[Cryptography] [cryptography] Underhanded Crypto

Ray Dillinger bear at sonic.net
Fri Nov 28 00:39:15 EST 2014

>> http://underhandedcrypto.com/rules/

Okay, I've got something....  though it's more
fatally-flawed than underhanded; I was trying
to make something secure when I came up with
it, but I failed. I don't have a way to actually
read the messages, but I did find a way to
distinguish encrypted messages from random
output, and a way to do better than random at
identifying messages encrypted with the same
key. And you know, attacks always get better,
not worse.  Still, it sounds like a great idea;
I could totally sell this.

It could be patched a little with complicated
cipher modes and things, but we don't like systems
that need to use complicated cipher modes and

I could "fix" it by increasing the block size.
But the construction is peculiar, and its good
properties only hold for a block sizes which
are exactly double the square of a natural number.
so I could totally make a 128-bit version, which
would not need such complicated cipher modes but
would still have encrypted messages distinguishable
from random.

The design is simple: generate a key stream from a
CPRNG, but instead of using it to XOR the plaintext
as in a typical stream cipher, you use the keystream
to generate an infinite key schedule of S-boxes for
a Feistel cipher.

Put on your best snake-oil salesman voice....

"I invented a four-round Feistel cipher on 32-bit blocks,
that's totally unbreakable! The sekrit is it uses totally
unpredictable secure S-boxes!  It generates a new,
random set of S-boxes every round, using a secure CPRNG
that you seed with the key.  It runs just four rounds,
because the S-boxes are totally unbreakable so you
don't need any more rounds than that!

'Cause there are about 2^48 permutations of all the
4-bit blocks, and each block uses four of them chosen
completely at random from all the possible sets,
That's 144 bits of randomness that goes into every
block, which is enough to generate every POSSIBLE
permutation of 32-bit blocks with a factor of ten
million or so left over for lunch!  And it totally
does generate that total set of permutations, with
just four rounds! Luby and Rackoff proved it, way
back in 1988, so I don't know why all those losers
haven't been using that result and making totally
secure ciphers ever since then!

You can't even analyze it, because every block is
encrypted with a totally DIFFERENT 32-bit permutation!
Selected randomly and with equal probability from ALL
the POSSIBLE 32-bit permutations!  The uncorrelated
sequence length is 12k bits, and it uses 256 bits of
output to generate S-boxes per 32-bit block, so up to
a message 48 blocks, or 192 bytes, long, there's
SOME key, not that anybody could ever find it, that'll
transform ANY message into ANY ciphertext!

Oh yeah, that reminds me, you can use any size key
you want!  The pseudo random generator I invented
for it has about 12.5k bits of state, so it won't
repeat until sometime AFTER THE UNIVERSE DIES.
Until you start getting keys six kilobytes long
or so, there's probably not ANY two keys that will
produce the same output, stream and that's including
the stoopid birthday paradox.  If you use a key
that's over 12 kilobytes long, then yeah, there's
probably some other key out there twelve kilobytes
long or less, that'll produce the same sequence of
S-boxes.  But there's no way anybody could possibly
find it!  Like anybody even has to worry about that,
when finding a key 256 bits long is the next best
thing to impossible!

Okay, no more snake-oil salesman voice.

Can you figure it out, or do you want me to post
the code?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141127/4fa1a6bf/attachment.sig>

More information about the cryptography mailing list