From: meyer <wixer!wixer.bga.com!meyer@cactus.org>
Date: Fri, 28 May 93 21:32:21 PDT
To: cypherpunks@toad.com
Subject: Trust, Amateur/Professional, use of PRNGs
Message-ID: <9305280750.AA07434@wixer>
MIME-Version: 1.0
Content-Type: text/plain


>Date: Thu, 27 May 1993 11:33:06 -0400
>From: "Perry E. Metzger" <lehman.com!pmetzger@cactus.org>
>
>meyer says:
>>
>> Perry Metzger writes:
>>
>> >Correct me if I'm wrong, but from what I understand, "Dolphin Encrypt"
>> >does not use any well examined crypto system -- its something that you
>> >guys, without any cryptography credentials, cooked up. On that basis,
>> >why should we care about it? Most crypto systems that amateurs come up
>> >with are pathetic to say the least, and strong systems, like
>> >triple-DES and IDEA, are widely available.
>>
>> So far the DE method has not been well-examined, except by its
>> developers (who have spent years on this).
>
>In that case, I do not think it is worthy of trust. (See "The
>Codebreakers" by David Kahn for dozens upon dozens of stories of
>amateurs who spent long times producing cryptosystems that were
>essentially junk.)

I am not asking that you take it on trust.  If I were I wouldn't
be revealing the details of the encryption method and I wouldn't
be subjecting the software to critical examination.

You omit to point out that Kahn also discusses the cryptosystem
invented in the late 18th Century by Thomas Jefferson.  I'm not
aware that Jefferson was a "professional" cryptologist or that he
was "credentialed" in this field.  Yet his cryptosystem was
sufficiently strong that even after 1922 "other branches of the
American government used the Jefferson system, generally slightly
modified, and it often defeated the best efforts of the 20th-century
cryptanalysts who tried to break it down!  To this day the Navy
uses it."  (Kahn, p.195 of the hardbound edition.)

This shows that your distinction between "professionals" (by
implication, the experts) and "amateurs" (by implication, the
self-deluding fools) is false.  There is no such clear-cut
distinction.  Whether a cryptosystem is strong or not has to be
decided by an examination of the system itself, not on the basis of
whether its author has attended cryptology classes at M.I.T.

>> Statistical tests have not revealed any patterns in DE-encrypted
>> ciphertext so far.
>
>Or in 99% of other crypto systems. I can construct completely trivial
>and easily broken crypto systems that don't reveal any patterns
>without careful analysis. As an example, it takes mere minutes to
>break a cryptosystem constructed by XORing the plaintext stream with
>the output of a linear congruential pseudorandom number generator --
>but the output will indeed look random to ordinary statistical tests.

XORing the plaintext with the outcome of a linear congruential PRNG
is a very simple-minded way to use a PRNG.  Such operations are
certainly amenable to mathematical analysis.  No doubt you've read
your Abraham Sinkov on "Mathematical Cryptanalysis" and other such
works, where the solving of simultaneous equations in several
(perhaps many) unknowns may yield a solution in some cases.  Yet I
fail to understand why you assume that someone (even someone
"uncredentialed") who uses PRNGs in a cryptosystem will necessarily
do so in a simple-minded way.  I can't imagine why any intelligent
designer of a cryptosystem would commit that error.