[Cryptography] basic cryptography ... was: key breaking

Ray Dillinger bear at sonic.net
Wed Nov 25 18:35:52 EST 2015
On 11/24/2015 08:16 AM, Sandy Harris wrote:
> On Sun, Nov 22, 2015 at 4:05 PM, John Denker <jsd at av8n.com> wrote:
> 
>> It seems obvious that if we wanted to do the Right Thing™ we
>> would use a separate key for each block of the message.
> 
> Sounds like a stream cipher. If having key as long as the
> message was practical, we could go to one time pads,
> but it isn't so use a keyed PRNG to give enough key.

I actually developed one of these.  It's three full rounds
of a Feistel cipher on 128-bit blocks, with all S-boxes
generated by a cryptographically secure pseudorandom number
generator.  The key is put through a secure hash to get
the initial state of the PRNG, because otherwise related
keys producing PRNG output offset by a known number of
blocks would be easy to generate.

That said, it's a moderately silly exercise - more a
design and coding exercise than a real thing that people
might want to use.  It would never be used in a real
design because its encryption/decryption speed *and*
its key agility both suck harder than rocks.  It sucks
up six (if I remember right) times the number of bits
of PRNG output that it encrypts, and spends the time
to do Feistel rounds on top of that.

If you're interested in it, I can send you the C
implementation I made.

I like a lot of its properties; like a stream cipher,
it can produce literally ANY ciphertext from ANY
plaintext, with a different permutation of plaintext-
to-ciphertext in effect for each block. All ciphertexts
for a given block are, in fact, provably equiprobable
for a given plaintext if the PRNG is good.  It can also
be used without an IV, or with repeated use of the
same key, to at least the same extent that any 128-bit
block cipher can, and can be used ECB in lots of places
where "normal" block ciphers can't.  If you have the
same 128-bit plaintext encrypted with the same key, a
normal block cipher in ECB mode will always give you
the same ciphertext.  This one will do so only if the
identical block is ALSO at the identical offset in the
plaintext.  Its key space is essentially the size of
your RNG's state or your hash output, which can be as
much or as little as you want.

In fact 3 rounds is massive overkill for the "equiprobable
transformations" thing if the PRNG is secure - the third
round is just to ensure it against any PRNG correlation
that is detectable at all (looking at you, RC4).

			Bear
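The construction Bear describes, written out as an added illustration (this is not his C implementation): three Feistel rounds on 128-bit blocks, with every S-box regenerated for each block from a PRNG that is seeded with a hash of the key. Assumptions not in the post: SHAKE-256 over SHA-256(key) stands in for the CSPRNG, the round function is eight independent byte-wise S-boxes, and this demo draws far more PRNG bits per block than the six-times figure quoted above.

```python
import hashlib

BLOCK = 16    # 128-bit block, handled as two 64-bit halves
ROUNDS = 3    # three full Feistel rounds, as in the post

class KeyedPRNG:
    """Sequential byte stream from a keyed PRNG. Assumption: SHAKE-256 over
    SHA-256(key) stands in for the CSPRNG; hashing the key first is what the
    post does so related keys do not yield streams offset by a known amount."""
    def __init__(self, key: bytes, nbytes: int):
        self.buf = hashlib.shake_256(hashlib.sha256(key).digest()).digest(nbytes)
        self.pos = 0

    def byte(self) -> int:
        b = self.buf[self.pos]
        self.pos += 1
        return b

def random_sbox(rng: KeyedPRNG) -> list:
    """One 8-bit S-box: Fisher-Yates shuffle of 0..255 driven by PRNG bytes."""
    s = list(range(256))
    for i in range(255, 0, -1):
        j = rng.byte() % (i + 1)   # modulo bias is tolerable for a demonstration
        s[i], s[j] = s[j], s[i]
    return s

def block_sboxes(rng: KeyedPRNG) -> list:
    """Fresh S-boxes for one block: ROUNDS rounds x 8 byte-wise S-boxes (assumed round function)."""
    return [[random_sbox(rng) for _ in range(8)] for _ in range(ROUNDS)]

def feistel(block: bytes, rounds: list) -> bytes:
    """Feistel network over one 16-byte block; F(R) substitutes each byte of R
    through its own S-box. Running the rounds in reverse order inverts it."""
    L, R = block[:8], block[8:]
    for boxes in rounds:
        f = bytes(boxes[i][R[i]] for i in range(8))
        L, R = R, bytes(a ^ b for a, b in zip(L, f))
    return R + L        # undo the last swap so the inverse is the same network

def crypt(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Encrypt (or decrypt) whole blocks. Every block draws new S-boxes from the
    stream, so identical blocks encrypt identically only at the same offset."""
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of 16 bytes")
    nblocks = len(data) // BLOCK
    rng = KeyedPRNG(key, nblocks * ROUNDS * 8 * 255)   # 255 PRNG bytes per S-box
    out = bytearray()
    for i in range(nblocks):
        rounds = block_sboxes(rng)
        out += feistel(data[i * BLOCK:(i + 1) * BLOCK], rounds[::-1] if decrypt else rounds)
    return bytes(out)
```

Encrypting two all-zero blocks under one key shows the ECB property from the post: the two ciphertext blocks differ, yet the first block is reproduced whenever the same block sits at offset zero under the same key.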
