Newsgroups: sci.crypt
Path: msuinfo!caen!zaphod.mps.ohio-state.edu!qt.cs.utexas.edu!yale.edu!yale!mintaka.lcs.mit.edu!bloom-picayune.mit.edu!athena.mit.edu!tytso
From: tytso@athena.mit.edu (Theodore Y. Ts'o)
Subject: Re: PRNG encryption (was Re: Encrypting with MZT sequences?)
In-Reply-To: cme@ellisun.sw.stratus.com's message of 28 Jan 92 15:54:49 GMT
Message-ID: <TYTSO.92Jan28232242@SOS.mit.edu>
Sender: news@athena.mit.edu (News system)
Nntp-Posting-Host: sos.mit.edu
Organization: Massachusetts Institute of Technology
References: <10587@lectroid.sw.stratus.com> <1992Jan28.051922.1257rcain@netcom.COM>
	<10643@lectroid.sw.stratus.com>
Date: Wed, 29 Jan 1992 04:22:49 GMT
Lines: 23

In article <10643@lectroid.sw.stratus.com> cme@ellisun.sw.stratus.com (Carl Ellison) writes:

>>It was stated some time back that xor'ing a pseudo random sequence with
>>plain text was vulnerable regardless of the PRNG employed.  Please
>>elaborate.                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>This is not quite true.
>
>Assuming a known plaintext attack, XOR yields the PRNG sequence itself.
>The enemy is assumed to know the algorithm.  The question then is whether
>the PRNG algorithm can be inverted to yield the state from the outputs.

I suspect that the vulnerability which the first writer meant was that
assuming a known plaintext attack, an active attacker can XOR away the
message, leaving the PRN sequence, and then XOR in a message of the
attacker's choice.  In many cases, this can be disastrous.

I will leave to the reader's imagination the results if the order "Fall
back at once" were transmuted to "Full frontal attack".
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Theodore Ts'o				bloom-beacon!mit-athena!tytso
308 High St., Medford, MA 02155		tytso@athena.mit.edu
   Everybody's playing the game, but nobody's rules are the same!
