
Using Megabit Sized BitTorrent Objects (and the BitTorrent Protocol, and LibTorrent) to Securely Relay Gigabits of Data Over an Internet With 90% Probable Packet Interception
Abstract
It is possible to transfer gigabits of data with near perfect secrecy using the BitTorrent Protocols and BitTorrent Objects, providing one concatenates them together in a way to provide essentially concatenated encryption (as single step encryption does not fully hide predictable plaintexts).
However, each BitTorrent object must be partially washed of its original value at the nibble (or byte) level, so as to create meaningful intermediate cyphertext.
It is best that all of this be done by reprogramming (by command) LibTorrent, but with a separate function library called, say, RotorSecure_LibTorrent.
At least initially this circumvented library should have 2 operating modes: Outbound Server or Inbound Server. The roles should be changeable by a CAPTCHA interface for secure reverse messaging. Some efforts must be made to hide this encryption function library, but nothing too difficult to debug.
To hide a secret in the open, a public domain open source version of this technology should be available on the open internet. Branch code versions (for, say, individual Intelligence Agency use) should be maintained separately.
The outbound transmission (including any keying state negotiations, inbound or outbound) should appear as perfectly bland and ordinary BitTorrent encrypted file transfers of no special importance.
How it Works
Vocabulary and functionality notes
A Torrent File is just a single file encoded as a unitary single torrent object; the File Name itself is changeable.
Torrent Objects are multiple files (possibly in a directory structure) encoded beginning to end. The File Names (and Directory Names) are changeable.
The stream of bits (or bytes) in a Torrent Object (or Torrent File) is invariant.
Each BitTorrent Object (once downloaded and fully inspected for correctness) is essentially a stream of bytes (also read bits) usable for One Time Pad like cryptography.
At worst every BitTorrent Object is a very long "Running Key" for more pedestrian encryption for the lazy cryptographer.
Each BitTorrent Object essentially is a giant rotor of ordered bits, like the ones used in the classical Lorenz cipher machine.
However, a weak "One Time Pad" like data stream must be created from a programmable state machine to whiten the bits from the originating cleartext BitTorrent object. BitTorrent objects are publicly available shared secrets, so the use of a data whitener is mandatory.
If the BitTorrent object is a video file, it has literally thousands of predictable MPEG packets, but Linux ISO disk images are not much better. XORing objects like these together may produce a usable near infinite one time pad like data stream, but cleartexts will leak thru. This is not permissible, so it must not be done.
Essentially, by creating 2 sets of whitened bytes at a time from "Mega" Rotors and "One Time Pad like data streams" and XORing them together you get some pretty random bits. These random bits, in a well designed system, are practically inexhaustible.
Known Problems & Fixes
ALL "Keying States" and "Initialization States" will have to be settled on before any objects or files are transmitted, and the huge torrent objects will have to be checked for integrity.
The sender and receiver must have identical torrents, fully verified. If this condition is not true, no transmissions can take place.
The BitTorrent Objects should change monthly, depending on upload volume. In the Americas, most internet providers have a 200 GiB data transfer limit. This is enough for a full set of SR71 schematics each month (assuming the source files are image coded PDFs and IGES or Autocad files).
Huge enough BitTorrent objects can provide up to 14 GiB of scrambler ready cleartext, like: 45312FB818238B67537F0BC724804A865C839C0F. BitTorrent objects as big as 100 GiB are usable but unwieldy.
Using just a hashsum one can identify and download a torrent file or torrent object. There is a website "Torrent Cache" that allows one to do just that. Keying data can be very parsimonious, under 1k per 20 GiB worst case. Keying fragments should be no larger than a Torrent Hashsum, and equivalently coded.
The starting bytes in Torrents (Primary, Secondary) must not be the same, but a mechanism for agreeing on them is unclear at this early stage.
Starting states for the 1/4 rate bit flippers should be based on a decent random number generator fully outside any CPU instructions or operating system call. The initialization of this subsystem must be 100% self contained.
TRANSMISSION CLOAKING
The keying negotiation must be done totally outside of BitTorrent, either by a preprogrammed keying table or negotiated over a secure connection.
The "point to point" or "point to multipoint" transmission must appear as a rather ordinary BitTorrent transmission, so LibTorrent must be used to fill in the voids.
The Rotor Based near "One Time Pad" like data stream should just appear as an ordinary packet of encrypted BitTorrent data to a very boring torrent; Linux ISO volumes were made to meet this requirement.
There should be the appearance of more rekeying of the LibTorrent Client, but not a huge amount more.
To escape the suspicion of Deep Packet analysis, the rekeying rate should only be 5% above average. This rekeying should give the appearance of shoddy programming of the Client, or the appearance of lurking dodgy router code.
LibTorrent must be reprogrammed (at the source code or library code level) to impersonate dead common BitTorrent clients. As little source code meddling as possible should be done.
If the synchronization state is not maintained properly (due to bad programming, or a bad connection), the renegotiation process must appear as bland and ordinary as possible.
There is one essential usage restriction: never encrypt two different messages with the same pseudorandom data, or even the same truly random data.
Using
P for plaintext
C for ciphertext
R for (pseudo)random
and ⊕ for the XOR operation
This makes the encryption:
C1 = P1 ⊕ R
C2 = P2 ⊕ R
The enemy can intercept both ciphertexts, so he does:
X = C1 ⊕ C2 = P1 ⊕ P2
NOTE: The Rs cancel out!
This is extremely good for the attacker who now has:
X = P1 ⊕ P2
This is very weak indeed.
Because the Rs cancel out, the attacker gets the same result no matter what R is used, so the encryption no longer has any real effect and the quality of the random numbers becomes irrelevant.
From that point on, any attacker need not worry about the encryption, only about properties of the plaintexts.
If the attacker knows or can guess part of either plaintext, then the attacker can immediately infer the corresponding part of the other.
A zero byte in X means the corresponding bytes in P1 and P2 are equal. Other simple relations exist and can readily be exploited.
Any attacker can also play a sort of ping-pong: make some inferences or guesses about one text, see what that tells them about the other, make some inferences there, see what that tells him about the first text, and so on.
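
The cancellation described above, as an added Python example (not part of the original paper). The two messages are constructed samples and the function names are assumptions; the result is the reason starting offsets into a rotor must never be reused.

```python
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def intercepted_xor(p1: bytes, p2: bytes, r: bytes) -> bytes:
    """Encrypt both plaintexts under the same R and return X = C1 XOR C2."""
    c1 = xor_bytes(p1, r)
    c2 = xor_bytes(p2, r)
    return xor_bytes(c1, c2)

def equal_positions(x: bytes) -> list:
    """Offsets where X is zero, i.e. where P1 and P2 hold the same byte."""
    return [i for i, b in enumerate(x) if b == 0]

def infer_other(x: bytes, known: bytes, offset: int) -> bytes:
    """Given a known fragment of one plaintext at offset, recover the other's."""
    return xor_bytes(x[offset:offset + len(known)], known)

# Constructed sample messages (not from the original document)
P1 = b"attack target 372 at dawn"
P2 = b"attack target 518 at dusk"

if __name__ == "__main__":
    x_a = intercepted_xor(P1, P2, os.urandom(len(P1)))
    x_b = intercepted_xor(P1, P2, os.urandom(len(P1)))
    print("X independent of R:", x_a == x_b == xor_bytes(P1, P2))
    print("equal offsets:", equal_positions(x_a))
    print("inferred from known '372':", infer_other(x_a, b"372", 14))
```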
Proposed Architecture I
This architecture only requires 2 rotors and 2 programmable state machines capable of random nibble (read byte) generation. The random byte generators should only produce 2 binary 1's per 8 bits, with 1 bit per nibble. These programmable state machines are needed to whiten the predictable data of the cleartext BitTorrent objects.

Rotor Number or Product | Type, typically... | Notes
1 | A Collection of Video Files |
2 | A Programmable state machine: (1/4) bit flipper | One of 4 bits is a binary 1
1x2 | Not a rotor, but the XOR product of 1 and 2 |
3 | A Linux OS Binary, "ISO" disk image |
4 | A Programmable state machine: (1/4) bit flipper | One of 4 bits is a binary 1
3x4 | Not a rotor, but the XOR product of 3 and 4 |

Encoding Algorithm (Decoding is the inverse of this)
Starting at byte offset A1 {rotor 1} and B3 {rotor 3}
Set Rotors 1 & 3 to separate initialization states
Set initialization states for Programmable State Machines (1/4 rate bit flippers) 2 & 4
Verify synchronization state (optional)
Do until "End of File" or "End of Torrent Structure" (for Multi File Transfers)
    Execute 1x2, increment byte pointer r1
    Execute 3x4, increment byte pointer r3
    XOR bitwise 1x2 with 3x4 and store intermediate byte "iB" for encoding or decoding
    Take byte 1 of file (or torrent structure, or torrent sector) to be transmitted and XOR it with iB and store result, increment byte pointer
    When a torrent sector is full, transmit
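
The encoding loop above as an added Python example, not code from the paper or from LibTorrent. The paper does not specify the two 1/4-rate bit flippers, so `random.Random` with hypothetical seeds stands in for them (it is not a cryptographic generator); the rotors are constructed byte strings and all function names are assumptions.

```python
import random

def flip_mask(sm: random.Random) -> int:
    """1/4-rate bit flipper output: exactly one 1 bit in each nibble."""
    return (1 << (4 + sm.randrange(4))) | (1 << sm.randrange(4))

def mask_space() -> list:
    """Every value a 1/4-rate bit flipper byte can take."""
    return sorted({(1 << hi) | (1 << lo) for hi in range(4, 8) for lo in range(4)})

def intermediate_bytes(rotor1, a1, seed2, rotor3, b3, seed4, n):
    """Yield n bytes iB = (rotor 1 x flipper 2) XOR (rotor 3 x flipper 4)."""
    if a1 + n > len(rotor1) or b3 + n > len(rotor3):
        raise ValueError("rotor exhausted: refusing to wrap and reuse bytes")
    sm2, sm4 = random.Random(seed2), random.Random(seed4)
    for i in range(n):
        p12 = rotor1[a1 + i] ^ flip_mask(sm2)  # "Execute 1x2"
        p34 = rotor3[b3 + i] ^ flip_mask(sm4)  # "Execute 3x4"
        yield p12 ^ p34

def transcode(data, rotor1, a1, seed2, rotor3, b3, seed4) -> bytes:
    """Encode or decode; XOR is its own inverse, so both use the same call."""
    ib = intermediate_bytes(rotor1, a1, seed2, rotor3, b3, seed4, len(data))
    return bytes(d ^ k for d, k in zip(data, ib))

# Constructed stand-ins for the two torrent objects (not real torrent data)
ROTOR1 = bytes(range(256)) * 4
ROTOR3 = bytes((i * 7 + 3) % 256 for i in range(1024))
STATE = dict(a1=7, seed2=1234, b3=500, seed4=5678)  # hypothetical keying state

if __name__ == "__main__":
    msg = b"sector payload, constructed sample"
    ct = transcode(msg, ROTOR1, rotor3=ROTOR3, **STATE)
    print("round trip ok:", transcode(ct, ROTOR1, rotor3=ROTOR3, **STATE) == msg)
    print("distinct flipper bytes:", len(mask_space()))
```

`mask_space()` enumerates what the "one 1 bit per nibble" rule allows: 16 byte values, so each flipper contributes at most 4 bits of variation per output byte.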
Proposed Architecture II
Known weaknesses
Stream ciphers (including one-time pads) are inherently vulnerable to a rewrite attack. If an attacker knows some plaintext and has intercepted the matching ciphertext, then he can discover that portion of the pseudorandom data.
This does not matter if the attacker is just a passive eavesdropper. It gives him no plaintext he didn't already know and we don't care that he learns some pseudorandom data. We will never reuse that data, for reasons given in the previous section. For a one-time pad, having a portion of the truly random key tells him absolutely nothing about the rest of the key. For a stream cipher, having some of the pseudorandom generator's output does not allow any effective attack if the generator is well designed.
However, an active attacker who knows the plaintext can recover the pseudorandom data, then use it to encode whatever he chooses. If he can get his version delivered, and accepted as genuine by the recipient, this is a disaster. If you send "attack target 372", the delivered message can be anything the same length; perhaps the enemy would prefer "withdraw East now". An active attacker with only a reasonable guess at the plaintext can try the same attack. If the guess is correct, this works and the attacker's bogus message is delivered. If the guess is wrong, a garbled message is delivered.
The attack is completely blocked if an effective cryptographic authentication mechanism is used at either packet or message level. That mechanism detects the bogus message and either discards it or warns the user. Note, however, that while authenticating the players at channel setup time is a required step to prevent man-in-the-middle attacks, it does not prevent this attack. To stop rewrite attacks, you need authentication later on, at packet or message level.
Even ignoring whatever authentication is used, this attack is generally not practical against high speed systems with a good synchronisation mechanism, such as military radio systems or network encryption boxes. Performing the attack in real time fast enough to get a bogus message delivered without losing synchronization would be very difficult.
Systems such as TLS that use a stream cipher for a slower and less synchronized connection are more vulnerable; they definitely need authentication. Systems such as Microsoft Word encryption which apply stream ciphers to static data are even more vulnerable.
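
The rewrite attack and the message-level authentication that blocks it, as an added Python example (not part of the original paper). It uses the two 17-byte messages quoted above; the encrypt-then-MAC layout with HMAC-SHA256 and the function names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rewrite(ciphertext: bytes, known: bytes, forged: bytes) -> bytes:
    """The modification described above: C XOR P XOR P' decrypts to P'."""
    return xor_bytes(xor_bytes(ciphertext, known), forged)

def seal(keystream: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by an HMAC-SHA256 tag over it."""
    ct = xor_bytes(plaintext, keystream)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(keystream: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message discarded")
    return xor_bytes(ct, keystream)

def demo():
    """Return (text delivered without a MAC, forgery rejected?, honest text)."""
    sent, forged = b"attack target 372", b"withdraw East now"
    keystream, mac_key = os.urandom(len(sent)), os.urandom(32)
    # Unauthenticated stream cipher: the rewritten ciphertext decrypts cleanly.
    bare = rewrite(xor_bytes(sent, keystream), sent, forged)
    delivered = xor_bytes(bare, keystream)
    # Authenticated: same rewrite of the ciphertext, tag left as intercepted.
    blob = seal(keystream, mac_key, sent)
    tampered = rewrite(blob[:-TAG_LEN], sent, forged) + blob[-TAG_LEN:]
    try:
        open_sealed(keystream, mac_key, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return delivered, rejected, open_sealed(keystream, mac_key, blob)

if __name__ == "__main__":
    print(demo())
```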

Implementation weaknesses
This kind of mega rotor implementation should be malleable. Even the best thought thru implementation can be shown to have fatal weaknesses all too easily in the open source environment.
After each "One Time Pad" like encryption, the content to be transmitted must be encrypted again using the BitTorrent method. This is not a perfect solution, but any problems in the data stream will be at least partly washed away by the existing 40 bit encryption BitTorrent uses. Some versions of BitTorrent use more advanced encryption systems with larger bit keys. These are preferred by default, but the transmission system should use whatever second layer of cryptography it has access to.
An "Entropy" maximizer, sort of partly based on using zip or zlib compression, finds a point in the public torrent object that has better entropy. This entropy maximizer must also sector out areas where there is just too much predictable plaintext, like the beginning (and end) of video files. In many cases a 500 MB object may only contain 498 MB of usable entropy.
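
One way to build the zlib-based scan described above, as an added Python example (not the paper's code). The 4096-byte window, the 0.98 threshold, the function names and the sample object are all assumptions; the sample is a constructed stand-in for a media file with a predictable header and trailer.

```python
import hashlib
import zlib

WINDOW = 4096  # assumed scan granularity, not specified by the paper

def compress_ratio(block: bytes) -> float:
    """Compressed size / original size; about 1.0 means no redundancy found."""
    return len(zlib.compress(block, 9)) / len(block)

def scan(data: bytes, window: int = WINDOW, threshold: float = 0.98):
    """Split data into whole windows; return (usable_offsets, rejected_offsets)."""
    usable, rejected = [], []
    for off in range(0, len(data) - window + 1, window):
        ok = compress_ratio(data[off:off + window]) >= threshold
        (usable if ok else rejected).append(off)
    return usable, rejected

def first_usable_run(usable, window: int = WINDOW):
    """(start, length) of the first contiguous run of usable windows."""
    if not usable:
        return None
    start = end = usable[0]
    for off in usable[1:]:
        if off != end + window:
            break
        end = off
    return start, end - start + window

def sample_object() -> bytes:
    """Constructed sample: predictable header and trailer around an
    incompressible payload (SHA-256 in counter mode)."""
    header = b"\x00\x00\x01\xba" * (WINDOW // 4)
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                       for i in range(3 * WINDOW // 32))
    trailer = b"\xff" * WINDOW
    return header + payload + trailer

if __name__ == "__main__":
    usable, rejected = scan(sample_object())
    print("usable:", usable, "rejected:", rejected)
    print("first run (start, length):", first_usable_run(usable))
```

A ratio near 1.0 only shows that zlib found no redundancy in the window; it says nothing about whether the bytes are secret, and a public torrent's bytes are known to anyone who downloads it.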

Steps in the right direction
It is not perfect, but the BitTorrent Sync system and API have a lot of the properties that one would expect in a bulk data transfer system that is "point to point" or "point to network" in its design.
http://www.bittorrent.com/sync (Beta Test website, will probably be out of Beta by Summer 2014)
http://www.bittorrent.com/sync/developers/api (the Developer API)

== BitTorrent Sync API, notable and quotable ==
These elements of the BitTorrent Sync API are most notable for being applicable to the secure "bulk data transfer technology" possible with mega rotors.
Please consider this entire API to be a prototype for the kind of bulk secure transfer system that is envisioned in this research. It must be noted that the kind of transmission scheme envisioned is strictly point to point, or point to network multipoint. The BitTorrent Sync API uses the JSON interface, but other interfaces like RPC or even variations on the Automatic Identification System (AIS) may be usable.
Get secrets
Generates read-write, read-only and encryption read-only secrets. If secret parameter is specified, will return secrets available for sharing under this secret.
The Encryption Secret is new functionality. This is a secret for a read-only peer with encrypted content (the peer can sync files but cannot see their content).
One example use is if a user wanted to backup files to an untrusted, insecure, or public location. This is set to disabled by default for all users but included in the API.
{
    "read_only": "ECK2S6MDDD7EOKKJZOQNOWDTJBEEUKGME",
    "read_write": "DPFABC4IZX33WBDRXRPPCVYA353WSC3Q6",
    "encryption": "G3PNU7KTYM63VNQZFPP3Q3GAMTPRWDEZ"
}
USE: http://[address]:[port]/api?method=get_secrets[&secret=(secret)&type=encryption]
secret (required) - must specify folder secret
type (optional) - if type=encrypted, generate secret with support of encrypted peer
And most importantly for folder and drive specification...

Get folder preferences
Returns preferences for the specified sync folder.
{
    "search_lan": 1,
    "use_dht": 0,
    "use_hosts": 0,
    "use_relay_server": 1,
    "use_sync_trash": 1,
    "use_tracker": 1
}
USE: http://[address]:[port]/api?method=get_folder_prefs&secret=(secret)
secret (required) - must specify folder secret
Get files
Returns list of files within the specified directory. If a directory is not specified, will return list of files and folders within the root folder. Note that the Selective Sync function is only available in the API at this time.
[
    {
        "name": "images",
        "state": "created",
        "type": "folder"
    },
    {
        "have_pieces": 1,
        "name": "index.html",
        "size": 2726,
        "state": "created",
        "total_pieces": 1,
        "type": "file",
        "download": 1 // only for selective sync folders
    }
]
USE: http://[address]:[port]/api?method=get_files&secret=(secret)[&path=(path)]
secret (required) - must specify folder secret
path (optional) - specify path to a subfolder of the sync folder.
References
Rotor Machines
Lorenz cipher (notable for its binary complication)
Computer Maths (random numbers)
List of random number generators
Random number generation
Pseudorandom number generator
Hardware random number generator
Random number generation systems
Blum Blum Shub
Complementary-multiply-with-carry
Mersenne twister
Multiply-with-carry
Feedback with Carry Shift Registers
Well Equidistributed Long-period Linear
Function Libraries
http://en.wikipedia.org/wiki/Libtorrent
http://www.rasterbar.com/products/libtorrent/
Some applications that use libtorrent:
aDownloader and aDownloader New, Android BitTorrent client
Arctic Torrent, Windows BitTorrent client
BitRocket, Mac OS X BitTorrent client
BitSlug, Mac OS X BitTorrent client
BTG, Linux BitTorrent client
Rutracker Downloader, Android BitTorrent client
Deluge, cross-platform BitTorrent client
Electric Sheep screensaver, BitTorrent client for screensaver
Free Download Manager, Windows open source download manager
FatRat, Linux Qt4-based download/upload manager
Halite, Windows BitTorrent client
hrktorrent, Linux BitTorrent client
LeechCraft, C++/Qt4 cross-platform multi-protocol performance-concerned client
LimeWire, multi-platform file sharing client
Linkage, Linux BitTorrent client
Miro, a cross-platform Internet television application
MooPolice, Windows BitTorrent client
qBittorrent, C++/Qt4 BitTorrent client
Lince, C++/GTK BitTorrent client
p2ptube, Program to stream movies on the internet
SharkTorrent, Qt4 cross-platform BitTorrent client
tvitty, BitTorrent client plugin for media center
ZipTorrent, Windows BitTorrent client
Other applications that use libtorrent
Runes of Magic, an MMORPG whose FOG downloader uses libtorrent for updating the game client.

Initial idea | Initial Document | Last Revision | Last Change | Version | Revision State
15 June 2013 | 01 October 2013 | 02 December 2015 | This table, doc spelling | v0.16 | Revisable, Stateful Debug
