Quote from: nomodeset on July 21, 2012, 06:37 pmQuote from: LouisCyphre on July 21, 2012, 05:26 pmIf you are concerned that law enforcement might try to use an argument along these lines to "prove" that an encrypted file contains your address, then get a cryptanalyst as your expert witness.Not that using it as an evidence in the court. Rather to gather some intelligence. Ok, let me be DEA for a minute ;) Say, I intercepted the letter with drugs coming to eJ3k1. Now I found out that namely pine was selling a kilo of coke on Silk Road and nobody else. I read the address on the letterMr Privacy42th Cypher roadEncryptopolis, GPG 13371and encrypt it using pine's public key:gpg -a --output encryptedbyDEA --encrypt --recipient nosuchemail@nowhere.nada address && wc -m encryptedbyDEAIt gives me 803 characters in the file. Now I wc -m the encryptedbyeJ3k1 message, intercepted earlier:...and see that it is 807 characters length. Remembering what you told me:"Adding one character of whitespace added 4 bytes to the ciphertext"I could assume that it was a whitespace in the end or beginning of the address. Now I found out that, likely, eJ3k1 bought a kilo of coke on SR from pine, what helps me narrow in on evidence later.Ah, but you cannot guarantee that the address wasn't for:Ms Private6969 Crypto roadEncryptopolis, PGP 31337Unless the encrypted address that you intercepted earlier was also encrypted with the buyer's key (which is easily hidden[1]) or signed with the buyer's key (which would be stupid to do with an address), you've got something that is extremely circumstantial and you can't prove diddly squat.If you've already intercepted a shipment then you've got the buyer and there's no point wasting effort on something which really won't stand up in court. If you've compromised the vendor's account in order to intercept the messages or compromised their computer then you've got them dead to rights and you don't need to do any of this because you either already have or can get the decrypted data, as well as seeing the account of the buyer (if the order is active when LE have their interception in place).Plus, you can't assume that an extra character is whitespace, adding a character to my alternate address with a different suburb above could make it:Mrs X Bondage666 Hades St.Encryptopolis, PGP 31337There you go, same city and suburb as my first example, still different from your example, but a different person and address. Once again, assumptions based on the size of ciphertext are unlikely to be valid. Especially if the message has been encrypted with one or more hidden keys since you won't know for sure which keys they are unless you have the right keys available to decrypt with.1) http://dkn255hz262ypmii.onion/index.php?topic=29235.0