On Fri, 12 Aug 2005, Tim Dierks wrote:

> I'm attempting to design a block cipher with an "odd" block size (34
> bits). I'm planning to use a balanced Feistel structure with AES as the
> function f(), padding the 17-bit input blocks to 128 bits with a pad
> dependent on the round number, encrypting with a key, and extracting the
> low 17 bits as the output of f().
>
> If I use this structure, how many rounds do I need to use to be secure (or
> can this structure be secure at all, aside from the obvious insecurity
> issues of the small block size itself)? I've been told that a small number
> of rounds is insecure (despite the fact that f() can be regarded as
> "perfect") due to collisions in the output of f(). However, I don't
> understand this attack precisely, so a reference would be appreciated.

IIRC the starting point was

M. Luby and C. Rackoff, ``How to construct pseudorandom permutations from pseudorandom functions,'' SIAM Journal on Computing, vol. 17, nb 2, pp. 373--386, April 1988.

Unfortunately, I was not able to quickly find it online, so you can try any other paper which mentions the Luby-Rackoff construction, e.g.,

http://www.wisdom.weizmann.ac.il/%7Enaor/PAPERS/lr.ps

-- 
Regards,
ASK

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
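
The construction described in the quoted question, as an added example that is not part of either message: a 34-bit balanced Feistel network whose round function keeps the low 17 bits of a keyed PRF. HMAC-SHA256 stands in for the padded AES call (an assumption, so the code needs only the standard library), and the helper `left_xor` (a name chosen here) shows the textbook two-round property: when two plaintexts share a right half, the XOR of the left output halves equals the XOR of the left input halves, however good f() is.

```python
import hashlib
import hmac

HALF_BITS = 17                      # 34-bit block = two 17-bit halves
MASK = (1 << HALF_BITS) - 1

def f(key: bytes, round_no: int, half: int) -> int:
    """Round function: keyed PRF of (round number, 17-bit input), low 17 bits kept.
    HMAC-SHA256 is a stand-in for the padded AES call (assumption)."""
    msg = bytes([round_no]) + half.to_bytes(3, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & MASK

def split(block: int) -> tuple[int, int]:
    if not 0 <= block < 1 << (2 * HALF_BITS):
        raise ValueError("block must fit in 34 bits")
    return block >> HALF_BITS, block & MASK

def encrypt(key: bytes, block: int, rounds: int) -> int:
    left, right = split(block)
    for r in range(rounds):
        left, right = right, left ^ f(key, r, right)
    return (left << HALF_BITS) | right

def decrypt(key: bytes, block: int, rounds: int) -> int:
    left, right = split(block)
    for r in reversed(range(rounds)):
        left, right = right ^ f(key, r, left), left
    return (left << HALF_BITS) | right

def left_xor(key: bytes, l1: int, l2: int, r: int, rounds: int) -> int:
    """XOR of the ciphertext left halves for two plaintexts sharing right half r."""
    c1 = encrypt(key, (l1 << HALF_BITS) | r, rounds)
    c2 = encrypt(key, (l2 << HALF_BITS) | r, rounds)
    return (c1 >> HALF_BITS) ^ (c2 >> HALF_BITS)

if __name__ == "__main__":
    key = b"constructed demo key"          # constructed sample key
    pt = 0x2_1234_5678                     # constructed 34-bit plaintext
    assert decrypt(key, encrypt(key, pt, 8), 8) == pt
    # Two rounds: the left half of the output is L ^ f(R), so the XOR below
    # equals l1 ^ l2 for every key, however good f is.
    print(hex(left_xor(key, 0x00001, 0x1F0F0, 0x0ABCD, rounds=2)))
    print(hex(left_xor(key, 0x00001, 0x1F0F0, 0x0ABCD, rounds=4)))
```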
