From: "Communism is like MS-DOS: It doesn't work, and you wouldn't want to use it even if it did.  21-Apr-1993 1120" <yerazunis@aidev.enet.dec.com>
Date: Wed, 21 Apr 93 08:48:35 PDT
To: cypherpunks@toad.com
Subject: Making Clippers More Secure
Message-ID: <9304211548.AA29737@enet-gw.pa.dec.com>
MIME-Version: 1.0
Content-Type: text/plain


Agreeing with all the previous problems and issues put forth; key-escrow,
secret algorithms that can't be formally tested, etc...

So, let's *assume* that the US Gummint makes all other encryption illegal,
except those that use this chip, and they intend to check all messages
that look encrypted to verify that they have the correct system key:

Well, we can use more than one chip, or use it in ways that were
"unanticipated".

F'rinstance:

Use PGP (or SROT, or some other p.d. crypto package) to encrypt 
once, and then use a Clipper to put a legal-looking wrapper on the
message.  The problem with this is that *if* there is a law making
all other cryptosystems illegal, then you still do time.
                                                        
Then the gummint says "You can use chips, but ONLY chips.  No other
encryptation.".

Well, how 'bout this: Use three chips.  The first two are BOTH fed the message,
and the resulting bitstreams are XORed together and then fed to the third
chip (to provide a legal-looking "wrapper")  The XORing should obscure 
the serial numbers of the first two chips, meaning that the NSA can not
go to a key-escrow authority with a blanket court order and obtain the keys.  
Rather, assuming the "secret algorithm" is good, the worst-case scenario
is either a full search of the keyspace (if the secret algorithm forms a 
mathematical "group", or an exhaustive search of [issued-keyspace]^2.

Yes, the above does not address the issue of decoding (as stated above, 
you can't recover the plaintext.)  But that's soluble, by inserting a known
(but secret) string into the start of the bitstream for both the encoding 
and decoding second chips; the result is that by the time the second decoding 
chip needs to start knowing what was XORed into the incoming stream, the 
first decoding chip has already decoded that part of the message, which can 
be re-encoded using the first encoding chip's keys to provide the continuing 
bitstream needed for the XOR.  

Now, the BIG issue is this: is it possible to obtain the serial numbers of 
a pair of Clipper chips from the XOR of two output streams?  How about three?
How about N, where N is large?

Without knowing the algorithm, this will be difficult to answer...

	-Bill

% ====== Internet headers and postmarks (see DECWRL::GATEWAY.DOC) ======
% Received: by enet-gw.pa.dec.com; id AA02474; Wed, 21 Apr 93 05:13:14 -0700
% Received: from mc by mc.lcs.mit.edu id ak02907; 20 Apr 93 11:15 EDT
% Received: from enet-gw.pa.dec.com by mc.lcs.mit.edu id aa02377; 20 Apr 93 10:20 ED
% Received: by enet-gw.pa.dec.com; id AA27388; Tue, 20 Apr 93 07:19:42 -0700
% Message-Id: <9304201419.AA27388@enet-gw.pa.dec.com>
% Received: from aidev.enet; by decwrl.enet; Tue, 20 Apr 93 07:19:43 PDT
% Date: Tue, 20 Apr 93 07:19:43 PDT
% From: "Dulce et decorum est pro patria mori. 20-Apr-1993 0950" <aidev::yerazunis>
% To: elbows@mc.lcs.mit.edu
% Cc: aidev::yerazunis
% Apparently-To: elbows@mc.lcs.mit.edu
% Subject: Clipper Chip