From: IPG Sales <ipgsales@cyberstation.net>
Date: Thu, 21 Mar 1996 05:59:51 +0800
To: Derek Atkins <warlord@MIT.EDU>
Subject: The return of the IPG Unbreakable System (fwd)
Message-ID: <Pine.BSD/.3.91.960319162822.11284G-100000@citrine.cyberstation.net>
MIME-Version: 1.0
Content-Type: text/plain



Derek and others, 

In view of the anonymous remailer's calim to have broken the simple 
system, which as you and others who have had the system for a period
time know, we have had some reservations about. 

The effect on the 5600 bit system, and the 12288 bit system, are unkown 
at this time. Our tests indicate that there is not any effect at all on 
the 12,288 bit system. The 5600 bit system, which is indentical to the 
system described in our release, except that the D values, are used as an 
index to one, or two tables of random characters, 512 characters, or 
2 - 256 characters, may be effected by a known plain text attack, we do 
not think so but we are running a battery of tests. 

The anonymous remailer may be able to confirm or deny that, since that 
person will presumably receive this letter. The addition is trival, that 
is the system is identicalin all respects to that set out, which was 
described accurately by the remailer, except that instead of XORing 
the D value, the D value is used as an index into a table(s) of random 
characters, that is the random seed is 5600 bits instead of 1792. 
That was one reason for providing large random seeds in our release. 
Our analysis as of 3:00pm CST 3-19-96, indicates that the D values are 
not recoverable, but we stand to be proven wrong. This system is only 
fractionally slower, for obvious reasons, than the simple one directly
using the D values directly, described previously. Incidentally, for 
those concerned, it is as you know, the one that the IPG software 
in your possesion uses.

Note: There was one error in the description, that is 13568 ANDed to the 
8 bit random seed to get starting A values, it is not a C word AND but 
the assembly langauge sequnce of moving successive AL values into AX, 
where AH is fixed at 35, thus the effect is the same as an add, 
(or a byte AND of the random charcter to a zero AL) - the result is 
a number in the range of 13,568 to 13,823.

Further, with respect to the simple system described in our release, 
we believe that the trimming procedure, that as some of you know, we used 
for another purpose - to eliminate the perceived problem of more frequent
close pairs, on the average more  0,0's as opposed to 0,255's, defeats the 
plain text attack, though it may require the jump start as we have 
described - running the system through a few iterations before commencing 
the actual encryption. The effect of this, as has been described to some 
of you, is that some of the D's are not used, that portion of each C 
value that is not an even multiple of 256, for example 14009 MOD 256 
is 185. Thus, those values where A[i] > 13824 are not used to XOR against 
the plain text - this is easily done in ASM by simply comparing the high 
order 8 bits, of A[i] with the high order 8 bits of C[i], if they are 
equal, then the XOR does not take place - thus the 64 interval is not 
applicable, it is variable depending upon the randomly selected C values.
Without having the known 64 interval as a constant, I believe that the 
system is still solid. As those of you heretofore privy to that 
information know, that modification to the system system takes about 
10% more time, than the system that was "cracked." Maybe, we need to do 
both this and use the 5600 byte system. We will appreciate any input in 
this regard. 

If we must go to the 12288 byte system, the system will be slower. 
However, as many of you know, it is still extremly fast but not as 
fast as either of the other two versions. With the 12,288 bit system. 
Our tests indicate that nothing but random values, can be obtained by 
either known plain text attack or by pattern recognition methodologies, 
those of which we are aware, on the 12,288 bit system.

Those of you who have had all of the materials will understand the 
foregoing. With the information provided heretofore, you can determine  
the effect on the other two systems. Also, those people will know my 
expressed fear of a premature announcement, such as that which has 
now been made, would have. This was the reason, that I resisted 
so strongly the release of the materials to the C'punks list 
though a few of you recommended that I do so. Perhaps we should have 
released everything? Who knows. However, in any case, that is water
over the dam and IPG must go on from here. It is only another of the many 
mistakes that we will undoubtedly make along the way. 

Having said that though, we must go back to our prior 
evaluation method, a strict confidential mode. However, I believe that we 
have added several very good additional people who can help to analyze 
the system.

In view of the willful violation of our confidential release, without 
knowing everything involved, and putting it out on the Internet, please 
be advised that other than those who have heretofore been evaluating the 
system, we will make no further releases except on a highly 
selective basis. The dozens of you who have requested copies of 
the materials,and have not yet received them, please be patient 
until we can get back on track. On a selected basis, we will provide then 
to you, after discussing it with each of you privately. Obviously, this 
breech occurred from yesterdays posting since no mention was made of the 5600 
bit or 12,288 bit random seed systems. Therefore, we intend to be very 
careful from now on. 

Accordingly, this will be the last letter posted to the entire 
cypherpunks list for the time being. If any reader posts something to the 
entire Cypherpunks list, do not expect any response to from IPG, there 
will be none.

Perhaps a battle has been lost, maybe even probably? But the war is not 
over, not by a long shot - with minor modifications this system is 
absolutely secure as events will prove. However, be assured that we 
will not sell our product to anyone until that can be definitively 
established. We greatly appreciate the contribution of some of those on 
the cypherpunks mailing list, including the anonymous remailer, have 
made. We hope that someway can be found for that person to continue 
to cooperate with us, since we are herein obviously providing 
information that can be evaluated. If that person will communicate with 
us privately, in remailer form, including a PGP public key, we will post
our response to the C'Punks list in encrypted form, or suggest an 
alternate approach.

To many of you, you will be hearing from us tomorrow - to the remaining 
of you, some of whom have objected to our providing you with unsolicited 
information, which we mistakenly thought that you would want, you 
will hear from us soon, depending upon the findings made by your 
C'punk list associates and others.

Thanks kindly,

Ralph