[Cryptography] Terakey, An Encryption Method Whose Security Can Be Analyzed from First Principles

Arnold Reinhold agr at me.com
Wed Jul 29 19:06:42 EDT 2020


> On Jul 28, 2020, at 4:05 PM, Ben Laurie <ben at links.org> wrote:
> 
> 
> On Tue, 28 Jul 2020 at 00:49, Arnold Reinhold via cryptography <cryptography at metzdowd.com <mailto:cryptography at metzdowd.com>> wrote:
> Thanks for your comments. What I am doing is quite similar to the additive books you describe, with the important difference that because mass storage has gotten so cheap, we can afford to make the “book” tens of millions of times bigger than what was possible in WW II. Most of the security of Terakey is based on this fact alone.
> 
> Tens of millions of times bigger means you can do 3s of thousands of times as much traffic. I suspect we do a lot more than that, relative to WWII.
> 

I am not proposing Terakey as a replacement for all current encryption. You wouldn’t use it to directly encrypt a 4K video stream. I envision it being used for high value communications on relatively small networks, an international bank, say, or as a backup system for coordinating response to a cyber attack where the PKI infrastructure is in doubt. A one terabyte key can comfortably protect a gigabyte of data. That is a lot of text messages. Terakey can also be used to exchange symmetric keys, similarly to Quantum Key Distribution. In that mode a one terabyte key can protect one AES key exchanged per second for a year, a speed comparable to current QKD systems over long distances. And even that limitation is based on the very conservative assumption that an attacker has acquired the key used to encrypt most previous messages, not just the plaintext.

Current public key systems rely on mathematical problems whose difficulty is conjectured, not proven. This is a single point of failure with a probability that is not quantifiable. Progress in mathematics is extremely sporadic. Problems that have stymied great mathematicians for centuries have been solved in recent memory. I’m not saying a breakthrough is likely any time soon, just that having some backup might be a good idea.

On 28 Jul 2020 12:11 +0100 Peter Fairbrother wrote:

>> 
>> The security analysis then consists of estimating the likelihood of a cypherbyte already known to the attacker 
> 
> Oh no no no. That might be your analysis, but it isn't the only analysis.
> 
> Suppose I am the NSA and manage to tweak the PRNG to my nefarious means.
> 
> Perhaps I can arrange that 1 in 3 selections is to a limited set of 
> terabyte bytes. After getting some known plain/cyphertext traffic I can 
> read 1/3 of the plaintext characters - enough to do serious damage.

If the NSA can tweak my algorithm, they can make it emit rot13, or an apparently strong PRNG stream where they know most of the seed. That is true of any crypto system. If I have somehow created the impression that I am proposing the PRNG be something that is negotiated between the parties, my fault for not being clear. I did not specify a specific PRNG because I wanted to consider ones that were reversible vs ones that were based on security primitives. A fielded Terakey system would have a fixed PRNG. If you like, the one specified in NIST SP 800-90A Rev 1, section 10.2, using a block cipher such as AES-256 or whichever block cipher is being used in key exchange mode.

Arnold Reinhold
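A toy model of the scheme as the thread describes it, added here as an illustration and not code from the Terakey proposal or from any poster: a PRNG seeded per message selects positions in a large random key, each plaintext byte is XORed with the key byte at its position, and the security estimate is the chance that a fresh cipherbyte lands on a key position the attacker already learned from earlier known traffic. A SHA-256 counter generator stands in for the SP 800-90A DRBG named above (an assumption of this example, chosen to keep it stdlib-only), and the key sizes are scaled down from one terabyte.

```python
import hashlib
import math
import os


def offsets(nonce: bytes, count: int, key_len: int) -> list:
    """Derive `count` positions in the big key from a per-message nonce.
    Hash-counter generator standing in for the fixed DRBG (assumption).
    `key_len` should be a power of two so the modulo introduces no bias."""
    out, counter = [], 0
    while len(out) < count:
        block = hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
        for i in range(0, 32, 8):
            if len(out) < count:
                out.append(int.from_bytes(block[i:i + 8], "big") % key_len)
    return out


def terakey_xor(big_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR each byte with the PRNG-selected key byte."""
    pos = offsets(nonce, len(data), len(big_key))
    return bytes(b ^ big_key[p] for b, p in zip(data, pos))


def known_byte_fraction(key_len: int, prior_bytes: int) -> float:
    """Probability that a new cipherbyte reuses a key position already exposed
    by `prior_bytes` of known plaintext/ciphertext: 1 - (1 - 1/K)^n."""
    return -math.expm1(prior_bytes * math.log1p(-1.0 / key_len))


def simulate_reuse(key_len: int, nonces: list, msg_len: int) -> int:
    """Count cipherbytes whose key position was already used by earlier traffic
    (about n^2 / 2K collisions are expected for n total bytes, key size K)."""
    seen, reused = set(), 0
    for nonce in nonces:
        for p in offsets(nonce, msg_len, key_len):
            if p in seen:
                reused += 1
            seen.add(p)
    return reused


if __name__ == "__main__":
    big_key = os.urandom(1 << 20)           # 1 MiB toy key; proposal uses 1 TB
    nonce = os.urandom(16)                  # constructed per-message nonce
    msg = b"wire transfer 4,000,000 EUR"    # constructed sample plaintext
    assert terakey_xor(big_key, nonce, terakey_xor(big_key, nonce, msg)) == msg
    # The thread's numbers: 1 TB key, 1 GB of traffic already known to attacker.
    print("per-byte reuse probability:", known_byte_fraction(2 ** 40, 2 ** 30))
    nonces = [i.to_bytes(4, "big") for i in range(64)]
    print("reused positions in 4096 bytes under a 64 KiB key:",
          simulate_reuse(1 << 16, nonces, 64))
```

The per-byte figure for the terabyte/gigabyte case comes out near 2^-10, which is the "likelihood of a cypherbyte already known to the attacker" the analysis quoted above is about; the simulation shows the same estimate on a scaled-down key.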

