Score:3

Increasing Block Length of Symmetric Cipher

Triple DES (using an existing cipher 'DES' of key length 56 bits) provides security of 112 bits (although it requires key material of 168 bits).

Does there exist a mechanism to increase the block length of an existing cipher, like creating a double AES with a block length of 256 bits?

fgrieu
AES is Rijndael with 128-bit block length; but [Rijndael has a 256-bit block variant](https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf#page=44)
Dmitry Grigoryev
Triple DES is not a DES with triple block length, so your question has nothing to do with the example.
crypt
I gave the example of Triple DES in the context of key increase, and asked whether we have a similar mechanism or idea for increasing block size.
Maarten Bodewes
What, no mentions of Format Preserving Encryption yet?
Score:5
This question has been studied in the literature and has been answered positively. Namely, it is possible to construct a variable input length (VIL) pseudo-random permutation from a fixed input length permutation.

Motivation:

  • Such a (generic) construction is valuable since we wouldn't need to custom-build block ciphers for different sizes if needed.
  • The advantage of such a construction compared to typical modes of operation is that there's no length expansion. Consequently, such a mode provides weaker confidentiality guarantees compared to the traditional IND-CPA notion. However, this may be enough for certain applications where plaintexts are never encrypted twice, but bandwidth saving is highly important.

It is unclear if this is practical since we tend to standardize a small set of good primitives and modes of operation that are thoroughly analyzed. I would be curious whether there are applications built on VIL PRP. In any case, one of the first constructions was presented by Bellare and Rogaway in their paper: On the Construction of Variable-Input-Length Ciphers. The construction feels somewhat magical; one encrypts with CBC but somehow removes part of the ciphertext, et voilà... Concretely:

  1. Apply the CBC-MAC to the message and consider the output as an IV.
  2. From the previous IV, only encrypt part of the message with the CBC mode (remove a block from the plaintext).
  3. The block cipher output is now the concatenation of the outputs in steps 1 and 2.

Remark: Although we are somehow encrypting with CBC in step 2, this construction is different because the ciphertext length is the same as that of the plaintext.

The key property that allows this construction is what Bellare and Rogaway call parsimoniousness (hard to pronounce...). A keyed scheme $F$ (PRF, for example) is parsimonious if, for all keys $k$ and inputs $m$, the last $n$ bits of $m$ can be deterministically derived from $F(k,m)$ and the first bits of $m$ besides the last $n$ bits. Observing that the CBC-MAC and the CBC mode of encryption are parsimonious is essentially what allows the construction above.

Some improvements to Bellare and Rogaway's work are in this paper: Efficient Constructions of Variable-Input-Length Block Ciphers by Patel, Ramzan, and Sundaram.

Very recently, Banfi introduced the Secure Codebook Mode (SCB) (an interesting wrapper around ECB). The paper takes a different approach to answer the question. In contrast to previous work (Bellare-Rogaway), SCB provides strong confidentiality guarantees, namely semantic security. At what cost? Well, one has to pay for the correctness and keeping state. That is, SCB "sacrifices" perfect correctness, but this can be tuned.
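
The three steps from the answer above, as an added example that is not part of the original answer or of Bellare and Rogaway's paper. `E`/`D` are a toy 128-bit Feistel cipher built from HMAC-SHA256 (an assumption standing in for a real block cipher such as AES); the names `vil_encrypt`/`vil_decrypt`, the two separate keys and placing the MAC block first are choices made here. Plain CBC-MAC is only a secure PRF for messages of one fixed length, so the sketch assumes each key pair is used with a single message length.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes of the stand-in cipher

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _rf(key, rnd, half):
    # Feistel round function: HMAC-SHA256 truncated to half a block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def E(key, blk):
    # Toy 4-round Feistel permutation on one block (assumption, stands in for AES)
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _rf(key, i, r))
    return l + r

def D(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _rf(key, i, l)), l
    return l + r

def _blocks(m):
    if len(m) % BLOCK or len(m) < 2 * BLOCK:
        raise ValueError("need a whole number of blocks, at least two")
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def _chain(k, iv, blocks):
    # CBC chaining: returns every cipher block (the last one is the CBC-MAC)
    out, prev = [], iv
    for b in blocks:
        prev = E(k, _xor(prev, b))
        out.append(prev)
    return out

def vil_encrypt(k_mac, k_enc, msg):
    blocks = _blocks(msg)
    sigma = _chain(k_mac, bytes(BLOCK), blocks)[-1]  # step 1: CBC-MAC, used as IV
    body = _chain(k_enc, sigma, blocks[:-1])         # step 2: CBC without last block
    return sigma + b"".join(body)                    # step 3: same length as msg

def vil_decrypt(k_mac, k_enc, ct):
    sigma, *body = _blocks(ct)
    plain = [_xor(D(k_enc, c), p) for c, p in zip(body, [sigma] + body)]
    state = _chain(k_mac, bytes(BLOCK), plain)[-1]   # MAC state before last block
    plain.append(_xor(D(k_mac, sigma), state))       # parsimony: recover last block
    return b"".join(plain)
```

Decryption never receives the last plaintext block in encrypted form; it is recovered by inverting the final CBC-MAC step, which is the parsimoniousness property the answer describes.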

Score:5
Although there are block cipher designs that naturally lend themselves to larger block sizes for the round function (see for example Simon and Speck), an increase in block size increases the difficulty of achieving diffusion/avalanche effects/removal of statistical distinguishers. For each block size cryptanalysis should be repeated to determine if there is a suitable number of rounds that the round function should be iterated for that block size. As far as I know, there is no established consensus as to how the number of rounds needs to grow as a function of block size and this prevents a general efficient mechanism for increasing the block size of existing ciphers. Naive attempts to increase block sizes on existing ciphers are fraught with danger and I would strongly counsel against making such efforts.

Score:2
What exactly would be the goal?

There would be performance penalties to be paid since a larger block would require more rounds and mixing in a careful structure to stop meet-in-the-middle attacks.

The advent of 3DES was driven by concrete requirements in keylength to ensure enough security, and the need to do this over existing deployed hardware in a backward compatible way. As is well known the bitlength did not triple.

Moreover, the AES blocklength is long enough to stop codebook attacks, so no gain there.

Note that there is no 3-BLOCK-DES but 3-KEYLENGTH-DES. For the same reasons I alluded to above, what's the point?

A similar effect can already be obtained by proper use of modes of operation.

crypt
So there exists no such mechanism? Will post-quantum crypto need a larger key size as well as block size? Or will only doubling the key length suffice?
kodlu
See this question and accepted answer regarding post-quantum: https://crypto.stackexchange.com/questions/102671/is-aes-128-quantum-safe/102672#102672
crypt
So PQC will not affect block size, only key size might be doubled as per requirement. Just for info, is there a mechanism to double the block length? The following link highlights an issue in CBC-MAC in PQC due to smaller block size: https://crypto.stackexchange.com/questions/5902/does-grovers-algorithm-effect-block-size-or-only-key-size
Score:-2
If you need a symmetric cipher with very large block (and key) length, there is Threefish-1024.

crypt
There are primitives with larger block and key size, but I am interested in a mechanism to increase the block size of existing primitives, if there is any.