Intro To Encryption Exercise 1
Monoalphabetic Ciphers Examples: Caesar Cipher At Bash PigPen (Will be demonstrated) …
PigPen CIpher Replaces letters with symbols What type of cipher is this one? Does it add additional strength? What kind of an attack can be preformed on this cipher? How can we protect against the retrieval of single/double letter words? How can we protect against trivial statistical approach? How do we build a stream cipher from this cipher
Common Pairs and combinations Attack: 1. Check frequency of letters in cipher text. 2. Check against language frequency table. 3. Check groups of repeating letters 4. Decipher. Ss,ee,tt,ff,ll,mm,oo If cipher text contains spaces, try and identify short words: a, of, to, is, and, the …
Language Frequency Table (English) Frequency of occurrence in 1000 letters Frequency of occurrence in 1000 words LetterRank E T A O N R I S H D L F C M U G Y P W B V K X J Q25.773Z26
One Time Pad Shared Key cipher Un conditionally secure (why?) Theoretical (why?)
Attacks (reminder) Cipher text only Known Plain Text Chosen Plain Text
From The Lecture OTP Cons: “Also requires perfect synchronization to decrypt” Suggest Ways To Solve…
A possible solution Modify the transmission protocol Add a counter Should we encrypt it? What if the counter is known? How does it affect the message? How can we prevent counter sabotage?
Problem Suggest a way where Alice can transmit 2 messages with one OTP key. The system should protect each message. When the 2 messages are intercepted the key can be recovered.
Solution Let r be a random number (in the size of k) E k (M1)=M1 (k)||k r E’ k (M2)=M2 (k)||r When both messages are intercepted, k is revealed. Secrecy kept when only one message is intercepted.
Problem Given the following input domain: P = {0,1} 8 U {0,1} 16 U {0,1} 24 U {0,1} 32 i.e. the message can be either byte long, 2 byte long … until 4 bytes long. Design and prove security for an unconditionally secure cipher, i.e. where an attacker cannot learn anything about the plaintext, including its length, given a ciphertext. You may assume that the keys are random, and you can generate a key with any needed length, although of course try to be efficient. Your design can be based on OTP.
Solution All messages shall take 4 bytes + redundancy Add 2 more redundant bits to designate the number of bytes occupied For each byte not containing a valid data, randomly choose bits. Should we encrypt the random bits?
Problem An idea offered by Professor I.M. Shorter, (from LongTerm University) is given to suggest a shorter key-length implementation for encryption/decryptions in a similar way to the 'classic' OTP. Assuming we have an even-length message, we need a key at only half of the plaintext length.
Cont’ Given a plaintext: m[1,...,2l], there's the need of a random key, k[1,....,l], provided that instead of using the 'classical' encryption form, e(m ^ k), we use to the following encryption function: e'(m[1,...,2l], k[1,....,l] ) = m[1] k[1] || m[2] m[1] k[1] || || m[3] k[2] || m[4] m[3] k[2] ||.... || m[2l-3] k[l-1]|| m[2l-2] m[2l-3] k[l-1] || || m[2l-1] k[l] || m[2l] m[2l-1] k[l] = c[1,...,2l]
Cont’ Build a decryption function d', that given a ciphertext and a key, returns the initial plaintext message (m). What do you think about the Professor's suggestion? Is this cryptosystem (provided that we have a random KG) unconditionally secure ? Please explain (support your answer with definition studied in class if needed, or with a solid example of input/ output etc... that support your argument).
Solution Lets assume a message m1: and a key K:1101 C=E k (M)= We need a decryption function such that D k (C)=M. C = The Function: c[1] k[1] || c[2] c[1] … c[2l-1] k[l] || c[2l-1] c[2l] Any Problems???
Solution Cont’ No key is needed to decipher Half of the original message.
Problen Professor I.M. Shorter has decided to make his solution better (after the decrease in stock values). The following encryption scheme shall be used: e'(m[1,...,2l], k[1,....,l] ) = m[1] k[1] || m[2] k[1] || || m[3] k[2] || m[4] k[2] ||.... || m[2l-3] k[l-1]|| m[2l-2] k[l-1] || || m[2l-1] k[l] || m[2l] k[l] = c[1,...,2l]
Problem (additional) In order to ease the key transmission problem of One-Time Pad, Dr. Trick suggests to use 2 random keys: k1and k2, for 3 messages: m1, m2, m3, in the following form c1 = m1 k1 c2 = m2 k2 c3 = m3 (k1 k2) Assume that m1, m2, m3, k1, k2 are of the same length (l-bits long).
Cont’ Are the solutions to both problems unconditionally secure? If not what kind of attacks should we try?
Solution They are not unconditionally secure Why? In case of a biased text we can uncover key bits and use on M3, M2 or M1 (depends on the biased bits). Known plaintext attack may uncover information about the key What additional strength does chosen plaintext attack provide here? What is a very obvious statistical attack? In case of a biased plain text, some key bits may be discovered. The cipher bit distribution may no be uniform. Thus: it is NOT unconditionally secured.
Problem The hardware company TernaryHW has built a computer that does not work with base 2 bits (that store the values 0,1), but is ternary (base-3) based, where each bit may hold the values 0,1 or 2. The bit-wise XOR operator works with no changes (x y=1 ↔x≠ y, x y=0 ↔x= y). The OTP encryption works the same here, and it is referred to as OTP3 (when works on the ternary bits), where: e(m,k) = m^k, as usual.
Problem Dr. Seller argues that their system (their computer with OTP3) is more secure than the binary based OTP since it is harder to decrypt a ciphertext, c, even if the key, k, is exposed. As he explains: In OTP, since c= m k, given c and k, it is easy to computer m, since: c k = m. In OTP3, c= m k, but c k != m, therefore it is harder to reveal m when the key, k, is exposed. Is Dr. Seller right ? Is OTP3 safer than OTP ? Is it unconditionally secure?
Solution OTP3 isn’t an encryption system at all Assuming only 0 and 1 bits are used, then the OTP3 is unconditionally secure i.e. OTP3=OTP. Using bits other than 1 and 0 suggests it is not unconditionally secure since another algorithm is in use. Can we even get the plaintext message back? Suggest a better approach where this hardware can be used.
Solution 2 E(m,k)= m[i] + k[i] mod 3 = c[i] D(m,k)= c[i] – k[i] mod 3=m[i] Is this design unconditionally secure?