[2311] in cryptography@c2.net mail archive


Re: Encryption without encryption - from Ron Rivest

daemon@ATHENA.MIT.EDU (Anonymous)
Mon Mar 23 11:58:38 1998

Date: Sun, 22 Mar 1998 20:25:08 +0100 (MET)
From: Anonymous <nobody@REPLAY.COM>
To: cypherpunks@cyberpass.net, cryptography@c2.net

Rivest's idea is a very clever attempt to circumvent the export
regulations.  It's not clear that it will succeed in this.

The idea is very simple (as many good ideas are, once someone has created
them!).  A MAC (message authentication code) is the secret-key equivalent
of a public key signature.  Both parties share a secret key, which is
hashed along with the message to produce the MAC.  The recipient checks
the MAC by hashing his copy of the secret key along with the message,
and comparing with the MAC value.  Only those possessing the secret
key can create a MAC.  Outsiders can't create them, so they can't forge
signed messages.

U.S. export regulations specifically allow software for creating and
verifying MACs, because MACs are used for authentication, not secrecy.

Rivest has discovered that they can easily be used for secrecy as well.
Simply intersperse real packets which have good MACs and fake packets
which have bad MACs.  Make the packets 1 bit of data long, and include
a serial number identifying the message bit being sent.  For each bit of
the message, send one packet with a data bit of 0 and one with a data bit
of 1 (both with the same serial number).  Make the MAC good in the packet
with the correct data bit, and put a random MAC in the other packet.

Eavesdroppers can't tell which packets have good MACs and which have
bad, so for each bit of the message they can't tell which one is real.
The message is perfectly hidden as long as outsiders can't verify MACs.
The result is secret communication "without encryption".

Individually, the pieces of this technology are exportable.  You can
send packets with MACs, you can ship software which creates and verifies
MACs, you can send junk packets, and your software can even reject and
ignore packets with bad MACs (must be noise, right?).

The problem is that once it is put together in a system like this, you
have a secret key crypto program.  Each side inputs a key, some data
is sent across, and only the recipient can receive the valid data.  The
fact that the individual pieces being sent were legal does not change
the fact that the system as a whole is not.

After all, any encryption program comes down at the lowest level to
sending bits across a wire.  There is no law against sending a 0, and no
law against sending a 1.  Can we conclude therefore that all encryption
programs are legal because that's all they do?  Unfortunately, no.
The law is smarter than that.  It looks at the purpose of the program,
how it is used, and what it accomplishes.

By that analysis, Rivest's technique is an encryption program,
irrespective of the specific technology used to achieve secrecy.  It is
unlikely to be exportable.
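
The scheme described in the message above, as an added example that is not part of the original post: the sender emits two packets per message bit, and a receiver holding the key discards the ones whose MAC fails. HMAC-SHA256, the 8-byte serial encoding and the names `packet_mac`, `chaff` and `winnow` are assumptions of this example, not details from Rivest's paper or the message.

```python
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

def packet_mac(key, serial, bit):
    # The MAC covers the serial number and the one-bit payload.
    data = serial.to_bytes(8, "big") + bytes([bit])
    return hmac.new(key, data, hashlib.sha256).digest()

def chaff(key, message):
    """Sender: two packets (serial, bit, mac) per message bit."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    packets = []
    for serial, bit in enumerate(bits):
        good = (serial, bit, packet_mac(key, serial, bit))
        fake = (serial, bit ^ 1, secrets.token_bytes(MAC_LEN))
        # Fixed order (bit 0 first) so packet position reveals nothing.
        packets.extend(sorted([good, fake], key=lambda p: p[1]))
    return packets

def winnow(key, packets):
    """Receiver: drop packets whose MAC fails, rebuild the message."""
    bits = {}
    for serial, bit, mac in packets:
        if hmac.compare_digest(mac, packet_mac(key, serial, bit)):
            bits[serial] = bit
    # Every serial seen must have one valid packet; a wrong key leaves none.
    seen = {serial for serial, _, _ in packets}
    if set(bits) != seen or seen != set(range(len(seen))) or len(seen) % 8:
        raise ValueError("missing or unverifiable bits")
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | bits[i + j]
        out.append(byte)
    return bytes(out)

if __name__ == "__main__":
    key = secrets.token_bytes(32)       # constructed shared secret
    wire = chaff(key, b"Hi")            # constructed sample message
    print(len(wire), "packets ->", winnow(key, wire))
```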
