*The SHADO encryption protocol has been developed by Keganzo in order to have a simple, fast and secure protocol to protect communications over an insecure channel, i.e. internet.*

SHADO Encryption Protocol by Keganzo Srl is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

**The SHADO encryption procotol is a brand-spanking new strong synchronous stream cipher ^{1}.**

A stream cipher can be used to generate serially many keystreams^{2} from the same random initialization vector (IV)^{3}.

Each keystream can be used to encrypt a message by XOR-ing^{4} it with the plaintext digits to form the ciphertext.

The stream cipher can be viewed as approximating a theoretically unbreakable cipher, the *One-Time Pad* encryption system^{5}, proved to be secure by Shannon in 1949 but very cumbersome to implement in practice.

The main difference with stream ciphers is that one-time pads keystreams are generated completely at random with at least the same length as the plaintext and they aren't used more than once.

**For a stream cipher to be secure, its pseudo-random numbers generator (PRNG) must have both a large period and at least a 256-bit length IV to make impossible to recover the cipher’s internal state from the keystreams. Moreover, keystreams must be free of even subtle biases that would let attackers distinguish a stream from random noise.**

An outstanding feature of a synchronous stream cipher is that the sender and receiver must be exactly in step for decryption to be successful. If message digits are added, changed or removed during transmission, synchronisation is lost and tampering is detected.

**The Mersenne-Twister (MT) PRNG is a good candidate to be the core of a stream cipher since it provides fast generation of high-quality pseudo-random integers, it has a vastly longer period (2 ^{19937} - 1) and its IV can be up to 2048 bits long. Moreover, it passes numerous tests for statistical randomness as the Diehard tests^{6,7}.**

However, since MT is based on a linear recursion and the whole, huge sequence can be predicted with only a small sub-sequence of 624 numbers^{8}, **a secure hashing of the output must be achieved to make MT cryptographically secure ^{9,10}.**

At the beginning of a communication session the two interacting parts generate unique cryptographically secure random 1600-bit length IVs on-the-fly (achieving *perfect forward secrecy*^{11}). They negotiate those IVs by means of the Diffie-Hellman (DH)^{12} with ElGamal Authentication (EA)^{13} protocol, whose parameters are choosen accordingly to scientific literature (e.g. 10^{100}-order random prime numbers). The ElGamal component ensures that the two parts authenticate and trust each other against tampering and a possible Man-in-the-Middle (MitM) attack, which would be the only vulnerability of a DH protocol.

Each interacting part is provided with a stream cipher as the one outlined below. It is made of two Mersenne-Twister PRNGs whose interaction gives rise to a ciphertext encrypted with cryptographically secure pseudo-random keystreams.

The first half of the exchanged IV is used to seed with an 800-bit length key a Mersenne-Twister PRNG (we called Keystream MT or KMT). The task of the KMT is to generate one-time keystreams for encrypting each message exchanged between the two parts at runtime (e.g., symmetric key cryptography), then reproducing the one-time pad behaviour. The KMT output is input in a multiplier, whose task is to compress information about the MT sequence iteratively and make it criptographically secure.

For the purpose of making the KMT cryptographically secure, one more MT (we called Poisoning MT or PMT) is seeded at the beginning of the session with the second half of the exchanged IV. The PMT determines the amounts of the KMT extractions to multiply iteratively. Only the most significative 8 bits of the resulting number are taken at each iteration. However, our PMT multiplies a random amount (in the range 8-32) of KMTs extractions, in place of taking a fixed sequence of 8 extractions, as done by Matsumoto et al.^{14}. This way, the compressed sub-sequence which gives rise to the final PRNG output number is unpredictable enough against the 624-sequence exploit. Even more: if the pseudo-random sequence generated by the KMT should run out of steam, next cycle would generate different *poisoned* numbers, that is, a completely new pseudo-random sequence, and so on for any further cycle with period (2^{19937} - 1).

*To decrypt a SHADO message or file you need to know either the KMTs and PMTs IVs and the exact one-time keystreams extracted by the KMTs poisoned by the PTMs. Any deviation from the right MT pseudo-random sequences would determine a decryption error which can be detected by the two parts as an attempt to hack the communication. Moreover, because of the perfect forward secrecy, guessing the right sequence of a session doesn’t enable you to decrypt past or future communications.*

Because of the mathematical properties of one-time keystreams cryptography SHADO cannot be defeated by a brute-force attack.

For the attack to be successful, the attacker must be in control of the input to the hashing function. This can’t be achieved in SHADO because the hashing function is seeded randomly with the secure Diffie-Hellman key exchange. Moreover, SHADO is secure against cryptanalysis attacks (known plaintext, chosen plaintext, chosen ciphertext) because of both the vastly longer period of the KMTs and the random poisoning performed by PMTs on the one-time keystream extractions.

SHADO is immune to a replay attack since any deviation from the synchronised KMTs sequences poisoned by the PMTs would determine a decryption error. Playbacking an encrypted message would only bring to detect the hack.

SHADO is immune to a man-in-the-middle attack because it uses an ElGamal asymmetric key encryption algorithm^{18} for mutual authentication and detection of genuine vs. rogue interacting parts.

*Stream Cipher*, Wikipedia.*Keystream*, Wikipedia.*Initialization Vector*, Wikipedia.*Exclusive OR (XOR)*, Wikipedia.*One-Time Pad*, Wikipedia.*Mersenne-Twister Pseudo-Random Number Generator*, Wikipedia.- Makato Matsumoto and Takuji Nishimura,
*Mersenne Twister: A 623-Dimensionally Equidistributed Uniform Pseudo-Random Number Generator*. ACM Transactions on Modeling and Computer Simulation, Vol. 8, pp 3-30, 1998. - James Roper,
*Cracking number generators - Part 3*, Blog, September 2010. *Cryptographically Secure Pseudo-Random Number Generator*, Wikipedia.- Makato Matsumoto,
*Frequently asked questions on the Mersenne-Twister PRNG*, Dept.Mathematics, Hiroshima University, 2002. *Perfect Forward Secrecy*, Wikipedia.*Diffie-Hellman Key Exchange*, Wikipedia.*ElGamal Asymmetric Encryption*, Wikipedia.- Makato Matsumoto, Takuji Nishimura, Mariko Hagita and Mutsuo Saito,
*Cryptographic Mersenne Twister and Fubuki Stream/Block Cipher*. Cryptology ePrint Archive, 2005. *Brute-Force Attack*, Wikipedia.*Collision Attack*, Wikipedia.*Cryptanalysis Attacks*, Wikipedia.*Replay Attack*, Wikipedia.*Man-in-the-Middle Attack*, Wikipedia.