Schneier on Security

Clive Robinson • June 18, 2021 1:42 AM

@ SpaceLifeForm, MarkH,

I guess what I am saying, is there really any proof that stream ciphers are truly secure and can not leak?

Empirical evidence of non secret stream ciphers suggests very much not.

Now lets take a 20,000ft view as a start to a theoretical view,

1) A stream cipher generator has no changing random element to it.

2) A stream cipher “key” is just an offset, that changes the starting point of the generator not how the generator produces output.

3) A stream cipher has only three parts,

3.1) A counter.
3.2) A mapping function[1].
3.3) A linear mixer function.

4) The only random element is in the plaintext and that is usually highly predictable with strong easily recognisable statistics.

So the only real security comes from that mapping function…

The problem is to get the level of security required means that the mapping function has to be highly non linear it has to do it over a range of four times or more the number of bit of an equivalent block cipher[2]. So AES 256 equivalent requires a stream cipher with a counter of atleast 1024bits.

But… You should consider the maximum run length issue as well. With a stream cipher it boils down to 3W-2 that is think of the all zero state output, the output before has to differ by atleast one bit likewise the next output. So the maximum run length of zeros over those three outputs would be,

100…000,000…000,000…001

So realy you should be thinking of 12 times the block cipher key bit width. Or for AES-256 equivalent 3072 bit counter and map width. As the mapping function has to be complex needing a very very high “gate equivalence” complexity you can quickly see how the effective gate count in the mapping function would be immense.

So yes you would expect stream ciphers to not be very good security wise from the theoretical point of view as well.

Yes there are tricks to get a non-linear complexty with less gates but you then need to consider how you pick the points on the linear Walsh Map to give you that non-linear complexity with reduced gate count and that can be hard very hard and it’s not a well studied area in the Open community.

Also because of the “known plaintext” issue you should consider two other things,

1, A very nonlinear mixing function of large alphabet size.

2, Use the stream cipher in a nonlinear feedback or feedforward mode.

By which time any perceived advantages of a stream cipher over a block cipher have diminished astoundingly or compleatly vanished.

And that’s all before we have left the 20,000ft view point to start getting into actual theory.

[1] Any binary maping linear or not can be replaced withba Walsh or Sequency map of XOR gates. The simple example you are most likely to come across is the “Grey Code” map where there is one XOR gate for every bit of map width configured in a cascade.

https://en.m.wikipedia.org/wiki/Gray_code

However the highly cyclic nature of such simple Grey codes as can be seen on the Wikipedia page kind of smacks you in the eye… Thus the lack of complexity is painfully obvious.

[2] You can kind of see this from, a block cipher has a bit width input of “data bit width pluss key bit width” then the fact that the mixing effect of data and key effects the entire maping width.

Clive Robinson • June 18, 2021 9:06 AM

@ Bob Paddock,

“This random noise source is a ring oscillator that is sensitive to random noise (temperature variations, voltage variations, cross-talk and other random noise) within the device in which the TRNG is used. “

That is mainly “chaos” at best and very frequently very determanistic.

As I mentioned yesterday on abother thread there is the principle of the “Loose Locked Oscillator” and it’s something that is,a right royal pain when you are developing TRNG’s.

Ring oscillators are very very very sensitive to the effects that make “loose Locked Oscillators”.

Briefly Ring Oscillators are “phase shift” oscillators where the phase shift is caused by either direct invertion or the transmission charecteristics of the gate.

In microcontrolers the ring oscilator gets it’s phase delay from either a very high Q tuned circuit (XTAL) or charging and discharging one or more RC lowpass circuits.

The the problem is that the gates be they inverters or buffers are very very high gain analog amplifiers designed for “smashing into the rails” as such their stability around the switching or mid point is quite unstable and they are very sensitive to “rail noise” which gets shifted by the bucket load around logic IC internal power traces. Worse inba ring oscillator you get “metastibility” issues that lead to tempory and soft lock ups which means they stop oscillating so stop producing output. So when combined with a determanistic algorithm it ceases to be a TRNG but a PRNG that might or might not –probably not– be CS compliant.

In order to stop you observing just how crappy / usless ring oscillators are as TRNGs usually they hide them behind a Hash or other CS algorithm.

But you don’t have to stop a ring oscillator to make it usless justvsquirt an EM signal at it that either is close to the oscillators frequency or is a much higher frequency AM modulated close to the oscillators frequency. The result is the ring oscillator synchronizes to the signal. Just like the stereo pilot signal in an Analog FM broadcast or the Colour Chroma signal burst in an old analog Colour TV signal like NTSC or PAL.

But it gets more fun…

Usually because the individual gates in a eing oscillator provide so little time delay thus phase shift they will use more than 20 gates in each ring oscillator, making the susceptability to external signals very high, they also use multiple very high frequency ring oscillators and combine them in a D-Type latch or similar.

When you look “close in” at the latch outpit on an oscilloscope the trace does look very random. But it is nothing like random what so ever. If you open out the timebase you will see that the transitions change frequency and bunch up and spread a part very very reliably. If you “low pass” the output you get a very pure looking sinewave. Because rather than being random it’s an “over sampled difference frequency” between the two ring oscillator frequencies…

As you probably know sinewaves are very very easy to find in noise you just use a very narrow bandwidth filter to remove the bulk of the noise. There are DSP algorithms that will not just find a sinewave artifact but lock onto it and follow it as a Digital Phase Locked Loop (D-PLL) without going into details the sinewave will appear through the use of an encryption algorithm just like that frequently seen image of Linux’s Tux penguin mascot. Only a lot lot more easily synchronised. Worse unlike the Tux image, it does not matter how wide the encryption algorithm is in bits… Because it “samples the signal” and that means you will see either the actual sinewave at it’s natural frequency or as either a harmonic or sub-harnonic. Which evervit is does not matter because a D-PLL will lock onto it and that will discipline an “on frequency” oscillator even if it’s “software only” like a Digital Numeric Oscillator that can be steped up or down in the tiniest of frequency increments you want. You can also make it very frequency agile by using it in the equivalent of a “fractional N” or “Sigma Delta” D-PLL.

The result an attacker gets to know rxactly what your supppsed TRNG is doing… Thus you are lulled into a very very false sense of security by say Intels TRNG which is again ring oscilators but hiding behind a hash algorithm…

So if I see “ring oscillator” in a design depending on why I’m looking at it I either say in a polite way “The doors over there”, “You should think of a better way to do this”, or “At the very least run your crypto not in ECB mode but a nonlinear chaining mode with frequent IV change and restart”.

But if you look at our hosts TRNG the “entropy pools” in effect do the chaining with frequent IV change and restart, but with effectively a very very very long chain (it kind of makes it a lagged Fibonacci gennerator with multiple taps, which is still linear though).

Clive Robinson • June 18, 2021 9:45 AM

@ metaschima,

Can we just agree that any cryptographic primitive created in cooperation with a secret service agency cannot be trusted

Just one problem, if you did not fully create the crypto system, how do you actualy know if a Secret Service agency was involved or not?

In fact how can any company with employees designing crypto systems or parts there of, know that their employees do not have some “relationship” be it voluntary, coerced, or just hood winked by a security service agency?

Remember RSA and the Dual Eliptic Curve random generator? Or Jupiter Networks with similar odd code turning up in their shipped products.

Heck I’ve sat in on International Standards meetings and watched “technical representatives” comming up with “Health and Safety” excuses and similar to backdoor digital communications… You know exactly what they are upto, but if you challange them you get the ewuivalent of “Think of the Children” FUD comming at you from the Extended Five Eyes technical representatives and they just keep at it untill you are too exhausted ostracized… The idiot from the NSA that so badly tried to “finess” a standard caused such a hate that they got turned on and eventually “outed” and that caused all sorts of embarrassment for the standards body…

So if it’s not entirely your own work from the roll of a dice (entropy source) upwards, it’s best to assume it’s not secure.

It’s basically what they call a “root of trust issue”, if you can not establish a real root of trust then it’s probably “game over” for your security. But with law enforcment getting in the game it’s going to also be “Go straight to jail, do not pass go do not collect $200” regardless of what you might or might not have done. They can judicially squeeze you via the politically controled “Special Administrative Measures” or equivalent till you plead guilty to something. They get promotion brownie points and you are left bankrupt and unemployable such is the modern day version of “Rights Stripping”.

It’s kind of the new “Power Politics” and unless you have billions off shore, you don’t have the power if you behave legally…

Clive Robinson • June 18, 2021 12:37 PM

@ MarkH,

To describe a deterministic process as “random” or “true random” must surely lead to misunderstanding by some readers.

Unfortunately they both exist in a cipher system.

If you have say AES in ECB many might consider it “determanistic”. But the key should be “truely randomly selected” and even though it does not look random to most people even text “plaintext” contains truley random elements otherwise no new/useful information could be sent.

The same is true for an OTP, where the KeyMat should be truely random on every bit, but it still uses a determanistic process for it’s mixer function, and has a fair degree of localised determancy in it’s text based plaintext.

So the confusion does come “built in” in all crypto systems as at the end of the day it has to be at least truely random and determanistic.

Then of course there are “the shades inbetween” where determanistic becomes random to observation or pesudorandom. Also there is the notion of “chaos” to consider as well.

It’s all kind of messy and it’s not unusual to expect people to know just what sort of random you are talking about from the truly determanistic but too complex for an observer to tell through to the truly random where from time to time an observer might think they see determinism, simply because things are unbounded.

I hope that’s clear 😉

Clive Robinson • June 18, 2021 5:42 PM

@ Tatütata,

worked with GSM standards a while back), page flip, flip, flippitty flip…

The last time I was involved with the design of a GSM phone in earnest, the stack of A4 sheets was about four foot high and when in even very thin plastic binders there were so,many we had to make a new one just to hold an index of indexes…

And there were bugs in the documentation and we found one by bringing a UK network down…

As you are nodoubt aware the phone is supposed to re-register with the network every so often. The specification got changed because of certain issues. Put simply the phone was supposed to re-register in half the previous time period if the last re-register failed… But the spec dod nor give a minimum time… The UK network used a certain well known European Switch provider and the way it re-regisyered phones was not the new improved way…

So even though the phone was registered with the network it ended up halving the rime period untill it effectively monopolised the control channel… Fun days not…

Back then the backend systems of network providers were “Unix” and that was in effect “big iron” compared to the High end PC systems we did CAD/CAM etc on…

Then somebody “fingered me to QC” as being “The man who spoke guru”, as the machine I was using –that was actually my own– ran AT&T Sys Vr4 with “DOS-Merge” that you could run around 6-8 copies simultaneously via a multi-port Serial Card that the individual “In Circuit Debuger/Developer Emulator (ICE) hardware for the CPU’s ranwith. So I suddenly “owned the problem” with dealing with the UK network people.

If that were not bad enough “The big-big boss” got told and it turned out his daughter was in her First year at Uni and “Could I just help a little with her Unix and maths stuff”…

And so on giving me less and less time to do my “real work” that my boss kept piling up on me because I got things done…

I thus learned the true meaning of,

“If you want something done quickly, but well, give it to a busy person”.

Clive Robinson • June 19, 2021 8:14 AM

@ MarkH, SpaceLifeForm,

As far as I have been able to discover, no cryptanalytic attack has been found against the shrinking generator with secret polynomials

It is easily proved that there is a worse case condition where it could be broken in as little as 2W bits of the “generator” LFSR where W is the size of the “effective counter” in bits.

Basically there is known attack on an LFSR that says all you need is 2W bits out of the LFSR.

To get that out of shrinking generator, all that needs to happen is the run length on the gating/decimating generator to be 2W or longer. As I demonstrated in a comment further up you can get a maximum run length of 3W-2 bits out of an LFSR…

So it’s more than possible for some one who controls the two LSFR’s to compleatly bork the shrinking generator with out the user being aware of it…

Clive Robinson • June 20, 2021 5:25 AM

@ SpaceLifeForm,

Who is watching the watchers?

Best answered with another question,

“Have you ever seen a circular firing squad, taking a shot in the dark?”…

Clive Robinson • June 28, 2021 2:17 AM

@ MarkH,

In other words, capturing parts of the bit stream can reveal another part which was not captured.

Now take it on a bit.

You’ve got C=X+Y, from just two messages being sent.

Now think D=X+C, E=Y+C, thus the question of how far you can extend the addition and what you can get from it.

It turns out a lot have a look at how the Walsh transform is constructed.

If you look into the Berlekamp-Massey algorithm and how it uses “gaps” to measure linear complexity and build an LFSR that approximates the sequence Sn you start to see “observe” some correlations.

Which brings us to,

However, no educated person uses the output of a single LFSR as a cryptographic keystream, so the hypothetical above is not useful.

But you’ve also said of the shrinking / decimating generator,

It’s wonderfully small and simple, made of two LFSRs. One is the source for keystream bits; the other functions as a “gate”, with raw outputs of the first either being used in the keystream, or discarded.

What is the shrinking generator in the worst case?

That is what if in effect I put all zero’s in the second LFSR?

Or I pick tap and start values for the second LFSR such that I get two or three “long gaps” early on?

I’ve already shown that a “chosen plaintext attack” can be used to strip the plaintext off by just sending two messages that are the bit inverses of each other.

So if I know or can find out how long the “gaps between ‘gaps'” are I can build most of the 2N bits needed for the Berlekamp-Massey algorithm to work.

Whilst the shrinking generator algorithm might in theory be secure, the impementation need only add “jitter” to the edge of a pulse when the shrinking generator second LFSR changes state. If you doubt this I’m reasonably certain that the NSA manipulated the AES contest to deliberately ensure implemebtations would have covert time based channels leaking information.

Why, as I’ve mentioned before one of the original failings of the One Time Tape super encryption machines was the “pull-in and drop-out” times of the circuit used to perform the XOR function. All you needed to do to strip the One Time Pad tape off was observe the teletype pulse widths on the line with an oscilloscope… Both of the agencies that preceeded the NSA and GCHQ were well aware of this… They have exploited various “key strength” tricks not just with the systems they issue to their own Military for field ciphers but equipment supplied to foreign goverments via Crypto AG. Thus to say they have “previous” is an understatment. Thus rigging the AES competition is very very much in line with their historic MO.

It’s why having any part of your crypto under somebody elses control,

1, In any way you can not fully see

and

2, You do not fully understand

Is a real danger. Which is the case with ALL current consumer level crypto in use for communications.

Arguably even the “open community” does not “fully understand” what the SigInt agencies currently do, thus we fail at point 2 and will continue to do so almost indefinitely.

It’s why I say,

“Assume any communications channel to be a plain broadcast channel and mitigate appropriately”.

That is just as Diplomats and the Military have for centuries, put your own layer of crypto over the top and assume everything below it is “untrustworthy”.

It’s why I’ve continuously said on this blog and other places “Do all your encryption/decryption Off-line, never On-Line” and “Use two energy-gapped systems, one for your work and encryption, the other as your communications end point”.

Because if you do not you have no security thus have no privacy and potentially all the problems that will cause you.

But as a continuing thought, ask yourself this,

“How nonlinear is decimation of an entirely linear function?”

I have my own thoughts on that and it’s a trade off in many ways.

Clive Robinson • June 28, 2021 8:37 AM

@ MarkH,

within the period of a strong stream cipher, examination of any number of keystream bits does not enable prediction of even one other keystream bit by a feasible amount of computation

Please do not say “strong” it has no meaning the same as “short or long” when talking about a bit of string.

By definition only one type of stream cipher meets,

examination of any number of keystream bits does not enable prediction of even one other keystream bit

And that is one where all bits are fully independent of each other. That is “not determanistic in any way”… Which is the equivalent of a One Time Pad.

What you are trying to argue is that the linear complexity L(Sn) over S₀…S_n-1 requires a significant level of resources for a significant period of time to determine. The problem is in the Open Community it is not as well researched as we need. It’s the reason the Stream Cipher finalists in the EU NSSIE competition were basically a bust.

You can show that the size of the State Array has some influance on the size of the “gaps” used to calculate L(Sn) but realistically the State Array update mechanisum is always reducable to a purely linear function thus it is always going to be possible to determine.

To prevent or delay this determination you have a generator output function that is all to frequently a static mapping of what is hoped to be a “one way function”. There is no proof that one way functions actually exist, or that they can not be reduced to a series of successive linear mappings by the use of certain algorithms that “guess out” nonlinear behaviour from linear behaviour.

The only solution is to make the mapping somehow non determanistic. In block ciphers one way is to mix the plain text with round keys before putting it through what are hoped are one way functions.

The general case with stream ciphers is to use a purely linear easily reversable mixing function after the generator output function. Thus this very very simple substitution cipher ensures that the plain text can easily be stripped by various real world attacks.

Thus the entire strength of stream ciphers relys on what are little more than very large invarient substitution ciphers that are made to look polyalphabetic by the equivalent of a counter…

Due to the size of the needed total stream space most such mappings are going to have quite a large linear component. Thus the question of the coresponding linear complexity L(Sn) arises virtually every time, and the quality of the thin veneer of nonlinear complexity that overlays it…

Because once that thin veneer is breached it’s just the linear complexity L(Sn) that we know needs only 2n bits and ~O(n^2) or less effort…

We know that the State Array will have “gaps” in the range n-1 to 2n-1 ordinarilly and can be as high as 3n-2. A good design would always try to keep the “gaps” down as close to n-1 as possible for obvious reasons. However how do you tell the difference between a good design and one that mostly looks like a good design?

Clive Robinson • June 28, 2021 11:16 AM

@ MarkH,

Not sure if you will be able to read this or not,

https://www.sciencedirect.com/science/article/pii/S0885064X15001338

In essence if you taken an LFSR and add a non-linear combining circuit to it you effectively make a “filter”

The down side of such filters is they are vulnerable to algebraic or spectral attacks that alow an attacker to effectively linearize it thus make it amenable to linear attacks.

Clive Robinson • June 29, 2021 10:54 AM

@ Weather,

What book or formula would you use on a line graph to exsopse patterns, like mean,log or combination.

Nearly all the tests are statistical in nature and produce a probabilistic output on a very long sequence of generator output either as bits or in the alphabet set (A{a₀…a_n}).

The best place to start getting a grip on it would probably be §3.3.4 The Spectral Test in vol 2 of Knuth. Then move upwards to the Dieharder etc tests.

The point being humans can only see points, lines, planes and manifolds on graphs which means at most 4 dimensions… Spectral tests go through many many dimentions looking for statistically significant patterns…

The important point to get your head around is that all deterministic generators at the end of the day consist of three basic parts,

1, A State Array
2, A State Array update function.
3, A Generator output function.

Often 2 and 3 are partially or fully combined. That s those functions are the equivalent of look up tables or mapping functions.

For human convenience in describing 1&2 we talk about either a “counter” or an “LFSR”, what it actually is does not matter in the slightest as any such state array and update function can be shown to be directly equivalent to a linear function acting on the bit array thus equivalent to a linear counter or linear LFSR and mapping function. Any non linearity gets moved to the right and becomes a map on it’s own that is added onto the linear mapping function at the left.

cnt+1 = f(cnt)

Were f =(Nmap(Lmap(x))

Thus the trick is to strip off the nonlinear map (Nmap) or extract any linear component and add that to the linear map (Lmap) in a successive process.

The thing is it has a very very high probability of success of reducing the nonlinear map (Nmap) down to a very very simple and sparse map which is well defined either in part (short sequence) or in whole (full sequence).

The downside is an “exponential run time”. However a “Brut force attack” is effectively exponential run time as well. Each linear map the algorithm pulls out knocks a big chunk of that exponential time off. Thus these attacks against generators will almost always run faster and with less resources than a brut force attack thus technically at least “Break the algorithm”.

The obvious and wrong idea is to try to make what appears a highly complex nonlinear map, often by random selection or gut hunches etc… The thing is that if you look at linear functions like the Half Adder whilst they may be made of nonlinear components their map is linear.

It’s actually very hard to come up with a nonlinear circuit where the output does not show bias that will show up in statistical tests.

The easiest way you can start is by not using nonlinear logic maps but permutation maps (card shuffling algorithms). Yes permutations have their own problems to deal with but as a starting point they are often easier in software and faster than logic maps, though slower than a two legged dog in hardware…

Clive Robinson • June 29, 2021 5:13 PM

@ Weather, ALL,

you gave me something to look at,

You might find this a more gentle introduction to the subject than the previous paper,

http://cacr.uwaterloo.ca/techreports/2009/cacr2009-04.pdf

Note in particular the comment at the bottom of page 2 as to why spectral attacks are shall we say more interesting.

I guess the big question some will be thinking is “Does this work back on Block Ciphers?” simple answer is yes it can do depending on how you use them. Also “What about Quantum Computer attack hardened cipher primatives?” well my knowledge in that area is insufficient, but my gut tells me that if it’s possible someone is going to find it sooner rather than later, if they have not already…

Clive Robinson • June 30, 2021 2:48 AM

@ Weather,

The rocket propulsion book I have uses that math and I’ve spent 15 years reading it…

To mix up a couple of quotes,

“Nobody said you had to be a rocket scientist to be here, but sometimes it does help!”

Speaking of rocket scientists one of my favourit observations on the life technical and personal lab equipment, is to be found in John Drury Clarke’s book “Ignition”. Often it is quoted in two seperate parts (highlighted) but the whole thing is worth reading,

“It is, of course, extremely toxic, but that’s the least of the problem. It is hypergolic with every known fuel, and so rapidly hypergolic that no ignition delay has ever been measured. It is also hypergolic with such things as cloth, wood, and test engineers, not to mention asbestos, sand, and water—with which it reacts explosively. It can be kept in some of the ordinary structural metals—steel, copper, aluminum, etc.—because of the formation of a thin film of insoluble metal fluoride that protects the bulk of the metal, just as the invisible coat of oxide on aluminum keeps it from burning up in the atmosphere. If, however, this coat is melted or scrubbed off, and has no chance to reform, the operator is confronted with the problem of coping with a metal-fluorine fire. For dealing with this situation, I have always recommended a good pair of running shoes.“

Apparently the word “golić” is Polish for “shave” thus I guess hypergolic could also mean “A very close shave”…

A friend who went to Birmingham University in the UK (place of the last known smallpox death in 78), went to do chemistry but came out doing computing…

He pointed out that using a phrase such as,

“It is, of course, extremely toxic, but that’s the least of the problem.”

Is much frowned upon, as it might after all discourage people. So the prefered phrase is,

“Known toxicological disadvantages”

Which apparently confuses first year students, so Chem Profs are known to say,

“Oh don’t worry about that, it just means it kills people”…

Clive Robinson • June 30, 2021 9:20 AM

@ Weather, ALL,

Can two data points be linear or do you need three at minimum

The number of points you need is dependent on the real “transfer function”.

Frequently what is done is the real transfer function is plotted then a lookup table is generated for the software that does “piecewise linear approximation”

You will need an absolute minimum of three points on each one of those piecewise linear approximations.

Just to check the circuit is acting within the norms of it’s transfer function. Then make any offset shifts and gain adjustments to get the actual required values in range.

You then need to take a series of readings around “a point of intetest” such as the pass/fail limit.

The reason you need to do things this way is,

1, You want the pass/fail point to be accurate to detect the crime.

2, You want the magnitude of the fail to decide on sentencing as in “The driver was recklessly three times the legal limit”.

3, If readings are within certain ranges the tests should be reperformed on other equipment because (1) could be in doubt.

4, Likewise if readings are not consistant with the state of the person then there may be another metabolic cause such as low or high blood sugar both of which “can not be slept off” just buried under 6ft of dirt…

Metrology is a fairly complex subject in it’s own right and mostly this is kept away from “non domain experts” because even with nice graphs people get glazed eyes.

Judges especially, hate science, what they want is a piece of paper with numbers that appear to be “evidence” not be told “Well there is a one in X chance the reading was incorrect because it was below the acceptable temprature range of the equipment…” or similar.

Judges hate scientists because as “experts” they can in effect “direct the judge”. If you realy want to see a seriously upset judge, just wait and see one who has just been told by a Chartered Accountant “the tax law says…” when the judge wants it to say something else…

When a scientist tells a judge the laws of physics etc say “that is not possible, the evidence provided by XXX is not factualy correct” it can get very very unpleasant…

One of the big issues with the US legislative and regulatory system is it prescribes tests not science. Thus if a new better more accurate test comes along and you are guilty by the old inacurate test but innocent by more modern more accurate tests, the legaslative and judicial conceit is you are guilty “because that is the way we’ve done it in the past”.

Judges “judge definitively” based on what it says on a “pieces of paper”, never ever make the mistake of thinking otherwise… You give a judge two conflicting pieces of paper and they are not going to behave rationally in many cases. Basically they fall back on the fallacy of “the preponderance of evidence” which is a bull5h1t way of saying they’ve stacked a bigger pile of cr4p up than you have…

https://www.merriam-webster.com/legal/preponderance%20of%20the%20evidence

Not only do they do this in “civil cases” which is bad enough, they do it in crininal cases as well… On the excuse it is “just one part of the evidence” so is some how contained in it’s effects on the outcome of a trial…

Oh and don’t forget “expert witnesses” lie all the time, they “simplfy for the jury” or similar nonsense…

For instance, if I say when talking about a paint fleck “the paint is a non standard green, and the defendent made it up from two cans of paint”, it might sound convincing but it’s almost certainly a compleate nonsense for various reasons.

The FBI pulled a similar stunt for years over matching bullet fragments by metallurgical content ratios. They never did the tests to show if their assumptions were valid or not. When somebody did and called “bull5h1t” did they appologise? Not that I can remember…, did anyone get sacked, demoted, lost their pension… I think you can guess the answer to that.

Clive Robinson • June 30, 2021 2:44 PM

@ JonKnowsNothing,

People ask me “How long will it take to learn to ride?”

I know the answer to that one in my case it’s “never”. To be honest I’m six foot six fairly broad and somewhat solid even as I approach my dotage eminent or otherwise…

Lets just say it’s unlikely that I could find a horse to learn on that would be large enough not to be injured if I did get on it’s back… Which lets be honest would be further off of the ground than I would like and there is that V^2 element to consider when you do inevitably go splat…

But to be honest I’ve looked in a horses eyes a number of times and I’ve been left with the distinct feeling that most horses are one shake of the mane away from madness. So hight and madness is a combination not that far from defenistration in my book…

I could be doing them an injustice, and it’s just that they have a hightened “flight response” but that’s not realy much better. Do you realy want to be sitting astride a creature that might suddenly take off like you’ld used it’s tail as the blue touch paper?

So no, I’m not climbing up, as I figure I’ll come to less harm if I don’t.

Clive Robinson • July 2, 2021 2:40 PM

@ MarkH,

However, either the paper is wrong, or linear complexity is not the Achilles’ heel of the Shrinking Generator.

The Shrinking Generator is now in it’s third decade, there has been NESSIE and eStream competitions in the last two decades. Each spawned new attacks, and “non linear algebraic complexity” is now believed not sufficient.

The likes of Sectral analysis and sequency/wavelet analysis have moved forwards and knocked chunks off of algebraic complexity in various ways.

Wavelet analysis in particular looks like it will be the next area where attacks against LFSR and equivalent systems move forward. It realy needs something to drive it forward (which crypto competitions have a habit of doing).

The thing is even though all stream generators can be viewed as a counter or shift register driving a mapping function, the question of the complexity of the mapping function comes up. Block ciphers and stream ciphers tend to use radically different mapping techniques, as do stream ciphers designed for software implementarion rather than hardware. Trying to make a mapping fuction that is all things to all situations is a recipe for trouble more often thwn not…

In effect the shrinking generator by being two more or less independent shift registers makes the mapping function rather more complex as it gives an increased degree of freedom. You can get similar effects using card shuffling algorithms. Where you use say a nonlinear function rather than an incremental pointer. So for arguments sake an LFSR with non linear filter to generate the incrementing pointer replacment.

The real question for theoretical attacks against the algorithm then becomes finding distinquishers and how you make the effects linear for easier analysis[1].

From an implementation perspective finding distinquishers can be trivial if there is some kind of time based channel. This was the issue with AES, the competiton appeared to push a strong algorithm, but realy encoraged weak implementations. The result a quater of a century of weak “on-line encryption” systems (hence the NSA only giving “data at rest” clearance with the likes of IME’s).

The likely hood of an “Open Community” break against the shrinking generator is not driven by security concernces outside of crypto competitions, but what will get your name not just published but associated with a new research area as it develops (get in whilst it’s small and your name grows with it via at a minimum citations).

Thus people playing with stream generators have in effect put the shrinking generator up on the shelf where it is gathering dust.

A student might take it down and dust it off but your name researchers are looking at other things such as Quantum Computer proof algorithms.

Thus the closed community of SigInt agencies may well have broken the shrinking generator or know how to make it weak under certain circumstances already. Because their research interests move under the force of entirely different drivers.

Don Coppersmith is a bright cookie but which side does he realy play for? Look back at the history of DES and what happened.

[1] A 2002 paper from Don Coppersmith and others where they attack NESSIE finalist Snow2.0 that used a cellular automaton as a non linear element ontop of a form of LFSR. Oh and quite a smack down on Don’s own earlier Scream cipher,

https://eprint.iacr.org/2002/020.pdf

Clive Robinson • July 3, 2021 7:56 AM

@ MarkH,

However, grad students (and their teachers) perennially struggle to find projects that haven’t been done before.

Sometimes I’m not surprised at all, especially when such projects actually go nowhere…

A little historical story for you with names etc witheld to stop blushes etc, but I will say it goes back oh just about all of four decades.

A person towards the bottom of the ladder was told a “fact” by a person somewhat further up the ladder. The lowly person doubts but was assured it was correct by the much more senior teller of the fact…

Well the low level rung holder still felt they were right and the senior rung holder was effectively wrong…

The “fact” is one you still here handed down even today in one form or another and “students hear”

“blah… blah… blah… since integer addition is nonlinear when considered over GF(2).”

Thus they assume incorrectly that “addition is nonlinear over GF(2)” is true for all additions, it’s not, and can be shown as such as the lowly rung hanger did…

The reality is somewhere in the middle… That is addition is sometimes non-linear and sometimes it is not and it depends on if your bit adders are behaving as a “half adder” that is linear, or a “full adder” that is nonlinear.

Why is a half adder linear well it’s an XOR gate and you can look the argument up as to why that is linear (or just draw out the truth table and observe the output in terms of number of set/clear bits, and more importantly the correlation between an input bit and the output bit).

The full adder however is both linear when acting as a half adder as you would expect and nonlinear when acting as a full adder (and has consequences we discussed the other day when talking about C’s lack of carry flag access). Thus what makes the difference is the state of the “carry in” bit… Which comes from the previous bit adder carry out.

So when you add two integers with no carry in the least significant bit (LSB) is always a half adder which has the same input to output mapping as the XOR, which is why the likes of the Mitchell-Moore Generator from 1958 gives a maximal length sequence in the bottom bit of the result as it’s actually a standard XOR LSFR.

Now if you thibk for a moment, you realise that when you add any integer to zero you get the same number and obviouly no carries in an of the bit by bit additions. Thus that set of additions is obviously compleately linear…

But now consider that carry goes from LSB to MSB. We know that the LSB result is always linear, we also know that carry is generated ONLY when both input bits are set, or the AND function. Which only happens for 1 of the four input states thus more likely than not carry will not happen. So no carry across to the next pair of bits… It’s fairly simple to show that if the full adder input Hamming weight is one then you get no carry.

I won’t go through doing the odds for the other bits but it can be seen that the “non-linearity” is going to not propagate more often than than it will, especially in the lowest bits.

Thus to find out where a run of carries starts AND the two integers together and upto the first set bit will be linear and the bit by bit additions will be independent of the preceading bits. That first set bit tells you where the nonlinearity starts in that addition and dependency on adjacent bits starts.

But a run of carries can and will stop when the next bits up are both clear… Something you can easily find by the logical OR of the two integers.

Thus you can come up with a simple “walk up” algorithm to count the actuall number of carries that will occur. This gives the “Hamming weight” that is the number of carries gives you the non-linear complexity of any given addition. Thus the amount of simple linear complexity thus the ability to simply attack an Addative-Feedback Shift Register (AFSR) can be calculated.

Something the lowly rung hanger kind of wrote up informally, but had realised that the more senior rung hanger was not going to be interested in seeing…

Well nearly a decade later this paper got published,

Staffelbach, O. and W. Meier : 1990. “Cryptographic Significance of the Carry for Ciphers Based on Integer Addition.” : Advances in Cryptology — CRYPTO ’90.

https://link.springer.com/content/pdf/10.1007%2F3-540-38424-3_42.pdf

Someone who had worked their way up the ladder somewhat by that point, sent the other rung hanger still with a death grip on the same rung as before an Email enquiring if they had seen the paper, and saying what a lost opportunity it was… The result that happened was not unexpected, so the world moved on around the death grip hanger on, who I asume has vacated their rung one way or another by now.

So in the rest of the world we now have the so called “Feedback With Carry Shift Registers” (FWCSR) that first fixed the LSB but later had to work with rather more bits.

In essence you do two adds, and add in something that changes dynamically. Which can be a delayed version of the previous additions etc or something more secure.

However all nice in theory, but in the real world adders are oh so slow especially when more than a couple of bytes wide, and they carry much higher gate counts than other non-linear circuits. So having many many adders in either a Galois LFSR or Fibonacci LFSR form as the “many taps to be secure” requirment calls for can rapidly break the “gate count budget” rather rapidly.

But even in software the algorithms are not that fast and starting to use a block cipher in counter or some other similar mode starts to look a better option as there are off the shelf macros or built in hardware etc.

The sad thing is, I’ve had similar academic experiences in several apparently unrelated knowledge domains. In fact when looking around to do a real PhD. I was horrified at the issues I crashed into. The main one being the “un-written rule” that “You are not supposed to do your own line of research, but do your supervisors line of research” on the excuse of “that’s why you are getting the stipend” etc. Oh and it you are lucky you might get your name mentioned on any paper they write out of your work…

As I’ve mentioned in the past I interviewed a lot of potential PhD supervisors and they realy were not what I would consider working with. One however at the LSE called me out of the blue… I’d been at an Xmas party and had been chatting to a rather nice Russian Girl who was doing her PhD. at the LSE, we got chatting and I mentioned to her about the problems I was having. She told me her supervisor called it “Academic Ma5turb4t1on” and we had a laugh about it and changed the subject and had a few more drinks and swapped numbers.

Thus the totally unexpected phone call from her supervisor we chated, we had a couple of meetings and it looked good. Unfortunately I’d have to be self funding, but that would not have been a problem as my then employer was prepared to have me work half time for the duration. Unfortunately other events happened and the world changed for the worst…

But hey I was never destined for the cut and thrust back-stabbing of academia, to much politics, boot licking and time serving, and not enough “fun” of finding out new and interesting things.