|
THE "GodSave" ENCRYPTION ALGORITHM version 3 December 28, 1998 Author: Dianelos Georgoudis, TecApro International Click here to download (international web site located in Costa Rica): Pascal source code (ASCII file,
75 kBytes) GodSaveF (a free DOS disk file encryption utility, self-extracting EXE file, 105 kByte)
Contents :PART 1: The Algorithm and the Source Code 1. Introduction 2. Description of the algorithm 2.1. The basic GodSave algorithm 2.2. Optional features of the GodSave algorithm 2.2.1. Multiple rounds
2.3. The Scrambler 2.3.1. Variability of code
executed 2.4. Encryption 2.4.1. The "style" parameter 2.5. Key processing 2.6. Security of GodSave 2.7. Performance of the algorithm 2.8. The pseudo-random number generator 3. The source code 3.1. Rights of use 3.2. Availability of the source code 3.3. Modifying the GodSave algorithm 3.4. Products that incorporate GodSave encryption 3.5. Future versions and communication PART 2: Ideas, observations and open questions 4. The key distribution problem 5. Other ideas concerning GodSave 5.1. Recursive Karn 5.2. Variable random number generator 5.3. The affinity between ciphers, scramblers and RNGs 6. The ethics of data encryption
Normal encryption algorithms, such as the IDEA encryption algorithm that is used by PGP, apply a single complex function to the plaintext and the key in order to produce the ciphertext. Since the algorithm is public this means that even though the data flow in the algorithm is unknown, the operations applied to this data flow are known. Any such encryption algorithm can by cryptanalysed and maybe broken. For example, we can be sure that there are a lot of smart people with a lot of expensive equipment trying to break IDEA right now, in fact it may have been broken already. If a commonly used encryption algorithm has already been broken by some agency we can be sure that the same agency will do all that they can in order to get it trusted and used by many organizations. The GodSave encryption algorithm which is described in this paper represents a departure from the normal approach. It does not employ a single encryption function, but rather it employs a very large family of different encryption functions and it chooses one of them every time it encrypts a new block of plaintext. The choice of which encryption function is applied depends both on the key and on the plaintext. With traditional encryption algorithms an attacker knows exactly what operations are applied to the plaintext and key. With GodSave what the algorithm does is variable so the attacker does not know what operations are applied to the plaintext and the key, even though the algorithm itself is public. By keeping secret not only the key but also what is done to the key and the plaintext the GodSave approach tries to maximize the security of the encryption algorithm, regardless of the current or future state of the art of cryptanalysis. Even more important, the GodSave algorithm can very easily be modified to produce non standard versions. The principal design criteria of GodSave encryption algorithm are: A . What the algorithm does to the plaintext must be variable, depending on both the key and the plaintext. Version 3 has at least 2^1636 variations and when used at the level of security recommended it has at least 2^1836 variations, assuming a sufficiently large key is used. (By a "variation" I mean a different sequence of computer operations that is applied on the plaintext in order to encrypt it.)B . The security of the algorithm is much more important than its speed. Since the state of art of cryptanalysis is unknown, it is best to assume the worst and use overkill at all levels of the algorithm.Many of the encryption algorithms used today are based on developments from a time when computers were expensive and slow. Many of these algorithms were relatively simple and designed to be implemented in hardware. The design of the GodSave algorithm takes full advantage of the power of modern technology and the flexibility that a pure software implementation offers. For example, the GodSave algorithm uses an encryption key of 256 bytes (2048 bits) which greatly enhances the security of the algorithm. C. Render a broad range of attacks virtually impossible even if at the cost of increasing the size of the ciphertext. The GodSave algorithm can combine the user key with a good organization-wide master-key in order to defend against dictionary attacks, or careless safeguarding of personal passwords. GodSave can also randomize the key and/or the plaintext before encrypting. When used at this level of security, GodSave will virtually never apply the same encryption function twice or use the same plaintext or key twice. The penalty you pay is an increase of 32 bytes in the size of the ciphertext per block encrypted and an encryption/decryption rate of one kByte per second per MHz when using a Pentium processor. These are limitations which should be acceptable in most situations. Consult section 2.7 for more information about the speed of GodSave.The GodSave algorithm is implemented in Pascal and should be available in C by the time you read this. The source code contains some 8086 assembly language routines for the definition of the 32 hash functions. These routines can easily be translated into other assembly languages. The GodSave interface is simple and flexible allowing the encryption of blocks of size between 16 bytes and 1024 bytes. Currently, GodSave does not include key distribution and user authentication utilities that are important for the creation of a distributed secure system. The RSA public key cryptography is well known, but patented, and possibly insecure because it depends on an unproved mathematical premise. Also, in many cases, e.g. closed organizations, there are other possibilities for solving the key distribution problem. For more ideas on this matter see section 4. The remainder of this document is in two parts. The first part provides a complete description of the GodSave algorithm. The second part contains some general ideas about security. 2. DESCRIPTION OF THE ALGORITHM The GodSave algorithm is based on a very elegant idea of Phil Karn. Take a plaintext of 2N bytes and split it into two halves T1 and T2, each of N bytes. Also split the encryption key into two halves K1 and K2. Now find a very good one way hash function S and use it to scramble the "concatenation" of K1 and T1 in order to produce a block of N bytes which you then XOR (exclusive OR) with T2 to produce C2 a block of N bytes which is the second half of the ciphertext: S( K1, T1 ) xor T2 -> C2 In a similar manner, scramble the other half of the key K2 with C2 (the ciphertext already computed) and XOR it with the first half of the plaintext T1 to produce C1 the first half of the ciphertext: S( K2, C2 ) xor T1 -> C1 The complete ciphertext is the concatenation of blocks C1 and C2. In order to decrypt the ciphertext, repeat the operation in reverse order. Split the ciphertext (C1,C2) in two halves C1 and C2. Now scramble C2 with K2 and XOR the result with C1 in order to produce the first half of the plaintext T1, a block of N bytes: S( K2, C2 ) xor C1 -> T1 Now that you know T1 you can compute T2 as follows: S( K1, T1 ) xor C2 -> T2 The beauty of Karn's idea is that its security is based on the quality of the scrambler S. If you can create a good scrambler then you can create a good encryption algorithm. By the way, Karn put his idea in the public domain, which is the main reason I did the same with GodSave. Before I describe the GodSave algorithm I want to introduce my terminology. I use the term "scrambler" for a one-way hash function that produces a block of data of the same size as the original block, and "hash function" for a one-way hash function that reduces the size of the block that it processes. A byte is a 8 bit value. 2.1. THE BASIC GODSAVE ALGORITHM The GodSave algorithm is based upon Karn's method but it differs from it in three ways. The first change I made was to introduce a parametric scrambler. I start by dividing the key in four equal parts: K1s, K1t, K2s, K2t. The component K1t is used as the first half of the encryption key and the component K1s is used to select from the very large number of scramblers available the one to be used to encrypt the first half of the plaintext T1: S ( K1t, T1 ) xor T2 -> C2 In a similar manner K2t and K2s are used to encrypt the second part of the ciphertext to produce the first half of the ciphertext: S ( K2t, C2 ) xor T1 -> C1 To decrypt the ciphertext (C1,C2) the operations are applied in reverse order: S ( K2t, C2 ) xor C1 -> T1 S ( K1t, T1 ) xor C2 -> T2 As you can see, the sub-keys K1t and K2t are used to modify the data to be scrambled, and the subkeys K1s and K2s are used to select a scrambler, that is they define how the data will be scrambled. Since GodSave uses a key of 256 bytes each sub-key is still a very large 64 bytes (512 bits) long. The second change I made was designed to remove a weakness in Karn's algorithm which was detected by Luby-Rackoff. This can be illustrated as follows: suppose that we know the plaintext (A,B) and we know that it produces a ciphertext (X,Y), and that we also know that the plaintext (A,C) - in which we know that the first half of the message but we do not know the second half - produces a ciphertext (W,Z). Then we can compute the unknown plaintext C as follows: The first stage in the encryption of first message gives us: S( K1, A ) xor B -> Y; therefore S( K1, A ) = B xor Y The first stage in the encryption of second message gives us: S( K1, A ) xor C -> W; therefore C = S( K1, A) xor W Combining these two results gives us the value of C in the form: C = ( B xor Y ) xor W GodSave avoids the weakness in Karn's algorithm by always modifying the first half of the plaintext before encrypting it. This can be achieved by replacing the first half of the plaintext T1 by the (T1 xor T2) before applying the original algorithm. Thus GodSave's version of the Karn algorithm (without parametrization) is : To encrypt S( K1, T1 xor T2 ) xor T2 -> C2 To decrypt: S( K2, C2 ) xor C1
->
(T1 xor T2 ) There still remains a weakness in the much rarer case in which the XOR of the two halves of a plaintext is known (but not the plaintext itself). I cannot imagine any real world situation where such a case arises. Furthermore, GodSave does not actually split the plaintext in two, but rather distributes the bytes of the plaintext in two halves and modifies them in a complicated manner that depends on the key, eliminating this weakness. After encrypting, it re-unites the two halves in another complicated way that depends on the key. Additonaly, GodSave also allows for "multiple Luby-Rackoff rounds" which is the definite solution to this type of problem ( see below).The third change I made is designed to defend against dictionary attacks, that is against the situation in which the attacker tries to determine the encryption key by testing in turn the values in a dictionary of potential keys. Dictionary attacks are based on the fact that people do not like to have to remember long or complicated keys or passwords and so very often use quite simple ones. No matter how good the encryption algorithm, if an attacker tries a few million possibilities and in this way is able to discover the encryption key of just a few users then the security of the entire organization could be compromised. In the GodSave algorithm I defend against this kind of attack by introducing the concept of a secure "master key". The algorithm uses the master key to generate an encryption key. The procedure used is the following: before encrypting or decrypting a text, first GodSave XORs the master key with a real random sequence which is include in the code of GodSave, in order to erase any "statistical features" in the master key itself; next it combines the result with the user key; and finally, it scrambles the result to produce the "real" key that is subsequently used to encrypt or decrypt a block of data (for more information about this, see section 2.5 about Key Processing).As long as the organization creates a fairly good master key and keeps it secret (even from its own employees), it doesn't need to worry about its employees using simple personal keys. It does not even need to worry about employees selling their key to the competition! For added security the organization can periodically change the master key or maintain a hierarchy of master keys. See section 4 for more ideas on this matter.A final note: For operational reasons GodSave does not concatenate the key and plaintext before applying the scrambler, but rather combines them in a different manner (through operations XOR). Here is the detailed description of two rounds GodSave: To encrypt: process( master-key, user-password ) -> K1t, K1s, K2t, K2s, Ksep, Kuni separate ( T )
->
T1, T2 S ( K1t, T1 xor T2 ) xor
T2 -> C2 S ( K2t, C2 ) xor ( T1 xor T2 ) -> C1 unite ( C1, C2 )
->
C To dencrypt: process( master-key, user-password ) -> K1t, K1s, K2t, K2s, Ksep, Kuni separate ( C )
->
C1, C2 S ( K2t, C2 ) xor C1
-> ( T1 xor
T2 ) S ( K1t, T1 xor T2 ) xor C2 ->
T2 ( T1 xor T2 ) xor T2 -> T1 unite ( T1, T2 )
->
T 2.2. OPTIONAL FEATURES OF THE GODSAVE ALGORITHM GodSave includes several optional features designed to strengthen its security. All of these optional features can be used individually on in a combined manner. Luby-Rackoff, who detected the weakness in Karn's algorithm, proposed another way to avoid it. His idea was to use Karn's algorithm twice, i.e. Karn( Karn( T ) ) -> C, that is to say the plaintext (T1-T2) is first encrypted into (X1,X2) which is then encrypted again to produce the ciphertext (C1,C2). To further increase security a different set of keys is used for the third and fourth round. Thus the double Karn algorithm (or four-round Luby-Rackoff) is: to encrypt: S( K1, T1 ) xor T2 -> X2 to decrypt: S( K4, C2 ) xor C1 -> X1 The GodSave algorithm allows four, six and eight rounds of Luby-Rackoff encryption as an option. For example, the GodSave version of six rounds Luby-Rackoff encryption is as follows (observe that different keys are used in each round): To encrypt: separate( T )
->
T1,T2 To decrypt: separate( C
) ->
C1, C2 2.2.2. KEY AND TEXT RANDOMIZATION Apart from dictionary attacks which were treated in the previous section, most cryptanalytic attacks belong to one of two types: known plaintext attack or chosen plaintext attacks. Here the attacker studies a large number of plaintext-ciphertext pairs, and tries to deduce the key used to perform the encryption. GodSave includes two optional features to defend against these types of attack: a) The first of these options allows the user to randomize the key so that the algorithm virtually never uses the same key twice. The procedure is as follows: before encrypting a message GodSave substitutes 16 bytes of the user key with a value produced by a pseudo random number generator. It then uses the parametric scrambler, with a scrambler key unknown to the attacker, to scramble the entire key and thus distribute the change throughout the key. By applying this procedure you can generate 2^128 different "working" keys for each user key, which means that for all practical purposes the algorithm will never use the same key twice. The 16 random bytes used to generate the "working" key are appended to the end of the ciphertext after being encrypted by a simple method. However even if an attacker knew these 16 bytes, he wouldn't be able to compute the "working" key because he does not know the scrambler key that was used.The pseudo random number generator used is not part of GodSave and must be provided by the user. (The source code includes a very simple generator that you can use if you like.) When multiple rounds encryption is used (4, 6 or 8 rounds of Luby-Rackoff) then the corresponding keys are randomized too. b) The second option allows the user to scramble the plaintext so that the algorithm virtually never encrypts the same plaintext twice. The procedure is as follows: before encrypting a message, GodSave combines 16 randomly generated bytes with the key (optionally already randomized), then it uses the parametric scrambler to scramble this, using another scrambler key unknown to the attacker, and then XORs the result with the plaintext. In this way each block of text is converted into one of 2^128 variants, which means that for all practical purposes the same plaintext will never be processed twice. Again the 16 random bytes are encrypted and appended to the ciphertext.I have provided one other option in GodSave for those who need maximum security. This GodSave optional feature offers what I call "lazy" encryption. The procedure applied is as follows: first a pseudo random sequence is generated of the same size as the plaintext. This sequence is then appended to the plaintext and the "extended" plaintext is then encrypted. Lazy encryption avoids the need to divide the plaintext in two, but produces a ciphertext that is twice as large. The algorithm is as follows: To encrypt a plaintext T: Produce pseudo random sequence R To decrypt: S( K2, C2 ) xor C1
-> ( T xor R )
This variant of the GodSave algorithm has the interesting property that both C2 and C1 will be at least as good a random sequence as the original random sequence R, even if you use a mediocre scrambler S. I suspect that if you use a true random generator to produce R, then this cipher is absolutely unbreakable. All GodSave's options are independent and can be combined one with another. For example, the user can ask for a four rounds and lazy encryption if he wishes. The resulting algorithm is quite complex: To encrypt plaintext T: Produce pseudo random sequence R To decrypt: S( K4, C2 ) xor C1
-> (
X1 xor X2 ) GodSave normally allows the encryption of blocks up to 1024 bytes. When using lazy encryption only blocks up to 512 bytes can be used. The heart of the GodSave algorithm is its parametric scrambler ( GSSCRAMBLE). The scrambler is based upon 7 primitive scramblers (SCRAMBLE0 .. SCRAMBLE6). It also uses 32 hash functions (HASH0 .. HASH31) that always produce a 32 bit value. Given as input a plaintext T and scrambler key K, the algorithm executes a series of iterations to obtain the scrambled text. At the n-th iteration the algorithm executes the following four steps:1. Extract the next 5 bits of the key K to obtain an index "i" (value between 0 and 31) that indexes one of the 32 hash functions. On every other iteration, the five bits of the key are combined with the value of H computed in the previous iteration: K, H -> i ( 0..31 )
2. Use index i to select a hash function and apply it to the current value of text T to produce a 32 bit value H: HASH_i( T ) -> H
3. Combine H with the key K to produce an index "j" (value between 0 and 6) that indexes one of the 7 primitive scrambler functions. K, H -> j 4. Use the index j to select a primitive scrambler function and apply it to the current value of text T to produce an incrementally scrambled text to be used as input to the next iteration. SCRAMBLE_j( T , K, H ) -> T
As you will see in section 2.3.3 some of the primitive scramblers use several bits of the scrambler key or the value H.In short, in each iteration bits of the key are used to select a hash function which is then applied to the current state of the text to generate a value which is used to select a primitive scrambler function which in turn is then used to modify the text. Notice that both the key and the text are used to define the sequence in which the hash functions and primitive scramblers are applied. 2.3.1. VARIABITY OF CODE EXECUTED The precise number of iterations executed by the algorithm is not fixed. The user can control the number of iterations by means of the parameter "level" which instructs the algorithm to execute between level+5 and 2*(level+5) iterations. For example with level set to 10, the algorithm executes between 15 and 30 iterations (the definite number is defined as a function of the current state of the encryption). Each iteration calls one out of 32 possible hash functions depending on the key. Therefore there are a total 32^15 + 32^16 + 32^17 + ... + 32^30 of combinations of hash functions used. This number approximately equals 2^150. GodSave uses the scrambler at least twice (controlled by a different part of the encryption key) increasing the number of combinations to 2^300. In version 3, the initialization values of the 32 hash functions depends on the key, increasing the variability of the code by a factor of 2^1536, for a total of 2^1836. When used at the minimum level of 0, the same analysis produces a still huge 2^50*2^50*2^1536 = 2^1636 variations.The following sections provide some more detailed information about the components of the scrambler ( GSSCRAMBLE).All 32 hash functions are implemented in 8086 assembler and all have a similar structure, but not an identical size. Each function, first traverses the complete text processing 8 bytes at a time, then it processes either the first or the last 32 bytes of the text again. (It follows that the permitted sizes of input text are multiples of 8 bytes and that the minimum size of the input text is 32 bytes.) All hash functions are built up from a variety of machine instructions including XORs, additions and subtractions (with or without carry), circular and linear shifts, and, less frequently, ANDs and ORs. These hash functions were derived by a process of brute force searching. A generator was created which randomly produced over 100 million potential hash functions, respecting a few basic design criteria (such as that all available registers should be used) and a test procedure then ran these hash functions on random data blocks with sizes between 32 y 256 bytes, changing 1, 2, 3 or 4 bits and testing how often the resulting hash value was identical to the original, or differed only in 1 bit, 2 bits, etc. In this way the best 32 hash functions were chosen. The hash functions chosen are both fast and of good quality. By combining any two of these hash functions it is possible to produce a really excellent hash function. Note that the source code includes the function HASH defined as the XOR of the functions HASH21 and HASH30, that you may find useful. A similar general purpose hash function HASHX is also included in the source code.2.3.3. THE PRIMITIVE SCRAMBLERS All primitive scramblers are relatively simple functions and each one is implemented both in high level language and in 8086 assembler. Here follows a brief description of each of the primitive scramblers. SCRAMBLE6 regards the text as a list of 32 bit values. It traverses the text summing each successive value with the two next: ( li[i] + li[i+1] + li[i+2] -> li[i]). The effect is to smear information throughout the text. It does not work in a circular manner so the last two values are left unchanged. SCRAMBLE5 regards the text as a list of 16 bit values and it smears the information through the text by combining each successive value with the next two values. The function used is: w[i] xor (w[i+1] or w[i+2]) -> w[i]. It does not work in a circular manner, so the last two values are left unchanged. SCRAMBLE4 uses 24 bits of the hash value H and parts of the text to compute a 32 bit value, which it then XORs with the entire text. SCRAMBLE3 uses 3 bits of the hash value H to compute a value n (between 1 and 8), then regarding the text as a list of bits, it circularly rotates the entire text n bits to the right. SCRAMBLE2 combines the values of H with the scrambler key and the text in order to compute the four constants of a linear congruential random number generator, i.e. the values "a", "b" and "m" as well as the initial value "n" of a function with the form: (a*n+b) mod m -> n. Regarding the text as a list of 16 bit values it then uses this generator to define how many bits each value in the text gets circularly rotated to the right. SCRAMBLE1 also uses the values of H, the key and the text to create a random number generator. It then uses the key and the text to define a number of iterations. Regarding the text as a list of 16 bit values, it uses the random number generator to select an initial position in the text, then for each iteration it uses the random number generator to select a position in the text and copy the value at this position into the previous position selected, ending in a circular fashion. Its effect is to jumble up the values in the text. SCRAMBLE0 also uses the values of H, the key and the text to create a random number generator. Regarding the text as a list of 16 bit values, it scans through the whole list and XORs each value with a value generated by the random number generator. It is not easy to justify this choice of primitive scramble functions. However the following arguments provide the rational for the functions which I chose. SCRAMBLE0, SCRAMBLE1 and SCRAMBLE2 define a primitive but highly variable pseudo random number generator, and use it to delete any statistical regularity in the text (by scrambling values, the relative position of values, and bit positions, respectively). SCRAMBLE3 shifts the entire text some bits to the right in order to diminish the significance of the division of the text into 16 or 32 bit that is used by the rest of the scramblers. SCRAMBLE4 is a simpler and much faster version of SCRAMBLE0. SCRAMBLE5 and SCRAMBLE6 serve to smear data locally without losing any information. I believe that both SCRAMBLE6 and SCRAMBLE5 have the property that when applied to different texts they always produce a different result. I also believe that all the primitive scramble functions have the property that they do not reduce the information content (or entropy) of the original text. There are a few other details of the scrambler that should be mentioned, namely: At the start of the scrambling process, an initial scrambling is applied by executing SCRAMBLE0 twice and then executing SCRAMBLEINIT. SCRAMBLEINIT is a primitive scrambler used only here. It scans the text working one byte at a time. It XORs each byte with the value of a table (B2BINIT) indexed by the previous byte in the text. It then modifies a byte in the table by XORing it with the byte in the text just calculated. The effect of executing SCRAMBLE0 twice and then SCRAMBLEINIT is to produce a text that appears random to a wide range of statistical tests. Half way through the scrambling process (after (level+5) div 2 - 1 iterations) the definitive number of iterations is computed. After completing these iterations, a check is made to verify that each primitive scrambler function has been executed at least once, twice or three times (depending on the value of the level parameter). If not, the unused primitive scramblers are applied to the text up to the minimum number of times. The scrambler uses a key of 64 bytes. The first 254 bits (almost exactly 32 bytes) are used as parameters for the primitive scrambler functions, while the last 32 bytes are used (5 bits at a time) to select the next hash function. With a level value of 10, which generates between 15 and 30 iterations, 75 to 150 bits of the key are used for this purpose. This means that with a level value of 10 a total of 329 to 404 bits of the key affect the processing performed by the scrambler. Note that even at the minimum value of level (0), which generates between 5 and 10 iterations, at least 279 bits of the key are used by the scrambler. Thus the performance of the scrambler is highly dependent on its key. Finally some comments on the quality of the scrambler. I believe the GodSave scrambler to be of very good quality. At the minimum value of level (0) and with several of the primitive scramblers disabled the scrambler produces an excellent "avalanche" effect, that is to say that a 1 bit change in the original text thoroughly scrambles the end-result. I also applied the scrambler with a level value of 0 on a sequence of text blocks that were filled with consecutive integers (1, 2, 3, etc) followed by zeros to produce a sequence of blocks filled with pseudo-random values. This sequence of pseudo random values passed all tests for randomness I could find (including the DIEHARD group of tests). The encryption process is implemented on two levels. On the inner level the basic encryption algorithm (ENCRYPT0 in the source code) implements the pure Karn algorithm. Since the GodSave scrambler cannot operate on blocks with less than 32 bytes, if the plaintext has a size of between 16 and 48 bytes zeros must be appended to the text (after it is split) to increase the size of the block to 32. Afterwards the scrambled text is reduced in length to the original number of bytes. On the outer level, which implements the main encryption algorithm (GSENCRYPT in the source code), the input parameters are a block of plaintext and its size, and the output is a block of ciphertext. Note that the internal keys used have already been computed by DECLAREENCRYPTION and are available to GSENCRYPT. Also the "LEVEL" and "STYLE" parameters have already been declared. The level parameter specifies how many iteration the main scrambles will execute. The style parameter specifies which of the optional features of GodSave will be included. The next chapter explains the style parameter in detail. Before applying the encryption algorithm the plaintext is divided into two halves in a way that depends on the variable HOWSEPARATE that is one of the internal keys already computed. Depending on the value of the next bit of this variable, the next byte of the text is assigned to one or the other half. After this division, the first half of the text is XORed with the second half (in order to avoid a weakness of the Karn algorithm described earlier - see section 2.1). After completing the encryption the two halves of the ciphertext are combined in a similar way that depends on HOWUNITE, another internal key, to produce the definite block of ciphertext. The 16 bytes that are appended to the ciphertext when the key randomization or text randomization procedures are applied are encrypted in a simple but highly variable manner (see procedure "ENCRYPT16" in the source code for details). The style parameter has a five bit value which is interpreted as follows: The least significant bit defines whether the key should be randomized or not. The next bit defines whether the plaintext should be randomized or not. The next two bits define whether two, four, six or eight rounds will be executed. The most significant bit defines whether "lazy" encryption is to be applied or not. All values of the style parameter, from 0 to 31, are legal, but the processing necessary for implementing each one varies a lot. The following table describes each encryption style and gives you an idea about the workload for each one, assuming encryption of blocks of 256 bytes and level parameter set to 10. style effect relative workload 0:
2-rounds
100 (arbitrary) I recommend the use of the following style values:
Before using the encryption algorithm to encrypt or decrypt a text, it is necessary to declare the master key and the end-user's key (see procedure " DECLAREENCRYPTION" in the source code). These are combined to produce several internal keys that are to be used by the GodSave algorithm. The method used to compute these keys is described in this chapter. This method is not fundamental for GodSave and can be changed by any other method that computes the internal keys as a function of the master key and the user key. The internal keys are:- The primary encryption key (256 bytes) used for rounds one and two. - The secondary encryption key (256 bytes) used for rounds tree and four. - The tertiary encryption key (256 bytes) used for rounds five and six. - The quaternary encryption key (256 bytes) used for rounds seven and eight. - The scrambler key (64 bytes) used with key randomization - The scrambler key (64 bytes) used with text randomization - 32 bytes needed to initialize the index for the 32 primitive hash functions. - 192 bytes needed to initialize the 32 primitive hash functions. - 128 bytes that specify how each block of text will be distributed in two halves. - 128 bytes that specify how the two halves are united again in one block In all, the user key and master key (up to 512 bytes) are used to produce a total of 1632 bytes for the internal keys. Not all keys are necessarily used. For example, when GodSave is called with four rounds, then the tertiary and quaternary encryption keys are not used. When the master key and user key are sufficiently long (more then 10 characters) then one fourth of them is reserved for the computation of the secondary encryption key. In this case the primary and secondary keys are functionally independent. The GodSave algorithm itself includes two base keys initialized with true random sequences. One is a base scrambler key of 64 bytes (BSK) and the other is the base key of 448 bytes (BK). Half of the declared master key (MK1) is combined with the declared user key UK and XORed with the base key to obtain a new value for the base key: ( MK1, UK ) xor BK -> BK (448 bytes) The other half of the declared master key (MK2) is combined with the base scrambler key (BSK) to produce a new value for the base scrambler key: ( MK2, BSK ) -> BSK (64 bytes) Using this base scrambler key, the entire 448 bytes of the new base key (BK) are scrambled to produce the definitive value of the base key: S ( BK ) -> BK (448 bytes)
The first 256 bytes of the base key are used to initialize the working encryption key. The next 128 bytes are used to initialize the two internal scrambler keys to be used in the optional procedures for the randomization of the key or the text. The following 32 bytes are used as the key of the simple encryption procedure ( ENCRYPT16 in the source code). The last 32 bytes are used to initialize the pointers in the table that addresses the 32 hash functions:BK -> encryption key (256 bytes)
The base scramble key is modified and the base key is scrambled again in three successive cycles. The resulting base keys are used to initialize the rest of the internal keys: the base key computed in the second cycle initializes:
the secondary encryption key (256 bytes), the initial values of the
hash functions (192 bytes ) the base key computed in the fourth cycle initializes: the quaternary encryption key (256 bytes), the "HOWUNITE" vector (128 bytes) that specifies how each the two cipher halves should be joined. It is difficult to estimate the security of GodSave because the state of the art in cryptology is unknown. Nevertheless, the variable nature of the algorithm allows for some projections. Let us suppose that level 10, style 3 encryption is used. Comparing a large number of known plaintext ciphertext pairs is not useful because each uses a different key. Choosing a plaintext is not useful, because it gets randomized before encryption. So an attacker is stuck with unknown keys and plaintexts. GodSave's scrambler calls iteratively 7 primitive scramblers, several of which are highly depended on the key. Even so, let us suppose that if one knew the sequence of the scramblers used (for example, first S4, then S1, then S6, etc.) then using very powerful computers and very smart algorithms, GodSave could be broken in, say, one millionth of a second. When GodSave is used at level 10, then it iterates between 15 and 30 times. The approximate total number of variations of sequences is a huge 3 * 10^23. Even if each sequence could be broken in one millionth of a second, one would need more than 9 billion years to search through all possible variations.Even if an attacker is able to decrypt one particular block of ciphertext and discover the key used, this same working key will not be used again; the attacker would have to start anew with the next block of ciphertext. To recover the original user key and master key, the attacker would have to invert the scrambler functions used in the key processing parts of GodSave. Here, normally, a higher level of iterations is used, typically 20. In this case the same analysis would result in 10^25 years needed.2.7. PERFORMANCE OF THE ALGORITHM Up to this point in the description of the GodSave algorithm I have focused attention on the structure of the algorithm and the level of security which it can provide. In this final section I want to comment on the performance of the algorithm. The speed of GodSave (as implemented in the original Pascal source code made available in http://196.40.15.121/Encryption/index.html) is described in the following table where the number of bytes encrypted per second is given per 1 MHz of Pentium. This means that if you use a 166 MHz Pentium processor you should multiply these numbers by 166 to find the approximate speed for your computer. Number of bytes encrypted per second per MHz on a Pentium block size.. -----16----- ------64-----
-----256----- -----1024-----
style 0 263 167 124 959 635 479 1700 1175 914 2097 1514 1181 1 96 80 68 369 310 264 999 801 653 1720 1306 1046 2 151 114 93 528 421 343 976 787 661 1247 1016 854 3 75 66 57 285 247 219 698 603 522 1119 923 801 4 138 87 63 551 351 259 1039 683 504 1324 897 672 5 51 42 35 202 168 141 571 444 364 1049 761 593 6 100 70 55 379 272 212 719 526 418 926 691 556 7 45 38 32 173 147 128 460 373 313 784 613 498 8 94 59 43 385 240 174 743 473 352 964 635 473 9 34 28 24 140 115 97 401 311 251 758 536 412 10 75 51 38 290 201 152 564 397 305 737 526 409 11 31 26 22 125 105 90 342 272 226 609 461 366 12 71 45 32 295 183 134 580 366 268 766 488 361 13 26 22 18 106 87 73 309 236 192 593 413 315 14 59 40 30 237 159 119 465 317 239 613 424 324 15 24 20 17 98 82 69 274 215 175 499 368 287 16 246 159 122 588 409 323 771 595 471 17 93 79 68 295 246 211 587 478 393 18 146 110 90 355 283 237 502 412 354 19 74 64 56 222 193 168 417 355 307 20 135 85 63 363 244 180 523 367 280 21 50 42 35 171 139 116 377 285 228 22 98 69 53 256 192 151 381 288 235 23 44 37 32 143 120 103 295 237 197 24 92 58 43 264 172 127 397 264 199 25 34 28 24 120 96 81 271 204 163 26 73 50 38 204 144 110 308 224 175 27 31 26 22 106 86 74 228 178 146 28 70 44 32 207 133 97 319 210 154 29 26 21 18 93 73 62 215 159 126 30 59 40 30 167 115 87 257 182 139 31 24 20 17 84 68 57 185 143 116 Observe that encrypting blocks of less then 64 bytes (512 bits) is especially cumbersome because their halves are expanded to 32 bytes before scrambling and then reduced again to their original size. In these measurements the levels defined in " An encryption/decryption speed of 50 Kbytes per second on a mid-range PC is adequate for many popular applications, such as communications (including phone conversations) and the storage of sensitive documents. However this level of performance may be a limiting factor in the implementation of other applications such as secure data bases. 2.8. THE PSEUDO-RANDOM NUMBER GENERATOR Version 3 of GodSave includes a pseudo-random number generator, GSRANDOM, based on the same variable technology. Here is how it works: The key processing DECLAREENCRYPTION initializes a 256 bytes large buffer as a function of both the user key and the master key. The first 192 bytes of this buffer are the random values that GSRANDOM returns. When these are used up the last 64 bytes are used as the scramble key to scramble the entire buffer. In this way an indefinite number of random values can be generated. This generator can be used in an application where a stream cipher is needed.GSrandom is a deterministic: when DECLAREENCRYPTION is called with the same master and user keys and the same level parameter then the same sequence of numbers will be generated (the STYLE parameter does not affect this operation).When used at level 0, then 1000 bytes per second per 1 MHz of Pentium processor will be generated. At level 10, 650 bytes will be generated per second. GodSave technology and the source code included here are copyrighted by TecApro International but they are placed in the public domain so that they can be used freely. TecApro makes no claims is not liable for any consequences deriving from the use of this technology or source code. Any product that uses this technology must display the notice "Encryption using TecApro's GodSave technology, version 3". Users may also freely modify the GodSave source code or technology. If you choose to do so, your product must display the notice "Encryption derived from TecApro's GodSave technology, version 3". 3.2. AVAILABILITY OF THE SOURCE CODE The source code developed by TecApro to implement the GodSave technology can be downloaded from several Internet Web sites. For an up to date list of these Web sites, please visit "http://www.tecapro.com/". Currently only the Pascal source code is available; by the time you read this the C implementation should be available. In the same site you will find a Windows DLL file, which you can use from C and Pascal applications.
There are many simple and straightforward changes a user can make to the source code, to produce a non standard version of the GodSave technology, without compromising the quality of the algorithm. The strength of the GodSave algorithm resides in its variability which is increased by the creation of non standard versions. Security is increased by the use of a non standard version because in that case an attacker needs to have physical access to the source code or the executable code and in the later case the attacker also has to disassemble the code before being able to mount an effective attack on the algorithm. Any non standard version of GodSave that is produced will of course not work with the standard version, nor with other non standard versions. However the use of a non standard version may be the best choice in some situations, such as security for a closed organization, or the development of a vertical application. Here are some examples of the sort of simple changes that can be made to the GodSave algorithm:
If you want to be more ambitious you could add a new primitive scrambler (but I recommend you do not remove one of the existing scramblers). Be careful that the new primitive scrambler does not diminish in a significant way the information content of the text which it processes, that is to say the new scrambler when applied to two different texts should generate with high probability two different results. 3.4. PRODUCTS THAT INCORPORATE GODSAVE TECHNOLOGY Currently only TecApro is developing products that incorporate GodSave technology. The products currently available, or soon to be available which incorporate this technology are: "TecApro GodSaveF" is a free utility that encrypts or decrypts disk files using GodSave. It uses by default level 10, style 7 encryption on blocks of aprox. 1000 bytes. Before encryption, it compresses the file using a propriety algorithm with an efficiency comparable to PKZIP. GodSaveF is specially well suited for creating back-ups on a random access medium (such as a recordable CD), while maintaining the directory structure and file names you are using on your hard disk. As an alternative it can also merge several files in one encrypted file. Also it can create executable (self-extracting) encrypted files. It is fairly fast; on a 75 MHz Pentium notebook and its slowish hard disk, it encrypts some 4 Mbytes of files per minute. Click here to download GodSaveF.EXE."TecApro TecaMail" is a secure E-mail client for Internet. Besides message encryption, the product includes many interesting features such as: multi-language user interface and spell-checkers; validation of the reception and reading of messages; filters; inclusion of spoken messages in an E-mail; internal compression of messages; etc. "TecApro TecaCom" is a secure, real-time communications program for Internet. It allows two users to concurrently perform activities such as: chat using the keyboard; talk to each other; send or receive files; and remotely control each others DOS applications. The price of this product is USD 24. "TecApro Eureka" is a plug-in for Eudora Pro 3.0 that offers GodSave encryption for the users of this popular E-mail program. This product is under development and will cost USD 9 when available (aprox. date August 1997). "TecApro TecaCrypt" is a general purpose encryption utility. The aim is to provide a utility which the user can use to maintain specific files or directories in disk encrypted at all times, while allowing all Windows applications to access them in a transparent way. This product is under development and will cost USD 24 when available (aprox. date July 1997). For an up to date list of other products that incorporate GodSave technology please visit " http://www.tecapro.com".3.5. FUTURE VERSIONS AND COMMUNICATION Information about future versions and developments of the GodSave Technology can be found at TecApro's Internet Web site " http://www.tecapro.com" . Also if you decide to work with the GodSave technology please keep me informed about what you are doing and send me also any observations and ideas you many have for improvements to the GodSave's technology. My E-mail address is: dianelos@tecapro.com
4. THE KEY DISTRIBUTION PROBLEM The current version of the GodSave technology is a block encryption/decryption algorithm, and does not include algorithms for key management. In this section I want to describe the way in which one could construct a key management algorithm for the GodSave Technology. The GodSave algorithm is a member of a class of algorithms known as "symmetric". This means that the key used to decrypt a ciphertext must be the same as the key used to encrypt the plaintext. In a networked environment with many individual users, it soon becomes impractical to create and distribute different keys for all the possible pairs of users who need to communicate. What's more the keys have to be distributed over a secure channel and protected and stored with great care by each user. One way to solve this problem is to use an asymmetric encryption algorithm known as "public key cryptography". In these systems the key needed to decrypt a message is different from the key need to encrypt it. The use of public key encryption greatly simplifies the key management problem because each user can "publish" the key to be used to encrypt messages sent to him. In addition a user has a private key which he uses to decrypt the messages sent to him. The problem with public key encryption is that the two keys are related and the security of the system depends on the analytic impossibility or the computational unfeasibility of deducing one key from the other. However the security of the most widely used implementation of public key cryptography, RSA, depends on the assumption that it is extremely difficult to factor very large numbers. Even though the currently known (published) mathematical methods of factoring are slow, there is no proof that much more efficient methods cannot exist. Therefore it is prudent to suppose that more efficient algorithms do indeed exist and that they may have already been discovered but not published because the discover wants to benefit from keeping the procedure secret. Key management lies at the very heart of a secure communication system. If everybody uses a particular method (say RSA public keys) to create, communicate and store keys, and if this system can be broken then the security of the whole system is compromised, because all the keys will be discovered. It is an important feature of a good security system that if a breach occurs it should be possible to contain it locally and not let it compromise the overall security of the system. Fortunately, In many situations the use of public key cryptography as a means of solving the key management problem is not essential. As an example of how the GodSave technology can help an organization solve its key management problem consider the following situation: An organization which has offices in several different locations, each with its own local area network, wants all its staff to be able to communicate by means of a secure E-mail system. If the organization uses GodSave technology as the basis for implementing its secure communication system then it could use the following protocol to solve the key management problem: 1. In each local area network designate one of the stations as a "security server". This computer must be physically secure and totally inaccessible to all, except in extraordinary circumstances, and then only by the most dependable personnel.On the security server (one per network) and only on the security server resides a level-0 master key, which is unique for the whole organization. This master key could for example de stored in a physical device that is tamper proof. In principle nobody needs actually know and have to remember this level-0 master key. Once per day, the level-0 master key is only used to produce a level-1 master key. This can be achieved in many ways, for example by scrambling the current date. When Alice wants to send a secure message to Bob she must first identify herself. This is a local problem, which depending on the level of security required can be solved in many ways. For example Alice could be identified by: her personal password; her physical location; her signature on a digitizing tablet; correct answers to a personal quiz; a voice timbre test; an image of her retina; her fingerprints; the heat distribution on her face, or whatever. Alice constructs a block of data (the message "ticket") that contains the following information:
She then encrypts this message ticket using her personal password and an empty (null) master key and mails the resulting ciphertext to the local security server. 3. The security server receives this, decrypts it using Alice's password, and validates her personal identification. Then it produces two pseudo random sequences to be used as the level-2 master key and level-3A master key, and adds to the ticket the following information:
The security server then encrypts the message ticket using an empty password and the level-1 master key, and it then encrypts the level-2 master key using Alice's password and the level-3A master key. It sends Alice's computer both ciphertexts and the level-3A master key unencrypted. 4. Alice's system now recovers the level-2 master key using Alice's password and the level-3A master key. Using an empty password and the level-2 master key it then encrypts her message and sends both the encrypted message ticket and the encrypted message to Bob's local network, using any unsecured medium.5. At the destination, the local security server decrypts the ticket using an empty password and the level-1 master key, making sure that all is in order. It then informs Bob that he has a message.6. Once Bob has properly identified himself, the system creates a level-3B master key, and uses Bob's password and the level-3B master key to encrypt the message ticket. It then sends Bob's computer the encrypted message, the encrypted message ticket, and the level-3B master key unencrypted.7. Bob's computer decrypts the message ticket using Bob's password and the level-3b master key and recovers the level-2 master key. It then decrypts the message using an empty password and the level-2 master key, and validates its hash value.Here are some of the important characteristics of this protocol:
Personal keys are known only by the local security server; there is no organization wide list personal keys and no need to communicate these keys to remote networks. This key protocol can be extended to cover individual remote users. For example, if Alice travels all around the country and needs to communicate using her notebook, then the following modification to step 3 in the key protocol already described can be used. Periodically load, by some means or other, Alice's computer with a level-3 master key that is known only to Alice's computer and the security server to which she is assigned. This way it is not necessary to transmit an unencrypted level-3 master key. In order to read Alice's mail, an attacker must now have physical access to her computer in order to steal the level-3 master key, be able intercept her communications, and know or be able to guess her password. If an attacker is able to achieve such a broad range of security breaches then the organization will not do any better using public key cryptography. 5. OTHER IDEAS CONCERNING GODSAVE In this section I want to share with you some of my ideas for developing and extending the GodSave technology. This way I hope to encourage you to explore and exploit some of these ideas. A good encryption algorithm makes a good one-way hash function because, by definition, it is very difficult to deduce the plaintext from the ciphertext. The idea here then is to use the Karn encryption algorithm as the scrambler for a "higher order Karn". Start by dividing the key in 4 subkeys K1..K4, and the text in 4 subtexts T1..T4, and then apply the basic Karn algorithm to obtain: SS ( T1.T2 ) xor T3.T4 -> C3.C4
SS ( C3.C4 ) xor T1.T2 -> C1.C2
where the symbol "." means "concatenated with", E denotes the GodSave encryption algorithm and C1.C2.C3.C4 is the ciphertext. Substituting the Karn algorithm for the scrambler function SS we get: To encrypt: S( K1,T1 ) xor T2 -> X2 To decrypt: S( K3,C3 ) xor C4 -> X4 where S denotes the Scrambler used. It is an open question whether this approach produces a stronger cipher. 5.2. VARIABLE RANDOM NUMBER GENERATOR With all algorithmic (pseudo) random generators some regularity can be found by studying a sequence that is long enough. I believe it is possible to build a "cryptographically secure generator", by randomly selecting a group of independent generators out of a large pool of generators, XORing their output, and using this particular generator only to generate a small random sequence. For example, suppose we can find 24 fairly good and independent random number generators, and we pick 12 out of this pool, and XOR their output in order to build a random sequence that on average is 100 bytes long. After that we pick another group of 12 and build another random sequence. There are 24!/( 12! * (24-12)! ) different groups of 12 we can pick (in this case there are 2.7 million alternatives). Therefore the same generator would be used on average only once every 270 Megabytes of the sequence.We would achieve comparable security (quality of randomness) but better performance if we chose 5 generators out of a pool of 50. How easy is it to find dozens of independent algorithmic random number generators? Every known cipher algorithm can be used as a random number generator and they are all, presumably, independent. GodSave's "variable" nature provides a simpler solution. Just use the GodSave's scrambler with some particular key to produce the first one hundred, or so, bytes of the random sequence. Then generate some more bytes to serve as the next key to be used to generate the next one hundred bytes of the random sequence and so on. Since each new key effectively changes GodSave's code this is equivalent to using a set of independent scramblers. GodSave 3 source code includes the function GSrandom that does just that. GSrandom changes the internal scrambler after every 192 pseudo random bytes produced.5.3. THE AFFINITY BETWEEN CIPHERS, SCRAMBLERS AND RNGS An interesting consequence of Karn's algorithm is the affinity between ciphers and scramblers: if you have a good scrambler you can produce a good cipher. The contrary is also true: if you have a good cipher you can produce a good one-way function, i.e. a good scrambler. Interestingly there is also an affinity between Random Number Generators and scramblers. Obviously you can use a scrambler as a RNG (as I suggested in section 5.2). But the contrary is also true. Suppose you have a good RNG with an internal state of 256 bytes. You can use this RNG to produce a good scrambler of blocks of 256 bytes: all you have to do is use this block as the RNG's state and use the RNG to produce the scrambled block.6. THE ETHICS OF DATA ENCRYPTION To round out this paper I would like to present some personal observations on the ethics of trying to develop a secure encryption algorithm. Without doubt, encryption is a tool that can be used by criminals and other "enemies of society" to do harm. However, the same applies to almost any other tool, such as cars, cellular phones or binoculars. I can understand the preoccupation of governments that the existence of a secure encryption algorithm would make it impossible to intercept the communications of criminals and other enemies of society. However, I firmly believe that our personal information is our private property and that we have the right to safeguard it as well as we can. Personally I am not paranoid about governments. I believe that modern democratic governments are basically good and accurately reflect the attitudes and culture of the people they govern. But Internet is becoming the nervous system of our world, and if any entity were permitted the right to read or disrupt the flow of information on the Internet, it would amount to an unacceptable and dangerous concentration of power. With the advances of the information technologies, governments already have at their disposal many powerful tools to aid them in their fight against crime (both violent and white-collar). Take the international financial system as an example. This system has been created as a public service and is regulated by governments. I feel such systems should be designed in a way that they take full advantage of modern technology, and that they should be open to inspection. Thus, for example, all large or repetitive financial transactions, without even the need for any warrants, should be routinely and automatically examined to detect criminal activity. My point is that even though personal information is private, nobody should have the right to use the international financial system created by society, in a way contrary to the public interest. Personally I don't want anybody to be able to read my work or my letters, but I don't care if there are automatic systems in place that detect whether I am using the financial system in order to sell drugs or arms or to avoid paying taxes. One last personal note on ethics and public policy. I believe that
ethics in politics should not be an abstract concept, and that the impact
of a law or regulation on the public interest should be quantified so as
to keep it in perspective. For example, organizations that produce or sell
tobacco or handguns contribute directly to the killing of orders of
magnitude more people than criminal organizations which produce or sell
illegal drugs, but governments invest much more in combating and
controlling the latter than the former. Then again people who cheat on
their taxes do orders of magnitude more harm to society than criminals who
rob banks or gas stations. Ask yourself, how probable it is that you will
die in a war or a terrorist attack compared with the probability that you
will die from cancer? Clearly the second threat is hundreds of times more
serious for the average individual, yet governments invest much more in
combating the former risk. If public investment in defending against these
threats is inversely proportional to the threats themselves, then there is
something very wrong with our democracy. It seems to me that law makers
who pressure for spending public funds on defense instead of on cancer
research, are orders of magnitude more dangerous to the average citizen
then an international terrorist. Every political decision and its impact
on the public interest should not be discussed in isolation and out of
context, nor should they be discussed in an emotional manner, rather it
should be weighed (for both cost and benefit) and put into perspective
with the whole of public interest.
Quadralay Cryptography Archive: has quite a lot of good links to encryption-related pages, mainly to technologies and articles.
Modified on July 15, 1997. (webmaster@tecapro.com)Every trademark mentioned is the property of their respective owners. |
|
  |
Para más información: tecapro@tecapro.com |