Path: msuinfo!midway!ncar!elroy.jpl.nasa.gov!usc!cs.utexas.edu!peyote!ritter

From: ritter@peyote.cactus.org (Terry Ritter)

Newsgroups: sci.crypt

Subject: Design of Cryptosystem CLOAK

Keywords: cipher dynamic substitution additive RNG cloak

Message-ID: <3492@peyote.cactus.org>

Date: 16 Nov 90 21:32:32 GMT

Distribution: usa

Organization: Capital Area Central Texas Unix Society, Austin, TX

Lines: 294





     Apparently something went wrong with the first post -- if this

is a duplicate, sorry!





      If you found the source for the CLOAK cipher a bit much, or

even irritating, you are not alone.  Gee, folks, I just don't use

C much; I prefer Turbo Pascal.  A short "theory" document was

included in the distribution file CLOAK.ZIP which is on many

bulletin boards.  But I was worried about message length, and did

not include it in the CLOAK posting here.  



      Basically, CLOAK is a stream cipher, with an improved and non-

linear combiner design (instead of the usual linear exclusive-OR),

and an improved Random Number Generator (with up to 44K of internal

state).  The sequence of operations is approximately as follows:  



      * A textual User Key is processed into 992 bits

      * The User Key bits initialize a large RNG

      * The RNG is extended

      * A 992-bit "really random" Message Key is created

      * The RNG is used to XOR-cipher the Message Key

      * The plaintext Message Key re-inits the RNG

      * The RNG is extended to operational length 

      * The RNG is used to init the Dynamic Substitution tables

      * The RNG and Dynamic Substitution encipher plaintext data



      Since an enciphered Message Key is added to every enciphered

file anyway, additional header information is also added.  This

includes a flag to indicate "enciphered," and values which indicate

the cipher technique being used.  In this way, the design can be

extended in the future, and yet still remain compatible with

existing enciphered files.  



      The cryptographic RNG is an Additive design, which is based on

some arbitrary primitive mod 2 polynomial; GFSR designs using

trinomials of degree 521 have been reported.  The CLOAK RNG uses

particular primitive 9-nomials found by the author, and includes a

selection between degrees 1279, 4253, and 11213 when enciphering. 

This is a very big RNG.  



      Should you wish to work on breaking CLOAK, please first work

on breaking the Dynamic Substitution demo DYNSUB.PAS posted here

last year.  Using the Turbo internal LCG RNG, without a message

key, and just a single level of Dynamic Substitution, an attack

should be far easier, and may demonstrate methods which could be

used on the larger system.  









                          CLOAK DESIGN THEORY



                             Terry Ritter

                              26 Oct 1990





CLOAK was designed to be a strong cipher.  Of course, most cipher

programs produce ciphertext which seems to be complex, but very few

available ciphers could be expected to win a confrontation with

professional cryptanalysts and their fast computers.  



CLOAK was designed to be as simple as possible, so that the design

could be fully revealed.  The usual practice is to invent a

"proprietary" cipher, and keep the design secret.  What this really

means is that serious cryptanalysts will know the design, while

buyers and users will not; a strange situation indeed.  



At this point in the public development of cryptography, there is

still no practical cipher which is provably secret.  Since the

design of CLOAK is open to examination, each expert may come to

their own conclusion as to its strength.  





STREAM CIPHERS

      CLOAK is an example of a stream cipher.  The classical Vernam

stream cipher simply combines plaintext data with the output from

a random number generator in an additive combiner, which is often

a single exclusive-OR gate or XOR operation.  



Unfortunately, additive combiners are inherently susceptible to

"known plaintext" attacks.  Moreover, most random number generators

have only a tiny amount of internal state, and are easy to break. 

Such a system is really a "toy" cipher.  



CLOAK improves upon the classical stream cipher design with a

completely new class of cryptographic combiner (patent pending), a

very large cryptographic random number generator, and "really

random" message keys.  



Alternative design approaches include DES, which is now rather

small, and RSA, which is slow and complex.  Public-key systems may

seem to improve the key-distribution situation, but they also

forego the inherent source verification of a secret-key system. 

This can be overcome only with complex and precise protocols, thus

adding even more complexity to the system.  



CLOAK is a secret-key system, which means that it is necessary to

somehow get the secret key to the far end, so that enciphered

messages may be deciphered.  However, once this is done, only those

possessing the secret key may cipher messages in that key.  A

secret-key system thus mimics the use of a house key, and has

similar problems and risks.  





DYNAMIC SUBSTITUTION COMBINER

      The new cryptographic combiner can be described as an

extension of classical Simple Substitution.  In simple

substitution, each plaintext data value is translated into a

ciphertext value using a substitution table.  The innovation of

Dynamic Substitution is to re-arrange the content of the

substitution table after every substitution operation.  In this

case, the just-used substitution is exchanged with some

substitution selected at random.  



The result is a non-linear combiner with a substantial amount of

internal state.  Only non-linear combiners make sense when several

are used in sequence; linear additive combiners do not.  



In CLOAK, I have used a two-level Dynamic Substitution design.  The

first level randomizes the incoming data, and the second level has

16 separate combiners selected for use at random.  Because the

second-level combiners are used at random, it should be difficult

for a cryptanalyst to work on the content of any particular

substitution table.  



Dynamic Substitution technology is patent-pending.  





CRYPTOGRAPHIC RANDOM NUMBER GENERATOR

      The usual computer-language random number generator (RNG) is

a 32-bit linear congruential generator (LCG), and can be solved

very easily given one, or perhaps a few of the random values.  This

is a very weak cryptographic design.  



The generator I selected for use in CLOAK is the Additive RNG, as

discussed in Knuth II.  



The strength of an RNG is at least partially related to the amount

of its internal state, and the ones designed for statistical

service are rather small.  But the Additive generator is easily

customized, and can be made one or more bytes wide.  For CLOAK, the

width has been set at 32 bits.  



The Additive generator can also be made as long as desired,

provided that one can find primitive mod 2 polynomials of large

degree.  For CLOAK primitives have been found at degrees 1279, 4253

and 11213.  Thus, the amount internal state can be 11213 times as

large as the usual computer language LCG RNG.  



There are billions of acceptable polynomials; the particular ones

selected for use in CLOAK are protected by copyright.  





JITTERIZER

      Despite its size, the Additive generator is nonetheless a

linear system, and thus "easily" solved (assuming a cyptanalyst

gets past the combiners).  Naturally, the manipulation of 11,000

equations in 11,000 unknowns of 32-bits each might be expected to

slow cryptanalysis somewhat.  Nevertheless, it is still necessary

to add some sort of isolation mechanism to hide the true sequence

from analysis.  



For CLOAK, I have devised a mechanism which periodically deletes

some of the Additive RNG result values from the output stream.  A

random number of values are deleted after a random number of steps. 

In addition, each group of values is given a separate value offset. 

This should make cryptanalysis a real exercise; certainly the

jitterizer cannot be expected to make cryptanalysis any easier.  





THE MESSAGE KEY

      An RNG will produce a particular sequence of random numbers

after being initialized from a particular key.  Thus, when the

usual stream cipher is used twice with the same key, the messages

will be combined with the same sequence.  But one of the properties

of additive combiners is that repeated sequences can "canceled

out," thus leaving a combination of two plaintext messages.  Such

a combination is likely to be broken easily.  



Consequently, it is important that the same sequence not be used

for each message.  This could be done, for example, by having a

different User Key for each message.  But this is surely

unacceptable, for who could remember that many keys?  Who could

transfer that many keys to the far end with any degree of secrecy? 



An alternative is to use a different key for each message, but do

so only internally.  Each Message Key is enciphered and included in

the message header; the User Key is used to encipher and thus

protect the message key.  



Each message key is a "really random" value which is created

dynamically for each message.  Because the message key is a truly

arbitrary value, and since most cryptanalysis methods require that

a message "make sense," an enciphered message key will be very

difficult to crack.  



Another advantage of the message key is that it can be made quite

large, as well as random.  CLOAK uses a message key consisting of

31 values of 32 bits each; a 124-byte message key (992 bits).  This

is enough to directly initialize a degree-31 Additive RNG, which is

then stepped until enough data are produced for a degree-127 RNG,

etc.  Thus, the "really random" message key automatically satisfies

many of the questions about a statistically correct initialization

of the RNG.  It also reduces the need for extreme length in the

user key.   





THE USER KEY

      Although the User Key is used only to protect the message key,

it must initialize an RNG in order to do so.  This initialization

should be as arbitrary as possible.  I decided to use LFSR or CRC

technology to perform a polynomial division of the textual key, and

use remainders as the initialization value.  



The user key is processed by 32 degree-31 polynomials, thus

producing 32 different results of 31 bits each.  By eliminating the

unused bits, 31 values of 32 bits each are produced; this is

exactly the right amount of data to initialize a degree-31 Additive

RNG.  By stepping the Additive RNG, it will eventually fill enough

to initialize a degree-127 RNG, and so on.  



CLOAK collects the user key from the keyboard into a string with a

maximum length of 255 bytes; thus, up to 2040 bits of randomness

are collected.  This is then reduced (or expanded) to the 992 bits

needed for degree-31 Additive RNG initialization.  CLOAK does not

insist on a long user key, but the serious user will create very

unique keys of 30 characters or longer.  



There are millions of acceptable degree-31 primitive mod 2

polynomials; the particular ones selected for CLOAK are protected

by copyright.  







SELECTED BIBLIOGRAPHY

      .  Beker, H. and F. Piper.  1982.  Cipher Systems.  John

Wiley: New York.

      .  Blum, L., M. Blum and M. Shub.  1986.  A Simple

Unpredictable Pseudo-Random Number Generator.  SIAM Journal of

Computing.  15: 364-383.  

      .  Chaitin, G.  1975.  Randomness and mathematical proof. 

Scientific American.  232(5): 47-52.  

      .  Ciarcia, S.  1986.  Build a Hardware Data Encryptor. 

Byte.  Sept: 97-111.  

      .  Devours, C., D. Kahn, L. Kruh, G. Mellen, B. Winkel.

1987.   Cryptology Yesterday, Today, and Tomorrow.  Artech House: 

Norwood, MA.  

      .  Geffe, P.  1973.  How to protect data with ciphers that

are really hard to break.  Electronics.  46(1): 99-101.  

      .  Golomb, S.  1982 (original 1967).  Shift Register

Sequences.  Aegean Park Press:  POB 2837, Laguna Hills, CA 92653. 

      .  Kahn, D.  1967.  The Codebreakers.  Macmillan: New York. 

      .  Knuth, D.  The Art of Computer Programming, Vol. 2,

Seminumerical Algorithms.  2nd ed.  Addison-Wesley: Reading,

Massachusetts.  

      .  Kochanski, M.  1987.  A Survey of Data Insecurity

Packages.  Cryptologia.  XI(1): 1-15.  

      .  Kochanski, M.  1988.  Another Data Insecurity Package. 

Cryptologia.  XII(3): 165-173.  

      .  L'Ecuyer, P. and R. Proulx.  1989.  About Polynomial-

Time "Unpredictable" Generators.  Proceedings of the 1989 Winter

Simulation Conference.  467-476.  

      .  Lu, S.  1979.  The Existence of Good Cryptosystems for

Key Rates Greater than Message Redundancy.  IEEE Transactions on

Information Theory.  IT-25(4): 475-477.  

      .  MacWilliams, F. and N. Sloane.  1977.  The Theory of

Error-Correcting Codes.  North Holland:  Amsterdam / New York.  

      .  Marsaglia, G.  1984.  A current view of random number

generators.  Proceedings of the Sixteenth Symposium on the

Interface Between Computer Science and Statistics.  3-10.  

      .  Marsaglia, G. and L. Tsay.  1985.  Matrices and the

Structure of Random Number Sequences.  Linear Algebra and its

Applications.  67: 147-156.  

      .  Pearson, P.  1988.  Cryptanalysis of the Ciarcia

Circuit Cellar Data Encryptor.  Cryptologia.  12: 1-10.  

      .  Plauger, P.  1988.  Locking the Barn Door.  Computer

Language.  October, 17-22.  

      .  Retter, C.  1984.  Cryptanalysis of a Maclaren-

Marsaglia System.  Cryptologia.  8(2): 97-108.  (Also see 8(4):

374-378.)  

      .  Retter, C.  1985.  A Key-Search Attack on Maclaren-

Marsaglia Systems.  Cryptologia.  9(2): 114-130.  

      .  Ritter, T.  1990.  Substitution Cipher with Pseudo-

Random Shuffling:  The Dynamic Substitution Combiner.  Cryptologia. 

XIV(4): 289-303.  

      .  Siegenthaler, T.  1985.  Decrypting a Class of Stream

Ciphers Using Ciphertext Only.  IEEE Transactions on Computers. 

C-34(1): 81-85.  

      .  Vahle, M. and L. Tolendino.  1982.  Breaking a Pseudo

Random Number Based Cryptographic Algorithm.  Cryptologia.  6(4):

319-328.  

      .  Wolfram, S.  1986.  Random Sequence Generation by

Cellular Automata.  Advances in Applied Mathematics.  7: 123-169. 

