[Cryptography] deniable symmetric ciphers?

Jon Callas jon at callas.org
Sat Dec 28 14:13:39 EST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Dec 28, 2013, at 9:53 AM, ianG <iang at iang.org> wrote:

> Leaving aside the rather delicious trap of deniability in cryptography... this part here:
> 
> 
> On 28/12/13 19:48 PM, Jon Callas wrote:
> 
>>  it's hard to hide data that's indistinguishable from random.
> 
> 
> On the other hand, if we all hide all our data as indistinguishable from random, it becomes easier.

Maybe.

The output of a fixed key and ECB mode is indistinguishable from random (from an information theory point of view), but bad security engineering. Mistakes in IV, nonces, etc. are all still indistinguishable from random, even though they are massive security flaws that in many cases can even let a passive adversary distinguish *traffic*.

Even successes in this area have side effects. If everything's truly indistinguishable from random, then it's also impossible to distinguish a signal from noise (without credentials, of course). This includes spam from legit messages, DDoS packets from wanted ones, and so on. There are many legit scenarios where this cure could be considered worse than the disease.

There's also the underlying issue that there's no such thing as "security" as an abstract quality. There's protection against a class of adversaries under a class of conditions. If I'm willing to accept a vulnerability as a consequence of a type of protection, I win. For example, it's unlikely someone will DDoS me, but I know that nation states passively want my traffic. If that's not true, then I'm playing tradeoffs, and my tradeoffs might not be someone else's. Worst of all is a case where the same adversary will adaptively attack based on my observed defenses.

And of course, we're assuming that it's *possible* for all of us to hide all our data as indistinguishable from random.

But yes, the basic principle you're citing is the Tor motto -- anonymity loves company. It's true, it's just not so true that it's an overriding principle as opposed to a good rule of thumb.

	Jon



-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: iso-8859-1

wj8DBQFSvyLssTedWZOD3gYRAvBUAKDcb79oQNMJrBVF3ut/8xdkTR+sggCfdDGS
KyuF0MRapG+posNM/iWtKbM=
=Lwfl
-----END PGP SIGNATURE-----
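
The point above about IV and nonce mistakes, as an added example that is not part of the original post: two messages encrypted under a reused nonce each look random by a byte-entropy measure, yet a passive observer comparing them sees the shared header and the keystream cancel. The SHA-256 counter keystream is an assumed stand-in for a real stream cipher or CTR mode, and the key, nonces and messages are constructed for illustration.

```python
import hashlib, math
from collections import Counter

BLOCK = 16

def keystream(key, nonce, n):
    # SHA-256 in counter mode: assumed stand-in for a real stream cipher / CTR mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, nonce, msg):
    return xor(msg, keystream(key, nonce, len(msg)))

def byte_entropy(data):
    # Shannon entropy in bits per byte; 8.0 is the maximum.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def shared_prefix_blocks(c1, c2):
    # Leading 16-byte blocks on which two ciphertexts agree byte for byte.
    count = 0
    for i in range(0, min(len(c1), len(c2)) - BLOCK + 1, BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        count += 1
    return count

def demo():
    key = bytes(range(32))                         # constructed key
    header = b"POST /upload HTTP/1.1".ljust(32)    # constructed header, exactly 2 blocks
    p1 = header + (b"alice approves the transfer. " * 300)[:8160]
    p2 = header + (b"bob declines the transfer. " * 320)[:8160]
    fixed = b"\x00" * 12                           # the mistake: one nonce for every message
    r1, r2 = encrypt(key, fixed, p1), encrypt(key, fixed, p2)
    f1, f2 = encrypt(key, b"\x01" * 12, p1), encrypt(key, b"\x02" * 12, p2)
    return {
        "entropy_reused": min(byte_entropy(r1), byte_entropy(r2)),
        "entropy_plain": byte_entropy(p1),
        "prefix_reused": shared_prefix_blocks(r1, r2),   # header visible as equal blocks
        "prefix_fresh": shared_prefix_blocks(f1, f2),    # nothing lines up
        "xor_leaks_reused": xor(r1, r2) == xor(p1, p2),  # keystream cancels out
        "xor_leaks_fresh": xor(f1, f2) == xor(p1, p2),
    }
```

A per-message randomness test passes in both cases; only the cross-message comparison separates the flawed configuration from the sound one.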

