POLYMORPHIC CIPHERS

1. POLYMORPHIC CIPHERS By: C.B. Roellgen Presented By: Prabal Kumar Gupta Id: 2005H103014

2. Contents • Introduction • Design Goals • Primitive Pseudo Random number Generators • Operating Principle of PMC • Design of primitive random number generators • Security of PMC • Attacks & their likelihood of success • Encryption Speed of PMC • Conclusion

3. Introduction • Belongs to class of Symmetric Ciphers (Stream Ciphers) • Strongest Cipher available today • Randomized Encryption Algorithm • Both data & Algorithm are undefined in the beginning • A mathematical equation equation cannot be solved !

4. Introduction (Contd..) • Machine Code is assembled at random to yield extra security against all attacks. • Safe against the analysis of the program’s instruction sequence. • Actual Polymorphic Algorithm is inherently UNKNOWN

5. Design Goals • Combine a stream cipher design with post processing methods used in block ciphers. • Create a key stream generator which is nearly as powerful as one time pad. • Stacking of randomly selected primitive key stream generators to form one single source for a pseudo random bit stream. • Randomize the encryption algorithm. • Increase the available history of all primitive random number generators to a practical maximum. • Maximize the processing speed.

6. Primitive Pseudo-Random Number Generators • Linear Congruential Random Number Generator (LCRNG) Xi+1 = a Xi + b mod m {X0,X1,…..} are output sequence with starting point X0 a, b, m are secret parameters. Knowledge of few Xi reveals all the secret. • Add with Carry Generator (ACG) Xn = Xn-s + Xn-r + carry mod m s, r are secret parameters.

7. Primitive Pseudo-Random Number Generators (Contd…) • Multiply with Carry Generators (MCG) It uses the following function: Xn = a Xn-1 + carry mod m a, m are secret parameters. If a set of set of primitive random number generators concatenated than the security holes of each primitive RNGs are easily filled.

8. Operating Principle of PMC

9. Operating Principle of PMC (Contd..) • Pass phrase (key) is compiled to machine code. • Compiler assembles the standardized RNGs (building Blocks) to form a single whole RNG which works on history data array • History data array is initialized with the pass phrase or its binary representation or a hash of it • After the execution of formed RNG the bit pattern in the history data array is near –random • Part of the compiled internal state or the whole of the data array can be used for bitwise XOR operation with plain text.

10. Design of Primitive RNG (Building Blocks) As an example consider LCGRNG which computes Xi+1 = a Xi + b mod m a = 515, b = 5 and m = 10000001d • The propagated history is passed from one building block to another in the 32 bit register ebx. • The processor register ebp is used as pointer to 32 bit words in data history array. • The compiler predetermines two variables x and y which determines which part of the history data array is used by LCGRNG and which data bits are later changed.

11. Design of Primitive RNG (Building Blocks) (Contd..) push ebp; //ebp must never be destroyed mov eax,[ebp+x]; //load history[ebp+x]in AL xor eax,ebx; //add the propagated history passed on in register ebx from the preceding primitive PRNG imul eax,$00000203; //a=515 b=5 add eax, $00000005; mov ecx, $000f4241; //m=1000001d idiv ecx; mov ebx,edx; //mov modulo part of the result in ebx xor [ebp+y],edx; //save 32 bits in the history data array pop ebp;

12. Security of PMC The security of this scheme lies in the fact that it has a large key space. An Example: Suppose there are 4 cryptographic instruction block and 128 instruction blocks have to be assembled chaotically then there will be 4128 = 1158*1077 encryption algorithms. In addition to this if the key size is 128 bit then total no. of keys would be 2128 =3403*1038. The two key spaces multiplied together would yield 1158*1077*3403*1038 possible key combinations of PMC.

13. Attacks & their likelihood of Success • Exhaustive Search (Brute Force Attack) Try each possible key until message deciphers properly. As shown a key space of at least 128 bits is sufficient. • Chosen Key Try various keys on known plaintext and compare the resulting ciphertext, to try & build the correct key value. The key is more or less the algorithm itself & PMC function comes in different shapes with each key, so the there is no possibility to isolate & work separately on some kind of table.

14. Attacks & their likelihood of Success (Contd..) • Known Plaintext With this kind of attack, one plaintext ciphertext pair contains sufficient information to obtain the content of key data array. In order to identify a key, both the keys have to searched using exhaustive key search. • Chosen Plaintext The weakness to be exploited here usually depends upon the ciphering system. As far as PMC is concerned, there is no static algorithm with known weakness.

15. Attacks & their likelihood of Success (Contd..) • Meet in the Middle Attack With a multi layered structure, given known or defined plaintext, search the top key space to find every possible result, and search the bottom key space to find every possible value. The PMC uses a large key and consequently adds a huge amount of unknown algorithm which multiplies with in the beginning unknown data key space to yield extra complexity.

16. Encryption Speed of PMC The inherent speed limit of most of the common ciphers is O(n2), n being the size of key k. While, the processing time of PMC is only a linear relationship O(n) for a key size of n bits.

17. Conclusion For the presented Encryption • There exists only exhaustive search attack. • No practical ways to reconstruct keys from plain text. • Adds significant amount of possible & equally probable algorithmic keys, thus yielding higher security. • The 512 bit PMC cryptosystem is most probably fastest algorithm in the world!