[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
EFF misstatements in DeCSS brief
>From the EFF's legal brief in the DVD encryption case, viewable at
> The Plaintiff is using an encryption scheme to distribute large
> quantities of data in a known format, and is providing alongside
> the encrypted data a file consisting of a large number of decryption
> keys, one of which is guaranteed to work at decrypting any given disk.
> Under such circumstances, with large samples of encrypted data and valid
> decryption keys provided, the task of determining what decryption process
> will give back the original data is simple for those skilled in the art
> of cryptanalysis.
It is hard to imagine how two sentences could contain more errors and
In the first place, consider the claim that the data format consists
of an encrypted data file, alongside a large number of decryption keys.
This is absurd. It would be utterly pointless to include the decryption
key alongside the ciphertext. It would be equally pointless to include
a large number of other decryption keys which don't work.
What is actually done is that the single decryption key for the disk is
separately encrypted using each of the keys reserved for each different
family of DVD players. Then, each player knows which entry it can
decrypt in order to recover the decryption key for the disk.
So we see that it is false that the file consists of a large number of
decryption keys; instead, it consists of ENCRYPTED decryption keys, another
matter entirely and highly relevant in considering the security of the
We also see that it is totally misleading to say with these keys, "one
of which is guaranteed to work at decrypting any given disk." In fact
each and every one of the encrypted decryption keys is guaranteed to
work at decrypting that disk.
Even if these complete misstatements of the facts were correct, we are
then presented with the claim that given large samples of encrypted
data and valid decryption keys, "the task of determining what decryption
process will give back the original data is simple for those skilled in
the art of cryptanalysis."
Even if we were given ciphertext and decryption keys (which we're not),
determining the "decryption process" (i.e. the decryption algorithm) and
recovering the original data would be a highly difficult and uncertain
task. Without knowing the algorithm, without knowing the plaintext,
given only some ciphertext and keys, the cryptanalyst faces a steep
Most academic cryptanalysis is done with knowledge of the algorithm,
often knowledge of the plaintext, with the goal of recovering keys.
Here we have a key and want to recover the algorithm. But there is far
more variation possible in algorithms than keys; and without knowing
the algorithm there is no way to analyze it and know what weaknesses to
look for. The best that can be done is to start doing blind statistical
tests on the ciphertext in the desperate hope that some pattern or
correlation to the plaintext will show up to give the analyst a foothold.
What was actually done, of course, is that the algorithm was derived
in some other way, probably through reverse engineering of one of the
decrypting players. Once that was done the cryptographers were able
to study and analyze the algorithm and find weaknesses which they could
exploit. This is familiar ground for modern cryptanalysts. It would
be absurd to attempt what EFF calls the "simple" process of deducing the
algorithm just from the data and keys. (And they didn't have the keys,
We see that virtually every part of the excerpt above from the EFF
brief is mistaken and misleading. It is astonishingly bad given that
they had advice and support from a number of people knowledgeable about
cryptography. If the judge is relying on the EFF and its supporters as
technical experts on cryptography, he's having the wool pulled over his
eyes. Hopefully cypherpunks who know better will have the objectivity to
speak up when the EFF as well as the DVD-CCA makes misleading technical