[2675] in cryptography@c2.net mail archive


Re: Chaffing & winnowing without overhead

daemon@ATHENA.MIT.EDU (Bill Stewart)
Tue May 12 22:48:37 1998

Date: Tue, 12 May 1998 18:02:31 -0700
To: "Mordechai Ovits" <movits@syndata.com>,
        "Jesús Cea Avión" <jcea@argo.es>
From: Bill Stewart <bill.stewart@pobox.com>
Cc: coderpunks@toad.com, cypherpunks@toad.com, cryptography@c2.net,
        hacking@argo.es, cripto-foro@fi.upm.es
In-Reply-To: <35574C41.816CA545@syndata.com>

By the way, instead of transmitting the first bit for which
MAC(sequence,0) differs from MAC(sequence,1), as Jesús suggests,
you can get the same effect by transmitting a 0 or 1 depending on
    MAC(sequence,0) < MAC(sequence,1)
(This assumes a big-endian system and unsigned comparisons;
little-endians will have to calculate it the hard way.)
If you're willing to be wrong 1 time out of 2**33,
you can just use the top 32 bits.

Earlier in this discussion:
>> In the Rivest's paper you transmit, indeed, all the 2^n plaintexts for a
>> n bit length };-).
>Not so. In his paper (before the package transform stuff), he had the following expansion.
>Assuming a 32 bit serial number and a 160 bit MAC, n bits would expand to 388n.
>>To make this clearer with an example, note that the adversary
>>will see triples of the form:
>>        (1,0,351216)
>>        (1,1,895634)
>>        (2,0,452412)
>>        (2,1,534981)

But that _does_ send the 2^n plaintexts, which are 0 and 1, and n=1.
				Thanks!
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
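
Added example, not part of the original message: a Python sketch of the one-bit-per-sequence-number encoding discussed above, showing that the single comparison MAC(sequence,0) < MAC(sequence,1) yields the same wire bit as the "first differing bit" rule, and that the top 32 bits suffice. The use of HMAC-SHA256, the serial-number encoding, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

def mac(key: bytes, seq: int, bit: int) -> bytes:
    # Assumed encoding: 32-bit big-endian serial number, then one byte holding the bit.
    msg = seq.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()

def encode_first_diff(key: bytes, seq: int, bit: int) -> int:
    """Wire bit = bit of MAC(seq, bit) at the first position where it differs from MAC(seq, 1-bit)."""
    real = int.from_bytes(mac(key, seq, bit), "big")
    other = int.from_bytes(mac(key, seq, 1 - bit), "big")
    diff = real ^ other
    if diff == 0:
        raise ValueError("MACs are identical; no differing bit")
    pos = diff.bit_length() - 1      # most significant differing bit
    return (real >> pos) & 1

def encode_compare(key: bytes, seq: int, bit: int, top_bytes=None) -> int:
    """Same wire bit from one comparison; top_bytes=4 uses only the top 32 bits."""
    m0 = mac(key, seq, 0)[:top_bytes]
    m1 = mac(key, seq, 1)[:top_bytes]
    # Equal-length bytes compare lexicographically, i.e. as big-endian unsigned integers.
    # If MAC0 < MAC1 the first differing bit of MAC(seq, b) equals b, otherwise it is 1 - b.
    return bit if m0 < m1 else bit ^ 1

# Decoding is the same operation: the receiver recomputes both MACs and undoes the flip.
decode_compare = encode_compare

def send(key: bytes, bits, top_bytes=None):
    return [encode_compare(key, seq, b, top_bytes) for seq, b in enumerate(bits, start=1)]

def receive(key: bytes, wire, top_bytes=None):
    return [decode_compare(key, seq, w, top_bytes) for seq, w in enumerate(wire, start=1)]

if __name__ == "__main__":
    key = b"constructed demo key"            # constructed sample key
    plaintext = [1, 0, 1, 1, 0, 0, 1, 0]     # constructed sample message bits
    wire = send(key, plaintext, top_bytes=4)
    print(wire, receive(key, wire, top_bytes=4) == plaintext)
```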
