This is an idea for a scheme where multiple encrypted messages are multiplexed together. At first sight it seems to have some interesting properties, but whilst I'm interested in crypto IANAC, so I thought I'd raise it here and let people who really know what they are talking about give feedback on the problems with it, so I can learn from them.
The sender transmits a stream of data consisting of a random mixture of message blocks and "chaff" blocks.
Message blocks are message plaintext, plus a hash of that plaintext, all of which is symmetrically encrypted with a secret key known to the sender, the recipient, and potentially disclosed to a lawful eavesdropper. Note that the choice of symmetric cipher and hash is independent of how the scheme works, allowing the potential to support multiple cipher suites and/or to transition between cipher suites over time. If the message is longer than a block it is fragmented over multiple blocks (which the sender may choose to intersperse with chaff blocks or send consecutively).
Chaff blocks are random noise, which has been dutifully encrypted with the same cipher and symmetric key as the message blocks, thus allowing the random noise to be lawfully decrypted ;-) The recipient (or a lawful eavesdropper with escrow access) decrypts each block as it arrives, and checks the hash. If the hash doesn’t match, the block is ignored, otherwise the decrypted result is added to those received so far.
The probability that the next block is a chaff block rather than a message block is chosen randomly by the sender, and the proportion of chaff to message blocks may be varied at will. Similarly, the sender decides whether to transmit continuously (with periods of otherwise "dead air" filled with chaff) or sporadically, to reduce the overall amount of data transmitted (which they might like to do if they are paying per byte, for instance!).
Nothing prevents multiple message streams being sent together, each encrypted with a separate key. Without the key for a given message it is not possible to distinguish the blocks containing that message from chaff blocks. Therefore the existence of any message can be kept secret, even if the keys for other messages are disclosed. Furthermore, not all valid messages sent need to have any intended recipient at all. For instance you might send the following messages: "proceed north", "proceed south", "proceed east", "proceed west", "remain stationary", and encode each with a different key, with only one of those keys having been shared with the recipient (the rest being decoys). Anyone brute forcing the keys would then find all 5 messages, but would still be none the wiser.
Advantages:
- Increased resistance to brute forcing, as a given key candidate cannot be rejected until you have decrypted and hashed every block.
- Whether a key is found by brute forcing, by hacking, or by disclosure, it only reveals a single message. Proving other keys don’t exist requires you to brute force the entire key space.
- A lawful eavesdropper can decode a message with their escrowed key, but cannot determine whether it is the only message included: the remaining blocks may be chaff (genuinely random data) or may be another message encrypted under another key.
- If multiple contradictory "decoy" messages are sent under different keys, then even if one message is cracked it would be hard for the attacker to deduce its meaning.
- Somewhat reduces the information available to an attacker through traffic analysis. For instance it increases uncertainty about the true size of any message being transmitted. Given a persistent connection it can obfuscate the times at which real data is being transmitted. Using a broadcast channel, different messages can be sent to different recipients without traffic analysis being able to identify which of the potential recipients a message is directed to, or even how many messages are being sent.
Disadvantages:
- Chaff blocks reduce overall throughput (however, note that the ratio can be varied by the sender at any time to suit their available bandwidth).
- Increased processing at both sender and recipient end
- Without a brute force of the entire key space you can never prove that you have disclosed all the keys, even if you want to (e.g. when wishing to disclose keys in a duress scenario).
My cryptographic knowledge is limited, so I welcome feedback from those who know more.