Red Pike cipher
Alfonso De Gregorio
adg at crypto.lo.gy
Thu Feb 27 17:04:40 PST 2014
Le limited information available on the Red Pike cipher are quite
consistent with the code below: an ARX block cipher, no look-up
tables, virtually no key schedule, and requiring only few lines of
code [1].
With a 64 bit key size the Alleged Red Pike (ARP) is insecure by
modern standards. But it was possibly insecure also in the 1990s.
ARP suffers from a large number of semi-weak keys. Actually, each key
is a semi-weak key. A pair of ARP keys (K1, K2) is said to be
semi-weak if E_K1(E_K2(M)) = M (i.e., encryption with K1 operates as
does decryption with K2). With ARP Feistel structure and its key
schedule,there are 2^63 such pairs, reducing the size of the key space
to 2^63.
The relationship between each semi-weak pairs is:
K2_L = K1_R - 2^32/phi * 17
K2_R = K1_L + 2^32/phi * 17
where phi is the golden ratio.
Being semi-weak keys a large fraction of the ARP key space,
implementations cannot apply the standard countermeasures against this
undesirable property. Picking a semi-weak key is inevitable.
The question remains: Is the Alleged Red Pike the cipher designed by the GCHQ?
[1] Anderson, Ross; Kuhn, Markus, "Low Cost Attacks on Tamper
Resistant Devices", in M. Lomas et al. (ed.), Security Protocols, 5th
International Workshop, Paris, France, April 7{9, 1997, Proceedings,
Springer LNCS 1361, pp 125-136, ISBN 3-540-64040-1,
http://www.cl.cam.ac.uk/~rja14/Papers/tamper2.pdf
On Thu, Feb 27, 2014 at 1:08 PM, Anonymous Remailer (austria)
<mixmaster at remailer.privacy.at> wrote:
>
> /* Red Pike cipher source code */
>
> #include <stdint.h>
>
> typedef uint32_t word;
>
> #define CONST 0x9E3779B9
> #define ROUNDS 16
>
> #define ROTL(X, R) (((X) << ((R) & 31)) | ((X) >> (32 - ((R) & 31))))
> #define ROTR(X, R) (((X) >> ((R) & 31)) | ((X) << (32 - ((R) & 31))))
>
> void encrypt(word * x, const word * k)
> {
> unsigned int i;
> word rk0 = k[0];
> word rk1 = k[1];
>
> for (i = 0; i < ROUNDS; i++)
> {
> rk0 += CONST;
> rk1 -= CONST;
>
> x[0] ^= rk0;
> x[0] += x[1];
> x[0] = ROTL(x[0], x[1]);
>
> x[1] = ROTR(x[1], x[0]);
> x[1] -= x[0];
> x[1] ^= rk1;
> }
>
> rk0 = x[0]; x[0] = x[1]; x[1] = rk0;
> }
>
> void decrypt(word * x, const word * k)
> {
> word dk[2] =
> {
> k[1] - CONST * (ROUNDS + 1),
> k[0] + CONST * (ROUNDS + 1)
> };
>
> encrypt(x, dk);
> }
>
More information about the cypherpunks
mailing list