11 May 1998
Date: Mon, 11 May 1998 15:02:59 +0000
From: "Jesús Cea Avión" <jcea@argo.es>
To: cypherpunks@toad.com, cryptography@c2.net,
hacking@argo.es, teleco-vigo@argo.es, cert-es@listserv.rediris.es
Subject: Chaffing & winnowing without overhead
You can have chaffing & winnowing without bandwidth overhead, but the
resulting scheme hasn't the original "elegance" anymore. In particular,
you don't send the plaintext in the clear.
The new schema is useful to cypher a document using any standard
signature library, exportable by definition. Very nice :), since you can
use, at last, strong crypto :).
a) When the connection starts, negotiate an initial sequence number.
The sequence number mustn't be reused. We assume an ordered delivery,
like TCP.
b) Calculate the signature for:
[sequence]0 -> MAC0
and
[sequence]1 -> MAC1
c) Compare both MACs and locate the first "different" bit,
from high to low bit or vice versa.
d) Send that bit from MAC0 if you want to send a "0" or from
MAC1 if you want to send a "1".
--
Jesus Cea Avion _/_/ _/_/_/ _/_/_/
jcea@argo.es http://www.argo.es/~jcea/ _/_/ _/_/ _/_/ _/_/ _/_/
_/_/ _/_/ _/_/_/_/_/
PGP Key Available at KeyServ _/_/ _/_/ _/_/ _/_/ _/_/
"Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/
"My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibnitz
Date: Mon, 11 May 1998 12:04:36 -0400
From: "Mordechai Ovits" <movits@syndata.com>
To: "Jesús Cea Avión" <jcea@argo.es>
CC: coderpunks@toad.com, cypherpunks@toad.com, cryptography@c2.net,
hacking@argo.es, teleco-vigo@argo.es, cert-es@listserv.rediris.es
Subject: Re: Chaffing & winnowing without overhead
Jesús Cea Avión wrote:
[Snip]
On the contrary, it has an elegance all its own :-).
Since this idea has gone through several iterations, starting from Ron's original paper, I wanted to
summarize in one place Jesus Cea Avion's idea. All credit for the following technique goes to him.
Alice does this:
Mreal = MAC(serial number, message bit, key)
Mfake = MAC(serial number, complement of message bit, key)
In English: She MACs both the bit she means, and then MACs the bit she does NOT mean. She then compares
the two MACs to find the first different bit. Then she sends to Bob the bit from Mreal in the position of
difference.
When Bob gets the bit, he does this:
Ma = MAC(serial number, 0, key)
Mb = MAC(serial number, 1, key)
He then compares Ma to Mb and finds the first difference. The bit in the position of difference is the one
that was sent to him by Alice. He then knows whether Ma or Mb is correct. If Ma is the correct one then
the plaintext bit is 0, if Mb is the correct one then the plaintext bit is 1.
Remember that there is no need to send the serial number, but you MUST use it in the MAC. If you are using
a reliable protocol like TCP, or storing it in a file, the serial number is implied by the order it was
received/stored.
However clever this technique is (and it *is* clever), it defeats the original purpose of Ron's idea. The
original reason Ron created chaffing and winnowing was to show that encryption laws are useless. He
demonstrated that you can use authentication technologies to create privacy. Even more, even if the
government demands that the plaintext be in the open, his original paper was set up to pass even that
egregious requirement. Think of what the government would see with this latest chaffing and winnowing.
Two people are sending a bitstream that is unreadable without a secret key. No plaintext is visible. In
fact, it bears very little resemblance to the name "chaffing and winnowing." It would not matter to them
whether you were using DES, IDEA, or C&W. If it looks like a duck, walks like a duck, and quacks like a
duck...
Another point of Ron's paper was that any technique the government tried to impose on C&W would create
unacceptable problems. I don't think these problems would exist in this version of C&W. Anyone know
better?
--
o Mordy Ovits
o Programmer / Cryptographer
o SynData Technologies Inc.
o Download A Free Copy Of Our Software At:
o http://www.syncrypt.com
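
Added example, not part of either message: a Python sketch of the one-wire-bit-per-plaintext-bit scheme both posts describe. HMAC-SHA256 as the MAC, the input encoding (8-byte serial plus one byte for the bit) and all function names are assumptions made here. Since MAC0 and MAC1 are complementary at the first position where they differ, the wire bit equals the plaintext bit XOR MAC0's bit at that position.

```python
import hashlib
import hmac


def mac(key: bytes, serial: int, bit: int) -> bytes:
    # Assumed encoding (not specified in the thread): 8-byte big-endian
    # serial number followed by one byte holding the candidate bit.
    msg = serial.to_bytes(8, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac0_bit_at_first_difference(key: bytes, serial: int) -> int:
    """Bit of MAC0 at the first position (high to low) where MAC0 != MAC1."""
    m0 = int.from_bytes(mac(key, serial, 0), "big")
    m1 = int.from_bytes(mac(key, serial, 1), "big")
    diff = m0 ^ m1
    if diff == 0:
        raise ValueError("MAC0 == MAC1: no differing bit for this serial")
    # bit_length() - 1 is the index of the highest bit set in the XOR.
    return (m0 >> (diff.bit_length() - 1)) & 1


def send(key: bytes, first_serial: int, plaintext_bits: list) -> list:
    """Alice: one wire bit per plaintext bit; the serial is implied by order."""
    wire = []
    for i, bit in enumerate(plaintext_bits):
        k = mac0_bit_at_first_difference(key, first_serial + i)
        # MAC1's bit at that position is the complement of MAC0's bit.
        wire.append(k if bit == 0 else k ^ 1)
    return wire


def receive(key: bytes, first_serial: int, wire_bits: list) -> list:
    """Bob: recompute both MACs and see which one the received bit matches."""
    plain = []
    for i, w in enumerate(wire_bits):
        k = mac0_bit_at_first_difference(key, first_serial + i)
        plain.append(0 if w == k else 1)
    return plain


if __name__ == "__main__":
    key = b"constructed demo key"            # constructed sample key
    bits = [int(c) for c in "0100100001101001"]  # constructed sample message
    wire = send(key, 1000, bits)
    print("wire:     ", wire)
    print("recovered:", receive(key, 1000, wire))
```

Reusing a serial number under the same key repeats the same MAC-derived bit, so two wire bits sent with one serial differ exactly when their plaintext bits differ.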