
Re: PR and patent around "Polymorphic Encryption"



.. and again a whole year late ..

What a joy – here the sense and nonsense of intellectual property is
actually being discussed!

Let's rather discuss encryption. I also think that the messages on this
topic should be archived twice. I would be the last person to raise an
objection against an exponential proliferation.
If more people knew that data encryption can be useful... then, for
example, fewer WLANs would simply be "open".

English, as an international language, is well suited to achieving an
even greater reach. ... so let's get going ...

It seems to be the right time to start a public discussion about
polymorphic encryption, as the interest in the underlying principle is
growing, as I can see by surfing the internet.

We had some difficulties describing the cipher in a general way for
some time. Mathematics is normally applied to mechanisms that are
constant, but for a changing structure only the change may appear
somehow constant.

A basic polymorphic cipher is the "Cipher of Ciphers". Let's imagine a
crypto engine which can choose from four secure 128-bit encryption
algorithms, e.g. AES Rijndael, AES Twofish, RC6 and Mars. Each of the
base ciphers is regarded as being unbreakable. A 130-bit key is used to
encrypt messages - 2 bits select one of the four available base ciphers
and the remaining 128 bits represent the key for the chosen base cipher.
The result is an unbreakable 130-bit cipher, as each of the 128-bit base
ciphers is unbreakable and each base cipher generates ciphertext with
good pseudo-randomness and thus cannot be identified by its output bit
pattern. The two additional bits make the proposed "Cipher of Ciphers"
stronger than each of the base ciphers, with the following advantages:

1. The brute force attack takes longer on 130 bits than on 128 bits.

2. The two additional bits consume a little CPU time only once, and
require no time at all when encrypting the next 100 terabytes, e.g.
when used in server-to-server communication.

3. An attacker must try to crack four base ciphers instead of one in
order to be able to read all messages which are encrypted using this
polymorphic cipher. It might be possible to reduce the number of rounds
for Twofish or some other algorithm, but it's unlikely that the whole
base cipher set can be cracked with time. A more powerful polymorphic
cipher might feature a set of 128 base ciphers. Cracking one of them
would expose less than 1% of all encrypted messages. Cracking one of the
base ciphers might be as difficult as cracking Rijndael. If Rijndael was
cracked, it could be a disaster for the industry, but if Rijndael was
only a base cipher of a polymorphic cipher, far fewer people would even
try to crack it because this wouldn't be a huge success at all.

The advantages of the proposed polymorphic cipher are a noticeable
increase in safety and additional key bits which do not consume
processing time after key setup.

It is clear that this general principle can be improved. The idea to
implement a compiler which generates a polymorphic cipher out of a
password is the solution for the problem that we cannot have more than a
handful of base ciphers to choose from. Being able to choose from 2^128
ciphers for a 128 bit encryption algorithm would render most of the
known attacks inapplicable. The size of the crypto engine would still be
OK for smart card implementations and there might be a way to make the
crypto engine, which inevitably includes the crypto compiler, safe
against the Differential Power Attack (DPA). It should be clearly noted
that DPA is a very successful attack against DES, Rijndael, Twofish,
Safer, RC6 and all other AES candidate algorithms if these algorithms
are attacked on small smart card processors. Please see
http://csrc.nist.gov/CryptoToolkit/aes/round1/conf2/papers/chari.pdf for
more information.

Some people might say that vulnerabilities in smart card applications
are acceptable, but the idea of AES was to supply a powerful
multi-purpose encryption algorithm to the industry, wasn't it? If AES
has vulnerabilities on smart cards, it is also vulnerable in other
low-power applications like mobile phones, PDAs, wireless access points,
crypto ASICs, etc. As the target machines change with time, new methods
to encrypt data evolve in line with technological advances in other
areas. AES would have been impossible to implement with mechanical
wheels at the time when the Enigma was state of the art.

This should be sufficient motivation to discuss technologies other than
the current mainstream ones. As all AES candidate algorithms together
seem to represent state-of-the-art symmetric cipher design, there is
definitely a need to develop better operating principles. Compiled
crypto code is probably one of them. It is obvious that new technologies
sometimes require a different terminology and that their internals
cannot necessarily be described with the models used to describe old
technologies. AES and the Enigma are probably good examples of this
thesis.

At 5Gbit/s encryption speed on an AMD Athlon XP1800+ microprocessor, our
latest 512 bit polymorphic cipher design seems to be the fastest cipher
in the world; about 10 times faster than AES! The internal structure
guarantees that the code which encrypts plaintext is compiled in a
uniform way in order not to leak any information about the key as well
as the remaining internal state. The same principle is employed to make
the compiler DPA-proof.

Speed and randomness can be easily checked with the free evaluation
version of our BPP Disk encryption software. Interested readers may
create a 64Mbyte (or bigger) virtual volume, unmount it and then check
the image file with a randomness test (e.g. the diehard test suite by
George Marsaglia: http://stat.fsu.edu/~geo/diehard.html). It must be
noted that the first 512 bytes of a virtual volume file contain
plaintext information (the boot sector for FAT32 volumes and copyright
data for small volumes) and that the plaintext of the FAT area may not
contain all zeros! When the file is split into two pieces, or the first
512 bytes are removed, a bitstream with very good randomness can be
observed in the second piece.

For a closer look at the current implementation of the cipher, we would
like to invite experts in cryptanalysis to analyze it.

C.B. Roellgen
PMC Ciphers, Inc.
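Added example (editor's code, not code from the post above or from PMC Ciphers): the "Cipher of Ciphers" key layout the post describes, written out so that the 2-bit selector and the 128-bit base key are visible, together with the exhaustive-search accounting behind advantage 1. The four base ciphers are assumed stand-ins built from hashlib counter-mode keystreams (SHA-256, SHA-512, SHA3-256, BLAKE2b), not Rijndael, Twofish, RC6 or MARS; the function names, the demo key and the nonce are constructed for the illustration. The work-factor function is parameterised so the 128-base-cipher variant the post mentions can be read off as well.

```python
# Added example, not code from the original post or from PMC Ciphers: a toy
# "Cipher of Ciphers" with the key layout the post describes. The 130-bit key
# is split into 2 selector bits and a 128-bit base key; the selector picks one
# of four base ciphers. The four base ciphers here are STAND-INS (assumption):
# counter-mode keystreams derived with hashlib (SHA-256, SHA-512, SHA3-256,
# BLAKE2b), not Rijndael, Twofish, RC6 or MARS. Only the dispatch structure and
# the key-size accounting are the point.
import hashlib
from typing import Callable, Dict, Tuple

SELECTOR_BITS = 2                          # picks one of 2**2 = 4 base ciphers
BASE_KEY_BITS = 128                        # key handed to the chosen base cipher
KEY_BITS = SELECTOR_BITS + BASE_KEY_BITS   # 130, as in the post


def _hash_keystream(hash_name: str, key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in base cipher: keystream block i = H(key || nonce || i), counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Selector value -> base cipher (keystream generator). Each takes
# (base_key, nonce, length) and returns `length` keystream bytes.
BASE_CIPHERS: Dict[int, Callable[[bytes, bytes, int], bytes]] = {
    0: lambda k, n, l: _hash_keystream("sha256", k, n, l),
    1: lambda k, n, l: _hash_keystream("sha512", k, n, l),
    2: lambda k, n, l: _hash_keystream("sha3_256", k, n, l),
    3: lambda k, n, l: _hash_keystream("blake2b", k, n, l),
}
assert len(BASE_CIPHERS) == 1 << SELECTOR_BITS


def split_key(key: int) -> Tuple[int, bytes]:
    """Top SELECTOR_BITS choose the base cipher; the low 128 bits are its key."""
    if not 0 <= key < (1 << KEY_BITS):
        raise ValueError("key must be a %d-bit integer" % KEY_BITS)
    selector = key >> BASE_KEY_BITS
    base_key = (key & ((1 << BASE_KEY_BITS) - 1)).to_bytes(BASE_KEY_BITS // 8, "big")
    return selector, base_key


def encrypt(key: int, nonce: bytes, plaintext: bytes) -> bytes:
    """Cipher of Ciphers: dispatch on the selector, then run the chosen base cipher."""
    selector, base_key = split_key(key)
    keystream = BASE_CIPHERS[selector](base_key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


decrypt = encrypt  # XOR keystream ciphers are their own inverse


def brute_force_work(selector_bits: int = SELECTOR_BITS,
                     base_key_bits: int = BASE_KEY_BITS) -> Dict[str, int]:
    """Exhaustive-search cost in candidate keys. The selector multiplies the
    base-cipher search by the number of base ciphers, so 2 extra bits give
    4 * 2**128 = 2**130 candidates; 7 selector bits (128 base ciphers) give 2**135."""
    n_ciphers = 1 << selector_bits
    return {
        "base_ciphers": n_ciphers,
        "per_base_cipher": 1 << base_key_bits,
        "total": n_ciphers << base_key_bits,
    }


if __name__ == "__main__":
    # constructed demo key: selector 0b10 (third base cipher) plus a fixed 128-bit base key
    key = (0b10 << BASE_KEY_BITS) | 0x0123456789ABCDEF0123456789ABCDEF
    nonce = bytes(12)
    ct = encrypt(key, nonce, b"attack at dawn")
    print("selector:", split_key(key)[0], "ciphertext:", ct.hex())
    print("round trip:", decrypt(key, nonce, ct))
    print("work factor:", brute_force_work())
```

The selector is dispatch only: the chosen base cipher never sees those two bits, so the exhaustive search for one message is 2^128 per base cipher times the number of base ciphers, which is the 2^130 of advantage 1; `brute_force_work(7)` gives the 128-base-cipher figure.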



--
To unsubscribe, e-mail: debate-unsubscribe@lists.fitug.de
For additional commands, e-mail: debate-help@lists.fitug.de
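Added example (editor's code, not the post's or PMC Ciphers' software): the check the post describes on a volume image, with the first 512 bytes dropped before testing, as the post advises. It substitutes a byte-frequency chi-square test and a monobit test for the diehard suite, so it only catches gross structure such as headers or zero fill and proves nothing about the cipher. The sample image (a FAT-like 512-byte header followed by random bytes, or by zeros for the unencrypted case) is constructed in the block; `HEADER_BYTES`, `looks_random` and its limits are the example's own choices.

```python
# Added example, not from the original post or from PMC Ciphers' software: the
# kind of randomness sanity check the post suggests, applied to a volume image
# after dropping its first 512 bytes (the plaintext boot-sector region the post
# mentions). This is NOT the diehard suite; it runs a byte-frequency chi-square
# test and a monobit test, which expose gross structure (headers, zero-filled
# regions) but say nothing about whether a cipher is secure. The sample image
# is constructed here, not taken from a real BPP Disk volume.
import os

HEADER_BYTES = 512     # region the post says holds plaintext (boot sector etc.)


def chi_square_bytes(data: bytes) -> float:
    """Chi-square of the byte histogram against uniform (255 degrees of freedom).
    Random data scores around 255 (standard deviation about 23); a value in the
    thousands means visible structure."""
    n = len(data)
    if n == 0:
        raise ValueError("no data to test")
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = n / 256.0
    return sum((c - expected) ** 2 / expected for c in counts)


def monobit_bias(data: bytes) -> float:
    """Fraction of one-bits minus 0.5. For random data this stays within a few
    multiples of 0.5/sqrt(8n); all-zero data gives -0.5."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8.0 * len(data)) - 0.5


def analyse_image(image: bytes, skip: int = HEADER_BYTES) -> dict:
    """Drop the first `skip` bytes (the post's advice) and test the remainder."""
    body = image[skip:]
    return {
        "bytes_tested": len(body),
        "chi_square": chi_square_bytes(body),
        "monobit_bias": monobit_bias(body),
    }


def looks_random(stats: dict, chi_limit: float = 400.0, bias_limit: float = 0.01) -> bool:
    """Coarse verdict; the limits are generous (several standard deviations for a
    64 KiB sample) so random data never fails while headers or zero fill always do."""
    return stats["chi_square"] < chi_limit and abs(stats["monobit_bias"]) < bias_limit


def build_sample_image(body_size: int = 64 * 1024, encrypted: bool = True) -> bytes:
    """Constructed stand-in for a volume file: a 512-byte plaintext header
    (a FAT-like signature padded with zeros) followed by either random bytes,
    standing in for good ciphertext, or zeros, standing in for an unencrypted
    empty FAT area."""
    header = b"FAT32".ljust(HEADER_BYTES, b"\x00")
    body = os.urandom(body_size) if encrypted else bytes(body_size)
    return header + body


if __name__ == "__main__":
    img = build_sample_image()
    print("with header   :", analyse_image(img, skip=0))   # header skews the histogram
    print("header dropped:", analyse_image(img))           # remainder looks random
```

On a real image file the same check is `analyse_image(open(path, "rb").read())`; for a full assessment the post's pointer to the diehard suite still applies, since a flat byte histogram is a necessary, not a sufficient, property of ciphertext.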