[Cryptography] "Perpetual Encryption" - Coda

Dennis E. Hamilton dennis.hamilton at acm.org
Fri Apr 7 15:56:51 EDT 2017


Wherein perpetual-motion remains unachievable ...

> -----Original Message-----
> From: cryptography [mailto:cryptography-
> bounces+dennis.hamilton=acm.org at metzdowd.com] On Behalf Of Dennis E.
> Hamilton
> Sent: Thursday, April 6, 2017 08:48
> To: 'Crypto' <cryptography at metzdowd.com>
> Subject: Re: [Cryptography] "Perpetual Encryption"
> 
> 
> 
[ ... ]
> 
> With respect to the security model, RNG2 is essentially a means for
> stretching the (K1, X1, ...) stream for some operationally-valuable
> purpose (including hiding of that stream) in producing (XK1, XK2, ...)
> and the associated parameters.
> 
[ ... ]
[orcmid] 

Having provided a Conceptual Pilot, CP, that demonstrates the procedure can be implemented, we can now argue that, despite all of that, the entropy-based argument must fail.

STRETCHING OF AN OTP STREAM IS MAYBE NOT AN OTP STREAM?

The perpetual equivocation argument presumes a sequence

  K1 || X1 || X2 || ... || Xn

 derived from "truly random" sources.  If this stream be exchanged entirely and independently in secret, it would serve as an OTP.

The proposed methodology depends on *deterministic* derivation of a definite stream

  XK1 || XK2 || ... || XKn || XK[n+1]

 claimed to be a cryptographically-sufficient OTP stream cipher.  This is the cipher stream applied to a same-sized plaintext stream that conveys chunks of a message M *and* the X1, ..., Xn.  

In theory, the XK1 ... XK[n+1] stream must be compressible to at least the K1 || X1 ... || Xn stream for a message longer than K1.  Whatever the feasibility of breaking that, it points out that there cannot be any more entropy in the key stream than that of the K1 || ... || Xn stream.

In fact, the theoretical compressibility is to merely K1.  That's because the Xi are conveyed in the plaintext.

  XK1 depends on K1 only,
  XK2 depends on K1 || X1 (as *given*),
   ..., and
  XK[n+1] depends on K1 || X1 (as *given*) ... || Xn (as *given*)

Since the Xi are conveyed in the plaintexts of earlier blocks, they are effectively unsurprising and it all depends on K1, the only secret not carried in the ciphertext.


RACING TO THE FINISH

Accepting that an argument from compressibility is not the same as a break, it should be worrisome with respect to claims of increasing entropy beyond whatever that means for K1.

There is another problem.  The preamble to the Perpetual Encryption White Paper states that ideal secrecy is achieved if entropy is added to the cryptosystem at a faster rate than it is consumed.

It seems clear that if the message, M, is longer than the initial key, K1, it is not possible to catch up before the last bit of M is transmitted.  It's not even possible to break even.  (Sound familiar?)  And that's assuming introduction of the Xi in earlier parts of the plaintext amounts to something, cryptographically.

Whether the scheme has practical value despite its questionable characteristics, it would seem that there are better-understood systems, with hardware-assisted implementations, that also have better general-purpose application.

 - end -
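
Added example, not part of the original post and not code from the Perpetual Encryption White Paper: a toy model of the dependency chain described above, showing that decryption needs only K1, so a ciphertext admits at most 2^|K1| candidate plaintexts however long M is. Assumptions: SHAKE-256 is a hypothetical stand-in for the unspecified RNG2, the sizes are constructed (1-byte K1, 8-byte message chunks, 4-byte Xi), and every block carries an Xi.

```python
import hashlib
import os

MSG, XLEN = 8, 4  # constructed sizes: message bytes and Xi bytes per block


def xk(k1, xs, n):
    """Hypothetical stand-in for RNG2: n keystream bytes from K1 || X1 || ... ."""
    return hashlib.shake_256(k1 + b"".join(xs)).digest(n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(k1, message, rand=os.urandom):
    xs, blocks = [], []
    for i in range(0, len(message), MSG):
        x = rand(XLEN)                     # fresh random Xi, carried in the plaintext
        plain = message[i:i + MSG] + x
        blocks.append(xor(plain, xk(k1, xs, len(plain))))
        xs.append(x)                       # later keystream blocks depend on it
    return blocks


def decrypt(k1, blocks):
    xs, message = [], b""
    for c in blocks:
        plain = xor(c, xk(k1, xs, len(c)))
        message += plain[:-XLEN]
        xs.append(plain[-XLEN:])           # Xi is "given" by the earlier block
    return message


def candidate_plaintexts(blocks, k1_len=1):
    """Messages consistent with a ciphertext: one per possible K1, never more."""
    return {decrypt(k.to_bytes(k1_len, "big"), blocks)
            for k in range(256 ** k1_len)}


if __name__ == "__main__":
    m = b"constructed sample message"     # 26 bytes, longer than K1
    ct = encrypt(b"\x5a", m)
    keystream_bytes = sum(len(c) for c in ct)
    print(keystream_bytes, "keystream bytes,", len(candidate_plaintexts(ct)), "candidates")
```

A true OTP of the same length would leave every plaintext of that length possible; here the candidate set is capped by the size of the K1 space no matter how much random Xi material is injected.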