[Cryptography] Security of a permute-only system?

Ray Dillinger bear at sonic.net
Mon Nov 30 18:51:56 EST 2015



On 11/30/2015 07:03 AM, Henry Baker wrote:
> At 09:49 PM 11/29/2015, Ray Dillinger wrote:

>> Like a stream cipher means XORing with a random string of
>> bits but you NEVER repeat that random string, any security
>> gained from permutations only holds as long as you don't
>> repeat the same permutation.
> 
> Could you provide just a tad more info?
> 
> 
> If you can compare input to output, you can eventually reveal the permutation, even if you can't choose the input.
> 
> But if you can't compare the bits coming in to the bits going out, how do you recover the permutation?

The only thing that the permutation protects against is the
XOR class of attacks against stream ciphers.  But the attacker
is still able to apply XOR attacks against the (repeated)
permutation and observe the precise ways in which this messes
things up.  In many protocols that would mean he can first
identify the permuted locations of first and last bits due to
block boundary issues, then other bits relative to them to the
extent that different field boundaries within the block or
protocol result in different hashes being violated or different
protocol invariants failing, etc.  The exact point at which
the destination machine stops responding reveals the moment
at which it detected the error.  If it gets a wrong bit in
the middle of a nonce, it will not know until a later step
in the protocol when the derived key doesn't match, vs. getting
a wrong bit in the middle of an amount, in which case it will
know immediately because accounting invariants are violated.

To know to exactly what extent a particular application is
vulnerable to this type of field-matching attack you'd have
to see the entire protocol it uses.  And a carefully coded
application might be able to detect any bit-error immediately
if there is, e.g., a checksum on each block, or otherwise force
any failure in a given block to cause failure-of-response at
exactly the same time regardless of which field/s in the
block contain/s the detected error.

The point is that the necessary security measures (checksum
on each block) are identical to the necessary security measures
for an unpermuted stream cipher - hence the permutation was of
limited use.

			Bear
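An added illustration of the point above, written for this archive page and not taken from Bear's post or from any list member's code: a fixed 64-bit bit-permutation is applied to a constructed block of nonce||amount, every ciphertext bit is flipped in turn, and the stage at which the receiver rejects the block is recorded. With application-level checks only, the rejection point depends on which field the flipped bit landed in; with a per-block HMAC (the "checksum on each block") checked before parsing, every flip is rejected at the same point. The field layout, invariant, key and HMAC-SHA256 are all assumptions of the example.

```python
import hmac
import hashlib
import random

BLOCK_BITS = 64
MAX_AMOUNT = 1000          # constructed accounting invariant on the amount field
MAC_KEY = b"example-key"   # constructed; a real system derives this per session

def make_permutation(seed: int) -> list:
    """One fixed bit permutation reused for every block (the repeated-permutation case)."""
    perm = list(range(BLOCK_BITS))
    random.Random(seed).shuffle(perm)
    return perm

def permute_bits(block: int, perm: list) -> int:
    """Move bit i of block to position perm[i]."""
    return sum(((block >> i) & 1) << j for i, j in enumerate(perm))

def invert(perm: list) -> list:
    inv = [0] * len(perm)
    for i, j in enumerate(perm):
        inv[j] = i
    return inv

def encrypt(nonce: int, amount: int, perm: list) -> int:
    """Constructed layout: 32-bit nonce in the high half, 32-bit amount in the low half."""
    return permute_bits((nonce << 32) | amount, perm)

def parse_block(plain: int, expected_nonce: int) -> str:
    """Application-level checks only: where a bad block is caught depends on the field hit."""
    amount, nonce = plain & 0xFFFFFFFF, plain >> 32
    if amount > MAX_AMOUNT:
        return "rejected at accounting check"            # caught immediately
    if nonce != expected_nonce:
        return "rejected at later key-derivation step"   # caught only later
    return "accepted"                                    # silently modified

def outcomes(with_mac: bool, seed: int = 7) -> set:
    """Flip each ciphertext bit once and collect the distinct receiver outcomes."""
    perm, nonce, amount = make_permutation(seed), 0x12345678, 500
    inv, cipher = invert(perm), encrypt(nonce, amount, perm)
    tag = hmac.new(MAC_KEY, cipher.to_bytes(8, "big"), hashlib.sha256).digest()
    seen = set()
    for k in range(BLOCK_BITS):
        tampered = cipher ^ (1 << k)
        if with_mac:  # verify the per-block checksum before looking at any field
            check = hmac.new(MAC_KEY, tampered.to_bytes(8, "big"), hashlib.sha256).digest()
            if not hmac.compare_digest(check, tag):
                seen.add("rejected at MAC check")       # same point for every bit
                continue
        seen.add(parse_block(permute_bits(tampered, inv), nonce))
    return seen
```

Without the MAC, `outcomes(False)` yields three distinguishable results (including silent acceptance of a changed amount); with it, `outcomes(True)` yields only the MAC rejection, which is the uniform failure-of-response the post asks for.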


