A parameter characterizing a CA cryptosystem is its aspect ratio. The aspect ratio is the ratio between the number of iterations of an irreversible rule during a diffusion phase and the block size. The aspect ratio determines both the relative speed of encryption and decryption and the relative size of the block and link.
The higher the aspect ratio, the higher the encryption speed relative to the decryption speed. That is, given enough processors, there is no penalty in terms of computation time for increasing the number of encryption iterations, raising the aspect ratio. On the other hand, given enough processors, there is no penalty in terms of decryption computation time for increasing the size of the block, lowering the aspect ratio.
Via the aspect ratio, computation speed is related to the rate of data expansion for single-block (unchained) encryption. For fixed block size, the higher the aspect ratio, the higher the number of iterations of an irreversible rule in the system. Consequently, a larger number of bits is required in the link to inverse iterate during encryption. Thus the aspect ratio gives the relative importance of the block and link in the system. From the standpoint of security, a large number of encryption iterations, each driven by purely random bits from the link, is desirable. This potentially has the undesirable side effect of high data expansion, which is aggravated when chain formation is not possible. Hence, the higher the aspect ratio, the more care required to achieve acceptable rates of data expansion.
The optimal aspect ratio depends on the application. For instance, in digital television broadcast the broadcast station has much more computational power at its disposal for encryption of signal than the television sets have for decryption. Here one would choose a cryptosystem with a low aspect ratio, favoring parallelism at the decryption end. Encryption of messages from a satellite to a ground station, on the other hand, might call for a high-aspect-ratio cryptosystem.
Note that CA-1.0 is a fairly low-aspect-ratio system, in which only 32 encryption iterations are carried out in parallel in each subround, while the block size is 384, yielding an aspect ratio of . In order to illustrate a strategy for constructing cryptosystems with high aspect ratio but low data expansion, a variant of CA-1.0 is now briefly described.
The high aspect ratio/low data expansion problem is solved in the variant by building up a collection of bits to drive inverse iterations from encryption of part of the data block. One begins with a small piece of the block and a small-radius rule. The smaller the radius of the rule, the more inverse iterations can be performed for a given number of link bits. After a number of iterations have been performed with the small-radius rule, the ciphertext produced can be used as link information to drive encryption of the next piece of plaintext, this time with a rule of larger radius. This process can be continued arbitrarily, at the price of requiring a continually larger key. In the hierarchical variant the data-expansion rate is held at 1/8th, while allowing an aspect ratio which increases at each round. The schedule of operations in this cryptosystem is summarized in Table 6.
Table 6: This table gives the rule radius, the number of iterations applied, and the number of bits in the block, link, and total block+link for the four rounds of encryption under the variant cryptosystem. The 64 link bits input at the first round as well as 2 in the 4th round are generated randomly within the encryption apparatus.
The message is divided into 512-bit blocks. Pieces of the block are stirred into the encryption as it proceeds, much as one adds flour to a mixing bowl. The first 128-bit piece is encrypted with 16 inverse iterations of a radius-2 toggle rule, requiring 64 bits of random information to be input from the link. The resulting ciphertext is 192 bits, sufficient to drive 32 inverse iterations of a radius-3 rule, applied to the next 128-bit piece of the message. In the same way, 384 bits become available to drive 40 iterations of a radius-4 rule, consuming the next 128-bit piece of the message. To drive the final 45 iterations of a radius-5 rule, on the last 128-bit piece of the message, two more random bits need to be generated internally in the encryption apparatus to be added to the 448 bits of ciphertext from the radius-4 stage of encryption.
Observe that in this cryptosystem the link, as well as the block, contains message information. This is not the case for CA-1.0. Encryption of message information in the link, combined with the performance of different stages of encryption with different rules, allows for a number of new cryptographic goals to be achieved. An example is the authorized postman problem. Here the address to which a message is to be sent should be encrypted into the message itself in such a way that an authorized postman can read the address, but not the message. This can be done by placing the address in the last 128-bit piece of the block, and the message in the rest of the block. The sender and intended recipient of the message share in secret all the CA rules, radius 2-5, used in encryption. A postman can be authorized to deliver the message by giving him only the radius-5 rule used for the last stage of encryption, at which the address information was encrypted. The authorized postman decrypts the address, and then re-encrypts the message with the radius-5 rule. Many variations on this theme are possible [7].
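An added sketch of the four-round schedule and the postman's single-stage decryption described above (not code from the original page). It assumes a left-toggle rule of the form x0 XOR g(x1..x2r) and that each inverse iteration of a radius-r rule consumes 2r link bits, which is what the 64, 192 and 448+2 figures in the text imply. All function names are hypothetical, and the caller's generator stands in for the random source inside the encryption apparatus.

```python
import random

SCHEDULE = [(2, 16), (3, 32), (4, 40), (5, 45)]  # (radius, iterations) per round, from the text
PIECE = 128                                      # message bits stirred in per round

def make_rule(r, rng):  # assumed toggle rule: f(x0, x1..x2r) = x0 XOR g(x1..x2r), g a random table
    return [rng.getrandbits(1) for _ in range(1 << (2 * r))]

def g(table, bits):
    return table[int("".join(map(str, bits)), 2)]

def forward(table, r, s):  # one CA step (decryption direction): the state shrinks by 2r bits
    return [s[i] ^ g(table, s[i + 1:i + 2 * r + 1]) for i in range(len(s) - 2 * r)]

def inverse(table, r, s, link):  # one inverse step (encryption): 2r link bits seed the right edge
    pre = list(link)
    for c in reversed(s):
        pre.insert(0, c ^ g(table, pre[:2 * r]))  # the toggle property fixes each new left bit
    return pre

def encrypt(pieces, rules, rng):
    link, fresh = [], 0
    for piece, table, (r, n) in zip(pieces, rules, SCHEDULE):
        short = 2 * r * n - len(link)             # link bits not covered by earlier ciphertext
        link = link + [rng.getrandbits(1) for _ in range(short)]
        fresh += short
        state = piece
        for k in range(n):
            state = inverse(table, r, state, link[2 * r * k:2 * r * (k + 1)])
        link = state                              # this round's ciphertext drives the next round
    return state, fresh

def decrypt_stage(table, r, n, state):  # undo one round: (message piece, link that drove it)
    link = []
    for _ in range(n):
        link = state[-2 * r:] + link              # right edge = link bits of the step being undone
        state = forward(table, r, state)
    return state, link

def decrypt(ct, rules):
    pieces, state = [], ct
    for i in reversed(range(len(SCHEDULE))):
        r, n = SCHEDULE[i]
        piece, link = decrypt_stage(rules[i], r, n, state)
        pieces.insert(0, piece)
        prev = PIECE + 2 * SCHEDULE[i - 1][0] * SCHEDULE[i - 1][1] if i else 0
        state = link[:prev]                       # drop fresh random bits appended after the ciphertext
    return pieces
```

Under these assumptions a 512-bit block becomes 578 bits of ciphertext using 66 fresh random bits, and `decrypt_stage` with only the radius-5 rule recovers the last 128-bit piece, as in the authorized postman scenario. In this model the radius-4 round consumes 40 × 8 = 320 link bits, where the text gives 384.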