[Cryptography] Introducing Chicha stream cipher
EddyHawk
quarsicon at yahoo.com
Fri Jun 5 03:41:57 EDT 2015
Dear DJ and members of cryptography list,
--------------------------------------------
On Fri, 6/5/15, dj at deadhat.com <dj at deadhat.com> wrote:
Subject: Re: [Cryptography] Introducing Chicha stream cipher
To: "EddyHawk" <quarsicon at yahoo.com>
Cc: cryptography at metzdowd.com
Date: Friday, June 5, 2015, 4:26 AM
Thing #1:

What makes you think Chi-Square T.O.R. is the right algorithm to test for randomness? I don't see the logic. It's not even easy to judge the output of that test because what you are looking for is the uniformity of the metric over many tests. No individual test tells you anything, nor is it sensitive to correlation between the data.

In addition to base statistics like you get out of ent, I would look at things like the Markov-Renye min entropy test and run it over a few megabytes of data with group lengths > 7. It's described in draft SP800-90B. Also distinguishability tests (dieharder, SP800-22 etc), if you can get enough data.

Thing #2:

It reminds me of meta-AES which is a lunatic cipher I dreamt up that has similar goals. Implement AES, but replace the key expansion algorithm with a reversible mode of AES that over 10 rounds is strongly indistinguishable from random, specifically AES-CTR. Inefficient as heck, but it works. If you want 256 bit keys, just make key[128:255] = the CTR IV rather than using the nasty 256 bit key schedule of normal-AES. For this I probably deserve shooting.
--------------------------------------------
Simply put, if XChacha/2 rounds keystreams are data-compressible
while XChicha/2 rounds keystreams are data-incompressible, wouldn't
it show that (X)Chicha/2 rounds has better randomness/diffusion over
(X)Chacha/2 rounds, regardless of the metric used?
But yes, it alone doesn't show that Chicha has proper randomness and
it still needs further correlation/bias/whatever tests to ensure that.
For your super-AES, I suggest replacing its KSA with Anubis' KSA
and name it AESnubis :-)
Best regards,
EddyHawk