vulcan-cryptanalysis
vulcan-cryptanalysis
vulcan-cryptanalysis
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
to us that it would have made more sense to either have allowed the user to<br />
enter all 138 bits, or to have made Vulcan use a shorter cryptovariable.<br />
As an aside, we also note that the DVP key loader lacks the ability to<br />
generate a random cryptovariable, requiring the user to enter a CV of their own<br />
creation. This is certain to lead to poorly-chosen values, as our experience is<br />
that many users of cryptographic equipment, when allowed to choose their own<br />
CV, will simply enter an easily guessed sequence such as 1234..., etc.<br />
One might intuitively think that limiting the CV to 71 bits greatly reduces<br />
overall security, given that the Vulcan CV is natively 138 bits; however, since the<br />
Vulcan cipher is effectively linear, the length of the CV is of little consequence.<br />
Solving a system of linear equations in 138 unknowns is scarcely more difficult<br />
than solving a system of linear equations in 71 unknowns (or far fewer, for<br />
that matter). Motorola most likely realized this and made their decision on<br />
cryptovariable length accordingly.<br />
Another possibility regarding the length of the cryptovariable is the influence<br />
of external constraints, such as export restrictions. We know that in the 1990s,<br />
the US government would only allow export of cryptography restricted to 40 or<br />
fewer bits of cryptovariable [4]. We do not know what the restrictions were in<br />
the 1970s, but we can safely assume they were no more permissive than they<br />
were in the 1990s, and were likely less so. Again we are left to guess as to what<br />
the true reasons behind Vulcan’s unusual CV length were.<br />
Our second question is why Vulcan is so weak. Admittedly, cryptography<br />
was much less well understood in the early 1970s than it is today; nonetheless,<br />
anyone with an undergraduate education in mathematics would have known at<br />
that time that Vulcan was seriously weak. It would not surprise us if this was<br />
deliberate.<br />
Inspection of the SC76807 IC layout reveals certain clues as to alternatives<br />
the designers might have had in mind. Specifically, the XOR tree has provisions<br />
to accommodate additional bits from the CV shift register, yet this circuitry is<br />
not hooked up. Also, the ciphertext shift register has a provision for insertion<br />
or extraction of bits approximately half-way through its 21 bits, a feature that<br />
was not used and the purpose of which is not clear to us.<br />
Strictly speaking, Vulcan is nonlinear due to the GF (2) multiplications<br />
present in the XOR tree; however, as we have shown, we can linearize Vulcan<br />
by assuming these GF (2) multiplications simply represent bits that must<br />
be solved for via exhaustive search. Since there are only seven unknowns, this<br />
exhaustive search is trivial. The designers could have made exhaustive search<br />
far less fruitful by including more bits from the CV shift register in the GF (2)<br />
multiplications, but they chose not to do so. We are puzzled by this.<br />
Furthermore, even a simple nonlinear operation in the ciphertext mixing<br />
function would have eliminated the simple attack of linear algebra, but the<br />
designers chose not to do this either. We cannot offer a reasonable explanation<br />
why a simple nonlinearity was not included in order to strengthen Vulcan. Our<br />
suspicion is that Vulcan is deliberately weak, although we have no proof of<br />
this. Nonetheless, we prefer this explanation to the alternative possibility that<br />
the designers were simply incompetent. Now that Vulcan has been thoroughly<br />
26