Chaffinch: Confidentiality in the Face of Legal Threats

  • Richard Clayton
  • George Danezis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2578)


We present the design and rationale of a practical system for passing confidential messages. The mechanism is an adaptation of Rivest’s “chaffing and winnowing”, which has the legal advantage of using authentication keys to provide privacy.We identify a weakness in Rivest’s particular choice of his “package transform” as an “all-or-nothing” element within his scheme. We extend the basic system to allow the passing of several messages concurrently. Only some of these messages need be divulged under legal duress, the other messages will be plausibly deniable. We show how this system may have some resilience to the type of legal attack inherent in the UK’s Regulation of Investigatory Powers (RIP) Act.


Authentication Scheme Block Cipher Stream Cipher Authentication Data Brute Force Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    R. Anderson and E. Biham: Two practical and provably secure block ciphers: BEAR and LION. In Fast Software Encryption (proceedings Third International Workshop), 1996, Springer. 76Google Scholar
  2. [2]
  3. [3]
    Lord Bassam: Hansard, 13 July 2000, column 434. 78Google Scholar
  4. [4]
    D. Beaver: Plausible deniability. In Advances in Cryptology-PraguoCrypt’ 96 Proceedings, Prague, Czech Republic, 1996. pp. 272–288, GC UCMP, ISBN 80-01-01502-5. 83Google Scholar
  5. [5]
    M. Bellare and A. Boldyreva: The security of chaffing and winnowing. ASIACRYPT 2000, LNCS 1976, Springer-Verlag 2000, pp. 517–530. 72, 74CrossRefGoogle Scholar
  6. [6]
    M. Blaze, W. Diffie, R.L. Rivest, B. Schneier, T. Shimomura, E. Thompson and M. Wiener: Minimal key lengths for symmetric ciphers to provide adequate commercial security. A report by an ad hoc group of cryptographers and computer scientists. 1996 79
  7. [7]
    A. Desai: The security of all-or-nothing encryption: Protecting against exhaustive key search. CRYPTO 2000, LNCS 1880, Springer-Verlag 2000, pp. 359–375. 72CrossRefGoogle Scholar
  8. [8]
    A. McDonald and M.G. Kuhn: StegFS: A Steganographic File System for Linux. In A. Pfitzmann (Ed.) Information Hiding, Third InternationalWorkshop, IH’99, Dresden 1999, LNCS 1768, Springer Verlag 2000, pp. 463–477. 84CrossRefGoogle Scholar
  9. [9]
    J. McHugh: Chaffing at the Bit: Thoughts on a Note by Ronald Rivest. In A. Pfitzmann (Ed.) Information Hiding, Third International Workshop, IH’99, Dresden 1999, LNCS 1768, Springer Verlag 2000, pp. 395–404. 77Google Scholar
  10. [10]
    R. L. Rivest: Chaffing and winnowing: Confidentiality without encryption. RSA Laboratories CryptoBytes 4(1) 1998. 70, 71Google Scholar
  11. [11]
    R.L. Rivest: All-or-nothing encryption and the package transform. Fast Software Encryption 1997, LNCS 1267, E. Biham, Ed., Springer-Verlag, 1997, pp210–218. 71, 72CrossRefGoogle Scholar
  12. [12]
    B. Sussman and K. Fogel: Chaffwin. 71
  13. [13]
    UK Stationery Office Ltd: Regulation of Investigatory Powers Act 2000. ISBN 0-10-542300-9. 70, 73Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Richard Clayton
    • 1
  • George Danezis
    • 1
  1. 1.Computer LaboratoryUniversity of CambridgeCambridgeUK

Personalised recommendations