Number of rounds needed for perfect Feistel?

[Tim Dierks]

I'm attempting to design a block cipher with an odd block size (34
bits). I'm planning to use a balanced Feistel structure with AES as the
function f(), padding the 17-bit input blocks to 128 bits with a pad
dependent on the round number, encrypting with a key, and extracting the
low 17 bits as the output of f().

If I use this structure, how many rounds do I need to use to be secure (or
can this structure be secure at all, aside from the obvious insecurity
issues of the small block size itself)? I've been told that a small number
of rounds is insecure (despite the fact that f() can be regarded as
perfect) due to collisions in the output of f(). However, I don't
understand this attack precisely, so a reference would be appreciated.

Thanks,
 - Tim


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Number of rounds needed for perfect Feistel?

[Tim Dierks]

Barney Wolff wrote:
 On Fri, Aug 12, 2005 at 11:47:26AM -0400, Tim Dierks wrote:
 I'm attempting to design a block cipher with an odd block size (34
 bits). I'm planning to use a balanced Feistel structure with AES as the
 function f(), padding the 17-bit input blocks to 128 bits with a pad
 dependent on the round number, encrypting with a key, and extracting the
 low 17 bits as the output of f().

 Pardon a dumb question, but how do you plan on avoiding collisions in
 the encrypted values, independent of the number of rounds?  Seems to me
 that even if the 128-bit encryption is guaranteed to be 1-to-1 with the
 plaintext, there is no such guarantee on any subset of the 128 bits.

A Feistel network doesn't depend on lack of collision in f(). The Handbook
of Applied Cryptography,
http://www.cacr.math.uwaterloo.ca/hac/about/chap7.pdf describes it pretty
well.

 - Tim

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]