Intro To Encryption Exercise 1
Monoalphabetic Ciphers
• Examples:
  • Caesar Cipher
  • Atbash
  • PigPen (Will be demonstrated)
  • …
PigPen Cipher
• Replaces letters with symbols
• What type of cipher is this one?
• Does it add additional strength?
• What kind of an attack can be performed on this cipher?
• How can we protect against the retrieval of single/double letter words?
• How can we protect against a trivial statistical approach?
• How do we build a stream cipher from this cipher?
Common Pairs and combinations
• Attack:
• Check frequency of letters in cipher text.
• Check against language frequency table.
• Check groups of repeating letters
• Decipher.
• ss, ee, tt, ff, ll, mm, oo
• If cipher text contains spaces, try and identify short words: a, of, to, is, and, the …
One Time Pad
• Shared Key cipher
• Unconditionally secure (why?)
• Theoretical (why?)
Attacks (reminder)
• Cipher text only
• Known Plain Text
• Chosen Plain Text
From The Lecture
• OTP Cons: “Also requires perfect synchronization to decrypt”
• Suggest Ways To Solve…
A possible solution
• Modify the transmission protocol
• Add a counter
• Should we encrypt it?
• What if the counter is known? How does it affect the message?
• How can we prevent counter sabotage?
Problem
• Suggest a way where Alice can transmit 2 messages with one OTP key.
• The system should protect each message.
• When the 2 messages are intercepted the key can be recovered.
Solution
• Let r be a random number (in the size of k)
• Ek(M1) = M1 ⊕ k || k ⊕ r
• E’k(M2) = M2 ⊕ k || r
• When both messages are intercepted, k is revealed.
• Secrecy kept when only one message is intercepted.
Problem
• Given the following input domain:
• P = {0,1}^8 ∪ {0,1}^16 ∪ {0,1}^24 ∪ {0,1}^32, i.e. the message can be a byte long, 2 bytes long … up to 4 bytes long.
• Design and prove security for an unconditionally secure cipher, i.e. where an attacker cannot learn anything about the plaintext, including its length, given a ciphertext.
• You may assume that the keys are random, and you can generate a key with any needed length, although of course try to be efficient. Your design can be based on OTP.
Solution
• All messages shall take 4 bytes + redundancy
• Add 2 more redundant bits to designate the number of bytes occupied
• For each byte not containing valid data, randomly choose bits.
• Should we encrypt the random bits?
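The fixed-size block from this solution, as an added Python sketch (not part of the original slides). It assumes the 2 length bits sit above the 32 data bits and that the whole 34-bit block, random filler included, is XORed with a fresh 34-bit key; the function names and sample messages are constructed for illustration.

```python
import secrets

BLOCK_BITS = 34               # 2 length bits + 32 data bits, as on the slide
DATA_MASK = (1 << 32) - 1


def new_key() -> int:
    """Fresh uniformly random 34-bit pad; use it for one message only."""
    return secrets.randbits(BLOCK_BITS)


def encrypt(msg: bytes, key: int) -> int:
    if not 1 <= len(msg) <= 4:
        raise ValueError("message must be 1 to 4 bytes long")
    if not 0 <= key < (1 << BLOCK_BITS):
        raise ValueError("key must be a 34-bit value")
    filler = secrets.token_bytes(4 - len(msg))    # random bits for unused bytes
    data = int.from_bytes(msg + filler, "big")
    block = ((len(msg) - 1) << 32) | data         # length field 0..3 means 1..4 bytes
    return block ^ key                            # pad covers length, data and filler


def decrypt(ct: int, key: int) -> bytes:
    block = ct ^ key
    length = (block >> 32) + 1
    return (block & DATA_MASK).to_bytes(4, "big")[:length]


def roundtrip_all_lengths():
    """Returns (every sample decrypts correctly, every ciphertext fits 34 bits)."""
    samples = [b"A", b"AB", b"ABC", b"ABCD"]      # constructed sample messages
    ok, same_size = True, True
    for msg in samples:
        key = new_key()
        ct = encrypt(msg, key)
        ok = ok and decrypt(ct, key) == msg
        same_size = same_size and 0 <= ct < (1 << BLOCK_BITS)
    return ok, same_size
```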
Problem
• An idea offered by Professor I.M. Shorter (from LongTerm University) suggests a shorter key-length implementation for encryption/decryption in a similar way to the 'classic' OTP. Assuming we have an even-length message, we need a key of only half the plaintext length.
Cont’
• Given a plaintext m[1,...,2l], we need a random key k[1,...,l], provided that instead of using the 'classical' encryption form, e(m ^ k), we use the following encryption function:
e'(m[1,...,2l], k[1,...,l]) =
m[1] ⊕ k[1] || m[2] ⊕ m[1] ⊕ k[1] ||
m[3] ⊕ k[2] || m[4] ⊕ m[3] ⊕ k[2] ||
....
m[2l-3] ⊕ k[l-1] || m[2l-2] ⊕ m[2l-3] ⊕ k[l-1] ||
m[2l-1] ⊕ k[l] || m[2l] ⊕ m[2l-1] ⊕ k[l]
= c[1,...,2l]
Cont’
• Build a decryption function d' that, given a ciphertext and a key, returns the initial plaintext message (m).
• What do you think about the Professor's suggestion? Is this cryptosystem (provided that we have a random KG) unconditionally secure? Please explain (support your answer with definitions studied in class if needed, or with a solid example of input/output etc. that supports your argument).
Solution
• Let's assume a message m1: 10010110 and a key K: 1101
• C = Ek(M) = 00100100
• We need a decryption function such that Dk(C) = M.
• C = 00 10 01 00
• The Function:
• c[1] ⊕ k[1] || c[2] ⊕ c[1]
• …
• c[2l-1] ⊕ k[l] || c[2l-1] ⊕ c[2l]
• Any Problems???
Solution Cont’
• No key is needed to decipher half of the original message.
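The slide's worked values run through e' and d', as an added Python example (not part of the original slides). Function names are illustrative and indices are 0-based, so the slide's pair (m[2i-1], m[2i]) is (m[2j], m[2j+1]) here.

```python
def bits(s):
    """'1001' -> [1, 0, 0, 1]"""
    return [int(ch) for ch in s]


def text(b):
    return "".join(str(x) for x in b)


def encrypt(m, k):
    """e': key bit k[j] covers the plaintext pair (m[2j], m[2j+1])."""
    if len(m) != 2 * len(k):
        raise ValueError("message must be exactly twice the key length")
    c = []
    for j, kj in enumerate(k):
        first = m[2 * j] ^ kj
        c += [first, m[2 * j + 1] ^ first]    # second bit chains on the first
    return c


def decrypt(c, k):
    """d': m[2j] = c[2j] ^ k[j] and m[2j+1] = c[2j+1] ^ c[2j]."""
    if len(c) != 2 * len(k):
        raise ValueError("ciphertext must be exactly twice the key length")
    m = []
    for j, kj in enumerate(k):
        m += [c[2 * j] ^ kj, c[2 * j + 1] ^ c[2 * j]]
    return m


def keyless_half(c):
    """What the ciphertext alone gives away: the second plaintext bit of
    every pair. None marks the bits that still need the key."""
    out = []
    for j in range(len(c) // 2):
        out += [None, c[2 * j] ^ c[2 * j + 1]]
    return out


def worked_example():
    m, k = bits("10010110"), bits("1101")     # values from the slide
    c = encrypt(m, k)
    return text(c), text(decrypt(c, k)), keyless_half(c)
```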
Problem
• Professor I.M. Shorter has decided to make his solution better (after the decrease in stock values).
• The following encryption scheme shall be used:
e'(m[1,...,2l], k[1,...,l]) =
m[1] ⊕ k[1] || m[2] ⊕ k[1] ||
m[3] ⊕ k[2] || m[4] ⊕ k[2] ||
....
m[2l-3] ⊕ k[l-1] || m[2l-2] ⊕ k[l-1] ||
m[2l-1] ⊕ k[l] || m[2l] ⊕ k[l]
= c[1,...,2l]
Problem (additional)
• In order to ease the key transmission problem of One-Time Pad, Dr. Trick suggests using 2 random keys, k1 and k2, for 3 messages, m1, m2, m3, in the following form:
• c1 = m1 ⊕ k1
• c2 = m2 ⊕ k2
• c3 = m3 ⊕ (k1 ⊕ k2)
• Assume that m1, m2, m3, k1, k2 are of the same length (l bits long).
Cont’
• Are the solutions to both problems unconditionally secure?
• If not what kind of attacks should we try?
Solution
• They are not unconditionally secure
• Why?
• In case of a biased text we can uncover key bits and use them on M3, M2 or M1 (depends on the biased bits).
• Known plaintext attack may uncover information about the key
• What additional strength does chosen plaintext attack provide here?
• What is a very obvious statistical attack?
• In case of a biased plain text, some key bits may be discovered. The cipher bit distribution may not be uniform. Thus: it is NOT unconditionally secure.
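Why key reuse breaks both designs, as an added Python example (not part of the original slides): the key cancels out of simple XOR combinations of the ciphertext. Function names are illustrative and the inputs are random bits generated inside `demo`.

```python
import secrets


def xor(a, b):
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return [x ^ y for x, y in zip(a, b)]


def rand_bits(n):
    return [secrets.randbits(1) for _ in range(n)]


def shorter2_encrypt(m, k):
    """Improved scheme: key bit k[j] masks both m[2j] and m[2j+1]."""
    if len(m) != 2 * len(k):
        raise ValueError("message must be exactly twice the key length")
    return [m[i] ^ k[i // 2] for i in range(len(m))]


def pair_parities(b):
    """XOR of the two bits in each consecutive pair."""
    return [b[i] ^ b[i + 1] for i in range(0, len(b), 2)]


def trick_encrypt(m1, m2, m3, k1, k2):
    return xor(m1, k1), xor(m2, k2), xor(m3, xor(k1, k2))


def trick_known_plaintext(c1, c2, c3, m1, m2):
    """Knowing m1 and m2 yields k1 and k2, and with them m3."""
    k1, k2 = xor(c1, m1), xor(c2, m2)
    return xor(c3, xor(k1, k2))


def demo(l=16):
    # Shorter's improved scheme: c[2j] ^ c[2j+1] == m[2j] ^ m[2j+1],
    # so every pair's parity is visible without the key.
    m, k = rand_bits(2 * l), rand_bits(l)
    parity_leak = pair_parities(shorter2_encrypt(m, k)) == pair_parities(m)

    # Dr. Trick: c1 ^ c2 ^ c3 == m1 ^ m2 ^ m3, again with no key involved.
    m1, m2, m3, k1, k2 = (rand_bits(l) for _ in range(5))
    c1, c2, c3 = trick_encrypt(m1, m2, m3, k1, k2)
    xor_leak = xor(xor(c1, c2), c3) == xor(xor(m1, m2), m3)

    recovered = trick_known_plaintext(c1, c2, c3, m1, m2) == m3
    return parity_leak, xor_leak, recovered
```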
Problem
• The hardware company TernaryHW has built a computer that does not work with base 2 bits (that store the values 0,1), but is ternary (base-3) based, where each bit may hold the values 0, 1 or 2.
• The bit-wise XOR operator works with no changes (x ⊕ y = 1 ↔ x ≠ y, x ⊕ y = 0 ↔ x = y). The OTP encryption works the same here, and it is referred to as OTP3 (when it works on the ternary bits), where: e(m,k) = m^k, as usual.
Problem
• Dr. Seller argues that their system (their computer with OTP3) is more secure than the binary based OTP since it is harder to decrypt a ciphertext, c, even if the key, k, is exposed. As he explains: In OTP, since c = m ⊕ k, given c and k, it is easy to compute m, since: c ⊕ k = m. In OTP3, c = m ⊕ k, but c ⊕ k != m, therefore it is harder to reveal m when the key, k, is exposed.
• Is Dr. Seller right? Is OTP3 safer than OTP?
• Is it unconditionally secure?
Solution
• OTP3 isn’t an encryption system at all
• Assuming only 0 and 1 bits are used, then the OTP3 is unconditionally secure i.e. OTP3=OTP.
• Using bits other than 1 and 0 suggests it is not unconditionally secure since another algorithm is in use. Can we even get the plaintext message back?
• Suggest a better approach where this hardware can be used.
Solution 2
• E(m,k) = (m[i] + k[i]) mod 3 = c[i]
• D(m,k) = (c[i] – k[i]) mod 3 = m[i]
• Is this design unconditionally secure?
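Both ternary rules enumerated over all digit values, as an added Python example (not part of the original slides). It lists where the slide's ternary XOR maps two plaintext digits to the same ciphertext under one key, and checks that addition mod 3 maps each plaintext digit to every ciphertext digit under exactly one key. Function names are illustrative; the key digit is assumed uniformly random.

```python
TRITS = (0, 1, 2)


def otp3(m, k):
    """Slide's ternary XOR: 1 when the digits differ, 0 when they are equal."""
    return 1 if m != k else 0


def add3(m, k):
    return (m + k) % 3


def sub3(c, k):
    return (c - k) % 3


def collisions(enc):
    """(key, ciphertext, plaintexts) for every case where one key sends
    several plaintext digits to the same ciphertext digit."""
    out = []
    for k in TRITS:
        by_c = {}
        for m in TRITS:
            by_c.setdefault(enc(m, k), []).append(m)
        out += [(k, c, ms) for c, ms in sorted(by_c.items()) if len(ms) > 1]
    return out


def latin_square(enc):
    """True when each plaintext digit reaches every ciphertext digit under
    exactly one key, so a uniform key gives a uniform ciphertext digit
    whatever the plaintext digit is."""
    return all(sorted(enc(m, k) for k in TRITS) == list(TRITS) for m in TRITS)


def add3_roundtrips():
    return all(sub3(add3(m, k), k) == m for m in TRITS for k in TRITS)
```

`collisions(otp3)` is non-empty for every key digit, which is why the receiver cannot always recover m even when holding k; `collisions(add3)` is empty.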