3 September 1997
Source: J. Orlin Grabbe

From: KALLISTE@delphi.com
Date: Wed, 03 Sep 1997 03:53:49 -0400 (EDT)
Subject: Michael Riconosciuto on Encryption

            Michael Riconosciuto on Encryption 
                   by J. Orlin Grabbe 
	Michael Riconosciuto is one of the original  
architects of the PROMIS backdoor.  PROMIS was a  
people-tracking software system sold to intelligence  
organizations and government drug agencies worldwide.   
The global dispersion of PROMIS was part of a U.S. plot  
to spy on other spy agencies. 
	Riconosciuto, who was Director of Research for a  
Wackenhut-Cabazon Indian joint venture, oversaw a  
group of several dozen people who worked out of  
business offices in nearby Indio, California.  According to  
the testimony of Robert Booth Nichols, a CIA agent  
associated with Meridian International Logistics and  
connected to Music Corporation of America (MCA),  
Riconosciuto was in frequent contact with Bobby Inman,  
Director of the National Security Agency (NSA) and then  
Deputy Director of the Central Intelligence Agency (CIA),  
during this time. 
	Since intelligence computers are, for security  
reasons, usually not connected to external networks, the  
original backdoor was a broadcast signal.  The PROMIS  
software was often sold in connection with computer  
hardware (such as a Prime computer) using a specialized  
chip.  The chip would broadcast the contents of the  
existing database to monitoring vans or collection  
satellites using digital spread spectrum techniques  
whenever the software was run. 
	Spread spectrum techniques offer a way to mask,  
or disguise, a signal by making it appear as "noise" with  
respect to another signal.  For example, one may  
communicate covertly on the same spectrum as a local TV  
broadcast signal.  From the point of view of a TV  
receiver, the covert communication appears as noise, and  
is filtered out.  From the point of view of the covert  
channel, the TV signal appears as noise.  In the case of the  
PROMIS broadcast channel, the signal was disguised as  
ordinary computer noise--the type of stuff that must be  
reduced for TEMPEST certification in the U.S. 
	In spread spectrum frequency communication,  the  
transmitted spectrum is much wider than what is really  
necessary.  In digital communication, the transmission  
widths of digital signals are expanded so that many "bit  
periods" are needed to represent one bit at  baseband.   
This results in an improvement in the signal-to-noise- 
ratio.  Spread spectrum techniques are used extensively in  
covert military communications and secure satellite  
	The covert communication channel operates off a  
pseudo-random binary sequence, such as a stream cipher.  
Stream ciphers differ from block ciphers such as DES (the  
Data Encryption Standard) widely used in banking.   
	A block cipher applies a static transformation to a  
fixed block of data.  The DES algorithm, for example,  
encrypts a 64-bit block of data using 64-bit keys.  (The  
effective key size is actually 56 bits, since every eighth bit  
is considered a parity bit and is disgarded.)  In DES  
electronic code book (ECB) mode, each 64-bit block of  
data is encrypted separately from every other block.  In  
cipher block chaining (CBC) and cipher feedback (CFB)  
mode, the encryption of the current data block is  
dependent on previous data blocks.  But under any one of  
these three DES modes, the transformation of a given data  
sequence with a given DES key will nevertheless result in  
the same ciphertext, regardless of the time the encryption  
takes place. 
	A stream cipher, by contrast, applies a time- 
varying transformation to individual digits or bits of data.  
"Time-varying" means the same sequence of plaintext  
data bits seen at two different points in time will be  
encrypted to a different sequence of ciphertext data bits.   
	To illustrate this for a simple case, suppose we are  
doing encryption using simple XOR rules of addition,  
adding keybits k to plaintext bits x on a bit by bit basis to  
obtain cipher bits y:  y = x + k.  XOR addition follows the  
0+0 = 0 
0+1 = 1 
1+0 = 1 
1+1 = 0. 
Suppose the plaintext data is "1011".  The current key  
might be "1010".  Then the ciphertext data is 
1011+1010 = 0001. 
The ciphertext "0001" gives no information about the  
original plaintext.  The plaintext could have been any one  
of 2^4 = 16 possible sequences of 0s and 1s.  To restore  
the original plaintext, we XOR the ciphertext "0001"  
again with the key "1010" to obtain 
0001+1010 = 1011. 
In a stream cipher, the keystream will typically be  
different at different points of time.  This the encryption  
of a repeated plaintext "1011" might take the form 
time 1:  1011 + 1010 = 0001 
time 2:  1011 + 1111 = 0100 
time 3:  1011 + 0011 = 1000 
and so on for other times.  In this example, the "time- 
varying transformation" takes the simple form of a time- 
varying keybit stream.  	 
	The most famous stream cipher is the Verdam  
cipher, or "one-time pad", which follows the encryption  
scheme just described.  If the current time is i, the current  
plaintext bit is x(i), and the current key bit is k(i), then the  
ciphertext bit  is y(i) =  x(i) + k(i).  The number of key  
bits, N, must exceed the number of plaintext bits M:  
N>M.  The bits in the keystream sequence k(1), k(2), . . . ,  
k(N) must be independently and uniformly distributed,  
and are used only once and then disgarded (hence "one- 
time pad").  Of course, this scheme--while not breakable  
by cryptanalysis--has other security problems.   It requires  
both parties to have a copy of the current key, and the key  
to be kept secret from all hostile parties. This in turn  
requires that the keys be generated, stored, and  
communicated in a totally secure manner--a massive  
problem in itself.  So one-time pads are typically only  
used in "hot lines", such as the old Red Telephone  
between Moscow and Washington, D.C. that was installed  
with the hope that a little jawboning could help avert  
nuclear war. ("Can we talk?") 
	Practical cryptography for digital and analog  
communication thus uses "keystream generators" which  
typically determine the keystream as some function f of an  
underlying key K, and the current state of the system s(i): 
k(i) =  f(K, s(i)). 
This key stream k(i) can be added to the original bit  
stream to produce a new (encrypted) stream (as is done in  
"direct sequence" spread spectrum systems).  Or the key  
stream can be used to make the carrier frequency hop  
around within the spread sprectrum bandwidth (as is done  
in "frequency hopping" systems).  Many variations and  
combinations are possible. 
	Like many people associated with PROMIS  
(including Earl Brian, the man who sold it around the  
world), Michael Riconosciuto is in jail.  Riconosciuto was  
convicted on charges relating to the construction of a  
methamphetamine lab. 
	Michael Riconosciuto appears in a recent  
manuscript "The Last Circle" by "Carol Marshall" (whose  
real name is Seymour).   Much of the book is based on  
interviews with, and files purloined from, Riconosciuto.  
Part of the subject matter of "The Last Circle" involves  
the West Coast activities of "The Company", a  
paramilitary drug dealing operation using ex-law  
enforcement and ex-intelligence personel that was based  
in Lexington, KY, in the late 70s and early 80s.  However,  
because "The Last Circle" makes extensive use of  
Riconosciuto's files, it is also concerned with many other  
activities, including in particular a biowarfare project  
undertaken by the Wackenhut-Cabazon Indian joint  
venture.  ("The Company" itself is the subject of another  
book entitled "The Bluegrass Conspiracy" by Sally  
	Riconosciuto wrote me in regard to a speech I  
gave to the Libertarian Party of Colorado on digital cash  
on April 20, 1997.  I have added some comments with  
respect to the issues mentioned. 
May 8, 1997 
M. Riconosciuto 
21309-086 Med. A-1 
Box 819 
Coleman, FL 33521 
        "[Name omitted] has been sending me some of  
your published material for some time.  I have some  
questions concerning your talk on digital cash. 
	"First a little of my background.  I started with  
computers when a "laptop" was an IBM porta-punch.  My  
first serious computing experience was on an IBM system  
1620.  I went from there to the IBM 7090/7094 systems  
and from there to the then "new" IBM 360 family.  I  
missed the 370 generations, because during that time my  
responsibilities had me in a position where comp center  
staff handled all my data processing.  I have been on the  
DEC/PDP systems since they first came out (PDP 8, PDP  
10, PDP 11) and stayed with them as they matured into  
the VAX system.  My programming experience runs the  
gamut from absolute coding sheets in unit record type  
systems, to top down/structured programming.  I have  
been at this for awhile.  I am not impressed by the  
Intel/MS standard that has taken over the computing  
world.  Although I might note that Windows NT has  
suspicious similarity to the VAX/VMS operating system. 
	"Up until six months ago I had access to a  
computer and the latest literature because of my inmate  
job assignments in facilities management and prison  
industries.  We had a high end Pentium CAD set up in  
facilities and a network connection on a Data General  
Avion system in Unicor prison industries.  I also had the  
responsibility of maintenance on a Honeywell building  
automation control DDC-HVAC system. 
	"As a direct result of the TV interview with the  
Germans I was pulled off my premium inmate job and re- 
assigned to the duty of picking up cigarette butts in the  
recreation yard for $5 per month.  This was inspite of  
exemplary job assignment reports and no disruptive  
behavior incidents." 
        [Comment:  Riconosciuto is referring here  
        to an interview he gave on the PROMIS  
        backdoor to German television.] 
	"[paragraph omitted] 
	"The point of all this is to make it clear that I am  
not that far out of touch with the current state of the art. 
	"This brings me to the first question that I want to  
ask about your digital cash speech. 
	"1)  In your reference to the "discrete logarithm  
problem" are you taking into consideration the Donald  
Coppersmith work?  Coppersmith developed a  
computationally feasible way to take discrete logarithms  
back in the 80s.  Needless to say, this work has been  
played down, but it has been in the open literature." 
        [Comment:  The discrete log problem is  
        the problem of finding x such that g^x =y  
        mod n, for a given y, g, and n.  Here x is  
        the discrete logarithm of y to the base g.   
        Since this is hard to do, one can form a  
        public/private key system with x as the  
        private (secret) key and y = g^x mod n as  
        the public key.  
        [Of course, the hard-to-do job of taking  
        discrete logarithms may not be the only  
        way to approach a given problem.  The  
        security of  Diffie-Hellman, to which I  
        referred in my speech, is apparently based  
        on discrete logarithms, but is susceptable  
        to a simple attack by a person in the middle  
        of the communication process.  In Diffie- 
        Hellman,  Alice generates x and send Bob  
        g^x mod n.  Bob generates y and sends  
        Alice g^y mod n.  They both then calculate  
        g^(xy) mod n as the session key. (The best  
        an observer can do is calculate g^(x+y),  
        without taking discrete logarithms.)   
        However, if Eve controls all  
        communication between the two, she can  
        substitute her own parameters, and decrypt  
        both sides of the conversation before  
        forwarding the messages.  Be this as it  
        may, Diffie introduced a simple variant of  
        this process--called Station to Station  
        (STS) protocol--which completely  
        eliminates the man-in-the-middle attack. 
        [Riconosciuto refers to the work of  
        Coppersmith [1], [2] in finding discrete  
        logarithms.  Coppersmith greatly increased  
        the efficiency of finding discrete logs in  
        fields of characteristic 2 (which use digits  
        0 and 1, and thus are efficient in  
        programming), so that the modulus has to  
        be of the order of n = 2^1000 to be secure.] 
	"2)  You of course are aware that RSA type  
algorithms are no more secure that the modulus is difficult  
to factor.  Are you aware of the latest  advances in  . . .  
differential cryptanalysis and meet in the middle  
techniques?  Are you aware of the work by Lenstra . . . et  
al with their methods of quadratic sieves etc?" 
        [Comment:  Riconosciuto is refering here  
        are to several types of cryptanalytic attacks.   
        Differential cryptanalysis and meet-in-the- 
        middle generally refer to attacks on DES,  
        while the work of Lenstra is directly  
        relevant to RSA.   
        [The methods of Lenstra [3], Cohen and  
        Lenstra [4], and Pomerance, Rumely, and  
        Adleman [5], use Fermat's Little Theorem  
        (or its analog in extension fields of rational  
        numbers) and Gauss and Jacobi sums to  
        test for primality.   
        [The quadratic sieve for factoring n has  
        running time of the order of exp((ln n ln ln  
        n)^.5).  A slightly faster method is [6] the  
        number field sieve, which has running time  
        of the order of exp((ln n)^(1/3) (ln ln  
	"3) Have you ever heard of the Hilbert spectral  
processing technique and its application to high speed  
factoring systems? 
        [Comment:  I'm not sure exactly what  
        Riconosciuto has in mind here.  But  
        communication signals can be decomposed  
        into addable parts using systems of  
        orthogonal functions such as Fourier series  
        or Walsh functions. 
        [Riconosciuto may be referring to the  
        results of Xiao and Massey [9], who  
        characterize correlation-immune functions  
        in terms of their Walsh transforms.] 
	"4) Are you familiar with fast elliptical encryption  
        [Comment:  I did not refer to these in my  
        speech as they are fairly complex.  Elliptic  
        curve cryptosystems stem from the work of  
        Neal Koblitz [7] and others. Some have  
        alleged that the Skipjack algorithm used in  
        the Clipper Chip is an elliptic curve  
        [The analog of taking a power in modular  
        arithmetic is multiplication on elliptic  
        curves.  So the analog of the Diffie- 
        Hellman problem in the elliptic curve  
        world is to find the interger n such that nB  
        = P, where B and P are points on an elliptic  
        curve.  Here n can be thought of as the  
        "discrete logarithm" of P to the base B.   
        Elliptic curve cryptosystems are believed  
        to offer equal security at shorter key  
	"5) Do you remember the hard knapsack problems  
of Merkle and Hellman and how they fell?" 
        [Comment:  Knapsack problems were so- 
        named because they resemble the problem  
        of fitting a number of items k into a total  
        volume V--like packing a knapsack..  They  
        have the characteristic that they are NP- 
        complete, so that theoretically an  
        encryption scheme could be constructed  
        from them that is not solvable in  
        polynomial time (with respect to k).   
        However, the original Merkle-Hellman  
        knapsack was broken by Shamir. So  
        Riconosciuto is suggesting that  
        implemented discrete log systems may  
        have hidden weaknesses much like the  
        original knapsack encryption systems.   
        There is a knapsack system due to Chor  
        and Rivest that hasn't been broken yet, to  
        my knowledge.] 
	"This should be a good place to start.  Let me  
know if you receive my letter.  [sentence omitted.] 
"Michael Riconosciuto 
        [Comment:  Encryption issues are  
        important.  However, I doubt they will be  
        the deciding security issue in most systems  
        of digital cash.  Ross Anderson [8] has  
        accumulated a lot of evidence from the  
        financial services industry that  
        demonstrates that most security failures  
        involve errors in protocol or in  
        implementation.  Equally important, most  
        current systems that have been called  
        "digital cash" have been designed with  
        deliberate security holes to allow  
        monitoring of transactions at critical  

[1] D. Coppersmith, "Fash Evaluation of logarithms in  
fields of characteristic two," IEEE Transactions on  
Information Theory, 30, 1984, 587-594. 
[2] D. Coppersmith, A. Odlyzko, and R. Schroeppel,  
"Discrete Logarithms in GF(p)," Algorithmica 1, 1986, 1- 
[3] A. Lenstra, "Primality testing," Cryptology and  
Computational Number Theory, Proc. Symp. Appl. Math,  
42, 1990, 13-25. 
[4] H. Cohen and H. W. Lenstra, Jr., "Primality testing  
and Jacobi sums," Math. Comp. 42, 1984, 297-330. 
[5] L.M. Adleman, C. Pomerance, and R.S. Rumely, "On  
Distinguishing prime numbers from composite numbers,"  
Annals of Math. 177, 1983, 173-206. 
[6] A. Lenstra and H. W. Lenstra, Jr., eds. The  
Development of the Number Field Sieve, Springer-Verlag,  
[7] Neal Koblitz, A Course in Number Theory and  
Cryptography, Springer-Verlag, 1994. 
[8] Anderson, Ross, "Why Cryptosystems Fail,"  
Association for Computing Machinery, 1st Conf.- 
Computer and Comm. Security `93, November 1993. 
[9] G. Z. Xiao and J. L. Massey, "A spectral  
characterization of correlation-immune functions," IEEE  
Transactions on Information Theory, 34, 1988, 569-571. 
Posted September 2, 1997 
Web Page: http://www.aci.net/kalliste/