[2330] in cryptography@c2.net mail archive


RE: Rivest's Chaffing and Winnowing

daemon@ATHENA.MIT.EDU (Dukhovni, Viktor)
Mon Mar 23 17:07:49 1998

From: "Dukhovni, Viktor" <Viktor-Dukhovni@deshaw.com>
To: cryptography@c2.net
Date: Mon, 23 Mar 1998 12:36:48 -0500

> -----Original Message-----
> From:	John Young [SMTP:jya@pipeline.com]
> Sent:	Sunday, March 22, 1998 9:59 AM
> To:	cryptography@c2.net
> Subject:	Rivest's Chaffing and Winnowing
> 
> 
>    "Winnowing does not employ encryption, and so does not have
>    a 'decryption key,' " Mr. Rivest wrote in his paper. "As
>    usual, the policy debate about regulating technology ends
>    up being obsoleted by technological innovations."
> 
	It seems that (at least as described) the system does not support
reuse of the secret (authentication) key, since (for a fixed key) the MAC
depends only on the value and position of a single bit in the data stream.
After a small number of messages one would discern the correct MAC for both
the 0 and the 1 values at each bit offset.

	Since real encryption would be required to support per-message key
management, one should perturb the keyed MAC for each message sent to
prevent this problem.  Adding a non-recurring IV to the secret key may be an
adequate solution.

	Does anyone know the details of Shamir's compression scheme?

	-- 
		Viktor.
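
The following Python is an added illustration of the key-reuse observation in the message above; it is not code from the post, from Rivest's paper, or from any implementation. It models the stream as one bit per packet, with the genuine MAC taken as HMAC-SHA256 over (position, bit) under a fixed key and chaff carrying a random 32-byte tag; those choices, the name "recurrence attack" for the eavesdropper's table-building, and the rendering of the suggested fix as keying HMAC with key||IV are all assumptions of this example. With a fixed key the genuine tag for each (position, bit) recurs across messages while chaff tags never do, so an eavesdropper who sees a few messages learns the correct tag for both bit values at every offset and can then read every message. Mixing a fresh IV into the key per message removes the recurrence and the attack returns nothing, while the intended receiver still winnows correctly.

```python
import hmac
import hashlib
import random
import secrets
from collections import Counter

# Toy chaffing-and-winnowing with one bit per packet (assumption of this example).
# A packet is (position, bit, tag).  Only the sender and receiver hold `key`.


def genuine_tag(key, pos, bit, iv=b""):
    # Fixed key: the tag depends only on position and bit value, which is the
    # property discussed above.  A non-empty IV perturbs the key per message
    # (one reading of the suggested fix; an assumption, not Rivest's scheme).
    return hmac.new(key + iv, pos.to_bytes(4, "big") + bytes([bit]),
                    hashlib.sha256).digest()


def chaff(key, bits, iv=b""):
    """Sender: for each position emit the wheat packet and one chaff packet
    carrying the opposite bit with a random tag, in random order."""
    packets = []
    for pos, bit in enumerate(bits):
        wheat = (pos, bit, genuine_tag(key, pos, bit, iv))
        noise = (pos, 1 - bit, secrets.token_bytes(32))
        pair = [wheat, noise]
        random.shuffle(pair)
        packets.append(pair)
    return packets


def winnow(key, packets, iv=b""):
    """Receiver: keep, at each position, the packet whose tag verifies."""
    out = []
    for pair in packets:
        for pos, bit, tag in pair:
            if hmac.compare_digest(tag, genuine_tag(key, pos, bit, iv)):
                out.append(bit)
                break
    return out


def recurrence_attack(messages):
    """Eavesdropper with no key.  A (pos, bit, tag) triple seen in more than
    one message must be genuine (chaff tags are random), so the table of
    recurring triples gives the correct tag for both bit values at each
    offset; every message is then read off that table.  Positions whose
    genuine tag has not yet recurred come back as None."""
    seen = Counter()
    for packets in messages:
        for pair in packets:
            for pos, bit, tag in pair:
                seen[(pos, bit, tag)] += 1
    genuine = {(pos, bit): tag for (pos, bit, tag), n in seen.items() if n > 1}
    recovered = []
    for packets in messages:
        bits = []
        for pair in packets:
            guess = None
            for pos, bit, tag in pair:
                if genuine.get((pos, bit)) == tag:
                    guess = bit
            bits.append(guess)
        recovered.append(bits)
    return recovered


def run(plaintexts, use_iv):
    """Send each plaintext under one key, with or without a fresh per-message
    IV (sent in the clear alongside the packets).  Returns what the legitimate
    receiver decodes and what the eavesdropper recovers."""
    key = secrets.token_bytes(32)
    messages = []
    for bits in plaintexts:
        iv = secrets.token_bytes(16) if use_iv else b""
        messages.append((iv, chaff(key, bits, iv)))
    decoded = [winnow(key, packets, iv) for iv, packets in messages]
    recovered = recurrence_attack([packets for _, packets in messages])
    return decoded, recovered


if __name__ == "__main__":
    # Constructed sample traffic: two bit strings and their complements, so
    # every (position, bit) pair is sent twice under the same key.
    sample = [[0, 1, 1, 0, 1, 0, 0, 1], [1, 0, 0, 1, 0, 1, 1, 0]] * 2
    decoded, leaked = run(sample, use_iv=False)
    print("fixed key   : receiver", decoded == sample, "eavesdropper", leaked == sample)
    decoded, leaked = run(sample, use_iv=True)
    print("per-msg IV  : receiver", decoded == sample,
          "eavesdropper", all(b is None for m in leaked for b in m))
```

With the fixed key the eavesdropper's output equals the plaintexts after only four messages, since each (position, bit) has then recurred once; with the per-message IV the recurrence table stays empty and nothing is recovered, while the receiver, who sees the IV, still winnows every bit.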
