Welcome Guest [Log In] [Register]
Welcome to Crypto. We hope you enjoy your visit.


You're currently viewing our forum as a guest. This means you are limited to certain areas of the board and there are some features you can't use. If you join our community, you'll be able to access member-only sections, and use many member-only features such as customizing your profile, sending personal messages, and voting in polls. Registration is simple, fast, and completely free.


Join our community!


If you're already a member please log in to your account to access all of our features:

Username:   Password:
Add Reply
Keying the Chaocipher from "unkeyed" wheels
Topic Started: Jul 6 2015, 04:01 AM (387 Views)
atoponce
Member Avatar
Just registered
[ * ]
I have implemented the Chaocipher with playing cards, that can be found on my wiki at http://aarontoponce.org/wiki/card-ciphers/chaocipher. I would now like to implement the Chaocipher in Python. However, I am curious if a "standard" has been set for keying the two wheels. I'm assuming the unkeyed wheels are:

Code:
 
ABCDEFGHIJKLMNOPQRSTUVWXYZ[space](right)
ABCDEFGHIJKLMNOPQRSTUVWXYZ[space](left)


I'm familiar with both the "simple algorithm", where one wheel is used exclusively for the plaintext and another for the ciphertext, and the "advanced algorithm" where there is a "takeoff pattern" determining which wheel is used for which plaintext and ciphertext characters. Did John Byrne or his son describe a keying or priming method for setting the wheel alphabets from a chosen password? If not, is there an accepted standard on how this is done? If so, how?

Also, even though the algorithm is meant to be executed by hand, what are the thoughts of using an initialization vector (IV) at the start of the plaintext message, before encrypting? So, 5 random characters? Something like:

Code:
 
TEMP:[space]JELLY[space]LIKE[space]ABOVE[space]THE[space]HIGH[space]WIRE[space]SIX[space]QUAKING[space]PACHYDERMS[space]KEPT[space]THE[space]CLIMAX[space]OF[space]THE[space]EXTRAVAGANZA[space]IN[space]A[space]DAZZLING[space]STATE[space]OF[space]FLUX
PASS:[space]HGIYBDWJXGEQGKKRRHIAAYTQFPWASJ
IV:[space]WYWIA

PAD[space]=[space]XXX
PT[space]=[space]TEMP[space]+[space]PAD[space]=[space]JELLYLIKEABOVETHEHIGHWIRESIXQUAKINGPACHYDERMSKEPTTHECLIMAXOFTHEEXTRAVAGANZAINADAZZLINGSTATEOFFLUXXXX

TEMP[space]=[space](encrypt[space]PT)
CT[space]=[space]IV[space]+[space]TEMP


Here, padding is defined by PKCS#7 such that the resulting plaintext is a multiple of 5 characters (standard field ciphers). Thus, the following could be appended as necessary to meet that requirement: "V", "WW", "XXX", "YYYY", or "ZZZZZ".

It would seem to follow that both the password and the IV would key the wheels in the same deterministic manner, and that that algorithm could be different than the standard algorithm for encrypting the plaintext. However, I'm just curious if a standard already exists. If so, I couldn't find anything online, including the papers published by Moshe and others.

Thanks.
Edited by atoponce, Jul 6 2015, 04:05 AM.
Offline Profile Quote Post Goto Top
 
mosher
Super member
[ *  *  *  * ]
Hi Aaron,

Good to hear from you in the Crypto Forum!

In answer to your question whether Byrne documented a standard method for generating alphabets, the answer is a definite yes! Check out the document Chaocipher Revealed: Deciphering Exhibit #1 of "Silent Years" on page 8, in the section called "Deriving Starting Alphabets from a Keyword". There you will see Byrne's method for priming the left and right alphabets. His method has a weakness that, given the starting alphabets, a cryptanalyst can work backwards to derive the key word(s). See Carl Scheffler's page Chaocipher: Cracking Exhibit 1, in the section entitled "How to Reverse Engineer a Key from a Starting Alphabet"

Moshe
.
Offline Profile Quote Post Goto Top
 
atoponce
Member Avatar
Just registered
[ * ]
Ah. Perfect. Thanks Moshe!

So, if I understand the weakness correctly, the key phrase can be discovered, if and only if the starting alphabets are known. Because the starting alphabets are the key itself, so long as they are secrets, the key phrase priming the alphabets, as of currently, cannot be discovered by observing the ciphertext only. In fact, if every enciphered message is encrypted with a different pair of starting alphabets (as it should be), it seems that both CPA and KPA won't work here, as Carl Scheffler used in his attack, with known starting alphabets.

However, as you mentioned in your paper, it is interesting that "THINKITHINK" with the pattern "RLLRLLRRLR" produces the same starting alphabets as the key phrase "TILNOYHIVK" with "RRRRRRRRRR", or "THIKKTBDNB" with "LLLLLLLLLL". This seems problematic to me. This reduces the keyspace by 1/3. So, if I am understanding this correctly, suppose I want at least 80-bits on entropy in my key phrase. This means I would need at least an 18 character key phrase for keying the deck. But, knowing that 3 key phrases can key identical alphabets, if I have done my math correctly, I need at least a 26-character key phrase to achieve those same 80-bits of entropy.

Is this correct?
Offline Profile Quote Post Goto Top
 
mosher
Super member
[ *  *  *  * ]
That's a difficult questions to answer, so I leave it to you to do the math ;) . But yes, there are equivalent key sets.

We have two examples of Byrne's priming the alphabets, one in Exhibit #1 (which you saw in the paper) and the other in Exhibit #4. In both cases, Byrne started with straight alphabets (i.e., A-to-Z), enciphered a key word ('THINKTHINK' in Exhibit #1 and 'CHAOCIPHER' in Exhibit #4), findings all plaintext letters in the right alphabet, and using the resulting alphabets.

The ability to backtrack on the alphabets and discover the keyword is dependent on the fact that the original alphabet A-Z order is still retained somewhat (see Scheffler's method). If a longer keyword were used, the diffusion would probably destroy whatever alphabet letter order there is left, rendering the task of reconstructing the keyword extremely hard to impossible.
Offline Profile Quote Post Goto Top
 
atoponce
Member Avatar
Just registered
[ * ]
Perfect! Thanks Moshe!
Offline Profile Quote Post Goto Top
 
mosher
Super member
[ *  *  *  * ]
Having said that, Kruh and Deavours, in their Exhibit #5 challenge message, used a left/right alphabet takeoff key for priming the alphabets. See Chaocipher: Exhibit 5 Solution (by Jeff Calof) page 1 for just such a key.
Edited by mosher, Jul 6 2015, 05:43 PM.
Offline Profile Quote Post Goto Top
 
atoponce
Member Avatar
Just registered
[ * ]
So, after looking over the papers, I'm thinking that just sticking with an all-pile pattern (using a deck of playing cards) with a key of sufficient entropy should be fine for keying the alphabets prior to encryption/decryption.

Knowing that two field agents already need to exchange either enough: 1) key material or 2) passphrase material for sufficient message exchanges, it seems burdensome and possibly problematic to communicate yet another secret, in this case, the takeoff pattern. If a field code book is printed, then this wouldn't be problematic, and field agents should be familiar with how to use the takeoff patterns for keying the alphabets, as well as encrypting/decrypting the messages. But, unnecessarily using both left and right alphabets with the key phrase could introduce human error due to the unnecessary complexity.

As such, for simplicity without compromising security, as well as minimizing the chance of error when executing the cipher by hand, it seems to make the most sense to use either the left or right alphabet for the key phrase, rather than both. So, I think at this point, in my wiki on the card cipher implementation of the Chaocipher, that I'll recommend just using the right alphabet for keying. The diffusion of the alphabet order will depend on the entropy of the key phrase. So, provided such a key phrase, two field agents will need to rely in the security of the algorithm, as the unpredictability of the starting alphabets will be too high.
Offline Profile Quote Post Goto Top
 
1 user reading this topic (1 Guest and 0 Anonymous)
« Previous Topic · Chaocipher · Next Topic »
Add Reply