Hmm, I’m not actually convinced this is secure. Good S-boxes are not trivial to come up with; bad ones are vulnerable to attacks like differential cryptanalysis or linear cryptanalysis (where the S-box is modeled approximately as a linear function of its inputs). While the S-box here is secret, it’s not inconceivable that an attacker could collect enough ciphertexts (or plaintext/ciphertext pairs) to establish statistical correlations.<p>Second, the whole encryption is modeled on a series of identical encryption rounds (no per-round subkeying). I would not be surprised if this structure makes it vulnerable to a slide attack - which is an attack that specifically attacks weak round functions no matter how many times they are iterated.<p>Although I haven’t spent enough time to be certain these attacks will work, the design of the cipher does not inspire confidence. The cipher achieves poor diffusion after log2(n) rounds on highly repetitive text (e.g. “a” repeated 16 times yields “rjrjmlmlskskjbjb” after log2(n)-1=3 rounds), meaning that the minimum round count feels entirely too low to be safe.
See also the LC4 "low tech" cipher:<p>* <a href="https://news.ycombinator.com/item?id=16586257" rel="nofollow">https://news.ycombinator.com/item?id=16586257</a><p>* <a href="http://scienceblogs.de/klausis-krypto-kolumne/2018/05/14/the-low-tech-cipher-lc4/" rel="nofollow">http://scienceblogs.de/klausis-krypto-kolumne/2018/05/14/the...</a><p>And a tweaked version thereof, LS47:<p>* <a href="https://gitea.blesmrt.net/exa/ls47" rel="nofollow">https://gitea.blesmrt.net/exa/ls47</a><p>* <a href="https://weekly-geekly.github.io/articles/352448/index.html" rel="nofollow">https://weekly-geekly.github.io/articles/352448/index.html</a>
Just found this /r/crypto thread on Sarah2 from a little more than a week ago:<p><a href="https://www.reddit.com/r/crypto/comments/ea00yb/sarah2_a_strong_penandpaper_cipher/" rel="nofollow">https://www.reddit.com/r/crypto/comments/ea00yb/sarah2_a_str...</a><p>and this one on Lobsters from a day or two ago:<p><a href="https://lobste.rs/s/yuwgdd/sarah2_strong_pen_paper_cipher" rel="nofollow">https://lobste.rs/s/yuwgdd/sarah2_strong_pen_paper_cipher</a>
This looks like it would be vulnerable to a slide attack (<a href="https://en.wikipedia.org/wiki/Slide_attack" rel="nofollow">https://en.wikipedia.org/wiki/Slide_attack</a>)<p>I may have missed it, but there appear to be no instructions on how to decrypt?
The title itself is a bit of a cipher; perhaps the first sentence would better serve?<p>"Sarah2 is a cipher meant to be implemented by hand with only simple tools."