[Cryptography] Nu supr unbrakable cripto

John-Mark Gurney jmg at funkthat.com
Thu Dec 31 15:37:47 EST 2015


Bill Cox wrote this message on Thu, Dec 31, 2015 at 10:01 -0800:
> def E(key, data):
>     if key >= (1 << 256) or data >= (1 << 512):
>         raise Exception("E input data too large")
>     dlow = data & ((1<<256)-1)
>     dhigh = data >> 256
>     for i in range(4):
>         dlow ^= H(key, dhigh)
>         dhigh ^= H(key, dlow)
>     dlow ^= H(key, dhigh)
>     return (dhigh << 256) | dlow
> 
> Assuming H acts as an ideal cryptographic hash function, then after the
> first iteration of the for loop, the output is scrambled beyond
> recognition.  However, at that point, the output is "malleable", meaning
> that an attacker can flip bits of the dhigh output, and the same bits of
> the dhigh input will be flipped when decrypted.  This gives an attacker too
> much control, so we need at least one more iteration, and just to be
> paranoid, I did 4, though I think technically only 2 are required.  The
> last XOR is just to make this function the inverse of itself so that I do
> not need a separate encrypt and decrypt function.

This is also known as a Feistel cipher to help people look up literature
on this, such as the original Luby-Rackoff paper...  I believe that the
key in each round needs to be independant for it to be secure...

The wikipedia article on Feistel cipher has more info:
https://simple.wikipedia.org/wiki/Feistel_cipher

And says that 3 rounds is required to make it a PRP, and 4 rounds to
make it strong...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."


More information about the cryptography mailing list