Moderator: mosher

Keying the Chaocipher from "unkeyed" wheels

atoponce
Just registered
Joined: October 8th, 2014, 3:08 am

July 6th, 2015, 4:01 am #1

I have implemented the Chaocipher with playing cards, which can be found on my wiki at http://aarontoponce.org/wiki/card-ciphers/chaocipher. I would now like to implement the Chaocipher in Python. However, I am curious if a "standard" has been set for keying the two wheels. I'm assuming the unkeyed wheels are:

Code:

    ABCDEFGHIJKLMNOPQRSTUVWXYZ (right)
    ABCDEFGHIJKLMNOPQRSTUVWXYZ (left)

I'm familiar with both the "simple algorithm", where one wheel is used exclusively for the plaintext and another for the ciphertext, and the "advanced algorithm" where there is a "takeoff pattern" determining which wheel is used for which plaintext and ciphertext characters. Did John Byrne or his son describe a keying or priming method for setting the wheel alphabets from a chosen password? If not, is there an accepted standard on how this is done? If so, how?

Also, even though the algorithm is meant to be executed by hand, what are the thoughts of using an initialization vector (IV) at the start of the plaintext message, before encrypting? So, 5 random characters? Something like:

Code:

    TEMP: JELLY LIKE ABOVE THE HIGH WIRE SIX QUAKING PACHYDERMS KEPT THE CLIMAX OF THE EXTRAVAGANZA IN A DAZZLING STATE OF FLUX
    PASS: HGIYBDWJXGEQGKKRRHIAAYTQFPWASJ
    IV: WYWIA

    PAD = XXX
    PT = TEMP + PAD = JELLYLIKEABOVETHEHIGHWIRESIXQUAKINGPACHYDERMSKEPTTHECLIMAXOFTHEEXTRAVAGANZAINADAZZLINGSTATEOFFLUXXXX

    TEMP = (encrypt PT)
    CT = IV + TEMP

Here, padding is defined by PKCS#7 such that the resulting plaintext is a multiple of 5 characters (standard field ciphers). Thus, the following could be appended as necessary to meet that requirement: "V", "WW", "XXX", "YYYY", or "ZZZZZ".

It would seem to follow that both the password and the IV would key the wheels in the same deterministic manner, and that that algorithm could be different than the standard algorithm for encrypting the plaintext. However, I'm just curious if a standard already exists. If so, I couldn't find anything online, including the papers published by Moshe and others.

Thanks.
Last edited by atoponce on July 6th, 2015, 4:05 am, edited 2 times in total.

mosher
Super member
Joined: May 26th, 2009, 10:24 am

July 6th, 2015, 10:53 am #2

Hi Aaron,

Good to hear from you in the Crypto Forum!

In answer to your question whether Byrne documented a standard method for generating alphabets, the answer is a definite yes! Check out the document Chaocipher Revealed: Deciphering Exhibit #1 of "Silent Years" on page 8, in the section called "Deriving Starting Alphabets from a Keyword". There you will see Byrne's method for priming the left and right alphabets. His method has a weakness that, given the starting alphabets, a cryptanalyst can work backwards to derive the key word(s). See Carl Scheffler's page Chaocipher: Cracking Exhibit 1, in the section entitled "How to Reverse Engineer a Key from a Starting Alphabet".

Moshe

atoponce
Just registered
Joined: October 8th, 2014, 3:08 am

July 6th, 2015, 12:16 pm #3

Ah. Perfect. Thanks Moshe!

So, if I understand the weakness correctly, the key phrase can be discovered, if and only if the starting alphabets are known. Because the starting alphabets are the key itself, so long as they are secrets, the key phrase priming the alphabets, as of currently, cannot be discovered by observing the ciphertext only. In fact, if every enciphered message is encrypted with a different pair of starting alphabets (as it should be), it seems that both CPA and KPA won't work here, as Carl Scheffler used in his attack, with known starting alphabets.

However, as you mentioned in your paper, it is interesting that "THINKTHINK" with the pattern "RLLRLLRRLR" produces the same starting alphabets as the key phrase "TILNOYHIVK" with "RRRRRRRRRR", or "THIKKTBDNB" with "LLLLLLLLLL". This seems problematic to me. This reduces the keyspace by 1/3. So, if I am understanding this correctly, suppose I want at least 80 bits of entropy in my key phrase. This means I would need at least an 18-character key phrase for keying the deck. But, knowing that 3 key phrases can key identical alphabets, if I have done my math correctly, I need at least a 26-character key phrase to achieve those same 80 bits of entropy.

Is this correct?

mosher
Super member
Joined: May 26th, 2009, 10:24 am

July 6th, 2015, 1:47 pm #4

That's a difficult question to answer, so I leave it to you to do the math ;) . But yes, there are equivalent key sets.

We have two examples of Byrne's priming the alphabets, one in Exhibit #1 (which you saw in the paper) and the other in Exhibit #4. In both cases, Byrne started with straight alphabets (i.e., A-to-Z), enciphered a key word ('THINKTHINK' in Exhibit #1 and 'CHAOCIPHER' in Exhibit #4), finding all plaintext letters in the right alphabet, and using the resulting alphabets.

The ability to backtrack on the alphabets and discover the keyword is dependent on the fact that the original alphabet A-Z order is still retained somewhat (see Scheffler's method). If a longer keyword were used, the diffusion would probably destroy whatever alphabet letter order there is left, rendering the task of reconstructing the keyword extremely hard to impossible.
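Added example, not code posted by anyone in this thread: the priming from straight alphabets described in post #4, with the takeoff pattern and equivalent key phrases from post #3, in Python using the publicly documented Chaocipher permutation step. The function names are chosen for this example, and the reading of the pattern ('R' or 'L' names the wheel in which the key letter is located) is an assumption.

```python
import string

STRAIGHT = string.ascii_uppercase  # unkeyed wheel, A to Z

def step(left, right, i):
    """Permute both wheels after the letter pair at index i has been used."""
    left = left[i:] + left[:i]                               # cipher letter to zenith
    left = left[0] + left[2:14] + left[1] + left[14:]        # zenith+1 drops to nadir
    right = right[i + 1:] + right[:i + 1]                    # plain letter one past zenith
    right = right[:2] + right[3:14] + right[2] + right[14:]  # zenith+2 drops to nadir
    return left, right

def crypt(text, left, right, decrypt=False):
    """Encipher (or decipher) text; returns (output, final_left, final_right)."""
    out = []
    for ch in text:
        i = (left if decrypt else right).index(ch)
        out.append((right if decrypt else left)[i])
        left, right = step(left, right, i)
    return "".join(out), left, right

def prime(key, pattern=None):
    """Key the wheels from straight alphabets by enciphering the key phrase.
    pattern is the takeoff (assumed meaning: 'R' finds the key letter in the
    right wheel, 'L' in the left); the default is all-right, as in post #4."""
    left = right = STRAIGHT
    for ch, side in zip(key, pattern or "R" * len(key)):
        i = (right if side == "R" else left).index(ch)
        left, right = step(left, right, i)
    return left, right

def equivalent_key(key, pattern, side="R"):
    """Key phrase that primes the same wheels when every letter is found in `side`."""
    left = right = STRAIGHT
    out = []
    for ch, s in zip(key, pattern):
        i = (right if s == "R" else left).index(ch)
        out.append((right if side == "R" else left)[i])  # letter sharing that index
        left, right = step(left, right, i)
    return "".join(out)

if __name__ == "__main__":
    print(prime("THINKTHINK", "RLLRLLRRLR"))                # primed (left, right)
    print(equivalent_key("THINKTHINK", "RLLRLLRRLR", "R"))  # all-right equivalent
    print(equivalent_key("THINKTHINK", "RLLRLLRRLR", "L"))  # all-left equivalent
```

Because each step depends only on the index used, any mixed takeoff pattern collapses to a single-wheel key phrase of the same length, so the pattern adds no secret beyond the alphabets it produces.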

atoponce
Just registered
Joined: October 8th, 2014, 3:08 am

July 6th, 2015, 4:57 pm #5

Perfect! Thanks Moshe!

mosher
Super member
Joined: May 26th, 2009, 10:24 am

July 6th, 2015, 5:18 pm #6

Having said that, Kruh and Deavours, in their Exhibit #5 challenge message, used a left/right alphabet takeoff key for priming the alphabets. See Chaocipher: Exhibit 5 Solution (by Jeff Calof) page 1 for just such a key.
Last edited by mosher on July 6th, 2015, 5:43 pm, edited 2 times in total.

atoponce
Just registered
Joined: October 8th, 2014, 3:08 am

July 6th, 2015, 7:47 pm #7

So, after looking over the papers, I'm thinking that just sticking with an all-pile pattern (using a deck of playing cards) with a key of sufficient entropy should be fine for keying the alphabets prior to encryption/decryption.

Knowing that two field agents already need to exchange either enough: 1) key material or 2) passphrase material for sufficient message exchanges, it seems burdensome and possibly problematic to communicate yet another secret, in this case, the takeoff pattern. If a field code book is printed, then this wouldn't be problematic, and field agents should be familiar with how to use the takeoff patterns for keying the alphabets, as well as encrypting/decrypting the messages. But, unnecessarily using both left and right alphabets with the key phrase could introduce human error due to the unnecessary complexity.

As such, for simplicity without compromising security, as well as minimizing the chance of error when executing the cipher by hand, it seems to make the most sense to use either the left or right alphabet for the key phrase, rather than both. So, I think at this point, in my wiki on the card cipher implementation of the Chaocipher, that I'll recommend just using the right alphabet for keying. The diffusion of the alphabet order will depend on the entropy of the key phrase. So, provided such a key phrase, two field agents will need to rely on the security of the algorithm, as the unpredictability of the starting alphabets will be too high.