[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Educational cryptanalysis competition (small prize)

To: [email protected]
Subject: Re: Educational cryptanalysis competition (small prize)
From: [email protected] (David Wagner)
Date: 18 Jul 1996 18:39:26 -0700
Newsgroups: isaac.lists.cypherpunks
Organization: ISAAC Group, UC Berkeley
References: <[email protected]>
Sender: [email protected]

In article <[email protected]>,
Peter M Allan <[email protected]> wrote:
> Obviously my crytanalysis needs some serious help.
>     Answers resembling "That's junk - use XXXXX." score zero.

If you have a n-byte plaintext P[0..n-1], define f(P) as 
	f(P) = P[0] ^ P[1] ^ P[2] ^ ... ^ P[n-1].
Now encrypt P[0..n-1] under your cipher to obtain C[0..n-1].
(Ignore the final reversible unkeyed transformation to hex,
which has no impact on security.)

My observation is that
	f(C) = rotate_byte(f(P), rot_constant) ^ key_dep_byte
no matter how many rounds you use.  Here rot_constant is a
key-independent constant, and key_dep_byte depends only on the
key (and not on the plaintext or anything).  Therefore, (for
example) knowing C[0..n-1] reveals f(P) when one known-plaintext
is available.

I'll leave it as an exercise to discover why and derive the
values of the two constants.  Hint: it's enough to prove it
for one round.

I think that I don't need to spend any more time on it (though
I am sure there are many more weaknesses lurking in the code).

In all fairness I can reasonably conclude that

	That's junk.  Use triple DES.

Take care,
-- Dave Wagner

References:
- Educational cryptanalysis competition (small prize)
  - From: [email protected] (Peter M Allan)

Prev by Date: Re: #E-CASH: PRODUCT OR SERVICE?
Next by Date: Re: Alternative Journalism
Prev by thread: Educational cryptanalysis competition (small prize)
Next by thread: FTP SW to support PGP in OnNet
Index(es):
- Date
- Thread