[Next] [Up] [Previous] [Index]

The block cipher Quadibloc X operates on a 128-bit block divided into four 32-bit subblocks. All four subblocks are modified in each round, and three different types of cipher step are used to modify the various subblocks.

### Overview of the Quadibloc X Round

The leftmost subblock is modified directly in one piece, using a method somewhat reminiscent of SAFER. Two subrounds of this method are applied to it during each round of Quadibloc X. The intermediate value of that subblock between the two subrounds is used as a master nonlinear control input for the cipher steps applied to the remaining subblocks. Because the number of these rounds is even, an interchange of the two middle bytes of the subblock in a round does not interfere with the swap of 16-bit subblock segments between Quadibloc X rounds.

The two middle subblocks are modified by means of Feistel rounds using the Quadibloc f-function. Three Feistel rounds are applied. Because the number of these rounds is odd, the swap of 16-bit subblock segments between Quadibloc X rounds is simplified, since each Quadibloc X round can be treated as a single Feistel round.

The rightmost subblock is modified through both XOR and addition of intermediate results of the Feistel rounds applied to the middle two subblocks. Between each application of an intermediate result, a substitution is performed of a type that leads to this modification of the subblock approximating decorellation. Four intermediate results are used, and the operations are, in order, XOR, bytewise addition modulo 256, bytewise addition modulo 256, and XOR.

Between each pair of Quadibloc X rounds, the 128-bit block is considered to be divided into eight 16-bit subblock segments, and these are permuted from the order

```1 2 3 4 5 6 7 8
```

to the order

```7 4 1 6 3 8 5 2
```

so that the left halves of each subblock move to the next rightmost subblock between rounds, and the right halves of each subblock move to the next leftmost subblock between rounds.

### The Leftmost Subround Type

The subround applied to the leftmost subblock twice in a Quadibloc X round is illustrated below:

• First, in the modification step, the subblock is XORed with a 32-bit subkey.
• Then, in a substitution step, the bytes of the subblock are replaced with their equivalents in either S-box S5 from the set generated from Euler's constant and used with other Quadibloc ciphers or S-box S10, to be described in the section concerning the transformation applied to the rightmost subblock, and chosen to produce decorrelation. The S-boxes are used in the order S5, S10, S5, S10.
• Third, in another modification step, the individual bytes of another 32-bit subkey are added to the individual bytes of the subblock modulo 256.
• Then, the four bytes of the block operate on each other in the unification step.
• First, each two bytes enter into two mini-Feistel rounds, using the key-dependent S-box S8 as the f-function. The left byte is used as the index into S8, and the result is added to the right byte modulo 256. Then, the right byte is used as the index into S8, and the result is XORed with the left byte.
• Then, of the four bytes, the two middle ones are swapped.
• Third, each pair of bytes again goes through two mini-Feistel rounds; this time, the operations used are first XOR and then subtraction modulo 256.
• Fifth, in another modification step, the individual bytes of another 32-bit subkey are added to the individual bytes of the subblock modulo 256.
• Another substitution step is used, this time using S-block S5 and S-block S11 in the order S11, S11, S5, S5. Because of the byte swap in the middle of the unification step, bytes that went through S10 before now go through S5, and bytes that went through S5 before now go through S11, so each byte goes once through a 'random' S-box and once through a 'decorrelative' S-box.
• Finally, a 32-bit subkey is XORed with the subblock in the last modification step.

Two such subrounds are performed on the leftmost subblock in each round of Quadibloc X, and the value of the leftmost subblock between those two subrounds is used as the nonlinear control word for the remaining part of the round.

### The Central Feistel Rounds

The Feistel subround which operates on the central two 32-bit subblocks of the 128-bit block is illustrated below.

On the left is shown one byte from the 32-bit nonlinear control word derived from the encipherment of the leftmost subblock. For the three Feistel subrounds performed in a Quadibloc X rounds, the first, second, and third bytes, from the left of that word, are used for the three rounds in order.

The second subblock is used as the input to the F-function.

The F-function proceeds as follows:

• XOR one 32-bit subkey with the input.
• Use the bytes of the result to index into either S-box S1 or S-box S2 of those generated from Euler's constant under the control of the bits of the first nybble of the control word byte used for this subround. (0 indicates S1, 1 indicates S2.)
• Permute the 32 bits of the result so that the first two bits of each byte remain in the same position with that byte, the next two advance to the next byte, the next two are swapped in those in the byte two places before or after, and the last two are moved to the preceding byte. This is the permutation used elsewhere with the standard Quadibloc F-function.
• At this point, we have the first intermediate result from this F-function.
• XOR a second 32-bit subkey with the current value.
• Use the bytes of the result to index into S-boxes S3 or S4 under the control of bits of the second nybble of the byte of the control word in use.
• Perform the bit transposition again.
• The second intermediate result from this F-function is now available.
• XOR a third 32-bit subkey with the current value.
• Replace each byte with its substitute in key-dependent S-box S8.

The Feistel round is then completed when the F-function output is XORed with the third subblock.

Of the three subrounds performed, the the first intermediate result of each round will be known as IR5, IR6, and IR7, respectively, and the second intermediate result of each round will be known as IR1, IR2, and IR3, respectively. These intermediate results will be used in the modification of the rightmost subblock.

After the first two of the three Feistel subrounds performed in a Quadibloc X round, the second and third subblocks of the 128-bit block will be swapped, these being the right and left halves of the block on which those Feistel subrounds operate.

### The Decorrelated Modification of the Rightmost Subblock

Finally, the last step in the Quadibloc X round is illustrated in the diagram below:

Four quantities, derived from the intermediate results produced from the three Feistel rounds applied to the middle two subblocks, are applied to the rightmost subblock.

The quantities IR4A and IR4B are defined as follows:

```IR4A = IR5 xor IR6 xor IR7
IR4B = IR5 + IR6 + IR7
```

where + in the equations above refers to bytewise addition modulo 256.

The assignment of intermediate results from the Feistel rounds to the four inputs to this modification step is determined by the last four bits of the last byte of the nonlinear control word according to the following table, which uses 16 of the 24 possible arrangements, when each intermediate result is only used once, and IR4B, created by addition, is always used as input to an XOR step, and IR4A, created by XOR, is always used as input to an additon step:

```     IN1  IN2  IN3  IN4
0000 IR4B IR1  IR2  IR3
0001 IR4B IR2  IR3  IR1
0010 IR4B IR3  IR2  IR1
0011 IR4B IR2  IR1  IR3
0100 IR2  IR4A IR3  IR1
0101 IR3  IR4A IR1  IR2
0110 IR3  IR4A IR2  IR1
0111 IR1  IR4A IR3  IR2
1000 IR1  IR2  IR4A IR3
1001 IR3  IR1  IR4A IR2
1010 IR2  IR1  IR4A IR3
1011 IR1  IR3  IR4A IR2
1100 IR1  IR2  IR3  IR4B
1101 IR2  IR3  IR1  IR4B
1110 IR3  IR2  IR1  IR4B
1111 IR2  IR1  IR3  IR4B
```

The S-boxes S10, S11, S6, and S7 used in this step are ones specifically designed to produce decorrelation. Since only addition modulo 256 is used, the decorellation is only approximate.

The S-box S11 contains successive powers of 3, under Galois Field multiplication using the polynomial x^8 + x^6 + x^5 + x^3 + 1 (cancellation binary string 101101001) as used with Twofish, except that the last entry in the S-box is 0. The S-box S10 is the inverse of an S-box containing successive powers of 3, under Galois Field multiplication using the polynomial x^8 + x^4 + x^3 + x + 1 (cancellation binary string 100011011) as used with Rijndael, except that the last entry in the S-box being inverted is 0.

Thus, these S-boxes (and their inverses, as required for deciphering) are as follows:

```S-box S11:
1   3   5  15  17  51  85 255
104 184 161 138 247 112 144 217
2   6  10  30  34 102 170 151
208  25  43 125 135 224  73 219
4  12  20  60  68 204  61  71
201  50  86 250 103 169 146 223
8  24  40 120 136 241 122 142
251 100 172 157 206  59  77 215
16  48  80 240 121 139 244 117
159 200  49  83 245 118 154 199
32  96 160 137 242 127 129 234
87 249  98 166 131 236  93 231
64 192  41 123 141 254 107 189
174 155 196  37 111 177 186 167
128 233  82 246 115 149 214  19
53  95 225  74 222  11  29  39
105 187 164 133 230  67 197  38
106 190 171 148 213  22  58  78
210  31  33  99 165 134 227  76
212  21  63  65 195  44 116 156
205  62  66 198  35 101 175 152
193  42 126 130 239  88 232  81
243 124 132 229  70 202  55  89
235  84 252 109 183 176 185 162
143 248  97 163 140 253 110 178
191 168 145 218   7   9  27  45
119 153 194  47 113 147 220  13
23  57  75 221  14  18  54  90
238  91 237  94 226  79 209  26
46 114 150 211  28  36 108 180
181 182 179 188 173 158 203  52
92 228  69 207  56  72 216   0

The inverse of S-box S11:
255   0  16   1  32   2  17 204
48 205  18 125  33 215 220   3
64   4 221 119  34 153 141 216
49  25 231 206 236 126  19 145
80 146  20 164 237 107 135 127
50  98 169  26 157 207 232 211
65  74  41   5 247 120 222 182
252 217 142  61  35  38 161 154
96 155 162 133  36 250 180  39
253  30 123 218 151  62 143 229
66 175 114  75 185   6  42  88
173 183 223 225 248  94 227 121
81 194  90 147  57 165  21  44
8 128 136 102 238 187 198 108
13 212 233 116 158  71  77 208
51  68  54  99 177  27 170  85
112  86 171  92 178 131 149  28
52  83  11  69 196 100  55 192
14 202  46 213 139 117 234  23
167 209  78 105 159  59 245  72
82  10 191 195 130 148  91 111
201  45  22 138  58 244 104 166
189 109 199 242 239 240 241 188
9 190 110 129 243 103 137 200
97 168 210 156 106 134 163  79
73  40 181 246  37 160  60 251
24 230 144 235 152 140 118  63
254  15 203  31 214 219 124  47
29 122 228 150 249 179 132  95
174 113  87 184  93 226 224 172
67  53  84 176  70  76 115  12
193  89  43  56 186 197 101   7

The inverse of S-box S10:
1   3   5  15  17  51  85 255
26  46 114 150 161 248  19  53
95 225  56  72 216 115 149 164
247   2   6  10  30  34 102 170
229  52  92 228  55  89 235  38
106 190 217 112 144 171 230  49
83 245   4  12  20  60  68 204
79 209 104 184 211 110 178 205
76 212 103 169 224  59  77 215
98 166 241   8  24  40 120 136
131 158 185 208 107 189 220 127
129 152 179 206  73 219 118 154
181 196  87 249  16  48  80 240
11  29  39 105 187 214  97 163
254  25  43 125 135 146 173 236
47 113 147 174 233  32  96 160
251  22  58  78 210 109 183 194
93 231  50  86 250  21  63  65
195  94 226  61  71 201  64 192
91 237  44 116 156 191 218 117
159 186 213 100 172 239  42 126
130 157 188 223 122 142 137 128
155 182 193  88 232  35 101 175
234  37 111 177 200  67 197  84
252  31  33  99 165 244   7   9
27  45 119 153 176 203  70 202
69 207  74 222 121 139 134 145
168 227  62  66 198  81 243  14
18  54  90 238  41 123 141 140
143 138 133 148 167 242  13  23
57  75 221 124 132 151 162 253
28  36 108 180 199  82 246   0

S-box S10:
255   0  25   1  50   2  26 198
75 199  27 104  51 238 223   3
100   4 224  14  52 141 129 239
76 113   8 200 248 105  28 193
125 194  29 181 249 185  39 106
77 228 166 114 154 201   9 120
101  47 138   5  33  15 225  36
18 240 130  69  53 147 218 142
150 143 219 189  54 208 206 148
19  92 210 241  64  70 131  56
102 221 253  48 191   6 139  98
179  37 226 152  34 136 145  16
126 110  72 195 163 182  30  66
58 107  40  84 250 133  61 186
43 121  10  21 155 159  94 202
78 212 172 229 243 115 167  87
175  88 168  80 244 234 214 116
79 174 233 213 231 230 173 232
44 215 117 122 235  22  11 245
89 203  95 176 156 169  81 160
127  12 246 111  23 196  73 236
216  67  31  45 164 118 123 183
204 187  62  90 251  96 177 134
59  82 161 108 170  85  41 157
151 178 135 144  97 190 220 252
188 149 207 205  55  63  91 209
83  57 132  60  65 162 109  71
20  42 158  93  86 242 211 171
68  17 146 217  35  32  46 137
180 124 184  38 119 153 227 165
103  74 237 222 197  49 254  24
13  99 140 128 192 247 112   7
```

The S-box S6 contains successive powers of 19 in multiplication modulo 257, except that 256, when it occurs, is replaced with zero, and the S-box S7 is the inverse of S6. Hence, the contents of these S-boxes are as follows:

```S-box S6:
1  19 104 177  22 161 232  39
227 201 221  87 111  53 236 115
129 138  52 217  11 209 116 148
242 229 239 172 184 155 118 186
193  69  26 237 134 233  58  74
121 243 248  86  92 206  59  93
225 163  13 247  67 245  29  37
189 250 124  43  46 103 158 175
241 210 135 252 162 251 143 147
223 125  62 150  23 180  79 216
249 105 196 126  81 254 200 202
240 191  31  75 140  90 168 108
253 181  98  63 169 127 100 101
120 224 144 166  70  45  84  54
255 219  49 160 213 192  50 179
60 112  72  83  35 151  42  27
0 238 153  80 235  96  25 218
30  56  36 170 146 204  21 142
128 119 205  40 246  48 141 109
15  28  18  85  73 102 139  71
64 188 231  20 123  24 199 183
136  14   9 171 165  51 198 164
32  94 244  10 190  12 228 220
68   7 133 214 211 154  99  82
16  47 122   5  95   6 114 110
34 132 195 107 234  77 178  41
8 152  61 131 176   3  57  55
17  66 226 182 117 167  89 149
4  76 159 194  88 130 157 156
137  33 113  91 187 212 173 203
2  38 208  97  44  65 207  78
197 145 185 174 222 106 215 230

S-box S7:
128   0 240 213 224 195 197 185
208 170 179  20 181  50 169 152
192 216 154   1 163 142   4  76
165 134  34 127 153  54 136  90
176 233 200 124 138  55 241   7
147 207 126  59 244 109  60 193
149 114 118 173  18  13 111 215
137 214  38  46 120 210  74  99
160 245 217  52 184  33 108 159
122 156  39  91 225 205 247  78
131  84 191 123 110 155  43  11
228 222  93 235  44  47 177 196
133 243  98 190 102 103 157  61
2  81 253 203  95 151 199  12
121 234 198  15  22 220  30 145
104  40 194 164  58  73  83 101
144  16 229 211 201 186  36  66
168 232  17 158  92 150 143  70
106 249 140  71  23 223  75 125
209 130 189  29 231 230  62 226
115   5  68  49 175 172 107 221
94 100 139 171  27 238 251  63
212   3 206 119  77  97 219 167
28 250  31 236 161  56 180  89
117  32 227 202  82 248 174 166
86   9  87 239 141 146  45 246
242  21  65 188 237 116 187 254
79  19 135 113 183  10 252  72
105  48 218   8 182  25 255 162
6  37 204 132  14  35 129  26
88  64  24  41 178  53 148  51
42  80  57  69  67  96  85 112
```

### The Complete Round

Thus, the entire Quadibloc X round looks like this:

and, as previously noted, 16-bit subblock halves are rotated after each round except the last from the order:

```1 2 3 4 5 6 7 8
```

to the order

```7 4 1 6 3 8 5 2
```

as illustrated in the diagram below:

which shows clearly that the left half of each subblock is rotated one place to the right, and the right half of each subblock is rotated one place to the left.

Normally, ar least 8 rounds of Quadibloc X are used for encryption. Ideally, 12 or 16 rounds would be preferable. 32 rounds allow the four bits per round that alter the algorithm fundamentally (by changing the order in which the intermediate results of the three Feistel rounds are applied decorellatively to the fourth subblock) to total to 128 bits, thus the algorithm can no longer be brute-force searched; this allows Quadibloc X to realize its full potential.

One round is definitely insecure, since the first 32-bit subblock is essentially subjected to a block cipher with a 32-bit block size. Two rounds are already an interesting problem for the cryptanalyst, and four rounds might possibly be secure, but cannot be recommended.

### The Key Schedule

Quadibloc X uses the following key material: 17 subkeys, each 32 bits long, per round, and one key-dependent S-box, S8, containing the bytes from 0 to 255 in a shuffled order. The subkeys used by the first round are K1 through K17, as shown in the diagram, and those used by the second round are K18 through K34, and so on.

The key will be a multiple of four bytes in length.

Subkey generation proceeds as follows:

### Initialization

Three strings of bytes of different length are produced from the key.

The first string consists of the key, followed by one byte containing the one's complement of the XOR of all the bytes of the key.

The second string consists of the one's complements of the bytes of the key in reverse order, with three bytes appended containing the following three quantities:

• The sum, modulo 255, of the bytes of the key, incremented by one by normal addition. (Thus, this produces a number from 1 to 255.)
• The XOR of all the bytes at odd numbered positions in the key, where the first byte in the key is considered to be byte 1, and odd.
• The one's complement of the XOR of all the bytes at even numbered positions in the key.

The third string consists of alternating bytes, taken from the bytes of the key in reverse order, and then from the bytes of the one's complement of the key, and then that string is followed by the one's complements of the first four bytes of the key.

Thus, if the key is:

``` 128  64  32  16   8   4   2   1   1   2   3   4   5   6   7   8
```

then the strings generated from it are as follows:

```First string:
128  64  32  16   8   4   2   1
1   2   3   4   5   6   7   8
8

Second string:
247 248 249 250 251 252 253 254
254 253 251 247 239 223 191 127
37 170  93

Third string:
8 127   7 191   6 223   5 239
4 247   3 251   2 253   1 254
1 254   2 253   4 252   8 251
16 250  32 249  64 248 128 247
127 191 223 239
```

Given that the length of the key is 4n, the lengths of the three strings are 4n+1, 4n+3, and 8n+4, and hence all three are relatively prime, since both 4n+1 and 4n+3 are odd, and 8n+4 is two times 4n+2.

Two buffers are filled by generating bytes from the first and second strings by chain addition.

Chain addition applied to a string is defined as follows:

The sum, modulo 256, of the last two bytes in the string is calculated. This sum is the output of the chain addition step. Also, the last byte of the string is removed, and the sum is appended to the beginning of the string.

Both buffers contain 256 bytes. The first buffer, called buffer A, is filled with 256 successive bytes generated from the second string by chain addition. The second buffer, called buffer B, is filled with 256 successive bytes generated from the first string by chain addition.

### Subkey Byte Generation

Once the setup is complete, subkey material is generated one byte at a time, the first byte generated being the leftmost byte of subkey K1, and so on.

A subkey byte is generated as follows:

• A byte is generated from the first string by chain addition.
• The byte at the position in buffer A indicated by this value is taken, and called P.
• A byte is generated from the third string by chain addition. Its value is placed in buffer A, replacing the value taken.
• A byte is generated from the second string by chain addition.
• The byte at the position in buffer B indicated by this value is taken, and called Q.
• A byte is generated from the third string by chain addition. Its value is placed in buffer B, replacing the value taken.
• The subkey byte generated is the XOR of P and Q.

Note that this procedure, since it exercises the two strings used to select bytes, rather than the string used to generate values, results in a small change in the key resulting in large changes in the subkeys from the very beginning.

### Permutation Generation

Once all the required 32-bit subkey words are generated, the key-dependent S-box S8 must be generated. This is done as follows:

• 256 bytes are generated following the same procedure as for subkey byte generation, and these bytes are placed in a 256-byte buffer called buffer C.
• A 256-byte buffer called buffer D is filled with the numbers from 0 to 255 in order.
• For every i from 0 to 255, if element i of buffer C (hereinafter called C(i)) is not equal to i, swap elements i and C(i) of buffer D.
• For every i from 0 to 255, if B(i) is not equal to i, swap elements i and B(i) of buffer D.
• For every i from 0 to 255, if A(i) is not equal to i, swap elements i and A(i) of buffer D.

The resulting contents of buffer D are used as S-box S8. Note that this is a much more straightforwards procedure than used previously to produce S8 in other ciphers in this series.

With the complexity of the Quadibloc X round, its two kinds of subkeys, and the lack of unused intermediate values, it would be difficult to propose a key augmentation procedure for this cipher as used with some other block ciphers in the Quadibloc series. Instead, a different method of providing an improved key schedule, which makes use of the existing logic of Quadibloc X encipherment, is proposed.

Two keys are required, a setup key and a direct key. The setup key is used to create a key schedule, including a key-dependent S-box S8, for single-round Quadibloc X encipherment. Then, using buffers A and B as they stand (generating S8 does not change them), additional key bytes are generated by the same process as used for the subkeys to produce two more values: a 96-bit seed value, and a 96-bit initial counter value.

Then the direct key is used to generate the bytes to be used in the key schedule for the actual Quadibloc X encipherment desired. However, after each four bytes are generated, they are enciphered in an unusual stream cipher mode of single-round Quadibloc X, as illustrated below.

The first four bytes are enciphered as follows:

The 128 bit value composed of the 96-bit seed value and the 32-bit group of four bytes generated by the MacLaren-Marsaglia-based technique used for subkey generation are encrypted in single-round Quadibloc X, using the key schedule derived from the setup key.

The rightmost 32 bits of the result are the encrypted four keystream bytes.

Successive groups of four bytes are encrypted by following these additional steps:

The first 96 bits of the result are divided into six 16-bit subblock halves, and they are permuted from:

```1 2 3 4 5 6
```

to:

```5 4 1 6 3 2
```

After being permuted, the counter value is added to them, and the result of that addition will be used as the new seed value for input along with the next 32 bits to be encrypted.

The counter value is incremented by one.

Note that when the final step of creating the key-dependent S-box S8 is taken, the contents of buffer C, being ordinary output, will have gone through this encryption step, but the contents of buffers A and B will not have.

### Deciphering

In deciphering, it is necessary to replace S-boxes S10, S11, and S5 by their inverses, switch addition and subtraction modulo 256 as appropriate, and perform the steps within the round in reverse order as appropriate, leaving steps within f-functions unaffected.

### Variation 1:

Because the Quadibloc X round is somewhat time-consuming, it might be considered tempting to use fewer than eight rounds. This is likely to be insecure. One reason for that is that the rightmost block is modified only on a byte-by-byte basis by the Quadibloc X round; while other portions of the block go through the equivalent of multiple rounds, for this one part of the block, the Quadibloc X round behaves like a single ordinary Feistel round.

Thus, to permit Quadibloc X to be used with only four rounds, the following alteration to the round is proposed:

Before and after applying the intermediate results of the central Feistel rounds are applied to the rightmost subblock in the fashion including decorrelation, the 32-bit rightmost subblock is to go through the same unification step that is used as part of the subround applied to the leftmost subblock. This is key-dependent, as it involves the key-dependent S-box S8, but it requires the use of no additional subkeys. Thus, it is important to remember that only the unification step, not the whole subround of which it is a part, is added in this variation.

The form of Quadibloc X including this variation shall be termed Quadibloc X C (Convoluted).

### Variation 2:

This variation involves making the Quadibloc X round somewhat more elaborate, to permit the constructs in it to be used to their full potential.

The number of subrounds applied to the leftmost subblock is increased from two to four, and additional subkeys are used as appropriate. Thus, in the first round, K1 through K4 are used in the first of these subrounds, K5 through K8 in the next, K9 through K12 in the third, and K13 through K16 in the fourth.

This leads to the existence of three 32-bit intermediate results. Each one is used with one of the three central Feistel rounds.

The least significant 8 bits of the intermediate result are used as the byte from the one intermediate result was used before: to select the S-boxes used.

The preceding three nybbles are used to pick each subkey used from a pool of 16 possible subkeys. Thus, for the first Feistel subround in the first Quadibloc X round, the fourth most significant nybble selects from subkeys K17 through K32, the fifth most significant nybble selects from K32 through K48, and the sixth most significant nybble selects from K49 through K64.

The first 12 bits of the first and third intermediate results are XORed together. Of this result, the three nybbles are used as follows:

The first nybble selects whether S10, or the inverse of S11, is used with each byte of the rightmost subblock.

The second nybble selects whether S11, or the inverse of S10, is used with each byte of the rightmost subblock.

The third nybble selects between S6 and S7 in the fashion in which the second least significant nybble of the one intermediate result did for standard Quadibloc X.

The first 8 bits of the second intermediate result are used to determine the correspondence between the intermediate results of the central Feistel rounds, and the inputs to the decorrelated modification of the rightmost subblock using the following table:

```                               IN1  IN2  IN3  IN4
00000000     11011000 11110000 IR4B IR1  IR2  IR3
00000001     11011001 11110001 IR4B IR2  IR3  IR1
00000010     11011010          IR4B IR3  IR1  IR2
00000011     11011011 11110010 IR4B IR3  IR2  IR1
00000100     11011100 11110011 IR4B IR2  IR1  IR3
00000101     11011101          IR4B IR1  IR3  IR2
00000110     11011110          IR1  IR4A IR2  IR3
00000111     11011111 11110100 IR2  IR4A IR3  IR1
00001000     11100000 11110101 IR3  IR4A IR1  IR2
00001001     11100001 11110110 IR3  IR4A IR2  IR1
00001010     11100010          IR2  IR4A IR1  IR3
00001011 ... 11100011 11110111 IR1  IR4A IR3  IR2
00001100     11100100 11111000 IR1  IR2  IR4A IR3
00001101     11100101          IR2  IR3  IR4A IR1
00001110     11100110 11111001 IR3  IR1  IR4A IR2
00001111     11100111          IR3  IR2  IR4A IR1
00010000     11101000 11111010 IR2  IR1  IR4A IR3
00010001     11101001 11111011 IR1  IR3  IR4A IR2
00010010     11101010 11111100 IR1  IR2  IR3  IR4B
00010011     11101011 11111101 IR2  IR3  IR1  IR4B
00010100     11101100          IR3  IR1  IR2  IR4B
00010101     11101101 11111110 IR3  IR2  IR1  IR4B
00010110     11101110 11111111 IR2  IR1  IR3  IR4B
00010111     11101111          IR1  IR3  IR2  IR4B
```

The remaining four bits of the intermediate result are not used.

The form of Quadibloc X including this variation shall be termed Quadibloc X E (Expanded); the form including both this variation and the first one shall be termed Quadibloc X EC (Expanded/Convoluted).

### Variation 3:

Instead of not using the remaining four bits of the intermediate result, when the first four bits of the byte that is used are 1111, these bits can replace it. That will reduce the bias in selecting possible orderings of the intermediate results still further.

This variation is a slight modification of Variation 2, and produces Quadibloc X BR (Bias Reduced) in combination with that variation, and Quadibloc X BRC (Bias Reduces/Convoluted) in combination with both variations 1 and 2.

### Variation 4:

When four subrounds are used with the leftmost subblock, the subround used can be simplified to use only two subkeys instead of four, as follows:

• First, in the modification step, the subblock is XORed with a 32-bit subkey.
• Then, in a substitution step, the bytes of the subblock are replaced with their equivalents in S-box S5 from the set generated from Euler's constant and used with other Quadibloc ciphers.
• Then, the four bytes of the block operate on each other in the unification step.
• First, each two bytes enter into two mini-Feistel rounds, using the key-dependent S-box S8 as the f-function. The left byte is used as the index into S8, and the result is added to the right byte modulo 256. Then, the right byte is used as the index into S8, and the result is XORed with the left byte.
• Then, of the four bytes, the two middle ones are swapped.
• Third, each pair of bytes again goes through two mini-Feistel rounds; this time, the operations used are first XOR and then subtraction modulo 256.
• Fourth, another substitution step is used, again using S-box S5.
• Finally, a 32-bit subkey is XORed with the subblock in the last modification step.

The designations of the forms of Quadibloc X including this variation are noted in the table below, beside the related forms not including this variation:

```Variations Designation        Variations Designation
1 2        Quadibloc X EC     1 2   4    Quadibloc X SC (Simplified/Convoluted)
1 2 3      Quadibloc X BRC    1 2 3 4    Quadibloc X FM (Fully Modified)
2 3      Quadibloc X BR       2 3 4    Quadibloc X MS (Modified Standard)
```

The complete round of Quadibloc X FM is shown below:

When the Advanced Key Schedule is used with any of these variations, either the original Quadibloc X round can be used, giving AKSO (Advanced Key Schedule Original), or the round of the variation can be used, giving AKSN (Advanced Key Schedule Native).

When the number of rounds is not specified, the default number of rounds for each variation is as follows:

```Quadibloc X              16
```

Note that it is not claimed that the more complicated rounds fully make up for the reduced security due to fewer rounds, merely that they make faster versions possible.

### Fixed-length Variants

Three additional variant forms of Quadibloc X are now described which of necessity must have exactly 16 rounds, and a fourth is described which must have at least 16 rounds.

Due to the nature of these variants, they can only be of the AKSO type if the Advanced Key Schedule is used.

### Variation 5:

An additional 32-bit subkey is produced after the subkeys required for the rounds of the cipher. Exactly ten subkeys, not eight or sixteen, are produced for each round for the subrounds operating on the leftmost subblock. This variation can only be used in conjunction with Variation 2.

In this variation, the first two bits of the extra subkey determine for round 1, the next two bits determine for round 2, and so on, which of the four subrounds for the leftmost subblock is in the form used in the original Quadibloc X, 00 indicating the first, 01 the second, and so on, the other three being in the simplified form introduced in Variation 4.

Applying this variation to the BR/MS type round produces Quadibloc X VA (Variable Algorithm). Applying this variation to the BRC/FM type round produces Quadibloc X VC (Variable/Convoluted). In addition, four rounds of the VC type, followed by eight rounds of the VA type, and then four rounds of the VC type produce Quadibloc X VL (Variable/Layered).

This chart illustrates the relationship between the variant forms involved:

```Variations Designation        Variations Designation        Variations Designation
2 3      Quadibloc X BR       2 3 4    Quadibloc X MS       2 3   5  Quadibloc X VA
1 2 3      Quadibloc X BRC    1 2 3 4    Quadibloc X FM     1 2 3   5  Quadibloc X VC
```

### Variation 6:

This variation of Quadibloc X is designated Quadibloc X L (Layered), and consists simply of four rounds of Quadibloc X MS followed by eight rounds of Quadibloc X C and then four rounds of Quadibloc X MS. If more than 16 rounds are used, rounds of Quadibloc X C are added in the middle. Thus, in the beginning and ending rounds, subkey pools of 16 subkeys are used in the central Feistel rounds; in the middle rounds, this is not done, but the other complicating factors are used instead. This structure has some resemblance to masking a block cipher with a stream cipher.

### General Notes

• Quadibloc X VA, VC, and VL are, of course, vulnerable to timing and power attacks, and are not for use in circumstances where these may be mounted.
• Keys longer than 1024 bits, or, in the case of the advanced key schedule, either a setup key or a direct key longer than 1024 bits, increase the likelihood of a successful related-key attack, as the initial step of filling the buffers does not have the opportunity of completely mixing the contents of the selection shift registers.
• In the original Quadibloc X round, a differential attack is likely to be possible against two rounds. Since the four bytes of the rightmost subblock are modified independently, these being handled in a fashion similar to that of the target half of the block in a traditional Feistel round, changes to the first 16 bits of that subblock will affect only the leftmost subblock in the next round. This has limited effects on the encipherment of the rest of the block, through such things as selecting S-boxes, and could therefore be used to indicate information about the subkeys. As well, differential characteristics that propagate through two rounds can be used against a four-round cipher by means of the boomerang attack.
• Considering the possible alternative key schedules, but not possible changes to the number of rounds used, the 14 variant forms of Quadibloc X described on this page become 37, as the first may be regular or AKS, and the last four regular or AKSO, and the other nine either regular, AKSO, or AKSN.

It operates on a 256 bit block. The left and right halves of the block are each operated on, in each round, by a Quadibloc X C round. The subkeys for the round operating on the left half are generated before those for the round operating on the right half.

The round operating on the right half is modified in this way: the intermediate result from the leftmost subblock is XORed with IR6 from the round operating on the left half before use.

Between rounds, the 32 bytes of the 256-bit block are to be permuted as follows:

```From:
1  2  3  4  5  6  7  8
9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24
25 26 27 28 29 30 31 32

To:
29  14 23 24 17 18 27 28
21  22 31 32 25 26 19  3
13  30  7  8  1  2 11 12
5   6 15 16  9 10  3 20
```

16 rounds are required.

### The Quadibloc X Hash Function

If the message to be hashed contains an odd number of bits, 0 is appended to it. If it contains an even number of bits, 01 is appended to it.

Then, the message has 00 appended to it.

The result is divided into blocks of 512 bits, or 64 bytes, or 16 32-bit words. If the last block requires padding, the padding is calculated as follows:

Let the number of bits of padding required be N. Since the message has previously been padded to consist of an even number of bits, N/2 is an integer. Let the message before any padding be divided into blocks of N/2 bits, the last block being filled with zeroes on the right.

The XOR of all these blocks will produce an N/2 bit result. This result becomes the N bits of padding required through the following translation of each bit:

```0 01
1 10
```

Thus, through these padding steps, 101 would first be padded to 1010, then to 101000, and then to 101000100110 followed by 01 repeated as many times as needed to fill a complete block.

The series of blocks of 16 32-bit words thus produced will be hashed as follows:

Initially, the constant value

```00 F0 11 E1 22 D2 33 C3 44 B4 55 A5 66 96 77 87
88 78 99 69 AA 5A BB 4B CC 3C DD 2D EE 1E FF 0F
```

will be used as the starting point.

The following has been extensively changed from the original form of the Quadibloc X hash function. For a hash function to perform its task, each element of the data being hashed must have an opportunity to affect the entire output of the hash function. If four 32-bit words work together to produce a result that is only 32 bits long, before other portions of the hash function are affected, then the effort in using all four words is wasted as far as preventing collisions is concerned. Hence, the original form, which derived all subkeys directly from the block being hashed, was misconceived.

It will then be enciphered, for each block of 16 32-bit words, through 16 rounds of Double Quadibloc X, as follows:

The 512 bits will be used as the key, producing subkeys and the key-dependent S-box S8 by means of the standard key schedule, except that the ninth subkey for each round (the first subkey used in the first central Feistel round acting on the left half of the 256-bit block), the twenty-first subkey for each round (the fourth subkey acting on the leftmost subblock of the right half of the 256-bit block, the one XORed immediately before taking an intermediate result), and the twenty-fourth subkey for each round (the seventh one applied, to the leftmost subblock of the right half of the 256-bit block, or the one applied by bytewise addition after the unification step in the second subround) are skipped when generating subkey bytes.

In the 16 rounds, the 16 32-bit words are used in order, starting with the first, as the ninth subkey for each round.

In the 16 rounds, the 16 32-bit words, starting with the eighth, are used in order, with the sixteenth followed by the first, as the twenty-first subkey for each round.

In the 16 rounds, the constant 24 3F 6A 88 is to be used as the twenty-fourth subkey for each round. (Pi is 3.243F6A88... in hexadecimal.)

The final result of the encipherment from the last block is the 256-bit hash of the data.

[Next] [Up] [Previous] [Index]