convergent encryption reconsidered

Ludovic Courtès ludo at gnu.org
Mon Mar 31 04:12:08 EDT 2008


Hi,

Sorry for arriving late into this thread...

zooko <zooko at zooko.com> writes:

>    The Learn-Partial-Information Attack
>
>     They extended the confirmation-of-a-file attack into the
>     learn-partial-information attack. In this new attack, the
>     attacker learns some information from the file. This is done by
>     trying possible values for unknown parts of a file and then
>     checking whether the result matches the observed ciphertext.
>     For example, if you store a document such as a form letter from
>     your bank, which contains a few pages of boilerplate legal text
>     plus a few important parts, such as your bank account number
>     and password, then an attacker who knows the boilerplate might
>     be able to learn your account number and password.

I don't see how this would work.  It's different from a dictionary
attack because it looks for partial matches, as opposed to exact
matches.

Suppose you have one (sensitive) file that contains
"<boilerplate><secret>" and another that contains
"<boilerplate><placeholder>".  They have different hashes, hence
different ciphertexts through convergent encryption.  How would one get
access to the plaintext of the former when knowing only the latter?

Now, let's assume that said files were split into two "blocks" before
being convergent-encrypted, namely "<boilerplate>" and "<secret>" for
the former, and "<boilerplate>" and "<placeholder>" for the latter.  The
"confirmation-of-a-file" (or rather "confirmation-of-a-block") attack
does work, but it does not reveal anything about the secret.


I'm not sure about Tahoe, but the scheme I had in mind in my thesis was
to allow anyone to choose whatever encoding is used [0].  This means
that one could choose the algorithm used to split input files into
blocks, whether to compress the input file or individual blocks, what
compression algorithm to use, what hash and cipher algorithm to use,
etc.  With that level of freedom, these two attacks are a lesser threat
(one might argue that, in practice, many people would use the default
settings, which would make them potential victims and attackers of each
other...).

Thanks,
Ludovic.

[0] http://www.fdn.fr/~lcourtes/phd/phd-thesis.pdf, e.g., Section 4.3.
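The guess-and-compare step in the quoted learn-partial-information attack, and the defensive variant that mixes a per-user secret into the key derivation, as an added toy example (not code from the thread, from Tahoe, or from the thesis cited above): the bank-letter text, the 4-digit PIN and the HMAC-based keystream are all constructed stand-ins.

```python
import hashlib
import hmac
from itertools import product

def convergent_key(plaintext: bytes, convergence_secret: bytes = b"") -> bytes:
    """Key derived from the plaintext itself. An empty convergence_secret is
    plain convergent encryption; a per-user secret gives the salted variant,
    which only someone holding that secret can reproduce."""
    return hashlib.sha256(convergence_secret + plaintext).digest()

def keystream(key: bytes, length: int) -> bytes:
    # Toy deterministic keystream (HMAC in counter mode), a stand-in for a
    # real cipher; what matters is that it is fully determined by the key.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def convergent_encrypt(plaintext: bytes, convergence_secret: bytes = b"") -> bytes:
    key = convergent_key(plaintext, convergence_secret)
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))

# Constructed sample: a known form-letter prefix followed by a low-entropy field.
BOILERPLATE = b"Dear customer, your account PIN is "

def learn_partial_information(ciphertext: bytes, known_prefix: bytes,
                              digits: int = 4, convergence_secret: bytes = b""):
    """Enumerate every candidate for the unknown field and re-encrypt
    known_prefix + candidate; a match with the observed ciphertext reveals
    the field. Returns None when no candidate matches (e.g. the ciphertext
    was produced with a convergence secret the caller does not hold)."""
    for guess in product(b"0123456789", repeat=digits):
        candidate = known_prefix + bytes(guess)
        if convergent_encrypt(candidate, convergence_secret) == ciphertext:
            return bytes(guess)
    return None
```

The search space here is only 10^4 candidates, which is the point: convergent encryption offers no more protection to a field than the entropy of that field, unless a secret the attacker lacks enters the key derivation.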

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com