[Cryptography] quantum computers & crypto

Ray Dillinger bear at sonic.net
Mon Nov 8 19:22:50 EST 2021



On 11/7/21 12:34 PM, Peter Gutmann wrote:
>
> That doesn't work either, there's an accompanying string of papers showing
> that all of the obvious traffic-hiding/morphing techniques don't really work.
>
> In a nutshell, defence against traffic analysis is really, really hard.  More
> generally, the more interactive your traffic is - in the case of the CRIME
> attack I referenced the victim's browser is under the control of the attacker
> and does the attacker's bidding - the easier it is for at least some of your
> crypto guarantees to be bypassed.
>

The solution to this is to layer your traffic into an existing encrypted
application which is always going on at "a dull roar" twenty-four hours
and seven days a week. 

So you get on bittorrent, host a big stock of high bandwidth things like
research datasets, CGI animation sequences, preserved Internet archives,
etc, then go out looking for similarly high-bandwidth things to
download, and once bittorrent bandwidth is going at a dull roar you can
start trading encrypted packets.

Bittorrent is UDP, and does its own error checking (signature checks on
the segments).  When something they've received doesn't match,
bittorrent clients assume there was a transmission error, throw it on
the floor, and send another request for that segment.  What's visible
from the outside is an encrypted packet.  It's not visible from the
outside when a packet fails a signature check.  All anyone can see on
the line is that you requested and received 231 segments while
downloading a 220-segment object - and if you're sending and receiving
dozens of other objects at the same time, it's going to be a challenge
to even associate which requests correspond to which object.

Your encrypted messages then are simply bittorrent packets that fail the
signature check.  Message padding accomplished and traffic analysis made
at least reasonably difficult assuming you're both talking to 20 other
bittorrent clients at the same time.

And it's not like you need cooperation from the other bittorrent
clients.  If you send them a 'hey are you in on the secret and if so
here's how to acknowledge' message, they never see it.  Any client that
can't decrypt your protocol packet just sees a bittorrent packet that
fails signature check.

Bear
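As an added illustration that is not part of Bear's post: the 231-versus-220 observation above suggests the check a traffic analyst would run against this scheme, namely whether a host's aggregate excess of piece requests over all of its concurrent transfers is plausible under an assumed baseline hash-failure rate. The sample transfers, the 1% baseline rate and the alpha cut-off are constructed assumptions; the observer is assumed (as in the post) to be able to count requested pieces and know each object's piece count.

```python
from collections import defaultdict
from math import exp, lgamma, log, log1p

# Constructed sample telemetry: (host, object_id, pieces_in_object, pieces_requested).
# Host 10.0.0.5 mirrors the post's 231-for-220 case across two transfers;
# host 10.0.0.9 shows an ordinary trickle of retransmissions.
SAMPLE_TRANSFERS = [
    ("10.0.0.5", "dataset-A", 220, 231),
    ("10.0.0.5", "archive-B", 500, 540),
    ("10.0.0.9", "dataset-A", 220, 222),
    ("10.0.0.9", "anim-C", 1000, 1009),
]

BASELINE_REJECT_RATE = 0.01  # assumed fraction of pieces that genuinely fail the hash check


def log_binom_pmf(n, k, p):
    """log P(X = k) for X ~ Binomial(n, p), computed in log space to avoid overflow."""
    return (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
            + k * log(p) + (n - k) * log1p(-p))


def binomial_tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p): probability of seeing at least k rejects by chance."""
    return sum(exp(log_binom_pmf(n, i, p)) for i in range(k, n + 1))


def excess_by_host(transfers):
    """Aggregate per host, ignoring which object each request belongs to.

    The post argues that mapping requests to objects is hard when many transfers
    run at once; summing per host sidesteps that and still exposes an overall surplus.
    Returns host -> (expected_pieces, extra_requests).
    """
    totals = defaultdict(lambda: [0, 0])
    for host, _obj, expected, requested in transfers:
        totals[host][0] += expected
        totals[host][1] += max(requested - expected, 0)
    return {host: tuple(v) for host, v in totals.items()}


def flag_hosts(transfers, p0=BASELINE_REJECT_RATE, alpha=1e-6):
    """Return host -> p-value for hosts whose surplus is implausible under rate p0."""
    flagged = {}
    for host, (expected, extra) in excess_by_host(transfers).items():
        n = expected + extra  # total requests seen on the wire for this host
        pval = binomial_tail(n, extra, p0)
        if pval < alpha:
            flagged[host] = pval
    return flagged
```

The check is only as good as the baseline: a host on a lossy link raises the genuine reject rate, so p0 should be estimated from the population rather than fixed.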


