[Cryptography] how to detect breakage -- lures etc.??

Peter Fairbrother peter at tsto.co.uk
Mon Jan 6 06:54:33 EST 2020


On 05/01/2020 00:19, Ray Dillinger wrote:
> On Fri, 2020-01-03 at 15:25 +0000, Peter Fairbrother wrote:
>>
>> In a flat version, if I understand you, if it is permanently fixed to
>> something other than 1:1 it doesn't do much cryptographically
>> (Kerckhoff); if it changes per key - well, a rotor changes even more,
>> sometimes per letter.
>>
>> I guess they thought 3/4 rotors was enough.
>>
> 
> It's that "sometimes per letter" thing that is the crucial part.
> 
> "sometimes" isn't often enough.  This is about the difference between
> uniform movement and movement complex enough that you hope the enemy
> never figures it out. Uniform movement, natch, the enemy has already
> figured out.  But it doesn't present opportunities to use partial
> information the way complex movement does, so having figured it out
> doesn't do the enemy any good.  IOW, you don't need movement complexity
> to hide behind if there is nothing to be gained from knowing the
> movement pattern.

Lorenz used different-sized (well they were the same physical size, but 
with different numbers of pins) rotors. Five rotors moved together at 
every character, with a period of 22 million, and some other rotors 
moved sometimes. It was of course broken.

One problem with the Lorenz system was that for each Lorenz rotor you 
only got an XOR bit, not a permutation.

I don't think anybody has ever built a rotor machine with variable 
length permuting rotors and reuse of the unused rotor inputs and 
outputs, either with or without intervening permutations. If you did, 
some input characters would necessarily be treated differently to 
others, so e.g. a message of zzzzz's might not involve the first rotor at all.

> 
> The fact that with same-size rotors some of them must move only
> "sometimes" in order to get a decent period, means the opponent sees
> the results of different sets of the rotors moving.  From the
> differences in effect, the opponent can isolate the effects of one
> rotor or one subset of rotors, then use that connection matrix to
> subtract its effect and isolate another, etc....

Indeed, that was how Lorenz was broken. But the period of the Enigma 
rotors was only 15,000/375,000 (3/4 rotor).

> But if the opponent never sees anything but the effects of "all the
> rotors moved simultaneously" there is no opportunity to isolate the
> effects of a single rotor or subset.  There's no mathematical
> distinction between what happened at any two different steps that can
> be detected or exploited - no contrasts to decompose.
> 
> And then cyclometry doesn't work, [...] there's not really anything
> that can be used to decompose the rotor stack and reconstruct the 
> effects of any single rotor. 

I don't think so. After r1 characters rotor 1 will be back in its 
original position. To say that this condition is indistinguishable under 
all circumstances implies a lot about the rest of the machine, which may 
not be true - and often isn't.

It is hard to explain without an example, so consider a two-rotor 
machine with three and five inputs (and outputs) per rotor and a 4 
character alphabet.

If the five rotor ("f") comes first it might have 4 character input 
lines fi1-fi4 and one input fi5 from output fo1, with 3 outputs fo2-fo4 
going to the three ("s") rotor and output fo5 going to main output. The 
s-rotor would have the three inputs fo2-fo4 as mentioned, and three 
outputs going to main output.

Now every 5 characters the f rotor will be in the same position, and if 
we have input fi3 every 5 characters such that it goes on the path 
fi3-fo1-fi5-fox-siy- we have separated out the rotor actions.

Something similar is true if the 3-rotor is first.

Afaict the difference in rotor sizes makes this sort of weakness 
necessarily true, though it might not be significant in a very complex 
machine.


The art of cipheranalysis is largely about seeing things the cipher 
designer didn't - and there are a lot of things to miss in your system. 
I certainly wouldn't like to certify any particular design secure .. 
especially if the intervening circuitry changes.

6th Law: Larger and more complicated systems have more places to attack.



Peter Fairbrother
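The two-rotor machine described in the post above, simulated as an added example (this is not code from the thread or from any real machine). The contact wirings are constructed and chosen arbitrarily, and the stepping model (both rotors advance one contact per character) is an assumption; the point it shows is the one Peter makes, that the f rotor's 5-character period is visible through the 15-character combined period because some plaintext symbols bypass the s rotor entirely.

```python
# Constructed wirings for the toy machine (chosen arbitrarily for this example).
F_WIRING = [3, 0, 4, 1, 2]   # permutation of the f rotor's 5 contacts
S_WIRING = [2, 0, 1]         # permutation of the s rotor's 3 contacts
F_SIZE, S_SIZE, ALPHABET = 5, 3, 4


def rotor(wiring, position, contact):
    """Contact a signal leaves a rotor at, having entered at `contact` with the
    rotor turned by `position` steps (assumed model: one step per character)."""
    n = len(wiring)
    return (wiring[(contact + position) % n] - position) % n


def f_stage(c, t):
    """Contact the f rotor delivers plaintext symbol c to at time t (1..4 = fo2..fo5)."""
    out = rotor(F_WIRING, t % F_SIZE, c)      # fi1..fi4 are contacts 0..3
    if out == 0:                              # fo1 is looped back into fi5 (contact 4)
        out = rotor(F_WIRING, t % F_SIZE, 4)  # a permutation cannot yield 0 twice
    return out


def encrypt_symbol(c, t):
    """Main output (0..3) for plaintext symbol c at time t."""
    out = f_stage(c, t)
    if out == F_SIZE - 1:                     # fo5 goes straight to main output 0
        return 0
    return 1 + rotor(S_WIRING, t % S_SIZE, out - 1)   # fo2..fo4 -> si1..si3 -> outputs 1..3


def encrypt(plain):
    return [encrypt_symbol(c, t) for t, c in enumerate(plain)]


def s_rotor_bypassed(plain):
    """Known plaintext: positions whose output came from fo5, so the s rotor took no part."""
    return [ct == 0 for ct in encrypt(plain)]


def f_period_leaks(plain):
    """Known plaintext: wherever plain[t] == plain[t+5], the s rotor is bypassed at
    both positions or at neither, so the f rotor's period of 5 shows through the
    combined period of 15 even though both rotors move at every character."""
    b = s_rotor_bypassed(plain)
    return all(b[t] == b[t + F_SIZE] for t in range(len(b) - F_SIZE)
               if plain[t] == plain[t + F_SIZE])


if __name__ == "__main__":
    zs = [2] * 15                             # constructed plaintext: one symbol repeated
    print(encrypt(zs))
    print(s_rotor_bypassed(zs))               # [True, False, False, False, False] repeated
    print(f_period_leaks(zs))                 # True
```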

