reduced block size cipher

From: Roland (rolandp66_at_yahoo.com)
Date: 04/13/04


Date: 13 Apr 2004 13:07:47 -0700

My application needs to generate unpredictable 32-bit permutations for
a given largish key. An out-of-the-box solution is to use RC5 in
"counter mode" with a 32-bit block size. For non-technical reasons,
however, I don't have RC5 available. What I do have, however, is a
128-bit block cipher, namely AES.

Is there some generally accepted way to reduce the block size of a
trusted cipher, without compromising the security of the algorithm?
(Notwithstanding attacks based solely on the reduced block size, of
course.) Put another way, is there a way to transform AES into a
32-bit block cipher in such a way that it can be trusted at least as
far as 32-bit block RC5 of the same key length.

One scheme I have considered is to use AES as the F function in a 32
bit Feistel network. Unfortunately I am grossly under-qualified in
such matters, so I really have no idea how many rounds I need, or if
the result is secure, etc, etc.

I am aware that the AES round transformations operate on 32-bit blocks
with the exception of ShiftRow. There is an old deja/google thread
that discusses the possibility of using the remaining transformations
as a 32-bit block cipher. I feel even less qualified to do this than
the Feistel scheme, however. What I'd prefer is a generalized scheme
that doesn't actually depend on the details of the larger block
cipher, merely its strength. Put simply, I am looking for something
that is either generally accepted, or so obviously correct that it can
withstand reasonable debate.

My application is not time constrained within reason, so something
brute force would suffice if that is the best that is available. The
app is however very space constrained, so anything requiring a swap
buffer isn't going to fly.

TIA,

Rol
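
The balanced Feistel structure the post describes, run in "counter mode", as an added example that is not part of the original post. Assumptions: the round count of 10 is a placeholder, since the post leaves that question open; HMAC-SHA256 stands in for AES as the round function because Python's standard library has no AES; all function names are hypothetical.

```python
import hashlib
import hmac

ROUNDS = 10          # assumption: the post does not settle the round count
MASK32 = 0xFFFFFFFF


def make_round_function(key: bytes):
    """Return F(round_index, half16) -> 16-bit int.

    Stand-in PRF: HMAC-SHA256 truncated to 16 bits. With an AES library, F
    would encrypt one 128-bit block holding (round_index, half16) and keep
    16 bits of the result. The network below does not depend on which.
    """
    def F(round_index: int, half: int) -> int:
        msg = bytes([round_index]) + half.to_bytes(2, "big")
        return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:2], "big")
    return F


def encrypt32(F, block: int, rounds: int = ROUNDS) -> int:
    """Permute a 32-bit block: two 16-bit halves, no tables or buffers."""
    if not 0 <= block <= MASK32:
        raise ValueError("block must fit in 32 bits")
    left, right = block >> 16, block & 0xFFFF
    for i in range(rounds):
        left, right = right, left ^ F(i, right)
    return (left << 16) | right


def decrypt32(F, block: int, rounds: int = ROUNDS) -> int:
    """Undo encrypt32 by running the rounds in reverse order."""
    if not 0 <= block <= MASK32:
        raise ValueError("block must fit in 32 bits")
    left, right = block >> 16, block & 0xFFFF
    for i in reversed(range(rounds)):
        left, right = right ^ F(i, left), left
    return (left << 16) | right


def counter_sequence(F, start: int, count: int) -> list:
    """Counter mode: encrypt start, start+1, ... (mod 2**32).

    Distinct counters give distinct outputs because encrypt32 is a bijection.
    """
    return [encrypt32(F, (start + n) & MASK32) for n in range(count)]
```

Because a Feistel network is invertible for any round function, the bijection property holds regardless of the F chosen; only the unpredictability depends on F and the number of rounds.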


