Re: [Cfrg] Crystalline Cipher

William Whyte <wwhyte@securityinnovation.com> Thu, 21 May 2015 15:09 UTC

Return-Path: <wwhyte@securityinnovation.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C371F1A1A9C for <cfrg@ietfa.amsl.com>; Thu, 21 May 2015 08:09:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gX5CgbLfdU14 for <cfrg@ietfa.amsl.com>; Thu, 21 May 2015 08:09:25 -0700 (PDT)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6B191A1A4A for <cfrg@irtf.org>; Thu, 21 May 2015 08:09:24 -0700 (PDT)
Received: by qkx62 with SMTP id 62so10078981qkx.3 for <cfrg@irtf.org>; Thu, 21 May 2015 08:09:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=securityinnovation.com; s=google; h=from:references:in-reply-to:mime-version:thread-index:date :message-id:subject:to:content-type; bh=ijYwxO511pT2hRj6sdCZSkQC9AljDTE3LgDaGj4Pj+I=; b=Y5gSST+rEpNVo/zNZRaG5uCSm/PORgHy6AmHUaEc2P08uTwOswtQHI5qXokqYLXhlS NxA7EN7erN8wWQBmu6Hi4t+CKq/itGnwELWhqq0rm6WwTq88wdRgRUycRuUcRIawiqSF grBxbuug/EVicCK3PHXoN1jGvem/brM4gDmGg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:references:in-reply-to:mime-version :thread-index:date:message-id:subject:to:content-type; bh=ijYwxO511pT2hRj6sdCZSkQC9AljDTE3LgDaGj4Pj+I=; b=RoIEXEh4WfTH4maA6yTJWP0wEclqBYAd2ZRfNCqiRb94wJLc75Qc2m2oWp+n+GoLe5 Iug5yTsGGQ95vjx1av1IbvAs5USM0J967VAeGq+GS/MNbC9OmzwIlN2y00Ir9rG9vGKV APOumSQKklR8zdum5XiANiSLBmxKxFqE47NG9fWIp9th3IQC19fRU/CyuvT0nTGgmcCS L8SJVNKmJpniPDn/do/M7hBeXY6Ixj8bxPEZgHTXCY39V3/BbjPGDtXZeu0urHHKthCZ 5Hj278wy7YHAepnPNIEPB9m4AJO3eh1zN6pgfbbmT7ue6Sb/IVnwoxwbPOqCGptJqJTX B9Vw==
X-Gm-Message-State: ALoCoQmd7u1jMNDmzZddxTaesxZzOIIx3ejuLG8v8HNCqdFNv6VGlqueWsbiS5PO8hyLAvhdEfqQ
X-Received: by 10.140.81.135 with SMTP id f7mr4343250qgd.33.1432220963942; Thu, 21 May 2015 08:09:23 -0700 (PDT)
From: William Whyte <wwhyte@securityinnovation.com>
References: <78c28854a0cbb9ab7930141285059c6c@mail.eclipso.de> <2F4CC1DD-32CE-4D0A-B8F6-7BCEAD39F931@shiftleft.org> <55433468cb391822b334aa3363962202@mail.eclipso.de> <CAHOTMVJa64otGeoRYrQVRTwt53_0Dpa_s8Hgg5PVMLo8eWeXLg@mail.gmail.com> <385e922556bc3cabb98f7bb3f7faa47b@mail.eclipso.de> <555D7E95.9080500@shiftleft.org> <8e7ec9ae7082fac7061fe60faaa00106@mail.eclipso.de>
In-Reply-To: <8e7ec9ae7082fac7061fe60faaa00106@mail.eclipso.de>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKquZwRvhr9cpSSu1yHYTvHhqgGagMqmzoEApyazp8BSIvLHAJRpqyJAvwixyUCMqOYq5tduOyA
Date: Thu, 21 May 2015 11:09:24 -0400
Message-ID: <ef7496ae281c7636e31c05fd8423c150@mail.gmail.com>
To: Mark McCarron <mark.mccarron@eclipso.eu>, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="001a11c12ae6cbbeab051698ed32"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/GKFeIrTi2UWWZmlEdKz9Uqv_CJ8>
Subject: Re: [Cfrg] Crystalline Cipher
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 15:09:27 -0000

Hi Mark,



There are a lot of proposed ciphers out there, and if you want someone to
spend time analyzing it, you need to give a reason for why it’s worth their
time. Existing widely-used ciphers and modes of operation have the
properties that (a) they use the minimum number of key bits necessary to
give the desired level of security and (b) they leak as little information
as possible, including leaking whether or not there are repeating patterns
within the ciphertext. Your cipher allows someone to distinguish the
encryption of plaintext with a repeating pattern from the encryption of a
plaintext without a repeating pattern. In the terms this group uses, that
counts as broken, because there are other well-studied ciphers that don’t
reveal that information. If you can come to the group with a cipher that
uses a 128-bit key, doesn’t leak information, and has performance (memory
consumption / processing time) better than AES, you may find people are
willing to spend time on it. If your cipher doesn’t meet those conditions,
there’s no particular reason for people to take it seriously.



Cheers,



William



*From:* Cfrg [mailto:cfrg-bounces@irtf.org] *On Behalf Of *Mark McCarron
*Sent:* Thursday, May 21, 2015 2:52 AM
*To:* cfrg@irtf.org
*Subject:* Re: [Cfrg] Crystalline Cipher



Mike,

I see a lot of talking and not a lot of doing.  If you think this can be
used to recover the plaintext, then I am sure you can provide a worked
example.  But I can tell you now that you are wasting your time.

Regards,

Mark McCarron

--- Ursprüngliche Nachricht ---
*Von:* Mike Hamburg <mike@shiftleft.org>
*Datum:* 21.05.2015 08:43:33
*An:* Mark McCarron <mark.mccarron@eclipso.eu>, Tony Arcieri <
bascule@gmail.com>
*Betreff:* Re: [Cfrg] Crystalline Cipher

But you see Mark, he did break it.

This is why I wrote to you (off-list) about why cryptographers don't like
this sort of interaction, and why I tried to brush you off originally.
We'll spend some effort and break your code, but you won't agree that it's
broken and nobody will be happy.  It's just a waste of time all around.

We cryptographers want to build things on our ciphers, not just use them to
send compressed files around.  To do that with confidence, the ciphers must
be a firm foundation, not something that itself needs to be protected by
compression or whatever your next excuse will be.  If you need to protect
the cipher in this way, it is already broken.

-- Mike

On 5/20/2015 11:36 PM, Mark McCarron wrote:

Hi Tony,

I have examined this issue in depth.  The repeated pattern that you pointed
out does not lead to a break in the cipher.  That image is drawn from a
file filled with 0x00 which is a junk test in the context of Crystalline.
Due to the way in which Crystalline encrypts, such patterns are
unobservable in files that contain data.  Further, that pattern is the
result of using a limited set of colours to represent the entire range of
values.  When you examine the byte stream, it is chaotic and the
salt/key/plaintext are mathematically unrecoverable.  Basically, what you
are seeing is a bias introduced by long runs of the same initial value.  It
is easily resolved through the use of compression as can be seen in this
image:

http://i.imgur.com/3DLWNTc.jpg

So, its a bit of a red herring in any practical sense.  Try to use it to
break the cipher, it doesn't work.

Regards,

Mark McCarron

--- Ursprüngliche Nachricht ---
*Von:* Tony Arcieri <bascule@gmail.com> <bascule@gmail.com>
*Datum:* 21.05.2015 02:34:45
*An:* Mark McCarron <mark.mccarron@eclipso.eu> <mark.mccarron@eclipso.eu>
*Betreff:* Re: [Cfrg] Crystalline Cipher

On Wed, May 20, 2015 at 3:59 PM, Mark McCarron <mark.mccarron@eclipso.eu>
wrote:

I'm somewhat disappointed in your reply, as I presumed that someone with a
stated interest in ciphers would be eager to investigate anything new to
pop up that didn't have obvious holes in it.



Hi Mark,



I did investigate your scheme, and I'm afraid to say it's obviously broken.
It appears to be an implementation of a Knuth Shuffle with a few added
bells and whistles.



This image, which I believe you produced, shows repeated patterns in the
ciphertext:



https://i.imgur.com/MWmMc0J.png



Likewise, there are severe failures on Chi Squared tests:



http://www.freecx.co.uk/cryptanalysis/Crystalline/



Specifically:



http://www.freecx.co.uk/cryptanalysis/Crystalline/bias-result_(1)_10MB.txt

Overall Chi Squared value is 7474.808 (threshold 18.4753)

Overall likely non-uniform (>99%)

http://www.freecx.co.uk/cryptanalysis/Crystalline/bias-result_(2)_10MB.txt

Overall Chi Squared value is 13485.34 (threshold 30.5779)

Overall likely non-uniform (>99%)

http://www.freecx.co.uk/cryptanalysis/Crystalline/bias-result_(4)_10MB.txt

Overall Chi Squared value is 20607.94 (threshold 52.1914)

Overall likely non-uniform (>99%)

http://www.freecx.co.uk/cryptanalysis/Crystalline/bias-result_(8)_10MB.txt

Overall Chi Squared value is 45699.52 (threshold 91.81917)

Overall likely non-uniform (>99%)

I think the biggest problem though is all of this has already been pointed
out to you repeatedly in other forums and you completely refuse to
acknowledge that your cipher fails to meet the absolute most minimum
criteria for a secure cipher.



If your cipher were secure, this image would not contain obvious repeating
patterns:



https://i.imgur.com/MWmMc0J.png



If your cipher were secure, it would pass all randomness tests.



There are many more requirements for a secure cipher, but your cipher fails
to meet the baseline requirements.



-- 

Tony Arcieri


---
Free, fast and secure email: https://www.eclipso.eu


---
Free, fast and secure email: https://www.eclipso.eu