throbber
4/14/2019
`
`people.csail.mit.edu/rivest/chaffing-980701.txt
`
`Chaffing and Winnowing: Confidentiality without Encryption
`
`
`
`
`
`
`
`
`
`
`
`Ronald L. Rivest
`MIT Lab for Computer Science
`March 18, 1998 (rev. July 1, 1998)
`http://theory.lcs.mit.edu/~rivest/chaffing.txt
`
`
`
`
`
`
`
`
`
` A
`
` major goal of security techniques is ``confidentiality''---ensuring that
`adversaries gain no intelligence from a transmitted message. There are
`two major techniques for achieving confidentiality:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`This paper introduces a new technique, which we call ``chaffing and
`winnowing''---to winnow is to ``separate out or eliminate (the poor
`or useless parts),'' (Webster's Dictionary), and is often used when
`referring to the process of separating grain from chaff.
`
`Novel techniques for confidentiality are interesting in part because
`of the current debate about cryptographic policy as to whether law
`enforcement should be given when authorized surreptitious access to
`the plaintext of encrypted messages. The usual technique proposed for
`such access is ``key recovery,'' where law enforcement has a ``back
`door'' that enables them to recover the decryption key.
`
`Winnowing does not employ encryption, and so does not have a
```decryption key.'' Thus, the usual arguments in favor of ``key
`recovery'' don't apply very well for winnowing. As usual, the policy
`debate about regulating technology ends up being obsoleted by
`technological innovations. Trying to regulate confidentiality by
`regulating encryption closes one door and leaves two open
`(steganography and winnowing).
`
`We now explain how a confidentiality system based on winnowing works.
`There are two parts to sending a message: authenticating (adding
`MACs), and adding chaff. The recipient removes the chaff to obtain
`the original message.
`
`The sender breaks the message into packets, and authenticates each
`packet using a secret authentication key. That is, the sender appends
`to each packet a ``message authentication code'' or ``MAC'' computed
`as a function of the packet contents and the secret authentication
`key, using some standard MAC algorithm, such as HMAC-SHA1 (see
`Krawczyk et al. (1997)). We have the transformation of appending a
`MAC thus:
`
`
`
`
`-- Steganography: the art of hiding a secret message within a
`
`larger one in such a way that the adversary can not
`
`discern the presence or contents of the hidden message.
`
`For example, a message might be hidden within a picture
`
`by changing the low-order pixel bits to be the message bits.
`
`(See Wayner (1996) for more information on steganography.)
`
`-- Encryption: transforming the message to a ciphertext such that
`
`an adversary who overhears the ciphertext can not determine
`
`the message sent. The legitimate receiver possesses a secret
`
`decryption key that allows him to reverse the encryption
`
`transformation and retrieve the message. The sender may have
`
`used the same key to encrypt the message (with symmetric
`
`encryption schemes) or used a different, but related key
`
`(with public-key schemes). DES and RSA are familiar
`
`examples of encryption schemes.
`
`packet --> packet, MAC
`
`people.csail.mit.edu/rivest/chaffing-980701.txt
`
`1/8
`
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00886 (US 8,539,047)
`Exhibit 2018
`
`

`

`people.csail.mit.edu/rivest/chaffing-980701.txt
`4/14/2019
`The packet is still ``in the clear''; no encryption has been
`performed. We note that software that merely authenticates messages
`by adding MACs is automatically approved for export, as it is deemed
`not to encrypt.
`
`There is a secret key shared by the sender and the receiver to
`authenticate the origin and contents of each packet---the legitimate
`receiver, knowing the secret authentication key, can determine that a
`packet is authentic by recomputing the MAC and comparing it to the
`received MAC. If the comparison fails, the packet and its MAC are
`automatically discarded. The sender and the receiver can initially
`create and agree upon the secret authentication key with any standard
`technique, such as authenticated Diffie-Hellman.
`
`We note that it is typical for each packet to contain a serial number
`as well. For example, when a long file is transmitted it is broken up
`into smaller packets, and each packet carries a unique serial number.
`The serial numbers help the receiver to remove duplicate packets,
`identify missing packets, and to correctly order the received packets
`when reassembling the file. The MAC for a packet is computed as a
`function of the serial number of the packet as well as of the packet
`contents and the secret authentication key. As an example, we might
`have a sequence of the form:
`
`(1,Hi Bob,465231)
`
`(2,Meet me at,782290)
`
`(3,7PM,344287)
`
`(4,Love-Alice,312265)
`of triples of sequence number, message, and MAC.
`
`The second process involved in sending a message is ``adding chaff'':
`adding fake packets with bogus MACs. The chaff packets have the
`correct overall format, have reasonable serial numbers and reasonable
`message contents, but have MACs that are not valid. The chaff packets
`may be randomly intermingled with the good (wheat) packets to form the
`transmitted packet sequence. Extending the preceding example, chaff
`packets might make the received sequence look like:
`
`(1,Hi Larry,532105)
`
`(1,Hi Bob,465231)
`
`(2,Meet me at,782290)
`
`(2,I'll call you at,793122)
`
`(3,6PM,891231)
`
`(3,7PM,344287)
`
`(4,Yours-Susan,553419)
`
`(4,Love-Alice,312265)
`In this case, for each serial number, one packet is good (wheat) and
`one is bad (chaff). Instead of randomly intermingling the chaff with
`the wheat, the packets can also be output in sorted order, sorting
`first by serial number, and then by message contents.
`
`To obtain the correct message, the receiver merely discards all of the
`chaff packets, and retains the wheat packets. But this is what the
`receiver does anyway! In a a typical packet-based communication
`system the receiver will automatically discard all packets with bad
`MACs. So the ``winnowing'' process is a normal part of such a system.
`(Receiving a packet with a bad MAC could conceivably trigger more of a
`response from the receiver, but not normally; the detection of a
`missing packet is determined at a different level of the protocol
`stack, rather than upon receipt of a bad packet, since the packet may
`have been transmitted more than once and been received OK already.)
`
`Let us verb a word, and let ``chaffing'' mean the process of adding
`chaff to a sequence of packets. As above, ``winnowing'' is the (usual)
`process of discarding all packets with bad MACs. We call the good
`packets ``wheat'' for consistency of metaphor.
`
`
`people.csail.mit.edu/rivest/chaffing-980701.txt
`
`2/8
`
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00886 (US 8,539,047)
`Exhibit 2018
`
`

`

`people.csail.mit.edu/rivest/chaffing-980701.txt
`4/14/2019
`How much confidentiality does chaffing provide? This depends on the
`MAC algorithm, on how the original message is broken into packets, and
`on how the chaffing is done.
`
` A
`
` typical MAC algorithm (such as HMAC-SHA1) will appear to act like a
```random function'' to the adversary, and in such a case the adversary
`will not be able to distinguish wheat from chaff. It is possible in
`principle, however, to have an unfortunate MAC algorithm that
```leaks'' information about the message being MAC'ed, allowing the
`adversary to gain an advantage in distinguishing wheat from chaff.
`For example, one could define a LEAKY-HMAC-SHA1 MAC algorithm to have
`an output that is the concatenation of the output of the HMAC-SHA1
`algorithm together with the low-order bit of the message being MAC'ed.
`However, in practice (and in theory) one looks for MAC algorithms that
`are indistinguishable from random functions, and such algorithms
`also work fine in a chaffing and winnowing application.
`
`Note that the problem of providing confidentiality by chaffing and
`winnowing is based on the difficulty (for the adversary) of
`distinguishing the chaff from the wheat. It is *not* based on the
`difficulty of breaking an encryption scheme, since there is no
`encryption being performed (although confidentiality may be obtained
`nonetheless, just as for steganography).
`
`If the adversary sees only one packet with a given serial number, then
`that packet is probably wheat, and not chaff. So a good chaffing
`process will add at least one chaff packet for each packet serial
`number used by the message.
`
`The adversary may also distinguish wheat from chaff by the contents of
`each packet. If the wheat packets each contains an English sentence,
`while the chaff packets contain random bits, then the adversary will
`have no difficulty in winnowing the wheat from the chaff himself.
`
`On the other hand, if each wheat packet contains a single bit, and
`there is a chaff packet with the same serial number containing the
`complementary bit, then the adversary will have a very difficult
`(essentially impossible) task. Being able to distinguish wheat from
`chaff would require him to break the MAC algorithm and/or know the
`secret authentication key used to compute the MACs. With a good MAC
`algorithm, the adversary's ability to winnow is nonexistant, and the
`chaffing process provides perfect confidentiality of the message
`contents. To make this clearer with an example, note that the adversary
`will see triples of the form:
`
`(1,0,351216)
`
`(1,1,895634)
`
`(2,0,452412)
`
`(2,1,534981)
`
`(3,0,639723)
`
`(3,1,905344)
`
`(4,0,321329)
`
`(4,1,978823)
`
`...
`and so on.
`
` I
`
` stress that the sending process for chaffing and winnowing is not
`encryption; it is authentication (adding MACs) followed by adding
`chaff.
`
`Let us assume that the original message is broken into very short
`(one-bit) packets, and that MACs have been added to each such packet
`to create the wheat packets. (There is some obvious inefficiency
`here, since each wheat packet may end up being, say about 100 bits
`long, but only transmits one bit. Here each MAC might be 64 bits in
`length, and each serial number 32 bits long. Additional bits might
`
`people.csail.mit.edu/rivest/chaffing-980701.txt
`
`3/8
`
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00886 (US 8,539,047)
`Exhibit 2018
`
`

`

`people.csail.mit.edu/rivest/chaffing-980701.txt
`4/14/2019
`also be present to identify sender, receiver, etc.)
`
`Such a message sequence is not encrypted, and the process for creating
`such a message sequence would presumably not be export-controlled, since
`the message bits are ``in the clear'' and nicely labelled with serial
`numbers.
`
`The process of creating chaff is also easy: just create a chaff packet
`with whatever serial number and packet contents you may like, and
`include a random 64-bit MAC value. This MAC value is overwhelmingly
`likely to be bad, and thus the packet created is overwhelmingly likely
`to be chaff. (The chances of creating a good packet are one in
`2**64---approximately one in 10**19---which is effectively
`negligible.) The person creating the chaff (the ``chaffer'') would do
`so having seen the wheat packets, and would make chaff packets up that
`have the same serial numbers as the wheat packets do, but with
`complementary packet contents. Again, it is assumed here that an
`adversary, not knowing the secret authentication key, can not
`distinguish a good (wheat) packet from a bad (chaff) one.
`
`It is especially intriguing to now observe that creating chaff does
`not require knowledge of the secret authentication key! That is,
`creating chaff is done by creating bogus packets with bogus randomly
`guessed (and thus bad) MACs; to randomly guess a MAC requires no
`knowledge of the secret authentication key.
`
`We could thus have the following intriguing scenario: Alice is
`communicating with Bob using a standard packet-based communication
`scheme. Each packet is authenticated with a MAC created using a
`secret authentication key known only to Alice and Bob. (In practice,
`they might use a different key for packets in each direction, although
`this is not necessary if the packet contents identify sender and
`receiver.) Furthermore, each packet happens to contain only a single
```message bit.'' (Alice wrote their software, and it contained a bug
`that caused this unusual behavior.)
`
`So far, Alice and Bob are not encrypting anything, and are using
`standard messaging techniques that would not be considered as
`encryption and that would not be export-controlled. Alice and Bob
`have no intention of achieving confidentiality of their messages from
`an eavesdropper.
`
`Now, Alice's packets to Bob may be routed from her computer through
`the computer of her Internet service provider, run by Charles, on
`another floor of her building, before being sent on to more major
`trunks of the Internet and then on to Bob.
`
`Charles' computer, for whatever reason, then adds ``chaff'' packets to
`the packet sequence from Alice to Bob. All of sudden, Charles'
`activities provide a very high degree of confidentiality for the
`communications between Alice and Bob! Alice's and Bob's software have
`not been modified in the least to achive this confidentiality!
`Charles does not know the secret authentication key used between Alice
`and Bob! Alice and Bob did not even want or care to have confidential
`communications! Charles is not using encryption and does not know
`any encryption key! Amazing!
`
`Clearly, the cause of the confidentiality is Charles's activities, but
`Charles has no encryption key or decryption key that he could give to
`law enforcement. Alice and Bob share an authentication key, but do
`not perform any encryption, and have no encryption or decryption keys.
`
`Law enforcement may be able to tap the (unencrypted) line from Alice
`to Charles, but that might be difficult to arrange without Alice's
`knowledge, as Alice and Charles are in the same building, and may even
`
`people.csail.mit.edu/rivest/chaffing-980701.txt
`
`4/8
`
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00886 (US 8,539,047)
`Exhibit 2018
`
`

`

`people.csail.mit.edu/rivest/chaffing-980701.txt
`4/14/2019
`be friendly or colluding. While Charles' chaffing activities may be
`suspicious, they don't consitute encryption and don't involve any
`knowledge of keys on his part; there is no key information he could
`give to any law enforcement agency.
`
`In a variation on the above scenario, Charles is not ``adding chaff''
`but merely multiplexing the stream of packets from Alice to Bob with
`another stream of packets (say from David to Elaine). To Bob, the
`stream of packets from David to Elaine looks like chaff, and is
`discarded. But to Elaine, the converse holds, and she discards the
`stream of packets from Alice to Bob as chaff. What is wheat to one
`pair of communicants is chaff to the other pair, and vice versa. Such
`a situation could arise where Charles is managing a broadcast channel
`such as a satellite link; here both parties naturally receive the
`stream of intermingled packets. If the only way to distinguish one stream
`from another is by the correctness of the MACs, then an adversary will have
`a hard time separating the streams. (Of course, if there are exactly two
`streams being multiplexed, then Alice and Bob can read the stream from
`David to Elaine, and vice versa.)
`
`In such a scenario, the obvious tack for law enforcement to take would
`be to demand to have access to the secret authentication key shared by
`Alice and Bob. But access to authentication keys is one thing that
`government has long agreed that they don't want to have. Having such
`access would allow the government to forge authentic-looking packets
`for any pair of parties that are communicating. This is way beyond
`mere access to encrypted communications, as loss of such
`authentication keys could wreak massive havoc to the structure and
`integrity of the entire Internet, allow hackers not only to overhear
`private messages, but to actually control computers, perhaps to shut
`down power systems or to airline traffic control systems, etc. The
`power to authenticate is in many cases the power to control, and
`handing all authentication power to the government is beyond all
`reason, even if it were for well-motivated law-enforcement reasons;
`the security risks would be totally unacceptable.
`
`One could imagine that Alice and Bob are merely authenticating their
`packets to each other, and that it is not Charles but instead a rogue
`law enforcement agent who is introducing the chaff, and then
`introducing the authenticated and chaffed message as potential
`justification to a judge for demanding the authentication key shared
`by Alice and Bob. If law enforcement had unrestricted right to
`plaintext, then it could demand surreptitious access to all
`authentication keys, even when confidentiality techniques were not
`being used by the participants! Again, such risks are too great to be
`accepted.
`
`Similarly, a rogue law enforcement agent could introduce the chaff to
`Alice and Bob's authenticated packet stream, and then attempt to bring
`Alice and Bob to court for violating some anti-encryption or
`anti-confidentiality law. How can Alice and Bob defend themselves
`against this framing attack? They did nothing but send authenticated
`packets to each other! Again, this shows the difficulty (or
`impossibility) of drafting any kind of reasonable law restricting
`encryption or confidentiality technology.
`
`It is possible to make the chaffing and winnowing technique much more
`efficient, allowing many bits per packet instead of just one. Here is
`one approach. Suppose Alice has a one-megabit message. She might
`pre-process the message using an ``all-or-nothing'' or ``package
`transform'' (Rivest 1997)---this is a keyless (non-encryption)
`transform that takes the message and produces a ``packaged message''
`with the property that the recipient (Bob) can't produce the original
`message unless he has received the entire packaged message. The
`packaging operation can be undone by anyone who receives the packaged
`
`people.csail.mit.edu/rivest/chaffing-980701.txt
`
`5/8
`
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00886 (US 8,539,047)
`Exhibit 2018
`
`

`

`people.csail.mit.edu/rivest/chaffing-980701.txt
`4/14/2019
`message; as noted, packaging is not encryption and there are no shared
`secret keys involved in the packaging operation. Alice might want to
`do so because she wants to ensure that Bob either sees all of the
`message or none of it; he doesn't ever see just part of it. Unless
`the entire packaged message is received, the parts received
`effectively look like random noise.
`
`Alice then breaks her packaged message into 1024-bit blocks,
`authenticates each block with a MAC, and transmits the result to Bob.
`This message is packaged and authenticated, but not encrypted: an
`eavesdropper can easily reconstruct the message given all of the
`blocks.
`
`However, Charles can add 1024-bit chaff blocks, where each chaff block
`has 1024 bits of random data and a random (and presumably wrong) MAC.
`Again, adding the chaff provides extremely strong confidentiality,
`since an eavesdropper can not distinguish the chaff from the wheat.
`Other transforms, besides the packaging transform, might work as well.
`
`For an adversary, the difficulty of separating the wheat blocks from
`the chaff will be proportional to the number of ways a subsequence of
`blocks can be picked as and tested for being wheat; this will be
`exponential in the total number of blocks, assuming that the fraction
`of chaff blocks is guaranteed not to be close to zero or close to one.
`We note that when packaging is used, it is not necessary to have as
`many chaff packets as wheat packets, since the adversary must identify
`the wheat packets precisely (with no omissions or deletions) in order
`to retrieve the message. Thus, for long messages, the relative number
`of chaff packets needed can be quite small, and the extra bandwidth
`required for transmitting chaff might be insignificant in practice.
`
`Chaffing and winnowing bear some relationship to steganography. I am
`reminded of the steganographic technique of sending an
`innocuous-looking letter whose letters are written in two different,
`but very similar fonts. By erasing all letters in one font, the
`hidden message written in the other font, remains. For this technique
`(as with most steganographic techniques), security rests on the
`assumption that the adversary will not notice the use of two fonts.
`With chaffing and winnowing, the adversary may know (or suspect) that
`there are two different kinds of packets, but he is unable to
`distinguish them because he does not possess the secret authentication
`key.
`
`Chaffing and winnowing also bear some resemblance to encryption
`techniques. Indeed, the process of authenticating packets and then
`adding chaff achieves confidentiality, and so qualifies as encryption
`by anyone who uses a definition of encryption that is so broad as to
`include all techniques for achieving confidentiality. But this fails
`to note the special structure here, wherein a non-encrypting
`key-dependent first step (adding authentication) followed by a
`non-encrypting keyless second step (adding chaff) achieves
`confidentiality. Since the second step can be performed by anyone
`(e.g. Charles in our example), and since the first step (adding
`authentication) may be performed for other good reasons, we see
`something novel, where strong confidentiality can even be obtained
`without the knowledge and permission of the original sender.
`(Variations on chaffing and winnowing, such as omitting the plaintext
`bits altogether and letting the receiver infer them from the MAC's, destroy
`these nice properties.)
`
` I
`
` note that the use of MAC's can be replaced by digital signatures.
`Not the ordinary kind of digital signatures, since then anyone would
`be able to distinguish wheat from chaff. But the recent ``designated
`verifier signatures'' of Jakobsson, Sako, and Impaglizazzo (Jakobsson
`et al '96), which can only be verified by those the signer designates,
`
`people.csail.mit.edu/rivest/chaffing-980701.txt
`
`6/8
`
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00886 (US 8,539,047)
`Exhibit 2018
`
`

`

`people.csail.mit.edu/rivest/chaffing-980701.txt
`4/14/2019
`would work fine. (Chaum has also independently invented the
`same concept.)
`
` I
`
` note that it is possible for a stream of packets to contain more
`than one subsequence of ``wheat'' packets, in addition to the chaff
`packets. Each wheat subsequence would be recognized separately using
`a different authentication key. One interesting consequence of this
`is that if law enforcement were to demand to see an authentication key
`so it could identify the wheat, the sender could yield up one such key
`that identifies a wheat subsequence containing an innocuous message as
`the wheat, and leaving everything else as ``chaff''. The real message
`would still be buried in the chaff. This is reminiscent of the
`technique of ``deniable encryption'' proposed by Canetti et
`al. (1997).
`
`In the chaffing and winnow approach, Alice and Bob use standard
`authentication techniques, and then someone adds chaff to the sequence
`of authenticated packets. It is worth observing that Alice and Bob
`can obtain a covert or subliminal channel by replacing a portion of
`each MAC for an ordinary message by a portion of the ciphertext for a
`hidden message. Without an authentication key, law enforcement cannot
`detect this channel. But this is outside our model.
`
`It is also worth noting that the ability to bootstrap from
`authentication techniques to confidentiality mechanisms is not new.
`For example, two parties can use authenticated Diffie-Hellman to agree
`upon an encryption key. In such a case, the parties initially have
`only each other's signature verification keys. After the protocol is
`over, they have a secret shared key that they can use for encryption
`purposes. Chaffing and winnowing differ in that the two parties
`involved may not even explicitly take any steps to achieve
`confidentiality (if someone else is adding the chaff).
`
`Another example of using authentication to achieve confidentiality
`occurs in baseball--a coach will signal to a runner by giving a
`sequence of signals, but the real signal is the one immediately
`following a previously agreed-upon authenticator signal.
`
` A
`
` final example of using authentication to achieve confidentiality
`occurs in the Rex Stout's novel ``The Doorbell Rang.'' Two men wish to
`communicate privately, but fear that the FBI has bugged the room.
`They agree when the speaker raises a finger, his statements are to be
`disregarded. Of course, the FBI's bugs can't tell if the speaker has
`his finger raised or lowered!
`
`In summary, we have introduced a new technique for confidentiality,
`called ``chaffing and winnowing''. This technique can provide
`excellent confidentiality of message contents without involving
`encryption or steganography. As a consequence of the existence of
`chaffing and winnowing, one can argue that attempts by law enforcement
`to regulate confidentiality by regulating encryption must fail, as
`confidentiality can be obtained effectively without encryption and
`even sometimes without the desire for confidentiality by the two
`communicants. Law enforcement would have to seek access to all
`authentication keys as well, a truly frightening prospect.
`
`Mandating government access to all communications is not a viable
`alternative. The cryptography debate should proceed by mutual
`education and voluntary actions only.
`
`
`Acknowledgments
`---------------
`
`Thanks to my dad for suggesting the term ``winnowing,'' to Mark Lomas
`
`people.csail.mit.edu/rivest/chaffing-980701.txt
`
`7/8
`
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00886 (US 8,539,047)
`Exhibit 2018
`
`

`

`people.csail.mit.edu/rivest/chaffing-980701.txt
`4/14/2019
`for noting that multiplexing two streams may allow each to serve as
`chaff for the other, and to Peter Wayner for suggesting the
`relationship to deniable encryption. Thanks to Adi Shamir and David
`Gifford for suggesting the basic idea underlying the more efficient
`implementation of chaffing and winnowing; Aaron Gifford first noted
`that the number of chaff packets might be small in this case. Thanks
`also to Matt Blaze and Markus Jakobsson for comments on the original
`write-up. And finally thanks to Bruce Balden and Enzo Michelangeli for
`bringing the Rex Stout reference to my attention.
`
`
`References
`----------
`
`Canetti, Ran, Cynthia Dwork, Moni Naor, and Rafail Ostrovsky, "Deniable
`
`Encryption", Proceedings CRYPTO '97 (Springer 1997), 90--104.
`
`ftp://theory.lcs.mit.edu/pub/tcryptol/96-02r.ps
`
`Jakobsson, Markus, Kazue Sako, and Russell Impagliazzo, ``Designated
`
`Verifier Proofs and Their Applications'', Proceedings
`
`Eurocrypt '96 (Springer 1996), 143--154.
`
`http://www.bell-labs.com/user/markusj/dvp.ps
`
`Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message
`
`Authentication", RFC2104, February 1997.
`
`(Available at ftp://ds.internic.net/rfc/rfc2104.txt)
`
`Rivest, R. ``All-Or-Nothing Encryption and the Package Transform,''
`
`Proceedings of the 1997 Fast Software Encryption Conference
`
`(Springer, 1997). Also on http://theory.lcs.mit.edu/~rivest/fusion.ps.
`
`Stout, Rex. The Doorbeel Rang: A Nero Wolfe Novel. (Viking Press, 1965).
`
`Wayner, Peter. Disappearing Cryptography: Being and Nothingness on the Net.
`
`Academic Press, 1996.
`
`
`people.csail.mit.edu/rivest/chaffing-980701.txt
`
`8/8
`
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00886 (US 8,539,047)
`Exhibit 2018
`
`

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket