4. Attacking the SAS-ROS Cipher

by: saaiqSAS
Last Updated: 27/2/2025

1. Frequency Analysis

The pure ROS Cipher uses a single substitution table across the input data, which makes it vulnerable to frequency analysis.

To overcome this vulnerability, the SAS-RCS/RBS Encryption utilizes multiple substitution tables by pairing a single Dynamic Key with multiple Static Keys. This ensures that unique substitution tables are used for each encryption step. Further details on this process can be found in Section 10 - SAS-ROS Cipher in SAS-RCS/RBS.

2. Brute Forcing

Brute forcing the ROS Cipher can be attempted by iterating through the Sub-Space. This involves testing all Static Keys in S-Space with a single Dynamic Key. However, attempting to reverse the process is ineffective due to ROS-Law-6. While brute forcing may be feasible for very short key lengths, it becomes increasingly difficult for larger key lengths because the keyspace (L!) is extremely large. By default, the SAS-RCS/RBS Encryption supports a maximum key length of 1,050,000 units.

3. Chosen Plaintext Attack (CPA)

The pure ROS Cipher is vulnerable to a Chosen Plaintext Attack (CPA). In this attack, part of the substitution table used by the chosen plaintext can easily be reproduced once its corresponding ciphertext is obtained. If the plaintext passed to the encryption oracle contains objects not included in the Dynamic Key, those objects will not be processed, which may cause an error within the oracle. If the oracle successfully returns a ciphertext, all objects within the returned ciphertext belong to the Dynamic Key.

Example 4.1: CPA Attack on ROS Cipher

Plaintext : hello ( Sent to encryption oracle )
Ciphertext: fbiip ( Returned from the encryption oracle )

Part of the sub-table produced:
h → f
e → b
l → i
o → p

4. Chosen Ciphertext Attack (CCA)

Similar to CPA, the pure ROS Cipher is also vulnerable to a Chosen Ciphertext Attack (CCA). In this attack, part of the substitution table used by the chosen ciphertext can easily be reproduced once its corresponding plaintext is obtained. If the ciphertext passed to the decryption oracle is generated from the inverse encryption oracle, then all objects within the chosen ciphertext are part of the Dynamic Key. If not, the ciphertext may not be processed correctly, potentially causing an error within the oracle. If the decryption oracle successfully returns a plaintext, then all objects within the returned plaintext are part of the Dynamic Key.

However, it is important to note that this may not be the case for the SAS-RCS/RBS Encryption.

Example 4.2: CCA Attack on ROS Cipher

Ciphertext: fbiip ( Sent to decryption oracle )
Plaintext : hello ( Returned from the decryption oracle )

Part of the sub-table produced:
h ← f
e ← b
l ← i
o ← p
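
Examples 4.1 and 4.2 can be reproduced with the following added sketch, which is not part of the SAS-ROS project. `ToyOracle`, `recover_table`, `apply_partial` and the 26-letter table are hypothetical stand-ins for a pure single-table substitution, constructed so that `hello` maps to `fbiip`; the consistency flag shows how an evaluator can tell whether oracle output still fits one table.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # assumed Dynamic Key (constructed)
TABLE = "aecdbhgfljkimnpoqrstuvwxyz"     # constructed: h->f, e->b, l->i, o->p


class ToyOracle:
    """Stand-in for a pure single-table substitution; not the SAS-ROS code."""

    def __init__(self, dynamic_key=ALPHABET, table=TABLE):
        self._enc = dict(zip(dynamic_key, table))
        self._dec = {c: p for p, c in self._enc.items()}

    def _apply(self, mapping, data):
        unknown = sorted(set(data) - set(mapping))
        if unknown:  # objects outside the Dynamic Key are not processed
            raise ValueError(f"objects not in Dynamic Key: {unknown}")
        return "".join(mapping[obj] for obj in data)

    def encrypt(self, plaintext):
        return self._apply(self._enc, plaintext)

    def decrypt(self, ciphertext):
        return self._apply(self._dec, ciphertext)


def recover_table(pairs):
    """Merge (input, output) oracle pairs into a partial sub-table.

    Returns (table, consistent). consistent is False when one input object
    maps to two outputs, or two inputs share an output, meaning the pairs
    cannot have come from a single substitution table.
    """
    table = {}
    for src, dst in pairs:
        if len(src) != len(dst):
            raise ValueError("input and output lengths differ")
        for s, d in zip(src, dst):
            if table.setdefault(s, d) != d:
                return table, False
    return table, len(set(table.values())) == len(table)


def apply_partial(table, data, unknown="?"):
    """Translate data with a partial table, marking unrecovered objects."""
    return "".join(table.get(obj, unknown) for obj in data)


oracle = ToyOracle()
# Example 4.1 (CPA): plaintext -> ciphertext direction of the sub-table.
cpa_table, cpa_ok = recover_table([("hello", oracle.encrypt("hello"))])
# Example 4.2 (CCA): ciphertext -> plaintext direction of the sub-table.
cca_table, cca_ok = recover_table([("fbiip", oracle.decrypt("fbiip"))])
```

A single five-letter query is enough to read other ciphertexts built from the same four objects, while a pair that breaks the one-table assumption is reported as inconsistent.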