Re: Tristrata - worth another look?


Enzo Michelangeli (em@who.net)
Fri, 2 Apr 1999 18:49:00 +0800


-----Original Message-----
From: Alex Alten <Alten@Home.Com>
To: Bruce Schneier <schneier@counterpane.com>; CodherPlunks@toad.com
<CodherPlunks@toad.com>
Date: Friday, April 02, 1999 5:47 PM
Subject: Re: Tristrata - worth another look?

[...]
>It occurs to me that you and I are saying the same thing, but disagreeing
>about the definition of what a "Vernam cipher" means. So let me precisely
>define what I mean when I say it. To me the core enciphering operation of
>one is the following:
>
> X[i] + Y[i] = Z[i]
>
>Where X[i] is a random byte, Y[i] is the cleartext byte, and Z[i] is
>the cipher text byte. And i goes from 0 to n-1 bytes (n = message length).
>In practice the "+" is ones complement addition, i.e. an exclusive OR
>operation.
>
>For each byte i then you have a simple algebraic equation with two
>unknowns, X and Y. The essence of a Vernam cipher is constructing
>the random sequence of X[i] bytes properly in order to compute the
>equation, i.e. encipher the Y[i] into the Z[i] bytes.
>
>Since RC4 is constructing X[i] byte by byte from a randomly shuffled 256
>byte array of numbers (which is reshuffled over time), I consider it to be
>a type of Vernam cipher. RKS uses a different technique to construct
>the sequence of random X[i] bytes. So it too, I consider to be a type
>of Vernam cipher.

Gilbert Vernam would disagree. When, in 1917/18, he defined the One Time
Pad, he made it clear that, in order to achieve unbreakability, X[i] must be
*truly* random, and must be discarded after being used once. If N is the length
of the sequence, you may choose among 2 ** N pads. But if you produce a
pseudo-random stream starting from a key L bits long, you can't get more than
2 ** L pads, and if L < N you just can't generate all the possible N-bit
pads - opening the door to a possibly successful cryptanalysis. That's why
the OTPs required by Vernam enciphering cannot be produced by keyed PRNGs,
no matter if based on RC4, on secure hashes like SHA-1 or whatever. Shannon,
about thirty years later, would have noted that the entropy of a PRNG can't
be higher than the number of bits defining its internal state.

Of course, using a Vernam cipher presents nightmarish problems of key
management, which is why the Germans in WW2 decided to use, instead, the pads
produced by the Lorenz SZ42 machines: thinking that, with an estimated
complexity of 10^19, they were good enough. Well, they weren't :-)

Enzo
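The distinction argued in this thread, as an added example that is not part of the original posts: the XOR operation Z[i] = X[i] + Y[i] with a truly random pad, next to the same operation driven by a hypothetical keyed PRNG (SHA-1 in counter mode, assumed here as a stand-in for RC4 or any hash-based generator, not any real product's design). Counting the pads an L-bit key can reach shows why a keyed stream with L < N cannot be an OTP for an N-bit message.

```python
import hashlib
import os
from typing import Set


def vernam(pad: bytes, data: bytes) -> bytes:
    """Core Vernam operation from the thread: Z[i] = X[i] XOR Y[i].
    XOR is its own inverse, so the same call decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(x ^ y for x, y in zip(pad, data))


def true_pad(n: int) -> bytes:
    """One-time pad in Vernam's sense: n bytes of OS randomness, used once."""
    return os.urandom(n)


def keyed_stream(key: bytes, n: int) -> bytes:
    """Hypothetical keyed PRNG (an assumption for this example, not any
    product's design): SHA-1 over key||counter. Deterministic, so each
    key yields exactly one pad."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha1(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def reachable_pads(key_bits: int, pad_bytes: int) -> Set[bytes]:
    """Every pad an L-bit key can produce for an N-byte message: at most 2**L
    distinct pads, against 2**(8*N) possible ones."""
    nbytes = (key_bits + 7) // 8
    return {keyed_stream(k.to_bytes(nbytes, "big"), pad_bytes)
            for k in range(2 ** key_bits)}


def plausible_under_otp(cipher: bytes, candidate: bytes) -> bool:
    """With a true pad, every same-length plaintext is consistent with the
    ciphertext: the pad X = Z XOR Y always exists and is as likely as any other."""
    return len(candidate) == len(cipher)


def plausible_under_keyed(cipher: bytes, candidate: bytes, pads: Set[bytes]) -> bool:
    """With a keyed PRNG, the pad Z XOR Y must be one of the reachable pads,
    so most candidate plaintexts are ruled out outright."""
    return vernam(cipher, candidate) in pads


if __name__ == "__main__":
    msg = b"PAYD"                              # constructed 4-byte (N = 32 bit) message
    z = vernam(true_pad(4), msg)
    print(plausible_under_otp(z, b"DENY"))     # True: the OTP hides which was sent
    print(len(reachable_pads(8, 4)), 2 ** 32)  # L = 8 bit key: at most 256 of 2**32 pads
```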




The following archive was created by hippie-mail 7.98617-22 on Thu May 27 1999 - 23:44:20