In 2001-2002 the members of "sci.crypt" had taken part in the competition of ciphers. This was called "Sci.Crypt Cipher Contest",
there were about 15 participants, unfortunately I forgot their names and the names of their ciphers.
The only one I remember was Matthew Fisher with a cipher named "Vortex", and I remember that I also made a submission named "LETSIEF"
(FEISTEL spelled backwards).
The idea was very simple - why not break the convention about combining function in Feistel ciphers? Usually the
right and left halves were combined via XOR, but who has ever said that other options were nonexistent? The candidate function
was readily available - modular multiplication.
It is impossible to use the right half itself as a multiplier - there is some risk that it will have no multiplicative inverse.
However, it is possible to use the right half in order to determine the multiplier for the left half. If cipher's block size
was going to be 64 bit, it implied modular multiplication (mod 2^32+1), for which it is relatively easy to build a table
of 256 key-dependent multipliers with inverses. Then 32-bit right half of the plaintext can be regarded as 4 bytes,
the bytes are XOR-ed together, and the resulting byte used as an index for picking the modular multiplier from the table.
Then the right and left halves are swapped, and the same procedure repeated. Naturally there is XOR whitening between the rounds.
Original version of LETSIEF cipher had a conventional whitening operation also at the beginning and at the end of encryption,
when 8 subkey bytes are XOR-ed with the 8 bytes of plaintext. Another weird idea came to my mind - what if it would be
not the XOR addition, but the multiplication (mod 2^64+1)?
Just like F5, Fermat Number F6 is not prime, it is the product of 2 prime numbers - 274177 and 67280421310721.
However, since these days most C compilers support 64-bit "long long integer" type, using this number as a modulus
for multiplication is no more difficult than using F5.
The Euler Totient for F6 is calculated as the LCM of (274177-1) and (67280421310721-1). Some simple calculations
yield the number: 2^8 * 3^2 * 5 * 47 * 119 * 373 * 2998279 = 72057331223781120 (just under 2^56).
Search for a generator number is a little more difficult than it is in the case of F5, due to the very long loop.
It turned out to be necessary to test the multipliers of the Euler Totient separately, and then multiply the resulting partial loops.
Anyway, an interesting SEED64 emerged out of these tries - 0xB7E151628AED2A6A with inverse 0x8FF3298F2832F7C8.
This SEED64 happens to be the first 16 hex fractional digits of "e" (less initial 2).
The properties of this multiplication can define a whole new approach to the 64-bit block ciphers.
As it happens, the mixing properties of this multiplication are such as they should be for a fully bijective S-box 64-bit wide.
Additionally, there are about 2^56 such boxes possible with a single SEED64, they are just powers of one original number.
The S-boxes are fully invertible, each of the 2^56 eligible multipliers has a multiplicative inverse.
However, any attempt to trace the propagation of differences through such 64-bit wide S-box is just hopeless.
If there would exist just 1 or 2 multipliers, it would be theoretically possible to figure out the patterns of 1-s and 0-s in
the 64-bit product, but with 2^56 possible multipliers the problem becomes unmanageable. It is sufficient
to use multiplication (mod 2^64+1) as the very first and the very last operation in any 64-bit block cipher in order
to make the cipher immune to any differential attacks from the plaintext side as well as from the ciphertext side.
The Euler Totient for (2^64+1) is 72057331223781120 long (just under 2^56), so it is possible to use 56-bit subkeys for exponentiation.
In real cipher, the subkeys are 32-bit long, so we randomly choose our 64-bit multiplier among 2^32 powers of SEED64
and among 2^32 powers of its inverse.
The beauty of using multiplication (mod 2^64+1) as a whitening operation is that multiplication stops dead all patterns
of propagation for differences. Simple differences, truncated differences, sliding differences, impossible differences -
all turn into an unpredictable mess after application of this huge size 64x64 substitution box.
The rest of LETSIEF did not change - same 8 rounds of swapping the plaintext halves, same intermediate XOR whitening,
same plaintext-dependent modular multiplications. The difference is in the initial and final whitening steps,
being now the multiplication (mod 2^64+1), this step prohibits any differential attacks both from plaintext and from ciphertext side.