Polymorphic Cascade Cipher

Discussion in 'privacy technology' started by berndroellgen, Dec 4, 2012.

Thread Status:
Not open for further replies.
  1. berndroellgen

    berndroellgen Registered Member

    I'd like to announce the public availability of a new polymorphic cipher that is open source and royalty-free:

    In the thread "polymorphic cipher"on page 3, Mr.Troutman inspired me with the words ".. cascades add complexity that is of no practical benefit to cryptographic security, yet makes the implementation harder to get right."

    I was digging deeper and found an interesting paper from Mr. Gazi and Mr. Maurer:
    P. Gazi, U. Maurer. Cascade Encryption Revisited. ASIACRYPT 2009, LNCS 5912, pp. 37–51. (2009) (ftp://ftp.inf.ethz.ch/pub/crypto/publications/GazMau09.pdf)
    "In a recent paper, Bellare and Rogaway showed that in the
    ideal cipher model, triple encryption is significantly more secure than
    single and double encryption, stating the security of longer cascades as
    an open question."

    Well, I thought that it might be a good idea to make a cascade of these ciphers: AES, Twofish, Serpent, Cast-256, RC6, SEED, Camellia and Anubis
    In order to make the task to break this cascade much harder, there exist 2^24 (approx. 16 million) different ways to cascade those ciphers.

    The best thing about it is the availablility of the entire source code and that it's legal to use it in any civil application. This could be interesting for programmers and for cryptanalysts. Peer review is always good and I guess that I cannot do much more to make people interested.

    A new code breaking challenge was launched yesterday (http://www.pmc-ciphers.com/eng/content/Backround-Info/12-2012-challenge.html). Not really much can be won, but three gold coins are better than nothing as reward for breaking a 38 bit key.

    The thread "polymorphic cipher" was apparently too old to add something. So I simply try to open a new thread.

    I'm pretty busy these days. I might thus only be able to answer a bit late.
  2. x942

    x942 Guest

  3. berndroellgen

    berndroellgen Registered Member

    Oops, sorry! My mistake. The last character was missing.

    Here's the URL of the press release:http://www.pressebox.de/pressemitte...or-the-Polymorphic-Medley-Cipher/boxid/559746

    @x942 Did you find any weakness in the Polymorphic Cipher that you wanted to analyze 7 or 8 months ago? Haven't heard anything about that. So I assume that things look good here.
  4. happyyarou666

    happyyarou666 Registered Member

    thou AES 256bit would be sufficient ....for now and the next 200 years, double or triple or more ciphering is overkill imo, no need for cascading unless your really paranoid and your scared of this , not even with that hardware power will they be able to crack aes 256 in atleast another 100 years minimum


    , btw the more ciphers you use the slooooower your read/writes become as you know, and unless your running top of the line raid arrays ,id not recommend it for daily usage, once again sloooooooowwwww
    Last edited: Dec 6, 2012
  5. Techwiz

    Techwiz Registered Member

    I remember reading somewhere, correctly me if I am wrong, that using multiple encryption ciphers can weaken encryption and that properly cascading ciphers is a rather difficult and risky task. Not suggesting in anyway that this applies to the author's service/product.
  6. LockBox

    LockBox Registered Member

    Here we go again.....
  7. ComputerSaysNo

    ComputerSaysNo Registered Member

    Agreed. Really...
  8. berndroellgen

    berndroellgen Registered Member

    Well, it's open source and use is free for use in any civil application. Above of all, it's different. That makes the cipher interesting to more folks than the commentators here will admit.

    When cascading AES Rijndael, Twofish, Serpent, Cast-256, RC6, SEED, Camellia and Anubis in a pseudorandom way, a very interesting construct results. We'll see how easy it is to break short keys for this one.

    Code-breaking hardware that is dedicated to crack AES is useless here (too much RAM required and key setup time by far too long). Keys are different for each cipher and it's up to attackers to first try AES, then Twofish, followed by Serpent, Cast-256, RC6, SEED, Camellia and Anubis
    .. or is it Anubis, SEED, AES, Twofish, RC6, Cast-256, Camellia and Serpent..
    .. or RC6, then Camellia, Anubis, AES, Serpent, SEED, Cast-256 and finally Twofish..

    Plenty of choices! The cipher is actually a bridge to high-end Polymorphic Ciphers, one that people who trust in encryption algorithms that have received a lot of peer review can use without having to worry about anything.

    The source code is even good for something else: It's a handy collection of popular encryption algorithms without much overhead - and it's just another proof that it's quite easy to implement more than one cipher in one piece of software.

    Execution time: Well, all of the implemented base ciphers like AES can run very well on microcontrollers that do their work in washing machines. Consequently there's not much too worry when using them on a PC that is at least 1000 times faster.

    So it's likely that this cipher will find its way into commercial software. If such an application software would be programmed to use only 64 bit keys (by setting key bits to a static value), the advantage over a single leight-weight cipher like AES or Serpent or likewise is obvious.
    When taking this into account, this paper here makes even more sense:

    In short: Cascades of 3 ciphers and more very well increase attack security!
  9. tuatara

    tuatara Registered Member

    Thanks, Bernd.

    A nice gift to the community.
    Especially for those like me , that don't always want to bet on one and the same horse.
    And it will certainly increase some difficulty for the ones that
    are used to brute force small passwords with AES.

    Of course not everybody will be happy with this ;)

    Even if it is free and if the sources are open, as i can remember from this old thread:

    Congrats ! :thumb:

    Last edited: Dec 7, 2012
  10. happyyarou666

    happyyarou666 Registered Member

    oh yes i remember this thread , good read , very informative indeed :thumb: , as usual im always for the best and most tried of ciphers and atm theres just nothing better than to go with aes 256 like it or not , this isnt a pro aes stance by no means just choosing a safe encryption for your data thats all , hell if theyd prove that using 12 ciphers in cascade is better than one solid cipher , hell id go with it asap , thats after it was thouroughly inspected and tested dont get me wrong im all for alternative better ways, and yes ive read the above "that using multiple encryption ciphers can weaken encryption and that properly cascading ciphers is a rather difficult and risky task" , lol, just giving my 2 cents
    Last edited: Dec 7, 2012
  11. tuatara

    tuatara Registered Member

    yes, and in combination with a most commonly used password size. (< 9 chars)

    Nobody should be allowed to first encrypt with AES256 and again with any other algorithm. :D

    It is too difficult, you might make mistakes, even if the software does the work for you, it can't be right. :D

    And information on brute forcing passwords that people really used should be illegal. ;)

    hehe :D
  12. happyyarou666

    happyyarou666 Registered Member

    you should read the entirety of my post not just picking out the parts you like to make unneeded jokes about ok , 9 chars ...suuuure , whatever , over here we use high entropy 64 char passphrases and thats more than secure enough , btw i understand from the old thread that you just dont have any faith in aes 256 no more , even thou forum member cryptanalysts have explained over and over again why aes 256 is so "pushed" to the world , because its a trialed and proven safe algorithm thats why,

    not cause the nsa is scheming an evil plan to overtake the world , even with theyre new datacenter theyre building , "pushing out already cracked algorithms to the crowds" ?, lols most unlikely , thats why governments around the globe use it and corporations too , jesus get a grip -.-', and if YOU wouldve red beyond that sentence you wouldve realized im NOT the one pushing aes 256, matter of fact i welcome new ciphers, BUT they must get the attention and go through the rigorous testing aes 256 has gone through ,wich takes years! , period , no need to be such a thick head about it , do as you wish , noones stopping you but stop trying to put youre wrong point of view on matters like these , as countless people have said , its not like choosing an AV , this is a completely different matter , and here i thought i was the most paranoid around but you sir take the cake , cheers
    Last edited: Dec 9, 2012
  13. tuatara

    tuatara Registered Member

    That's very good, more difficult to brute force then the passwords that most people use! Most users choose a password with a length below the 20 chars.
    TrueCrypt for example advises as a minimum password length.

    No i really don't believe that.
    But which encryption algorithm do you think they will encounter most?
    And i don't worry about the NSA , but more about their counterparts in other, less-friendly countries.

    Me too ! Can you give some examples ?

    Wow, only because i don't prefer AES256 any longer? :D
    Last edited: Dec 9, 2012
  14. happyyarou666

    happyyarou666 Registered Member

    "Wow, only because i don't prefer AES256 any longer?"

    yeah "only" because you dont trust a tried and hardened cipher and you being overly paranoid and having a twisted point of view on encryption ciphers ? yes , and about new ciphers , im sure youd like to hear me say well pmc looks great , but it dont for so many reasons mentioned in the old thread , there arent any that have been through the

    rigorous testing and analysing high end ciphers like AES 256 have gone through and been accepted ..yet!, so no i cant give you any examples , even thou id wish i could , well just have to wait till an adequate alternative surfaces until then well just have to use "evil" ciphers like AES 256 , or you can go and use AES 256 and then encrypt all your files into a container again with another cipher like twofish as you please, thats the only secure way atm , thou i see no sense in doing so as said, since unlike you i trust in AES 256 theres no reason not to , for a real alternative thats been rigourously tested and analysed hasnt surfaced as of yet ,sorry
  15. berndroellgen

    berndroellgen Registered Member

    The good thing about cascade ciphers is that it's good for anyone:
    - for those who can't go to bed without AES
    - for those who are looking for a cipher that even secures data protected with short passwords

    But somehow I have the feeling that those who pretend to love AES256 were the same who said that DES can never be broken. Once AES is broken, they will move on to the next tiny construct and pretend that this one is the ultimate thing.
    The way that an encryption algorithm is defended is bizarre and suspicious. AES is an algorithm. Nothing more. Has nothing to do with religion. But has to do with money and with control.

    People out there are not dumb. They realize very well what goes on here and that there is extensive peer review underway right now. I've so far launched three code-breaking challenges. The first one was very tough for any attacker. The second was very risky for me. 32 bit key length are almost nothing - for any cipher!!! This challenge (with the cascade cipher) is again very risky for me. 38 bit are shorter than the former limit for crypto export restriction (40 bit until 1999 I think). The cascade cipher has a small block size. That's why a 38 bit key was chosen.
    It is very likely that quite a number of offspring cryptanalysts are right now analyzing the new cascade cipher for weakneses just because it's popping up recently and because it's surely good practice to try and analyze new stuff from time to time. If somebody unveils the passphrase by pure chance or by successful analysis, they'd surely publish that here or in some other forum. It's not more than 6 characters! Let's be honest - it's a very small number of possibilities!

    If on the other hand the passphrase is not identified until January 03, 2013, there is a certain likelyhood that the proposed cipher is not that bad.

    For quite a number of folks this is the best kind of peer review!
  16. tuatara

    tuatara Registered Member

    Indeed, AES256 with less then 20 chars is considered to be unsafe:

    From: http://www.truecrypt.org/docs/choosing-passwords-and-keyfiles
    happyyarou666 wrote on AES256:

  17. LockBox

    LockBox Registered Member

    Or, could it be nobody pays you any attention anymore? Your last comment in red (above) shows why. You equate serious peer review with your online contests and think they're the "best kind of peer review'?? Really?

    By the way, as much as you try to make this about AES - it isn't. It's about your PT Barnum marketing. Period. I still can't believe that last sentence of yours.

    If you had any respect - it's gone now.
  18. happyyarou666

    happyyarou666 Registered Member

    "But somehow I have the feeling that those who pretend to love AES256 were the same who said that DES can never be broken. Once AES is broken, they will move on to the next tiny construct and pretend that this one is the ultimate thing.
    The way that an encryption algorithm is defended is bizarre and suspicious. AES is an algorithm. Nothing more. Has nothing to do with religion. But has to do with money and with control."

    lols seriously money and control , oh boy now here we go again berndroellgen and AGAIN with the completely wrong understanding of what people replied to him , jesus,

    lemme explain it for you again , NOONE ever said anything about DES not being crackable NOONE ,except for your false comprehension,in the old thread http://www.wilderssecurity.com/showthread.php?t=321583

    this has been explained many times over to you and youve apparently somehow blocked it out of youre comprehension , anyhow as many people including me have said that choosing an cipher or ciphers is not about wich is "best" its about how secure and how many institutions and people have rigourously trialed and used it , its not an AV! , and no this is not about

    "pushing" a single cipher as you still may think , that would be pretty serious , cause that would mean every cryptanalyst out there would be a fake except for youre graciousness that seems to invented the holy grail of ciphers, yeah most unlikely, no offense , but reading youre posts and noticing youre stubornness to be open-minded about ciphers and how security in general views ciphers leaves me with doubt about youre , new cipher, sorry , wish id be able to be more positive about it but you leave little to no room in this situation , good luck
    Last edited: Dec 12, 2012
  19. tuatara

    tuatara Registered Member

    Perhaps it was better to have separate AES and Polymorphic Cascade Cipher
    threads , it turns into a A versus B here.
  20. berndroellgen

    berndroellgen Registered Member

    A vs. B: yep, if it really was purely A vs. B, then it would even be nice:
    Challenge with reduced key length:
    AES with key reduceed to 38 bit: Easy to break.
    Polymorphic Medley Cipher with key reduceed to 38 bit: probably not so easy to break (otherwise I'd not bet a few gold coins on that).

    Obviously I must have lots of credibility! You can only lose what you have. People here are quite eloquent. It would have been easy to write: "you have lost any credibility since over a decade".

    About not being open-minded:
    Sorry, but unbiased readers might not be able to believe that. Somebody who proposes long key setup times, variable block lengths and variable ciphers is automatically quite open-minded.

    About the quality of real peer review - and this is actually very important:
    The Enigma (Germany, very popular encryption device in WW2) received extensive peer review by German experts in the late 1930's and the leader of the German submarine fleet was repeatedly affirmed that the thing could not be broken by the enemy. That's the kind of peer review that you think of.
    We know that it was broken. The real challenge was accepted by clever experts on the other side of the Britsh Channel and that kind of peer review was demonstrably successful.

    Ok, here the motivation is different. But it's easy to see that it would be nice for some folks to be able to post "this is the keyphrase: 123456". I might subsequently have a tough time to explain that a 38 bit key is "nothing".
    The Enigma was certainly used with the full key length. I cut the key length from 128 to 38 bit in order to account for the fact that the challenge is not as important as winning or losing a war.

    Again: An 38 bit key used with AES is no protection for the data at all. Any expert in this field will agree.
    Might it be possible that there exist ciphers that perform better with short keys? Probably YES.

    Let's be open-minded!
  21. berndroellgen

    berndroellgen Registered Member

    But it was a government standard for data encryption. Right?

    The following quote is from here:

    "We would like the government to finally admit that DES is not secure and to encourage stronger cryptography," said Barry Steinhardt, EFF president.
  22. tuatara

    tuatara Registered Member

    Of course it was the standard before AES:



    But also:

    For the record, please try to read the above Wiki pages in other languages as well,
    in a several languages i have checked, the information is more complete then in the English pages.
    Last edited: Dec 13, 2012
  23. Hungry Man

    Hungry Man Registered Member

    You could probably a couple hundred million passwords per second but it would likely be a few thousand dollars of hardware. I doubt anyone on this forum is willing to spend the money on that type of system and then customize it to work with this, I don't even think the amount of gold would pay for it. But if you're looking at this level of encryption I expect your data to be far far far more valuable than gold, and your attacker to be very willing to spend more than a couple thousand dollars. 6 characters with a character set of 95 just doesn't seem like enough. I would not substitute a competition where the cost/ benefit is really unclear for peer review. I'm not sure how to go about that, would you submit it to NIST or some organization? Have you looked into this?

    You say 50ms for an i7-950. What about a GPU, something that seems far more typical. What about a Tesla M2050? Or even just an ATI 7970? Serious questions, I'm wondering what kind of speeds you've gotten when you tested your software on GPU/ hardware meant to crack passwords.

    Most of those are fairly GPU friendly. With custom hardware I don't see these being so significant. Why not implement scrypt/bcryp to iterate a single one or multiple instead, this seems much more useful than slapping on as many as you can find? Not familiar with Tiger.

    I assume the reason you're stacking is to avoid problems where algorithms get sped up - like we've just recently seen with SHA2, where it got another 12% speed boost by cutting out redundant areas. But if you stretch enough, does it really matter? My point is that if I stretch MD5 enough it won't make a difference whether or not you can cut speed down, after 500,000 iterations your GPU's gonna have issues, especially if you're using bcrypt/scrypt. Obviously I'm not suggesting MD5, I'm just saying why use 5 ciphers once instead of, say, one cipher 1,000x, or all of them 1,000x? It seems that the problem is almost always "hashes are too fast" not "hashes are cryptographically insecure", so the solution, to me, would be to slow them down as much as possible. You've slowed them down by using multiple cyphers but not nearly as much as you could by simply iterating a single hash over and over in scrypt/bcrypt/pbkdf2 - your approach seems more inclined to preventing flaws in the crypto from being used to accelerate. Or is that not the approach? Because those flaws still exist - if I can reduce the time it takes for one sha512 iteration by 5% I can do the same to the SHA512 iteration used in your program, what you've done doesn't, to me, seem more effective than me implementing 1,000 iterations of SHA512.

    I'm sure your familiar with meet-in-the-middle attacks. This isn't necessarily directly relevant but I think the issue really speaks to cryptography. The idea of taking multiple keys to encrypt the data logically makes sense, you should theoretically increase the time to x^n*n. Makes sense... until people really took a look at it. Turns out this idea was not nearly as effective as some might have thought, the benefits were significantly less than expected.

    I'm not saying your cypher is weak to mitm attack, my point is more that people will be skeptical because, in the past, ideas that seem practical end up not being nearly as good as they look from afar.

    Not trying to pick anything apart. I honestly want to know what the design decisions are based on - the issues you're trying to solve. I'm willing to listen to the idea.
    Last edited: Dec 14, 2012
  24. LockBox

    LockBox Registered Member

    Hungry Man, You make some good points. You have more patience than I do because we've been dealing with Bernd for - what? - close to 15 years now? Always marketing hype but he fails to simply take the necessary steps to be taken seriously. He knows good and well what this entails.

  25. Hungry Man

    Hungry Man Registered Member

    Patience follows boredom.
Thread Status:
Not open for further replies.