Winnowing Wheat from Chaff (Rivest at it again)

Rohit Khare (rohit@bordeaux.ICS.uci.edu)
Sun, 22 Mar 1998 14:56:32 -0800


[Sorry that many of you will have heard this through other channels already]

Ron posted a new scheme at http://theory.lcs.mit.edu/~rivest/chaffing.txt
it's already been in the NYT and all that.

Essentially, don't encrypt anything. Send packets with a MAC at the end
(hash together the message and a secret key -- hashing is legally not
encryption, just authentication). Also send the complement of the packet --
noise along with signal, with bad MACs. Just pick out the good MACs at the
receiving end.

The nifty spin is that adding "chaff" takes zero intelligence, and can
even be injected by 3rd parties.

I wonder, though, if these ideas weren't bruited around way back in the
beginnings of the Internet when they applied to packet networks with
bit-error links and valid/invalid CRCs. Not that I begrudge Ron in any way
the novelty of the work.

I will say that the lasting contribution, though, may well be the wheat
metaphor...

RK
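
The scheme summarized in the post above, worked through one bit per packet, as an added example that is not part of the original message or of Rivest's text. The `(serial, bit, MAC)` packet layout, HMAC-SHA256 and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets

def tag(key, serial, bit):
    """MAC over (serial, bit); covering the serial pins each packet to its position."""
    data = serial.to_bytes(8, "big") + bytes([bit])
    return hmac.new(key, data, hashlib.sha256).digest()

def authenticate(key, message):
    """Sender: one cleartext packet (serial, bit, MAC) per message bit; nothing is encrypted."""
    return [(s, b, tag(key, s, b))
            for s in range(len(message) * 8)
            for b in [(message[s // 8] >> (7 - s % 8)) & 1]]

def add_chaff(wheat):
    """Any party, no key needed: pair each packet with its complement under a random MAC."""
    rng, stream = secrets.SystemRandom(), []
    for serial, bit, mac in wheat:
        pair = [(serial, bit, mac), (serial, bit ^ 1, os.urandom(len(mac)))]
        rng.shuffle(pair)  # packet order must not reveal which one is wheat
        stream.extend(pair)
    return stream

def winnow(key, stream):
    """Receiver: keep packets whose MAC verifies, drop the rest, reassemble the bits."""
    bits = {}
    for serial, bit, mac in stream:
        if hmac.compare_digest(mac, tag(key, serial, bit)):
            if bits.setdefault(serial, bit) != bit:
                raise ValueError(f"both bit values authenticate at serial {serial}")
    if not bits:
        raise ValueError("no packet authenticates under this key")
    nbits = max(bits) + 1
    out = bytearray((nbits + 7) // 8)
    for serial in range(nbits):
        if serial not in bits:
            raise ValueError(f"no authentic packet for serial {serial}")
        out[serial // 8] |= bits[serial] << (7 - serial % 8)
    return bytes(out)

def observer_view(stream):
    """Without the key: the set of bit values visible at each serial number."""
    seen = {}
    for serial, bit, _mac in stream:
        seen.setdefault(serial, set()).add(bit)
    return seen
```

Every serial number carries both a 0 and a 1 on the wire, so confidentiality rests entirely on the observer being unable to tell a valid MAC from a random one. This sketch does not authenticate the message length, so dropped trailing packets shorten the output without an error.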

============

New Method To Veil Data Could Upstage Export Policy

By JOHN MARKOFF

SAN FRANCISCO -- One of the nation's leading computer scientists has proposed a novel technique for scrambling data that could circumvent Government export policies aimed at limiting the foreign sale of encryption technology.

The technique, which was described this week in an Internet discussion among computer researchers, was introduced by Ronald L. Rivest, a computer scientist at the Massachusetts Institute of Technology and one of the inventors of the most widely used commercial encryption scheme, RSA.

The new approach, which is described in a short technical paper that has been posted to Mr. Rivest's M.I.T. Web site, is described as "chaffing and winnowing" digital information instead of encrypting it.

According to Mr. Rivest's paper, it is possible to hide a message by breaking it into packets that are then secretly identified as good information, or "wheat," and gibberish, or "chaff," in such a way that an eavesdropper cannot distinguish the two.

Because the individual packets would not be encrypted, Mr. Rivest said, such a system would circumvent current export restrictions.

The two principal ways of communicating in secret are encryption and steganography. Steganography uses computer techniques to embed a secret message in a document like a digital image. In encryption, secret information is encoded using functions that require difficult mathematical tasks to decode, and it has become the standard way of transmitting secret information electronically.

There are no restrictions on the domestic use of this technology, but the Government has been trying to force the industry to adopt standards that would permit law-enforcement officials to have mathematical keys allowing them to decode messages without the knowledge of the sender or receiver. The Clinton Administration says the standards are needed to fight crime and terrorism. Opponents argue that the Government decoding keys, to be stored in computers, could easily be stolen, compromising privacy and the security of credit card numbers and other personal information.

In terms of exports, with few exceptions the Government limits the software to codes that can be easily broken.

"Winnowing does not employ encryption, and so does not have a 'decryption key,'g technology ends up being obsoleted by technological innovations."

Peter Neumann, an SRI International computer scientist who has read Mr. Rivest's paper, said that although "there is still no certainty that this is a practical idea," if it works, "it throws another clinker at the Justice Department."

Other cryptography experts said they were uncertain whether it would be possible to skirt Government export restrictions in this way, but that the idea was an impressive new approach that might have valuable commercial applications.

"He's a very clever guy," said George Spix, a Microsoft researcher who specializes in cryptography policy issues. "It goes to show that for all the technological wizardry in the world, there's nothing like an intellect."

One of the potential limitations of the new method is that the total information transmitted might need to be hundreds of times larger than the actual message.

Mr. Rivest said, however, that he had discussed the idea with Adi Shamir, an Israeli cryptographer, and that Mr. Shamir had proposed compression methods that would reduce the total transmission to only about twice the actual message size.

The strength of the idea for chaffing and winnowing is that it is possible to prove mathematically that a message cannot be decoded, Mr. Rivest said.

He said he had come up with the idea recently while teaching an undergraduate computer course.

In addition to his role as associate director of the Laboratory of Computer Science at M.I.T., Mr. Rivest is a consultant and shareholder in RSA Data Security Inc., a company that develops encryption software.

"I put the winnowing and chaffing idea out there to stimulate debate," Mr. Rivest said. "I hope it will help clear up some of the issues that have been raised in the policy discussion."