[Cryptography] Terakey, An Encryption Method Whose Security Can Be Analyzed from First Principles

Arnold Reinhold agr at me.com
Mon Aug 31 16:12:24 EDT 2020

On Sat, 29 Aug 2020 04:32 +0100 Peter Fairbrother wrote:

> On 28/08/2020 23:30, Arnold Reinhold via cryptography wrote:
>> The first-principle security proof I do claim is for confidentiality 
>> from people who do not have access to the current Terakey. In particular 
>> they would not be able to mount the active attacks we have been 
>> discussing.  
> Why do you say that? Of course an attacker could mount these attacks. 
> That is the entire point.
> While active chosen-key attacks are not straightforward to execute, they 
> are in the armamentarium of at least some potential attackers. They are 
> part of the literature. And more important, they are something which any 
> proof of confidentiality must take into account - ignoring them is like 
> building a huge strong gate but leaving holes in the fence for people to 
> walk through.
> Step 1, Mallory, who does not have access to the terakey, wants to 
> cryptanalyse a message ciphertext. First he breaks the PRNG.
> Mallory then knows the indicators for the terakey bytes used in the 
> message he wants to break, though he doesn't know the actual terakey 
> byte values.
> Step 2, he then finds a PRNG key which generates some of the same 
> indicators, and does a chosen-key known-plaintext attack, or two, or 
> seventy thousand. He gets someone who does know the terakey to encrypt a 
> known message with his chosen key. He then calculates the relevant 
> terakey byte values by comparing the known plaintext with the ciphertext.
> Step 3, he then uses his knowledge of the terakey bytes to break the 
> original message.
> If you are talking in terms of _proof_, you cannot prove that Mallory 
> cannot do any or all of these steps. If he does them, he gets the 
> plaintext of any message he wants.
>> I appreciate your thoughts on Terakey, but at this point we don't seem 
>> to disagree so much about what Terakey does, 
> I strongly disagree.
> In terms of proof, it simply does not do what you say it does - it does 
> not provably protect 99.9% of the traffic. It does not provably protect 
> *ANY* of the traffic.
> To claim terakey provides provable security you have to prove that the 
> attack above is impossible. Nothing else will do.

What you are describing is a variant of standard attacks on stream ciphers (which Terakey is). And yes, they are well known in the literature and there are standard defenses that have been known since before World War II. I describe them in my paper[1] as an essential part of Terakey, as follows:
"Terakey consists of three major elements: ...

	2. A method for assigning each message a unique message indicator v, which can be determined by a transmitted nonce, by hashing the message, by hashing just its header, from a prearranged list, communicated using a separate mechanism, such as conventional public key cryptography, or some combination of these methods"

These measures can prevent an attacker from getting "someone who does know the terakey to encrypt a known message with his chosen key." In particular, including an automatically generated random nonce, which is standard practice with modern stream ciphers, completely foils such an attack.

If you want to posit an insider with the necessary permissions to modify the Terakey software to inject a chosen PRNG seed, they can just as well read out the Terakey directly. No encryption system can survive an attack by someone who can modify the encryption software at will.

Arnold Reinhold

[1] https://www.researchgate.net/publication/342697247
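As an added illustration (not code from the paper or from either participant in the thread), the following Python toy models the indicator mechanism under discussion and runs the check a deployer would want: how much of a target message's keystream is exposed when a known-plaintext message is encrypted under the same header, once with the indicator derived from the header alone and once with a per-message nonce mixed in. The key size, the SHA-256 indicator derivation and the use of Python's PRNG to select key positions are assumptions of the toy, not details of Terakey.

```python
import hashlib
import random

# Constructed toy model of a Terakey-style stream cipher (an assumption of this
# example, not the author's implementation): a large random byte array is the
# "terakey", and a PRNG seeded with the message indicator v selects which key
# bytes form the keystream.
KEY_SIZE = 4096


def make_terakey(seed: int = 1234, size: int = KEY_SIZE) -> bytes:
    # Deterministic key so the example is reproducible; a real key is random.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def indicator(header: bytes, nonce: bytes = b"") -> bytes:
    # Message indicator v derived from the header, optionally mixed with a
    # per-message nonce (the defense the reply points to).
    return hashlib.sha256(header + nonce).digest()


def key_indices(v: bytes, n: int, size: int = KEY_SIZE) -> list:
    # Positions in the terakey selected by a PRNG seeded with v.
    rng = random.Random(v)
    return [rng.randrange(size) for _ in range(n)]


def encrypt(terakey: bytes, header: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    idx = key_indices(indicator(header, nonce), len(plaintext))
    return bytes(p ^ terakey[i] for p, i in zip(plaintext, idx))


def exposed_key_bytes(header: bytes, plaintext: bytes, ciphertext: bytes, nonce: bytes = b"") -> dict:
    # What one known-plaintext message reveals: the terakey bytes at the
    # positions its indicator selected (plaintext XOR ciphertext).
    idx = key_indices(indicator(header, nonce), len(plaintext))
    return {i: p ^ c for i, p, c in zip(idx, plaintext, ciphertext)}


def recoverable_fraction(target_header: bytes, target_len: int, known: dict,
                         target_nonce: bytes = b"") -> float:
    # Fraction of the target message's keystream positions covered by the
    # exposed bytes; 1.0 means the target is fully readable from the known message.
    idx = key_indices(indicator(target_header, target_nonce), target_len)
    return sum(1 for i in idx if i in known) / target_len


def check_nonce_defense() -> tuple:
    # Constructed scenario: a target message and a known-plaintext message of at
    # least the same length share one header. Returns the recoverable fraction
    # without a nonce and with independent per-message nonces.
    terakey = make_terakey()
    header = b"From: alice To: bob Subject: status"
    target = b"TARGET MESSAGE THAT THE ADVERSARY WANTS TO READ"
    known = b"KNOWN PLAINTEXT, AT LEAST AS LONG AS THE TARGET MESSAGE"

    # Case 1: indicator depends only on the header, so both messages reuse
    # exactly the same key positions.
    ct_known = encrypt(terakey, header, known)
    leaked = exposed_key_bytes(header, known, ct_known)
    without_nonce = recoverable_fraction(header, len(target), leaked)

    # Case 2: each message carries its own nonce (fixed values here so the run
    # is reproducible; in deployment they are generated randomly per message).
    n_known, n_target = bytes(range(16)), bytes(range(16, 32))
    ct_known = encrypt(terakey, header, known, n_known)
    leaked = exposed_key_bytes(header, known, ct_known, n_known)
    with_nonce = recoverable_fraction(header, len(target), leaked, n_target)
    return without_nonce, with_nonce


if __name__ == "__main__":
    no_nonce, nonce = check_nonce_defense()
    print(f"recoverable without nonce: {no_nonce:.3f}, with nonce: {nonce:.3f}")
```

With the indicator tied to the header alone the known message exposes every key position the target uses; with independent nonces the two messages draw from different positions, and the residual overlap is only the chance collision rate of two small random subsets of a 4096-byte key, which is why a larger key and a fresh nonce per message are the parameters a deployer should check.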