Re: Tristrata / Breaking PAL?

Mok-Kong Shen (mok-kong.shen@stud.uni-muenchen.de)
Mon, 12 Apr 1999 18:39:47 +0200

• Next message: Henry Spencer: "FreeS/WAN press release"
• Previous message: Robert Hettinga: "DCSB: Chris Wysopal, L0pht; Client Security in Digital Commerce"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"

Thomas Roessler wrote:
>
> Niels Ferguson, Bruce Schneier, and Dave Wagner have an unpublished
> paper on a model of what Tristrata's Random Key Stream may look
> like. Their model is as follows: There are M pointers t_1, ..., t_M
> into a pool of random bytes of size S. The key stream is then:
>
> k_i = Xor_{j = 1}^{M} pool[(t_j + i) mod (S - j + 1)]
>
> One of the attacks described in this paper relates to finding the
> pool from known keystream and know pointers. They note that each
> known byte of key stream is an equation in five elements of the
> pool. Given a sufficient amount of known key stream for known
> pointers, the pool can be reconstructed by solving a large system of
> linear equations.

I am entirely unfamiliar with the way of functioning of the system
of Tristrata. Hence my naive question: If a key stream is to be
constructed from a pool of random bits, why shouldn't the M pointers
be derived in someway from a secret session key which is unknown
to the analyst? Or were the intention of the system to free the users
from the burden of having to deal with session keys themselves at all?
Another question: what is the speed of encryption as a function
of the number of pointers chosen?

M. K. Shen

• Next message: Henry Spencer: "FreeS/WAN press release"
• Previous message: Robert Hettinga: "DCSB: Chris Wysopal, L0pht; Client Security in Digital Commerce"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"