Re: [long] C code of PEARL1, a block encryption algorithm emphasising simplicity



Tran Ngoc Duong:
"Mok-Kong Shen" wrote in message

How does the success of a method to break the
scheme B help to break A? (M is still unknown.)


This is how you possibly thought an adversary works:

Deduce K, deduce M => total deduction

(This is "to break A" in your terms.)


However, she works like this:

Deduce K => total deduction

(This is "to break B" in your terms.)


It means that once she breaks B, she can deduce at will everything you
can derive from the primary key, including M if needed. That is just
another way of saying that A is broken.

Sorry, I still haven't fully understood you. Let me quote your previous
post:

1. From the primary key, generate the key stream K[1] M[1] K[2] M[2] ...
K[n] M[n].

2. Encrypt the plaintext P[1] P[2]...P[n] into the ciphertext C[1] C[2]
... C[n] by

C[i] = M[i] * ( P[i] ^ K[i] )

An alternative, B, is the following:

1. From the primary key, generate the key stream K[1] M[1] K[2] M[2] ...
K[n] M[n].

2. Encrypt the plaintext P[1] P[2]...P[n] into the ciphertext C[1] C[2]
... C[n] by

C[i] = P[i] ^ K[i]

(M[i] are dropped.)

In case B, the analyst gets K at once. So assuming that she can break B
means that she can then deduce from K the parameters of the PRNG, in my
case the compound PRNG. (O.k., the issue of attacking the compound PRNG
is not important in the present context.) But this is only "IF" B is
used. In the actual case, A is used and we have
C[i] = M[i] * ( P[i] ^ K[i] ). Now, "IF" M is known, we have
C'[i] = M^(-1)*C[i] = P[i] ^ K[i] and from the previous assumption the
PRNG is again broken. However, M is not (yet) known in the actual
situation. So I don't yet clearly understand the logic of your claim.

Thanks.

M. K. Shen
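The two schemes quoted in the exchange above, written out as an added example (this is not code from the thread, from Shen or from PEARL1). The generator is a hypothetical stand-in for Shen's unspecified compound PRNG, and the page does not say what "*" is, so the example assumes 32-bit words, multiplication modulo 2^32, and M[i] forced odd so that M[i]^(-1) exists. It shows the three steps the two posters argue about: a known-plaintext pair under B yields K[i] directly; under A the same pair is consistent with one (K[i], M[i]) for every odd M[i], so M is indeed "not yet known" from a single position; and once M is known (or, as Duong argues, once the primary key is known), A reduces to B.

```python
"""Schemes A and B from the thread, with a hypothetical stand-in PRNG.

Added example, not code from the original post.  Assumptions (not stated on
the page): words are 32 bits, '*' is multiplication modulo 2^32, and every
M[i] is forced odd so that M[i]^(-1) mod 2^32 exists.
"""
from __future__ import annotations

import random

WORD_BITS = 32
MOD = 1 << WORD_BITS
MASK = MOD - 1


def keystream(primary_key: int, n: int) -> list[tuple[int, int]]:
    """Hypothetical stand-in for Shen's (unspecified) compound PRNG.

    Expands the primary key into the stream K[1] M[1] K[2] M[2] ... K[n] M[n].
    Python's Mersenne Twister is NOT a secure generator; it is used only so the
    example is self-contained and deterministic.
    """
    rng = random.Random(primary_key)
    stream = []
    for _ in range(n):
        k = rng.getrandbits(WORD_BITS)
        m = rng.getrandbits(WORD_BITS) | 1  # odd => invertible modulo 2^32
        stream.append((k, m))
    return stream


def encrypt_a(primary_key: int, plaintext: list[int]) -> list[int]:
    """Scheme A: C[i] = M[i] * (P[i] ^ K[i])  (mod 2^32)."""
    ks = keystream(primary_key, len(plaintext))
    return [(m * (p ^ k)) & MASK for p, (k, m) in zip(plaintext, ks)]


def decrypt_a(primary_key: int, ciphertext: list[int]) -> list[int]:
    """Inverse of scheme A: P[i] = (M[i]^(-1) * C[i]) ^ K[i]."""
    ks = keystream(primary_key, len(ciphertext))
    return [((c * pow(m, -1, MOD)) & MASK) ^ k for c, (k, m) in zip(ciphertext, ks)]


def encrypt_b(primary_key: int, plaintext: list[int]) -> list[int]:
    """Scheme B: C[i] = P[i] ^ K[i]; the M[i] words are generated but dropped."""
    ks = keystream(primary_key, len(plaintext))
    return [p ^ k for p, (k, _m) in zip(plaintext, ks)]


def known_plaintext_b(plaintext: list[int], ciphertext: list[int]) -> list[int]:
    """Known-plaintext on B: K[i] = C[i] ^ P[i] falls out position by position
    (the 'analyst gets K at once' step; no knowledge of the PRNG is needed)."""
    return [c ^ p for p, c in zip(plaintext, ciphertext)]


def strip_m_from_a(ciphertext: list[int], m_words: list[int]) -> list[int]:
    """Shen's 'IF M is known' step: C'[i] = M[i]^(-1) * C[i] = P[i] ^ K[i],
    which turns an A ciphertext into the corresponding B ciphertext."""
    return [(c * pow(m, -1, MOD)) & MASK for c, m in zip(ciphertext, m_words)]


def consistent_pair_a(p: int, c: int, m_guess: int) -> tuple[int, int]:
    """Why one known (P[i], C[i]) pair under A does not pin down K[i]:
    for ANY odd guess of M[i] there is exactly one K[i] reproducing C[i],
    namely K[i] = P[i] ^ (M[i]^(-1) * C[i]).  Returns that (K[i], M[i]) pair."""
    if m_guess & 1 == 0:
        raise ValueError("M[i] must be odd to be invertible modulo 2^32")
    k = p ^ ((c * pow(m_guess, -1, MOD)) & MASK)
    return k, m_guess


def break_via_primary_key(primary_key: int, n: int) -> tuple[list[int], list[int]]:
    """Duong's adversary: deducing the primary key (hence the PRNG state) yields
    both streams, K and M, at once; per-position ambiguity no longer matters."""
    ks = keystream(primary_key, n)
    return [k for k, _ in ks], [m for _, m in ks]


if __name__ == "__main__":
    # Constructed sample input: a short message packed into 32-bit words.
    key = 0xC0FFEE
    pt = [int.from_bytes(w, "big") for w in (b"PEAR", b"L1 s", b"trea", b"m...")]
    ca, cb = encrypt_a(key, pt), encrypt_b(key, pt)
    k_true, m_true = break_via_primary_key(key, len(pt))
    print("B leaks K directly:", known_plaintext_b(pt, cb) == k_true)
    print("A with M known reduces to B:", strip_m_from_a(ca, m_true) == cb)
    k_alt, m_alt = consistent_pair_a(pt[0], ca[0], 0x12345679)
    print("A, one position, another (K,M) also fits:",
          (m_alt * (pt[0] ^ k_alt)) & MASK == ca[0])
```

Note that `consistent_pair_a` only shows that a single position of A under-determines (K[i], M[i]); it says nothing about whether the generator behind K and M can be recovered from many positions, which is the separate question the posters leave open.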
