Path: cactus.org!milano!cs.utexas.edu!rutgers!ukma!hsdndev!cmcl2!adm!smoke!gwyn
From: gwyn@smoke.brl.mil (Doug Gwyn)
Newsgroups: sci.crypt
Subject: Re: Braided streams (The Leichter Side)
Message-ID: <16509@smoke.brl.mil>
Date: 23 Jun 91 18:55:18 GMT
References: <1991Jun23.042445.9676@elevia.UUCP>
Organization: U.S. Army Ballistic Research Laboratory, APG, MD.
Lines: 20

In article <1991Jun23.042445.9676@elevia.UUCP> alain@elevia.UUCP (W.A.Simon) writes:
> No it doesn't. I suggest you try an example. In fact, der Mouse
> published a convincing demonstration that given any desired target
> plaintext, there is a key string that will allow you to retrieve
> it from the ciphertext. He did this with a 1bm only sample. I'll
> let you imagine the rest. This is not a formal proof of the absolute
> and perennial truth of this fact, but it is damn convincing.

No, that's not logically correct. In the known plaintext analysis, if
the key is unique (i.e., if there are not two keys producing the same
ciphertext from the same plaintext), then it can be unambiguously
recovered (given more plaintext than the key size), and the only issue
is how efficiently it can be recovered.

As I understand the proposed key recovery technique, for key length
100 bits it would have an expected number of trial encryptions of
1.2x10^18, which is much better than the brute-force expectation of
5x10^30 but probably still not computationally feasible.

However, the proposed technique is still a "brute force" search of the
key space, and thus does not represent the best that could be done.
(For example, it makes no use of the known underlying plaintext
distribution.)
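The two positions in the exchange above are easy to see on a cipher small enough to exhaust. The following is an added example, not code from the thread or from the braided-stream proposal it discusses: it uses a constructed 16-bit repeating-key XOR cipher (chosen purely so its whole key space can be enumerated) and the helper names `encrypt`, `consistent_keys`, `key_for_target` and `expected_brute_force_trials` are this example's own. It shows that while the known plaintext is no longer than the key, a key exists that turns the ciphertext into any target of that length (the quoted observation), and that once the known plaintext exceeds the key size only one key remains consistent (Gwyn's point), with the search cost being purely a matter of how the key space is enumerated.

```python
"""Toy known-plaintext key recovery (added example, not from the thread).

The cipher is a constructed repeating-key XOR with a KEY_LEN-byte key. It is
not the braided-stream scheme under discussion; it is only small enough that
every candidate key can be tried, so the uniqueness argument can be observed
directly rather than argued.
"""
from __future__ import annotations

from itertools import product

KEY_LEN = 2                 # 16-bit key: 65,536 candidates, cheap to exhaust
KEY_BITS = 8 * KEY_LEN


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Repeating-key XOR; decryption is the same operation."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))


def consistent_keys(plaintext: bytes, ciphertext: bytes) -> list[bytes]:
    """Exhaustive search: every key mapping the known plaintext to the
    observed ciphertext. The whole set is returned so the caller can see
    whether the key is unique (one element) or still ambiguous (many)."""
    return [
        bytes(k)
        for k in product(range(256), repeat=KEY_LEN)
        if encrypt(bytes(k), plaintext) == ciphertext
    ]


def key_for_target(ciphertext: bytes, target: bytes) -> bytes | None:
    """The quoted observation: if the known fragment is no longer than the
    key, some key 'decrypts' the ciphertext to ANY target of that length.
    Once the fragment is longer than the key, the repeating structure
    usually rules the target out and None is returned."""
    if len(target) != len(ciphertext):
        return None
    # Each key byte is forced by the first KEY_LEN positions ...
    key = bytearray(KEY_LEN)
    for i in range(min(KEY_LEN, len(target))):
        key[i] = ciphertext[i] ^ target[i]
    # ... and the forced key must then agree with every later position.
    if encrypt(bytes(key), target) != ciphertext:
        return None
    return bytes(key)


def expected_brute_force_trials(key_bits: int) -> float:
    """Expected trial encryptions for an exhaustive search that stops at the
    first consistent key: half the key space on average."""
    return 2 ** key_bits / 2


def demo() -> dict:
    """Run the three observations on constructed sample data."""
    key = b"\x5a\xc3"                       # constructed secret key
    known = b"attack at dawn"               # 14 bytes, longer than the key
    ct = encrypt(key, known)

    return {
        # more plaintext than key: exactly one consistent key, the real one
        "unique": consistent_keys(known, ct),
        # a 1-byte fragment: 256 keys remain consistent, key is ambiguous
        "ambiguous_count": len(consistent_keys(known[:1], ct[:1])),
        # fragment no longer than the key: any target is reachable
        "any_target": key_for_target(ct[:KEY_LEN], b"ok"),
        # fragment longer than the key: an arbitrary target is ruled out
        "target_ruled_out": key_for_target(ct, b"x" * len(known)),
        # cost of plain exhaustion for the toy and for a 100-bit key
        "toy_trials": expected_brute_force_trials(KEY_BITS),
        "trials_100_bit": expected_brute_force_trials(100),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `ambiguous_count` figure is what the quoted demonstration exploits: with the known fragment shorter than the key, a whole family of keys fits and any target of that length is reachable. The `unique` result is the reply's point: the moment the known material outruns the key, the family collapses to one member, and the remaining question is only how many trials the search needs before it lands on it.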