[Cryptography] Introducing Chicha stream cipher

EddyHawk quarsicon at yahoo.com
Fri Jun 5 03:41:57 EDT 2015


Dear DJ and members of cryptography list,

--------------------------------------------
On Fri, 6/5/15, dj at deadhat.com <dj at deadhat.com> wrote:

 Subject: Re: [Cryptography] Introducing Chicha stream cipher
 To: "EddyHawk" <quarsicon at yahoo.com>
 Cc: cryptography at metzdowd.com
 Date: Friday, June 5, 2015, 4:26 AM

 Thing #1:

 What makes you think Chi-Square T.O.R. is the right algorithm to test for
 randomness? I don't see the logic. It's not even easy to judge the output
 of that test because what you are looking for is the uniformity of the
 metric over many tests. No individual test tells you anything, nor is it
 sensitive to correlation between the data.

 In addition to base statistics like you get out of ent, I would look at
 things like the Markov-Rényi min entropy test and run it over a few
 megabytes of data with group lengths > 7. It's described in draft
 SP800-90B. Also distinguishability tests (dieharder, SP800-22 etc), if
 you can get enough data.

 Thing #2:
 It reminds me of meta-AES which is a lunatic cipher I dreamt up that has
 similar goals. Implement AES, but replace the key expansion algorithm with
 a reversible mode of AES that over 10 rounds is strongly indistinguishable
 from random, specifically AES-CTR. Inefficient as heck, but it works. If
 you want 256 bit keys, just make key[128:255] = the CTR IV rather than
 using the nasty 256 bit key schedule of normal-AES. For this I probably
 deserve shooting.
 --------------------------------------------
 
Simply put, if XChacha/2 rounds keystreams are data-compressible
while XChicha/2 rounds keystreams are data-incompressible, wouldn't
it show that (X)Chicha/2 rounds has better randomness/diffusion over
(X)Chacha/2 rounds, regardless of the metric used?
But yes, it alone doesn't show that Chicha has proper randomness and
it still needs further correlation/bias/whatever tests to ensure that.

For your super-AES, I suggest replacing its KSA with Anubis' KSA
and name it AESnubis :-)


Best regards,
EddyHawk
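The point DJ makes in Thing #1 above, that no single statistic tells you much and that per-byte measures are blind to correlation between bytes, can be seen with a small harness that computes the ent-style numbers (compressibility, chi-square, serial correlation) next to a min-entropy estimate. The following Python is an example added here by the editor; it is not code from either poster and not Chicha or Chacha. The keystream sources are constructed stand-ins (a byte counter and a seeded Mersenne Twister at 8 and 4 random bits per byte), and the min-entropy estimator is the plain most-common-value point estimate, not the full SP800-90B procedure with its confidence bound.

```python
import math
import random
import zlib
from collections import Counter


def compression_ratio(data: bytes) -> float:
    """Compressed size over raw size (ent-style). Close to 1.0 means zlib
    found nothing to exploit; well below 1.0 means structure or bias."""
    return len(zlib.compress(data, 9)) / len(data)


def chi_square_bytes(data: bytes) -> float:
    """Chi-square statistic of the 256 byte frequencies against a uniform
    distribution (255 degrees of freedom). Around 255 is expected for
    uniform data; far above it signals bias in the byte histogram."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def serial_correlation(data: bytes) -> float:
    """Pearson correlation between each byte and its successor (wrapping
    around at the end, as ent does). Near 0 for independent bytes."""
    n = len(data)
    x = list(data)
    y = x[1:] + x[:1]
    mean_x = sum(x) / n
    mean_y = sum(y) / n
    cov = sum((a - mean_x) * (b - mean_y) for a, b in zip(x, y))
    var_x = sum((a - mean_x) ** 2 for a in x)
    var_y = sum((b - mean_y) ** 2 for b in y)
    if var_x == 0 or var_y == 0:
        return 0.0
    return cov / math.sqrt(var_x * var_y)


def mcv_min_entropy(data: bytes) -> float:
    """Most-common-value min-entropy estimate in bits per byte, -log2(p_max).
    Plain point estimate only; SP800-90B's estimator additionally puts an
    upper confidence bound on p_max, which is omitted here (assumption)."""
    p_max = max(Counter(data).values()) / len(data)
    return -math.log2(p_max)


def report(data: bytes) -> dict:
    """All four metrics for one keystream sample."""
    return {
        "compression_ratio": compression_ratio(data),
        "chi_square": chi_square_bytes(data),
        "serial_correlation": serial_correlation(data),
        "mcv_min_entropy": mcv_min_entropy(data),
    }


# Constructed stand-in sources; none of these is Chacha or Chicha output.
def counter_stream(n: int) -> bytes:
    """Bytes 0,1,2,...,255,0,1,...: perfectly flat histogram, no randomness."""
    return bytes(i % 256 for i in range(n))


def prng_stream(n: int, bits: int, seed: int = 2015) -> bytes:
    """Deterministic Mersenne Twister output with `bits` random bits per byte.
    bits=8 plays the role of a decent-looking keystream, bits=4 a biased one."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(bits) for _ in range(n))


if __name__ == "__main__":
    n = 64 * 1024
    for name, stream in [("counter", counter_stream(n)),
                         ("prng 8-bit", prng_stream(n, 8)),
                         ("prng 4-bit", prng_stream(n, 4))]:
        print(name, report(stream))
```

The counter stream is the instructive case: its chi-square is exactly 0 and its most-common-value min-entropy is a perfect 8 bits per byte, yet it compresses to almost nothing and its serial correlation is close to 1. A single histogram-based metric would pass it; only the compressibility and correlation measures catch it. Conversely the 4-bit stream fails every measure, and the 8-bit stream passes all of them at this sample size, which is exactly why DJ asks for several different tests over megabytes of data rather than one number.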