Cipher Phrasing

Cipher Phrasing: My New Technique Novel Amplification of Encryption

© 2026 Ashtar Ventura A.K.A. そにいたん A.K.A. admin@笑.wtf

ALL RIGHTS RESERVED

Cipher phrasing is a technique I thought of for multi-layer full-disk encryption in which the cryptographic algorithm used at each layer is not fixed, not stored, and not recoverable from the encrypted device. Instead, it is derived at mount-time from a secret passphrase — the cipher phrase — that exists only in the user’s memory.

The user defines a pool of candidate ciphers and a pool of candidate hash functions. At every mount, the cipher phrase is fed into a SHA-256 derivation function that deterministically assigns one cipher and one hash to each layer. Change a single character of the phrase, and the entire layout changes — every layer gets a different algorithm, a different hash, a different structure.

Nothing about this layout is written anywhere. Not to the encrypted device. Not to a config file. Not to a log. Not to the kernel. It exists for the duration of the mount operation, in locked memory, and is wiped the moment it is no longer needed.

The derivation is simple and auditable:

The "C" and "H" domain separators ensure that even if a single phrase is used for both, the cipher selection and hash selection are entirely independent rotations.


The Problem It Solves

Every existing approach to full-disk encryption has a configuration problem.

LUKS (the dominant Linux standard) stores an on-disk header containing the cipher name, key size, hash algorithm, and magic bytes. Anyone with physical access to the drive immediately knows the complete configuration — and, crucially, immediately knows that the drive is encrypted and what it is encrypted with. The header is intentionally identifiable by design.

Plain dm-crypt (headerless mode) solves the header problem. There are no magic bytes, no metadata, no signature. The entire device surface is ciphertext indistinguishable from random noise. But the parameters — cipher, key size, hash — must still be supplied at mount time, and in any practical system they come from somewhere: a script, a config file, shell history, a sudoers entry, a person’s notes. That somewhere is an attack target.

Multi-layer encryption stacks multiple plain dm-crypt passes. Each layer has its own passphrase, its own cipher, its own hash. The key math works out beautifully — multiple independent secrets multiply the attacker’s workload — but the algorithm assignment at each layer is still a piece of configuration that lives somewhere. An adversary who recovers that configuration, even without a single passphrase, now knows the complete structure of your defences.

Cipher phrasing eliminates this entirely. There is no configuration to recover. The structure of the encryption exists only in the user’s memory. An adversary can gain possession of the device, image it, study it for years, know exactly which tool was used, know the full set of candidate algorithms — and still not know which algorithm is at which layer, because that information does not exist anywhere outside the user’s head.


How Hard Is It to Break?

Let’s be concrete. Consider a modest configuration:

  • 10 encryption layers
  • 3 candidate ciphers (AES, Serpent, Twofish — all in the default pool)
  • 4 candidate hash functions (SHA-256, SHA-512, Whirlpool, RIPEMD-160)
  • 4 independent passphrase groups via multipass (different passphrase for different layer ranges)
  • Each passphrase is a strong diceware phrase — approximately 100 bits of entropy

The layout space alone

With 3 ciphers and 4 hashes, there are 12 possible (cipher, hash) combinations per layer. Over 10 layers: 12¹⁰ ≈ 61 billion possible layouts. No property of the ciphertext distinguishes the correct layout from any other — every wrong guess produces output that looks exactly like every other wrong guess: noise.

The passphrase space

Four independent passphrase groups of ~100 bits each. “Independent” is the key word: the attacker cannot find group 1 and use that to narrow the search for group 2. The search spaces multiply:

Four groups, four separate exhaustive searches, no shortcut between them.

Combined

The total search space is the product of the layout space and all passphrase group spaces:

What about quantum computers?

Grover’s algorithm is the main quantum threat to symmetric encryption. It provides a quadratic speedup — halving the effective bit-strength of a key. So a 100-bit passphrase becomes effectively 50-bit against a quantum attacker. But:

  • Grover does not parallelise across independent keys. Each passphrase group must be broken separately. The quadratic speedup applies individually to each one, but the groups still multiply.
  • Grover has no special advantage against the layout space. Testing a layout candidate requires decrypting all 10 layers and checking for a valid filesystem — there is no fast distinguisher, no oracle, no shortcut. Each wrong layout looks identical to every other wrong layout.
  • Grover’s speedup against the layout reduces 2^37 to 2^18.5 — a factor of roughly 400,000 — which barely registers against the passphrase costs.

Post-quantum total search cost:

| Component | Cost |
|---|---|
| Passphrase group 1 (Grover) | 2^50 |
| Passphrase group 2 (Grover) | 2^50 |
| Passphrase group 3 (Grover) | 2^50 |
| Passphrase group 4 (Grover) | 2^50 |
| Groups are independent — multiply | 2^200 |
| Layout space (Grover) | ×2^18 |
| Per-iteration cost (10 layer decryptions) | ×10 |
| Total post-quantum lower bound | >2^218 |

What does 2^218 actually mean?

A computer the mass of the observable universe, running at one operation per Planck time (the shortest physically meaningful unit of time, approximately 5.4 × 10⁻⁴⁴ seconds), running continuously for the entire current age of the universe, would complete approximately 2^234 operations.

That is less than a fraction of what it would take to break this configuration.

Not “less if you’re lucky.” Not “less on average.” Less. Guaranteed. By over 16 orders of magnitude in favour of the defender.

And this is the quantum scenario — against a hypothetical fault-tolerant quantum computer with millions of logical qubits that does not currently exist and may never exist. Against classical hardware the margin is larger by another 100+ bits.

One important caveat: none of this protects a weak passphrase. A passphrase with 30 bits of entropy becomes 15 bits under Grover — breakable in minutes. The security of the system is bounded by its weakest passphrase group. Cipher phrasing and multiple layers multiply the strength of strong passphrases; they do not compensate for weak ones.



Invention Specification: Cipher Phrasing

Inventor: Ashtar Ventura A.K.A. そにいたん A.K.A. admin@笑.wtf
Date of first conception: 2026
Date of first public implementation: 2026
Reference implementation: abysscrypt
Document type: Technical Invention Disclosure / Prior Art Establishment


Abstract

This document describes cipher phrasing, a novel technique for multi-layer full-disk encryption in which the per-layer cryptographic algorithm assignment is itself a secret, derived at runtime from a user-held passphrase and never stored on disk, in any configuration file, or in any on-device structure. Combined with headerless plain dm-crypt, a device protected with cipher phrasing is entirely indistinguishable from random noise to any observer who does not hold all secrets — including an adversary who knows which tool was used, knows the full set of candidate algorithms, and has unlimited time to examine the ciphertext. The technique introduces a second independent category of secret alongside traditional key material, multiplying the attacker’s required search space rather than extending it.


1. Field of Invention

Cipher phrasing applies to the field of full-disk encryption, specifically to multi-layer plain-mode symmetric block cipher encryption using the Linux device-mapper (dm-crypt) subsystem or equivalent. It is applicable to any system in which multiple encryption passes are applied sequentially to a block device or container file, and in which the selection of cryptographic algorithm at each layer has traditionally been fixed, configured, or stored.


2. Background and Prior Art

2.1 LUKS (Linux Unified Key Setup)

LUKS is the dominant full-disk encryption standard on Linux. It stores an on-disk header containing the cipher name, key size, hash algorithm, UUID, and key slots. This header is readable without any passphrase. An adversary with physical access immediately learns:

  • Which cipher is in use
  • The key size and hash algorithm
  • That the volume is LUKS-encrypted (the magic bytes LUKS\xba\xbe are in the header)
  • The number of active key slots

LUKS volumes have identifiable header metadata by design. There is no plausible deniability about the existence or nature of the encryption.
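
To make the contrast concrete, the following added example (not part of the original disclosure and not abysscrypt code) parses the publicly documented LUKS1 header layout and reports what the first 592 bytes of a volume disclose with no passphrase. Both sample inputs are constructed inline; the function names are this example's own.

```python
import hashlib
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 header fields, big-endian: magic, version, cipher name, cipher mode,
# hash spec, payload offset, key bytes, MK digest, MK salt, MK iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")   # 208 bytes
SLOT = struct.Struct(">II32sII")                    # 48 bytes, 8 slots follow
SLOT_ENABLED, SLOT_DISABLED, NUM_SLOTS = 0x00AC71F3, 0x0000DEAD, 8


def field_text(raw: bytes) -> str:
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def inspect_volume_start(data: bytes):
    """Report what the start of a volume discloses with no passphrase.

    Returns None when no LUKS magic is present, which is the only answer a
    plain dm-crypt volume can give: it has no fields to parse.
    """
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", data, 6)[0]
    info = {"format": "LUKS", "version": version}
    if version != 1 or len(data) < PHDR.size + NUM_SLOTS * SLOT.size:
        return info  # LUKS2 or truncated LUKS1: only magic and version read here
    _, _, cipher, mode, hash_spec, payload, key_bytes, _, _, _, uuid = PHDR.unpack_from(data)
    states = [SLOT.unpack_from(data, PHDR.size + i * SLOT.size)[0]
              for i in range(NUM_SLOTS)]
    info.update(
        cipher=field_text(cipher), mode=field_text(mode), hash=field_text(hash_spec),
        key_bits=key_bytes * 8, payload_offset_sectors=payload,
        uuid=field_text(uuid),
        active_key_slots=sum(1 for s in states if s == SLOT_ENABLED),
    )
    return info


def sample_luks1_header(active_slots: int = 2) -> bytes:
    """Constructed LUKS1 header for the demo (digest and salts are zero bytes)."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    bytes(20), bytes(32), 100000,
                    b"00000000-0000-0000-0000-000000000000")
    for i in range(NUM_SLOTS):
        state = SLOT_ENABLED if i < active_slots else SLOT_DISABLED
        hdr += SLOT.pack(state, 100000, bytes(32), 8 + i * 504, 4000)
    return hdr


def sample_plain_volume(size: int = 592) -> bytes:
    """Constructed stand-in for plain dm-crypt ciphertext: hash-generated bytes."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


if __name__ == "__main__":
    print(inspect_volume_start(sample_luks1_header()))   # cipher, hash, slots...
    print(inspect_volume_start(sample_plain_volume()))   # None: nothing to read
```
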

2.2 Plain dm-crypt (headerless mode)

Plain dm-crypt applies block-level encryption with no on-disk header. The entire device surface is ciphertext; there is no magic number, no metadata, no key slot, no signature of any kind. All parameters — cipher, key size, hash, sector offset — are supplied at mount time and never persisted. A plain dm-crypt volume is computationally indistinguishable from a device filled with random data by any test that does not involve decryption with the correct key.

Plain dm-crypt eliminates header leakage but creates a new problem: the user must remember every parameter exactly, or store them somewhere outside the device. In common usage, the cipher is fixed, the key size is fixed, the hash is fixed — these become known quantities that represent a static, predictable configuration.

2.3 Multi-layer encryption

Multi-layer encryption applies multiple independent dm-crypt passes sequentially, each with its own passphrase, cipher, and key derivation. Each layer’s key must be independently recovered; the work factors multiply rather than add. This is a significant security improvement over single-layer encryption.

In all known prior multi-layer implementations, the cipher and hash at each layer are either:

  • Fixed and identical across all layers — predictable
  • Specified per-layer on the command line — visible in shell history, process listings, and system logs
  • Stored in a configuration file — an additional attack target

In every case, the per-layer algorithm assignment is configuration data that lives somewhere recoverable. An adversary who obtains that configuration — without a single passphrase — knows the complete structure of the encryption.

No prior art is known to the inventor in which the per-layer algorithm assignment in a multi-layer plain dm-crypt stack is treated as an independently derived secret.


3. Problem Statement

Given a multi-layer headerless encrypted volume, the following information leakage problems exist in all prior approaches:

1. Configuration disclosure. If an adversary recovers the command line, a config file, a wrapper script, or shell history, they learn the complete per-layer cipher and hash assignment. The brute-force problem reduces to a pure key-material search with a fully known structure.

2. Tool-disclosure amplification. If the adversary identifies which tool was used — from binary artifacts, logs, or the user’s own testimony — and the tool uses fixed or documented defaults, the configuration may be entirely inferred without any additional recovered material.

3. No layout uncertainty for the attacker. Even without the passphrase, knowing the algorithm at each layer allows the adversary to structure their attack optimally — targeting the weakest layer, applying algorithm-specific cryptanalytic techniques, or partitioning the search space by layer.

4. Configuration artifacts outlive the device. Shell history, sudoers entries, scripts, and config files survive wiping of the encrypted volume. A capable adversary may reconstruct the layout from artifacts with no connection to the device itself.

The unsolved problem: how can the per-layer algorithm assignment be kept secret without storing it anywhere, while remaining reliably reproducible by the legitimate user?


4. The Invention

4.1 Core concept

Cipher phrasing treats the per-layer cipher and hash assignment as a secret computed in memory at mount time from a user-supplied passphrase — the cipher phrase — using a deterministic derivation function. The mapping is:

  • Never written to disk
  • Never stored in any configuration file
  • Never passed in process arguments
  • Never persisted in any form outside the duration of the mount operation
  • Computed only at mount time, held in locked memory, wiped immediately after use

The cipher phrase is a second independent secret, entirely separate from the encryption passphrase(s). Losing the cipher phrase makes the volume unrecoverable. Knowing the cipher phrase without the passphrase(s) does not unlock the volume.

4.2 The algorithm pool

The user specifies a pool of candidate ciphers and a pool of candidate hash functions. The reference implementation ships with the following defaults:

The pools may be modified by the user. Neither the pools nor their sizes need to be secret (though they may be). What is secret is which member of each pool is assigned to each layer.

4.3 The derivation function

For each layer N (1-indexed), the cipher and hash indices are derived as:

Where denotes concatenation and "C" / "H" are single-byte domain separators. The separators ensure that cipher and hash rotation are independent even when a single phrase is reused for both. N is the layer number, encoded as a single byte (extended for large layer counts). The derivation is stateless: each layer’s assignment depends only on the phrase and the layer index, not on any prior layer’s result.

4.4 Two independent phrases

The user may supply:

  • A cipher phrase — determines which cipher is used at each layer
  • A hash phrase — determines which hash function is used at each layer

If only one phrase is supplied, it is reused for hash derivation with the "H" domain separator providing independence. Supplying separate phrases makes the two layout dimensions independently secret.

4.5 Reproducibility without storage

The derivation is deterministic. The same cipher phrase, the same pool, and the same number of layers always produce the same layout. The user needs only to remember (or securely hold) the cipher phrase. No stored configuration, no lookup table, no on-disk or off-device record of any kind is required for correct reproduction.
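
The derivation described in 4.3 to 4.5, as an added Python sketch that is not abysscrypt's code. The byte order of the SHA-256 input, the reduction of the digest to an index (big-endian integer modulo pool size), the pool ordering and all function names are assumptions of this example, so its output will not necessarily match the reference implementation.

```python
import hashlib
import math

# Assumed pools: the ciphers and hashes named in the worked configuration
# earlier in this document, in an arbitrary order chosen for this example.
CIPHER_POOL = ["aes", "serpent", "twofish"]
HASH_POOL = ["sha256", "sha512", "whirlpool", "ripemd160"]


def pool_index(separator: bytes, phrase: str, layer: int, pool_size: int) -> int:
    """Map (separator, phrase, layer) to an index into a pool.

    Assumed construction: SHA-256(separator || phrase || layer_byte), digest
    read as a big-endian integer and reduced modulo the pool size.
    """
    if not 1 <= layer <= 255:
        raise ValueError("this sketch encodes the layer number as one byte")
    if pool_size < 1:
        raise ValueError("pool must not be empty")
    data = separator + phrase.encode("utf-8") + bytes([layer])
    digest = hashlib.sha256(data).digest()
    # Reducing all 256 bits keeps modulo bias negligible for small pools.
    return int.from_bytes(digest, "big") % pool_size


def derive_layout(cipher_phrase, layers, hash_phrase=None,
                  ciphers=CIPHER_POOL, hashes=HASH_POOL):
    """Return [(cipher, hash), ...] for layers 1..layers. Stateless per layer."""
    if hash_phrase is None:
        hash_phrase = cipher_phrase  # one phrase reused; "H" keeps it independent
    return [
        (ciphers[pool_index(b"C", cipher_phrase, n, len(ciphers))],
         hashes[pool_index(b"H", hash_phrase, n, len(hashes))])
        for n in range(1, layers + 1)
    ]


def layout_space_bits(layers: int, n_ciphers: int, n_hashes: int) -> float:
    """log2 of the number of possible layouts, (C x H)^L."""
    return layers * math.log2(n_ciphers * n_hashes)


def changed_layers(layout_a, layout_b) -> int:
    """Count layers whose (cipher, hash) pair differs between two layouts."""
    if len(layout_a) != len(layout_b):
        raise ValueError("layouts must have the same number of layers")
    return sum(1 for a, b in zip(layout_a, layout_b) if a != b)


if __name__ == "__main__":
    # Constructed phrases, for demonstration only.
    base = derive_layout("correct horse battery staple", 10)
    edit = derive_layout("correct horse battery stapla", 10)
    for n, (cipher, digest) in enumerate(base, start=1):
        print(f"layer {n:2d}: {cipher:8s} {digest}")
    # Each layer is re-drawn independently, so a layer can land on the same
    # pair by chance (1 in 12 with these pools).
    print("layers changed by a one-character edit:", changed_layers(base, edit))
    print("layout space: %.2f bits" % layout_space_bits(10, 3, 4))
```
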


5. What an Adversary Cannot Determine

An adversary who possesses all of the following:

  • Physical possession of the encrypted device
  • Complete knowledge of which tool was used
  • Complete knowledge of all candidate cipher and hash pools
  • The exact number of encryption layers
  • The sector offset
  • All passphrase groups (in the strongest possible attack model)

…still cannot determine, without the cipher phrase:

  • Which cipher is used at any specific layer
  • Which hash is used at any specific layer
  • The relationship between cipher and hash at any layer
  • Whether the pools are in their default or modified state
  • Any structural property that distinguishes one layout candidate from another

Without the cipher phrase, the correct layout is one of (len(cipher_pool) × len(hash_pool))^N equally plausible assignments. For a default pool over 10 layers this is approximately 61 billion candidates. No quantum algorithm provides a useful speedup because there is no efficient oracle — testing a layout candidate requires full decryption of all N layers against a known-valid output, and every wrong candidate produces output that is computationally indistinguishable from every other wrong candidate.


6. Security Properties

6.1 Three independent secret categories

| Category | Secret | What is protected |
|---|---|---|
| Layout secret | Cipher phrase | Which cipher is at which layer |
| Layout secret | Hash phrase (optional) | Which KDF hash is at which layer |
| Key material | Passphrase(s) | The encryption key at each layer |

These categories are orthogonal. Recovering any strict subset provides no advantage in recovering the remainder. An adversary who obtains all passphrases but not the cipher phrase knows none of the layer structure and cannot begin decryption. An adversary who obtains the cipher phrase but no passphrases knows the structure but has no key material.

6.2 Absence of a layout oracle

An oracle is a function that returns a true/false signal for “is this guess correct?” Efficient brute-force attacks are only possible when an oracle exists.

In LUKS: the oracle is “does the header decrypt to a valid LUKS structure?” — one hash comparison, cheap and unambiguous.

In plain dm-crypt with a known layout: the oracle is “does decryption with the known cipher and hash produce a valid filesystem?” — still one hash comparison per passphrase candidate.

In plain dm-crypt with cipher phrasing: the oracle is “does this candidate cipher phrase, applied to produce this layout, combined with this candidate for every passphrase group, decrypt all N layers in the correct order, and produce a valid filesystem at the deepest level?” Every oracle query costs N full-sector block-cipher decryptions in sequence, and the layout dimension must be correct before the passphrase dimension can be evaluated at all. There is no decomposition of this test into independent subtests.

6.3 Total indistinguishability from random noise

A device protected with cipher phrasing and plain dm-crypt presents no information to an observer without the secrets:

  • No headers. No magic bytes, no metadata, no key slots, no version markers.
  • No configuration. Cipher phrasing stores nothing on disk or in any file.
  • Ciphertext indistinguishability. AES-XTS, Serpent-XTS, and Twofish-XTS in plain mode are computationally indistinguishable from a pseudorandom permutation under all known attacks when the key is unknown.
  • No wrong-key signal. An incorrect passphrase or incorrect cipher phrase produces a different block device — not an error. There is no checksum, no integrity tag, no decryption-failure signal of any kind.

The device is practically identical to a device filled with random bytes.

6.4 Multiplicative rather than additive security

In conventional multi-layer encryption with a single passphrase, the brute-force cost scales roughly as 2^k — the passphrase entropy — with a small constant multiplier per additional layer. Adding layers under one passphrase is marginally useful at best.

Cipher phrasing, combined with multiple independent passphrase groups, changes the cost structure:

All factors are independent and multiply. There is no shortcut: a correct passphrase guess applied to the wrong layout produces noise indistinguishable from every other wrong guess. The attacker cannot find the layout first and then search passphrases, nor find one passphrase group and use it to narrow the search for another. Every dimension of the search must be completed simultaneously.


7. Quantum Resistance Analysis

7.1 Applicable quantum algorithms

Shor’s algorithm breaks integer factorisation and discrete logarithm problems. It does not apply to symmetric ciphers or hash functions. Cipher phrasing uses no asymmetric primitives. Shor’s algorithm is irrelevant.

Grover’s algorithm provides a quadratic speedup for unstructured brute-force search, reducing an N-bit key search from 2^N to 2^(N/2) quantum operations. NIST has certified AES-256 as post-quantum secure on this basis: 2^128 quantum operations remain infeasible by all credible estimates.

7.2 Effect of Grover on cipher phrasing

Passphrase groups: Grover reduces each group’s effective bit-strength by half. However, Grover does not parallelise across independent keys — each group must be broken in a separate Grover search. The groups continue to multiply:

Four groups of 100-bit entropy passphrases: 2^(100/2 × 4) = 2^200.

Layout space: Grover reduces (C×H)^L to (C×H)^(L/2). For default pools over 10 layers this is approximately 2^18 — a reduction from ~61 billion to ~350,000 candidates. This is trivially searchable. However, each candidate requires N full block-cipher decryptions with no fast distinguisher, and this dimension cannot be separated from the passphrase search — they must be correct simultaneously.

Combined post-quantum lower bound:

For 10 layers, default pools, 4 passphrase groups of 100-bit entropy:

7.3 Physical interpretation

2^218 quantum operations.

A computer with the mass of the entire observable universe, executing one operation per Planck time — the smallest physically meaningful time interval, approximately 5.4 × 10⁻⁴⁴ seconds — running continuously for the entire current age of the universe, would complete approximately 2^234 operations.

That is less than 2^218 by a factor of roughly 2^16 — 65,536 times less. Against this configuration, even a universe-scale quantum computer running since the Big Bang would not have finished.

This analysis holds against the quadratic quantum speedup. Against classical hardware the margin is wider by over 100 bits in every dimension.


8. Novel Contributions

The following aspects of cipher phrasing are, to the inventor’s knowledge, without precedent in published prior art as of the date of this disclosure:

1. The treatment of the per-layer algorithm assignment in a multi-layer dm-crypt stack as a cryptographic secret derived from a user-held passphrase, rather than as a stored or fixed configuration parameter.

2. The combination of this technique with headerless plain dm-crypt to produce a volume in which nothing on the device surface conveys any information about the cryptographic configuration — not the algorithm, not the key size, not the hash, not the number of layers, not the passphrase structure, not the existence of encryption at all.

3. The SHA-256-based derivation scheme with domain separation ("C" and "H" byte prefixes) enabling independent rotation of cipher and hash assignments from a single shared phrase, with optionally independent phrases for each dimension.

4. The security model in which the layout is an independent secret category alongside passphrase(s), such that recovering any strict subset of secrets provides no advantage in recovering the remainder.

5. The multiplicative interaction between the layout secret space, independent passphrase group spaces, and the absence of any oracle — producing a total attack cost that is the product of all independent search spaces, with no known classical or quantum algorithm capable of decomposing the product efficiently.


9. Reference Implementation

The reference implementation is abysscrypt, an open-source C binary for Linux.

  • abysscrypt
  • License: abysscrypt Source License v1.0 (free for personal/research/educational use; attribution required; commercial and government use requires written permission)
  • Language: C11, single source file, no third-party dependencies
  • Secret handling: cipher phrase held in mlock()'d anonymous memory, wiped via explicit_bzero on all exit paths, never written to disk, never passed in argv

The implementation of abysscrypt with Cipher Phrasing has been publicly available since May 2026 and constitutes prior art establishing the earliest known date of the cipher phrasing technique.


This document is a public technical disclosure establishing the priority date and inventorship of the cipher phrasing technique. It is published to establish prior art and preserve the inventor’s rights. Reproduction is permitted with attribution to hairetikos. Commercial use of the technique described herein requires written permission.