Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From - PowerPoint PPT Presentation

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s ∗ Many important and storied examples. See: http://users.telenet.be/d.rijmenants/ Jim Royer We’ll talk about just one in detail: the one-time pad . Introduction to Cryptography (View the remaining cyptosystems as possible paper topics.) But, we need to mention the system that everyone knows about: September 6, 2018 ∗ The DES block cipher was announced in 1975, the RSA cryptosystem was first published in 1977, and modern cryptography began to take shape. Crypto Late Classical Cryptosystems Crypto Late Classical Cryptosystems Enigma In WWII, used by the Germans, broken by the British. An example of a rotor machine key = plug board settings + init rotor positions number of keys = (init rotor settings) × (rotor orderings) × (init p-board settings) 26 3 × 6 × 100391791500 > 10 15 Weaknesses keys lasted an entire day weather reports started with a standard openning The 1st letter of a message ≈ a subst. cipher Hence, an easy freq. analysis Part of the National Cryptological Musuem’s Enigma Collection Crypto Late Classical Cryptosystems

The One-Time Pad (or the Vernam Cipher, circa 1917) One-Time Pad, Properties Observe Exclusive-Or Provided that keys are uniformly randomly chosen for each message , cracking a ⊕ 0 1 one-time pad is impossible! ( a ⊕ b ) ⊕ b = a ⊕ ( b ⊕ b ) 0 0 1 = a ⊕ 0 That is: 1 1 0 = a . given a particular ciphertext c of length n , given a particular plaintext p of length n , Prob[ c came from p ] = 2 − n . (We’ll prove this shortly.) Example One-time pad The price for this: 00101001 (plaintext) Given a plaintex � p and key � r The keys are very big. ⊕ 10101100 (key) bit-strings with len( � r ) = len( � p ) The keys can be used only once! 10000101 (ciphertext) p ⊕ � k ( � p ) = � encrypt k . � ⊕ 10101100 (key) To analyze this we need a bit more probability theory. c ⊕ � decrypt k ( � c ) = � k . 00101001 (plaintext) � Crypto Late Classical Cryptosystems Crypto Late Classical Cryptosystems Probability, 1 Probability, 2 For the moment, fix a probability distribution, p , on S . Terminology S , a sample space = the possible outcomes an experiment. Terminology X : S → R , a random variable. In the following, 0 < �S� < ∞ . (Recall: � S � = # of elms. of S .) Maps an outcome (an element of S ) to a result (an element of R ). A probability distribution is a p : S → [ 0, 1 ] (an assignment of a probability to each Example 2. element of S ) so that ∑ x ∈S p ( x ) = 1. Roll two 6-sided dice and take the sum of the rolls. Example 1. S = { ( m , n ) : m , n ∈ { 1, . . . , 6 } } X ( m , n ) = m + n . p 1 A uniform distribution on S is x �→ �S� . Example 3 (Assuming a uniform distr.). E.g., p ( heads ) = p ( tails ) = 1 Terminology. The probability that X takes 2 . on value x : Loaded die (a non uniform distr.): p ( 1 ) = p ( 2 ) = 0.1 p X = p X ( x ) = p ( X = x ) p ( 3 ) = p ( 4 ) = p ( 5 ) = p ( 6 ) = 0.2 = Prob [ s ∈ S| X ( s ) = x ] (For the engineering details, see: http: Image from http://en.wikipedia.org/wiki/Dice . //www.straightdope.com/columns/read/2878/how-do-you-load-a-pair-of-dice . ) Crypto Late Classical Cryptosystems Crypto Late Classical Cryptosystems

Probability, 3 Probability, 4 Terminology: The probability that X = x given that Y = y p ( X = x | Y = y ) = p ( X = x , Y = y ) , (assuming p ( Y = y ) � = 0 ) . p ( Y = y ) Terminology p ( X = x , Y = y ) (abbreviated p S ( x , y ) ) Example 5. = the probability that ( X takes on value x ) & ( Y takes on value y ). p ( coin=heads | die=4) = 1 2 . Example 4. p ( die is prime | die is odd) = 2 3 . p ( Die = 4, coin = heads ) = 1 12 . p ( X = x , Y = y ) = p ( X = x | Y = y ) · p ( Y = y ) Fact: = p ( Y = y | X = x ) · p ( X = x ) . p ( Die = an odd number, Die = a prime ) = 1 3 . 1, 2, 3, 4, 5, 6 Bayes Theorem If p ( Y = y ) > 0, then p ( X = x | Y = y ) = p ( X = x ) · p ( Y = y | X = x ) . p ( Y = y ) Abbreviation: p X ( x | y ) = p ( X = x | Y = y ) . Crypto Late Classical Cryptosystems Crypto Late Classical Cryptosystems Probabilities for a Simple-Minded Cipher, I Probabilities for a Simple-Minded Cipher, II e · ( · ) m p P ( m ) p K ( k ) a b c d k The Cipher k 1 W X V U a 0.25 k 1 0.25 Encryption function b 0.3 k 2 W U X V k 2 0.5 P = { a , b , c , d } . Plaintexts e · ( · ) a b c d c 0.15 k 3 X W U V k 3 0.25 d 0.3 Ciphertexts C = { U , V , W , X } . k 1 W X V U k 2 W U X V Keys K = { k 1 , k 2 , k 3 } . Computed Probabilities k 3 X W U V p C ( c ) = prob. the ciphertext is c . Basic Probabilities p C ( U ) = p K ( k 1 ) · p P ( d ) + p K ( k 2 ) · p P ( b ) + p K ( k 3 ) · p P ( c ) = 0.2625. p P ( m ) = prob. the plaintext is m . p K ( k ) = prob. the key is k . Similarly, ... m a b c d k k 1 k 2 k 3 P C ( V ) = 0.2625. p P ( m ) 0.25 0.3 0.15 0.3 p K ( k ) 0.25 0.5 0.25 P C ( W ) = 0.2625. P C ( X ) = 0.2125. We assume that plaintexts and keys are picked independently. Crypto Late Classical Cryptosystems Crypto Late Classical Cryptosystems

Probabilities for a Simple-Minded Cipher, III Probabilities for a Simple-Minded Cipher, IV m p P ( m ) c p C ( c ) p ( C = ·| P = · ) a b c d e · ( · ) a b c d m p P ( m ) k p K ( k ) c p C ( c ) a 0.25 U 0.2625 U 0 0.5 0.25 0.25 a U k 1 W X V U 0.25 k 1 0.25 0.2625 b 0.3 V 0.2625 V 0 0 0.25 0.75 b 0.3 V 0.2625 k 2 W U X V k 2 0.5 c 0.15 W 0.2625 W 0.75 0.25 0 0 k 3 X W U V c 0.15 k 3 0.25 W 0.2625 d 0.3 X 0.2125 X 0.25 0.25 0.5 0 d 0.3 X 0.2125 Computed Probabilities (The one we really care about) Computed Probabilities p ( P = m | C = c ) = prob. the plaintext is m given that the ciphertext is c p ( C = c | P = m ) = prob. the ciphertext is c given that the plaintext is p = p P ( m ) · P ( C = c | P = m ) = ∑ { p K ( k ) : c = e k ( m ) } (Using Bayes Theorem) P C ( c ) p ( C = ·| P = · ) a b c d p ( P = ·| C = · ) U V W X U 0 0.5 0.25 0.25 a 0 0 0.714 0.294 V 0 0 0.25 0.75 b 0.571 0 0.286 0.352 W 0.75 0.25 0 0 c 0.143 0.143 0 0.352 X 0.25 0.25 0.5 0 d 0.286 0.857 0 0 Crypto Late Classical Cryptosystems Crypto Late Classical Cryptosystems Checking Details Checking Details Late Classical Cryptosystems 2018-09-06 1 Verify the calculation that p C ( V ) = 0.2625 Verify the calculation that p ( C = W | P = a ) = 0.75. 2 3 Verify the calculation that p ( P = d | C = V ) = 0.857 Checking Details 1. Verify the calculation that p C ( V ) = 0.2625 Verify the calculation that p C ( V ) = 0.2625 1 p C ( V ) = p K ( k 1 ) · p P ( c ) + p K ( k 2 ) · p P ( d ) + p K ( k 3 ) · p P ( d ) Verify the calculation that p ( C = W | P = a ) = 0.75. = 0.25 · 0.15 + 0.5 · 0.3 + 0.25 · 0.3 2 Verify the calculation that p ( P = d | C = V ) = 0.857 = 0.2625 3 2. Verify the calculation that p ( C = W | P = a ) = 0.75. p ( C = W | P = a ) = p K ( k 1 ) + p K ( k 2 ) = 0.25 + 0.5 = 0.75 3. Verify the calculation that p ( P = d | C = V ) = 0.857 p ( P = d | C = V ) = p P ( d ) · P ( C = V | P = d ) / p C ( V ) = 0.3 · 0.75/0.2625 ≈ 0.857 Crypto Late Classical Cryptosystems

Probabilities for a Simple-Minded Cipher, V Perfect Secrecy Definition 6. U V W X e · ( · ) a b c d A cryptosystem has perfect secrecy when, for all m and all c : a 0 0 0.714 0.294 k 1 W X V U b 0.571 0 0.286 0.352 k 2 W U X V c 0.143 0.143 0 0.352 p ( P = m | C = c ) = p ( P = m ) . k 3 X W U V d 0.286 0.857 0 0 Interpretation: Knowing what the ciphertext, c , is fails to tell you anything new about how likely The ciphertext is very informative. (Which is not what one wants.) a particular plaintext, p , is. If the cipher text is U , the plaintext can’t be a and b is more likely than c and d . Theorem 7 (Shannon). If the cipher text is V , the plaintext can’t be a or b and d is much more likely than c . Etc. Suppose S = ( P , C , K , e k ( · ) , d k ( · )) is a cryptosystem with �P� = �C� = �K� . Then, S has These are bad properties for a cipher. perfect security iff both We want the cipher text to be as uninformative as possible. 1 p K ( k ) = & i �K� �{ k : e k ( m ) = c }� = 1 . for each m and c: ii Crypto Late Classical Cryptosystems Crypto Late Classical Cryptosystems Proof of The Perfect Security Theorem ( ⇐ -direction) Random and Pseudo-Random Bits 1 Suppose: (i) p K ( k ) = �K� and (ii) �{ k : e k ( m ) = c }� = 1, ∀ m , c . For various reasons (that we’ll come back to) using long random bit strings as keys is a pain. 1 By (i): p C ( c ) = ∑ k p K ( k ) · p P ( d k ( c )) = �K� ∑ k p P ( d k ( c )) . Pseudo-random generators are randomness amplifiers By (ii): ∑ k p P ( d k ( c )) = ∑ m ( P = m ) = 1. 01001 → PRG → 10111 ...01 1 So, p C ( c ) = �K� . random bits a long string of pseudo- random bits Let k m , c be the unique k such that c = e k ( m ) . Uniqueness by (ii) Why pseudo? 1 So: p ( C = c | P = m ) = p K ( k m , c ) = �K� . Some PRGs are more pseudo than others So by Bayes Theorem Linear congruential generators p ( P = m ) · p ( C = c | P = m ) p P ( m ) · 1/ �K� Parameters: a , b , m Seed: x 0 p ( P = m | C = c ) = = = p P ( m ) . QED p C ( c ) 1/ �K� x n + 1 = def ( a · x n + b ) mod m NOT cryptographically strong!!! Crypto Late Classical Cryptosystems Crypto Late Classical Cryptosystems