searched; this allows Quadibloc X to realize its full potential.
One round is definitely insecure, since the first 32-bit subblock is essentially subjected to a block cipher with a 32-bit block size. Two rounds are already an interesting problem for the cryptanalyst, and four rounds might possibly be secure, but cannot be recommended.
Quadibloc X uses the following key material: 17 subkeys, each 32 bits long, per round, and one key-dependent S-box, S8, containing the bytes from 0 to 255 in a shuffled order. The subkeys used by the first round are K1 through K17, as shown in the diagram, and those used by the second round are K18 through K34, and so on.
The key will be a multiple of four bytes in length.
Subkey generation proceeds as follows:
Three strings of bytes of different length are produced from the key.
The first string consists of the key, followed by one byte containing the one's complement of the XOR of all the bytes of the key.
The second string consists of the one's complements of the bytes of the key in reverse order, with three bytes appended containing the following three quantities:
The third string consists of alternating bytes, taken from the bytes of the key in reverse order, and then from the bytes of the one's complement of the key, and then that string is followed by the one's complements of the first four bytes of the key.
Thus, if the key is:
128 64 32 16 8 4 2 1 1 2 3 4 5 6 7 8
then the strings generated from it are as follows:
First string: 128 64 32 16 8 4 2 1 1 2 3 4 5 6 7 8 8 Second string: 247 248 249 250 251 252 253 254 254 253 251 247 239 223 191 127 37 170 93 Third string: 8 127 7 191 6 223 5 239 4 247 3 251 2 253 1 254 1 254 2 253 4 252 8 251 16 250 32 249 64 248 128 247 127 191 223 239
Given that the length of the key is 4n, the lengths of the three strings are 4n+1, 4n+3, and 8n+4, and hence all three are relatively prime, since both 4n+1 and 4n+3 are odd, and 8n+4 is two times 4n+2.
Two buffers are filled by generating bytes from the first and second strings by chain addition.
Chain addition applied to a string is defined as follows:
The sum, modulo 256, of the last two bytes in the string is calculated. This sum is the output of the chain addition step. Also, the last byte of the string is removed, and the sum is appended to the beginning of the string.
Both buffers contain 256 bytes. The first buffer, called buffer A, is filled with 256 successive bytes generated from the second string by chain addition. The second buffer, called buffer B, is filled with 256 successive bytes generated from the first string by chain addition.
Once the setup is complete, subkey material is generated one byte at a time, the first byte generated being the leftmost byte of subkey K1, and so on.
A subkey byte is generated as follows:
Note that this procedure, since it exercises the two strings used to select bytes, rather than the string used to generate values, results in a small change in the key resulting in large changes in the subkeys from the very beginning.
Once all the required 32-bit subkey words are generated, the key-dependent S-box S8 must be generated. This is done as follows:
The resulting contents of buffer D are used as S-box S8. Note that this is a much more straightforwards procedure than used previously to produce S8 in other ciphers in this series.
With the complexity of the Quadibloc X round, its two kinds of subkeys, and the lack of unused intermediate values, it would be difficult to propose a key augmentation procedure for this cipher as used with some other block ciphers in the Quadibloc series. Instead, a different method of providing an improved key schedule, which makes use of the existing logic of Quadibloc X encipherment, is proposed.
Two keys are required, a setup key and a direct key. The setup key is used to create a key schedule, including a key-dependent S-box S8, for single-round Quadibloc X encipherment. Then, using buffers A and B as they stand (generating S8 does not change them), additional key bytes are generated by the same process as used for the subkeys to produce two more values: a 96-bit seed value, and a 96-bit initial counter value.
Then the direct key is used to generate the bytes to be used in the key schedule for the actual Quadibloc X encipherment desired. However, after each four bytes are generated, they are enciphered in an unusual stream cipher mode of single-round Quadibloc X, as illustrated below.
The first four bytes are enciphered as follows:
The 128 bit value composed of the 96-bit seed value and the 32-bit group of four bytes generated by the MacLaren-Marsaglia-based technique used for subkey generation are encrypted in single-round Quadibloc X, using the key schedule derived from the setup key.
The rightmost 32 bits of the result are the encrypted four keystream bytes.
Successive groups of four bytes are encrypted by following these additional steps:
The first 96 bits of the result are divided into six 16-bit subblock halves, and they are permuted from:
1 2 3 4 5 6
to:
5 4 1 6 3 2
After being permuted, the counter value is added to them, and the result of that addition will be used as the new seed value for input along with the next 32 bits to be encrypted.
The counter value is incremented by one.
Note that when the final step of creating the key-dependent S-box S8 is taken, the contents of buffer C, being ordinary output, will have gone through this encryption step, but the contents of buffers A and B will not have.
In deciphering, it is necessary to replace S-boxes S10, S11, and S5 by their inverses, switch addition and subtraction modulo 256 as appropriate, and perform the steps within the round in reverse order as appropriate, leaving steps within f-functions unaffected.
Several possible modifications may be made to the Quadibloc X round.
Because the Quadibloc X round is somewhat time-consuming, it might be considered tempting to use fewer than eight rounds. This is likely to be insecure. One reason for that is that the rightmost block is modified only on a byte-by-byte basis by the Quadibloc X round; while other portions of the block go through the equivalent of multiple rounds, for this one part of the block, the Quadibloc X round behaves like a single ordinary Feistel round.
Thus, to permit Quadibloc X to be used with only four rounds, the following alteration to the round is proposed:
Before and after applying the intermediate results of the central Feistel rounds are applied to the rightmost subblock in the fashion including decorrelation, the 32-bit rightmost subblock is to go through the same unification step that is used as part of the subround applied to the leftmost subblock. This is key-dependent, as it involves the key-dependent S-box S8, but it requires the use of no additional subkeys. Thus, it is important to remember that only the unification step, not the whole subround of which it is a part, is added in this variation.
The form of Quadibloc X including this variation shall be termed Quadibloc X C (Convoluted).
This variation involves making the Quadibloc X round somewhat more elaborate, to permit the constructs in it to be used to their full potential.
The number of subrounds applied to the leftmost subblock is increased from two to four, and additional subkeys are used as appropriate. Thus, in the first round, K1 through K4 are used in the first of these subrounds, K5 through K8 in the next, K9 through K12 in the third, and K13 through K16 in the fourth.
This leads to the existence of three 32-bit intermediate results. Each one is used with one of the three central Feistel rounds.
The least significant 8 bits of the intermediate result are used as the byte from the one intermediate result was used before: to select the S-boxes used.
The preceding three nybbles are used to pick each subkey used from a pool of 16 possible subkeys. Thus, for the first Feistel subround in the first Quadibloc X round, the fourth most significant nybble selects from subkeys K17 through K32, the fifth most significant nybble selects from K32 through K48, and the sixth most significant nybble selects from K49 through K64.
The first 12 bits of the first and third intermediate results are XORed together. Of this result, the three nybbles are used as follows:
The first nybble selects whether S10, or the inverse of S11, is used with each byte of the rightmost subblock.
The second nybble selects whether S11, or the inverse of S10, is used with each byte of the rightmost subblock.
The third nybble selects between S6 and S7 in the fashion in which the second least significant nybble of the one intermediate result did for standard Quadibloc X.
The first 8 bits of the second intermediate result are used to determine the correspondence between the intermediate results of the central Feistel rounds, and the inputs to the decorrelated modification of the rightmost subblock using the following table:
IN1 IN2 IN3 IN4
00000000 11011000 11110000 IR4B IR1 IR2 IR3
00000001 11011001 11110001 IR4B IR2 IR3 IR1
00000010 11011010 IR4B IR3 IR1 IR2
00000011 11011011 11110010 IR4B IR3 IR2 IR1
00000100 11011100 11110011 IR4B IR2 IR1 IR3
00000101 11011101 IR4B IR1 IR3 IR2
00000110 11011110 IR1 IR4A IR2 IR3
00000111 11011111 11110100 IR2 IR4A IR3 IR1
00001000 11100000 11110101 IR3 IR4A IR1 IR2
00001001 11100001 11110110 IR3 IR4A IR2 IR1
00001010 11100010 IR2 IR4A IR1 IR3
00001011 ... 11100011 11110111 IR1 IR4A IR3 IR2
00001100 11100100 11111000 IR1 IR2 IR4A IR3
00001101 11100101 IR2 IR3 IR4A IR1
00001110 11100110 11111001 IR3 IR1 IR4A IR2
00001111 11100111 IR3 IR2 IR4A IR1
00010000 11101000 11111010 IR2 IR1 IR4A IR3
00010001 11101001 11111011 IR1 IR3 IR4A IR2
00010010 11101010 11111100 IR1 IR2 IR3 IR4B
00010011 11101011 11111101 IR2 IR3 IR1 IR4B
00010100 11101100 IR3 IR1 IR2 IR4B
00010101 11101101 11111110 IR3 IR2 IR1 IR4B
00010110 11101110 11111111 IR2 IR1 IR3 IR4B
00010111 11101111 IR1 IR3 IR2 IR4B
The remaining four bits of the intermediate result are not used.
The form of Quadibloc X including this variation shall be termed Quadibloc X E (Expanded); the form including both this variation and the first one shall be termed Quadibloc X EC (Expanded/Convoluted).
Instead of not using the remaining four bits of the intermediate result, when the first four bits of the byte that is used are 1111, these bits can replace it. That will reduce the bias in selecting possible orderings of the intermediate results still further.
This variation is a slight modification of Variation 2, and produces Quadibloc X BR (Bias Reduced) in combination with that variation, and Quadibloc X BRC (Bias Reduces/Convoluted) in combination with both variations 1 and 2.
When four subrounds are used with the leftmost subblock, the subround used can be simplified to use only two subkeys instead of four, as follows:
The designations of the forms of Quadibloc X including this variation are noted in the table below, beside the related forms not including this variation:
Variations Designation Variations Designation 1 2 Quadibloc X EC 1 2 4 Quadibloc X SC (Simplified/Convoluted) 2 Quadibloc X E 2 4 Quadibloc X S (Simplified) 1 2 3 Quadibloc X BRC 1 2 3 4 Quadibloc X FM (Fully Modified) 2 3 Quadibloc X BR 2 3 4 Quadibloc X MS (Modified Standard)
The complete round of Quadibloc X FM is shown below:
When the Advanced Key Schedule is used with any of these variations, either the original Quadibloc X round can be used, giving AKSO (Advanced Key Schedule Original), or the round of the variation can be used, giving AKSN (Advanced Key Schedule Native).
When the number of rounds is not specified, the default number of rounds for each variation is as follows:
Quadibloc X 16 Quadibloc X C 8 Quadibloc X E 8 Quadibloc X S 8 Quadibloc X BR 8 Quadibloc X MS 8 Quadibloc X EC 4 Quadibloc X SC 4 Quadibloc X BRC 4 Quadibloc X FM 4
Note that it is not claimed that the more complicated rounds fully make up for the reduced security due to fewer rounds, merely that they make faster versions possible.
Three additional variant forms of Quadibloc X are now described which of necessity must have exactly 16 rounds, and a fourth is described which must have at least 16 rounds.
Due to the nature of these variants, they can only be of the AKSO type if the Advanced Key Schedule is used.
An additional 32-bit subkey is produced after the subkeys required for the rounds of the cipher. Exactly ten subkeys, not eight or sixteen, are produced for each round for the subrounds operating on the leftmost subblock. This variation can only be used in conjunction with Variation 2.
In this variation, the first two bits of the extra subkey determine for round 1, the next two bits determine for round 2, and so on, which of the four subrounds for the leftmost subblock is in the form used in the original Quadibloc X, 00 indicating the first, 01 the second, and so on, the other three being in the simplified form introduced in Variation 4.
Applying this variation to the BR/MS type round produces Quadibloc X VA (Variable Algorithm). Applying this variation to the BRC/FM type round produces Quadibloc X VC (Variable/Convoluted). In addition, four rounds of the VC type, followed by eight rounds of the VA type, and then four rounds of the VC type produce Quadibloc X VL (Variable/Layered).
This chart illustrates the relationship between the variant forms involved:
Variations Designation Variations Designation Variations Designation 2 3 Quadibloc X BR 2 3 4 Quadibloc X MS 2 3 5 Quadibloc X VA 1 2 3 Quadibloc X BRC 1 2 3 4 Quadibloc X FM 1 2 3 5 Quadibloc X VC
This variation of Quadibloc X is designated Quadibloc X L (Layered), and consists simply of four rounds of Quadibloc X MS followed by eight rounds of Quadibloc X C and then four rounds of Quadibloc X MS. If more than 16 rounds are used, rounds of Quadibloc X C are added in the middle. Thus, in the beginning and ending rounds, subkey pools of 16 subkeys are used in the central Feistel rounds; in the middle rounds, this is not done, but the other complicating factors are used instead. This structure has some resemblance to masking a block cipher with a stream cipher.
This form of Quadibloc X is based on Quadibloc X C.
It operates on a 256 bit block. The left and right halves of the block are each operated on, in each round, by a Quadibloc X C round. The subkeys for the round operating on the left half are generated before those for the round operating on the right half.
The round operating on the right half is modified in this way: the intermediate result from the leftmost subblock is XORed with IR6 from the round operating on the left half before use.
Between rounds, the 32 bytes of the 256-bit block are to be permuted as follows:
From: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 To: 29 14 23 24 17 18 27 28 21 22 31 32 25 26 19 3 13 30 7 8 1 2 11 12 5 6 15 16 9 10 3 20
16 rounds are required.
If the message to be hashed contains an odd number of bits, 0 is appended to it. If it contains an even number of bits, 01 is appended to it.
Then, the message has 00 appended to it.
The result is divided into blocks of 512 bits, or 64 bytes, or 16 32-bit words. If the last block requires padding, the padding is calculated as follows:
Let the number of bits of padding required be N. Since the message has previously been padded to consist of an even number of bits, N/2 is an integer. Let the message before any padding be divided into blocks of N/2 bits, the last block being filled with zeroes on the right.
The XOR of all these blocks will produce an N/2 bit result. This result becomes the N bits of padding required through the following translation of each bit:
0 01 1 10
Thus, through these padding steps, 101 would first be padded to 1010, then to 101000, and then to 101000100110 followed by 01 repeated as many times as needed to fill a complete block.
The series of blocks of 16 32-bit words thus produced will be hashed as follows:
Initially, the constant value
00 F0 11 E1 22 D2 33 C3 44 B4 55 A5 66 96 77 87 88 78 99 69 AA 5A BB 4B CC 3C DD 2D EE 1E FF 0F
will be used as the starting point.
The following has been extensively changed from the original form of the Quadibloc X hash function. For a hash function to perform its task, each element of the data being hashed must have an opportunity to affect the entire output of the hash function. If four 32-bit words work together to produce a result that is only 32 bits long, before other portions of the hash function are affected, then the effort in using all four words is wasted as far as preventing collisions is concerned. Hence, the original form, which derived all subkeys directly from the block being hashed, was misconceived.
It will then be enciphered, for each block of 16 32-bit words, through 16 rounds of Double Quadibloc X, as follows:
The 512 bits will be used as the key, producing subkeys and the key-dependent S-box S8 by means of the standard key schedule, except that the ninth subkey for each round (the first subkey used in the first central Feistel round acting on the left half of the 256-bit block), the twenty-first subkey for each round (the fourth subkey acting on the leftmost subblock of the right half of the 256-bit block, the one XORed immediately before taking an intermediate result), and the twenty-fourth subkey for each round (the seventh one applied, to the leftmost subblock of the right half of the 256-bit block, or the one applied by bytewise addition after the unification step in the second subround) are skipped when generating subkey bytes.
In the 16 rounds, the 16 32-bit words are used in order, starting with the first, as the ninth subkey for each round.
In the 16 rounds, the 16 32-bit words, starting with the eighth, are used in order, with the sixteenth followed by the first, as the twenty-first subkey for each round.
In the 16 rounds, the constant 24 3F 6A 88 is to be used as the twenty-fourth subkey for each round. (Pi is 3.243F6A88... in hexadecimal.)
The final result of the encipherment from the last block is the 256-bit hash of the data.
Next
Start of Section
Skip to Next Section
Skip to Next Chapter
Table of Contents
Main Page