[cryptography] Tigerspike claims world first with Karacell for mobile security

Jon Callas jon at callas.org
Wed Dec 26 16:38:35 EST 2012

Hash: SHA1

I took a look at it. Amusing. I didn't spend a lot of time on it. Probably not more than twice what it took me to write this.

It has an obvious problem with known plaintext. You can work backward from known plaintext to get a piece of their "tumbler" and since the tumbler is just a big bitstring, work from there to pull out the whole thing.

The encrypted Karacell file format has 64 bits that must decrypt to zero. Since encryption is an XOR onto a pseudo-one-time-pad, this leaks 64 bits of the tumbler. Similarly, the "checksum" at the end is a bunch of hash blocks of their special hash all XORed together. This doesn't work against malicious modificationp; you can cut-and-paste through XOR, etc.

There are obvious vulnerabilities to linear and differential cryptanalysis. It is a lot of XORing on large-ish fixed longterm secrets with only bit-rotating through the secrets, and between the vulnerabilities of known plaintext as well as the leaks in it, I don't see a lot of long-term strength. I bet that you can use known structure of plaintext (like that it's ASCII/UTF8, let alone things like known headers on XML files) to start prying bits out of the tumblers and you just work backwards. 

But beyond that, it isn't even particularly fast. Since it needs a lot of bit extraction and rotations, I doubt it would be as fast as AES on a processor with AES-NI instructions. The whole thing is based on doing 16-bit calculations and some bit sliding; I don't expect it to be as fast as RC4 or some of the fast estream ciphers.

Obviously, I could be missing something, but there are other errors of art that lead me to think there isn't a lot here. For example, if your basic encryption system is to take a one-time-pad and try to expand that out to more uses, zero constants are errors of art. You should know better. There are similar errors like easily deducible parameters that give more known plaintext. The author discusses using a text string directly as a key, which is very bad with his expansion system. He invented his own "message digest" functions, and they look like complete linear functions to me. They're in uncommented C that's light on indenting and whitespace. Confirmation bias might be making me miss something, but it's not like he made it easy for me.


Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii


More information about the cryptography mailing list