[148799] in cryptography@c2.net mail archive
Re: [Cryptography] deniable symmetric ciphers?
daemon@ATHENA.MIT.EDU (Jon Callas)
Sat Dec 28 11:50:30 2013
X-Original-To: cryptography@metzdowd.com
From: Jon Callas <jon@callas.org>
In-Reply-To: <20131228041824.GA32378@BlackPatchPanel.com>
Date: Sat, 28 Dec 2013 08:48:49 -0800
To: Paul Elliott <pelliott@blackpatchpanel.com>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>,
Jon Callas <jon@callas.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Dec 27, 2013, at 8:18 PM, Paul Elliott <pelliott@blackpatchpanel.com> wr=
ote:
> * PGP Signed by an unknown key
> =
> =
> Call a symmetric ciphers deniable if it is computationaly
> difficult to distinguish it's output from random data
> even if it's plaintext is highly ordered or even known.
> =
> Are there any strong published deniable ciphers?
Under your definition, pretty much they all are. If ciphertext is distingui=
shable from random, then that's a flaw in the cipher. It may not be one wor=
th worrying about, but ideally, ciphertext should be indistinguishable from=
random.
Known plaintext happens all the time. For example, the known plaintext '<?x=
ml version=3D"1.0" encoding=3D"utf-8"?>' or '\n<!DOCTYPE HTML>\n<html lang=
=3D"' are very common. If a cipher leaks an that XML header is an XML heade=
r, then it's just not a very good cipher.
I have to ask why you'd call this property "deniable." There are lots of th=
ings that produce data indistinguishable from random, but most of them carr=
y metadata along with it. For example, compression functions ideally are in=
distinguishable from random, too, but they have metadata hints about that d=
ata. Compression functions *want* to be decoded.
If an adversary sees bare-ass nekkid "deniable" data, the first hypothesis =
about it is that it's ciphertext. A denial of that has to have a reasonable=
counter-hypothesis. If the na=EFve attacker just assumes that more-or-less=
random data is cipher text, they win against this model. Yes, they get fal=
se positives, too, but they may not care.
If you want to have a model of deniability, that model has to create or enc=
ourage counter-hypotheses. Those counter-hypotheses are more important than=
the raw output because it's hard to hide data that's indistinguishable fro=
m random.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: iso-8859-1
wj8DBQFSvwD4sTedWZOD3gYRAqDVAKDtpA5h0WnS5GACRhEQ1JedK1WB8gCfb7yJ
44TAY1Oifum2cfY3soSiwkY=3D
=3DVLDa
-----END PGP SIGNATURE-----
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
