
Sarah2 Cipher - mnem
http://laser-calcium.glitch.me/
======
nneonneo
Hmm, I’m not actually convinced this is secure. Good S-boxes are not trivial
to come up with; bad ones are vulnerable to attacks like differential
cryptanalysis or linear cryptanalysis (where the S-box is modeled
approximately as a linear function of its inputs). While the S-box here is
secret, it’s not inconceivable that an attacker could collect enough
ciphertexts (or plaintext/ciphertext pairs) to establish statistical
correlations.

Second, the whole encryption is modeled on a series of identical encryption
rounds (no per-round subkeying). I would not be surprised if this structure
makes it vulnerable to a slide attack - which is an attack that specifically
attacks weak round functions no matter how many times they are iterated.

Although I haven’t spent enough time to be certain these attacks will work,
the design of the cipher does not inspire confidence. The cipher achieves poor
diffusion after log2(n) rounds on highly repetitive text (e.g. “a” repeated 16
times yields “rjrjmlmlskskjbjb” after log2(n)-1=3 rounds), meaning that the
minimum round count feels entirely too low to be safe.

~~~
nneonneo
Also, some thoughts on usability:

- The key is huge and really unwieldy. Disguising it (for subtle key
distribution) could be hard. Solitaire here has a bit of a better story
(nobody looks twice at a pack of cards), but in general a good key-derivation
function could help. (A bad key derivation function could totally compromise
this scheme - which is why it’d be good to specify one!)

- There’s no specified incremental mode of operation (which is a useful
property), which means that you’d have to manually break your ciphertext into
blocks. It’d be good to specify an optimal block size.

- The creator claims in other places (e.g. Reddit) that certain types of
attacks don’t apply because this is a hand cipher. However a hand cipher
doesn’t mean that _both_ parties must be operating the cipher by hand! It
seems like a common use-case would be for one party to have access to
technology (e.g. a spymaster), in which case a bug could enable automated
attacks on the system.

What I do like about this cipher is the conceptual simplicity; I’m just
bothered by the claim that it is a “strong” cipher without convincing evidence
of that being true.

~~~
tptacek
My intuition on the slide attack vs. human cipher argument is that the cipher
is only ever run by hand; there's no way to generate plaintext/ciphertext
pairs automatically, because no computer system ever runs it. Humans won't
generate enough message pairs to make the attack feasible.

(I haven't thought this through carefully, just spitballing).

------
throw0101a
See also the LC4 "low tech" cipher:

* [https://news.ycombinator.com/item?id=16586257](https://news.ycombinator.com/item?id=16586257)

* [http://scienceblogs.de/klausis-krypto-kolumne/2018/05/14/the...](http://scienceblogs.de/klausis-krypto-kolumne/2018/05/14/the-low-tech-cipher-lc4/)

And a tweaked version thereof, LS47:

* [https://gitea.blesmrt.net/exa/ls47](https://gitea.blesmrt.net/exa/ls47)

* [https://weekly-geekly.github.io/articles/352448/index.html](https://weekly-geekly.github.io/articles/352448/index.html)

------
miles
Just found this /r/crypto thread on Sarah2 from a little more than a week ago:

[https://www.reddit.com/r/crypto/comments/ea00yb/sarah2_a_str...](https://www.reddit.com/r/crypto/comments/ea00yb/sarah2_a_strong_penandpaper_cipher/)

and this one on Lobsters from a day or two ago:

[https://lobste.rs/s/yuwgdd/sarah2_strong_pen_paper_cipher](https://lobste.rs/s/yuwgdd/sarah2_strong_pen_paper_cipher)

------
mike_d
This looks like it would be vulnerable to a slide attack
([https://en.wikipedia.org/wiki/Slide_attack](https://en.wikipedia.org/wiki/Slide_attack))

I may have missed it, but there appear to be no instructions on how to
decrypt?

~~~
nneonneo
Pretty sure you just run the encryption algorithm in reverse - unpermute
(split input into two halves and interleave), then reverse-map through the
S-Box.
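To make the two points above concrete (the round structure and diffusion behaviour nneonneo describes in the first comment, and the "run it in reverse" decryption in this one), here is a small Python model of the cipher as the thread describes it. It is an added example, not code from the Sarah2 page or its author. The thread does not fully specify the cipher, so these are assumptions: a 27-symbol alphabet (a-z plus "_"), an S-box that is a random bijection on all 729 bigrams, and a round consisting of S-box substitution followed by a deinterleave permutation (even-indexed letters, then odd-indexed), which is the inverse of the "split into two halves and interleave" step given for decryption. The key generated by `make_sbox` is a constructed demo key.

```python
import random
import string

# Assumptions, not taken from the thread: a 27-symbol alphabet (a-z plus "_"),
# an S-box that is a random bijection on all 729 bigrams, and a round made of
# S-box substitution followed by a deinterleave permutation (the inverse of the
# "split into two halves and interleave" decryption step described above).
ALPHABET = string.ascii_lowercase + "_"
BIGRAMS = [a + b for a in ALPHABET for b in ALPHABET]


def make_sbox(seed):
    """Constructed demo key: a seeded random permutation of every bigram."""
    rng = random.Random(seed)
    images = BIGRAMS[:]
    rng.shuffle(images)
    return dict(zip(BIGRAMS, images))


def invert_sbox(sbox):
    """The S-box is a bijection, so its inverse is just the swapped mapping."""
    return {image: pre for pre, image in sbox.items()}


def substitute(text, sbox):
    """Map each non-overlapping bigram through the (forward or inverse) S-box."""
    return "".join(sbox[text[i:i + 2]] for i in range(0, len(text), 2))


def deinterleave(text):
    """Permutation step: all even-indexed letters, then all odd-indexed ones."""
    return text[0::2] + text[1::2]


def interleave(text):
    """Inverse permutation: split into two halves and riffle them together."""
    half = len(text) // 2
    return "".join(a + b for a, b in zip(text[:half], text[half:]))


def encrypt(plaintext, sbox, rounds):
    if len(plaintext) % 2 or any(c not in ALPHABET for c in plaintext):
        raise ValueError("plaintext must have even length and use only the alphabet")
    state = plaintext
    for _ in range(rounds):               # identical rounds, no per-round subkey
        state = deinterleave(substitute(state, sbox))
    return state


def decrypt(ciphertext, sbox, rounds):
    """Undo each round in reverse: unpermute, then map back through the S-box."""
    inverse = invert_sbox(sbox)
    state = ciphertext
    for _ in range(rounds):
        state = substitute(interleave(state), inverse)
    return state


def adjacent_equal_count(text):
    """Crude diffusion probe: how many neighbouring positions hold the same letter.
    For random-looking text the expected count is about (len - 1) / 27; a
    repetitive plaintext pushed through too few rounds scores far higher."""
    return sum(1 for i in range(len(text) - 1) if text[i] == text[i + 1])


if __name__ == "__main__":
    key = make_sbox(seed=2019)
    msg = "meet_me_at_noon_"
    assert decrypt(encrypt(msg, key, 4), key, 4) == msg
    # 16 x "a" after log2(16) - 1 = 3 rounds stays visibly patterned whatever the
    # key is, because equal input bigrams always map to equal output bigrams.
    c = encrypt("a" * 16, key, 3)
    print(c, adjacent_equal_count(c))
```

The diffusion probe is key-independent by construction: with only three rounds on sixteen identical letters, every even-indexed output letter equals its right-hand neighbour regardless of which S-box was drawn, which is the same kind of residue as the "rjrjmlmlskskjbjb" output quoted above. The exact order of the two steps inside a round, and whether the final permutation is applied, are assumptions here; swapping them changes which positions repeat, not the fact that they do.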

------
miles
The title itself is a bit of a cipher; perhaps the first sentence would better
serve?

"Sarah2 is a cipher meant to be implemented by hand with only simple tools."

