Intro To Encryption: Exercise 1
Monoalphabetic Ciphers
Examples: Caesar Cipher, Atbash, PigPen (will be demonstrated) …
PigPen Cipher
Replaces letters with symbols.
What type of cipher is this one?
Does it add additional strength?
What kind of an attack can be performed on this cipher?
How can we protect against the retrieval of single/double letter words?
How can we protect against trivial statistical approach?
How do we build a stream cipher from this cipher?
Common Pairs and combinations Attack:
1. Check frequency of letters in cipher text.
2. Check against language frequency table.
3. Check groups of repeating letters
4. Decipher.
Common pairs: ss, ee, tt, ff, ll, mm, oo
If cipher text contains spaces, try and identify short words: a, of, to, is, and, the …
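Language Frequency Table (English)

| Rank | Letter | Frequency of occurrence in 1000 words | Frequency of occurrence in 1000 letters |
|------|--------|---------------------------------------|-----------------------------------------|
| 1 | E | 591 | 131.05 |
| 2 | T | 473 | 104.68 |
| 3 | A | 368 | 81.51 |
| 4 | O | 360 | 79.95 |
| 5 | N | 320 | 70.98 |
| 6 | R | 308 | 68.32 |
| 7 | I | 286 | 63.45 |
| 8 | S | 275 | 61.01 |
| 9 | H | 237 | 52.59 |
| 10 | D | 171 | 37.88 |
| 11 | L | 153 | 33.89 |
| 12 | F | 132 | 29.24 |
| 13 | C | 124 | 27.58 |
| 14 | M | 114 | 25.36 |
| 15 | U | 111 | 24.59 |
| 16 | G | 90 | 19.94 |
| 17 | Y | 89 | 19.82 |
| 18 | P | 89 | 19.82 |
| 19 | W | 68 | 15.39 |
| 20 | B | 65 | 14.40 |
| 21 | V | 41 | 9.19 |
| 22 | K | 19 | 4.20 |
| 23 | X | 7 | 1.66 |
| 24 | J | 6 | 1.32 |
| 25 | Q | 5 | 1.21 |
| 26 | Z | 3 | 0.77 |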
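The attack steps above, applied to the Caesar cipher with the per-1000-letters column of the table, as an added example that is not part of the original slides. The sample plaintext, the shift and all function names are constructed for illustration.

```python
import string

# Per-1000-letters column of the table above, in rank order.
FREQ = dict(zip("ETAONRISHDLFCMUGYPWBVKXJQZ", [
    131.05, 104.68, 81.51, 79.95, 70.98, 68.32, 63.45, 61.01, 52.59,
    37.88, 33.89, 29.24, 27.58, 25.36, 24.59, 19.94, 19.82, 19.82,
    15.39, 14.40, 9.19, 4.20, 1.66, 1.32, 1.21, 0.77]))

def caesar(text, shift):
    """Shift every letter by `shift` positions; leave other characters alone."""
    out = []
    for ch in text.upper():
        if ch in string.ascii_uppercase:
            ch = chr((ord(ch) - 65 + shift) % 26 + 65)
        out.append(ch)
    return "".join(out)

def letter_counts(text):
    """Step 1: frequency of each letter in the cipher text."""
    return {c: text.count(c) for c in string.ascii_uppercase if c in text}

def english_score(text):
    """Step 2: how well the letters match the language table (higher is better)."""
    return sum(FREQ[c] * n for c, n in letter_counts(text).items())

def break_caesar(ciphertext):
    """Steps 2-4: try all 26 shifts and keep the most English-looking result."""
    best = max(range(26), key=lambda s: english_score(caesar(ciphertext, -s)))
    return best, caesar(ciphertext, -best)

# Constructed sample plaintext, encrypted with a shift the analyst is not told.
SAMPLE = ("DEFEND THE EAST WALL OF THE CASTLE AND SEND THE REST OF THE MEN "
          "TO THE NORTH GATE BEFORE THE SUN SETS TONIGHT")
CIPHERTEXT = caesar(SAMPLE, 7)

if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT))
    print(break_caesar(CIPHERTEXT))
```

The most frequent cipher text letter lines up with E in the table, and the short repeated word pattern survives because the spaces were kept.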
One Time Pad
Shared key cipher
Unconditionally secure (why?)
Theoretical (why?)
Attacks (reminder)
Cipher text only
Known Plain Text
Chosen Plain Text
From The Lecture
OTP Cons: “Also requires perfect synchronization to decrypt”
Suggest Ways To Solve…
A possible solution
Modify the transmission protocol
Add a counter
Should we encrypt it?
What if the counter is known?
How does it affect the message?
How can we prevent counter sabotage?
Problem
Suggest a way where Alice can transmit 2 messages with one OTP key.
The system should protect each message. When the 2 messages are intercepted the
key can be recovered.
Solution
Let r be a random number (in the size of k)
Ek(M1) = M1 ⊕ (k) || k ⊕ r
E’k(M2) = M2 ⊕ (k) || r
When both messages are intercepted, k is revealed.
Secrecy kept when only one message is intercepted.
Problem
Given the following input domain: P = {0,1}^8 ∪ {0,1}^16 ∪ {0,1}^24 ∪ {0,1}^32
i.e. the message can be 1 byte long, 2 bytes long, … up to 4 bytes long.
Design and prove security for an unconditionally secure cipher, i.e. where an attacker cannot learn anything about the plaintext, including its length, given a ciphertext.
You may assume that the keys are random, and you can generate a key with any needed length, although of course try to be efficient. Your design can be based on OTP.
Solution
All messages shall take 4 bytes + redundancy
Add 2 more redundant bits to designate the number of bytes occupied
For each byte not containing valid data, randomly choose bits.
Should we encrypt the random bits?
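A sketch of this design, as an added example that is not part of the original slides. It assumes the 2-bit field stores length minus one, that the field and the filler bytes are covered by the key along with the data (a choice made here), and that a fresh 34-bit key is used per message; all names are hypothetical.

```python
import secrets

DATA_BYTES = 4
BLOCK_BITS = 2 + 8 * DATA_BYTES      # 2-bit length field + 32 data bits = 34

def keygen():
    """One fresh, uniformly random 34-bit key per message (never reused)."""
    return secrets.randbits(BLOCK_BITS)

def encode(msg, filler=None):
    """Pack a 1..4 byte message into a 34-bit block: [len-1 : 2 bits][4 bytes]."""
    if not 1 <= len(msg) <= DATA_BYTES:
        raise ValueError("message must be 1 to 4 bytes long")
    if filler is None:                 # bytes without valid data are random
        filler = secrets.token_bytes(DATA_BYTES)
    body = int.from_bytes(msg + filler[:DATA_BYTES - len(msg)], "big")
    return ((len(msg) - 1) << 32) | body

def encrypt(msg, key):
    """OTP over the whole block, so every ciphertext is 34 bits."""
    return encode(msg) ^ key

def decrypt(ciphertext, key):
    block = ciphertext ^ key
    length = (block >> 32) + 1
    return (block & 0xFFFFFFFF).to_bytes(DATA_BYTES, "big")[:length]

def explaining_key(ciphertext, candidate):
    """A key under which `ciphertext` decrypts to `candidate`, whatever its length."""
    return ciphertext ^ encode(candidate, filler=bytes(DATA_BYTES))

if __name__ == "__main__":
    c = encrypt(b"A", keygen())
    for guess in (b"Z", b"hi", b"abc", b"wxyz"):
        print(guess, decrypt(c, explaining_key(c, guess)))
```

Because every candidate plaintext of every allowed length has a key that explains the same ciphertext, the ciphertext alone rules out neither content nor length.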
Problem
An idea offered by Professor I.M. Shorter (from LongTerm University) suggests a shorter key-length implementation for encryption/decryption in a similar way to the 'classic' OTP. Assuming we have an even-length message, we need a key of only half of the plaintext length.
Cont’
Given a plaintext m[1,...,2l], a random key k[1,...,l] is needed; instead of using the 'classical' encryption form, e(m ^ k), we use the following encryption function:
e'(m[1,...,2l], k[1,...,l]) =
m[1] ⊕ k[1] || m[2] ⊕ m[1] ⊕ k[1] ||
m[3] ⊕ k[2] || m[4] ⊕ m[3] ⊕ k[2] ||
... ||
m[2l-3] ⊕ k[l-1] || m[2l-2] ⊕ m[2l-3] ⊕ k[l-1] ||
m[2l-1] ⊕ k[l] || m[2l] ⊕ m[2l-1] ⊕ k[l]
= c[1,...,2l]
Cont’
Build a decryption function d', that given a ciphertext and a key, returns the initial plaintext message (m).
What do you think about the Professor's suggestion? Is this cryptosystem (provided that we have a random KG) unconditionally secure? Please explain (support your answer with a definition studied in class if needed, or with a solid example of input/output etc. that supports your argument).
Solution
Let's assume a message m1: 10010110 and a key K: 1101
C = Ek(M) = 00100100
We need a decryption function such that Dk(C) = M.
C = 00 10 01 00
The Function:
c[1] ⊕ k[1] || c[2] ⊕ c[1] || … || c[2l-1] ⊕ k[l] || c[2l-1] ⊕ c[2l]
Any Problems???
Solution Cont’
No key is needed to decipher half of the original message.
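The professor's scheme and its decryption function run on the slide's own message and key, as an added example that is not part of the original slides. The function names are hypothetical; bit lists are 0-indexed, so the slide's m[2i-1], m[2i] are m[2*i], m[2*i+1] here.

```python
def bits(s):
    """'1001' -> [1, 0, 0, 1]"""
    return [int(ch) for ch in s]

def show(bs):
    """[1, 0, 0, 1] -> '1001'"""
    return "".join(str(b) for b in bs)

def shorter_encrypt(m, k):
    """e': key bit k[i] covers the plaintext pair (m[2i-1], m[2i])."""
    if len(m) != 2 * len(k):
        raise ValueError("key must be exactly half the message length")
    c = []
    for i, ki in enumerate(k):
        odd, even = m[2 * i], m[2 * i + 1]
        c += [odd ^ ki, even ^ odd ^ ki]
    return c

def shorter_decrypt(c, k):
    """d': m[2i-1] = c[2i-1] XOR k[i], m[2i] = c[2i] XOR c[2i-1]."""
    m = []
    for i, ki in enumerate(k):
        m += [c[2 * i] ^ ki, c[2 * i + 1] ^ c[2 * i]]
    return m

def recover_without_key(c):
    """Plaintext bits m[2], m[4], ... computed from the ciphertext alone."""
    return [c[i] ^ c[i + 1] for i in range(0, len(c), 2)]

M, K = bits("10010110"), bits("1101")    # message and key from the slide
C = shorter_encrypt(M, K)

if __name__ == "__main__":
    print("C           =", show(C))                        # 00100100
    print("d'(C, K)    =", show(shorter_decrypt(C, K)))     # 10010110
    print("without key =", show(recover_without_key(C)))    # 0110
```

The key cancels out of c[2i-1] XOR c[2i], which is why the second bit of every pair is readable by anyone who sees the ciphertext.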
Problem
Professor I.M. Shorter has decided to make his solution better (after the decrease in stock values).
The following encryption scheme shall be used:
e'(m[1,...,2l], k[1,...,l]) =
m[1] ⊕ k[1] || m[2] ⊕ k[1] ||
m[3] ⊕ k[2] || m[4] ⊕ k[2] ||
... ||
m[2l-3] ⊕ k[l-1] || m[2l-2] ⊕ k[l-1] ||
m[2l-1] ⊕ k[l] || m[2l] ⊕ k[l]
= c[1,...,2l]
Problem (additional)
In order to ease the key transmission problem of One-Time Pad, Dr. Trick suggests using 2 random keys, k1 and k2, for 3 messages, m1, m2, m3, in the following form:
c1 = m1 ⊕ k1
c2 = m2 ⊕ k2
c3 = m3 ⊕ (k1 ⊕ k2)
Assume that m1, m2, m3, k1, k2 are of the same length (l-bits long).
Cont’
Are the solutions to both problems unconditionally secure?
If not what kind of attacks should we try?
Solution
They are not unconditionally secure. Why?
In case of a biased text we can uncover key bits and use them on M3, M2 or M1 (depending on the biased bits).
Known plaintext attack may uncover information about the key.
What additional strength does chosen plaintext attack provide here?
What is a very obvious statistical attack?
In case of a biased plain text, some key bits may be discovered.
The cipher bit distribution may not be uniform. Thus: it is NOT unconditionally secure.
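Both schemes can be checked by enumerating every key for a fixed plaintext and listing the ciphertexts that can occur, as an added example that is not part of the original slides. The function names and the small sample values are constructed for illustration; the key-independent XOR relations it prints follow from the two encryption formulas.

```python
from itertools import product

def shorter2_encrypt(m, k):
    """Revised scheme: key bit k[i] is XORed into both m[2i-1] and m[2i]."""
    return tuple(m[j] ^ k[j // 2] for j in range(len(m)))

def trick_encrypt(m1, m2, m3, k1, k2):
    """Dr. Trick: c1 = m1^k1, c2 = m2^k2, c3 = m3^(k1^k2), on l-bit integers."""
    return (m1 ^ k1, m2 ^ k2, m3 ^ k1 ^ k2)

def reachable_shorter2(m):
    """Every ciphertext that some key can produce for plaintext m."""
    return {shorter2_encrypt(m, k) for k in product((0, 1), repeat=len(m) // 2)}

def reachable_trick(m1, m2, m3, l):
    """Every ciphertext triple that some key pair can produce for (m1, m2, m3)."""
    keys = range(2 ** l)
    return {trick_encrypt(m1, m2, m3, k1, k2) for k1 in keys for k2 in keys}

def pair_parities(c):
    """c[2i-1] XOR c[2i]; in the revised scheme this equals m[2i-1] XOR m[2i]."""
    return tuple(c[j] ^ c[j + 1] for j in range(0, len(c), 2))

def triple_xor(c1, c2, c3):
    """c1^c2^c3; in Dr. Trick's scheme this equals m1^m2^m3."""
    return c1 ^ c2 ^ c3

if __name__ == "__main__":
    # Under perfect secrecy these sets would be identical for every plaintext.
    print(reachable_shorter2((0, 0)), reachable_shorter2((0, 1)))
    print(reachable_trick(0, 0, 0, 1), reachable_trick(1, 0, 0, 1))
    print({pair_parities(c) for c in reachable_shorter2((1, 0, 1, 1))})
    print({triple_xor(*c) for c in reachable_trick(5, 3, 6, 3)})
```

In both cases the sets of possible ciphertexts for different plaintexts do not overlap, so seeing a ciphertext excludes plaintexts without any knowledge of the key.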
Problem
The hardware company TernaryHW has built a computer that does not work with base 2 bits (that store the values 0,1), but is ternary (base-3) based, where each bit may hold the values 0,1 or 2.
The bit-wise XOR operator works with no changes (x ⊕ y = 1 ↔ x ≠ y, x ⊕ y = 0 ↔ x = y).
The OTP encryption works the same here, and it is referred to as OTP3 (when it works on the ternary bits), where: e(m,k) = m^k, as usual.
Problem
Dr. Seller argues that their system (their computer with OTP3) is more secure than the binary based OTP since it is harder to decrypt a ciphertext, c, even if the key, k, is exposed. As he explains:
In OTP, since c = m ⊕ k, given c and k, it is easy to compute m, since: c ⊕ k = m.
In OTP3, c = m ⊕ k, but c ⊕ k != m, therefore it is harder to reveal m when the key, k, is exposed.
Is Dr. Seller right? Is OTP3 safer than OTP? Is it unconditionally secure?
Solution
OTP3 isn’t an encryption system at all.
Assuming only 0 and 1 bits are used, then the OTP3 is unconditionally secure, i.e. OTP3 = OTP.
Using bits other than 1 and 0 suggests it is not unconditionally secure since another algorithm is in use.
Can we even get the plaintext message back?
Suggest a better approach where this hardware can be used.
Solution 2
E(m,k) = m[i] + k[i] mod 3 = c[i]
D(m,k) = c[i] – k[i] mod 3 = m[i]
Is this design unconditionally secure?
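An exhaustive check over a single ternary digit comparing TernaryHW's XOR with the mod-3 design, as an added example that is not part of the original slides. The function names are hypothetical, and the key digit is assumed to be uniformly random over 0, 1, 2.

```python
TRITS = (0, 1, 2)

def xor3(x, y):
    """TernaryHW's XOR as the problem defines it: 1 if x != y, else 0."""
    return 0 if x == y else 1

def add3(m, k):
    """Solution 2 encryption: c = m + k mod 3."""
    return (m + k) % 3

def sub3(c, k):
    """Solution 2 decryption: m = c - k mod 3."""
    return (c - k) % 3

def candidates(enc, c, k):
    """All plaintext digits m with enc(m, k) == c: what a key holder can deduce."""
    return [m for m in TRITS if enc(m, k) == c]

def keys_mapping(enc, m, c):
    """Number of keys k that send plaintext m to ciphertext c."""
    return sum(1 for k in TRITS if enc(m, k) == c)

def uniquely_decryptable(enc):
    """True if every (c, k) that enc can produce has exactly one plaintext."""
    return all(len(candidates(enc, enc(m, k), k)) == 1
               for m in TRITS for k in TRITS)

def one_key_per_pair(enc):
    """OTP condition: every (m, c) pair is explained by exactly one key."""
    return all(keys_mapping(enc, m, c) == 1 for m in TRITS for c in TRITS)

if __name__ == "__main__":
    print(candidates(xor3, 1, 0))        # [1, 2]: the receiver cannot decide
    print(uniquely_decryptable(xor3))    # False
    print(uniquely_decryptable(add3))    # True
    print(one_key_per_pair(add3))        # True
```

With exactly one key per (m, c) pair and a uniform key, every ciphertext digit is equally likely for every plaintext digit, which is the same argument that makes the binary OTP unconditionally secure.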