# Nonlinear block chaining

*From*: Mok-Kong Shen <mok-kong.shen@xxxxxxxxxxx>*Date*: Sat, 03 Oct 2009 11:30:56 +0200

Hi,

Years ago I suggested to use nonlinear block chaining instead of

CBC etc. In essence, one computes for the purpose of chaining

a 'summation' of the previous plaintext and/or ciphertext blocks,

using a mixture of simple operators, including +/-, xor, mul and

circular shift. (The operation is done wordwise instead of strictly

blockwise for computing efficiency.)

I am thinking now that, excepting the certainly critical issue

of higher computing cost, which may however be tolerable, I suppose,

in at least certain practical situations, a more satisfactory method

of nonlinear block chaining seems to be to simply employ a block

encryption algorithm to do the said 'summation'.

That is, given two block ciphers E1 and E2 and n plaintext blocks

P_i (i=0..n-1), one computes C_i as follows (^ could be replaced

e.g. by +):

S_i = E1(K1, S_(i-1)^P_(i-1))

(or S_i = E1(K1, S_(i-1)^P_(i-1)^C(i-1)) )

C_i = E2(K2, S_i^P_i)

S_0 is provided by an initialization vector.

Of course, one could use the same E (eventually with different

number of rounds) and also the same K, if desired.

S_n can be computed and sent for verification purposes. (I think

it could also be considered as a hash of the plaintext.)

I should be very grateful for constructive comments and critiques.

Thanks,

M. K. Shen

---------------------------------------------------------------------

Was sich ueberhaupt sagen laesst, laesst sich klar sagen;

und wovon man nicht sprechen kann, darueber muss man schweigen.

L. Wittgenstein

.

**Follow-Ups**:**Re: Nonlinear block chaining***From:*Quadibloc

- Prev by Date:
**Digram substitution using a polyalphabetic substitution table** - Next by Date:
**Re: Authenticating variables size payloads with RSA** - Previous by thread:
**Digram substitution using a polyalphabetic substitution table** - Next by thread:
**Re: Nonlinear block chaining** - Index(es):