Re: My Open Letter.



On 3/10/2011 11:39 PM, Paulo Marques wrote:

Hi, all

Let me try to sum up the events so far in a nutshell:

- Adacrypt periodically writes to sci.crypt explaining how "vector
cryptography" is great and all the old methods (AES, RSA, etc.) are all
doomed to fail

- he uses his own "special" terminology for common cryptography concepts
and rambles for so long about the merits of vectors and ASCII that no
one takes him seriously

- so he believes that no one takes him seriously because no one
"understands" his radical new concepts

- I decided to give him a chance: put aside all the little details
(humoungous key material, ASCII fixation, Ada language fixation, etc.)
and focus on whether the algorithm was any good or not

- after a few conturbated iterations, I was able to finally understand
the algorithm and break it. I just needed 2 plain / cypher text pairs
and would be able to decrypt an extra cypher text without any extra
information (more on that below)

- adacrypt sent me the files all encrypted with different keys. At first
I thought it was a mistake, but he confirmed he did that on purpose and
that was the way the algorithm was always supposed to be used

Well, google is my friend and found a few gems for me:

"Clearly, there has to be one secure delivery of the copied database
from Alice to Bob ? this is a once in a lifetime delivery only. Alice
and Bob can scramble and slice the arrays of their mutual databases at
will and as long as they keep the shared information secure then they
can enjoy perfect secrecy of communications for evermore."
adacrypt - Jul, 10, 2010

"A downside of this method of working is that it needs a one-off secure
delivery of Alice?s copy software to Bob but in return there is no more
problems of key exchanges in the future."
adacrypt - Mar, 14, 2010

Of course, now that is clear that reusing the same "keyset" is
disastrous, the "scrambling" has always been a critical part of the
process. However, there was never any official scrambling procedure and
there is no description of the protocol that should be used to exchange
data and scramble the database in a away that it remains secure (which I
think it's not possible to do anyway).

Now for the fun part: how the break works.

I won't bore you with the details but after a few irrelevant scrambling
operations, the encryption process consists of:

Cn = (S[Pn] * V1n + V0n) + On

where:

Cn : cypher vector for character n
Pn : plain character n
S[] : secret constant S-Box
V1n, V0n, On: secret vectors to apply to character n

S[], V1, V0, On are part of the keyset, or at least derived from the
keyset in a deterministic way, which is basically the same.

Now if we set Kn = (V0n + On) the equation is simply:

Cn = S[Pn] * V1n + Kn

Lets forget about Kn for a while and focus on the "Cn = S[Pn] * V1n"
part. To break a cypher we would need to know the S-box and the vector.

However, and this is the real irony here, the fact that this cypher uses
vectors makes it a lot easier to extract all those.

All the numbers are integers here, so all the 3 components of Cn must
have a common divider that is S[Pn] or is a multiple of S[Pn] (if the
vector had already common factors to begin with). So, if we have a plain
text and a cypher text, extracting the S-box is trivial.

Now, to bring back Kn into the picture (and remove it in the process),
we just need a pair of cypher texts to subtract them both and get:

C1n - C2n = (S[P1n] - S[P2n]) * V1n + (Kn - Kn)

With the S-box differences it is easy to recover the S-box and then use
it (and the difference again) to break any cypher text produced from the
same "mutual database".

Basically this degenerates into an OTP using the On vector as the random
data to be added, except that it will start reusing key material when
the message becomes long enough. All the other operations (and the fact
that it's using vectors) only makes the cypher weaker.

Which brings us round to the "scrambling" argument: the only security
this algorithm might still have relies on the fact that On is unknown
and random. If the scrambling process is known and there was a previous
message using On, chances are the new message will be easy to break.

So we end up with an algorithm that is worse than OTP and needs more key
material.

Of course, adacrypt started protecting his escape already by saying
that: the "database" is a collective name for the collection of arrays,
program procedures, lines of sourcecode, language constructs etc etc
that are collectively called the "database", The database is just that
and is more than just being one of the elements of something else.

How can he say that "program procedures" are part of the secret database
while at the same time he says that he stands by the Kerckhoffs's principle?

In my view he's paving the way for later saying: this was just an
example of a database; you could even use AES in CBC mode with a random
IV as the "program procedures" and it would be secure. At which point
this boils down to: if you have a secure symmetric algorithm, you have a
secure symmetric algorithm. Welcome to the tautology club.

Bottom line: move along, nothing to see here...


Thanks for the work. Now Adacrypt can see an actual break - which he thought was impossible before - perhaps he will be interested in learning more.
.



Relevant Pages

  • My Open Letter.
    ... Adacrypt periodically writes to sci.crypt explaining how "vector ... I just needed 2 plain / cypher text pairs ... there has to be one secure delivery of the copied database ... the "scrambling" has always been a critical part of the ...
    (sci.crypt)
  • Re: My Open Letter.
    ... Adacrypt periodically writes to sci.crypt explaining how "vector ... I just needed 2 plain / cypher text pairs ... there has to be one secure delivery of the copied database ... the "scrambling" has always been a critical part of the ...
    (sci.crypt)
  • Re: More on "Real_Time_Encryption_Program_Mark_2" - ref. Earlier Post
    ... from 3 plaintexts create 3 cyphertexts with the ... same secret database but different parameters. ... should be equivalent to a real-world scenario where the attacker is able ... If your cypher is any good, it should resist this attack with ease, as ...
    (sci.crypt)
  • Re: More on "Real_Time_Encryption_Program_Mark_2" - ref. Earlier Post
    ... plaintexts but use a new random database that you create and keep ... you're saying there is no way I could recover the 3rd plaintext, ... No, normally in a known plaintext attack, the attacker can have ... the security of your cypher, ...
    (sci.crypt)
  • Re: Why Vector Ciphertext is Better.
    ... If each subsequent change right up to Mark_1000 is ... program setting each time then the operation of a multi faceted unique ... The chip becomes the database ... very serious - adacrypt ...
    (sci.crypt)