really undetectable crypto

Jim Miller jim at suite.suite.com
Fri Sep 13 19:01:18 PDT 1996



> Your assumptions are correct.  Applied Cryptography by
> Schneier discusses this method, referring to it as a
> "subliminal channel".

Why am I not surprised.  :-)


> Because of the very (VERY) slow transmission times (on
> the order of 1 bit/message), he notes it primarily as a
> secure method of exchanging keys. 


I would think you could do better than 1 bit per message.  Using just  
hashes, I would think you could get at least 4-8 bits per message using a  
standard Pentium-class machine.  Maybe more, I haven't actually run any  
tests to see how long it would take to generate innocent messages that  
produce hashes with specific bits in certain positions.


> In his discussion, he also incorporated a bit in the
> signature, thus assuring the communication is
> travelling to the intended recipient unmolested.

I don't see why this is necessary.  If the hidden message is encrypted  
using a key (or key pair) known only to Alice and Bob, then Walter should  
not be able to fool Bob.  Walter could disrupt the communications in any  
number of ways, but he wouldn't be able to generate innocent messages that  
produce hashes that contain bits that combine to form a message encrypted  
using a key (or key pair) known only to Alice and Bob.


> However, to be "extremely sublime", your method could be
> incorporated with otherwise signed messages: while the
> signature appearing with your message includes an MD5
> hash, the real "stego bit" is the first bit of an RC4 hash of
> the same file, as computed by an external program on the
> receiver's end. 


The above paragraph has given me an idea:  You don't need to send hashes  
or digital signatures to send hidden encrypted messages.  All Alice needs  
to send is the carefully constructed plaintext.  Bob can generate the  
hashes himself, extract the proper bits and attempt to decrypt the hidden  
message.  If the hidden message does not decrypt, then either the  
plaintext was tampered with, it was forged, or not all of the plaintext  
arrived.

That being the case, then I think we have a very simple proof that any  
communications channel, even one that allows only unsigned plaintext  
messages, can be used to send arbitrary encrypted messages (if a bit  
slowly).  So much for Clipper.

Jim_Miller at suite.com
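The plaintext-only channel described above, as an added Python simulation that is not code from the post: Alice varies harmless details of an innocent message until its hash carries the next K hidden bits, and Bob recomputes the hash himself, reassembles the bits, and rejects anything that fails to authenticate. SHA-256 stands in for the MD5/RC4 hashes mentioned, the key, filler phrases and encrypt-then-MAC construction are constructed for the example, and the `tries` count returned by `craft` shows the roughly 2**K attempts per message that bound the bits-per-message rate.

```python
import hashlib
import hmac

KEY = b"key shared only by Alice and Bob"     # constructed placeholder
K = 4                                          # hidden bits per innocent message
FILLERS = ["Hope all is well.", "Talk soon.", "Regards.", "Cheers."]  # constructed

def hash_bits(text: str) -> int:
    """Low K bits of SHA-256 over the plaintext: Bob recovers these himself."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") & ((1 << K) - 1)

def craft(base: str, want: int, max_tries: int = 1 << 16):
    """Alice varies harmless details until the hash carries `want`.
    About 2**K variants must be tried, which is what limits bits per message."""
    for i in range(max_tries):
        text = f"{base} {FILLERS[i % len(FILLERS)]}{' ' * (i // len(FILLERS))}"
        if hash_bits(text) == want:
            return text, i + 1
    raise RuntimeError("no fitting variant found")

def _keystream(n: int) -> bytes:
    return b"".join(hashlib.sha256(KEY + bytes([c])).digest() for c in range(n // 32 + 1))[:n]

def seal(secret: bytes) -> bytes:
    """Encrypt-then-MAC so a forged or tampered channel fails to decrypt."""
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(len(secret))))
    return ct + hmac.new(KEY, ct, hashlib.sha256).digest()[:4]

def unseal(blob: bytes):
    ct, tag = blob[:-4], blob[-4:]
    if not hmac.compare_digest(tag, hmac.new(KEY, ct, hashlib.sha256).digest()[:4]):
        return None                            # Bob rejects: tampered or forged
    return bytes(a ^ b for a, b in zip(ct, _keystream(len(ct))))

def send(secret: bytes, base: str) -> list:
    """Alice: one innocent message per K hidden bits (MSB first)."""
    blob = seal(secret)
    nbits = len(blob) * 8
    value = int.from_bytes(blob, "big")
    chunks = [(value >> (nbits - K * (j + 1))) & ((1 << K) - 1) for j in range(nbits // K)]
    return [craft(base, c)[0] for c in chunks]

def receive(messages: list):
    """Bob: rehash each plaintext, reassemble the bits, verify and decrypt."""
    if len(messages) * K % 8:
        return None                            # not all of the plaintext arrived
    value = 0
    for m in messages:
        value = (value << K) | hash_bits(m)
    return unseal(value.to_bytes(len(messages) * K // 8, "big"))
```

Running `send(b"meet at noon", "Dear Bob,")` yields 32 innocent-looking messages; `receive` on the intact list returns the secret, while a list with every message altered or one message missing returns `None`.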