Agreeing with all the previous problems and issues put forth; key-escrow, secret algorithms that can't be formally tested, etc... So, let's *assume* that the US Gummint makes all other encryption illegal, except those that use this chip, and they intend to check all messages that look encrypted to verify that they have the correct system key: Well, we can use more than one chip, or use it in ways that were "unanticipated". F'rinstance: Use PGP (or SROT, or some other p.d. crypto package) to encrypt once, and then use a Clipper to put a legal-looking wrapper on the message. The problem with this is that *if* there is a law making all other cryptosystems illegal, then you still do time. Then the gummint says "You can use chips, but ONLY chips. No other encryptation.". Well, how 'bout this: Use three chips. The first two are BOTH fed the message, and the resulting bitstreams are XORed together and then fed to the third chip (to provide a legal-looking "wrapper") The XORing should obscure the serial numbers of the first two chips, meaning that the NSA can not go to a key-escrow authority with a blanket court order and obtain the keys. Rather, assuming the "secret algorithm" is good, the worst-case scenario is either a full search of the keyspace (if the secret algorithm forms a mathematical "group", or an exhaustive search of [issued-keyspace]^2. Yes, the above does not address the issue of decoding (as stated above, you can't recover the plaintext.) But that's soluble, by inserting a known (but secret) string into the start of the bitstream for both the encoding and decoding second chips; the result is that by the time the second decoding chip needs to start knowing what was XORed into the incoming stream, the first decoding chip has already decoded that part of the message, which can be re-encoded using the first encoding chip's keys to provide the continuing bitstream needed for the XOR. Now, the BIG issue is this: is it possible to obtain the serial numbers of a pair of Clipper chips from the XOR of two output streams? How about three? How about N, where N is large? Without knowing the algorithm, this will be difficult to answer... -Bill % ====== Internet headers and postmarks (see DECWRL::GATEWAY.DOC) ====== % Received: by enet-gw.pa.dec.com; id AA02474; Wed, 21 Apr 93 05:13:14 -0700 % Received: from mc by mc.lcs.mit.edu id ak02907; 20 Apr 93 11:15 EDT % Received: from enet-gw.pa.dec.com by mc.lcs.mit.edu id aa02377; 20 Apr 93 10:20 ED % Received: by enet-gw.pa.dec.com; id AA27388; Tue, 20 Apr 93 07:19:42 -0700 % Message-Id: <9304201419.AA27388@enet-gw.pa.dec.com> % Received: from aidev.enet; by decwrl.enet; Tue, 20 Apr 93 07:19:43 PDT % Date: Tue, 20 Apr 93 07:19:43 PDT % From: "Dulce et decorum est pro patria mori. 20-Apr-1993 0950" aidev::yerazunis % To: elbows@mc.lcs.mit.edu % Cc: aidev::yerazunis % Apparently-To: elbows@mc.lcs.mit.edu % Subject: Clipper Chip