[Cryptography] Information. it's the real thing

John Denker jsd at av8n.com
Mon Feb 23 09:30:08 EST 2015


It is always important to think about the /information/ 
carried by our messages.  This includes the information
available to the intended recipient, as well as the info
available to the adversaries.  This is relevant to what 
John Young wrote on 02/16/2015 10:34 AM:
> "The very encryption used to secure transports is used to hide data 
> exfiltration."
... and relevant to a lot of other recent discussions,
and to crypto and security in general.

Information.  It's the real thing.

Regrettably, in dozens upon dozens of messages recently,
people have tossed around phrases like "indistinguishable
from random" (I-F-R).

Although I-F-R is "close" to the right idea, it is not
exactly the criterion we should be using.  To my astonishment, 
on 01/21/2015 09:17 PM, Jerry Leichter contradicted me on 
this point:

>> the first thing you need to get anywhere in formalization is precise
>> definitions.

>> A common strong definition of semantic security says [....]

The nice thing about formal definitions is that there
are so many to choose from.  Anyone is free to define 
terms however they like, but the result is a choice,
not a law of nature.  There is no guarantee that the 
results will apply to the real world.  Cryptology lives 
within the intersection of fancy math *and* down-to-earth 
engineering.  You need both.

I choose to formalize many things in terms of information.
Often it is appropriate to exclude information that would
be computationally infeasible to obtain.

I do not choose the I-F-R criterion, because it is not 
viable in the real world, and I can prove it.  An example 
suffices to make the point:

  _Message Length_ is one of the many things that can be
  used as a covert channel.  It has been used this way 
  for a long time.  It has been used by both teams, i.e.
  when the sender wants it to be used that way (for
  exfiltration) and when the sender doesn't (but the 
  opponent uses it anyway).

So .... does anybody really think that the message length
needs to be indistinguishable from random?  If so, we are
in big trouble, because message length could be anything
from zero on up, and there does not exist any uniform
random distribution on such a range.  The formal laws of 
probability forbid it.  This is an example of what formality 
can do for you.  Sometimes it tells you that your formalism
is broken.

In the real world, people sometimes do send traffic that
resists traffic analysis.  One option is to send a lot 
of messages, all with the same length.  Consider for 
example ATM cells.  Many trillions of them are sent, all 
with the same size.  You will not have much luck traffic-
analyzing those lengths!  Arguably the first one told 
you something, namely the length, but it didn't tell you 
anything you didn't already know, given that it was an
ATM cell to begin with.  Even if you didn't know a_priori
that it was an ATM cell, after a while the leakage (on a 
per-message basis) goes asymptotically to zero anyway.  
As long as the traffic is indistinguishable from business-
as-usual, then nobody gains any information from it.

There is an extensive literature on this, including
contributions from guys like Shannon, Kullback, and
Leibler, who were not exactly clueless about crypto.
If you think your formal methods are better than theirs, 
that's an extraordinary claim, and will require some
extraordinary proof.  My suggestion: if you want to 
formalize something, in all likelihood your time would
be well spent formulating it in terms of information 
gain and things like that, rather than some notion of
"indistinguishable from random" ... which is no more 
formal, and a lot less viable in the real world.

------------

Speaking of cover traffic:  If you look at the header
of this message, you will probably find a field called
"Quilt" which contains 64 symbols that could convey
6 bits apiece, for a total of 384 bits.  All of my 
outgoing mail has had such a header for a while now.
Maybe it's just random cover traffic ... or maybe it 
is a cleverly-encoded message.  By sending such fields,
I create a forest.  That's a good place to hide a tree,
if I ever need to.

If you are wondering about the name: There is such a
thing as a crazy quilt, in contrast to a patterned 
quilt:
  http://dictionary.reference.com/browse/crazy+quilt
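
The fixed-length argument above can be put in numbers. The following is an added example, not part of the original message: it estimates the mutual information between a secret traffic class and the observed message length, for raw lengths, lengths rounded up to a block, and a single fixed length. The sample traffic, the class names, and the `CELL` and `FIXED` sizes are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample: (secret traffic class, plaintext length in bytes).
SAMPLES = [("quiet", n) for n in (10, 20, 30, 40)] + \
          [("busy", n) for n in (30, 40, 50, 60)]
CELL = 48    # assumed block size (payload bytes of one ATM cell)
FIXED = 96   # assumed single fixed message size, >= longest sample

def mutual_information(pairs):
    """I(secret; observed length) in bits, estimated from samples."""
    n = len(pairs)
    joint = Counter(pairs)
    p_s = Counter(s for s, _ in pairs)
    p_l = Counter(l for _, l in pairs)
    return sum((c / n) * math.log2(c * n / (p_s[s] * p_l[l]))
               for (s, l), c in joint.items())

def pad_to_block(length, block=CELL):
    """Round up to a whole number of blocks (at least one)."""
    return max(1, math.ceil(length / block)) * block

def pad_to_fixed(length, size=FIXED):
    """Every message goes out at exactly `size` bytes."""
    if length > size:
        raise ValueError("message must be split before padding")
    return size

def leakage(samples=SAMPLES):
    """Bits an eavesdropper learns about the class from one length."""
    observe = {"raw": lambda n: n, "block": pad_to_block, "fixed": pad_to_fixed}
    return {name: mutual_information([(s, f(n)) for s, n in samples])
            for name, f in observe.items()}

if __name__ == "__main__":
    for name, bits in leakage().items():
        print(f"{name:>5}: {bits:.4f} bits per message")
```

Block padding reduces the leak but does not remove it, because the number of blocks still varies with the class; only the fixed size drives the information gain to zero.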

