TurboCrypt is the only OTFE (On-The-Fly-Encryption) software on the market featuring a high-speed Polymorphic Cipher with a 1024-bit key and block length. Compared with AES (Advanced Encryption Standard), a block length eight times as large (1024 vs. 128 bits) is intended to provide a wide safety margin against existing as well as future attacks.
View full paper as PDF here (3.7 MB)
Introduction
With the transition from 32-bit to 64-bit microprocessor architectures, very fast but processor-dependent polymorphic encryption algorithms that rely on a crypto compiler are increasingly perceived as insufficiently flexible. Resistance to all known attacks, together with the assumption that any cipher may come to be regarded as vulnerable after some time, a block and key size of 1024 bits, and a DPA-resistant design appear to be mandatory in the new millennium. It should be noted that unprotected implementations of classic block ciphers such as DES, AES and Twofish on small devices can be broken with Differential Power Analysis (DPA), a side-channel attack that targets the implementation's power consumption rather than the cipher's mathematics [S. Chari, C. Jutla, J.R. Rao, P. Rohatgi. A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.38.9312, 1999].
Why use block sizes significantly larger than what is regarded as being safe for the next millennium?
Orr Dunkelman and Nathan Keller suggest in [Orr Dunkelman, Nathan Keller. A New Criterion for Nonlinearity of Block Ciphers. http://vipe.technion.ac.il/~orrd/crypt/apnp.pdf, 2006] that it is possible to measure the effective linearity of block ciphers using almost perfect nonlinear permutations and to distinguish between them. A complexity of O(2^(n/3)) can potentially be sufficient to gain knowledge about a specific cipher, and Dunkelman and Keller point out that the effective linearity of a block cipher can be approximately computed with complexity O(2^(n/2)). The S-box used in AES comes close to an Almost Perfect Nonlinear Permutation. This property makes it possible to distinguish AES from other ciphers or from a random permutation, and it might even be possible to classify strong and weak keys and thus guess the key.
The potential threat of a cipher being classifiable in this way should be minimized in new designs. A three-round Luby-Rackoff construction is favourable here: according to Dunkelman and Keller its effective linearity is approximately 2, which is the effective linearity of a truly random permutation, and with a 1024-bit key size there is still a sufficient safety margin down to an effective key size of 512 bits should an attack of complexity O(2^(n/2)) become applicable.
What if an attack on AES were found that cuts the attack complexity down to O(2^(n/2))?
AES would then have to be regarded as broken. As a consequence, wouldn't it be desirable to have a comfortable security margin? If AES had a 256-bit block, such an attack (complexity 2^128) would still be impractical. With the actual 128-bit block, however, an attack of complexity 2^64 is within reach of a well-resourced attacker today.
A three-round Luby-Rackoff construction built from pseudorandom round functions is provably secure: it is a pseudorandom permutation against chosen-plaintext attack (four rounds are needed for security against chosen-ciphertext attack as well). This opens up the possibility of creating highly secure Polymorphic Encryption Algorithms with eight times the block length of AES that still outperform AES in terms of encryption speed.
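The construction described above, as an added example written for this page (it is not TurboCrypt or Turbo PMC V3 code, and nothing in it reflects the vendor's actual design): a three-round Luby-Rackoff (Feistel) permutation on a 1024-bit block, built from 512-bit keyed pseudorandom functions, with a deliberately slow key setup in the spirit of the design goals discussed on this page. The PRF family (HMAC-SHA512, keyed BLAKE2b, prefix-keyed SHA3-512), the use of PBKDF2-HMAC-SHA512 for key setup and its iteration count, the key-derived selector that picks one PRF per round as a toy stand-in for "polymorphic" round functions, and the helper `luby_rackoff_query_exponent` are all assumptions made for illustration.

```python
"""Three-round Luby-Rackoff permutation with a 1024-bit block.

Illustration written for this page; it is NOT TurboCrypt / Turbo PMC V3 code.
Assumptions (not from the paper): the PRF family below, PBKDF2-HMAC-SHA512 as the
deliberately slow key setup, and a key-derived selector that picks one PRF per round
as a toy stand-in for "polymorphic" round functions.
"""
import hashlib
import hmac

HALF = 64          # bytes per half block: 64 * 8 = 512 bits
BLOCK = 2 * HALF   # 1024-bit block, eight times the 128-bit AES block
ROUNDS = 3         # Luby-Rackoff: three rounds with independent PRFs give a PRP (CPA)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Three conceptually different keyed PRFs, each mapping a 512-bit half block to 512 bits.
def _prf_hmac_sha512(key: bytes, x: bytes) -> bytes:
    return hmac.new(key, x, hashlib.sha512).digest()


def _prf_blake2b(key: bytes, x: bytes) -> bytes:
    return hashlib.blake2b(x, key=key, digest_size=HALF).digest()


def _prf_sha3_512(key: bytes, x: bytes) -> bytes:
    # Prefix-keyed: safe for SHA-3 because the sponge has no length-extension property.
    return hashlib.sha3_512(key + x).digest()


PRF_FAMILY = (_prf_hmac_sha512, _prf_blake2b, _prf_sha3_512)


def key_setup(password: bytes, salt: bytes, iterations: int = 200_000) -> list:
    """Slow key setup: PBKDF2 makes every key trial cost `iterations` HMAC calls, then
    the master key is expanded into one independent 512-bit round key and one PRF
    selector per round. Returns the round schedule [(round_key, prf), ...]."""
    master = hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=HALF)
    schedule = []
    for r in range(ROUNDS):
        round_key = hmac.new(master, b"round-key:" + bytes([r]), hashlib.sha512).digest()
        selector = hmac.new(master, b"round-sel:" + bytes([r]), hashlib.sha512).digest()[0]
        schedule.append((round_key, PRF_FAMILY[selector % len(PRF_FAMILY)]))
    return schedule


def encrypt_block(schedule: list, block: bytes) -> bytes:
    """Feistel rounds: (L, R) -> (R, L xor F_k(R))."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 1024 bits")
    left, right = block[:HALF], block[HALF:]
    for round_key, prf in schedule:
        left, right = right, _xor(left, prf(round_key, right))
    return left + right


def decrypt_block(schedule: list, block: bytes) -> bytes:
    """Inverse: run the rounds backwards, (L', R') -> (R' xor F_k(L'), L')."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 1024 bits")
    left, right = block[:HALF], block[HALF:]
    for round_key, prf in reversed(schedule):
        left, right = _xor(right, prf(round_key, left)), left
    return left + right


def luby_rackoff_query_exponent(block_bits: int) -> int:
    """The Luby-Rackoff bound gives a distinguishing advantage of about q^2 / 2^n for
    n-bit halves, so a distinguisher needs roughly 2^(n/2) = 2^(block_bits/4) chosen
    plaintexts: 2^32 for a 128-bit block, 2^256 for a 1024-bit block."""
    return block_bits // 4


if __name__ == "__main__":
    sched = key_setup(b"correct horse battery staple", b"example-salt")
    pt = bytes(range(BLOCK))          # constructed sample plaintext, 128 bytes
    ct = encrypt_block(sched, pt)
    assert decrypt_block(sched, ct) == pt
    print("1024-bit block round-trip OK; distinguisher needs ~2^%d queries"
          % luby_rackoff_query_exponent(BLOCK * 8))
```

Two points worth noting about the design: the Luby-Rackoff proof assumes each round function is an independent PRF, and a key-selected member of a family of PRFs still satisfies that assumption, so the "polymorphic" selection does not weaken the argument. The bound, however, is in the half-block size n, so the query cost of a generic distinguisher grows with 2^(block/4), not 2^(block/2); the large block is what keeps that figure at 2^256 here. The iteration count is the knob behind the "expensive key setup" goal: it raises the cost of every password guess by the same factor for the attacker and the legitimate user.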
Design Goals for Turbo PMC V3, a 1024-Bit Block Cipher for Storage Devices
Block level encryption:

Design goal | Turbo PMC V3 | AES (Rijndael)
--- | --- | ---
Resistance against all known attacks | TPMC V3 is also DPA resistant, although this matters little on very complex targets such as modern microprocessors with more than 100 million transistor equivalents. | Unprotected implementations can be broken easily by DPA (Differential Power Analysis) on small microprocessors and microcontrollers [11].
Resistance against future attacks that cut the effective key size by ½ or even ⅔ | Cutting the effective key size by ¾ still leaves a complexity of O(2^256), which is regarded as safe against any foreseeable computation. | Cutting the effective key size by ½ leaves a complexity of only O(2^64); the cipher would be regarded as broken [10].
Proven security | Three-round Luby-Rackoff has a security proof [4]; polymorphic encryption is increasingly popular among experts, but its security is probably impossible to prove. | Security is not proven, and extensive peer review indicates that the cipher could be broken in the future: for 128-bit Rijndael, recovering the secret key from a single plaintext can be written as a system of 8000 quadratic equations in 1600 binary unknowns [9].
Platform independence | Runs on any 32- or 64-bit microprocessor or microcontroller. | Runs on any 8-, 16-, 32- or 64-bit microprocessor or microcontroller.
Polymorphism and data-dependent selection of functions | Both features make TPMC V3 a fully variable cipher with no static weakness. | Classic ciphers are static and can therefore be thoroughly reverse-engineered and analysed; cryptanalysis of a mechanism that always does exactly the same thing is easier than of one that never performs the same operation twice.
Use of large amounts of resources | With a 320 kbit internal state, TPMC V3 requires roughly 1,000,000 transistor equivalents to run. This alone makes a brute-force attack more difficult and much more expensive than for conventional ciphers. | Fewer than 50,000 transistor equivalents are needed to build an AES block, so roughly 1,000,000 AES blocks can run in parallel on an 8-inch wafer in a brute-force attempt.
Extremely long key setup time | > 100 ms on a modern microprocessor makes comparatively short keys safe against brute-force attacks run on a few machines. Relative to a 1 µs setup, it multiplies the time (and hence energy) needed per key trial by roughly 100,000. | < 1 µs lets attackers try each and every password combination. This is highly dangerous when short passwords are used to protect data.
Attacks need to be expensive for the attacker | Because TPMC V3 requires many resources and a very long key setup, an attacker needs a "time × resources" budget roughly 2,000,000 times that needed against AES (Rijndael) for keys of similar length (about 20 times the transistors and 100,000 times the setup time). | Trying an AES key requires 50,000 transistor equivalents and less than 1 µs. This is not much at all, and it is a real weakness.
Possibility to customize the algorithm so that customizations are conceptually different | TPMC V3 can be customized in complexity, polymorphic worker functions can be replaced by conceptually different functions, and the block size can be adapted. | Not possible at all.
High speed | Approx. 920 Mbit/s on an Intel Core Duo 6600 (2.4 GHz), 64-bit C++ code. | Approx. 730 Mbit/s on an Intel Core Duo 6600 (2.4 GHz), 64-bit C++ code.
Design Rationale
Unlike conventional designs, which are all based on a fixed algorithm, Turbo PMC V3 is based on interpreted crypto code, so that different keys yield conceptually different encryption algorithms. The result is nevertheless a deterministic 1024-bit block cipher: for a given key, every plaintext block maps to exactly one ciphertext block.
In short, the following design criteria were taken into account:
- Complex design
- Resistance against all known attacks
- Huge block size (1024 bits) in order to keep a safety margin of a factor of 4 and so ensure resistance against future attacks
- Balancing performance, use of CPU and memory resources, and the number of operations needed to initialize the crypto context, for a single application: OTFE software
- Huge crypto context: approx. 40 kbyte (compared with 52 bytes for AES)
- Extremely lengthy key setup / key expansion process
- Huge code size: > 50 kbyte for the 32-bit version (compared with 1135 bytes for AES on a 68HC05 smart card)
- Use of provable concepts (Luby-Rackoff in conjunction with polymorphic pseudorandom functions)
- Cipher differs conceptually with each and every key combination
- High encryption/decryption speed
- Forcing the attacker to analyse multiple paths, so that the attacker's task grows exponentially in the number of calls to polymorphic pseudorandom functions