00100		This  program  is  for  enciphering  files  in a time-sharing
00200	system in order to ensure privacy.  It is entirely based on the  open
00300	cryptographic literature.
00400	
00500		A running key, which is a string of characters as long as the
00600	message, is generated, and each character of  the  message  is  XORed
00700	with  the  corresponding  character  of  the  running  key  to  get a
00800	character of  the  cryptogram.        If  the  running  key  were  an
00900	equi-distributed  independent  sequence of characters, the cryptogram
01000	would be unbreakable, because the a posteriori probabilities  of  the
01100	various  messages  given  the cryptogram would be the same as their a
01200	priori probabilities.  In this case, the  running  key  would  either
01300	have  to be stored in the file system or it would have to be supplied
01400	by the user each time he used  the  program.    Either  of  these  is
01500	impractical,  so  the  running  key  is  generated by a pseudo-random
01600	process from a starting  key  each  time  a  file  is  enciphered  or
01700	deciphered.   This gives rise to a number of pitfalls that have to be
01800	avoided:
01900	
02000		1. It  is  essential  not  to  encipher  two  files  or  even
02100	successive  versions  of  the  same  file  with the same running key.
02200	Given two files enciphered by the same key, they can be decrypted  by
02300	guessing  successive  characters  of the running key so as to produce
02400	"English"  from  both  cryptograms.   Given  the  statistics  of  the
02500	"English",  the process can be automated. We avoid this difficulty by
02600	incorporating the time  as  read  from  the  computer  clock  in  the
02700	starting  key so that even if the same nominal key is used twice, the
02800	actual starting keys and so the running keys will be different.   The
02900	time  is  stored in plain text with the file and is combined with the
03000	nominal key supplied by the user for deciphering the file.
03100	
03200		2.    The  cryptographer  will  often  be  able  to  guess  a
03300	substantial  part  of  the  cryptogram from his knowledge of what the
03400	user has to say. Our goal is that even if the cryptographer  has  the
03500	whole of the plain-text except a single character, he still will not
03600	be able to get that character.   Therefore,  we  have  to  avoid  the
03700	possibility   that   the  cryptographer  will  guess  a  sequence  of
03800	characters of the message, combine this with a sequence of characters
03900	of the cryptogram to get a sequence of characters of the running key,
04000	and continue the running key by its law of formation.  If the running
04100	key  were  simply  the  set  of  numbers produced by one of the usual
04200	random number generators, it would  be  subject  to  this  method  of
04300	attack.      The  solution to this problem is to make the running key
04400	uncontinuable.   Thus we would like it to be such  that  if  all  the
04500	characters  of  the  running  key  but one were known, that remaining
04600	character still could not be obtained. Our way of accomplishing  this
04700	is  to use three congruential random number generators with different
04800	moduli.   The corresponding characters generated by two of  them  are
04900	XORed,  and  the  third  is used to determine which characters of the
05000	resulting sequence are used to make up the running key.
05100	
05200		3.  The cryptographer should not be able to crack the message
05300	simply by trying nominal keys in turn using a digital computer.  This
05400	requires that the nominal keys be selected from  a  population  large
05500	enough  so  that  it can't be scanned in an amount of work reasonable
05600	for the cryptographer.  We leave this up to the user.  He provides  a
05700	sequence  of  characters  of  arbitrary  length.        Even  if  the
05800	cryptographer  has  parallel  very  high  speed  computing  equipment
05900	designed  for the purpose, a population of 10↑15 potential keys seems
06000	adequate and could be supplied by a 15 digit randomly chosen  nominal
06100	key.      In  compensation  for  the  labor  of memorizing a 15 digit
06200	sequence, the user can use the same nominal key on all  his  messages
06300	without  danger  of  repeating  the same starting key provided no two
06400	messages are enciphered at the same time.