Date: Thu, 27 May 1993 11:33:06 -0400 From: "Perry E. Metzger" <lehman.com!pmetzger@cactus.org>
meyer says:
Perry Metzger writes:
Correct me if I'm wrong, but from what I understand, "Dolphin Encrypt" does not use any well examined crypto system -- its something that you guys, without any cryptography credentials, cooked up. On that basis, why should we care about it? Most crypto systems that amateurs come up with are pathetic to say the least, and strong systems, like triple-DES and IDEA, are widely available.
So far the DE method has not been well-examined, except by its developers (who have spent years on this).
In that case, I do not think it is worthy of trust. (See "The Codebreakers" by David Kahn for dozens upon dozens of stories of amateurs who spent long times producing cryptosystems that were essentially junk.)
I am not asking that you take it on trust. If I were I wouldn't be revealing the details of the encryption method and I wouldn't be subjecting the software to critical examination. You omit to point out that Kahn also discusses the cryptosystem invented in the late 18th Century by Thomas Jefferson. I'm not aware that Jefferson was a "professional" cryptologist or that he was "credentialed" in this field. Yet his cryptosystem was sufficiently strong that even after 1922 "other branches of the American government used the Jefferson system, generally slightly modified, and it often defeated the best efforts of the 20th-century cryptanalysts who tried to break it down! To this day the Navy uses it." (Kahn, p.195 of the hardbound edition.) This shows that your distinction between "professionals" (by implication, the experts) and "amateurs" (by implication, the self-deluding fools) is false. There is no such clear-cut distinction. Whether a cryptosystem is strong or not has to be decided by an examination of the system itself, not on the basis of whether its author has attended cryptology classes at M.I.T.
Statistical tests have not revealed any patterns in DE-encrypted ciphertext so far.
Or in 99% of other crypto systems. I can construct completely trivial and easily broken crypto systems that don't reveal any patterns without careful analysis. As an example, it takes mere minutes to break a cryptosystem constructed by XORing the plaintext stream with the output of a linear congruential pseudorandom number generator -- but the output will indeed look random to ordinary statistical tests.
XORing the plaintext with the outcome of a linear congruential PRNG is a very simple-minded way to use a PRNG. Such operations are certainly amenable to mathematical analysis. No doubt you've read your Abraham Sinkov on "Mathematical Cryptanalysis" and other such works, where the solving of simultaneous equations in several (perhaps many) unknowns may yield a solution in some cases. Yet I fail to understand why you assume that someone (even someone "uncredentialed") who uses PRNGs in a cryptosystem will necessarily do so in a simple-minded way. I can't imagine why any intelligent designer of a cryptosystem would commit that error.
Re: disclosure
If I were I wouldn't be revealing the details of the encryption method and I wouldn't be subjecting the software to critical examination.
To my mind, selling the code for the encryption method does not count as revealing the details to a very wide audience. Were it freely available, I would say that you had satisfied that concern. Were it even available on a non-compete covenant basis and free of monetary charge I would be satisfied. Let me see if I can paraphrase. You'll sell me the code, so that I can evaluate it or have someone else do this. This evaluation is much more for your benefit than mine, because where I might use it for myself, this same information accrues much more to the value of the cipher itself, which is yours. Oh, please. Re: An inappropriate historical comparison
You omit to point out that Kahn also discusses the cryptosystem invented in the late 18th Century by Thomas Jefferson. I'm not aware that Jefferson was a "professional" cryptologist or that he was "credentialed" in this field.
The single salient difference that you ignore is fifty years of public and intensive research into cryptography, starting with Shannon. I have seen nothing other than vague claims of security and one statistic of flat byte distribution in the ciphertext (necessary and easy to achieve). I have seen very little awareness of any of this work. In particular, the most sophisticated analysis for ciphers to date has been differential cryptanalysis. I have not seen the results of any such examination of your cipher. To give you a clue as to how good this technique is, Biham and Shamir were able to break FEAL-4 with a few dozen chosen plaintexts, and FEAL-8 with somewhat more. Re: levels of expertise
This shows that your distinction between "professionals" (by implication, the experts) and "amateurs" (by implication, the self-deluding fools) is false. There is no such clear-cut distinction.
The state of cryptography two hundred years ago is not relevant to the current state of knowledge. Today there is much, much more to know about the subject, and there is a lot of relevant prior art. Should you claim that this prior art is not needful to know in order to design new ciphers, I will not imply that your are a self-deluding fool, I will explicitly declaim you as self-deluding fool. Re: arguments _ad authoritatem_
Whether a cryptosystem is strong or not has to be decided by an examination of the system itself, not on the basis of whether its author has attended cryptology classes at M.I.T.
But lacking both criteria, I have no belief at all that your cipher is secure. In fact, given the track record or the uncredentialled in the last twenty years, I have exactly the opposite opinion. Re: cryptanalysis
No doubt you've read your Abraham Sinkov on "Mathematical Cryptanalysis" and other such works,
These and other such works are by no means the state of the art. If you've learned all your cryptography from these, it's time to do some more reading.
where the solving of simultaneous equations in several (perhaps many) unknowns may yield a solution in some cases.
One of the fundamentals of real cryptography is that exact solution techniques are much less powerful than statistical methods of the appropriate form. Techniques of adding in 'noise' prevent exact methods, but that is largely irrelevant. Every useful statistic will come through just as before, except that a larger data set is needed. Eric
participants (2)
-
Eric Hughes -
meyer