Wednesday, September 12, 2018

[gftkteax] Constructing large block ciphers with Feistel and SHA

It seems fairly straightforward to construct block ciphers with arbitrarily large block sizes using the Feistel cipher structure and a good cryptographic hash function as the mixing function F.  It won't be very efficient.  If the output of the hash function is limited to (say) 512 bits, then it becomes an unbalanced Feistel cipher for block sizes greater than 1024 bits.

The mixing function can be something like F=hash(key || round number || portion of block).  Keccak / SHA-3 based on the sponge construction seems for now to be able to handle concatenation just fine; one needs to be more careful with hashes of the Merkle-Damgard construction (e.g., SHA-1, SHA-2 family) which are vulnerable to length extension (but not sure if that kind of attack is relevant here).

There's a bunch of details that need to be hashed out (pun intended), ideally standardized.  There's one very large detail: number of rounds (probably a function of block size).  This requires cryptanalytic effort to determine the correct minimum number.  Easiest for now is if the standard were to be parametrized by number of rounds without specifying a number.  The user should choose as large as possible that doesn't cause the system to become unacceptably sluggish.

More ambitious: given a large block cipher, I recall it's possible to create a cryptographic hash function with large block size, so this can feed itself, allowing producing ciphers accepting large keys.

No comments :