10

Suppose one wants to setup a cryptographic protocol in which 2 parties communicate using an encryption scheme that produces encrypted messages indistinguishable from random data (the desired property) given that the adversary does NOT KNOW the key to decrypt the data. (end goals are undetectability and plausible deniability)

Which component of the chosen cryptosystem provides this property?

Is it the choice between using symmetric key encryption or public-key encryption?

Or is it the choice of which block cipher operation mode you use that determines this property?

This answer on a steganography seems to imply that choosing symmetric key encryption that gives you this property. Does this imply that if you choose public-key encryption you cannot achieve the desired property? https://security.stackexchange.com/a/44295/26338

My research has led me to believe that it is your choice of block cipher operation mode that gives you this property (choosing AES-GCM gives you this property for example).

Which design choices do I have to make in order to achieve the desired property?

Community
  • 1
dandroid
  • 325
  • 1
  • 6

1 Answers1

9

Let's first be clearer about "random noise". This is not defined in general. What you may have is a sequence of random values within a specific domain. For instance, you want to have a sequence of bits that is indistinguishable from uniformly random bits.

If you want pseudo-random bits, then you will be happier with symmetric than asymmetric encryption. Asymmetric encryption uses mathematical objects with a lot of structure, which tends to show up as biases in encoding. One can still do some asymmetric encryption which "looks like" random bits, but, in the long run, this requires some effort (e.g. Diffie-Hellman key exchange can be "unbiased" by using an elliptic curve and its twist, assuming that both are suitable for cryptography, i.e. have an order multiple of a large enough prime).

When using symmetric encryption with a block cipher, the random-looking appearance is normally obtained -- that is, if the output does not "look randomish" then that is considered to be a weakness. Indeed, the classic penguin picture illustrates that ECB is weak because it fails at ensuring such randomness of appearance. Good modes will achieve the kind of property that you are after. However, there are ways to botch it. For instance, while AES-GCM is, by all measures, a very fine encryption mode, is uses an Initialization Vector which must be known to the receiver; since the IV is not secret, it is usually chosen by the sender and encoded along with the raw GCM output. The IV from successive messages may be biased; indeed, one great point of GCM is that it tolerates non-random IV (it just needs successive IV to be distinct from each other). Therefore, the IV may betray the presence of non-noise in your output data.

Such "hiding" property is not usually desired (it is not actively avoided either), therefore existing protocols make no effort in that direction. Hiding data in such a way that observers don't even suspect its presence is, indeed, the whole point of steganography, and encryption can help, but only with some care.

guntbert
  • 1,825
  • 2
  • 18
  • 21
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • I don't think that this is factually correct. See https://en.m.wikipedia.org/wiki/Distinguishing_attack – Awn May 03 '17 at 13:32