What type of encryption is this homebrew “encryption algorithm”?

Background:

Quite a long time ago (somewhere 1998) I thought I was really clever and invented my own encryption/decryption code. Looking through old code I rediscovered my old algorithm. (No, it was never used in any production environment.)



I'm wondering what type of encryption my naive self invented back then. I'm guessing it is a polyalphabetic substitution cipher, but I'm not really sure?




My Questions:



  • What type of algorithm is this?

  • How weak is it against modern day cryptanalysis and what methods would be used to break it?


What the code below does:

The algorithm encrypts and decrypts based on a set of 64 alphabets. Each alphabet consists of the same 64 characters in random order; each character is included exactly once per alphabet. This set of alphabets is effectively the key for the algorithm.



To start, the plaintext is base64 encoded. Then each individual character in the base64 encoded plaintext is substituted by a character from one of the alphabets. The first character is (always) picked from the first alphabet; for subsequent characters the alphabet is selected based on the index-number of the substituted value of the character preceding it. So, it 'encrypts' one character at a time and, if one character in the ciphertext changes, the decryption will (most likely) be garbled from that point on.



The code also adds base64 style padding to the ciphertext, in an attempt to be 'even more secure' by passing off the ciphertext as regular base64 encoded data.




The Algorithm:



Encryption is being carried out over letters from a 64-element alphabet in the following mode:



$$C_0=F_0(P_0)\quad C_i=F_{C_{i-1}}(P_i)$$



Where $F:\mathbb Z_{64}\times \mathbb Z_{64}\to\mathbb Z_{64}$ represents 64 different, random, fixed permutations forming the key.



Reference PHP-Code can be found in the revision history.







Tags: encryption

asked Apr 30 at 15:09 by Jacco (reputation 1116); edited May 1 at 6:16 by Jacco







Comments:

  • kelalaka (Apr 30 at 15:19): See Do we accept questions asking for cryptanalysis of your cipher (hash function, ...) design?

  • Jacco (Apr 30 at 15:51): @kelalaka, Yes, I read that part. But I'm not asking for cryptanalysis, I'm interested in the type of algorithm and the methods of cryptanalysis typically employed to defeat the given type of algorithms. Peer review is not part of the question at all.

  • kelalaka (Apr 30 at 15:55): See What are recommended, general strategies to start block-cipher design and/or analysis? then and Why is writing your own encryption discouraged?

  • Jacco (Apr 30 at 16:00): I'm well aware that writing your own crypto is highly discouraged. In my question I mentioned that a) the algorithm was written somewhere around 1998 and b) that I did not use it in production even then. I certainly will not attempt writing my own cipher today. I'm just interested in what type of algorithm I created back in the days when I was still naive. Also, maybe we should continue this discussion in chat instead of in the comments?
2 Answers

Answer 1 (score 2):


What type of algorithm is this?




The best capturing for this algorithm that I can see would be as "mode of operation for a tweakable block cipher" with the tweakable block cipher being the one that has keyspace size $(64!)^{64}\approx 2^{18943}$ and in its current representation uses (at least) $64^2\cdot 6=24576$ bits for key representation. The tweak size is 64 as is the message and ciphertext space. Key decoding then works by partitioning the key into 64 equal-sized strings and then using each string to identify one permutation over 64 elements. Encryption works by selecting the permutation indicated in the tweak and applying it.



Using the notation $E^{\text{Tweak}}_{\text{Key}}(\text{PlaintextLetter})$ the mode is then $$C_0=E_K^0(P_0)\quad C_i=E^{C_{i-1}}_K(P_i)$$ for a given plaintext sequence $P_i$ and the corresponding ciphertext sequence $C_i$ and the key $K$.




How weak is it against modern day cryptanalysis and what methods would be used to break it?




This construction has four main problems for modern cryptography:



  1. Ridiculous keysize (for symmetric cryptography). It takes 2.3kB to represent the key, normally our keys use 32 bytes which is plenty (because you can't search $2^{256}$ fully).

  2. Small block size. This is a problem in and of itself as an attacker can just build a dictionary of the input-output pairs by making a sufficient number of block cipher queries (this is part of the reason why modern block ciphers use 128 instead of 6 bit blocks).

  3. Deterministic Encryption. The given encryption scheme cannot be CPA secure, because it is deterministic. That is an attacker can recognize whether two encryptions yield the same value. Even worse, this scheme has the same issue as CBC (the best one could hope for in online deterministic encryption), namely it leaks prefixes. If I encrypt abcde and then encrypt abcgh under the same key, the attacker can see that the messages were equal up to abc.

  4. Lack of authentication. In theory one could think about fixing the previous point by forcing $P_0$ to be a random value (that's what CBC does). In this case this construction might be secure against CPA attackers. But of course it still isn't secure against the most standard adversary model in modern cryptography: CCA secure, that is attackers who also get to ask for decryptions (with one exception input). To break CCA security when given a challenge ciphertext of one of two possible plaintexts an attacker would simply change the last ciphertext letter and ask for the decryption and use the first few letters to determine what plaintext was encrypted.

Also if you don't understand something in this answer, please just ask (in the comments) and don't be frightened if you think "it should be obvious" or something like that.






Comments:

  • SEJPM (Apr 30 at 18:48): Actually the question whether this mode would be secure (within bounds because of the small block size) assuming $P_0$ is random would be quite intriguing...

  • SEJPM (Apr 30 at 18:53): Actually CBC would also be an instance of this mode with $E_K^T(P)=E'_K(T\oplus P)$ with $E'$ being something like AES, so I suppose one could potentially adapt the CBC security proof if one wanted to...

  • Jacco (Apr 30 at 19:12): I'm going to read your answer with a search engine as my friend. So it may take me a while to fully understand it, up to the level of detail I'm looking for.
Answer 2 (score 2):

This scheme reminds me of the Jefferson Wheel Cipher. Variants were actually used in the military, so at one point the general idea was 'secure'.



If I understand it right, the presented construct seems weaker however and suffers from a Known Plaintext Attack.



If I know P0, C0 and the algorithm then I can deduce one entry of the F0 alphabet. With 64 or so messages, I can get the full first alphabet. Given sufficient text, I can use the same idea to deduce all of the scrambled alphabets.



With these old style ciphers, it is interesting to consider if a cipher text only attack is possible. If we know that the language is US English then we can do a frequency count on the first letter of the cipher text. Based on that we can deduce some of the entries in F0. With sufficient cipher text, all of the most common letters could be pinpointed in all of the alphabets. At that point, the full set of alphabets could be unraveled with further frequency analysis and human deduction.



Working through the weakness of an older cipher is a great way to learn about modern cryptography. While there have been some big jumps, ciphers have mostly evolved against new and stronger attacks.
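A runnable model of the construction, added here as an example and not taken from the question's PHP code or from either answer: it implements the scheme as the first answer frames it (a tweakable block cipher over $\mathbb Z_{64}$ whose tweak is the previous ciphertext letter) and exposes the prefix leak and the missing authentication from that answer's points 3 and 4, plus the known-plaintext recovery of alphabet entries sketched in the second answer. The seeded key, the handling of base64 '=' padding and the sample messages are assumptions.

```python
"""Model of the chained-alphabet scheme from the question, seen as the first
answer frames it: a tweakable block cipher E_K^T over Z_64 (the tweak T picks
one of 64 permutations) in the mode C_0 = E_K^0(P_0), C_i = E_K^{C_{i-1}}(P_i).
Added example, not the question's PHP code; key layout, '=' handling and the
sample messages are constructed assumptions."""
import base64
import random
import string

# The 64 base64 symbols; a symbol's index in this string is its "index-number".
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
INDEX = {c: i for i, c in enumerate(ALPHABET)}


def keygen(seed):
    """Key K: 64 random permutations of ALPHABET (seeded so the example repeats)."""
    rng = random.Random(seed)
    perms = []
    for _ in range(64):
        symbols = list(ALPHABET)
        rng.shuffle(symbols)
        perms.append("".join(symbols))
    return perms


def e_block(key, tweak, p):
    """E_K^T(P): apply the permutation selected by the tweak to one symbol."""
    return key[tweak][INDEX[p]]


def d_block(key, tweak, c):
    """Inverse of e_block: find where the tweaked permutation placed c."""
    return ALPHABET[key[tweak].index(c)]


def encrypt(key, plaintext):
    """Base64-encode, then substitute symbol by symbol; the permutation for
    symbol i is selected by the index of ciphertext symbol i-1 (tweak 0 first)."""
    b64 = base64.b64encode(plaintext).decode("ascii")
    body = b64.rstrip("=")  # '=' is not in the alphabet; re-attached below
    out, tweak = [], 0
    for p in body:
        c = e_block(key, tweak, p)
        out.append(c)
        tweak = INDEX[c]
    return "".join(out) + b64[len(body):]


def decrypt(key, ciphertext):
    """Undo encrypt. There is no integrity check, so any input decrypts."""
    body = ciphertext.rstrip("=")
    out, tweak = [], 0
    for c in body:
        out.append(d_block(key, tweak, c))
        tweak = INDEX[c]
    return base64.b64decode("".join(out) + ciphertext[len(body):])


def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def prefix_leak(key, m1, m2):
    """Answer 1, point 3: equal plaintext prefixes give equal ciphertext prefixes.
    Returns (shared base64 symbols, shared ciphertext symbols); they are always equal."""
    b1 = base64.b64encode(m1).decode("ascii").rstrip("=")
    b2 = base64.b64encode(m2).decode("ascii").rstrip("=")
    c1, c2 = encrypt(key, m1).rstrip("="), encrypt(key, m2).rstrip("=")
    return common_prefix_len(b1, b2), common_prefix_len(c1, c2)


def decrypt_with_last_symbol_changed(key, plaintext):
    """Answer 1, point 4: a modified ciphertext is still accepted by decrypt, and
    only the final symbol's bits change, so the leading bytes come back intact."""
    ct = encrypt(key, plaintext)
    body = ct.rstrip("=")
    changed = ALPHABET[(INDEX[body[-1]] + 1) % 64]
    return decrypt(key, body[:-1] + changed + ct[len(body):])


def learn_entries_from_pairs(pairs):
    """Answer 2: every (plaintext, ciphertext) pair exposes one entry of one
    permutation per symbol, since each position's tweak is visible in the
    ciphertext. Returns {(tweak, plaintext symbol): ciphertext symbol}."""
    learned = {}
    for pt, ct in pairs:
        body = base64.b64encode(pt).decode("ascii").rstrip("=")
        tweak = 0
        for p, c in zip(body, ct):
            learned[(tweak, p)] = c
            tweak = INDEX[c]
    return learned
```

With the constructed key `keygen(1998)`, `prefix_leak(K, b"abcde", b"abcgh")` returns `(5, 5)`, and a single six-byte known-plaintext pair already fixes 8 of the 4096 key entries.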






    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    2












    $begingroup$


    What type of algorithm is this?




    The best capturing for this algorithm that I can see would be as "mode of operation for a tweakable block cipher" with the tweakable block cipher being the one that has keyspace size $(64!)^64approx 2^18943$ and in its current representation uses (at least) $64^2cdot 6=24576$ bits for key representation. The tweak size is 64 as is the message and ciphertext space. Key decoding then works by partitioning the key into 64 equal-sized strings and then using each string to identify one permutation over 64 elements. Encryption works by selecting the permutation indicated in the tweak and applying it.



    Using the notation $E^textTweak_textKey(textPlaintextLetter)$ the mode is then $$C_0=E_K^0(P_0)quad C_i=E^C_i-1_K(P_i)$$ for a given plaintext sequence $P_i$ and the corresponding ciphertext sequence $C_i$ and the key $K$.




    How weak is it against modern day cryptanalysis and what methods would be used to break it?




    This construction has four main problems for modern cryptography:



    1. Ridiculous keysize (for symmetric cryptography). It takes 2.3kB to represent the key, normally our keys use 32 bytes which is plenty (because you can't search $2^256$ fully).

    2. Small block size. This is a problem in and of itself as an attacker can just build a dictionary of the input-output pairs by making a sufficient number of block cipher queries (this is part of the reason why modern block ciphers use 128 instead of 6 bit blocks).

    3. Deterministic Encryption. The given encryption scheme cannot be CPA secure, because it is deterministic. That is an attacker can recognize whether two encryptions yield the same value. Even worse, this scheme has the same issue as CBC (the best one could hope for in online deterministic encryption), namely it leaks prefixes. If I encrypt abcde and then encrypt abcgh under the same key, the attacker can see that the messages were equal up to abc.

    4. Lack of authentication. In theory one could think about fixing the previous point by forcing $P_0$ to be a random value (that's what CBC does). In this case this construction might be secure against CPA attackers. But of course it still isn't secure against the most standard adversary model in modern cryptography: CCA secure, that is attackers who also get to ask for decryptions (with one exception input). To break CCA security when given a challenge ciphertext of one of two possible plaintexts an attacker would simply change the last ciphertext letter and ask for the decryption and use the first few letters to determine what plaintext was encrypted.

    Also if you don't understand something in this answer, please just ask (in the comments) and don't be frightened if you think "it should be obvious" or something like that.






    share|improve this answer









    $endgroup$












    • $begingroup$
      Actually the question whether this mode would be secure (within bounds because of the small block size) assuming $P_0$ is random would be quite intriguing...
      $endgroup$
      – SEJPM
      Apr 30 at 18:48










    • $begingroup$
      Actually CBC would also be an instance of this mode with $E_K^T(P)=E'_K(Toplus P)$ with $E'$ being something like AES, so I suppose one could potentially adapt the CBC security proof if one wanted to...
      $endgroup$
      – SEJPM
      Apr 30 at 18:53











    • $begingroup$
      I'm going to read your answer with a search engine as my friend. So it may take me a while to fully understand it, up to the level of detail I'm looking for.
      $endgroup$
      – Jacco
      Apr 30 at 19:12















    2












    $begingroup$


    What type of algorithm is this?




    The best capturing for this algorithm that I can see would be as "mode of operation for a tweakable block cipher" with the tweakable block cipher being the one that has keyspace size $(64!)^64approx 2^18943$ and in its current representation uses (at least) $64^2cdot 6=24576$ bits for key representation. The tweak size is 64 as is the message and ciphertext space. Key decoding then works by partitioning the key into 64 equal-sized strings and then using each string to identify one permutation over 64 elements. Encryption works by selecting the permutation indicated in the tweak and applying it.



Using the notation $E^{\text{Tweak}}_{\text{Key}}(\text{PlaintextLetter})$ the mode is then $$C_0=E_K^0(P_0)\quad C_i=E^{C_{i-1}}_K(P_i)$$ for a given plaintext sequence $P_i$ and the corresponding ciphertext sequence $C_i$ and the key $K$.

How weak is it against modern day cryptanalysis and what methods would be used to break it?

This construction has four main problems for modern cryptography:

1. Ridiculous key size (for symmetric cryptography). It takes 2.3kB to represent the key; normally our keys use 32 bytes, which is plenty (because you can't search $2^{256}$ fully).

2. Small block size. This is a problem in and of itself, as an attacker can just build a dictionary of the input-output pairs by making a sufficient number of block cipher queries (this is part of the reason why modern block ciphers use 128-bit instead of 6-bit blocks).

3. Deterministic encryption. The given encryption scheme cannot be CPA secure, because it is deterministic. That is, an attacker can recognize whether two encryptions yield the same value. Even worse, this scheme has the same issue as CBC (the best one could hope for in online deterministic encryption), namely it leaks prefixes. If I encrypt abcde and then encrypt abcgh under the same key, the attacker can see that the messages were equal up to abc.

4. Lack of authentication. In theory one could think about fixing the previous point by forcing $P_0$ to be a random value (that's what CBC does). In this case this construction might be secure against CPA attackers. But of course it still isn't secure against the most standard adversary model in modern cryptography: CCA security, that is, attackers who also get to ask for decryptions (with one exception input). To break CCA security when given a challenge ciphertext of one of two possible plaintexts, an attacker would simply change the last ciphertext letter, ask for the decryption and use the first few letters to determine what plaintext was encrypted.

Also if you don't understand something in this answer, please just ask (in the comments) and don't be frightened if you think "it should be obvious" or something like that.
• Actually the question whether this mode would be secure (within bounds because of the small block size) assuming $P_0$ is random would be quite intriguing... – SEJPM, Apr 30 at 18:48

• Actually CBC would also be an instance of this mode with $E_K^T(P)=E'_K(T\oplus P)$ with $E'$ being something like AES, so I suppose one could potentially adapt the CBC security proof if one wanted to... – SEJPM, Apr 30 at 18:53

• I'm going to read your answer with a search engine as my friend. So it may take me a while to fully understand it, up to the level of detail I'm looking for. – Jacco, Apr 30 at 19:12
answered Apr 30 at 18:47 by SEJPM
This scheme reminds me of the Jefferson Wheel Cipher. Variants were actually used in the military, so at one point the general idea was 'secure'.

If I understand it right, the presented construct seems weaker however and suffers a known-plaintext attack.

If I know $P_0$, $C_0$ and the algorithm then I can deduce one entry of the $F_0$ alphabet. With 64 or so messages, I can get the full first alphabet. Given sufficient text, I can use the same idea to deduce all of the scrambled alphabets.

With these old style ciphers, it is interesting to consider if a ciphertext-only attack is possible. If we know that the language is US English then we can do a frequency count on the first letter of the ciphertext. Based on that we can deduce some of the entries in $F_0$. With sufficient ciphertext, all of the most common letters could be pinpointed in all of the alphabets. At that point, the full set of alphabets could be unraveled with further frequency analysis and human deduction.

Working through the weakness of an older cipher is a great way to learn about modern cryptography. While there have been some big jumps, ciphers have mostly evolved against new and stronger attacks.
answered Apr 30 at 20:29 by Matthew Fisher
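One toy implementation of the mode SEJPM describes, as an added example that is not code from the question or from either answer: the key is 64 random permutations of an assumed base64-style 64-character alphabet (the page fixes no alphabet), and the three attacks the two answers sketch are run against it: the prefix leak of SEJPM's point 3, the last-symbol decryption query of point 4, and Matthew Fisher's known-plaintext recovery of the scrambled alphabets. The alphabet, the seeded key, the sample messages and the function names are assumptions of the example; `decrypt()` stands in for the CCA decryption oracle.

```python
"""Toy model of the chained-substitution mode analysed in the answers above.
Added example, not code from the question or either answer. Assumed: a base64-style
64-character alphabet (the page fixes none) and a key of 64 random permutations."""
import random
import string
from typing import Dict, List, Tuple

ALPHABET = string.ascii_letters + string.digits + "+/"   # assumed 64-symbol alphabet
N = len(ALPHABET)                                        # 64 symbols, i.e. 6-bit blocks
IDX = {ch: i for i, ch in enumerate(ALPHABET)}

Key = List[List[int]]   # key[t][p] = ciphertext symbol for plaintext symbol p under tweak t
Pair = Tuple[str, str]  # (plaintext, ciphertext)


def keygen(rng: random.Random) -> Key:
    """One random permutation of the alphabet per tweak value: (64!)^64 possible keys."""
    key = []
    for _ in range(N):
        perm = list(range(N))
        rng.shuffle(perm)
        key.append(perm)
    return key

def demo_key(seed: int = 2019) -> Key:
    """Key from a fixed seed so every run of the example is reproducible (demo only)."""
    return keygen(random.Random(seed))

def encrypt(key: Key, plaintext: str) -> str:
    """C_0 = E_K^0(P_0), C_i = E_K^{C_{i-1}}(P_i): the previous ciphertext symbol is the tweak."""
    out, tweak = [], 0
    for ch in plaintext:
        c = key[tweak][IDX[ch]]
        out.append(ALPHABET[c])
        tweak = c
    return "".join(out)

def decrypt(key: Key, ciphertext: str) -> str:
    """Inverse: undo the permutation selected by the previous ciphertext symbol."""
    inverse = [{c: p for p, c in enumerate(perm)} for perm in key]
    out, tweak = [], 0
    for ch in ciphertext:
        c = IDX[ch]
        out.append(ALPHABET[inverse[tweak][c]])
        tweak = c
    return "".join(out)

def common_prefix_len(a: str, b: str) -> int:
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

def prefix_leak(key: Key, m1: str = "abcde", m2: str = "abcgh") -> Tuple[int, int]:
    """SEJPM's point 3: without a random P_0 the ciphertexts agree exactly as far as the
    plaintexts do, so the length of the shared prefix is visible to anyone."""
    return common_prefix_len(m1, m2), common_prefix_len(encrypt(key, m1), encrypt(key, m2))

def cca_attack(key: Key, m0: str, m1: str, challenge: str) -> str:
    """SEJPM's point 4: `challenge` encrypts m0 or m1 (same length, differing before the
    last symbol). Replacing the last ciphertext symbol gives a ciphertext the decryption
    oracle must answer; only the last plaintext symbol changes, so the recovered prefix
    names the message. decrypt() stands in for the oracle here."""
    last = IDX[challenge[-1]]
    forged = challenge[:-1] + ALPHABET[(last + 1) % N]
    assert forged != challenge                   # the one input the oracle would refuse
    recovered = decrypt(key, forged)
    return m0 if recovered[:-1] == m0[:-1] else m1

def known_plaintext_recover(pairs: List[Pair]) -> Dict[Tuple[int, int], int]:
    """Matthew Fisher's known-plaintext attack: each (P_i, C_i) seen under tweak C_{i-1}
    (tweak 0 for the first symbol) fixes one entry F_tweak[P_i] = C_i of the 64x64 table."""
    table: Dict[Tuple[int, int], int] = {}
    for pt, ct in pairs:
        tweak = 0
        for p, c in zip(pt, ct):
            table[(tweak, IDX[p])] = IDX[c]
            tweak = IDX[c]
    return table

def kpa_coverage(key: Key, seed: int = 1, messages: int = 300, length: int = 64) -> float:
    """Fraction of the key table recovered from random known plaintexts (constructed
    sample input); every recovered entry is checked against the real key."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(messages):
        pt = "".join(rng.choice(ALPHABET) for _ in range(length))
        pairs.append((pt, encrypt(key, pt)))
    table = known_plaintext_recover(pairs)
    assert all(key[t][p] == c for (t, p), c in table.items())
    return len(table) / (N * N)


if __name__ == "__main__":
    key = demo_key()
    print("shared prefix (plaintext, ciphertext):", prefix_leak(key))
    m0, m1 = "attackAtDawn", "attackAtDusk"
    print("CCA guess:", cca_attack(key, m0, m1, encrypt(key, m1)))
    print("fraction of key table recovered by KPA:", round(kpa_coverage(key), 3))
```

Running the file shows the two plaintexts and their ciphertexts sharing a prefix of the same length, the CCA query naming the encrypted message every time, and a few hundred random 64-symbol known plaintexts filling most of the 64x64 key table; the dictionary attack of SEJPM's point 2 is the same table filling done with chosen rather than known inputs.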


























