Xref: utzoo comp.compression:227 sci.crypt:4422
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!bellcore!epic!karn
From: karn@epic.bellcore.com (Phil R. Karn)
Newsgroups: comp.compression,sci.crypt
Subject: Re: Security of PKZIP's encryption
Message-ID: <1991Apr3.212713.18209@bellcore.bellcore.com>
Date: 3 Apr 91 21:27:13 GMT
References: <1991Mar26.150049.20882@athena.cs.uga.edu> <1991Apr2.070810.10812@maverick.ksu.ksu.edu> <1991Apr3.041950.20991@bellcore.bellcore.com> <1991Apr3.070045.22296@nntp-server.caltech.edu>
Sender: usenet@bellcore.bellcore.com (Poster of News)
Reply-To: karn@thumper.bellcore.com
Organization: Packet Communications Research Group (Bellcore)
Lines: 34

In article <1991Apr3.070045.22296@nntp-server.caltech.edu>, madler@nntp-server.caltech.edu (Mark Adler) writes:
|> 
|> >> At first glance, it doesn't look all that strong to me since all of
|> >> the operations appear to be linear.
|> 
|> Linear?  In what field?

Well, most of the operations seem to be additions and CRC calculations.
CRCs are certainly linear, as are additions. I don't see any nonlinear
substitutions and permutations going on.

I am only a layman cryptographer, but I am familiar with many of the
design principles of ciphers: nonlinearity and non-affineness are
essential properties for the building blocks, repeated permutation and
substitution operations are much stronger than the individual
operations themselves, and so on. This cipher does not seem to follow
those principles. I'll shut up on this point and let the experts
comment further if they want.

|> Sounds pretty secure.  Then again, I'm not sure I'd trust any encryption
|> method that was approved by the NSA.  Especially since they will not say
|> how the various arbitrary-looking bit flipping was derived.

At the risk of stirring up an old debate, I can say that I personally
believe DES to be well designed, at least for a cipher with only 56
bits in the key. The "Differential Cryptanalysis of DES" paper from
last year's Crypto conference sheds a lot of light on this subject.

I also take some heart from the NSA's strong resistance to the lifting
of export controls on DES. One might claim that this was merely a ploy
on their part to make us trust a cipher that they have cracked, but I
think that gives them too much credit.

Phil