From: Jim Gillogly <jim@acm.org>
Date: Fri, 29 Sep 95 15:26:06 PDT
To: cypherpunks@toad.com
Subject: Re: worldwide announce: New OTP Mail/FTP apps
In-Reply-To: <doug-9508291335.AA00652565@netman.eng.auburn.edu>
Message-ID: <199509292225.PAA25735@mycroft.rand.org>
MIME-Version: 1.0
Content-Type: text/plain



> Doug Hughes <Doug.Hughes@Eng.Auburn.EDU> writes:
> It seems to be a OTP/stream cipher of some kind.. subsequent number depending
> on previous numbers. I don't know if its possible to prove that the sequence
> will never repeat, having not seen the algorithm. But if it did not, it would
> seem to be strong enough. Too many questions, too few answers.

It does seem to be a stream cipher of some kind.  Subsequent numbers
depending on previous numbers means that it's an autokey cipher.  That
most assuredly does <not> make it a one time pad, no matter whether it
ever repeats or not (which it presumably wouldn't).

Here's an easy way to demonstrate that the strength of this system is less
than a one time pad.  Let's give the attacker all the breaks: he knows the
initial secret key, he has watched the key exchange from both sides by
monitoring all keystrokes, and has access to all the keying information
and plaintext and ciphertext that has happened from day 0 until now, day
30, but none of the plaintext or other keying information thereafter.

Case one: the system you're flogging.  He can keep reading the mail.
Case two: a true one time pad.  He immediately loses touch with the system
          as soon as they go to the first unknown byte of the one time
          pad.

I sympathize with their desire to call it a one time pad, since that has
obvious marketing cachet.  But it isn't -- can't they simply say they
think it's a nice strong cipher?

	Jim Gillogly
	Sterday, 8 Winterfilth S.R. 1995, 22:21