[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
The return of the IPG Unbreakable System (fwd)
Derek and others,
In view of the anonymous remailer's calim to have broken the simple
system, which as you and others who have had the system for a period
time know, we have had some reservations about.
The effect on the 5600 bit system, and the 12288 bit system, are unkown
at this time. Our tests indicate that there is not any effect at all on
the 12,288 bit system. The 5600 bit system, which is indentical to the
system described in our release, except that the D values, are used as an
index to one, or two tables of random characters, 512 characters, or
2 - 256 characters, may be effected by a known plain text attack, we do
not think so but we are running a battery of tests.
The anonymous remailer may be able to confirm or deny that, since that
person will presumably receive this letter. The addition is trival, that
is the system is identicalin all respects to that set out, which was
described accurately by the remailer, except that instead of XORing
the D value, the D value is used as an index into a table(s) of random
characters, that is the random seed is 5600 bits instead of 1792.
That was one reason for providing large random seeds in our release.
Our analysis as of 3:00pm CST 3-19-96, indicates that the D values are
not recoverable, but we stand to be proven wrong. This system is only
fractionally slower, for obvious reasons, than the simple one directly
using the D values directly, described previously. Incidentally, for
those concerned, it is as you know, the one that the IPG software
in your possesion uses.
Note: There was one error in the description, that is 13568 ANDed to the
8 bit random seed to get starting A values, it is not a C word AND but
the assembly langauge sequnce of moving successive AL values into AX,
where AH is fixed at 35, thus the effect is the same as an add,
(or a byte AND of the random charcter to a zero AL) - the result is
a number in the range of 13,568 to 13,823.
Further, with respect to the simple system described in our release,
we believe that the trimming procedure, that as some of you know, we used
for another purpose - to eliminate the perceived problem of more frequent
close pairs, on the average more 0,0's as opposed to 0,255's, defeats the
plain text attack, though it may require the jump start as we have
described - running the system through a few iterations before commencing
the actual encryption. The effect of this, as has been described to some
of you, is that some of the D's are not used, that portion of each C
value that is not an even multiple of 256, for example 14009 MOD 256
is 185. Thus, those values where A[i] > 13824 are not used to XOR against
the plain text - this is easily done in ASM by simply comparing the high
order 8 bits, of A[i] with the high order 8 bits of C[i], if they are
equal, then the XOR does not take place - thus the 64 interval is not
applicable, it is variable depending upon the randomly selected C values.
Without having the known 64 interval as a constant, I believe that the
system is still solid. As those of you heretofore privy to that
information know, that modification to the system system takes about
10% more time, than the system that was "cracked." Maybe, we need to do
both this and use the 5600 byte system. We will appreciate any input in
this regard.
If we must go to the 12288 byte system, the system will be slower.
However, as many of you know, it is still extremly fast but not as
fast as either of the other two versions. With the 12,288 bit system.
Our tests indicate that nothing but random values, can be obtained by
either known plain text attack or by pattern recognition methodologies,
those of which we are aware, on the 12,288 bit system.
Those of you who have had all of the materials will understand the
foregoing. With the information provided heretofore, you can determine
the effect on the other two systems. Also, those people will know my
expressed fear of a premature announcement, such as that which has
now been made, would have. This was the reason, that I resisted
so strongly the release of the materials to the C'punks list
though a few of you recommended that I do so. Perhaps we should have
released everything? Who knows. However, in any case, that is water
over the dam and IPG must go on from here. It is only another of the many
mistakes that we will undoubtedly make along the way.
Having said that though, we must go back to our prior
evaluation method, a strict confidential mode. However, I believe that we
have added several very good additional people who can help to analyze
the system.
In view of the willful violation of our confidential release, without
knowing everything involved, and putting it out on the Internet, please
be advised that other than those who have heretofore been evaluating the
system, we will make no further releases except on a highly
selective basis. The dozens of you who have requested copies of
the materials,and have not yet received them, please be patient
until we can get back on track. On a selected basis, we will provide then
to you, after discussing it with each of you privately. Obviously, this
breech occurred from yesterdays posting since no mention was made of the 5600
bit or 12,288 bit random seed systems. Therefore, we intend to be very
careful from now on.
Accordingly, this will be the last letter posted to the entire
cypherpunks list for the time being. If any reader posts something to the
entire Cypherpunks list, do not expect any response to from IPG, there
will be none.
Perhaps a battle has been lost, maybe even probably? But the war is not
over, not by a long shot - with minor modifications this system is
absolutely secure as events will prove. However, be assured that we
will not sell our product to anyone until that can be definitively
established. We greatly appreciate the contribution of some of those on
the cypherpunks mailing list, including the anonymous remailer, have
made. We hope that someway can be found for that person to continue
to cooperate with us, since we are herein obviously providing
information that can be evaluated. If that person will communicate with
us privately, in remailer form, including a PGP public key, we will post
our response to the C'Punks list in encrypted form, or suggest an
alternate approach.
To many of you, you will be hearing from us tomorrow - to the remaining
of you, some of whom have objected to our providing you with unsolicited
information, which we mistakenly thought that you would want, you
will hear from us soon, depending upon the findings made by your
C'punk list associates and others.
Thanks kindly,
Ralph