IPG Algorith Broken!

eli+ at gs160.sp.cs.cmu.edu eli+ at gs160.sp.cs.cmu.edu
Sat Nov 23 22:26:07 PST 1996 

Dale Thorn writes:
>Is the concept here that:  Whereas conventional crypto generates/hashes
>a *key* with which to encode the text, IPG generates a *pad* from a key,
>more or less the length of the text, with which to encode the text??

A cryptosystem is given a key by the user.  A block cipher uses it to
encrypt chunks of plaintext, perhaps 8 bytes long.  (This is an
oversimplification.)  A stream cipher uses it to generate a pseudorandom
sequence that is combined with the plaintext.  IPG's product is a stream
cipher.

>It seems to me they're putting an additional layer of stuff ("OTP") between
>the key generation and the actual encoding, so what's the problem with that,
>as a concept?

The first problem is the name "OTP".  A one-time pad is a well-defined
thing, and this isn't it; they'd like to be associated with the term
because the one-time pad is in fact provably secure.

So they have a stream cipher.  Is it a good stream cipher?  Well, nobody
knows, because no cryptanalysts have taken the time to attack it.  There
aren't all that many who publish in the open literature, and there are
thousands of amateur proprietary schemes out there -- who has the time?
If it were designed by someone known to be competent (RC4), or if it
were widely used (pkzip), somebody might think it worth looking at.

If you're not a cryptanalyst yourself (and I'm not, but at least I know
it!), all you have to go on is the history of similar schemes.  This is
not encouraging; there are outfits which for a moderate fee will crack
the proprietary encryption offered by dozens of popular products.  IPG's
history is even less encouraging

Maybe this one's different from all of those.  How valuable a secret
would you like to wager on that?  If IPG wants credibility, they should
retain a respected cryptographer, or several, to attack their scheme.

(Or just publish Don's proof of unbreakability.  Since the scheme is
provably _not_ information-theoretically secure, this must be a proof of
computational security, presumably a superpolynomial lower bound.  And
as the scheme is trivially breakable in NP time, Mr. Wood is sitting on
a _major_ result, a resolution to the central problem in computational
complexity theory: a proof that P != NP.  Do publish, sir.)

-- 
   Eli Brandt
   eli+ at cs.cmu.edu

More information about the cypherpunks-legacy mailing list