[Cryptography] Cipher having a universal polymorphic-decryption property

Ray Dillinger bear at sonic.net
Fri Dec 12 17:57:58 EST 2014

On 12/11/2014 08:56 PM, Natanael wrote:
> - Sent from my tablet
> Den 12 dec 2014 04:46 skrev "Ray Dillinger" <bear at sonic.net>:
>> I have developed an interesting and peculiar cipher. I don't believe
>> that there's any proper application for it because it is very slow, but
>> it has at least one rather astonishing and potentially underhanded
>> property, so I thought I would describe it and see if anyone here has
>> any idea of a good (or evil) use for it.
> [Crazier than usual version of one time pad, built with a block cipher &
> CSPRNG/semi-stream cipher hybrid]
> http://en.wikipedia.org/wiki/Deniable_encryption#Scenario
> You can also make multiple people believe they got the same message when
> they didn't.

It's actually even crazier than that.  Because each block is subject to a
chosen *complete permutation*, you can create a single key which maps
many different chosen plaintexts to different chosen ciphertexts,
subject only to the limitation that no block is repeated in position -
easy to satisfy with 128-bit blocks.

So you could construct a key that transforms, say, a boring stock
performance report into an entirely opaque ciphertext, and then on
encrypting again using the same key (rather than decrypting) the
ciphertext would become a "sensitive" letter outlining corporate
strategy - and on encrypting again, still using the same key, a
message that says where the missiles will be launched from and what
time the bombs that have been planted in your enemy's nuclear plant will

You'd need to have all of these texts in hand when creating the key; the
distinction between message and key is reversed except when talking
about messages greater in length than the number of blocks to which the
PRNG's output can be preselected.

Mathematically, I'm fairly certain that you could embed at least 30 such
chained messages to be "decrypted" from a given text, before the math to
find the desired set of S-boxes to set the initial PRNG state starts
getting Hard.

Alternatively you could create a key that would transform each of 30
different plaintexts into different chosen ciphertexts; you can use
that key as a normal symmetric key for encryption and decryption with
all other messages, but at certain moments, if you need to transmit
exactly one of the 30 preselected messages, you can do so using a
ciphertext that looks exactly like a completely innocent preselected


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141212/1e3c1c23/attachment.sig>

More information about the cryptography mailing list