snake oil alert: "Polymorphic Encryption Method"?

Zefram zefram at
Fri Dec 13 15:01:36 EST 2002

Stefan Kelm wrote:

This lacks a lot of the usual snake oil signs.  There is actually
a paper there that describes the design of the new cipher, there is
little invented crypto terminology, the standard terminology is used
mostly correctly.  The author is clear that what he has isn't a one-time
pad.  On the down side, the paper describes a method of cipher design,
rather than a specific cipher, the analysis is very inadequate, and the
description is tied to a particular machine architecture.  On the whole I
get the impression of someone who genuinely thinks he's had a good idea,
and has tried to do the right thing (by publishing his idea), but has
made a couple of basic mistakes, starting with his expectation that he
can do better than any of the major published ciphers.

The basic idea of the "polymorphic cipher" is to be to combine simple
elements in a key-dependent arrangement.  The author seems to be using
this technique in much the same way that Schneier uses key-dependent
S-boxes in Twofish, to frustrate analysis.  The problem is that in the
case of the polymorphic cipher this is the *only* source of strength in
the algorithm.  Of course, this makes analysis of the security of the
algorithm extremely difficult.  To the author's credit, he does point
out this difficulty, but he seems largely oblivious to the uselessness
of an unanalysable cipher.

The paper's analysis of the cipher's vulnerability to DPA is particularly
amusing.  The structure of the cipher naturally leads to key-dependent
code paths, which of course make it unusually vulnerable to DPA, timing
analysis, and other forms of side channel cryptanalysis.  Yet the
author considers only the code segment that *selects* which code path
to follow; he claims to show that that part can be made to execute in
constant time, and on that basis states that the entire cipher can be
made resistant to DPA.  His claim even for that small code segment is
fundamentally flawed.  My impression here matches the impression I get
from the rest of the paper: he's heard of side-channel cryptanalysis,
but not really understood how it works.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list