Investigating Chaffing and Winnowing: …mdv/courses/CM30082/projects.bho/2006...Investigating...

Investigating Chaffing and Winnowing: Confidentiality Without Encryption. James Daniel Smith. Bachelor of Science in Computer Science with Honours, The University of Bath, May 2007


Investigating Chaffing and Winnowing: Confidentiality

Without Encryption

James Daniel Smith

Bachelor of Science in Computer Science with Honours

The University of Bath

May 2007


This dissertation may be made available for consultation within the University Library and may be photocopied or lent to other libraries for the purposes of consultation.

Signed:


Investigating Chaffing and Winnowing:

Confidentiality Without Encryption

Submitted by: James Daniel Smith

COPYRIGHT

Attention is drawn to the fact that copyright of this dissertation rests with its author. The Intellectual Property Rights of the products produced as part of the project belong to the University of Bath (see http://www.bath.ac.uk/ordinances/#intelprop). This copy of the dissertation has been supplied on condition that anyone who consults it is understood to recognise that its copyright rests with its author and that no quotation from the dissertation and no information derived from it may be published without the prior written consent of the author.

Declaration

This dissertation is submitted to the University of Bath in accordance with the requirements of the degree of Bachelor of Science in the Department of Computer Science. No portion of the work in this dissertation has been submitted in support of an application for any other degree or qualification of this or any other university or institution of learning. Except where specifically acknowledged, it is the work of the author.

Signed:


Abstract

Chaffing and winnowing is a new technique to keep data confidential without using encryption. Several chaffing and winnowing schemes are researched and implemented and a new hybrid scheme is devised. Experiments are performed to compare these techniques with traditional encryption techniques. It is found that chaffing and winnowing could be an alternative to these techniques.


Contents

1 Introduction 1

1.1 What is Chaffing and Winnowing? . . . . . . . . . . . . . . . . . . . . . . . 1

1.2 Why do we need Chaffing and Winnowing? . . . . . . . . . . . . . . . . . . 2

1.3 Project Aim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.4 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Literature Survey 4

2.1 Chaffing and Winnowing Implementations . . . . . . . . . . . . . . . . . . . 4

2.1.1 Bit-by-bit Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.1.2 All-Or-Nothing Transform . . . . . . . . . . . . . . . . . . . . . . . . 5

2.2 All-Or-Nothing Transforms . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.2.1 Package Transform . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.2.2 Optimal Asymmetric Encryption Padding . . . . . . . . . . . . . . . 6

2.2.3 BEAR Preprocessor . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.3 Message Authentication Codes . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.4 Symmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2.5 Bellare and Boldyreva’s New Chaffing and Winnowing Scheme . . . . . . . . 8

2.6 Hybrid Encryption Techniques . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.7 Endianness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3 Requirements 10

3.1 Functional Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10


3.1.1 Message Authentication Code . . . . . . . . . . . . . . . . . . . . . . 10

3.1.2 Symmetric Chaffing and Winnowing Schemes . . . . . . . . . . . . . 10

3.1.3 Hybrid Chaffing and Winnowing Scheme . . . . . . . . . . . . . . . . 11

3.2 Non-functional Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3.2.1 Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3.2.2 Portability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3.2.3 Extensibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3.2.4 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3.2.5 Language Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 12

3.2.6 Maintainability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

4 Design 13

4.1 Language Choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

4.2 High Level Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

4.2.1 Symmetric Chaffing and Winnowing Schemes . . . . . . . . . . . . . 14

4.2.2 Hybrid Chaffing and Winnowing Schemes . . . . . . . . . . . . . . . 15

4.3 Modular Decomposition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

4.3.1 MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

4.3.2 Package Transform . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

4.3.3 OAEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

4.3.4 Mask Generation Function . . . . . . . . . . . . . . . . . . . . . . . 18

4.4 Public-key Encryption Algorithms . . . . . . . . . . . . . . . . . . . . . . . 19

4.5 Experiment Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4.5.1 What will Chaffing and Winnowing schemes be compared to? . . . . 20

4.5.2 What will the tests measure? . . . . . . . . . . . . . . . . . . . . . . 20

4.5.3 Expected outcomes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4.6 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4.6.1 Chaffing and Winnowing Schemes . . . . . . . . . . . . . . . . . . . 20

4.6.2 Chaffing and Winnowing Library . . . . . . . . . . . . . . . . . . . . 21

5 Implementation 22


5.1 Chaffing and Winnowing Library . . . . . . . . . . . . . . . . . . . . . . . . 22

5.1.1 Global Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

5.1.2 HMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

5.1.3 Package Transform . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

5.1.4 Optimal Asymmetric Encryption Padding . . . . . . . . . . . . . . . 24

5.1.5 Mask Generation Function . . . . . . . . . . . . . . . . . . . . . . . 25

5.2 Chaffing and Winnowing Schemes . . . . . . . . . . . . . . . . . . . . . . . 26

5.2.1 Symmetric Package Transform Scheme . . . . . . . . . . . . . . . . . 26

5.2.2 Symmetric Optimal Asymmetric Encryption Padding Scheme . . . . 26

5.2.3 Hybrid Package Transform Scheme . . . . . . . . . . . . . . . . . . . 26

5.2.4 Hybrid Optimal Asymmetric Encryption Padding Scheme . . . . . . 27

6 Testing 28

6.1 Component Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

6.1.1 HMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

6.1.2 Package Transform . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

6.1.3 Optimal Asymmetric Encryption Padding . . . . . . . . . . . . . . . 29

6.1.4 Global Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

6.2 System Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

6.2.1 Chaffing and Winnowing Schemes . . . . . . . . . . . . . . . . . . . 30

6.2.2 Cross Platform Compatibility . . . . . . . . . . . . . . . . . . . . . . 30

7 Experiment and Results 31

7.1 Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

7.1.1 Execution Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

7.1.2 Ciphertext Expansion . . . . . . . . . . . . . . . . . . . . . . . . . . 32

7.2 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

7.2.1 Execution Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

7.2.2 Ciphertext Expansion . . . . . . . . . . . . . . . . . . . . . . . . . . 33

7.3 Analysis of the Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

7.3.1 Execution Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33


7.3.2 Ciphertext Expansion . . . . . . . . . . . . . . . . . . . . . . . . . . 33

8 Conclusion 39

8.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

8.2 Positive Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

8.3 Things That Could Be Improved . . . . . . . . . . . . . . . . . . . . . . . . 40

8.4 Further Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

8.5 Personal Reflection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

A Design Diagrams 44

B Code 46

B.1 File: hmac.c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

B.2 File: aont.c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

B.3 File: oaep.c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

B.4 File: cw lib.c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

B.5 File: cw aont pt.c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

B.6 File: cw aont oaep.c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

B.7 File: cw hybrid pt.c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

B.8 File: cw hybrid oaep.c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63


List of Figures

5.1 The construction of data block DB . . . . . . . . . . . . . . . . . . . . . . . 24

5.2 The deconstruction of data block DB . . . . . . . . . . . . . . . . . . . . . . 25

7.1 A graph to show the time taken for each scheme to encrypt a file. . . . . . . 34

7.2 A scaled graph to show the time taken for each scheme to encrypt a small file. 35

7.3 A graph to show the data expansion of each scheme. . . . . . . . . . . . . . 36

7.4 A graph to show the data expansion of each scheme for very small files. . . 37

A.1 The modular design of the chaffing and winnowing schemes. . . . . . . . . . 45


List of Algorithms

4.1 Chaffing and Winnowing AONT Scheme Encryption . . . . . . . . . . . . . . 14

4.2 Chaffing and Winnowing AONT Scheme Decryption . . . . . . . . . . . . . . 15

4.3 Chaffing and Winnowing Hybrid Scheme Encryption . . . . . . . . . . . . . . 16

4.4 Chaffing and Winnowing Hybrid Scheme Decryption . . . . . . . . . . . . . . 16

4.5 OAEP Encoding Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

4.6 OAEP Decoding Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

5.1 Mask Generation Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25


List of Tables

7.1 Exact file sizes of those used in the experiments . . . . . . . . . . . . . . . . 31

7.2 The mean execution times of all the schemes for each file size . . . . . . . . 32

7.3 The expansion size of all the schemes for each file size . . . . . . . . . . . . 33


Acknowledgements

I would like to thank Dr Russell Bradford for his help and supervision of this project. I would also like to thank Dr Alwyn Barry for his lectures and guidance on final year projects. Finally I would like to thank Michelle and my family for their constant support, especially this year.


Chapter 1

Introduction

1.1 What is Chaffing and Winnowing?

The two main ways to achieve confidentiality are called steganography and encryption. Steganography plays on the integrity of data. It literally means “hidden writing” in Greek. It is an ancient method of hiding a message in such a way that only the recipient knows a message actually exists. A steganographic message will appear to be something else, like a picture or an uninteresting message, the “covertext”. Examples include invisible ink underlining, concealing messages in the lowest bits of a picture or sound file and embedded pictures in a video sequence.

Encryption transforms data into a “ciphertext” to make it unreadable unless you know the decryption key needed to retrieve the original message, the “plaintext”.

Rivest (Rivest, 1998) introduced a new technique to provide confidentiality called “chaffing and winnowing”. This method uses the integrity of data like steganography does, but in a different way. He explains that it is possible to hide a message by splitting it up into packets (the wheat) and mixing in fake data (the chaff). The idea is that only the intended recipient can separate the wheat from the chaff, by knowing the key to authenticate the packets.

The sender splits the message into packets and authenticates each packet by attaching a “message authentication code” or “MAC”. A MAC is computed from a function of the packet contents and a secret authentication key. The secret key is shared by the sender and recipient. The recipient can therefore calculate the MAC for each packet he receives and compare it to the MAC held in the packet. If they match then he knows he has an authentic part of the message; if they don’t, he can simply throw it away.

Each packet has a serial number to help the receiver remove duplicate packets, identify missing packets and order the packets.

Rivest uses the following example of triples of serial number, message and MAC to illustrate chaffing and winnowing:

(1, Hi Bob, 465231)
(2, Meet me at, 782290)
(3, 7PM, 344287)
(4, Love-Alice, 312265)

The second stage is adding the chaff, the fake data with bad MACs:

(1, Hi Larry, 532105)
(1, Hi Bob, 465231)
(2, Meet me at, 782290)
(2, I’ll call you at, 793122)
(3, 6PM, 891231)
(3, 7PM, 344287)
(4, Yours-Susan, 553419)
(4, Love-Alice, 312265)

Unless you know the secret authentication key you cannot distinguish the wheat from the chaff!

Rivest argues that since adding the chaff is a keyless operation that can be done by anyone, chaffing and winnowing is not encryption in the traditional sense.

1.2 Why do we need Chaffing and Winnowing?

Rivest’s reason for investigating a new way to impose confidentiality is political. The US government was proposing new laws to restrict the use of encryption at the time of Rivest’s paper. It was a concern that encrypted messages that the government could not read were aiding criminals and terrorists.

The most interesting thing about this new technique is highlighted by Rivest. He notes that future law enforcement policies are likely to demand access to the plaintext of encrypted messages. Rivest suggests that since chaffing and winnowing does not require a decryption key, there is none to give to the authorities. It seems that the way Rivest describes his new technique, coupled with his definition of encryption, may avoid encryption laws in the US.

“Trying to regulate confidentiality by regulating encryption closes one door and leaves two open (steganography and winnowing).” (Rivest, 1998)

Clayton and Danezis (2003) analysed the legitimacy of chaffing and winnowing in the face of the UK Regulation of Investigatory Powers (RIP) Act 2000 (UK Stationery Office Ltd, 2000). The RIP Act gives UK law enforcement the power to demand a key to read the plaintext of encrypted messages. Although chaffing and winnowing sends messages “in the clear” without using encryption, you still need to know where to look to find the plaintext. Rivest stresses that his technique is not encryption and does not have an encryption key to hand over to law enforcement. Chaffing and winnowing does, however, use authentication keys, and it could be considered an encryption system by someone with little knowledge of cryptography. It could be argued that the government could categorise the scheme with traditional encryption schemes purely because they would disregard the technicalities and just see a technique for confidentiality that uses some secret key.

1.3 Project Aim

The aim of this project is to implement one or more chaffing and winnowing schemes and compare them to existing techniques for confidentiality in order to assess whether or not chaffing and winnowing could be a viable alternative.

1.4 Objectives

• Research different chaffing and winnowing schemes and find out which traditional encryption techniques they should be compared to

• Implement one or more of the chaffing and winnowing schemes found from the research

• Design and conduct experiments to compare the implementations to the traditional encryption algorithms

• Using the results of the experiments, conclude whether or not chaffing and winnowing could be used as an alternative to traditional encryption techniques if they were to be outlawed.


Chapter 2

Literature Survey

The purpose of this literature survey is to research the different chaffing and winnowing schemes that already exist. We also want to find out what makes each of them different and how we might develop a new chaffing and winnowing scheme of our own.

2.1 Chaffing and Winnowing Implementations

2.1.1 Bit-by-bit Scheme

Rivest’s bit-by-bit chaffing and winnowing scheme is proven in (Bellare and Boldyreva, 2000) to provide a level of privacy as high as traditional encryption systems. Here, the wheat packets are individual bits and, for each one, there is a chaff packet with the same serial number containing the complementary bit. There must be a chaff packet for every valid packet in order to sustain security. Distinguishing the wheat from the chaff now requires knowing the secret authentication key; the MAC algorithm itself is public.

(1, 0, 351216)
(1, 1, 895634)
(2, 0, 452412)
(2, 1, 534981)
(3, 0, 639723)
(3, 1, 905344)
...

The bit-by-bit scheme is, however, very inefficient. The size of the message after authenticating the valid packets and adding the chaff will be more than double. If F is the MAC function then

“For a message of m bits 2m(1+p+l) bits are transmitted, where p is the length of a serial and l is the length of output of F.” (Bellare and Boldyreva, 2000)

When transmitting large messages this would be very impractical.
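The packet scheme from section 1.1 and the bit-by-bit variant above, as an added worked example in Python; this is not code from the dissertation or from the papers it cites. It assumes 4-byte serial numbers and HMAC-SHA256 tags truncated to 16 bytes (so p = 32 and l = 128 in the formula just quoted), and the messages and the seeded random generator are constructed for the demonstration.

```python
import hashlib
import hmac
import random

# Assumed parameters (not from the dissertation): 4-byte serials, 16-byte tags.
SERIAL_LEN = 4   # p = 32 bits
TAG_LEN = 16     # l = 128 bits


def tag(key: bytes, serial: int, payload: bytes) -> bytes:
    """MAC over serial || payload, so a valid tag cannot be moved to another serial."""
    msg = serial.to_bytes(SERIAL_LEN, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def chaff(key: bytes, packets: list, fake_for, rng: random.Random) -> list:
    """Authenticate each wheat packet and add one chaff packet per serial.

    The chaff gets a random tag, so this part needs no key at all: anyone
    sitting between sender and receiver could add it.
    """
    stream = []
    for serial, payload in enumerate(packets, start=1):
        stream.append((serial, payload, tag(key, serial, payload)))
        stream.append((serial, fake_for(payload, rng), rng.randbytes(TAG_LEN)))
    rng.shuffle(stream)
    return stream


def winnow(key: bytes, stream: list) -> bytes:
    """Keep packets whose tag verifies, drop duplicates, reassemble by serial."""
    wheat = {}
    for serial, payload, t in stream:
        if hmac.compare_digest(t, tag(key, serial, payload)):
            wheat[serial] = payload
    return b"".join(wheat[s] for s in sorted(wheat))


# Two chaff strategies: random text of the same length, or (bit-by-bit) the complementary bit.
def random_text(payload: bytes, rng: random.Random) -> bytes:
    return rng.randbytes(len(payload))


def complement_bit(payload: bytes, rng: random.Random) -> bytes:
    return bytes([1 - payload[0]])


def to_bits(data: bytes) -> list:
    """One packet per bit, each packet a single byte holding 0 or 1."""
    return [bytes([(byte >> (7 - i)) & 1]) for byte in data for i in range(8)]


def from_bits(bits: bytes) -> bytes:
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def wire_size_bits(stream: list) -> int:
    """Bits on the wire for a bit-by-bit stream: 1 payload bit plus serial plus tag per packet."""
    return len(stream) * (1 + 8 * SERIAL_LEN + 8 * TAG_LEN)


def predicted_size_bits(m: int) -> int:
    """Bellare and Boldyreva's count 2m(1 + p + l) for an m-bit message."""
    return 2 * m * (1 + 8 * SERIAL_LEN + 8 * TAG_LEN)


def demo_packets(key: bytes, message: bytes, seed: int = 7):
    """Rivest's example with 8-byte packets; returns (winnowed, winnowed with wrong key, packets sent)."""
    rng = random.Random(seed)  # seeded only so the demonstration is reproducible
    packets = [message[i:i + 8] for i in range(0, len(message), 8)]
    stream = chaff(key, packets, random_text, rng)
    return winnow(key, stream), winnow(b"wrong key", stream), len(stream)


def demo_bit_by_bit(key: bytes, message: bytes, seed: int = 1):
    """The bit-by-bit scheme; returns (recovered message, bits transmitted)."""
    rng = random.Random(seed)
    stream = chaff(key, to_bits(message), complement_bit, rng)
    return from_bits(winnow(key, stream)), wire_size_bits(stream)


if __name__ == "__main__":
    key = b"shared authentication key"
    print(demo_packets(key, b"Hi Bob, meet me at 7PM. Love, Alice"))
    print(demo_bit_by_bit(key, b"7PM"))
```

`chaff` never touches the key: the fake packets carry random tags, which is what makes adding chaff a keyless step. `winnow` compares tags in constant time and keeps one payload per serial, so duplicated wheat is harmless. For the 3-byte message in `demo_bit_by_bit` the stream is 7,728 bits, exactly 2m(1 + p + l) for m = 24, against 24 bits of plaintext.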

2.1.2 All-Or-Nothing Transform

Rivest’s suggestion to improve upon his bit-by-bit scheme is to use an “all-or-nothing transform” (Rivest, 1997). An all-or-nothing transform (AONT) is

“a key-less (non-encryption) transfer that takes the message and produces a packaged message with the property that the recipient can’t produce the original message unless he has received the entire packaged message.” (Rivest, 1998)

The key property of an AONT, for our purposes, is that unless the entire packaged message is received, the parts received effectively look like random noise. This means that if you apply an AONT to a message and then encrypt each packet, an adversary cannot gain any information from the message unless they can decrypt each and every part of the ciphertext. By using an AONT in a chaffing and winnowing scheme, there is no longer any need to send a chaff packet for each and every valid packet. This will dramatically reduce the size of the overall packaged message that will be transmitted whilst still upholding a very good degree of confidentiality.

Three AONTs will be presented in this literature review.

2.2 All-Or-Nothing Transforms

2.2.1 Package Transform

Rivest’s AONT called the package transform (Rivest, 1997) would be a suitable transform to use in a chaffing and winnowing implementation. The package transform works as follows. Consider the message, split into blocks, $m_1, m_2, \ldots, m_s$, an encryption function $E$ and a random key $K'$ for the package transform cipher. Then the transformed blocks $m'_i$ are given by:

$$m'_i = m_i \oplus E(K', i) \quad \text{for } i = 1, 2, \ldots, s.$$

$K'$ is transmitted to the recipient by sending the extra value $M$:

$$M = K' \oplus h_1 \oplus h_2 \oplus \cdots \oplus h_s,$$

where

$$h_i = E(K_0, m'_i \oplus i) \quad \text{for } i = 1, 2, \ldots, s,$$

and $K_0$ is a fixed, publicly-known key. The recipient recomputes every $h_i$ from the received blocks and $K_0$, recovers $K' = M \oplus h_1 \oplus \cdots \oplus h_s$ and then undoes the first step; if any block is missing or altered, the recovered $K'$ is wrong and none of the blocks can be decrypted, which is what makes the transform all-or-nothing.
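Rivest’s package transform as written above, as an added example in Python (not the dissertation’s aont.c and not Rivest’s code). The block cipher $E$ is replaced by HMAC-SHA256 truncated to one 16-byte block, $K_0$ is taken to be the all-zero block and the message is padded PKCS#7-style so every block is full; all three are assumptions made so the example runs with the standard library alone. `recovered_key` is the step the recipient performs, and it shows why the transform is all-or-nothing: with any one block altered or missing the recovered $K'$ is wrong and every block decrypts to noise.

```python
import hashlib
import hmac
import os

BLOCK = 16
K0 = bytes(BLOCK)  # the fixed, publicly known key K0 (assumption: all zero bytes)


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E: HMAC-SHA256 truncated to one block (an assumption,
    chosen so the example runs with the standard library only)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def index(i: int) -> bytes:
    """The block counter i as a block-sized big-endian integer."""
    return i.to_bytes(BLOCK, "big")


def pad(message: bytes) -> bytes:
    n = BLOCK - len(message) % BLOCK   # PKCS#7 style, so every block is full (assumption)
    return message + bytes([n]) * n


def unpad(message: bytes) -> bytes:
    return message[:-message[-1]]


def hash_chain(body: list) -> bytes:
    """h_1 xor ... xor h_s with h_i = E(K0, m'_i xor i); anyone can compute this from the blocks."""
    acc = bytes(BLOCK)
    for i, b in enumerate(body, start=1):
        acc = xor(acc, E(K0, xor(b, index(i))))
    return acc


def package(message: bytes, k_prime: bytes) -> list:
    """Rivest's package transform: m'_1 .. m'_s followed by M = K' xor h_1 xor ... xor h_s."""
    m = pad(message)
    blocks = [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]
    out = [xor(b, E(k_prime, index(i))) for i, b in enumerate(blocks, start=1)]
    out.append(xor(k_prime, hash_chain(out)))
    return out


def recovered_key(blocks: list) -> bytes:
    """K' = M xor h_1 xor ... xor h_s. Needs every m'_i: a missing or altered block gives a different key."""
    *body, last = blocks
    return xor(last, hash_chain(body))


def unpackage(blocks: list) -> bytes:
    """Undo the transform; with a damaged block the wrong K' turns every block into noise."""
    body = blocks[:-1]
    k_prime = recovered_key(blocks)
    plain = b"".join(xor(b, E(k_prime, index(i))) for i, b in enumerate(body, start=1))
    return unpad(plain)


if __name__ == "__main__":
    k = os.urandom(BLOCK)
    blocks = package(b"the package transform hides every block until all are present", k)
    print(unpackage(blocks))
    print(unpackage([bytes(BLOCK)] + blocks[1:]))  # one block lost: K' is wrong, output is noise
```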

The security of the package transform was analysed by Anand Desai (Desai, 2000) and also briefly by Mihir Bellare and Alexandra Boldyreva (Bellare and Boldyreva, 2000) and Victor Boyko (Boyko, 1999). In these papers and others, alternative (and more secure) AONTs have been developed.

2.2.2 Optimal Asymmetric Encryption Padding

Optimal Asymmetric Encryption Padding (OAEP) was introduced by Bellare and Rogaway (Bellare and Rogaway, 1995) to construct semantically secure and plaintext-aware public-key encryption schemes given an arbitrary trapdoor permutation and a hash function.

The scheme makes use of a generator $G : \{0,1\}^{k_0} \to \{0,1\}^n$ and a hash function $H : \{0,1\}^n \to \{0,1\}^{k_0}$, where $n$ is the length of the message and $k_0$ is the security parameter. The transform $\mathrm{OAEP} : \{0,1\}^n \times \{0,1\}^{k_0} \to \{0,1\}^{n'}$, for $n' = n + k_0$, is defined as:

$$\varepsilon_{G,H}(x, r) = \big(x \oplus G(r)\big) \,\|\, \big(r \oplus H(x \oplus G(r))\big)$$

where $\|$ denotes concatenation, $x$ is the message and $r$ is a random string.

Bellare and Rogaway go on to prove OAEP semantically secure, assuming an ideal hash function and an arbitrary trapdoor permutation are used.

Boyko (Boyko, 1999) presents a very strong formal definition of security for AONTs and shows not only that OAEP, as a candidate AONT, satisfies the definition, but that

“no AONT construction can achieve substantially better bound than one we have shown for OAEP” (Boyko, 1999)
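The OAEP transform $\varepsilon_{G,H}$ defined above and its inverse, as an added example in Python rather than code from the dissertation. $G$ is instantiated as MGF1 over SHA-256 and $H$ as SHA-256 itself, so $k_0$ is 32 bytes; both choices are assumptions. `flip_bit` and `bytes_recovered` show the all-or-nothing property Boyko formalises: damaging a single bit anywhere in the packaged message changes $r$ and therefore the whole of $G(r)$, leaving nothing of $x$.

```python
import hashlib
import os

K0 = 32  # k0, the security parameter, in bytes: the length of r (assumption: 256 bits)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def G(r: bytes, n: int) -> bytes:
    """Generator G: {0,1}^k0 -> {0,1}^n, built as MGF1 over SHA-256 (an assumption)."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(r + counter.to_bytes(4, "big")).digest()
    return out[:n]


def H(s: bytes) -> bytes:
    """Hash H: {0,1}^n -> {0,1}^k0; SHA-256 gives exactly k0 = 32 bytes."""
    return hashlib.sha256(s).digest()


def oaep_encode(x: bytes, r: bytes) -> bytes:
    """epsilon_{G,H}(x, r) = (x xor G(r)) || (r xor H(x xor G(r)))."""
    if len(r) != K0:
        raise ValueError("r must be k0 bytes")
    s = xor(x, G(r, len(x)))
    t = xor(r, H(s))
    return s + t


def oaep_decode(y: bytes) -> bytes:
    """Inverse: r = t xor H(s), then x = s xor G(r). Only possible with all of s and t."""
    s, t = y[:-K0], y[-K0:]
    r = xor(t, H(s))
    return xor(s, G(r, len(s)))


def flip_bit(y: bytes, byte_index: int) -> bytes:
    """Damage one bit of the packaged message, as if one packet were lost or altered."""
    b = bytearray(y)
    b[byte_index] ^= 0x01
    return bytes(b)


def bytes_recovered(x: bytes, y: bytes) -> int:
    """How many plaintext bytes survive decoding a damaged y (about len(x)/256 by chance)."""
    return sum(a == b for a, b in zip(x, oaep_decode(y)))


if __name__ == "__main__":
    x = b"an all-or-nothing transform leaks nothing until every packet is present."
    y = oaep_encode(x, os.urandom(K0))
    print(len(y) - len(x), oaep_decode(y) == x)
    print(bytes_recovered(x, flip_bit(y, 0)), bytes_recovered(x, flip_bit(y, len(y) - 1)))
```

The expansion is exactly $k_0$ bytes whatever the message length, which is the fixed overhead Bellare and Boldyreva rely on in section 2.5. A bit flipped in the first part changes $H(s)$ and so the recovered $r$; one flipped in the trailer changes $r$ directly; either way the recovered bytes agree with $x$ only by chance.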

2.2.3 BEAR Preprocessor

Chaffinch (Clayton and Danezis, 2003) uses an AONT scheme based on BEAR (Anderson and Biham, 1996). Clayton and Danezis argue that Rivest’s package transform uses a session key that may be viewed as encryption in a court of law, so they decided to use BEAR instead.

BEAR is a block cipher with variable-length blocks, so it can transform messages of varying lengths. It encrypts a message using a keyed hash function $H(k, \cdot)$ for some key $k$ and a stream cipher $S$:

$$L = L \oplus H(k_1, R)$$
$$R = R \oplus S(L)$$
$$L = L \oplus H(k_2, R)$$

where $L$ is the left-hand side of the message, with length equal to the length of the output of the hash function, and $R$ is the right-hand side of the message and has arbitrary length. The hash function can be any standard hash function such as MD5 (Rivest, 1992), SHA-1 (Eastlake and Jones, 2001) or RIPEMD-160 (Dobbertin, Bosselaers and Preneel, 1996).

Clayton and Danezis drop $k$ to just obtain a sea of random bits:

$$L = L \oplus H(R)$$
$$R = R \oplus S(L)$$
$$L = L \oplus H(R)$$
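The BEAR round above, keyed and in the keyless form Chaffinch uses, as an added example in Python (not Chaffinch’s or the dissertation’s code). $H(k,\cdot)$ is instantiated as HMAC-SHA256, the keyless $H$ as plain SHA-256, and the stream cipher $S$ as SHA-256 run in counter mode seeded with $L$; these are assumptions, since the standard library ships no stream cipher. Decryption is the same three steps with $k_1$ and $k_2$ swapped, so the keyless transform is its own inverse.

```python
import hashlib
import hmac

HLEN = 32  # length of L: the hash output length (SHA-256 here, an assumption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def H(key, data: bytes) -> bytes:
    """H(k, R) as a keyed hash (HMAC-SHA256); with key None it is the plain hash H(R)."""
    if key is None:
        return hashlib.sha256(data).digest()
    return hmac.new(key, data, hashlib.sha256).digest()


def S(seed: bytes, length: int) -> bytes:
    """Stream cipher S keyed by L: SHA-256 in counter mode (an assumption; any stream cipher fits)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def bear(message: bytes, k1=None, k2=None) -> bytes:
    """One BEAR pass: L ^= H(k1, R); R ^= S(L); L ^= H(k2, R).

    Decryption is the same pass with the keys swapped, bear(c, k2, k1);
    the keyless version used by Chaffinch is therefore its own inverse."""
    if len(message) <= HLEN:
        raise ValueError("message must be longer than the hash output")
    L, R = message[:HLEN], message[HLEN:]
    L = xor(L, H(k1, R))
    R = xor(R, S(L, len(R)))
    L = xor(L, H(k2, R))
    return L + R


def bytes_recovered(message: bytes, damaged: bytes) -> int:
    """Plaintext bytes that survive inverting a damaged keyless transform (about 1/256 by chance)."""
    return sum(a == b for a, b in zip(message, bear(damaged)))


if __name__ == "__main__":
    m = b"BEAR turns a message into a sea of random bits; change one byte and nothing comes back."
    c = bear(m)
    print(bear(c) == m)
    d = bytearray(c)
    d[-1] ^= 1
    print(bytes_recovered(m, bytes(d)))
```

A change to any byte of $R$ alters $H(R)$, hence $L$, hence the whole keystream $S(L)$; a change to $L$ alters the keystream directly. Either way the inverse pass returns noise, which is the all-or-nothing behaviour Chaffinch needs from the preprocessor.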

2.3 Message Authentication Codes

There are four types of Message Authentication Codes: unconditionally secure MACs, keyed-hash MACs (or HMAC) (Bellare, Krawczyk and Canetti, 1996), stream cipher-based MACs (Lai, Rueppel and Woollven, 1992) and block cipher-based MACs (National Institute of Standards and Technology (NIST), 1985). An unconditionally secure MAC is based on encryption with a “one-time pad” (Stinson, 2005), and a block cipher-based MAC encrypts the message blocks using DES in CBC mode and outputs the final ciphertext block as the checksum.

Rivest’s original chaffing and winnowing proposal stressed the use of an authentication key and purposely chose a hash function based MAC algorithm to avoid any kind of encryption.

HMAC can use any iterative cryptographic hash function such as SHA-1 (Eastlake and Jones, 2001), as suggested by Rivest, or MD5 (Kaliski Jr. and Robshaw, 1995). The cryptographic strength of the HMAC depends on the underlying hash function. An advantage of using an HMAC is that if a new cryptographic hash function that is faster or proved more secure is developed, it requires little effort to substitute it for the existing hash function.

HMAC requires an input $x$ of arbitrary length and a random key $k$ of length $l$ and works as follows:

$$\mathrm{HMAC}_k(x) = F\big((k \oplus \mathrm{opad}) \,\|\, F((k \oplus \mathrm{ipad}) \,\|\, x)\big)$$

where $F$ is the underlying hash function with a block size of $b$ bits, $k$ is padded with zero bits to $b$ bits before the XOR, the inner pad, ipad, consists of the byte 0x36 repeated as many times as needed to get a $b$-bit block and the outer pad, opad, consists of the byte 0x5c repeated as many times as needed to get a $b$-bit block.

Bellare et al. (1996) analysed the security of HMAC and showed that setting the length of the hash output to 128 bits or more renders birthday attacks “totally infeasible”.
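HMAC built directly from the formula above, as an added example in Python that is not the dissertation’s hmac.c. It takes the hash function as a parameter to make the point about substituting hash functions concrete, applies the RFC 2104 key handling the formula leaves implicit (a key longer than a block is hashed first, then the key is zero-padded to $b$ bits), and cross-checks its output against the standard library. The RFC 4231 test vector used in the demonstration is a published value, not data from this page.

```python
import hashlib
import hmac


def keyed_hash_mac(key: bytes, x: bytes, hashfn=hashlib.sha256) -> bytes:
    """HMAC_k(x) = F((k xor opad) || F((k xor ipad) || x)) for any iterative hash F.

    b is F's block size in bytes (64 for SHA-1, SHA-256 and MD5). Per RFC 2104 a key
    longer than b bytes is hashed, and the key is then padded with zero bytes to
    exactly b bytes before the XOR with ipad (0x36 repeated) and opad (0x5c repeated).
    """
    b = hashfn().block_size
    if len(key) > b:
        key = hashfn(key).digest()
    key = key.ljust(b, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5c for k in key)
    inner = hashfn(ipad + x).digest()
    return hashfn(opad + inner).digest()


def hmac_sha256(key: bytes, x: bytes) -> bytes:
    return keyed_hash_mac(key, x, hashlib.sha256)


def hmac_sha1(key: bytes, x: bytes) -> bytes:
    """Swapping the hash function is a one-argument change, which is the property 3.1.1 asks for."""
    return keyed_hash_mac(key, x, hashlib.sha1)


def matches_stdlib(key: bytes, x: bytes) -> bool:
    """Cross-check both instantiations against the standard library's HMAC."""
    ok256 = hmac.compare_digest(hmac_sha256(key, x), hmac.new(key, x, hashlib.sha256).digest())
    ok1 = hmac.compare_digest(hmac_sha1(key, x), hmac.new(key, x, hashlib.sha1).digest())
    return ok256 and ok1


if __name__ == "__main__":
    # RFC 4231 test case 1: key = 0x0b * 20, data = "Hi There"
    print(hmac_sha256(b"\x0b" * 20, b"Hi There").hex())
    print(matches_stdlib(b"k" * 100, b"a key longer than one block"))
```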


2.4 Symmetric Encryption

Chaffing and winnowing is a symmetric scheme for confidentiality: it uses the same key to “encrypt” a message as it does to decrypt it. Therefore chaffing and winnowing schemes should be comparable to symmetric encryption schemes.

Data Encryption Standard (DES) (National Institute of Standards and Technology (NIST), 1999) is an iterated block cipher that was derived from a symmetric cipher called Lucifer. It was selected as an official Federal Information Processing Standard (FIPS) for the United States in 1976. The cipher has a block length of 64 bits and a key length of 56 bits. DES uses 16 iterations of a keyed round function to encrypt a message. Its 56-bit key has since been shown to be too short to resist brute-force search, and the standard has been updated to Triple-DES (or TDES), which applies DES three times, each with a different key.

In January 1997, the US National Institute of Standards and Technology (NIST) announced an international competition to develop a new encryption standard to replace DES and TDES. The winner of the competition was a submission called Rijndael (Daemen and Rijmen, 1998), which was standardised as the Advanced Encryption Standard (AES). AES is fast, is relatively easy to implement, and requires little memory. It is a key-iterated block cipher because it repeatedly applies a round transformation.

Chaffing and winnowing techniques should be similar in speed to symmetric schemes because they “encrypt” a message using a hash-based MAC, and hash functions, like symmetric ciphers, are generally very fast.

2.5 Bellare and Boldyreva’s New Chaffing and Winnowing Scheme

Bellare and Boldyreva proposed a new chaffing and winnowing scheme that has lower data expansion compared to the bit-by-bit scheme and uses an AONT (Bellare and Boldyreva, 2000). However, this method defies Rivest’s intention that chaffing and winnowing not be viewed as a traditional encryption technique, because it uses a public-key encryption algorithm.

This new technique applies OAEP as an AONT to the message, encrypts the first block and authenticates the remaining part. If the encryption of that first block is done by a chaffing and winnowing scheme such as bit-by-bit, they argue that the whole scheme is a chaffing and winnowing scheme, since the AONT is keyless.

“The savings in bandwidth comes from the fact that the number of bits encrypted using the bit-by-bit scheme is independent of the length of the message.” (Bellare and Boldyreva, 2000)

Therefore there will only be a fixed overhead, no matter how big the message is.


2.6 Hybrid Encryption Techniques

Most public-key algorithms take longer to encrypt and decrypt a message compared to many symmetric-key algorithms of apparently equal security.

Hybrid encryption systems use a fast, high-quality symmetric-key encryption algorithm to encrypt the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm (Lu, 2006).

One important advance in hybrid cryptography is the development of a new model for the development of hybrid encryption algorithms (Cramer and Shoup, 2003). This model separates a hybrid encryption scheme into two parts: an asymmetric key encapsulation mechanism (KEM) and a symmetric data encapsulation mechanism (DEM). It allows the user to generate a random bit string (the symmetric key) and send it to another user after encrypting it using the recipient’s public key.

2.7 Endianness

Chaffing and winnowing schemes that will be implemented in this project should run on both UNIX and Windows platforms, so the endianness of each should be taken into account. Endianness is the ordering in which data is stored as bytes in the computer memory of a given machine. Big-endian machines store the most significant byte value of a piece of data at the memory location with the lowest address, whereas little-endian machines store the least significant byte value at the lowest address. SPARC platforms are big-endian and Intel machines are little-endian.

2.8 Conclusion

In this chapter we surveyed existing chaffing and winnowing techniques and the individual components needed to implement them. We found that the speed of chaffing and winnowing “encryption” should be similar to that of symmetric encryption, but that the data expansion will be greater because of the amount of authentication data.

It was also found that some traditional confidentiality techniques combine public-key and symmetric encryption into hybrid schemes that enjoy the benefits of both. In the next chapter a new hybrid chaffing and winnowing scheme will therefore be devised.


Chapter 3

Requirements

The aim of this chapter is to use the literature survey to determine the requirements of the project. Requirements for the components of the schemes to be implemented are derived first, followed by some non-functional requirements for the project as a whole.

3.1 Functional Requirements

3.1.1 Message Authentication Code

A message authentication code algorithm will be implemented. It will be built on a cryptographic hash function on which it relies for its security. The MAC will be designed so that if a faster or more secure hash function becomes available it can be substituted for the existing one with minimal effort.

The MAC algorithm must have the property that the MAC of the same input under two different keys yields unrelated outputs; an adversary without the key must be unable to produce a valid MAC for any block.

3.1.2 Symmetric Chaffing and Winnowing Schemes

As seen in the literature review, applying an AONT to a message before encrypting it makes it harder for an adversary to recover the plaintext. Two all-or-nothing transforms will be produced in this project. They must have the property that unless every part of the transformed message is received, it looks like a random sea of bits. The design of the AONT chaffing and winnowing scheme must allow the two AONT implementations to be interchanged so that common code can be reused.




3.1.3 Hybrid Chaffing and Winnowing Scheme

In the literature review it was found that many cryptographic techniques combine symmetric and public-key encryption to benefit from the advantages of each.

A new chaffing and winnowing scheme will be produced to do the same, using the techniques researched in the literature review. It is intended to have lower ciphertext expansion and a faster encryption time than the AONT chaffing and winnowing schemes.

3.2 Non-functional Requirements

3.2.1 Performance

If traditional encryption systems were to be outlawed by the government, chaffing and winnowing may well be a viable alternative. We must therefore ensure that our implementations perform as well as they can, so that the comparison against other encryption systems is fair. The encryption and decryption times and the ciphertext expansion of our chaffing and winnowing schemes must be kept to a minimum.

3.2.2 Portability

Windows and UNIX environments are available to the author for testing. All implementations must run on both platforms. In addition, an encryption performed on the Windows platform followed by a decryption on the UNIX platform must yield the original plaintext, and vice versa.

3.2.3 Extensibility

The implementation must allow for future growth of the software. As already stated, the MAC must be implemented so that a more suitable hash function could easily be integrated. Similarly, the AONT chaffing and winnowing schemes must allow for future AONT techniques. Upholding this kind of design will avoid early obsolescence.

3.2.4 Security

We want our schemes to provide a level of security similar to other encryption methods. The security of chaffing and winnowing was researched in the literature review, and the findings there must be followed.



3.2.5 Language Requirements

The language chosen to implement the chaffing and winnowing schemes must be familiar to the author and freely available. It must support bitwise operations and file input and output.

3.2.6 Maintainability

The system must be written in accordance with the published coding standards of the programming language, to encourage further enhancement.


Chapter 4

Design

This chapter outlines the design decisions made so that the components of the schemes, and the schemes themselves, satisfy the requirements set out in the Requirements chapter. The experiments that compare our schemes with traditional techniques, and their expected outcomes, are also discussed.

4.1 Language Choice

The first major design decision was the choice of a suitable programming language in which to implement the chaffing and winnowing schemes. There seemed no great benefit in the author learning a new language, which left Java and C as the only suitable candidates.

Java is an object-oriented language developed by Sun Microsystems in the early 1990s. It aims to let the same program run on multiple operating systems and provides automatic garbage collection. It also has a set of packages, the Java Cryptography Extension (JCE), that implement encryption, key generation, key agreement and MAC algorithms.

C is a procedural language often used to write compilers and interpreters for higher-level languages, and cryptographic tools, because it is efficient, portable and has low-level access to memory.

Although Java meets the language requirements devised earlier, C will be used for this project because many of the free cryptographic tools we may want to compare our schemes with are written in C.




4.2 High Level Design

4.2.1 Symmetric Chaffing and Winnowing Schemes

The “scattering scheme” described in (Bellare and Boldyreva, 2000) will be implemented with one minor alteration.

(Bellare and Boldyreva, 2000) first apply an AONT to the message and split the result into blocks of equal size. The positions of the wheat packets are then chosen at random. We will instead choose the positions of the chaff packets. The number of chaff packets is fixed at 128, so for large files choosing the chaff positions is cheaper than choosing the wheat positions. Then, for each output position, if its index is one of the chaff positions a random fake block with a random MAC is written to the output file; otherwise the next block of the transformed message and its MAC are written. To “winnow” a file, it is split into packets and the MAC of each block is recomputed. If the computed MAC matches the MAC read with the block, the block is kept; otherwise it is discarded. When every packet has been processed the remaining blocks are inverted and the original message is revealed.

Algorithm 4.1: Chaffing and Winnowing AONT Scheme Encryption

Algorithm ε^{F(K,·)}(M)
    M′ ← AONT(M)
    Parse M′ as m_1 ‖ m_2 ‖ ··· ‖ m_s where |m_i| = n
    Pick S ⊆ {1, …, s + s′} at random subject to |S| = s′   (S is the set of chaff positions)
    j ← 0
    for i = 1, …, s + s′ do
        if i ∈ S then
            dt[i] ←R {0, 1}^n
            tg[i] ←R {0, 1}^l
            Pkt[i] ← (dt[i], tg[i])
        else
            j ← j + 1
            tg[i] ← F(K, m_j)
            Pkt[i] ← (m_j, tg[i])
        end
    end
    Return Pkt[1], Pkt[2], …, Pkt[s + s′]

Since every packet carries a MAC of l bytes, the output for an s-block transformed message is (s + s′)(n + l) bytes; the data expansion therefore grows linearly with the number of blocks in the message.



Algorithm 4.2: Chaffing and Winnowing AONT Scheme Decryption

Algorithm D^{F(K,·)}(Pkt_1, …, Pkt_{s+s′})
    j ← 0
    for i = 1, …, s + s′ do
        Parse Pkt_i as (dt, tg)
        if F(K, dt) = tg then
            j ← j + 1
            m_j ← dt
        end
    end
    M ← AONT⁻¹(m_1 ‖ m_2 ‖ ··· ‖ m_s)
    Return M

4.2.2 Hybrid Chaffing and Winnowing Schemes

At first the author thought to apply an AONT to the input file and parse the result into blocks as in the symmetric schemes, but to encrypt the first block with RSA. By the definition of an AONT this would strengthen the scheme, because an adversary would need both to decipher the RSA-encrypted block and to recover the other blocks in order to read the whole message. However, this method would still require a MAC for each block. Data expansion would be greater than in the AONT scheme because of the extra information to transmit, and execution time would increase because of the extra encryption.

It seems that the key to reducing both data expansion and execution time is to remove the need for MACs.

The hybrid scheme will apply an AONT to the message, choose a random set of chaff positions, encrypt that set under the recipient’s public key and output it along with the transformed message interleaved with the chaff. Because the chaff positions are transmitted, we no longer need to attach a MAC to each block. Dropping the MACs also removes the integrity check that winnowing provided: a wheat packet that is corrupted or altered in transit is no longer detected at winnowing time, and because of the AONT the damage spreads across the whole recovered message.

Let Enlen be the length of the public-key encryption of the chaff positions and s′ the number of chaff packets. The overhead of the hybrid scheme over the transformed message is then Enlen + s′·n bytes.

Not only will this scheme reduce the data expansion compared with our AONT scheme, but the expansion no longer depends on the size of the message. We expect that whatever the size of the plaintext, the data expansion will be constant.

4.3 Modular Decomposition

The chaffing and winnowing schemes will be split into modules as shown in Figure A.1. This type of system architecture helps to increase the performance, robustness, distributability and maintainability of a system (Somerville, 2004). Critical operations are localised to a small number of subsystems, with as little communication between them as possible. Designing the subsystems as fine-grained, self-contained components enables them to be changed readily. The call-return control model (Somerville, 2004) will be used to design a system controller, the root node of the model, which controls the sequential execution of the subsystems.

Algorithm 4.3: Chaffing and Winnowing Hybrid Scheme Encryption

Algorithm ε(M)
    M′ ← AONT(M)
    Parse M′ as m_1 ‖ m_2 ‖ ··· ‖ m_s where |m_i| = n
    Pick S ⊆ {1, …, s + s′} at random subject to |S| = s′   (S is the set of chaff positions)
    S′ ← E(publickey, S)
    j ← 0
    for i = 1, …, s + s′ do
        if i ∈ S then
            dt[i] ←R {0, 1}^n
            Pkt[i] ← dt[i]
        else
            j ← j + 1
            Pkt[i] ← m_j
        end
    end
    Return S′, Pkt[1], Pkt[2], …, Pkt[s + s′]

Algorithm 4.4: Chaffing and Winnowing Hybrid Scheme Decryption

Algorithm D(M′)
    Parse M′ as S′, Pkt[1], Pkt[2], …, Pkt[s + s′] where |S′| = Enlen
    S ← D(privatekey, S′)
    j ← 0
    for i = 1, …, s + s′ do
        if i ∉ S then
            j ← j + 1
            m_j ← Pkt[i]
        end
    end
    M ← AONT⁻¹(m_1 ‖ m_2 ‖ ··· ‖ m_s)
    Return M

4.3.1 MAC

The MAC that will be implemented is the hash-based MAC, HMAC, as suggested by Rivest (Rivest, 1998). HMAC was chosen because it is the simplest MAC to implement, is faster in software than a block-cipher-based MAC, and does not violate Rivest’s definition of chaffing and winnowing: its key is an authentication key and no encryption takes place.

The hash function used is Rivest’s MD5 (Rivest, 1992). Practical collision attacks on MD5 have been published, so it can no longer be considered collision resistant; HMAC, however, does not rely on collision resistance, and (Bellare et al., 1996) show that such attacks are “inapplicable against our MAC construction where the outer application of the hash function prevents the extension attacks.” SHA-1 (Eastlake and Jones, 2001) could have been used, but it produces a longer output than MD5 and was judged not to be more secure in this context.

We will follow the HMAC-MD5 algorithm from (Bellare et al., 1996) because it is proved secure provided the underlying hash function has some reasonable cryptographic strength. The MD5 implementation made available by RSA Data Security, Inc.¹

“A correct implementation, the choice of random (or cryptographically pseudorandom) keys, a secure key exchange mechanism, frequent key refreshments and good secrecy protection of keys are all essential ingredients for the security of the integrity verification mechanism provided by HMAC” (Bellare et al., 1996).

We also note that HMAC uses the underlying hash function as a “black box” (the hash function is applied without any modification) and therefore permits the use of any existing library code that implements it.

4.3.2 Package Transform

The package transform is the AONT Rivest suggests in (Rivest, 1998). It will be implemented as described in (Rivest, 1997).

The transform uses a fixed, publicly known key K0 together with a randomly chosen key K′ that is fresh for every message.

Rivest’s RC5 block cipher (Rivest, 1994) will be used for the package transform because it is the cipher Rivest suggests. Other block ciphers such as Blowfish (Schneier, 1994) or AES (Daemen and Rijmen, 1998) could be used, but RC5 reference code is freely available.

¹ Available at http://theory.lcs.mit.edu/ rivest/md5.c



4.3.3 OAEP

OAEP will be implemented as described in (RSA Data Security, Inc., 1998). It is based on the design of (Bellare and Rogaway, 1995) and uses a mask generation function (MGF) to compute a pseudorandom string of any required length. Both the OAEP implementation and the MGF will use the MD5 hash algorithm, since MD5 is used throughout this project.

The OAEP parameters include the desired length of the transformed file, emLen. To encode a message M, a data block is constructed by concatenating the hash of the passphrase P, a padding string of zero octets, a single 0x01 octet and the message. The data block is XORed with a mask of the same length generated by the MGF from a random seed. A second mask is generated by the MGF from the masked data block; this is XORed with the seed and the result is written to the output file, followed by the masked data block.

The decoding process checks the structure of the input file and outputs “decoding error” if the expected structure is not present. The seed is recovered by extracting the masked data block, generating a mask from it and XORing the result with the first hLen octets of the input. The data block is then revealed by computing the data block mask from the seed and XORing it with the masked data block. Finally the hash of the passphrase is compared with the hash carried in the data block, and the padding is checked to consist of zero octets followed by a single 0x01. If all checks pass, decoding has succeeded; otherwise it has failed, and the same error is reported whichever check failed, so that the caller learns nothing about which part was wrong.

Algorithm 4.5: OAEP Encoding Operation

Algorithm ε^{H(·), MGF(seed, length)}(M, P, emLen)
    if |M| > emLen − 2hLen − 1 then
        Print “message too long”
        Return
    end
    PS ← {0}^(emLen − |M| − 2hLen − 1)
    pHash ← H(P)
    DB ← pHash ‖ PS ‖ 01 ‖ M
    seed ←R {0, 1}^hLen
    dbMask ← MGF(seed, emLen − hLen)
    maskedDB ← DB ⊕ dbMask
    seedMask ← MGF(maskedDB, hLen)
    maskedSeed ← seed ⊕ seedMask
    EM ← maskedSeed ‖ maskedDB
    Return EM

4.3.4 Mask Generation Function

A mask generation function takes a string and the desired output length as input and generates a pseudorandom string of that length. It should be infeasible to distinguish the output from a truly random string unless the seed of the function is known.

Algorithm 4.6: OAEP Decoding Operation

Algorithm D^{H(·), MGF(seed, length)}(EM, P)
    if |EM| < 2hLen + 1 then
        Print “decoding error”
        Return
    end
    Parse EM as maskedSeed ‖ maskedDB where |maskedSeed| = hLen and |maskedDB| = |EM| − hLen
    seedMask ← MGF(maskedDB, hLen)
    seed ← maskedSeed ⊕ seedMask
    dbMask ← MGF(seed, |EM| − hLen)
    DB ← maskedDB ⊕ dbMask
    pHash ← H(P)
    Parse DB as pHash′ ‖ PS ‖ 01 ‖ M where |pHash′| = hLen and PS ∈ {0}*
    if DB cannot be parsed this way or pHash′ ≠ pHash then
        Print “decoding error”
        Return
    end
    Return M

4.4 Public-key Encryption Algorithms

The hybrid chaffing and winnowing scheme needs a public-key encryption algorithm with low data expansion and good encryption and decryption speed.

RSA (R. Rivest and Adleman, 1978) is a public-key encryption algorithm invented by Rivest, Shamir and Adleman. Its security rests on the difficulty of factoring large integers that are the product of two primes.

ElGamal (ElGamal, 1984) is based on Diffie-Hellman key agreement. Its security depends on the difficulty of computing discrete logarithms. Its ciphertext is twice the size of the plaintext group element, so its data expansion is higher than that of RSA.

RSA will be used rather than ElGamal because it performs better for our needs, namely lower data expansion and quicker encryption and decryption.

Due to the time constraints of this project an RSA implementation will not be written; instead it will be taken from the cryptographic library XySSL². XySSL is an open-source cryptographic library written in C that can be used free of charge.

² Available at http://xyssl.org/



4.5 Experiment Design

4.5.1 What will Chaffing and Winnowing schemes be compared to?

Our four chaffing and winnowing schemes will be compared with AES and TDES. Both are symmetric-key block ciphers and, with a suitable key length, should give security comparable to our chaffing and winnowing schemes.

GnuPG³ is a free implementation of the OpenPGP standard that allows users to encrypt and sign data and communications. It is a command-line tool supporting several encryption algorithms, including AES and TDES. GnuPG will be used to encrypt the test data with AES and TDES in our experiments.

4.5.2 What will the tests measure?

The tests will measure the data expansion of the ciphertext and the encryption speed of each algorithm. Timing will be done with the UNIX time command.

To measure data expansion, a file is encrypted and the size of the output compared with the size of the original plaintext. This is repeated for files of different sizes, because we know that the expansion of the symmetric schemes is not constant.

4.5.3 Expected outcomes

We have already stated that we expect the hybrid chaffing and winnowing schemes to encrypt a message faster, and to produce a smaller ciphertext, than our AONT chaffing and winnowing schemes.

It is expected that the symmetric schemes will have significantly poorer ciphertext expansion than the traditional schemes because of the large amount of authentication data. Their execution time will also be higher, since the hash algorithm is executed for every block and this will prove costly. We hope that the hybrid technique, by reducing the number of calls to the hash function and the amount of authentication data, will be of similar speed and data expansion to AES and TDES.

4.6 Objectives

4.6.1 Chaffing and Winnowing Schemes

• A symmetric AONT scheme will be implemented using the package transform.

• A symmetric AONT scheme will be implemented using OAEP.

³ Available at http://www.gnupg.org/



• A hybrid chaffing and winnowing scheme will be produced using the package transform and the RSA library.

• A hybrid chaffing and winnowing scheme will be produced using OAEP and the RSA library.

4.6.2 Chaffing and Winnowing Library

• HMAC-MD5 will be produced as described in (Bellare et al., 1996).

• The package transform will be produced as described in (Rivest, 1997).

• OAEP will be implemented as described in (RSA Data Security, Inc., 1998) using the MGF and MD5 libraries.

• MGF will be implemented as described in (RSA Data Security, Inc., 1998) using the MD5 library.


Chapter 5

Implementation

In this chapter the implementation decisions are reviewed and we discuss how the schemes were implemented. The source code of the schemes and their components can be found in Appendix D of this document, and all the source code is on the accompanying CD.

5.1 Chaffing and Winnowing Library

5.1.1 Global Module

It was clear that some functions would be shared by all the chaffing and winnowing schemes, so a shared library was created. This library mainly holds the functions that calculate the positions of the chaff blocks. This was relatively straightforward, except that before a random number is added to the array of chaff indices we must ensure it is not already present, so a check for duplicates is made before each number is added. The array must be sorted before it is returned to the chaffing and winnowing scheme, so a quicksort function also resides in the global library. A function to test the endianness of the platform was also implemented. It initialises a two-byte integer to 0x1234 and a byte pointer to the first byte of the integer: if that byte is 0x12 the platform is big-endian, otherwise it is little-endian.

5.1.2 HMAC

The HMAC module was easy to implement. The only change needed to the implementation described in (Bellare et al., 1996) was the substitution of memcpy for bcopy, since bcopy is outdated and may be withdrawn. The HMAC-MD5 transform is

    MD5(K XOR opad, MD5(K XOR ipad, text))

where K is an n-byte key zero-padded to 64 bytes (and hashed first if it is longer than 64 bytes), ipad is the byte 0x36 repeated 64 times, opad is the byte 0x5c repeated 64 times and text is the data being protected.

5.1.3 Package Transform

The package transform was implemented with the RC5 block cipher, using RC5-32/12/16 as described in (Rivest, 1994): 32 is the word size in bits (so a block is two words, 64 bits), 12 is the number of rounds and 16 is the number of bytes in the key. The only alteration to Rivest’s reference code was to allow more than one expanded key to be in use at the same time, as the package transform needs both K0 and K′; this was trivial.

The package transform block size was set to 8 bytes to coincide with the 64-bit block of RC5.

The RC5 implementation produces its ciphertext as two 4-byte words. As a result, XORing the ciphertext with a block of data took some time to implement. Eventually it was found that each half of the block had to be handled in turn, shifting each byte into position and masking it off with 0xFF.

Listing 5.1: XORing each half of the RC5 ciphertext with a block of data

    /* ct[0] and ct[1] are the two 32-bit words of the RC5 output. Taking the
       bytes out by shifting, rather than through a byte pointer, gives the
       same byte order on big- and little-endian hosts. */
    for (j = 0, k = 24; j < 4; j++) {
        outputblock[j] = currentblock[j] ^ ((ct[0] >> k) & 0xFF);
        k -= 8;
    }
    for (j = 4, k = 24; j < 8; j++) {
        outputblock[j] = currentblock[j] ^ ((ct[1] >> k) & 0xFF);
        k -= 8;
    }

The hardest thing encountered when implementing the package transform was XORing values of different sizes, because the XOR operator in C works on integer operands; the tutorial at www.cprogramming.com was invaluable.

The key size for the package transform was set at 16 bytes (128 bits), as specified by Rivest, to provide the maximum security the package transform can offer. The public key K0 is a fixed constant, whereas the key K′ is generated at random each time the package transform is executed.

When implementing the inverse transform the number of blocks must be calculated so that we can loop over the correct number of blocks of the transformed file. To do this the size of the file must first be found. An online forum thread showed how to do this in C: seek to the end of the file (fseek with SEEK_END), read the file position (ftell) and rewind to the beginning. The number of blocks in the file can then be found:

Listing 5.2: Calculating the number of message blocks in a transformed file

    total_no_of_blocks = floor(filesize / BLOCKSIZE);
    key_blocks = KEYSIZE / BLOCKSIZE;            /* 16 / 8 = 2 blocks hold K' */
    no_of_blocks = total_no_of_blocks - key_blocks;

where key_blocks is the number of blocks that hold the scrambled key.

Figure 5.1: The construction of data block DB
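The following is an added example, not the project’s C code, showing the package transform of 4.3.2 and 5.1.3 in full. It keeps Rivest’s structure exactly: m′_i = m_i ⊕ E(K′, i) for i = 1, …, s, followed by a final block m′_{s+1} = K′ ⊕ h_1 ⊕ ··· ⊕ h_s with h_i = E(K0, m′_i ⊕ i). Because E is only ever applied in the forward direction, any pseudorandom function fits the construction, so HMAC-MD5 stands in for the RC5 encryption the project uses (an assumption of this example, not the dissertation’s choice); the block size is 16 bytes so that the 16-byte K′ occupies a single block rather than the two key_blocks of Listing 5.2.

```python
"""Rivest's package transform with a PRF standing in for the block cipher."""
import hashlib
import hmac
import secrets

BLOCK = 16                  # block size == key size, so K' is one block
K0 = bytes(range(BLOCK))    # fixed, publicly known key; the value is arbitrary


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for E(key, data): HMAC-MD5, 16-byte output like the block."""
    return hmac.new(key, data, hashlib.md5).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr(i: int) -> bytes:
    """Block index i as a big-endian block-sized string (host independent)."""
    return i.to_bytes(BLOCK, "big")


def split(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def package(message: bytes) -> bytes:
    """Transform: s message blocks -> s pseudo-message blocks + 1 key block."""
    blocks = split(message)
    k_prime = secrets.token_bytes(BLOCK)          # fresh random key per call
    out = [xor(m, prf(k_prime, ctr(i))) for i, m in enumerate(blocks, 1)]
    last = k_prime
    for i, mp in enumerate(out, 1):
        last = xor(last, prf(K0, xor(mp, ctr(i))))   # h_i = E(K0, m'_i XOR i)
    return b"".join(out) + last


def unpackage(transformed: bytes) -> bytes:
    """Inverse: K' is recovered from ALL pseudo-message blocks, then used to
    unmask them; a change to any single block therefore corrupts every block."""
    blocks = split(transformed)
    if not blocks:
        raise ValueError("empty input")
    out, k_prime = blocks[:-1], blocks[-1]
    for i, mp in enumerate(out, 1):
        k_prime = xor(k_prime, prf(K0, xor(mp, ctr(i))))
    return b"".join(xor(mp, prf(k_prime, ctr(i))) for i, mp in enumerate(out, 1))


def blocks_intact(original: bytes, recovered: bytes) -> int:
    """Number of blocks of `recovered` equal to the original's; 0 after any
    damage is the all-or-nothing property in action."""
    return sum(a == b for a, b in zip(split(original), split(recovered)))
```

The transform adds exactly one block of expansion, and two transforms of the same input differ because K′ is fresh each time; the security of the whole construction rests on K′ coming from a cryptographically strong source.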

5.1.4 Optimal Asymmetric Encryption Padding

Unlike the package transform, the intended size of the transformed message is a parameter to the OAEP transform function. In order to construct the data block DB (shown in Figure 5.1) the correct amount of memory must be allocated first. The size of DB is the intended length of the transformed message minus the length of the hash function’s output. With this known, memory for DB can be allocated and zeroed. DB is then constructed as shown in Listing 5.3.

Listing 5.3: Constructing the data block DB

    /* DB = pHash || PS || separator || M, with |DB| = emLen - hLen.
       The malloc result should be checked for NULL before use. */
    DB = malloc(sizeof(char) * (emLen - HASHOUTLEN));
    memset(DB, 0, (emLen - HASHOUTLEN));           /* PS is all zero bytes */

    for (i = 0; i < HASHOUTLEN; i++) {
        DB[i] |= mdContext.digest[i];               /* pHash = MD5(passphrase) */
    }

    /* Separator byte: 255 (0xFF) here, whereas PKCS #1 v2.0 specifies 0x01;
       the decoder only requires the first non-zero byte after PS. */
    DB[emLen - filesize - HASHOUTLEN - 1] = 255;

    for (i = 0; i < filesize; i++) {
        DB[i + emLen - filesize - HASHOUTLEN] |= message[i];
    }

To invert the transform, DB must be separated into the original hash, the string of zeroes, the separator byte and the original message. To find the separator, a pointer is advanced over the zeroes until a non-zero byte is found; the message then spans from the byte after it up to the size of the transformed file minus the size of the hash output. The separation of DB is shown in Figure 5.2.

Figure 5.2: The deconstruction of data block DB

5.1.5 Mask Generation Function

The mask generation function implemented was MGF1 (RSA Data Security, Inc., 1998), which is based on a hash function. MD5 was used as the hash function for MGF1 because it is used throughout the project. Z is the seed from which the mask is generated and l is the intended length in octets of the mask.

Algorithm 5.1: Mask Generation Function

Algorithm MGF1(Z, l)
    Let hLen denote the length in octets of the hash function output
    if l > 2^32 · hLen then
        Print “mask too long”
        Return
    end
    Let T be the empty octet string
    for counter = 0, …, ⌈l / hLen⌉ − 1 do
        C ← I2OSP(counter, 4)        (the counter as a 4-octet big-endian string)
        T ← T ‖ Hash(Z ‖ C)
    end
    Return the leading l octets of T

Converting the integer counter to a 4-octet string (Listing 5.4) was done in the same way as the package transform XORs a counter with a block of data; because the bytes are extracted by shifting, the result is big-endian on both platforms.



Listing 5.4: Converting an integer to a 4-octet string

    /* I2OSP(i, 4): most significant byte first, independent of host endianness */
    counter[0] = (unsigned char)((i >> 24) & 255);
    counter[1] = (unsigned char)((i >> 16) & 255);
    counter[2] = (unsigned char)((i >> 8) & 255);
    counter[3] = (unsigned char)(i & 255);
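As an added example (not the dissertation’s code), the OAEP encoding and decoding of Algorithms 4.5 and 4.6 and the MGF1 of Algorithm 5.1, as implemented in 5.1.4 and 5.1.5, are written out in full below with MD5 as the hash (hLen = 16). Two details differ from the project’s C listings and are assumptions of this example: the separator byte is the 0x01 that PKCS #1 v2.0 specifies rather than the 255 of Listing 5.3, and the MGF1 length bound is the standard 2^32 · hLen. Every decoding failure is reported with the same “decoding error”, so a caller cannot tell a bad passphrase from corrupted input.

```python
"""EME-OAEP encode/decode with MGF1 over MD5 (PKCS #1 v2.0 style)."""
import hashlib
import hmac
import secrets

H_LEN = 16  # MD5 output length in octets


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1: T = H(Z||C_0) || H(Z||C_1) || ... truncated to `length` octets,
    where C_i is the 4-octet big-endian counter I2OSP(i, 4) (cf. Listing 5.4)."""
    if length > (1 << 32) * H_LEN:
        raise ValueError("mask too long")
    t = bytearray()
    counter = 0
    while len(t) < length:
        t += hashlib.md5(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(t[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, passphrase: bytes, em_len: int) -> bytes:
    if len(message) > em_len - 2 * H_LEN - 1:
        raise ValueError("message too long")
    p_hash = hashlib.md5(passphrase).digest()
    ps = b"\x00" * (em_len - len(message) - 2 * H_LEN - 1)
    db = p_hash + ps + b"\x01" + message           # |DB| = emLen - hLen
    seed = secrets.token_bytes(H_LEN)              # fresh seed: same M, new EM
    masked_db = xor(db, mgf1(seed, em_len - H_LEN))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return masked_seed + masked_db


def oaep_decode(em: bytes, passphrase: bytes) -> bytes:
    if len(em) < 2 * H_LEN + 1:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[:H_LEN], em[H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, len(em) - H_LEN))
    p_hash_recv, body = db[:H_LEN], db[H_LEN:]
    # Walk the zero padding PS; the first non-zero octet must be the 0x01 separator
    sep = next((k for k, octet in enumerate(body) if octet), None)
    hash_ok = hmac.compare_digest(p_hash_recv, hashlib.md5(passphrase).digest())
    if sep is None or body[sep] != 0x01 or not hash_ok:
        raise ValueError("decoding error")         # one uniform failure message
    return body[sep + 1:]


def decodes(em: bytes, passphrase: bytes) -> bool:
    """True if `em` decodes under `passphrase`, False on any decoding error."""
    try:
        oaep_decode(em, passphrase)
        return True
    except ValueError:
        return False
```

With emLen set to the input size plus 128, as in 5.2.2, the transform adds a constant 128 octets; a single flipped octet anywhere in EM changes the recovered seed and hence the whole data block, so the passphrase hash check fails and nothing of the message is revealed.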

5.2 Chaffing and Winnowing Schemes

5.2.1 Symmetric Package Transform Scheme

Once the library modules had been implemented, the Symmetric Package Transform Scheme was easy to implement.

To “encrypt” a file it is transformed with the package transform and stored in a temporary file. The chaff positions are then calculated with the chaff_indices() function in the global library. For each output block, if the index is a chaff position a fake block and MAC are generated and written to the output file; otherwise the next block of input data and its MAC are written.

To “decrypt” a file each block is read and its MAC calculated. If the calculated MAC equals the MAC supplied, the block is written to a temporary file. When all blocks have been processed the temporary file is inverted to reveal the original message.
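The following is an added example, not the project’s code, of the symmetric scheme of Algorithms 4.1 and 4.2 as implemented here in 5.2.1, including the duplicate-free, sorted chaff positions of the global module (5.1.1). Wheat blocks are tagged with HMAC-MD5 under the key K, chaff blocks carry random data and a random tag, and the receiver keeps exactly the blocks whose tags verify. The AONT stage is left out: the `message` passed in stands for the already transformed M′, and a chaff count of 4 is used in place of the project’s fixed 128 so the output is easy to inspect.

```python
"""Scattering-style chaffing and winnowing with HMAC-MD5 tags."""
import hashlib
import hmac
import secrets

BLOCK_SIZE = 8    # n: bytes per data block (the 8-byte RC5 block of 5.1.3)
TAG_LEN = 16      # l: full HMAC-MD5 output
NUM_CHAFF = 4     # s': chaff packets per file (the project fixes this at 128)
_rng = secrets.SystemRandom()


def mac(key: bytes, block: bytes) -> bytes:
    """F(K, .): HMAC-MD5 over one block."""
    return hmac.new(key, block, hashlib.md5).digest()


def chaff_positions(total: int, num_chaff: int) -> list:
    """Distinct chaff indices in [0, total), sorted, as the global module's
    duplicate check plus quicksort produce them."""
    return sorted(_rng.sample(range(total), num_chaff))


def chaff(key: bytes, message: bytes, num_chaff: int = NUM_CHAFF) -> bytes:
    """Serialise Pkt[1..s+s']: every packet is block || tag."""
    if len(message) % BLOCK_SIZE:
        raise ValueError("message must be a whole number of blocks")
    blocks = [message[i:i + BLOCK_SIZE] for i in range(0, len(message), BLOCK_SIZE)]
    total = len(blocks) + num_chaff
    positions = set(chaff_positions(total, num_chaff))
    out = bytearray()
    j = 0
    for i in range(total):
        if i in positions:
            # Chaff: random block with a random tag, which verifies under any
            # key only with probability 2^-128
            out += secrets.token_bytes(BLOCK_SIZE) + secrets.token_bytes(TAG_LEN)
        else:
            out += blocks[j] + mac(key, blocks[j])
            j += 1
    return bytes(out)


def winnow(key: bytes, stream: bytes) -> bytes:
    """Keep the blocks whose tag verifies under `key`; drop everything else."""
    pkt_len = BLOCK_SIZE + TAG_LEN
    if len(stream) % pkt_len:
        raise ValueError("truncated packet stream")
    kept = []
    for i in range(0, len(stream), pkt_len):
        block = stream[i:i + BLOCK_SIZE]
        tag = stream[i + BLOCK_SIZE:i + pkt_len]
        # Constant-time comparison: the tag check is the only key-dependent step
        if hmac.compare_digest(mac(key, block), tag):
            kept.append(block)
    return b"".join(kept)
```

The output size is (s + s′)(n + l) bytes for an s-block input, which is the linear expansion noted in 4.2.1. With the wrong key every wheat tag fails and the winnowed output is empty, which is the property that lets the authentication key alone separate wheat from chaff.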

5.2.2 Symmetric Optimal Asymmetric Encryption Padding Scheme

The Symmetric OAEP Scheme was implemented like the Symmetric Package Transform Scheme except that it uses the OAEP module. OAEP needs a parameter giving the intended length of the transformed message; this was set to the size of the input file plus 128.

5.2.3 Hybrid Package Transform Scheme

The hybrid package transform scheme was fairly easy to implement. The most difficult part was ensuring that data affected by the endianness of the machine is stored in big-endian order on both platforms. The technique used is shown in Listing 5.5.

Listing 5.5: The chaff positions are stored in big-endian order whichever platform the scheme is run on

    /* endian() is the global module's run-time test (5.1.1) and SWAP
       reverses the bytes of one integer in place; on a big-endian host the
       values already have the required byte order. */
    if (endian() == LITTLEENDIAN) {
        for (i = 0; i < NUMCHAFFS; i++) {
            newchaffpositions[i] = chaffarray[i];
            SWAP(newchaffpositions[i]);
        }
    }



When winnowing a file the number of blocks must be determined. This was done by finding the size of the chaffed file, reading the encrypted chaff-position data, noting the file position reached, and dividing the remaining length by the block size.
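The following is an added example, not the project’s code, of the hybrid scheme of Algorithms 4.3 and 4.4 as implemented in 5.2.3 and 5.2.4. The chaff positions are serialised as big-endian 32-bit integers (the portability concern of 2.7 and Listing 5.5), encrypted under the recipient’s public key and sent ahead of the packets, and no per-block MAC is attached. The project links XySSL for RSA; so that this example runs offline, a textbook RSA on self-generated 512-bit keys with no padding stands in (an assumption of the example, and unsafe for any real use). The AONT stage is omitted, so `message` is the transformed M′, and the packet layout with a 2-byte length prefix for Enlen is this example’s own.

```python
"""Hybrid chaffing and winnowing: chaff positions sent RSA-encrypted, no MACs."""
import random
import secrets
import struct

BLOCK = 8          # n bytes per packet
NUM_CHAFF = 8      # s'; kept small so 4*s' position bytes fit in one RSA block
_rng = random.SystemRandom()


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases (error probability at most 4^-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)): textbook RSA with e = 65537, illustration only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # gcd(e, phi) == 1 as e is prime
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt_raw(pub, data: bytes) -> bytes:
    """S' = S^e mod n, Enlen = |n| bytes wide. Unpadded: not for real use."""
    n, e = pub
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("data too long for modulus")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_decrypt_raw(priv, cipher: bytes, out_len: int) -> bytes:
    n, d = priv
    return pow(int.from_bytes(cipher, "big"), d, n).to_bytes(out_len, "big")


def hybrid_chaff(pub, message: bytes) -> bytes:
    if len(message) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    blocks = [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]
    total = len(blocks) + NUM_CHAFF
    positions = sorted(_rng.sample(range(total), NUM_CHAFF))
    pos_set = set(positions)
    # Big-endian 32-bit positions: the same bytes on SPARC and x86 (cf. 5.2.3)
    s_bytes = struct.pack(">%dI" % NUM_CHAFF, *positions)
    s_enc = rsa_encrypt_raw(pub, s_bytes)
    packets, j = [], 0
    for i in range(total):
        if i in pos_set:
            packets.append(secrets.token_bytes(BLOCK))    # chaff, no tag
        else:
            packets.append(blocks[j])                      # wheat, no tag
            j += 1
    # Enlen travels as a 2-byte big-endian length prefix (layout assumed here)
    return struct.pack(">H", len(s_enc)) + s_enc + b"".join(packets)


def hybrid_winnow(priv, stream: bytes) -> bytes:
    (enlen,) = struct.unpack(">H", stream[:2])
    s_enc, body = stream[2:2 + enlen], stream[2 + enlen:]
    if len(body) % BLOCK:
        raise ValueError("truncated packet stream")
    positions = set(struct.unpack(">%dI" % NUM_CHAFF,
                                  rsa_decrypt_raw(priv, s_enc, 4 * NUM_CHAFF)))
    # Without MACs nothing here can detect a modified wheat packet
    return b"".join(body[i:i + BLOCK] for i in range(0, len(body), BLOCK)
                    if i // BLOCK not in positions)
```

The overhead is Enlen + s′·n bytes regardless of the message length, as 4.2.2 predicts. The last assertion below shows the cost of dropping the MACs: a stream whose packet bytes have all been altered still winnows “successfully” to the right length, and only the AONT inverse, applied afterwards, would turn the result into noise rather than report an error.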

5.2.4 Hybrid Optimal Asymmetric Encryption Padding Scheme

The hybrid OAEP scheme was implemented much the same way as the hybrid packagetransform scheme.


Chapter 6

Testing

Testing took place throughout the implementation, because the success of the chaffing and winnowing schemes rests largely on their underlying modules, which had to be working before the schemes themselves could be implemented correctly.

In this chapter we show the testing performed on each library module and on each chaffing and winnowing scheme. Portability was an important requirement, so we also perform tests to show cross-platform compatibility.

All tests were performed on the amos server provided by Bath University Computing Service and on the author’s personal computer. Amos is a Sun Ultra E480 with four 900 MHz UltraSPARC III CPUs and 16 GB of RAM. The author’s PC is an AMD XP 2200+ with 1 GB of RAM.

6.1 Component Testing

6.1.1 HMAC

To test the HMAC module, the test cases for HMAC-MD5 in (Cheng and Glenn, 1997) were applied and the results of our implementation were compared to the digests given.

All the computed digests matched on both test platforms.
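As an added example (not the dissertation's hmac.c), the same RFC 2104 construction built from plain MD5 calls in Python, including the key-longer-than-64-bytes path, checked against four of the HMAC-MD5 test cases published by Cheng and Glenn (1997); the vector values are quoted from that document.

```python
import hashlib

MD5_BLOCK = 64        # MD5 processes 64-byte blocks; the ipad/opad buffers in hmac.c are this size
IPAD, OPAD = 0x36, 0x5c


def hmac_md5(key: bytes, text: bytes) -> bytes:
    """MD5(K XOR opad, MD5(K XOR ipad, text)), computed the way the hmac.c listing does it."""
    if len(key) > MD5_BLOCK:
        key = hashlib.md5(key).digest()            # key longer than 64 bytes: key = MD5(key)
    key = key.ljust(MD5_BLOCK, b"\x00")            # zero-filled pad buffers with the key copied in
    k_ipad = bytes(b ^ IPAD for b in key)
    k_opad = bytes(b ^ OPAD for b in key)
    inner = hashlib.md5(k_ipad + text).digest()    # first pass: inner pad, then the text
    return hashlib.md5(k_opad + inner).digest()    # second pass: outer pad, then the inner digest


# Test cases 1, 2, 3 and 6 from Cheng and Glenn (1997); case 6 has an 80-byte key and so
# exercises the hash-the-key-first branch above.
CHENG_GLENN_HMAC_MD5 = [
    (b"\x0b" * 16, b"Hi There", "9294727a3638bb1c13f48ef8158bfc9d"),
    (b"Jefe", b"what do ya want for nothing?", "750c783e6ab0b503eaa86e310a5db738"),
    (b"\xaa" * 16, b"\xdd" * 50, "56be34521d144c88dbb8c733f0e8b3f6"),
    (b"\xaa" * 80, b"Test Using Larger Than Block-Size Key - Hash Key First",
     "6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd"),
]


def run_test_vectors(vectors=CHENG_GLENN_HMAC_MD5) -> list:
    """The component test of section 6.1.1: one True/False per vector, comparing the
    computed digest with the published one."""
    return [hmac_md5(key, text).hex() == expected for key, text, expected in vectors]


if __name__ == "__main__":
    for (key, text, expected), ok in zip(CHENG_GLENN_HMAC_MD5, run_test_vectors()):
        print(f"{'PASS' if ok else 'FAIL'}  key_len={len(key):2d}  expected={expected}")
```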

6.1.2 Package Transform

There is no standard for the package transform and therefore no test vectors like those for HMAC-MD5 exist. To test the package transform implementation, a file must be transformed, inverted back again, and the result must be identical to the original file to pass the test.

The UNIX command cmp determines whether two files differ at all. If the files being compared are different, a message is printed to the command line.


Listing 6.1: A test to show that a file that is transformed and inverted is the same as the original file

    midge $ gcc -o aonttest aont.c -lm rc5ref.c
    midge $ aonttest transform test.bin transformed.bin
    midge $ aonttest invert transformed.bin inversetransformed.bin
    midge $ cmp test.bin inversetransformed.bin
    midge $

Another requirement of the package transform was that any two transformed files of the same message are different. The rand() function in C was used to generate random numbers when the private key is generated; this is what differentiates transformed files. The cmp command in UNIX was used to verify that twenty-five transformed files appeared to be different.

Listing 6.2: A test to show that two transformed files are not the same

    midge $ cmp transformed.bin inversetransformed.bin
    transformed.bin inversetransformed.bin differ: char 1, line 1

The ‘cmp’ command can only tell us whether the resulting “chaffed” files differ at all; however, we would like to determine whether an adversary could possibly tell that two chaffed files came from the same message. To do this we would need to investigate different random number generators, which is beyond the scope of this project, therefore we will say that our package transform implementation is correct assuming a good random number generator.
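An added example, not the dissertation's aont.c: Rivest's package transform in Python with HMAC-MD5 (via the standard hmac module) standing in for the RC5 block function that aont.c uses, so both checks from this section, transform-then-invert yields the original and two transforms of one message differ, can be run without the C build. The 8-byte length prefix is my framing for inputs that are not a multiple of the block size, and the public key value is the one from aont.c. It also checks the all-or-nothing property that the text does not test: altering any single byte of a packaged block changes the recovered key.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16                                  # bytes per block: the width of E's output (an MD5 digest)
PUBLIC_KEY = bytes.fromhex("6a519dd10d3cb6bbf0d4cd7156f99a8a")   # fixed public key K0, from aont.c


def E(key: bytes, block: bytes) -> bytes:
    """Block function: stand-in for RC5; any pseudorandom function with BLOCK-byte output works."""
    return hmac.new(key, block, hashlib.md5).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def counter(i: int) -> bytes:
    """The block counter i as a BLOCK-byte big-endian value (aont.c puts it in pt[0])."""
    return i.to_bytes(BLOCK, "big")


def _split(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def package_transform(message: bytes, key=None) -> bytes:
    """m'_i = m_i XOR E(K', i) for each block; final block = K' XOR h_1 XOR ... XOR h_s
    where h_i = E(K0, m'_i XOR i). A fresh random K' is what makes two transforms differ."""
    key = os.urandom(BLOCK) if key is None else key
    framed = struct.pack(">Q", len(message)) + message   # constructed framing: length prefix
    framed += b"\x00" * (-len(framed) % BLOCK)           # zero padding, as aont.c does
    last = key
    out = []
    for i, m in enumerate(_split(framed)):
        mp = xor(m, E(key, counter(i)))
        out.append(mp)
        last = xor(last, E(PUBLIC_KEY, xor(mp, counter(i))))
    out.append(last)
    return b"".join(out)


def recover_key(packaged: bytes) -> bytes:
    """Every body block feeds into K': without all of them the key cannot be recovered."""
    *body, last = _split(packaged)
    key = last
    for i, mp in enumerate(body):
        key = xor(key, E(PUBLIC_KEY, xor(mp, counter(i))))
    return key


def inverse_transform(packaged: bytes) -> bytes:
    key = recover_key(packaged)
    body = _split(packaged)[:-1]
    framed = b"".join(xor(mp, E(key, counter(i))) for i, mp in enumerate(body))
    (length,) = struct.unpack(">Q", framed[:8])
    return framed[8:8 + length]


def all_or_nothing_holds(packaged: bytes) -> bool:
    """Flip one bit at every position of every body block in turn; the recovered key
    must differ from the correct one each time."""
    key = recover_key(packaged)
    for pos in range(len(packaged) - BLOCK):
        damaged = bytearray(packaged)
        damaged[pos] ^= 0x01
        if recover_key(bytes(damaged)) == key:
            return False
    return True


if __name__ == "__main__":
    msg = b"constructed sample plaintext for the package transform"
    p1, p2 = package_transform(msg), package_transform(msg)
    print("round trip ok:", inverse_transform(p1) == msg)
    print("two transforms differ:", p1 != p2)
    print("all-or-nothing holds:", all_or_nothing_holds(p1))
```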

6.1.3 Optimal Asymmetric Encryption Padding

The OAEP implementation was tested in a similar manner to the package transform. The outcomes also confirm that a transformed and inverted file is identical to the original file and that several transformed files appear to be completely different.

6.1.4 Global Module

The functions that are shared between all the chaffing and winnowing schemes were tested.

A test was performed to check that the chaff packets generated by chaff_indices() were different each time and that there were no repeated chaff indices. Originally this test failed. When rand() is called it takes the difference between the current time and the time when it was seeded and uses this to generate a new number. So when rand() was seeded inside chaff_indices(), this time difference was the same each time it was executed. Seeding the random number generator at the start of the program, before some reading and writing to disk, varies the time difference and therefore completely different random numbers are generated.

The test must also check that the chaff indices are sorted in ascending order and that there are no repeated indices. This test passed on both platforms.


The last test checked that the “endianness” of the platform was correctly identified and that the macro to swap the “endianness” of an integer is successful. The swap macro must swap the bytes of an integer, and a second application must yield the original integer. This was easy to test. The test printed big endian on the UNIX platform and little endian on the Windows machine. The swap macro passed its test on both platforms.
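An added example (not the project's global module) covering the checks from this section and Listing 5.5: chaff indices that are sorted, unique and in range; why seeding the generator inside chaff_indices() with the same value on every call (a clock reading that has not moved on between calls) reproduces identical indices while seeding once at program start does not; and storing the positions in big-endian order on any host. The 32-bit width and the function names are assumptions.

```python
import random
import struct
import sys


def chaff_indices(num_chaff: int, num_blocks: int, rng: random.Random) -> list:
    """Pick num_chaff distinct chaff positions among num_blocks total blocks, ascending.
    For real chaff pass random.SystemRandom() so the positions are unpredictable."""
    if num_chaff > num_blocks:
        raise ValueError("more chaff blocks than positions")
    return sorted(rng.sample(range(num_blocks), num_chaff))


def check_indices(indices, num_chaff: int, num_blocks: int) -> bool:
    """The section 6.1.4 test: right count, ascending, no repeats, every index in range."""
    return (len(indices) == num_chaff
            and indices == sorted(set(indices))
            and all(0 <= i < num_blocks for i in indices))


def reseeded_in_function(seed: int, num_chaff: int, num_blocks: int, calls: int) -> list:
    """Seeds inside every call with the same value: every call yields the same indices."""
    return [chaff_indices(num_chaff, num_blocks, random.Random(seed)) for _ in range(calls)]


def seeded_once(seed: int, num_chaff: int, num_blocks: int, calls: int) -> list:
    """Seeds once and reuses the generator: the sequence moves on between calls."""
    rng = random.Random(seed)
    return [chaff_indices(num_chaff, num_blocks, rng) for _ in range(calls)]


def all_identical(lists) -> bool:
    return all(item == lists[0] for item in lists)


def store_positions(indices) -> bytes:
    """Listing 5.5's effect: 32-bit positions written big-endian regardless of host order."""
    return b"".join(struct.pack(">I", i) for i in indices)


def load_positions(data: bytes) -> list:
    return list(struct.unpack(">%dI" % (len(data) // 4), data))


def swap_on_little_endian_host(indices) -> bytes:
    """The C route: native-order integers, byte-swapped (SWAP) only when the host is little-endian.
    The result must equal store_positions() on every host."""
    raw = [struct.pack("=I", i) for i in indices]      # '=' is native byte order, no padding
    if sys.byteorder == "little":
        raw = [r[::-1] for r in raw]
    return b"".join(raw)


if __name__ == "__main__":
    print("reseeded each call, all identical:", all_identical(reseeded_in_function(1234, 4, 64, 5)))
    print("seeded once, all identical:", all_identical(seeded_once(1234, 4, 64, 5)))
    print("host is", sys.byteorder, "endian; stored:", store_positions([1, 256]).hex())
```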

6.2 System Testing

6.2.1 Chaffing and Winnowing Schemes

Once the individual modules had been tested, the chaffing and winnowing schemes themselves had to be tested.

6.2.2 Cross Platform Compatibility

A test was performed to verify that a file chaffed on one platform and winnowed on another platform using the same scheme gives us the original file. This test was performed on both the Windows and UNIX platforms for every scheme that was implemented. Every scheme passed this test.


Chapter 7

Experiment and Results

In this chapter we perform experiments to compare our chaffing and winnowing schemes with similar encryption tools in use today.

7.1 Experiments

We will perform two experiments here: one to measure the time it takes our schemes, and the methods they are being compared to, to encrypt files of different sizes, and one to measure the expansion of the ciphertexts produced.

Both experiments will be performed on the BUCS server described in the Implementation chapter of this report.

The exact sizes of the files used in the experiments are shown in table 7.1.

Approximate size (MB)    Exact size (bytes)
0.02                     20044
0.05                     50673
0.1                      102729
0.25                     255861
0.5                      514375
1                        1035538
5                        5125659

Table 7.1: Exact file sizes of those used in the experiments


7.1.1 Execution Time

For this experiment all four of our schemes were measured for how long they took to “encrypt” files. The approximate sizes of the files used were 20kb, 50kb, 100kb, 250kb, 500kb, 1mb and 5mb.

The schemes were compiled using GCC's maximum optimisation flag to make sure the code performs as efficiently as it can on the platform it is being tested on.

The UNIX time command was used to measure the time. The command reports how long a program took to execute in terms of user CPU time, system CPU time and real time. The system CPU time was recorded for our purposes; this is accurate to one hundredth of a second.

Each scheme “encrypted” each sized file twenty-five times and the mean execution time was recorded.

7.1.2 Ciphertext Expansion

The ciphertext expansion experiment was performed in a similar way to the previous experiment, except that each scheme was only tested once per file size, because the expansion is the same every time.

7.2 Results

7.2.1 Execution Time

Table 7.2 shows the mean execution times of all the schemes for each file size.

Table 7.2: The mean execution times (seconds) of all the schemes for each file size

File size (bytes)   CW PT    CW OAEP   Hybrid CW PT   Hybrid CW OAEP   AES      3DES
20044               0.0230   0.0368    0.0356         0.0434           0.0112   0.0216
50673               0.0540   0.0604    0.0418         0.0546           0.0180   0.0264
102729              0.1460   0.1186    0.0508         0.0656           0.0248   0.0404
255861              0.2534   0.2756    0.0752         0.1023           0.0452   0.0684
514375              0.4808   0.5172    0.1228         0.1528           0.0808   0.1220
1035538             0.9728   1.0428    0.1864         0.2586           0.1416   0.2264
5125659             4.7556   4.7968    0.7708         0.9808           0.6824   1.0459


7.2.2 Ciphertext Expansion

Table 7.3 shows the ciphertext expansion of all the schemes for each file size.

Table 7.3: The expansion size (bytes) of all the schemes for each file size

File size (bytes)   CW PT      CW OAEP    Hybrid CW PT   Hybrid CW OAEP   AES   3DES
20044               43220      43532      3540           3620             82    48
50673               104487     104799     3543           3615             81    47
102729              208599     208911     3543           3615             86    54
255861              514851     515163     3539           3619             86    54
514375              1031873    1032185    3537           3617             86    54
1035538             2074214    2074526    3542           3614             84    52
5125659             10252841   10255512   3542           3619             86    54

7.3 Analysis of the Results

7.3.1 Execution Time

It can be seen from the graph in Figure 7.2 that for very small files, the chaffing and winnowing schemes encrypt a file in about the same time as AES and 3DES. For files larger than 50kb our symmetric chaffing and winnowing schemes encrypt data more slowly than our hybrid chaffing and winnowing schemes and also than AES and 3DES. For very small files we also see that AES and 3DES both encrypt more quickly than our hybrid chaffing and winnowing schemes.

When we look at larger files though (Figure 7.1), we can see that the hybrid OAEP scheme for files larger than about 2mb, and the hybrid Package Transform scheme for files larger than about 400kb, outperform DES.

We can see that the hybrid Package Transform scheme is the quickest of all the chaffing and winnowing schemes at encrypting files of all sizes, but it is not quicker than AES.

7.3.2 Ciphertext Expansion

We can see from the data expansion graphs that the ciphertext from the symmetric chaffing and winnowing schemes gets larger as the size of the original file gets larger. The hybrid chaffing and winnowing schemes have a fixed expansion across all file sizes. This was expected. A fixed overhead instead of a variable overhead is a much better result, as the hybrid schemes get more efficient as the original file gets larger. We can see that the difference in fixed overhead between the hybrid chaffing and winnowing schemes and AES and 3DES is very small.

Figure 7.1: A graph to show the time taken for each scheme to encrypt a file. (x-axis: Filesize in bytes; y-axis: Execution time in seconds; series: CW PT, CW OAEP, CW PK PT, CW PK OAEP, GPG AES, GPG DES)

Figure 7.2: A scaled graph to show the time taken for each scheme to encrypt a small file. (same axes and series as Figure 7.1)

Figure 7.3: A graph to show the data expansion of each scheme. (x-axis: Filesize in bytes; series: CW PT, CW OAEP, CW HYBRID PT, CW HYBRID OAEP, GPG AES, GPG DES)

Figure 7.4: A graph to show the data expansion of each scheme for very small files. (same axes and series as Figure 7.3)


Chapter 8

Conclusion

This chapter reflects upon the project as a whole to identify the good points and the bad points, and suggests work that could be done in the future.

8.1 Conclusion

During this project four chaffing and winnowing schemes were produced. Two were symmetric schemes identified in the literature survey and two were new hybrid schemes devised by the author. They were compared to traditional encryption techniques and it was shown that the chaffing and winnowing schemes are a viable alternative to the techniques they were compared to, although some compare more favourably than others.

The hybrid Package Transform scheme was found to be the fastest scheme; it was faster than DES too. The hybrid OAEP scheme was almost as fast and its data expansion was very similar too. Both of the hybrid schemes had a fixed overhead, whereas the symmetric schemes' ciphertext gets increasingly larger as the plaintext gets larger.

The security of the Package Transform was questioned in the literature review, whereas OAEP was found to be provably secure. For this reason it would seem that the hybrid OAEP scheme would be the best alternative out of our chaffing and winnowing schemes.

The schemes were compared to the traditional methods AES and 3DES as implemented in GnuPG. Our schemes had similar execution speeds to AES and 3DES. The ciphertext expansion of the hybrid techniques means they get more efficient as the size of the file increases. Therefore the hybrid schemes would be a better alternative, but the symmetric ones may not be.

This project has not compared the chaffing and winnowing schemes with traditional hybrid encryption systems. We found in the literature review that most cryptosystems take the advantages of both symmetric and public key encryption. Hybrid techniques for chaffing and winnowing have not been discussed prior to this project. These new techniques could encourage further development in this area of cryptography; however, it is not known whether these techniques “keep to the rules” of chaffing and winnowing. MACs are not used and instead some encryption takes place; however, the message is still transmitted in the clear and only the authentication data is encrypted.

8.2 Positive Aspects

The aim of this project was to implement one or more chaffing and winnowing schemes and compare them to existing techniques for confidentiality in order to assess whether or not chaffing and winnowing could be a viable alternative. We managed to identify the use of hybrid techniques in the literature survey, which was an important discovery. The schemes produced were found to be viable alternatives, which is a good achievement. We have hopefully encouraged further research into chaffing and winnowing, especially if encryption algorithms were to be outlawed.

8.3 Things That Could Be Improved

As the system testing highlighted, the correctness of our implementations could not be verified completely. Although we believe the schemes to be secure, more exhaustive tests could be devised to ensure a message is chaffed and winnowed back again successfully.

Our project did not include comparisons of different hash functions that could be used in a chaffing and winnowing scheme. In the symmetric scheme and OAEP the hash function is used many times, therefore an increase in the performance of the hash algorithm will increase the performance of some of the chaffing and winnowing schemes.

8.4 Further Work

Some further work could be carried out to investigate chaffing and winnowing.

The chaffing and winnowing techniques implemented in this project did not apply any kind of compression to the data before encrypting it. Gnu Privacy Guard does compress data before encrypting it, although this option was turned off to give a fair comparison with our schemes.

We have only implemented the core algorithms for chaffing and winnowing techniques, but a user will want a complete cryptosystem with a user interface. Such a system could be used for secure electronic mail and include key management techniques. The problem of lost data in transmission may need to be addressed. If data blocks are lost in transmission, a protocol to ask for them to be re-sent would need to be implemented, because asking for just the blocks that are missing gives information to a man-in-the-middle attacker. An adversary will be able to gain information about the message if a recipient only asks for the data blocks he requires to reconstruct the plaintext - the “wheat”. One solution might be to send a hash of all the blocks along with the message and re-request all the blocks if the hash is not correct.

8.5 Personal Reflection

This project has also improved the author's C programming skills, time management and preparation skills. Time constraints prevented more in-depth exploration of some ideas, but these have been included in the further work section.

This project has been very interesting to carry out. The author has gained a lot of knowledge about how cryptosystems work and what makes one better than another.


Bibliography

Anderson, R. and Biham, E. (1996), Two Practical and Provably Secure Block Ciphers: BEAR and LION, in ‘IWFSE: International Workshop on Fast Software Encryption, LNCS’.

Bellare, M. and Boldyreva, A. (2000), ‘The Security of Chaffing and Winnowing’, Lecture Notes in Computer Science 1976, 517–530.

Bellare, M., Krawczyk, H. and Canetti, R. (1996), HMAC: Keyed-hashing for message authentication, in ‘CRYPTO ’96: Advances in Cryptology’, Springer-Verlag.

Bellare, M. and Rogaway, P. (1995), ‘Optimal Asymmetric Encryption - How to encrypt with RSA’, Lecture Notes in Computer Science 950, 92–111.

Boyko, V. (1999), On the Security Properties of OAEP as an All-or-Nothing Transform, in ‘CRYPTO ’99: Proceedings of 19th Annual International Cryptology Conference’, Springer-Verlag, pp. 503–518.

Cheng, P. and Glenn, R. (1997), ‘Test Cases for HMAC-MD5 and HMAC-SHA-1’.

Clayton, R. and Danezis, G. (2003), ‘Chaffinch: Confidentiality in the Face of Legal Threats’, Revised Papers from the 5th International Workshop on Information Hiding, pp. 70–86.

Cramer, R. and Shoup, V. (2003), ‘Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack’, SIAM J. of Computing 33, 167–226.

Daemen, J. and Rijmen, V. (1998), The Design of Rijndael, Springer-Verlag.

Desai, A. (2000), The Security of All-or-Nothing Encryption: Protecting against Exhaustive Key Search, in ‘CRYPTO ’00: Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology’, Springer-Verlag, pp. 359–375.

Dobbertin, H., Bosselaers, A. and Preneel, B. (1996), ‘RIPEMD-160: A Strengthened Version of RIPEMD’, Fast Software Encryption, Lecture Notes in Computer Science 1039, 71–82.

Eastlake, D. and Jones, P. (2001), ‘US Secure Hash Algorithm (SHA-1)’, Internet Engineering Task Force.

ElGamal, T. (1984), A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, in ‘CRYPTO ’84: Advances in Cryptology’, Springer-Verlag, pp. 10–18.

Kaliski Jr., B. and Robshaw, M. (1995), ‘Message authentication with MD5’, RSA Laboratories CryptoBytes 1(1), 5–8.

Lai, X., Rueppel, R. and Woollven, J. (1992), A fast cryptographic checksum algorithm based on stream ciphers, in ‘Auscrypt ’92: Advances in Cryptology’, Springer-Verlag, pp. 339–348.

Lu, X. (2006), ‘An efficient hybrid encryption in standard model’.

National Institute of Standards and Technology (NIST) (1985), ‘FIPS Publication 113: Computer data authentication’.

National Institute of Standards and Technology (NIST) (1999), ‘FIPS Publication 46-3: Data Encryption Standard (DES)’.

Rivest, R., Shamir, A. and Adleman, L. (1978), ‘A Method for Obtaining Digital Signatures and Public-Key Cryptosystems’, Communications of the ACM 21, 120–126.

Rivest, R. (1992), ‘The MD5 Message-Digest Algorithm’.

Rivest, R. L. (1994), The RC5 Encryption Algorithm, in ‘Second International Workshop on Fast Software Encryption (FSE)’, pp. 86–96.

Rivest, R. L. (1997), ‘All-or-Nothing Encryption and the Package Transform’, Lecture Notes in Computer Science 1267, 210–218.

Rivest, R. L. (1998), ‘Chaffing and Winnowing: Confidentiality without Encryption’, RSA Laboratories CryptoBytes 4(1), 12–17.

RSA Data Security, Inc. (1998), PKCS #1: RSA Encryption Standard. Version 2.0.

Schneier, B. (1994), ‘Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)’, Fast Software Encryption, Cambridge Security Workshop Proceedings, pp. 191–204.

Sommerville, I. (2004), Software Engineering, 7th edn, Addison-Wesley.

Stinson, D. (2005), ‘Cryptography Theory and Practice’.

UK Stationery Office Ltd (2000), ‘Regulation of Investigatory Act’.


Appendix A

Design Diagrams


Figure A.1: The modular design of the chaffing and winnowing schemes.


Appendix B

Code


B.1 File: hmac.c

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include "md5.h"   /* RFC 1321 reference interface: MD5Init, MD5Update, MD5Final(digest, ctx) */

    /*
    ** Function: hmac_md5
    ** unsigned char* text;       pointer to data stream
    ** int text_len;              length of data stream
    ** unsigned char* key;        pointer to authentication key
    ** int key_len;               length of authentication key
    ** unsigned char digest[16];  caller digest to be filled in
    */
    void hmac_md5(unsigned char *text, int text_len, unsigned char *key, int key_len,
                  unsigned char digest[16])
    {
        MD5_CTX context;
        unsigned char k_ipad[65];   /* inner padding - key XORd with ipad */
        unsigned char k_opad[65];   /* outer padding - key XORd with opad */
        unsigned char tk[16];
        unsigned char inner[16];    /* result of the first (inner) MD5 pass */
        int i;

        /* if key is longer than 64 bytes reset it to key=MD5(key) */
        if (key_len > 64) {
            MD5_CTX tctx;

            MD5Init(&tctx);
            MD5Update(&tctx, key, key_len);
            MD5Final(tk, &tctx);

            key = tk;
            key_len = 16;
        }

        /*
         * the HMAC_MD5 transform looks like:
         *
         * MD5(K XOR opad, MD5(K XOR ipad, text))
         *
         * where K is an n byte key
         * ipad is the byte 0x36 repeated 64 times
         * opad is the byte 0x5c repeated 64 times
         * and text is the data being protected
         */

        /* start out by storing key in pads */
        /* bzero(k_ipad, sizeof k_ipad); */
        /* bzero(k_opad, sizeof k_opad); */
        /* bcopy(key, k_ipad, key_len); */
        /* bcopy(key, k_opad, key_len); */

        /* use memset and memcpy instead - bcopy and bzero are outdated */
        memset(k_ipad, 0, sizeof(k_ipad));
        memset(k_opad, 0, sizeof(k_opad));
        memcpy(k_ipad, key, key_len);
        memcpy(k_opad, key, key_len);

        /* XOR key with ipad and opad values */
        for (i = 0; i < 64; i++) {
            k_ipad[i] ^= 0x36;
            k_opad[i] ^= 0x5c;
        }

        /* perform inner MD5 */
        MD5Init(&context);                    /* init context for 1st pass */
        MD5Update(&context, k_ipad, 64);      /* start with inner pad */
        MD5Update(&context, text, text_len);  /* then text of datagram */
        MD5Final(inner, &context);            /* finish up 1st pass */

        /* perform outer MD5 */
        MD5Init(&context);                    /* init context for 2nd pass */
        MD5Update(&context, k_opad, 64);      /* start with outer pad */
        MD5Update(&context, inner, 16);       /* then results of 1st hash */
        MD5Final(digest, &context);           /* finish up 2nd pass, writing the caller's digest */
    }

B.2 File: aont.c

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>   /* memcpy, memset, strcmp */
    #include <time.h>
    #include <math.h>
    #include "aont.h"
    #include "rc5ref.h"   /* WORD, t, RC5_SETUP and RC5_ENCRYPT taking an explicit key table */

    #define BLOCKSIZE 8   /* follow suit of RC5 implementation */
    #define KEYSIZE 16

    /* randomly chosen public key */
    unsigned char publickey[] =
        "\x6a\x51\x9d\xd1\x0d\x3c\xb6\xbb\xf0\xd4\xcd\x71\x56\xf9\x9a\x8a";

    void transform(FILE *in, FILE *out)
    {
        int i, j, k;
        long int filesize;
        unsigned char key[KEYSIZE], currentblock[BLOCKSIZE],
            outputblock[BLOCKSIZE], lastblock[KEYSIZE];
        WORD pt[2], ct[2] = {0, 0};
        WORD publicS[t];    /* expanded key table for public key */
        WORD privateS[t];   /* expanded key table for private key */

        /* create a key */
        createkey(key);

        /* calculate the length of the input file */
        filesize = getfilesize(in);

        /* setup RC5 encryption for private key */
        RC5_SETUP(key, privateS);

        /* setup RC5 encryption for public key */
        RC5_SETUP(publickey, publicS);

        /* lastblock = the key */
        memcpy(lastblock, key, KEYSIZE);

        i = 0;
        while (!feof(in)) {
            /* read in the next block */
            memset(currentblock, 0, BLOCKSIZE);
            fread(currentblock, sizeof(char), BLOCKSIZE, in);

            /* Initialize pt */
            pt[0] = i;
            pt[1] = 0;

            /* encrypt counter with private key */
            RC5_ENCRYPT(pt, ct, privateS);

            /* outputblock = current block XOR the ciphertext */
            for (j = 0, k = 24; j < 4; j++) {
                outputblock[j] = currentblock[j] ^ ((ct[0] >> k) & 0xFF);
                k -= 8;
            }
            for (j = 4, k = 24; j < 8; j++) {
                outputblock[j] = currentblock[j] ^ ((ct[1] >> k) & 0xFF);
                k -= 8;
            }

            /* write this to output file */
            fwrite(outputblock, sizeof(char), BLOCKSIZE, out);

            /* calculate hash by converting counter to string and XOR it with outputblock */
            /* pt[0] = first half of outputblock */
            /* pt[1] = second half of outputblock */
            pt[0] = 0;
            pt[1] = 0;
            for (j = 0, k = 24; j < 4; j++) {
                pt[0] = pt[0] | ((outputblock[j] ^ ((i >> k) & 0xFF)) << k);
                k -= 8;
            }
            for (j = 4, k = 24; j < 8; j++) {
                pt[1] = pt[1] | (outputblock[j] << k);
                k -= 8;
            }

            ct[0] = 0;
            ct[1] = 0;

            RC5_ENCRYPT(pt, ct, publicS);

            /* lastblock = lastblock XOR ciphertext - lastblock is bigger than normal block */
            for (j = 0, k = 24; j < 4; j++) {
                lastblock[j] = lastblock[j] ^ ct[0] >> k;
                lastblock[j + 8] = lastblock[j + 8] ^ ct[0] >> k;
                k = k - 8;
            }
            for (j = 4, k = 24; j < 8; j++) {
                lastblock[j] = lastblock[j] ^ ct[1] >> k;
                lastblock[j + 8] = lastblock[j + 8] ^ ct[1] >> k;
                k = k - 8;
            }

            /* increment the counter */
            i++;
        } /* end of while loop */

        /* write lastblock to output file */
        fwrite(lastblock, sizeof(char), KEYSIZE, out);
    }

    void inversetransform(FILE *in, FILE *out)
    {
        int i, j, k;
        WORD pt[2], ct[2] = {0, 0};
        WORD publicS[t];
        WORD privateS[t];
        int blocks, keyinfo, filesize, traverse;
        unsigned char hash[BLOCKSIZE], currentblock[BLOCKSIZE], key[KEYSIZE],
            lastblock[KEYSIZE], outputblock[BLOCKSIZE];

        /* calculate the length of the input file */
        filesize = getfilesize(in);

        memset(key, 0, KEYSIZE);

        /* setup RC5 encryption for public key */
        RC5_SETUP(publickey, publicS);

        blocks = (int) floor((double) filesize / BLOCKSIZE);
        keyinfo = KEYSIZE / BLOCKSIZE;
        traverse = blocks - keyinfo;

        i = 0;
        while (i < traverse) {
            /* read in the next block */
            memset(currentblock, 0, BLOCKSIZE);
            fread(currentblock, sizeof(char), BLOCKSIZE, in);

            /* create hash */
            pt[0] = 0;
            pt[1] = 0;
            for (j = 0, k = 24; j < 4; j++) {
                pt[0] = pt[0] | ((currentblock[j] ^ ((i >> k) & 0xFF)) << k);
                k -= 8;
            }
            for (j = 4, k = 24; j < 8; j++) {
                pt[1] = pt[1] | (currentblock[j] << k);
                k -= 8;
            }

            ct[0] = 0;
            ct[1] = 0;

            RC5_ENCRYPT(pt, ct, publicS);

            /* XOR with running private key - key is twice the size of a block */
            for (j = 0, k = 24; j < 4; j++) {
                key[j] = key[j] ^ ct[0] >> k;
                key[j + 8] = key[j + 8] ^ ct[0] >> k;
                k = k - 8;
            }
            for (j = 4, k = 24; j < 8; j++) {
                key[j] = key[j] ^ ct[1] >> k;
                key[j + 8] = key[j + 8] ^ ct[1] >> k;
                k = k - 8;
            }

            i++;
        }

        /* read last block of input file */
        memset(lastblock, 0, KEYSIZE);
        fread(lastblock, sizeof(char), KEYSIZE, in);

        /* finally reveal the key */
        for (j = 0; j < KEYSIZE; j++) {
            key[j] = key[j] ^ lastblock[j];
        }

        /* ------------------------ */
        /* transform back using key */
        /* ------------------------ */

        /* 'rewind' input file */
        fseek(in, 0, SEEK_SET);

        /* setup RC5 encryption for private key */
        RC5_SETUP(key, privateS);

        i = 0;
        while (i < traverse) {
            /* read in the next block */
            memset(currentblock, 0, BLOCKSIZE);
            fread(currentblock, sizeof(char), BLOCKSIZE, in);

            /* Initialize pt */
            pt[0] = i;
            pt[1] = 0;

            /* Initialize ct */
            ct[0] = 0;
            ct[1] = 0;

            /* encrypt counter with private key */
            RC5_ENCRYPT(pt, ct, privateS);

            /* outputblock = current block XOR the ciphertext */
            for (j = 0, k = 24; j < 4; j++) {
                outputblock[j] = currentblock[j] ^ ((ct[0] >> k) & 0xFF);
                k -= 8;
            }
            for (j = 4, k = 24; j < 8; j++) {
                outputblock[j] = currentblock[j] ^ ((ct[1] >> k) & 0xFF);
                k -= 8;
            }

            /* write this to output file */
            fwrite(outputblock, sizeof(char), BLOCKSIZE, out);

            i++;
        }
    }

    /* create a random key of size KEYSIZE */
    void createkey(unsigned char *key)
    {
        int i;
        unsigned char car;
        for (i = 0; i < KEYSIZE; i++) {
            car = rand() % 256;   /* every byte value 0x00..0xFF is possible */
            key[i] = car;
        }
    }

    /*
    ** get the size of a file - thanks to this forum thread:
    ** http://www.thescripts.com/forum/thread506204.html
    */
    long int getfilesize(FILE *file)
    {
        long int filesize;

        if (file == NULL) {
            printf("Error: can't identify file size\n");
            return -1;
        }
        fseek(file, 0, SEEK_END);
        filesize = ftell(file);
        fseek(file, 0, SEEK_SET);
        return filesize;
    }

    /*
    int main(int argc, char **argv)
    {
        FILE *in;
        FILE *out;
        int i;

        if (argc != 4) {
            printf("Type: %s [transform|invert] <input file> <output file>\n", argv[0]);
            exit(-1);
        } else {
            in = fopen(argv[2], "rb");
            if (in == NULL) {
                printf("Error: can't open input file.\n");
                return 1;
            }

            out = fopen(argv[3], "wb");
            if (out == NULL) {
                printf("Error: can't open output file.\n");
                return 1;
            }

            srand((unsigned int) time(NULL));

            if (strcmp(argv[1], "transform") == 0) {
                printf("Transforming input file...\n");
                transform(in, out);
                printf("...done.\n");
            }

            if (strcmp(argv[1], "invert") == 0) {
                printf("Inverting transformed file...\n");
                inversetransform(in, out);
                printf("...done.\n");
            }
        }
    }
    */


B.3 File: oaep.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <math.h>
#include <time.h>
#include "md5.h"

#define BLOCKSIZE 128
#define HASHOUTLEN 16

/* encoding parameter */
char *Passphrase = "james smith";

/* MGF1 is defined after the two transforms, so it needs a prototype here */
void MGF1(unsigned char *T, unsigned char *Z, int zlen, int l);

void transform(FILE *in, FILE *out, int emLen)
{
    int i = 0;
    long filesize;
    unsigned char *message, seed[HASHOUTLEN], dbMask[emLen - HASHOUTLEN], *DB,
                  maskedDB[emLen - HASHOUTLEN], seedMask[HASHOUTLEN],
                  maskedSeed[HASHOUTLEN];
    MD5_CTX mdContext;

    /* get size of file */
    fseek(in, 0, SEEK_END);
    filesize = ftell(in);
    fseek(in, 0, SEEK_SET);

    /* If ||M|| > emLen-2hLen-1 then output "message too long" and stop */
    if (filesize > emLen - 2 * HASHOUTLEN - 1) {
        printf("Error: message is too long.\n");
        exit(1);
    }

    /* read in message */
    message = malloc(sizeof(char) * filesize);
    fread(message, sizeof(char), filesize, in);

    /* Let pHash = Hash(P), an octet string of length hLen */
    MD5Init(&mdContext);
    MD5Update(&mdContext, (unsigned char *) Passphrase, strlen(Passphrase));
    MD5Final(&mdContext);

    /*
     * Concatenate pHash, PS, the message M, and other padding to form a
     * data block DB as: DB = pHash || PS || 01 || M
     * (PS is the run of zero octets left by memset; the separator written
     * here is the octet 255, which inversetransform looks for)
     */
    DB = malloc(sizeof(char) * (emLen - HASHOUTLEN));
    memset(DB, 0, (emLen - HASHOUTLEN));
    for (i = 0; i < HASHOUTLEN; i++) {
        DB[i] |= mdContext.digest[i];
    }
    DB[emLen - filesize - HASHOUTLEN - 1] = 255;
    for (i = 0; i < filesize; i++) {
        DB[i + emLen - filesize - HASHOUTLEN] |= message[i];
    }

    /* Generate a random octet string, seed, of length hLen */
    for (i = 0; i < HASHOUTLEN; i++) {
        seed[i] = rand() % 255;
    }

    /* Let dbMask = MGF(seed, emLen-hLen) */
    MGF1(dbMask, seed, HASHOUTLEN, emLen - HASHOUTLEN);

    /* Let maskedDB = DB \xor dbMask (DB, dbMask and maskedDB all hold emLen-hLen octets) */
    for (i = 0; i < emLen - HASHOUTLEN; i++) {
        maskedDB[i] = DB[i] ^ dbMask[i];
    }

    /* Let seedMask = MGF(maskedDB, hLen), taken over the whole of maskedDB */
    MGF1(seedMask, maskedDB, emLen - HASHOUTLEN, HASHOUTLEN);

    /* Let maskedSeed = seed \xor seedMask */
    for (i = 0; i < HASHOUTLEN; i++) {
        maskedSeed[i] = seed[i] ^ seedMask[i];
    }

    /* Output: maskedSeed || maskedDB */
    fwrite(maskedSeed, sizeof(char), HASHOUTLEN, out);
    fwrite(maskedDB, sizeof(char), emLen - HASHOUTLEN, out);

    free(message);
    free(DB);
}

void inversetransform(FILE *in, FILE *out)
{
    unsigned char maskedSeed[HASHOUTLEN], *maskedDB, seedMask[HASHOUTLEN],
                  seed[HASHOUTLEN], *dbMask, *DB, pHashDash[HASHOUTLEN], *M;
    int i, filesize, ptr, sizeOfM;
    MD5_CTX mdContext;

    /* get size of file */
    fseek(in, 0, SEEK_END);
    filesize = ftell(in);
    fseek(in, 0, SEEK_SET);

    /* Let maskedSeed be the first hLen octets of EM */
    fread(maskedSeed, sizeof(char), HASHOUTLEN, in);

    /* let maskedDB be the remaining ||EM|| - hLen octets */
    maskedDB = malloc(sizeof(char) * (filesize - HASHOUTLEN));
    fread(maskedDB, sizeof(char), filesize - HASHOUTLEN, in);

    /* Let seedMask = MGF(maskedDB, hLen) */
    MGF1(seedMask, maskedDB, filesize - HASHOUTLEN, HASHOUTLEN);

    /* Let seed = maskedSeed \xor seedMask */
    for (i = 0; i < HASHOUTLEN; i++) {
        seed[i] = maskedSeed[i] ^ seedMask[i];
    }

    /* Let dbMask = MGF(seed, ||EM|| - hLen) */
    dbMask = malloc(sizeof(char) * (filesize - HASHOUTLEN));
    MGF1(dbMask, seed, HASHOUTLEN, filesize - HASHOUTLEN);

    /* Let DB = maskedDB \xor dbMask */
    DB = malloc(sizeof(char) * (filesize - HASHOUTLEN));
    for (i = 0; i < filesize - HASHOUTLEN; i++) {
        DB[i] = maskedDB[i] ^ dbMask[i];
    }

    /* Let pHash = Hash(Passphrase), an octet string of length hLen */
    MD5Init(&mdContext);
    MD5Update(&mdContext, (unsigned char *) Passphrase, strlen(Passphrase));
    MD5Final(&mdContext);

    /*
     * Separate DB into an octet string pHash' consisting of the first
     * hLen octets of DB, a (possibly empty) octet string PS consisting of
     * consecutive zero octets following pHash', and a message M as:
     * DB = pHash' || PS || 01 || M
     */
    for (i = 0; i < HASHOUTLEN; i++) {
        pHashDash[i] = DB[i];
    }

    /* If pHash' does not equal pHash, output "decoding error" and stop */
    if (memcmp(mdContext.digest, pHashDash, HASHOUTLEN) != 0) {
        printf("Decoding Error!\n");
        exit(1);
    }

    /* find the separator: the first octet 255 after pHash' (PS is all zeros,
       so a later 255 would belong to the message and must not be chosen) */
    ptr = -1;
    for (i = HASHOUTLEN; i < filesize - HASHOUTLEN; i++) {
        if (DB[i] == 255) {
            ptr = i;
            break;
        }
    }
    if (ptr < 0) {
        printf("Decoding Error!\n");
        exit(1);
    }

    /* Output M */
    sizeOfM = filesize - ptr - HASHOUTLEN - 1;
    M = malloc(sizeof(char) * (sizeOfM));
    for (i = 0; i < (sizeOfM); i++) {
        ptr++;
        M[i] = DB[ptr];
    }
    fwrite(M, sizeof(char), sizeOfM, out);

    free(maskedDB);
    free(dbMask);
    free(DB);
    free(M);
}

/*
 * MGF1 (PKCS#1 v2.0, B.2.1) built on MD5: T receives l octets made of
 * Hash(Z || C) for the 4-octet counter C = 0, 1, 2, ...
 * zlen is the length of Z in octets.
 */
void MGF1(unsigned char *T, unsigned char *Z, int zlen, int l)
{
    long i, outlen = 0;
    unsigned char counter[4];
    MD5_CTX mdContext;

    for (i = 0; outlen < l; i++) {
        /* convert counter to string of length 4 */
        counter[0] = (unsigned char) ((i >> 24) & 255);
        counter[1] = (unsigned char) ((i >> 16) & 255);
        counter[2] = (unsigned char) ((i >> 8) & 255);
        counter[3] = (unsigned char) (i & 255);

        /* find hash of Z||C; the context is reset for every counter value */
        MD5Init(&mdContext);
        MD5Update(&mdContext, Z, zlen);
        MD5Update(&mdContext, counter, 4);
        MD5Final(&mdContext);

        /* T = T || hash */
        if (outlen + HASHOUTLEN <= l) {
            memcpy(T + outlen, mdContext.digest, HASHOUTLEN);
            outlen += HASHOUTLEN;
        } else {
            memcpy(T + outlen, mdContext.digest, l - outlen);
            outlen = l;
        }
    }
}

/*
int main(int argc, char **argv)
{
    FILE *in;
    FILE *out;

    if (argc != 4) {
        printf("Type: 'oaep_test [transform|invert] <input file> <output file>'\n");
        exit(1);
    } else {
        srand((unsigned int) time(NULL));

        in = fopen(argv[2], "rb");
        if (in == NULL) {
            printf("Error: can't open input file.\n");
            return 1;
        }

        out = fopen(argv[3], "wb");
        if (out == NULL) {
            printf("Error: can't open output file.\n");
            return 1;
        }

        if (strcmp(argv[1], "transform") == 0) {
            printf("Transforming input file...\n");
            transform(in, out, 2048);
            printf("...done.\n");
        }

        if (strcmp(argv[1], "invert") == 0) {
            printf("Inverting transformed file...\n");
            inversetransform(in, out);
            printf("...done.\n");
        }
    }
    return 0;
}
*/
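The OAEP construction that oaep.c implements, restated as an added Python example (this is not the dissertation's code). It keeps the listing's parameters, MD5 with hLen = 16 and the passphrase "james smith" as the encoding parameter P, with emLen supplied by the caller, but follows PKCS#1 in two places where the listing departs from it: MGF1 hashes the whole input it is given, and the separator octet is 0x01 rather than 255. The helper tamper_is_detected is an added construction showing why the seed masking matters: flipping any single byte of the encoded message, in the masked seed or anywhere in the masked data block, changes the recovered seed, so the whole data block decodes to garbage and the pHash check fails.

```python
"""OAEP-style encode/decode in the shape of oaep.c (B.3), with PKCS#1 MGF1."""
import hashlib
import os

HLEN = 16                       # MD5 output length (HASHOUTLEN in oaep.c)
PASSPHRASE = b"james smith"     # encoding parameter P, as in oaep.c


def mgf1(seed: bytes, length: int) -> bytes:
    """PKCS#1 MGF1 over MD5: Hash(seed || C) for C = 0, 1, ... until length octets."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.md5(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, em_len: int, seed: bytes = None) -> bytes:
    """EM = maskedSeed || maskedDB, with DB = pHash || PS || 0x01 || M."""
    if len(message) > em_len - 2 * HLEN - 1:
        raise ValueError("message too long")
    p_hash = hashlib.md5(PASSPHRASE).digest()
    ps = b"\x00" * (em_len - len(message) - 2 * HLEN - 1)
    db = p_hash + ps + b"\x01" + message
    assert len(db) == em_len - HLEN
    if seed is None:
        seed = os.urandom(HLEN)             # a fresh random seed per encoding
    masked_db = xor(db, mgf1(seed, em_len - HLEN))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return masked_seed + masked_db


def oaep_decode(em: bytes) -> bytes:
    """Undo the two masks, then check pHash and the PS || 0x01 structure."""
    masked_seed, masked_db = em[:HLEN], em[HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, len(masked_db)))
    p_hash = hashlib.md5(PASSPHRASE).digest()
    if db[:HLEN] != p_hash:
        raise ValueError("decoding error")
    sep = db.find(b"\x01", HLEN)            # first 0x01 after pHash; PS is all zeros
    if sep < 0 or any(db[HLEN:sep]):
        raise ValueError("decoding error")
    return db[sep + 1:]


def tamper_is_detected(message: bytes, em_len: int, position: int) -> bool:
    """Flip one bit of the encoded message at `position` and report whether decoding fails."""
    em = bytearray(oaep_encode(message, em_len))
    em[position] ^= 0x01
    try:
        oaep_decode(bytes(em))
    except ValueError:
        return True
    return False
```

With the listing's own MGF1, which hashes only the first 16 octets of maskedDB, a flipped byte beyond that prefix would leave the seed intact and corrupt only the one DB octet it masks; hashing all of maskedDB is what makes every position of the encoding detectable.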

B.4 File: cw_lib.c

#include "cw_lib.h"
#include <stdlib.h>
#include <time.h>

int q_sort(int numbers[], int left, int right);

void chaffindices(int numchaff, int numblocks, int chaffindices[])
{
    int i, j, seed, duplicate;

    /* rand() seeded from the clock is predictable; numchaff distinct
       indices can only be drawn when numblocks >= numchaff */
    srand((unsigned int) time(NULL));

    /* get a new random number */
    chaffindices[0] = rand() % numblocks;
    for (i = 1; i < numchaff; i++) {
        /* if this number is already in the array get a new one */
        do {
            seed = rand() % numblocks;
            duplicate = 0;
            for (j = 0; j < i; j++) {
                if (seed == chaffindices[j]) {
                    duplicate = 1;
                    break;
                }
            }
        } while (duplicate);
        chaffindices[i] = seed;
    }

    /* sort the array into ascending order */
    quickSort(chaffindices, numchaff);
}

/* quicksort algorithm taken from http://linux.wku.edu/~lamonml/algor/sort/quick.html */
int quickSort(int numbers[], int array_size)
{
    q_sort(numbers, 0, array_size - 1);
    return 1;
}

int q_sort(int numbers[], int left, int right)
{
    int pivot, l_hold, r_hold;

    l_hold = left;
    r_hold = right;
    pivot = numbers[left];
    while (left < right) {
        while ((numbers[right] >= pivot) && (left < right))
            right--;
        if (left != right) {
            numbers[left] = numbers[right];
            left++;
        }
        while ((numbers[left] <= pivot) && (left < right))
            left++;
        if (left != right) {
            numbers[right] = numbers[left];
            right--;
        }
    }
    numbers[left] = pivot;
    pivot = left;
    left = l_hold;
    right = r_hold;
    if (left < pivot)
        q_sort(numbers, left, pivot - 1);
    if (right > pivot)
        q_sort(numbers, pivot + 1, right);

    return 1;
}

int endian(void)
{
    short d = 0x1234;
    char *p = (char *) &d;

    if (*p == 0x12) {
        return BIGENDIAN;
    } else {
        return LITTLEENDIAN;
    }
}

B.5 File: cw_aont_pt.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <math.h>
#include <time.h>

#include "aont.h"
#include "cw_lib.h"

#define NUMCHAFFS 128

void chaff(FILE *in, FILE *out, unsigned char *MACkey)
{
    int i, j, numblocks, chaffarray[NUMCHAFFS], arrayindex;
    long int filesize;
    FILE *tempfile;
    unsigned char currentblock[BLOCKSIZE], fakeblock[BLOCKSIZE + 16];
    unsigned char digest[16];

    /* apply aont to the file */
    tempfile = tmpfile();
    transform(in, tempfile);

    /* get the size of the file */
    fseek(tempfile, 0, SEEK_END);
    filesize = ftell(tempfile);
    fseek(tempfile, 0, SEEK_SET);

    numblocks = (int) floor((double) filesize / BLOCKSIZE);

    /*
     * compute where the chaff packets are going to go (random indices between 0
     * and number blocks in transformed file) - no repeated values
     */
    memset(chaffarray, 0, sizeof(chaffarray));
    chaffindices(NUMCHAFFS, numblocks, chaffarray);

    arrayindex = 0;
    for (i = 0; i < (numblocks + NUMCHAFFS); i++) {
        /* the bounds test stops the comparison reading past the end of
           chaffarray once every chaff position has been used */
        if (arrayindex < NUMCHAFFS && i == chaffarray[arrayindex]) {
            /* write a fake chaff block and MAC to output file */
            for (j = 0; j < BLOCKSIZE + 16; j++) {
                fakeblock[j] = rand() % 255;
            }
            fwrite(fakeblock, sizeof(char), BLOCKSIZE + 16, out);
            arrayindex++;
        } else {
            /* read in the next block */
            memset(currentblock, 0, BLOCKSIZE);
            fread(currentblock, sizeof(char), BLOCKSIZE, tempfile);

            /* write the block from the transformed file to the output file */
            fwrite(currentblock, sizeof(char), BLOCKSIZE, out);

            /* compute block's MAC */
            hmac_md5(currentblock, BLOCKSIZE, MACkey, strlen((char *) MACkey), digest);

            /* write the MAC to the output file */
            fwrite(digest, sizeof(unsigned char), 16, out);
        }
    }
}

void winnow(FILE *in, FILE *out, unsigned char *MACkey)
{
    unsigned char currentblock[BLOCKSIZE], currentMAC[16];
    unsigned char digest[16];
    FILE *tempfile;

    tempfile = tmpfile();

    /* read (block, MAC) pairs until the input runs out; testing the fread
       count avoids the extra pass that a feof()-controlled loop makes */
    for (;;) {
        /* read in next block of input file */
        memset(currentblock, 0, BLOCKSIZE);
        if (fread(currentblock, sizeof(char), BLOCKSIZE, in) != BLOCKSIZE)
            break;

        /* compute the MAC of this block */
        hmac_md5(currentblock, BLOCKSIZE, MACkey, strlen((char *) MACkey), digest);

        /* read MAC from file and compare with what has been calculated */
        memset(currentMAC, 0, 16);
        if (fread(currentMAC, sizeof(unsigned char), 16, in) != 16)
            break;

        /* memcmp stops at the first differing octet, so its running time
           leaks where a tag differs; a constant-time compare is preferable
           wherever verification time can be observed */
        if (memcmp(digest, currentMAC, 16) == 0) {
            /* write the decent block to output file */
            fwrite(currentblock, sizeof(char), BLOCKSIZE, tempfile);
        }
    }

    /* inverse transform the temporary file */
    fseek(tempfile, 0, SEEK_SET);
    inversetransform(tempfile, out);
}

int main(int argc, char **argv)
{
    FILE *in, *out;
    unsigned char *MACkey;

    srand((unsigned int) time(NULL));

    if (argc != 5) {
        printf("Type: 'cw [chaff|winnow] <passkey> <input file> <output file>'\n");
        exit(1);
    } else {
        in = fopen(argv[3], "rb");
        if (in == NULL) {
            printf("Error: can't open input file.\n");
            return 1;
        }

        out = fopen(argv[4], "wb");
        if (out == NULL) {
            printf("Error: can't open output file.\n");
            return 1;
        }

        MACkey = (unsigned char *) argv[2];

        if (strcmp(argv[1], "chaff") == 0) {
            printf("Chaffing file...\n");
            chaff(in, out, MACkey);
        } else if (strcmp(argv[1], "winnow") == 0) {
            printf("Winnowing file...\n");
            winnow(in, out, MACkey);
        } else {
            printf("Type: 'cw [chaff|winnow] <passkey> <input file> <output file>'\n");
            exit(1);
        }
    }
    return 0;
}
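The chaff and winnow pair from cw_aont_pt.c, as an added Python example that is not part of the dissertation. As in the listing, every real block is followed by its HMAC-MD5 tag, fake (block, tag) pairs of random bytes are interleaved at distinct positions, and winnowing keeps exactly the blocks whose tag verifies under the key. The AONT layer is left out, the 8-byte block length and the seeded random.Random are constructed assumptions rather than values from the page, and, going one step beyond the listing, the chaff positions are scattered over the whole output stream instead of only the first numblocks slots. Tags are compared with hmac.compare_digest so that verification time does not depend on where a tag differs.

```python
"""Chaffing and winnowing over fixed-size blocks, in the shape of cw_aont_pt.c (B.5)."""
import hashlib
import hmac
import random

BLOCKSIZE = 8    # assumed block length; the page's BLOCKSIZE comes from aont.h
TAGLEN = 16      # HMAC-MD5 output length, as in the listing


def mac(key: bytes, block: bytes) -> bytes:
    return hmac.new(key, block, hashlib.md5).digest()


def random_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def chaff(data: bytes, key: bytes, num_chaff: int, rng: random.Random) -> bytes:
    """Split data into zero-padded BLOCKSIZE blocks, tag each one, and
    interleave num_chaff random (block, tag) pairs at distinct positions."""
    blocks = [data[i:i + BLOCKSIZE].ljust(BLOCKSIZE, b"\x00")
              for i in range(0, len(data), BLOCKSIZE)]
    total = len(blocks) + num_chaff
    chaff_positions = set(rng.sample(range(total), num_chaff))   # no repeats
    out, next_block = [], 0
    for i in range(total):
        if i in chaff_positions:
            out.append(random_bytes(rng, BLOCKSIZE + TAGLEN))   # fake block and fake tag
        else:
            block = blocks[next_block]
            next_block += 1
            out.append(block + mac(key, block))
    return b"".join(out)


def winnow(stream: bytes, key: bytes) -> bytes:
    """Keep only the blocks whose tag verifies under key, in stream order."""
    step = BLOCKSIZE + TAGLEN
    kept = []
    for off in range(0, len(stream) - step + 1, step):
        block = stream[off:off + BLOCKSIZE]
        tag = stream[off + BLOCKSIZE:off + step]
        if hmac.compare_digest(mac(key, block), tag):
            kept.append(block)
    return b"".join(kept)


def count_verified(stream: bytes, key: bytes) -> int:
    """Number of (block, tag) pairs in the stream that verify under key."""
    return len(winnow(stream, key)) // BLOCKSIZE
```

A receiver without the key sees only a uniform sequence of (block, tag) pairs; the fake tags are random, so nothing in the stream marks which pairs are chaff, and the wrong key winnows nothing.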

B.6 File: cw_aont_oaep.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <math.h>
#include <time.h>

#include "cw_lib.h"

#define NUMCHAFFS 128

/* the OAEP transforms are defined in oaep.c (B.3) */
void transform(FILE *in, FILE *out, int emLen);
void inversetransform(FILE *in, FILE *out);

void chaff(FILE *in, FILE *out, unsigned char *MACkey)
{
    int i, j, numblocks, chaffarray[NUMCHAFFS], arrayindex;
    long int filesize;
    FILE *tempfile;
    unsigned char currentblock[BLOCKSIZE], fakeblock[BLOCKSIZE + 16];
    unsigned char digest[16];

    /* get the size of the file */
    fseek(in, 0, SEEK_END);
    filesize = ftell(in);
    fseek(in, 0, SEEK_SET);

    /* apply aont (OAEP) to the file; emLen leaves room for pHash, PS,
       the separator and the seed beyond the message itself */
    tempfile = tmpfile();
    transform(in, tempfile, (int) filesize + 128);

    /* get the size of the temp file */
    fseek(tempfile, 0, SEEK_END);
    filesize = ftell(tempfile);
    fseek(tempfile, 0, SEEK_SET);

    numblocks = (int) floor((double) filesize / BLOCKSIZE);

    /*
     * compute where the chaff packets are going to go (random indices between 0
     * and number blocks in transformed file) - no repeated values
     */
    memset(chaffarray, 0, sizeof(chaffarray));
    chaffindices(NUMCHAFFS, numblocks, chaffarray);

    arrayindex = 0;
    for (i = 0; i < (numblocks + NUMCHAFFS); i++) {
        /* the bounds test stops the comparison reading past the end of
           chaffarray once every chaff position has been used */
        if (arrayindex < NUMCHAFFS && i == chaffarray[arrayindex]) {
            /* write a fake chaff block and MAC to output file */
            for (j = 0; j < BLOCKSIZE + 16; j++) {
                fakeblock[j] = rand() % 255;
            }
            fwrite(fakeblock, sizeof(char), BLOCKSIZE + 16, out);
            arrayindex++;
        } else {
            /* read in the next block */
            memset(currentblock, 0, BLOCKSIZE);
            fread(currentblock, sizeof(char), BLOCKSIZE, tempfile);

            /* write the block from the transformed file to the output file */
            fwrite(currentblock, sizeof(char), BLOCKSIZE, out);

            /* compute block's MAC */
            hmac_md5(currentblock, BLOCKSIZE, MACkey, strlen((char *) MACkey), digest);

            /* write the MAC to the output file */
            fwrite(digest, sizeof(unsigned char), 16, out);
        }
    }
}

void winnow(FILE *in, FILE *out, unsigned char *MACkey)
{
    unsigned char currentblock[BLOCKSIZE], currentMAC[16];
    unsigned char digest[16];
    FILE *tempfile;

    tempfile = tmpfile();

    /* read (block, MAC) pairs until the input runs out; testing the fread
       count avoids the extra pass that a feof()-controlled loop makes */
    for (;;) {
        /* read in next block of input file */
        memset(currentblock, 0, BLOCKSIZE);
        if (fread(currentblock, sizeof(char), BLOCKSIZE, in) != BLOCKSIZE)
            break;

        /* compute the MAC of this block */
        hmac_md5(currentblock, BLOCKSIZE, MACkey, strlen((char *) MACkey), digest);

        /* read MAC from file and compare with what has been calculated */
        memset(currentMAC, 0, 16);
        if (fread(currentMAC, sizeof(unsigned char), 16, in) != 16)
            break;

        /* memcmp is not constant-time; see the note in cw_aont_pt.c */
        if (memcmp(digest, currentMAC, 16) == 0) {
            /* write the decent block to output file */
            fwrite(currentblock, sizeof(char), BLOCKSIZE, tempfile);
        }
    }

    /* inverse transform the temporary file */
    fseek(tempfile, 0, SEEK_SET);
    inversetransform(tempfile, out);
}

int main(int argc, char **argv)
{
    FILE *in, *out;
    unsigned char *MACkey;

    srand((unsigned int) time(NULL));

    if (argc != 5) {
        printf("Type: 'cw [chaff|winnow] <passkey> <input file> <output file>'\n");
        exit(1);
    } else {
        in = fopen(argv[3], "rb");
        if (in == NULL) {
            printf("Error: can't open input file.\n");
            return 1;
        }

        out = fopen(argv[4], "wb");
        if (out == NULL) {
            printf("Error: can't open output file.\n");
            return 1;
        }

        MACkey = (unsigned char *) argv[2];

        if (strcmp(argv[1], "chaff") == 0) {
            printf("Chaffing file...\n");
            chaff(in, out, MACkey);
        } else if (strcmp(argv[1], "winnow") == 0) {
            printf("Winnowing file...\n");
            winnow(in, out, MACkey);
        } else {
            printf("Type: 'cw [chaff|winnow] <passkey> <input file> <output file>'\n");
            exit(1);
        }
    }
    return 0;
}

B.7 File: cw_hybrid_pt.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <math.h>
#include <time.h>

#include "cw_lib.h"
#include "aont.h"
#include "XySSL/rsa.h"

#define NUMCHAFFS 60
#define PTLEN 24
#define CTLEN 128

rsa_context private_context;
rsa_context public_context;

int chaff(FILE *in, FILE *out)
{
    int i, j, numblocks, arrayindex, check;
    int chaffarray[NUMCHAFFS], newchaffpositions[NUMCHAFFS];
    long int filesize;
    FILE *tempfile, *chafffile;
    unsigned char currentblock[BLOCKSIZE], fakeblock[BLOCKSIZE];
    unsigned char rsa_plaintext[PTLEN];
    unsigned char rsa_ciphertext[CTLEN];

    chafffile = tmpfile();

    /* apply aont to the file */
    tempfile = tmpfile();
    transform(in, tempfile);

    /* get the size of the file */
    fseek(tempfile, 0, SEEK_END);
    filesize = ftell(tempfile);
    fseek(tempfile, 0, SEEK_SET);

    numblocks = (int) floor((double) filesize / BLOCKSIZE);

    /*
     * compute where the chaff packets are going to go (random indices between 0
     * and number blocks in transformed file) - no repeated values.
     * In this scheme the positions are the secret that lets the receiver
     * winnow, and chaffindices() draws them from rand() seeded with the clock.
     */
    memset(chaffarray, 0, sizeof(chaffarray));
    chaffindices(NUMCHAFFS, numblocks, chaffarray);

    /* store the chaff array in big endian order */
    if (endian() == LITTLEENDIAN) {
        for (i = 0; i < NUMCHAFFS; i++) {
            newchaffpositions[i] = chaffarray[i];
            SWAP(newchaffpositions[i]);
        }
        fwrite(newchaffpositions, sizeof(int), NUMCHAFFS, chafffile);
    } else {
        fwrite(chaffarray, sizeof(int), NUMCHAFFS, chafffile);
    }

    fseek(chafffile, 0, SEEK_SET);

    /* encrypt authentication data: NUMCHAFFS * 4 octets of positions,
       PTLEN octets per RSA block, CTLEN octets of ciphertext each */
    for (i = 0; i < NUMCHAFFS * 4 / PTLEN; i++) {
        fread(rsa_plaintext, sizeof(char), PTLEN, chafffile);

        check = rsa_pkcs1_encrypt(&private_context, rsa_plaintext, PTLEN,
                                  rsa_ciphertext, CTLEN);
        if (check != 0) {
            printf("Encryption failed\n");
            return (1);
        }

        fwrite(rsa_ciphertext, sizeof(char), CTLEN, out);
    }

    arrayindex = 0;
    for (i = 0; i < (numblocks + NUMCHAFFS); i++) {
        /* the bounds test stops the comparison reading past the end of
           chaffarray once every chaff position has been used */
        if (arrayindex < NUMCHAFFS && i == chaffarray[arrayindex]) {
            /* write a fake chaff block to output file */
            for (j = 0; j < BLOCKSIZE; j++) {
                fakeblock[j] = rand() % 255;
            }
            fwrite(fakeblock, sizeof(char), BLOCKSIZE, out);
            arrayindex++;
        } else {
            /* read in the next block */
            memset(currentblock, 0, BLOCKSIZE);
            fread(currentblock, sizeof(char), BLOCKSIZE, tempfile);

            /* write the block from the transformed file to the output file */
            fwrite(currentblock, sizeof(char), BLOCKSIZE, out);
        }
    }
    return 0;
}

int winnow(FILE *in, FILE *out)
{
    unsigned char currentblock[BLOCKSIZE];
    int chaffarray[NUMCHAFFS];
    int len, i, check, numblocks;
    int arrayindex = 0;
    long filesize, location;
    FILE *tempfile, *rsafile;
    unsigned char rsa_decrypted[PTLEN];
    unsigned char rsa_ciphertext[CTLEN];

    rsafile = tmpfile();
    tempfile = tmpfile();

    /* get the size of the file */
    fseek(in, 0, SEEK_END);
    filesize = ftell(in);
    fseek(in, 0, SEEK_SET);

    /* decrypt authentication data */
    for (i = 0; i < NUMCHAFFS * 4 / PTLEN; i++) {
        fread(rsa_ciphertext, sizeof(char), CTLEN, in);

        len = sizeof(rsa_decrypted);
        check = rsa_pkcs1_decrypt(&private_context, rsa_ciphertext, CTLEN,
                                  rsa_decrypted, &len);
        if (check != 0) {
            printf("Decryption failed\n");
            return (1);
        }

        /* write to rsa file */
        fwrite(rsa_decrypted, sizeof(char), PTLEN, rsafile);
    }

    /* the data blocks start where the RSA blocks end */
    location = ftell(in);

    fseek(rsafile, 0, SEEK_SET);
    fread(chaffarray, sizeof(int), NUMCHAFFS, rsafile);

    /* positions were stored big endian; convert back on little endian hosts */
    if (endian() == LITTLEENDIAN) {
        for (i = 0; i < NUMCHAFFS; i++) {
            SWAP(chaffarray[i]);
        }
    }

    numblocks = (int) floor((double) (filesize - location) / BLOCKSIZE);

    i = 0;
    while (i < numblocks) {
        /* read in next block of input file */
        memset(currentblock, 0, BLOCKSIZE);
        fread(currentblock, sizeof(char), BLOCKSIZE, in);
        if (arrayindex < NUMCHAFFS && i == chaffarray[arrayindex]) {
            /* this position holds chaff: skip it */
            arrayindex++;
        } else {
            fwrite(currentblock, sizeof(char), BLOCKSIZE, tempfile);
        }
        i++;
    }

    /* inverse transform the temporary file */
    fseek(tempfile, 0, SEEK_SET);
    inversetransform(tempfile, out);
    return 0;
}

int main(int argc, char **argv)
{
    FILE *in, *out;

    srand((unsigned int) time(NULL));

    /* the RSA key pair is hard-coded below, so anyone who has this binary
       holds the private key that protects the chaff positions */
    memset(&private_context, 0, sizeof(private_context));

    private_context.len = 128;

    mpi_read(&private_context.N,
             "9292758453063D803DD603D5E777D788"
             "8ED1D5BF35786190FA2F23EBC0848AEA"
             "DDA92CA6C3D80B32C4D109BE0F36D6AE"
             "7130B9CED7ACDF54CFC7555AC14EEBAB"
             "93A89813FBF3C4F8066D2D800F7C38A8"
             "1AE31942917403FF4946B0A83D3D3E05"
             "EE57C6F5F5606FB5D4BC6CD34EE0801A"
             "5E94BB77B07507233A0BC7BAC8F90F79", 16);

    mpi_read(&private_context.E, "10001", 16);

    mpi_read(&private_context.D,
             "24BF6185468786FDD303083D25E64EFC"
             "66CA472BC44D253102F8B4A9D3BFA750"
             "91386C0077937FE33FA3252D28855837"
             "AE1B484A8A9A45F7EE8C0C634F99E8CD"
             "DF79C5CE07EE72C7F123142198164234"
             "CABB724CF78B8173B9F880FC86322407"
             "AF1FEDFDDE2BEB674CA15F3E81A1521E"
             "071513A1E85B5DFA031F21ECAE91A34D", 16);

    mpi_read(&private_context.P,
             "C36D0EB7FCD285223CFB5AABA5BDA3D8"
             "2C01CAD19EA484A87EA4377637E75500"
             "FCB2005C5C7DD6EC4AC023CDA285D796"
             "C3D9E75E1EFC42488BB4F1D13AC30A57", 16);

    mpi_read(&private_context.Q,
             "C000DF51A7C77AE8D7C7370C1FF55B69"
             "E211C2B9E5DB1ED0BF61D0D9899620F4"
             "910E4168387E3C30AA1E00C339A79508"
             "8452DD96A9A5EA5D9DCA68DA636032AF", 16);

    mpi_read(&private_context.DP,
             "C1ACF567564274FB07A0BBAD5D26E298"
             "3C94D22288ACD763FD8E5600ED4A702D"
             "F84198A5F06C2E72236AE490C93F07F8"
             "3CC559CD27BC2D1CA488811730BB5725", 16);

    mpi_read(&private_context.DQ,
             "4959CBF6F8FEF750AEE6977C155579C7"
             "D8AAEA56749EA28623272E4F7D0592AF"
             "7C1F1313CAC9471B5C523BFE592F517B"
             "407A1BD76C164B93DA2D32A383E58357", 16);

    mpi_read(&private_context.QP,
             "9AE7FBC99546432DF71896FC239EADAE"
             "F38D18D2B2F0E2DD275AA977E2BF4411"
             "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F"
             "A74206CEC169D74BF5A8C50D6F48EA08", 16);

    /* public context: a shallow copy, so both contexts share the limb
       storage behind N and E */
    memset(&public_context, 0, sizeof(rsa_context));
    memcpy(&public_context.N, &private_context.N, sizeof(private_context.N));
    memcpy(&public_context.E, &private_context.E, sizeof(private_context.E));
    memcpy(&public_context.len, &private_context.len, sizeof(private_context.len));

    if (argc != 4) {
        printf("Type: 'cw [chaff|winnow] <input file> <output file>'\n");
        exit(1);
    } else {
        in = fopen(argv[2], "rb");
        if (in == NULL) {
            printf("Error: can't open input file.\n");
            return 1;
        }

        out = fopen(argv[3], "wb");
        if (out == NULL) {
            printf("Error: can't open output file.\n");
            return 1;
        }

        if (strcmp(argv[1], "chaff") == 0) {
            printf("Chaffing file...\n");
            chaff(in, out);
        } else if (strcmp(argv[1], "winnow") == 0) {
            printf("Winnowing file...\n");
            winnow(in, out);
        } else {
            printf("Type: 'cw [chaff|winnow] <input file> <output file>'\n");
            exit(1);
        }
    }
    return 0;
}

B.8 File: cw_hybrid_oaep.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <math.h>
#include <time.h>

#include "cw_lib.h"
#include "XySSL/rsa.h"

#define NUMCHAFFS 120
#define PTLEN 24
#define CTLEN 128

/* the OAEP transforms are defined in oaep.c (B.3) */
void transform(FILE *in, FILE *out, int emLen);
void inversetransform(FILE *in, FILE *out);

rsa_context private_context;
rsa_context public_context;

int chaff(FILE *in, FILE *out)
{
    int i, j, numblocks, arrayindex, check;
    unsigned int chaffarray[NUMCHAFFS], newchaffpositions[NUMCHAFFS];
    long int filesize, in_size;
    FILE *tempfile, *chafffile;
    unsigned char currentblock[BLOCKSIZE], fakeblock[BLOCKSIZE];
    unsigned char rsa_plaintext[PTLEN];
    unsigned char rsa_ciphertext[CTLEN];

    chafffile = tmpfile();

    /* get the size of the input file */
    fseek(in, 0, SEEK_END);
    in_size = ftell(in);
    fseek(in, 0, SEEK_SET);

    /* apply oaep to the file; emLen leaves room for pHash, PS,
       the separator and the seed beyond the message itself */
    tempfile = tmpfile();
    transform(in, tempfile, in_size + 100);

    /* get the size of the temporary file */
    fseek(tempfile, 0, SEEK_END);
    filesize = ftell(tempfile);
    fseek(tempfile, 0, SEEK_SET);

    numblocks = (int) floor((double) filesize / BLOCKSIZE);

    /*
     * compute where the chaff packets are going to go (random indices between 0
     * and number blocks in transformed file) - no repeated values
     */
    memset(chaffarray, 0, sizeof(chaffarray));
    chaffindices(NUMCHAFFS, numblocks, (int *) chaffarray);

    /* store the chaff array in big endian order: swap on little endian hosts */
    if (endian() == LITTLEENDIAN) {
        for (i = 0; i < NUMCHAFFS; i++) {
            newchaffpositions[i] = chaffarray[i];
            SWAP(newchaffpositions[i]);
        }
        fwrite(newchaffpositions, sizeof(int), NUMCHAFFS, chafffile);
    } else {
        fwrite(chaffarray, sizeof(int), NUMCHAFFS, chafffile);
    }

    fseek(chafffile, 0, SEEK_SET);

    /* encrypt authentication data: NUMCHAFFS * 4 octets of positions,
       PTLEN octets per RSA block, CTLEN octets of ciphertext each */
    for (i = 0; i < NUMCHAFFS * 4 / PTLEN; i++) {
        fread(rsa_plaintext, sizeof(char), PTLEN, chafffile);

        check = rsa_pkcs1_encrypt(&private_context, rsa_plaintext, PTLEN,
                                  rsa_ciphertext, CTLEN);
        if (check != 0) {
            printf("Encryption failed\n");
            return (1);
        }

        fwrite(rsa_ciphertext, sizeof(char), CTLEN, out);
    }

    arrayindex = 0;
    for (i = 0; i < (numblocks + NUMCHAFFS); i++) {
        /* the bounds test stops the comparison reading past the end of
           chaffarray once every chaff position has been used */
        if (arrayindex < NUMCHAFFS && (unsigned int) i == chaffarray[arrayindex]) {
            /* write a fake chaff block to output file */
            for (j = 0; j < BLOCKSIZE; j++) {
                fakeblock[j] = rand() % 255;
            }
            fwrite(fakeblock, sizeof(char), BLOCKSIZE, out);
            arrayindex++;
        } else {
            /* read in the next block */
            memset(currentblock, 0, BLOCKSIZE);
            fread(currentblock, sizeof(char), BLOCKSIZE, tempfile);

            /* write the block from the transformed file to the output file */
            fwrite(currentblock, sizeof(char), BLOCKSIZE, out);
        }
    }
    return 0;
}

int winnow(FILE *in, FILE *out)
{
    unsigned char currentblock[BLOCKSIZE];
    int len, i, check, numblocks;
    unsigned int chaffarray[NUMCHAFFS];
    int arrayindex = 0;
    long filesize, location;
    FILE *tempfile, *rsafile;
    unsigned char rsa_decrypted[PTLEN];
    unsigned char rsa_ciphertext[CTLEN];

    rsafile = tmpfile();
    tempfile = tmpfile();

    /* get the size of the file */
    fseek(in, 0, SEEK_END);
    filesize = ftell(in);
    fseek(in, 0, SEEK_SET);

    /* decrypt authentication data */
    for (i = 0; i < NUMCHAFFS * 4 / PTLEN; i++) {
        fread(rsa_ciphertext, sizeof(char), CTLEN, in);

        len = sizeof(rsa_decrypted);
        check = rsa_pkcs1_decrypt(&private_context, rsa_ciphertext, CTLEN,
                                  rsa_decrypted, &len);
        if (check != 0) {
            printf("Decryption failed\n");
            return (1);
        }

        /* write to rsa file */
        fwrite(rsa_decrypted, sizeof(char), PTLEN, rsafile);
    }

    /* the data blocks start where the RSA blocks end */
    location = ftell(in);

    fseek(rsafile, 0, SEEK_SET);
    fread(chaffarray, sizeof(int), NUMCHAFFS, rsafile);

    /* positions were stored big endian; convert back on little endian hosts */
    if (endian() == LITTLEENDIAN) {
        for (i = 0; i < NUMCHAFFS; i++) {
            SWAP(chaffarray[i]);
        }
    }

    numblocks = (int) floor((double) (filesize - location) / BLOCKSIZE);

    i = 0;
    while (i < numblocks) {
        /* read in next block of input file */
        memset(currentblock, 0, BLOCKSIZE);
        fread(currentblock, sizeof(char), BLOCKSIZE, in);

i f ( i == cha f f a r r ay [ ar ray index ] ) {array index++;

}else{

fw r i t e ( currentb lock , s izeof (char ) , BLOCKSIZE,t emp f i l e ) ;

}i++;

}

/∗ i n ve r s e transform the temporary f i l e ∗/f s e e k ( tempf i l e , 0 , SEEK SET) ;

i nv e r s e t r an s f o rm ( tempf i l e , out ) ;}

int main ( int argc , char ∗∗ argv ){

int i ;FILE ∗ in , ∗out ;

srand ( (unsigned int ) time (NULL) ) ;

memset ( &pr iva t e con t ex t , 0 , s izeof ( p r i v a t e c on t ex t ) ) ;

p r i v a t e c on t ex t . l en = 128 ;

mpi read ( &pr i v a t e c on t ex t .N ,”9292758453063D803DD603D5E777D788” \

”8ED1D5BF35786190FA2F23EBC0848AEA”\

”DDA92CA6C3D80B32C4D109BE0F36D6AE”\

”7130B9CED7ACDF54CFC7555AC14EEBAB”\

”93A89813FBF3C4F8066D2D800F7C38A8”\

”1AE31942917403FF4946B0A83D3D3E05”\

”EE57C6F5F5606FB5D4BC6CD34EE0801A”\

”5E94BB77B07507233A0BC7BAC8F90F79” ,16 ) ;

mpi read ( &pr i v a t e c on t ex t .E , ”10001” , 16 ) ;mpi read ( &pr i v a t e c on t ex t .D ,

”24BF6185468786FDD303083D25E64EFC” \”66CA472BC44D253102F8B4A9D3BFA750”

\”91386C0077937FE33FA3252D28855837”

\”AE1B484A8A9A45F7EE8C0C634F99E8CD”

\”DF79C5CE07EE72C7F123142198164234”

\”CABB724CF78B8173B9F880FC86322407”

\”AF1FEDFDDE2BEB674CA15F3E81A1521E”

Page 78: Investigating Chaffing and Winnowing: …mdv/courses/CM30082/projects.bho/2006...Investigating Chaffing and Winnowing: Confidentiality Without Encryption James Daniel Smith Batchelor

AP

PE

ND

IXB

.C

OD

E66

\”071513A1E85B5DFA031F21ECAE91A34D” ,

16 ) ;

mpi read ( &pr i v a t e c on t ex t .P ,”C36D0EB7FCD285223CFB5AABA5BDA3D8” \

”2C01CAD19EA484A87EA4377637E75500”\

”FCB2005C5C7DD6EC4AC023CDA285D796”\

”C3D9E75E1EFC42488BB4F1D13AC30A57” ,16 ) ;

mpi read ( &pr i v a t e c on t ex t .Q ,”C000DF51A7C77AE8D7C7370C1FF55B69” \

”E211C2B9E5DB1ED0BF61D0D9899620F4”\

”910E4168387E3C30AA1E00C339A79508”\

”8452DD96A9A5EA5D9DCA68DA636032AF” ,16 ) ;

mpi read ( &pr i v a t e c on t ex t .DP,”C1ACF567564274FB07A0BBAD5D26E298” \

”3C94D22288ACD763FD8E5600ED4A702D”\

”F84198A5F06C2E72236AE490C93F07F8”\

”3CC559CD27BC2D1CA488811730BB5725” ,16 ) ;

mpi read ( &pr i v a t e c on t ex t .DQ,”4959CBF6F8FEF750AEE6977C155579C7” \

”D8AAEA56749EA28623272E4F7D0592AF”\

”7C1F1313CAC9471B5C523BFE592F517B”\

”407A1BD76C164B93DA2D32A383E58357” ,16 ) ;

mpi read ( &pr i v a t e c on t ex t .QP,”9AE7FBC99546432DF71896FC239EADAE” \

”F38D18D2B2F0E2DD275AA977E2BF4411”\

”F5A3B2A5D33605AEBBCCBA7FEB9F2D2F”\

”A74206CEC169D74BF5A8C50D6F48EA08” ,16 ) ;

memset(&pub l i c contex t , 0 , s izeof ( r s a c on t ex t ) ) ;

memcpy(&pub l i c c on t ex t .N, &pr i v a t e c on t ex t .N,s izeof ( p r i v a t e c on t ex t .N) ) ;

memcpy(&pub l i c c on t ex t .E, &pr i v a t e c on t ex t .E,s izeof ( p r i v a t e c on t ex t .E) ) ;

memcpy(&pub l i c c on t ex t . len , &p r i v a t e c on t ex t . len ,s izeof ( p r i v a t e c on t ex t . l en ) ) ;

i f ( argc != 4){

p r i n t f ( ”Type : ’ cw [ cha f f | winnow ] <input f i l e ><output f i l e > ’\n” ) ;

e x i t (1 ) ;}else {

in = fopen ( argv [ 2 ] , ” rb” ) ;i f ( in == NULL) {

p r i n t f ( ”Error : can ’ t open input f i l e .\n” ) ;return 1 ;

}

out = fopen ( argv [ 3 ] , ”wb” ) ;i f ( out == NULL) {

p r i n t f ( ”Error : can ’ t open output f i l e .\n” ) ;return 1 ;

}

i f ( strcmp ( argv [ 1 ] , ” c h a f f ” ) == 0){

srand ( (unsigned int ) time (NULL) ) ;c h a f f ( in , out ) ;

} else i f ( strcmp ( argv [ 1 ] , ”winnow” ) == 0){

winnow( in , out ) ;}else {

p r i n t f ( ”Type : ’ cw [ cha f f | winnow ] <input f i l e ><output f i l e > ’\n” ) ;

e x i t (1 ) ;}

}

}