even better description of algoithm with an attempt at a security proof.
- From: "Antony Clements" <antony.clements@xxxxxxxxxxxxxxx>
- Date: Sat, 10 Mar 2007 13:31:40 +1100
even better description
a = h(k||m)
P = a||m
if i = 1; Ci = E((K1 xor K2) xor Pi) xor n mod 256
else Ci = E(((K1 xor K2) xor Pi) xor n) xor Ci -1
K1 = f(K1)
K2 = (f(K2) xor Pi)
n = (K1 xor K2) xor n
for i = 1,...,k
for decryption
if i = 1; Pi = E((K1 xor K2) xor Ci) xor n 256
else Pi = E(((K1 xor K2) xor Ci) xor n) xor Ci -1
K1 = f(K1)
K2 = (f(K2) xor Pi)
n = (K1 xor K2) xor n
for i = 1,...,k
m' = l(m) - l(a)
a = l(m) - l(m')
a = h(k||m)
Where block sizes are an arbitrary fixed length. Used as a block cipher K1
and K2 must be = to block size. Used as a stream cipher K1 and K2 must be at
least 512 bits and can be as long as a||m.
collison attacks:
Collisions are coincidental in stream mode as for example, the ciphertext ë
will decrypt to A in one byte of the stream, decrypt to c in a second byte
of the stream, and decode back to A in a third third byte of the stream.
This property effectively disallows either collision attack because
collisions are coincidental and do not always occur in the same byte
position and may never occur at all.
This method when used as a block cipher is used in CBC mode and has the same
property.
K1 and K2 are generated using a combination of OFB and CTR mode. this is
achieved by feeding back each K1 as the input to the function 32 times after
which a counter is added to K1 and rehashed. K2 is fed back into the
function a total of 20 times after which a counter is added to K2 and
rehashed.
Having this particular key generation method allows for avoiding collisions
in the keystream(s) up until and probably past 2^1024 bytes (i can only test
up to 2^1024 bytes). Although there may be collisions between K1 and K2, no
two key blocks in K1 are the same, and the same applies for K2.
plaintext attacks:
Some plaintext attacks are not viable as both K1 and K2 must be known as
well as n in order to retrieve any plaintext, chosen plaintext attacks not
particularly viable due to the collision property.
ciphertext attacks:
While the ciphertext is known to the attacker which will allow some
ciphertext attacks, other ciphertext attacks are not viable due to the
collision attack property.
traffic analysis:
Traffic analysis may leak information on the nonce and therefore n which is
derived from the nonce. This could also potentially leak the passphrase. The
nonce is protected in the following way.
for i = 1,...,k
value = asc(passphrase) mod 12
Where k is the length of the passphrase
for j = 1,...,n
Cj = nonce xor value xor Cj-1
Where j is the length of the nonce
The attacker need only find the first character and the rest will fall.
After the the nonce has been broken, the attacker only needs to take that
value, reverse the modulo division, and do an exhastive key search for keys
that match the value.
Clearly i either need a better way of hiding the nonce, or to not attempt to
hide the nonce at all.
Comments and corrections are always welcome.
.
- References:
- restating question with better description of algoithm
- From: Antony Clements
- restating question with better description of algoithm
- Prev by Date: re:Could these 2 newer dentists be mistaken?
- Next by Date: RSA-1024 verilog
- Previous by thread: restating question with better description of algoithm
- Next by thread: Discrete log Challenges
- Index(es):
Relevant Pages
|
|
