General philosophy ================== Pegwit is intended to be simple to understand, in contrast to PGP which in my opinion is over-sophisticated ( too many bells and whistles ). Thus the number of primitives and options has been kept to a minimum, possibly at some cost in convenience. In particular the absence of key-rings etc. means that the only 'state' information is the secret password, which can be memorised ( and easily backed up on paper for people with a poor memory ). Thus it is easy to use pegwit when you do not happen to have your key-ring with you - all that is needed is a copy of pegwit.exe, and knowledge of your password. The drawback is that the responsibility for storing and verifying public keys is left to the user. This means that pegwit in its current form is most suitable for occasional use. A GUI news/email front end for Windows-95, with an integrated address book containing public keys would be a step forward. However I guess this would be a big job. Security ======== The expected security of the public key component is 120 bits, assuming good passwords. Even modest passwords (such as the 6 character challenge password) may require quite a large amount of computing effort to break, since testing a single password takes of the order of 1/10 second on a pentium. The manual recommends a minimum of 10 characters. The security of the block cipher square should be 128 bits. The security of the double-barreled version of SHA1 is expected to be between 80 and 120 bits, assuming that SHA1 has no cryptographic weakness. Note that these 'birthday' attacks require the co-operation of the victim ( he has to be persuaded to sign a document which he has not changed ), and are one-off. Implementation ============== For exact details of implementation it is best to refer to the actual source, but here are some details on how pegwit works internally. The main components are An elliptic curve over GF(2^255) SHA1 The block cipher square Here is an outline of how these components are implemented and used. (1) The elliptic curve The field is represented as polynomials of degree 17 with coefficients which are elements of GF(2^15). In the following, t is used for polynomials in the small field, q is used for the degree 17 polynomials. A reduction trinomial with coefficients in GF(2) is used, viz. t^0.q^0 + t^0.q^3 + t^0.q^17 The primitive polynomial used for multiplying in GF(2^15) is t^0 + t^2 + t^15 The equation of the elliptic curve is y^2 + xy = x^3 + EC_B where EC_B is the polynomial = ( t^0 + t^5 + t^7 ) . q^0 The above constants are all defined in ec_param.h The order of the fixed point on the curve ( curve_point ) is a 241 bit prime ( prime_order ). These constants are both defined at the top of ec_curve.c The Nyberg-Rueppel scheme is used for signatures. (2) SHA1 is used both for generating MAC's (message authentication codes) and for key generation. A double-barreled version is used to generate the MAC, the second SHA1 context is fed an extra 0 after initialisation. A 240 bit MAC is made up of 160 bits from the first context, and the remaining 80 bits from the second context. To generate secret 240 bit multipliers, or for generating 128 bit keys for square, SHA1 is used to repeatedly hash a structure consisting of 32 bit counter and a seed whose form depends on the multiplier being generated. 16 bits are used from each SHA1 application. The counter runs from 1 to 15. For generating a secret key, the seed is the SHA1 hash of the external secret key ( pass-phrase ). For generating a multiplier for encryption, the seed is the SHA1 hash of the random input material, concatenated with the single- barrelled SHA1 hash of the file being encrypted, and the value returned by time(0) For generating a multiplier for a digital signature, the seed is the SHA1 hash of the secret key, concatenated with the double-barreled SHA1 hash of the file being signed. (3) The square block cipher is used to encrypt data. CBC mode is used, i.e. before encryption, the plaintext is xor-ed with the block which has just been encrypted. A new initialisation vector is generated every 4k bytes, to allow the possibility of random access to encrypted files. The IV is generated by encrypting a counter with square. George Barwood