Nonlinear block chaining
- From: Mok-Kong Shen <mok-kong.shen@xxxxxxxxxxx>
- Date: Sat, 03 Oct 2009 11:30:56 +0200
Hi,

Years ago I suggested using nonlinear block chaining instead of
CBC etc. In essence, one computes for the purpose of chaining
a 'summation' of the previous plaintext and/or ciphertext blocks,
using a mixture of simple operators, including +/-, xor, mul and
circular shift. (The operation is done wordwise instead of strictly
blockwise for computing efficiency.)

I am thinking now that, excepting the certainly critical issue
of higher computing cost, which may however be tolerable, I suppose,
in at least certain practical situations, a more satisfactory method
of nonlinear block chaining seems to be to simply employ a block
encryption algorithm to do the said 'summation'.

That is, given two block ciphers E1 and E2 and n plaintext blocks
P_i (i=0..n-1), one computes C_i as follows (^ could be replaced
e.g. by +):

    S_i = E1(K1, S_(i-1)^P_(i-1))
    (or S_i = E1(K1, S_(i-1)^P_(i-1)^C_(i-1)) )
    C_i = E2(K2, S_i^P_i)

S_0 is provided by an initialization vector.

Of course, one could use the same E (eventually with a different
number of rounds) and also the same K, if desired.

S_n can be computed and sent for verification purposes. (I think
it could also be considered as a hash of the plaintext.)

I should be very grateful for constructive comments and critiques.

Thanks,
M. K. Shen
---------------------------------------------------------------------
What can be said at all can be said clearly;
and whereof one cannot speak, thereof one must be silent.
L. Wittgenstein
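
The chaining rule from the post above (its first form), as an added example that is not part of the original message: because S_i^P_i = D2(K2, C_i), a receiver's S_(i+1) is a function of C_i alone, so the sketch checks how far a flipped ciphertext bit propagates and whether the recomputed S_n notices it. The Feistel cipher E/D, the helper flip_bit, and the keys, IV and plaintext are constructed stand-ins for E1/E2 and real data.

```python
import hashlib
import hmac

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, r, half):  # Feistel round function: truncated HMAC-SHA256
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def E(key, block, rounds=4):
    """Stand-in 16-byte block cipher (balanced Feistel), not from the post."""
    left, right = block[:8], block[8:]
    for r in range(rounds):
        left, right = right, xor(left, _round(key, r, right))
    return left + right

def D(key, block, rounds=4):
    """Inverse of E."""
    left, right = block[:8], block[8:]
    for r in reversed(range(rounds)):
        left, right = xor(right, _round(key, r, left)), left
    return left + right

def encrypt(k1, k2, iv, plain):
    s, out = iv, []              # S_0 = IV
    for p in plain:
        x = xor(s, p)            # S_i ^ P_i
        out.append(E(k2, x))     # C_i = E2(K2, S_i ^ P_i)
        s = E(k1, x)             # S_(i+1) = E1(K1, S_i ^ P_i)
    return out, s                # s is now S_n

def decrypt(k1, k2, iv, cipher):
    s, out = iv, []
    for c in cipher:
        x = D(k2, c)             # recovers S_i ^ P_i from C_i alone
        out.append(xor(s, x))    # P_i
        s = E(k1, x)             # hence S_(i+1) depends only on C_i
    return out, s                # receiver's recomputed S_n

def flip_bit(blocks, i):         # copy of blocks with one bit of block i inverted
    return blocks[:i] + [bytes([blocks[i][0] ^ 1]) + blocks[i][1:]] + blocks[i + 1:]

K1, K2, IV = b"constructed-key1", b"constructed-key2", bytes(16)  # constructed values
PLAIN = [bytes([i]) * 16 for i in range(1, 5)]                    # constructed plaintext

if __name__ == "__main__":
    cipher, s_n = encrypt(K1, K2, IV, PLAIN)
    for i in range(4):
        got, check = decrypt(K1, K2, IV, flip_bit(cipher, i))
        changed = [j for j in range(4) if got[j] != PLAIN[j]]
        print(f"flip C_{i}: changed plaintext blocks {changed}, S_n matches: {check == s_n}")
```

Running it shows a flip in C_i altering only P_i and P_(i+1), and the recomputed S_n differing only when the last ciphertext block is the one changed. The same substitution applies to the second form, where S_i = E1(K1, D2(K2, C_(i-1))^C_(i-1)).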