[Cryptography] how to detect breakage -- lures etc.??

Ray Dillinger bear at sonic.net
Sat Jan 4 19:19:23 EST 2020


On Fri, 2020-01-03 at 15:25 +0000, Peter Fairbrother wrote:
> 
> In a flat version, if I understand you, if it is permanently fixed to
> something other than 1:1 it doesn't do much cryptographically
> (Kerckhoffs); if it changes per key - well, a rotor changes even more,
> sometimes per letter.
> 
> I guess they thought 3/4 rotors was enough.
> 

It's that "sometimes per letter" thing that is the crucial part.

"sometimes" isn't often enough.  This is about the difference between
uniform movement and movement complex enough that you hope the enemy
never figures it out. Uniform movement, natch, the enemy has already
figured out.  But it doesn't present opportunities to use partial
information the way complex movement does, so having figured it out
doesn't do the enemy any good.  IOW, you don't need movement complexity
to hide behind if there is nothing to be gained from knowing the
movement pattern.

The fact that with same-size rotors some of them must move only
"sometimes" in order to get a decent period, means the opponent sees
the results of different sets of the rotors moving.  From the
differences in effect, the opponent can isolate the effects of one
rotor or one subset of rotors, then use that connection matrix to
subtract its effect and isolate another, etc.... 

But if the opponent never sees anything but the effects of "all the
rotors moved simultaneously" there is no opportunity to isolate the
effects of a single rotor or subset.  There's no mathematical
distinction between what happened at any two different steps that can
be detected or exploited - no contrasts to decompose.

And then cyclometry doesn't work, Index of Coincidence attacks don't
work (at least not on any index smaller than the length of the
entire cycle), and there's not really anything that can be used to
decompose the rotor stack and reconstruct the effects of any single
rotor.  So I don't agree with you that it "doesn't do much."

FWIW, I had envisioned a machine in which part of the wiring between
rotors would be determined by the key, for the reason of making the
sequence of cipher alphabets for the whole cycle vary by key.  This
would prevent "depths" from appearing when a sequence of rotor
positions appearing halfway through one message becomes the "message
key" of a different message.  

This kind of rerouting would cause a lot more mathematical chaos when
it means that signals actually go to a different next-rotor instead of
just going to a different point on the same rotor.  Instead of treating
it as a composition of matrices (a composition of *known* matrices if
you have one or more of the rotors' wirings known) you now have to
figure out which parts of what you see are the result of composing
*which* matrices in what order, which is hard to do even if the
matrices are known.

Even if you did figure out the wiring of a rotor (or one of your spies
managed to steal one) it would have a profoundly different effect on
the output under one key than it would under another.  And, again,
because nothing ever moves at a moment when something else does not,
there's still no way to pick out the effect of your known rotor from
the effect of the other rotors. 

				Bear


Static parts of the key could be: orientation and direction of each
rotor (which side up, and +1 or -1 position at every letter) plus order
and orientation of a half-dozen 'permutation blocks' that complete
internal wiring paths.  Any change to the static key and the entire
cycle of cipher alphabets is changed.  The dynamic part of the key
would be the rotor positions, which should not be relied on for
security.
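
The "contrasts to decompose" argument above, as an added example that is not part of the original post. It assumes a simplified model: three 26-contact rotors with constructed random wirings, no reflector, and, for the uniform case, assumed per-letter step sizes of 1, 3 and 5. It compares the change between adjacent cipher alphabets for two machines that share only the fast rotor.

```python
import random

N = 26

def make_rotor(seed):
    """Constructed sample wiring: a seeded random permutation of 0..25."""
    wiring = list(range(N))
    random.Random(seed).shuffle(wiring)
    return wiring

def through(wiring, offset, x):
    """Pass contact x through one rotor turned by `offset` positions."""
    return (wiring[(x + offset) % N] - offset) % N

def offsets(t, mode):
    if mode == "odometer":   # on most steps only the fast rotor moves
        return (t % N, (t // N) % N, (t // (N * N)) % N)
    # "uniform": every rotor moves at every letter (step sizes are assumed)
    return (t % N, (3 * t) % N, (5 * t) % N)

def alphabet(stack, t, mode):
    """Cipher alphabet E_t of the whole stack at step t, as a list."""
    out = []
    for x in range(N):
        y = x
        for wiring, off in zip(stack, offsets(t, mode)):
            y = through(wiring, off, y)
        out.append(y)
    return out

def contrast(stack, t, mode):
    """E_t^-1 composed with E_(t+1): what changed between adjacent steps."""
    e0, e1 = alphabet(stack, t, mode), alphabet(stack, t + 1, mode)
    inv = [0] * N
    for x, y in enumerate(e0):
        inv[y] = x
    return [inv[y] for y in e1]

def slow_rotors_cancel(mode, steps=range(0, 25)):
    """True if two machines sharing only the fast rotor show the same
    contrast at every step, i.e. the slow rotors drop out entirely."""
    fast = make_rotor(1)
    a = [fast, make_rotor(2), make_rotor(3)]
    b = [fast, make_rotor(4), make_rotor(5)]
    return all(contrast(a, t, mode) == contrast(b, t, mode) for t in steps)

if __name__ == "__main__":
    print("odometer:", slow_rotors_cancel("odometer"))
    print("uniform: ", slow_rotors_cancel("uniform"))
```

With odometer stepping the slow rotors cancel out of the contrast, so it exposes the fast rotor alone; with every rotor moving at every letter the contrast still depends on the whole stack.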





