[Next] [Up] [Previous] [Index]

Quadibloc 2002E W, WS, WD and SD

This section deals with variants of Quadibloc 2002E that allow it to operate on a 256-bit block. One cipher mode that has sometimes been considered involves the XOR of the key with the plaintext input, and the ciphertext output, of a block cipher with a fixed, known key.

This encryption mode is not trivially breakable in the way that using a block cipher with a fixed, known key twice, with the XOR of the key in between, would be. That case, discussed in the section on Red Thread Resistance, can be broken with just one block of known plaintext, since the plaintext and ciphertext can be brought through the known transformations at the start and the finish to produce the input and the output of the XOR, yielding the key immediately.

However, the mode involving an XOR before and after still has a limitation. Given a large quantity of different blocks where both the plaintext and ciphertext are known, one can compare the XOR of plaintext and ciphertext, which is also the XOR of the input and output of the central known transformation, to that latter XOR as one performs a brute-force search on that transformation for a match. This is essentially a birthday attack. While using a different value to XOR before and after would seem to stymie that attack, taking the known plaintext blocks in pairs may provide a method by which that case can also be similarly dealt with.

This birthday attack depends on the block size, not the key size. Thus, a 128-bit block would still allow an attack involving on the order of 2^64 operations, but a 256-bit block would increase this to 2^128, believed secure, thus allowing the use of this cipher mode, should there be a reason for doing so.

Quadibloc 2002E W

It had been noted previously that the input to the Quadibloc 2002E core round master f-function is based on the 64-bit left half of the block, and so it does not have 2^128 different values that are all possible in any one round, since the subkeys are static. This can be remedied by using the components of Quadibloc 2002E in a cipher with a 256-bit block size.

This variant, Quadibloc 2002E W (Wide) is organized as follows:

Encipherment is divided into four stages. In each stage, the left 128-bit half of the block is enciphered by means of five standard rounds, organized as follows:

Here, the keys are identified as they are for the first stage; successive keys are used for following stages.

The right half of the block, in the mean time, is enciphered by means of four cryptographic core rounds. These rounds are modified in one way; in the overall f-function, after the intermediate results from encipherment of the right half of the right half undergo first a bit swap, and then go through a substitution in S-box S7, the 128-bit intermediate result at that stage is modified by having the corresponding value of the left 128-bit half of the overall 256-bit block XORed to it. Since five standard rounds are performed on the left half, there are four values available, one for each of the four core rounds performed on the left half.

After each of the first three of the four segments which form the cipher, the two 128-bit halves of the block are swapped.

In addition, the two halves of the block both undergo a bit swap phase and then an alternate nonlinearity phase at the beginning of the cipher, followed by the four 64-bit quarters of the block being rearranged from the order:

1 2 3 4

to the order

1 3 2 4

This is done to swap bits between halves of the block, while maintaining all the exchange keys used at the standard size.

At the end of the cipher, first this transposition of 64-bit quarters is again performed, as it is its own inverse, then an alternate nonlinearity phase and a bit swap phase are performed on each half of the block.

The key material used by Quadibloc 2002E W is as follows:

and the order in which this key material is generated is the following:

For decipherment, the subkeys would have to be modified as follows:

The order of groups of two subkeys within subkeys EK1 through EK4 is reversed, with the order of subkeys within each group staying the same.

The order of groups of eight subkeys within subkeys K1 through K384 is reversed, with the order of subkeys within each group staying the same, and in addition the order of the four bytes within each subkey is reversed.

The order of subkeys LK1 through LK40 is reversed.

The order of subkeys EK5 through EK28 is reversed.

S-boxes SB1 and SB2 are exchanged.

The order of groups of three subkeys within subkeys K385 through K480 is reversed.

The order of groups of thirty-two subkeys within subkeys K481 through K992 is reversed.

The order of subkeys EK29 through EK44 is reversed, and in addition the bits of each of these subkeys are inverted. (This refers to the actual subkey, not the input to the 4 of 8 code.)

The order of subkeys EK45 through EK60 is reversed, and in addition the bits of each of these subkeys are inverted.

Note also that the total number of core rounds performed in Quadibloc 2002E W, compared to regular Quadibloc 2002E, is sixteen instead of eight, while the number of standard rounds is only increased to twenty (in four groups of five) from eleven; however, the number of greater diffusion phases is exactly doubled, to twelve from six; thus, Quadibloc 2002E W uses almost twice as much key material as Quadibloc 2002E, but not exactly twice as much; for example, only the same key-dependent S-boxes are used; also, it takes almost twice as long to run, thus making it slightly faster, as it enciphers twice as much data at a time.

Quadibloc 2002E WS

Since the left half of the block in Quadibloc 2002E W supplies a 128-bit value for the master f-function by itself, instead of XORing it with the output of the bit swap of the intermediate results from the left half of the right half, a variant automatically suggests itself in which that 128-bit value is used by itself, with the old 128-bit value used as the input in regular Quadibloc 2002E used for some other purpose.

Specifically, as that value only has 2^64 possible values, begin by condensing it back down to 64 bits by XORing together its left and right halves. And then, with each of subkeys K481 through K992 in the cipher replaced by a subkey pool of four subkeys, use that 64-bit result, two bits at a time, to select the appropriate element from the corresponding subkey pool.

This variant can be called Quadibloc 2002E WS (Wide Secure). The subkey pools will be generated at the point in the subkey generation sequence originally occupied by K481 through K992, and noting this should make its specification unambiguous.

Quadibloc 2002E WD and SD

Quadibloc 2002E W and Quadibloc 2002E WS can both have the modification outlined in Quadibloc 2002E DC applied to them, replacing the main f-function in the core rounds by a greater diffusion phase. The resulting ciphers shall be called Quadibloc 2002E WD (Wide Diffusion) and Quadibloc 2002E SD (Secure Diffusion) respectively.

[Next] [Up] [Previous] [Index]

Start of Section
Skip to Next Chapter
Table of Contents
Main Page