[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: EFF misstatements in DeCSS brief



On Sun, Jan 09, 2000 at 06:16:27PM -0800, David Wagner wrote:
> By the way, I'd also like to suggest that we shouldn't be too quick
> to dismiss the possibility that the CSS was revealed and broken using
> a purely cryptanalytic attack.  In other words, I'd like to suggest
> that the CSS may have been discovered using just black-box access to
> the cipher implementation (no disassembly or `reverse engineering').
> 
> Looking at the cipher, it appears that it may be possible to discover
> much of its structure with many millions bytes of known text.  Here's
> the mathematical analysis.  Get many streams of known text, and derive
> the corresponding keystream output for each stream.  The internal state
> of the cipher is only 40 bits wide, so by the birthday paradox, there
> is a good chance of a `collision', i.e., an overlap in some pair of
> keystream sequences.  This overlap is easily detected if you only think
> to look for it, and it tells you a lot about the cipher.
> 
> Obviously, obtaining millions of bytes of known text for CSS should be
> straightforward, given access to a DVD player (especially one in software).

	I was unaware that there were any legal, licensed DVD players in
software that provided open public interfaces to the decoded data
streams off the disk.   It is my impression that getting ones hands on
the decoded bitstream would require reverse engineering the player
software of the same possibly illegal sort as reverse engineering the
cipher contained in the player would.   Certainly the stated  purpose of
CSS was to prevent customers from getting their hands on decoded MPEG
and AC3 streams and it seems astonishing that commercial software would
allow any kind of straightforward access to such things.

	It is I guess technically true that one could,  with considerable
difficulty and effort, take the decoded video and re-encode it to yeild
the original, but for cryptanalytic attack this would be a nightmare since
there are so many unknowns about the encoding process and the relationship
of specific decoded image components to specific packets or frames
in the encoded data stream.

	I defer to your (vastly greater) expertise as to how easy it
is to attack the cipher given plaintexts and matching ciphertexts...

-- 
	Dave Emery N1PRE,  [email protected]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18