bram (bram@gawth.com)
Wed, 3 Feb 1999 12:33:01 -0800 (PST)
On Wed, 3 Feb 1999, Jim Gillogly wrote:
> > I have the problem to optimize the volume of chaff without loosing
> > security. Has anyone thought about it?
>
> Yes. Take an N-bit message and use an all-or-nothing transform on it
> (another Rivest invention -- see his web site). This transform is
> unkeyed, and therefore in itself is not crypto-controlled. Send N-k
> bits of this as a normal message. The remaining k bits are sent in
> individually authenticated chaff/data pairs of 1-bit messages. In the
> limit for large messages this gives virtually no bandwidth overhead and
> provides 2^k protection (OK, it has a constant overhead of k * (1 +
> hash-size + packet-overhead) independent of length).
For any real-world implementation I think it's highly advisable to not be
explicit about the exact algorithm which is used to send the chaff, but
rather to simply add it in random places, preferably even by third
parties. If a connection has an intermediary in the middle, that
intermediary can add the chaff without the originator even knowing. The
lack of absolute certainty of security when no specific algorithm is used
by the sender isn't all that big a deal in many contexts - any security is
better than no security.
Putting messages through an all-or-nothing transform is actually worthwile
in and of itself, since it makes eavesdropping trickier on a technical
level, since it makes any individual packet by itself worthless.
> Whether the crypto police will find this a convincing circumvention will
> depend on the quality of your lawyer and the technical sophistication of
> the court.
That, I think, is the real problem - if something has an obvious
'crypto-shaped hole' in it, the law might not much care about whatever
thought experiments you come up with.
-Bram
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:25