Matt Thomlinson (mattt@microsoft.com)
Mon, 23 Mar 1998 17:40:53 -0800
you miss the point. Just use winnowing chaffing for what it is best at:
bootstrapping a secure channel from an authenticated one. After that, resume
normal crypto usage.
Exchanging a 128-bit key (and then assuming your 200x blowup) = 26000 bits/8
~= 3kbytes. Large, but not undoable in terms of bootstapping a new channel.
mattt
-----Original Message-----
From: Philicious [mailto:philen@monkey.org]
Sent: Monday, March 23, 1998 2:45 PM
To: Matt Blaze
Cc: Bill Stewart; CodherPlunks@toad.com; cryptography@c2.net
Subject: Re: GeeK: Re: Rivest's Chaffing and Winnowing
On Sun, 22 Mar 1998, Matt Blaze wrote:
> It's a cute idea. While it's not clear that it's especially
> practical as described, it does provide a nice proof-of-concept
> that traditional encryption isn't the only way to achieve message
> secrecy. It also illustrates a basic internal conflict in government
Highly impractical, if you ask me. Chaffing single bit packets results in
a message 200 times larger than the original ('each wheat packet may end
up being, say about 100 bits long, but only transmits one bit' -Rivest).
Not only that, but how cheaply can one generate all those wheat packet
MACs, not to mention believeable chaff packet MACs.
Perhaps chaffing half-byte packets would be secure enough (only
quadrupling the size of the message), but I am skeptical.
Still, it is a nifty idea with interesting legal implications.
-phil
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:16:12 ADT