Re: Blockcipher >256 bit (for hardware implementation)

Luc The Perverse <sll_noSpamlicious_z_XXX_m@xxxxxxxxxx> wrote:
"Mike Amling" <spamonly@xxxxxxxxxxx> wrote in message
news:ep62ts$a4@xxxxxxxxxxxxxxxxxxxxxxxxxx
Two iterations of Rijndael with block size 192 bits, with code-stealing
to get the block size down to 320.

I was about to make several uneducated responses - instead, could someone
explain what code stealing is?

You'll find it if you search for "ciphertext stealing".

It is problematic in that if the first 192 bits of two plaintexts are
identical, that would make the first 320-192 = 128 bits equal. So this
leaks more information about the plaintext than one 320-bit block cipher
does. I don't know if the OP cares about that, though.

Perhaps if you do three passes:

c1 = Rijndael(k,m[1..192])
c2 = Rijndael(k,c1[129..192] || m[193..256] || 0^64)
c3 = Rijndael(k,c1[1..128] || c2[1..128])

c = c3 || c2[129..256]

Depending on the number of ciphertexts you are creating, 64 bits of
overlap may not be enough (if you can get a collision in the overlap
part of c1, the tail of the ciphertext would be identical), it could be
better to use a 256-bit block size.

But the cost of this is may be fast approaching the cost of a generic
construction for a wide-block block cipher.

--
Kristian Gjøsteen
.