Re: On the Construction of Pseudo-OTP

Jim Gillogly (jim@acm.org)
Fri, 08 Jan 1999 10:04:17 -0800

• Next message: bram: "Re: Short blocksize ciphers"
• Previous message: Mok-Kong Shen: "On the Construction of Pseudo-OTP"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• Next in thread: mgraffam@idsi.net: "Re: On the Construction of Pseudo-OTP"
• Reply: mgraffam@idsi.net: "Re: On the Construction of Pseudo-OTP"
• Reply: Ben Laurie: "Re: On the Construction of Pseudo-OTP"
• Reply: Mok-Kong Shen: "Re: On the Construction of Pseudo-OTP"
• Reply: Mok-Kong Shen: "Re: On the Construction of Pseudo-OTP"
• Reply: Mok-Kong Shen: "Re: On the Construction of Pseudo-OTP"
• Reply: Mok-Kong Shen: "Re: On the Construction of Pseudo-OTP"

Mok-Kong Shen writes some text on how to construct stream ciphers
that may or may not have useful cryptological properties. However,
calling them Pseudo-OTP immediately puts the discussion into disrepute,
because this is an attempt to carry the authority of OTP into a region
where it doesn't apply.

You're designing stream ciphers. These are not OTPs. Feel free to
describe clever ways to come up with the keying material, but calling
it anything to do with a OTP is -- sorry to be so blunt -- fatuous.
That's the thing about a OTP: either it's a OTP or it's not. There's
no such thing as a pseudo-OTP, a nearly-OTP, an almost-OTP, or any
other qualifier.

There's nothing wrong with designing stream ciphers and evaluating
their properties, and I applaud the effort... as long as they aren't
being flogged as snake-oil.

On a separate issue, he goes on to say:
> I should appreciate your opinions on that
> and suggestions of other ways of advantageously generating such for
> applications in the future 56-bit environment.

My opinion is that it has no bearing on the 56-bit environment, to
the extent that the latter is actually going to happen; with the
regs changing monthly, planning a long coding project based on today's
regs would be poor time management. In any case, if the crypto presents
NSA with a work factor greater than 2^56 it won't (today) get an
export license from BXA, no matter how many weak components it contains.
On the other hand, I'm working and developing as if there won't be a
restrictive environment by the time my stuff is ready for prime time.
Even if I put my stuff up on a controlled site, it won't be long
before it gets overseas, thanks to anonymous remailers.

Which reminds me, perhaps another good project would be a source code
whitener, to sand off the characteristic coding fingerprints of known
crypto export offenders.

-- 
	Jim Gillogly
	Trewesday, 17 Afteryule S.R. 1999, 17:48
	12.19.5.15.2, 2 Ik 15 Kankin, Fifth Lord of Night

• Next message: bram: "Re: Short blocksize ciphers"
• Previous message: Mok-Kong Shen: "On the Construction of Pseudo-OTP"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• Next in thread: mgraffam@idsi.net: "Re: On the Construction of Pseudo-OTP"
• Reply: mgraffam@idsi.net: "Re: On the Construction of Pseudo-OTP"
• Reply: Ben Laurie: "Re: On the Construction of Pseudo-OTP"
• Reply: Mok-Kong Shen: "Re: On the Construction of Pseudo-OTP"
• Reply: Mok-Kong Shen: "Re: On the Construction of Pseudo-OTP"
• Reply: Mok-Kong Shen: "Re: On the Construction of Pseudo-OTP"
• Reply: Mok-Kong Shen: "Re: On the Construction of Pseudo-OTP"