Bill Stewart (bill.stewart@pobox.com)
Thu, 26 Mar 1998 09:40:24 -0800
At 04:27 PM 3/25/98 -0500, Ron Rivest wrote:
>the revised version of my "chaffing and winnowing" paper
> http://theory.lcs.mit.edu/~rivest/chaffing.txt
>contains a more efficient implementation, in the sense that you can
>have packets with large amounts of information per packet...
If I understand the method correctly, it works like this:
- there are algorithms which let you read a message only
if you have received the entire message, and prevent reading
it otherwise. They're not keyed, so they're not crypto,
though they're cryptographically strong.
(I'll have to print the PostScript to read the reference :-)
- Encode the message with one of those algorithms
- split the message up into blocks of, say, 1KB
- add HMAC codes to each block, send along with chaff
- mix with other messages
It's an interesting approach, but it can only be used for long messages.
If the message is short, e.g. a 4KB email message, with 4KB chaff,
the Bad Guys can just try all combinations of blocks to find the
right ones. If they're sent in pairs, that's 2**4 tries.
If there are 64 blocks of wheat and 64 of chaff, 2**64 is
pretty hard, and mixing in more traffic makes it much harder.
Unlike the earlier chaff algorithm, which was appropriate for
continuous stream applications like speech, the efficient chaffing
inherently works only for messages with definite sizes known before
encoding, and it's harder to justify mixing blocks from different
messages together in that environment, though it still can be plausible.
Thanks!
Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
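
The steps listed in the message above, as an added Python sketch that is not part of the original post or of Rivest's paper: encode with an unkeyed all-or-nothing step, split into blocks, attach an HMAC to each block, pair each block with chaff, then winnow with the shared key. The 32-byte block size, the SHA-256 based all-or-nothing construction (a simplified stand-in, not Rivest's exact transform) and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

BLOCK = 32  # bytes per block (constructed; the message suggests about 1KB)

def _prf(seed, i):
    # SHA-256 as a stand-in mixing function (assumption, not Rivest's exact transform)
    return hashlib.sha256(seed + i.to_bytes(8, "big")).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def package(msg):
    """Unkeyed all-or-nothing encoding: every output block is needed to decode."""
    inner = secrets.token_bytes(BLOCK)          # random value, sent masked as the last block
    data = len(msg).to_bytes(8, "big") + msg
    data += b"\0" * (-len(data) % BLOCK)
    blocks = [_xor(data[o:o + BLOCK], _prf(inner, i))
              for i, o in enumerate(range(0, len(data), BLOCK))]
    last = inner
    for i, b in enumerate(blocks):              # mask it with a hash of every encoded block
        last = _xor(last, _prf(b, i))
    return blocks + [last]

def unpackage(blocks):
    inner = blocks[-1]
    for i, b in enumerate(blocks[:-1]):
        inner = _xor(inner, _prf(b, i))
    data = b"".join(_xor(b, _prf(inner, i)) for i, b in enumerate(blocks[:-1]))
    return data[8:8 + int.from_bytes(data[:8], "big")]

def tag(key, i, block):
    return hmac.new(key, i.to_bytes(8, "big") + block, hashlib.sha256).digest()

def add_chaff(blocks, key):
    """One wheat and one chaff packet per serial number, in random order."""
    packets = []
    for i, b in enumerate(blocks):
        pair = [(i, b, tag(key, i, b)),
                (i, secrets.token_bytes(BLOCK), secrets.token_bytes(32))]
        secrets.SystemRandom().shuffle(pair)
        packets.extend(pair)
    return packets

def winnow(packets, key):
    """Keep only packets whose HMAC verifies under the shared key."""
    wheat = {i: b for i, b, t in packets if hmac.compare_digest(t, tag(key, i, b))}
    return [wheat[i] for i in sorted(wheat)]

def keyless_candidates(packets):
    """Selections an observer without the key must try: one of two packets per serial."""
    return 2 ** len({i for i, _, _ in packets})
```

With a constructed 88-byte message this yields four serial numbers, so `keyless_candidates` returns 2**4, the short-message case the post describes; the count doubles with every additional block pair.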