Date: Sat, 16 Apr 94 21:26:24 -0700
From: hughes@ah.com (Eric Hughes)
Message-Id: <9404170426.AA28904@ah.com>
To: cypherpunks@toad.com
In-Reply-To: Anonymous's message of Fri, 15 Apr 1994 12:53:16 -0400 <Added.shfgNum00UdZ0OvU4M@andrew.cmu.edu>
Subject: Dolphin Encryption Tutorial
Precedence: bulk
Status: R

Eric Hughes quotes "Anonymous":
Are you somehow implying the Dolphin Encrypt withstands critical examination? Be real.
Real? "Anonymous" here reveals that he has not been keeping up with the literature. DE was examined critically by Prof. Cipher Deavours in the October 1993 issue of Cryptologia, who (after studying the C source code for the encryption algorithm) wrote: "The diffusion process employed in the ciphering of data is fairly complex for an inexpensive system such as this one."
Eric then allows as how:
Last time Dolphin Encrypt reared its insecure head in this forum, these same issues came up. The cipher that DE uses is not public and was not designed by a person of known cryptographic competence. It should therefore be considered extremely weak.
However, in Peter Meyer's article we read:
The encryption algorithm used in Dolphin Encrypt is defined by the C source code for the encryption and decryption functions, and this source code is part of a publicly available C function library (the Dolphin Encryption Library). The method is not secret and its full details are available for examination to anyone who purchases the library.
Perhaps the DE cipher is not "public" in the sense that it is widely available on unix sites, but it is "publicly available". Perhaps the source code is not posted on sites such as soda because the publisher does not wish to expose himself to the charge of making a strong crypto system available for export.
Eric again quotes "Anonymous":
The comparison, fairly useless as it is, is even more useless without this further information.
Agreed.
For all we know Eric himself posted that "anonymous" message, so he could quote him out of context. As I recall, Anonymous seemed to have (deliberately?) misunderstood the part about the statistical test (and Eric agrees with him).
I repeat my recommendation of before: Do not use Dolphin Encrypt if you want secrecy. If you want something on the scale of a secret decoder ring, fine.
Eric
By his own admission Eric is ignorant of the DE cipher and is ignorant of the cryptographic competence of the author (or authors) of DE. Yet, rather than withholding judgment until more information is available, he makes a strong negative recommendation (and adds an insult). I would imagine that, in the opinion of most people, recommendations based upon ignorance such as this are worthless. Eric seems to have a burr up his ass regarding either DE or its author(s). His misrepresentation (e.g. that the DE cipher is not public) and lack of logic (e.g. we don't know that X is true therefore X is false) suggest that there is an emotional basis to his "recommendation". Apparently as regards DE Eric is not capable of anything except smear tactics. The astute readers of this list are not likely to be fooled by this.