Public Anonymity (Re: FIPR Release 16/10/2001: EMERGENCY POWERS ALLOW MASS-SURVEILLANCE FOR NON-TERRORIST INVESTIGATIONS
Dave Bird
dave at xemu.demon.co.uk
Sat, 20 Oct 2001 17:29:59 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In article <3BD17837.5020603@skygate.co.uk>, Pete Chown
<Pete.Chown@skygate.co.uk> writes
>George Danezis wrote:
>
>> Richard Clayton and I have done some work along the Chaffing and Winnowing
>> lines ...
>
>
>I had a thought which might defeat key escrow in a similar way, depending on how
>the legislation is drafted.
>
>Suppose Alice and Bob want to communicate. They agree a large number of keys,
>say 128, and escrow them. Then when they want to communicate, they choose a
>128-bit random number in a secure manner. Each block of plaintext is encrypted
>repeatedly, using a subset of the escrowed keys. An escrowed key is used for
>encryption if the corresponding random bit is 1.
>
>An attacker has access to all the keys which were used for encryption, but still
>can't decrypt without help. (This is unless I've missed an obvious attack on
>this scheme.)

In this way the escrowed keys have been used as the means of the
fully secure encryption. All they have to do is exchange, by
secure meeting, a 128 bit number as the real "key" to it (they can
destroy plain-text and real "keys" afterwards for complete
deniability).

In that case why don't they just use it as a symmetric cipher key?
After all, you have just removed the edge given by asymmetric
public key cryptography: Alice cannot openly tell Bob a public
way to encrypt to her, in a way which only Alice can privately
decrypt. Therefore you have reintroduced the key distribution
problem: everybody has to have keys got to them by secure means.

Now it is possible to make a DSS (Digital Signature System?)
signing-only key, by some mathematical and programming work,
into something usable for DH (Diffie-Hellman, aka El Gamal)
encryption. But if such a program is in wide circulation,
the courts will refuse to believe that DSS keys are exempt
as for signature only.

You could also use it for chaffing and winnowing like this.
Groups are like "Af1047adf1" which means the letter is A,
#?''''""""
the number 0xf1 xored with its original sequence number in
the plaintext tells you what skip to make within -127 to +128,
0x1047adf1 is the first 32 bits of digital signature of that
letter and its original sequence number in the plaintext,
mix with 90% groups of random signature. Certain rare possibilities
would not decrypt correctly so decrypt back and check, re-do the
bogus group producing error from there on if need be.
1KByte of final text sends 10 characters, 40KB sends 400 characters.
Hey presto: clumsy, but it's chaffing and winnowing.

In article <aKoV0NSfFY07EAm+@turnpike.com>, Richard Clayton
<richard@highwayman.com> writes
>I think the judge may take the view that the random number (which must
>be shared between Alice and Bob) is also a key and will enquire as to
>why it is not escrowed with the others.

Exactly.
- --
^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/
(..)__u news:alt.smoking.mooses
happy as a clam at high tide -. <_" .-._.-.
-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1
iQA/AwUBO9Gmh38v/Y5zkfRPEQKJwwCfRd8W3s2wIO3pdzSrB9Nye1ZwFmgAoPTp
Bd23DXy+duHUAZK0m+K0MUGS
=Cnvn
-----END PGP SIGNATURE-----
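
Added example, not part of the original message or thread: a sketch of the subset-cascade scheme quoted above, showing the point made in the replies that the 128-bit selector behaves as an unescrowed key. The HMAC-based Feistel permutation is a stand-in for a real block cipher, and all function names and the sample block are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 32   # bytes per block, split into two 16-byte Feistel halves
ROUNDS = 4


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 under the escrowed key, truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    # Toy 4-round Feistel permutation (assumption: stands in for a real block cipher).
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in (range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)):
        if decrypt:
            left, right = _xor(right, _round(key, rnd, left)), left
        else:
            left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def cascade(keys, selector: int, block: bytes, decrypt: bool = False) -> bytes:
    # Key i is applied only if bit i of the selector is 1; decryption undoes
    # the same subset in reverse order.
    chosen = [k for i, k in enumerate(keys) if (selector >> i) & 1]
    for key in (reversed(chosen) if decrypt else chosen):
        block = feistel(key, block, decrypt)
    return block


def demo():
    keys = [secrets.token_bytes(16) for _ in range(128)]  # every key is escrowed
    selector = secrets.randbits(128)                       # shared secretly, not escrowed
    plaintext = b"constructed sample block".ljust(BLOCK, b".")
    ciphertext = cascade(keys, selector, plaintext)
    with_selector = cascade(keys, selector, ciphertext, decrypt=True)
    # A holder of all 128 keys who lacks the selector, guessing "all keys used":
    without_selector = cascade(keys, (1 << 128) - 1, ciphertext, decrypt=True)
    return plaintext, with_selector, without_selector


if __name__ == "__main__":
    pt, ok, bad = demo()
    print("with selector:", ok == pt, "| all escrowed keys only:", bad == pt)
```

Holding every escrowed key is not enough to decrypt; the selector carries the full 128 bits of secrecy and must itself be delivered by secure means.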