Path: cactus.org!milano!cs.utexas.edu!rutgers!ukma!hsdndev!cmcl2!adm!smoke!gwyn
From: gwyn@smoke.brl.mil (Doug Gwyn)
Newsgroups: sci.crypt

Subject: Re: Braided streams (The Leichter Side)
Message-ID: <16509@smoke.brl.mil>
Date: 23 Jun 91 18:55:18 GMT
References: <1991Jun23.042445.9676@elevia.UUCP>
Organization: U.S. Army Ballistic Research Laboratory, APG, MD.
Lines: 20

In article <1991Jun23.042445.9676@elevia.UUCP> alain@elevia.UUCP (W.A.Simon)
writes:
>	No it doesn't.  I suggest you try an example.  In fact, der Mouse
>	published a convincing demonstration that given any desired target
>	plaintext, there is a key string that will allow you to retrieve
>	it from the ciphertext.  He did this with a 1bm only sample.  I'll
>	let you imagine the rest.  This is not a formal proof of the absolute
>	and perennial truth of this fact, but it is damn convincing.

No, that's not logically correct.  In the known plaintext analysis,
if the key is unique (i.e., if there are not two keys producing the
same ciphertext from the same plaintext), then it can be unambiguously
recovered (given more plaintext than the key size), and the only issue
is how efficiently it can be recovered.  As I understand the proposed
key recovery technique, for key length 100 bits it would have an
expected number of trial encryptions of 1.2x10^18, which is much better
than the brute-force expectation of 5x10^30 but probably still not
computationally feasible.  However, the proposed technique is still a
"brute force" search of the key space, and thus does not represent the
best that could be done.  (For example, it makes no use of the known
underlying plaintext distribution.)
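The uniqueness argument above, as an added example that is not part of the original post or thread; it assumes a toy k-bit LFSR stream cipher (the braided-stream scheme under discussion is not modelled). It shows that with fewer known plaintext bits than key bits several keys stay consistent, that once the plaintext exceeds the key length exactly one key survives, and that the cipher's structure gives that key with no trial encryptions at all, which is the sense in which a brute-force search is not the best that can be done.

```python
# Added example, not from the original post. Toy k-bit Fibonacci LFSR used as a
# stream cipher; the key is the initial register state (assumed construction).
from itertools import product

def lfsr_keystream(state, taps, n):
    """Return n keystream bits. state: k key bits; taps: indices XORed for feedback."""
    state = list(state)
    out = []
    for _ in range(n):
        out.append(state[0])          # output the leading bit, then shift
        fb = 0
        for t in taps:
            fb ^= state[t]
        state = state[1:] + [fb]
    return out

def encrypt(key, taps, plaintext_bits):
    """XOR the plaintext with the keystream (decryption is the same operation)."""
    ks = lfsr_keystream(key, taps, len(plaintext_bits))
    return [p ^ s for p, s in zip(plaintext_bits, ks)]

def consistent_keys(k, taps, plaintext_bits, ciphertext_bits):
    """Known-plaintext brute force: every k-bit key whose encryption of the known
    plaintext reproduces the ciphertext. Returns (candidate keys, trial count)."""
    cands, trials = [], 0
    for key in product([0, 1], repeat=k):
        trials += 1
        if encrypt(key, taps, plaintext_bits) == ciphertext_bits:
            cands.append(tuple(key))
    return cands, trials

def recover_key_directly(plaintext_bits, ciphertext_bits, k):
    """Structural shortcut: the first k keystream bits of this LFSR are the
    initial state itself, so k known bits give the key with zero trials."""
    if len(plaintext_bits) < k:
        return None
    return tuple(p ^ c for p, c in zip(plaintext_bits[:k], ciphertext_bits[:k]))

if __name__ == "__main__":
    # Constructed sample values: an 8-bit key and 12 known plaintext bits.
    taps, key = [0, 2, 3, 4], (1, 0, 1, 1, 0, 0, 1, 0)
    pt = [1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0]
    ct = encrypt(key, taps, pt)
    for n in (5, 8, 12):
        cands, trials = consistent_keys(8, taps, pt[:n], ct[:n])
        print(f"{n} known bits: {len(cands)} consistent keys after {trials} trials")
    print("direct recovery:", recover_key_directly(pt, ct, 8) == key)
```

With 5 known bits 2^(8-5) = 8 keys remain consistent; with 8 or more the true key is the only survivor, and the direct method needs no search.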