Editing Chaffing and winnowing (section)

== How it works ==

{| class="infobox" style="text-align:center; width:1px"
|
|secure channel
|
|insecure channel
|- style="font-size:150%;"
! valign="bottom"|'''Alice'''
| style="font-size:300%;line-height:0;"|→
! valign="bottom"|'''Charles'''
| style="font-size:300%;line-height:0;"|→
! valign="bottom"|'''Bob'''
|-
| valign="top"|constructs 4 packets, each containing one bit of her message and a valid MAC
|
{| border="1" cellspacing="0"
|-
! Serial !! Bit !! MAC
|-
| '''1''' || '''1''' || '''234'''
|-
| '''2''' || '''0''' || '''890'''
|-
| '''3''' || '''0''' || '''456'''
|-
| '''4''' || '''1''' || '''678'''
|}
| valign="top"|adds 4 chaff packets with inverted bits and invalid MAC, shown in ''italics'' ('''chaffing''')
|
{| border="1" cellspacing="0"
|-
! Serial !! Bit !! MAC
|-
| ''1'' || ''0'' || ''321''
|-
| '''1''' || '''1''' || '''234'''
|-
| '''2''' || '''0''' || '''890'''
|-
| ''2'' || ''1'' || ''987''
|-
| '''3''' || '''0''' || '''456'''
|-
| ''3'' || ''1'' || ''543''
|-
| ''4'' || ''0'' || ''765''
|-
| '''4''' || '''1''' || '''678'''
|}
| valign="top"|discards packets with invalid MAC to recover the message ('''winnowing''')
|-
| colspan=5|<hr />In this example, Alice wishes to send the message "1001" to Bob. For simplicity, assume that all even MAC are valid and odd ones are invalid.
|}

The sender ([[Alice and Bob|Alice]]) wants to send a message to the receiver ([[Alice and Bob|Bob]]). In the simplest setup, Alice enumerates the symbols in her message and sends out each in a separate [[Packet (information technology)|packet]]. If the symbols are complex enough, such as natural language text, an attacker may be able to distinguish the real symbols from poorly faked chaff symbols, posing a similar problem as steganography in needing to generate highly realistic fakes; to avoid this, the symbols can be reduced to just single 0/1 bits, and realistic fakes can then be simply randomly generated 50:50 and are indistinguishable from real symbols. In general the method requires each symbol to arrive in-order and to be authenticated by the receiver. When implemented over networks that may change the order of packets, the sender places the symbol's serial number in the packet, the symbol itself (both unencrypted), and a [[message authentication code]] (MAC). Many MACs use a [[secret key]] Alice shares with Bob, but it is sufficient that the receiver has a method to authenticate the packets.

Rivest notes an interesting property of chaffing-and-winnowing is that third parties (such as an ISP) can opportunistically add it to communications without needing permission or coordination with the sender/recipient. A third-party (dubbed [[Alice and Bob|"Charles"]]) who transmits Alice's packets to Bob, interleaves the packets with corresponding bogus packets (called "chaff") with corresponding serial numbers, arbitrary symbols, and a random number in place of the MAC. Charles does not need to know the key to do that (real MACs are large enough that it is extremely unlikely to generate a valid one by chance, unlike in the example). Bob uses the MAC to find the authentic messages and drops the "chaff" messages. This process is called "winnowing".

An eavesdropper located between Alice and Charles can easily read Alice's message. But an eavesdropper between Charles and Bob would have to tell which packets are bogus and which are real (i.e. to winnow, or "separate the wheat from the chaff"). That is infeasible if the MAC used is secure and Charles does not leak any information on packet authenticity (e.g. via timing).

If a fourth party joins the example (named [[Alice and Bob|Darth]]) who wants to send counterfeit messages to impersonate Alice, it would require Alice to disclose her secret key. If Darth cannot force Alice to disclose an authentication key (the knowledge of which would enable him to forge messages from Alice), then her messages will remain confidential. Charles, on the other hand, is no target of Darth's at all, since Charles does not even possess any secret keys that could be disclosed.