
Lecture 3 - University of California, Irvine (sconce.ics.uci.edu/134-W18/slides/LEC3-4.pdf)

Jul 31, 2020


dariahiddleston

Lecture 3

Encryption

Suggested Readings:

• Chs 3 & 4 in KPS (recommended)
• Ch 3 in Stinson (optional)

Encryption Principles

• A cryptosystem has (at least) five ingredients:
  • Plaintext
  • Secret Key
  • Ciphertext
  • Encryption Algorithm
  • Decryption Algorithm
• Security usually depends on the secrecy of the key, not the secrecy of the algorithms

Crypto Basics

Average Time Required for Exhaustive Key Search (for Brute Force Attacks)

Key Size (bits)   Number of Alternative Keys   Time required at 10^6 Decr/µs
32                2^32 = 4.3 x 10^9            2.15 milliseconds
56                2^56 = 7.2 x 10^16           10 hours
128               2^128 = 3.4 x 10^38          5.4 x 10^18 years
168               2^168 = 3.7 x 10^50          5.9 x 10^30 years

Types of Attainable Security

• Perfect, unconditional or “information theoretic”: the security is evident free of any (computational/hardness) assumptions
• Reducible or “provable”: security can be shown to be based on some common (often unproven) assumptions, e.g., the conjectured difficulty of factoring large integers
• Ad hoc: the security seems good often -> “snake oil”…

Take a look at: http://www.ciphersbyritter.com/GLOSSARY.HTM

Computational Security

• Encryption scheme is computationally secure if
  • cost of breaking it (via brute force) exceeds the value of the encrypted information; or
  • time required to break it exceeds useful lifetime of the encrypted information
• Most modern schemes we will see are considered computationally secure
  • Usually rely on very large key-space, impregnable to brute force
• Most advanced schemes rely on lack of knowledge of effective algorithms for certain hard problems, not on a proven inexistence of such algorithms (reducible security)!
  • Such as: factoring, discrete logarithms, etc.

Cryptosystems

Classified along three dimensions:

• Type of operations used for transforming plaintext into ciphertext
  • Binary arithmetic: shifts, XORs, ANDs, etc.
    • Typical for conventional (or symmetric) encryption
  • Integer arithmetic
    • Typical for public key (or asymmetric) encryption
• Number of keys used
  • Symmetric or conventional (single key used)
  • Asymmetric or public key (2 keys: 1 to encrypt, 1 to decrypt)
• How plaintext is processed:
  • One bit at a time
  • A string of any length
  • A block of bits

Conventional (Symmetric) Cryptography

• Alice and Bob share a key K_AB which they somehow agree upon (how?)
• key distribution / key management problem
• ciphertext is roughly as long as plaintext
• examples: Substitution, Vernam OTP, DES, AES

[Figure: plaintext m ➔ encryption algorithm (key K_AB) ➔ ciphertext K_AB(m) ➔ decryption algorithm (key K_AB) ➔ plaintext m = K_AB(K_AB(m))]

Uses of Conventional Cryptography

• Message Transmission (confidentiality):
  • Communication over insecure channels
• Secure Storage: crypt on Unix
• Strong Authentication: proving knowledge of a secret without revealing it:
  • See next slide
  • Eve can obtain chosen <plaintext, ciphertext> pair
  • Challenge should be chosen from a large pool
• Integrity Checking: fixed-length checksum for message via secret key cryptography
  • Send MAC along with the message: MAC = H(m, K)

Challenge-Response Authentication Example

[Figure: both parties hold K_AB. Challenge r_a is answered with challenge reply K_AB(r_a); challenge r_b is answered with challenge reply K_AB(r_b).]

Conventional Cryptography

• Advantages
  • high speed (throughput)
  • relatively short key size
  • can be used to construct various cryptographic mechanisms
• Disadvantages
  • key must be secret at both ends
  • key must be distributed securely and efficiently
  • relatively short key lifetime
  • efficiency/security tradeoff?

Public Key Cryptography

• aka Asymmetric Cryptography
• Invented in 1974-1978
  • Merkle, Diffie-Hellman and Rivest-Shamir-Adleman
• Two keys: private (SK), public (PK)
  • Encryption: with public key;
  • Decryption: with private key
  • Digital Signatures: Signing by private key; Verification by public key. i.e., “encrypt” message digest/hash -- h(m) -- with private key
    • Authorship (authentication)
    • Integrity: Similar to MAC
    • Non-repudiation: cannot do with secret key cryptography
• Much slower (~1000x) than conventional cryptography
  • Often used together with conventional cryptography, e.g., to encrypt session keys

Genesis of Public Key Cryptography: Diffie-Hellman Paper

Public Key Cryptography

[Figure: plaintext message, m ➔ encryption algorithm (Bob’s public key PK_B) ➔ ciphertext PK_B(m) ➔ decryption algorithm (Bob’s private key SK_B) ➔ plaintext message m = SK_B(PK_B(m))]

Uses of Public Key Cryptography

• Data Transmission (confidentiality):
  • Alice encrypts m_a using PK_B, Bob decrypts it to obtain m_a using SK_B.
• Secure Storage: encrypt with own public key, later decrypt with own private key
• Authentication:
  • No need to store secrets, only need public keys.
  • Secret key cryptography: need to share secret key for every person one communicates with
• Digital Signatures (authentication, integrity, non-repudiation)

Public Key Cryptography

• Advantages
  • only the private key must be kept secret
  • relatively long lifetime of the key
  • more security services
  • relatively efficient digital signatures mechanisms
• Disadvantages
  • low data throughput
  • much larger key sizes
  • distribution/revocation of public keys
  • security based on conjectured hardness of certain computational problems

Comparison Summary

• Public Key
  • Encryption, signatures (esp., non-repudiation) and key management
• Conventional
  • Encryption and some data integrity applications
• Key Sizes
  • Keys in public key crypto must be larger (e.g., 2048 bits for RSA) than those in conventional crypto (e.g., 112 bits for 3-DES or 256 bits for AES)
    • most attacks on “good” conventional cryptosystems are exhaustive key search (brute force)
    • public key cryptosystems are subject to “short-cut” attacks (e.g., factoring large numbers in RSA)

“Modern” Block Ciphers

Data Encryption Standard (DES)

Generic Example of Block Encryption

Feistel Cipher Structure

• Virtually all conventional block encryption algorithms, including DES, have a structure first described by Horst Feistel of IBM in 1973
• Specific realization of a Feistel Network depends on the choice of the following parameters and features:

Feistel Cipher Structure

• Block Size: larger block sizes mean greater security
• Key Size: larger key size means greater security
• Number of Rounds: multiple rounds offer increasing security
• Subkey Generation Algorithm: greater complexity leads to greater difficulty of cryptanalysis

Classic Feistel Network

“Round Keys” are generated from original key via subkey generation algorithm

Block Ciphers

• Originated with early 1970's IBM effort to develop banking security systems
• First result was Lucifer, most common variant has 128-bit key and block size
  • Was not secure in any of its variants
• Called a Feistel or product cipher
• F()-function is a simple transformation, does not have to be reversible
• Each step is called a round; the more rounds, the greater the security (to a point)
• Most famous example of this design is DES

Conventional Encryption Standard

Data Encryption Standard (DES)

• Most widely used encryption method
  • Though AES is probably taking over by now
• Block cipher (in native ECB mode)
• Plaintext processed in 64-bit blocks
• Key is 56 bits

Data Encryption Standard (DES)

• 64 bit input block
• 64 bit output block
• 16 rounds
• 64 (effective 56) bit key
• Key schedule computed at startup
• Aimed at bulk data
• > 16 rounds does not help
• > 56 bit key does not help
• Other S-boxes usually hurt…

Basic Structure of DES

Encryption vs Decryption in DES

[Figure: DES System. Encryption Process: 64 Bit Plaintext ➔ Initial Permutation ➔ 32 Bit L0, 32 Bit R0 ➔ F(R0, K1) + ➔ 32 Bit L1, 32 Bit R1 ➔ ... ➔ 32 Bit L15, 32 Bit R15 ➔ F(R15, K16) + ➔ 32 Bit L16, 32 Bit R16 ➔ Final Permutation ➔ 64 Bit Ciphertext. Key Schedule: 64 Bit Key ➔ Permutation Choice 1 ➔ 56 Bit Key ➔ 28 Bit C0, 28 Bit D0 ➔ Left Shift, Right Shift ➔ C1, D1 ➔ Permuted Choice 2 ➔ K1 (48 bits) ➔ ... ➔ C16, D16 ➔ Permuted Choice 2 ➔ K16 (48 bits). Building Blocks.]

Function F

[Figure: L_{i-1} (32 bits) and R_{i-1} (32 bits) in; R_{i-1} ➔ Expansion (E) Permutation (48 bits); 56 bits Key ➔ Permuted Choice (48 bits); S-Box Substitution chooses 32 bits ➔ P-box Permutation; L_i (32 bits) and R_i (32 bits) out]

DES Substitution Boxes Operation

Operation Tables of DES (IP, IP^-1, E and P)

Breaking DES (Cryptanalysis)

DES Key size = 56 bits

• Brute force = 2^55 attempts on avg
• Differential cryptanalysis ➔ 2^47 chosen plaintexts
• Linear cryptanalysis ➔ 2^47 known plaintexts

• Longer than 56 bit keys do not make it any stronger
• More than 16 rounds do not make it any stronger
• DES Key Problems:
  • Weak keys (all 0s, all 1s, a few others)
  • Key size = 56 bits = 8 * 7-bit ASCII
  • Alphanumeric-only password converted to uppercase: 8 * ~5-bit chars = 40 bits

Breaking DES (Cryptanalysis)

Differential Cryptanalysis

• Looks for correlations in F()-function input and output

Linear Cryptanalysis

• Looks for correlations between key and cipher input and output

Related-key Cryptanalysis

• Looks for correlations between key changes and cipher input/output

Differential cryptanalysis discovered in 1990; virtually all block ciphers from before that time are vulnerable...

...except DES. IBM (and the NSA) knew about it 15 years earlier

Modes of Operation (not just for DES, for any block cipher)

[Figure: ENCRYPTION of plaintext blocks P1, P2, ..., Pi, Pi+1, ..., Pn-1, Pn into ciphertext blocks C1, C2, ..., Ci, Ci+1, ..., Cn-1, Cn]

http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

“Native” ECB Mode

Electronic Code-Book (ECB) Mode

• Input to encryption algorithm is current plaintext block:

    C_i = E(K, P_i)
    P_i = D(K, C_i)

• Duplicate plaintext blocks (patterns) visible in ciphertext
  • What if Alice encrypts one word per plaintext block?
• Ciphertext block rearrangement is possible
  • To detect it, need explicit block numbering in plaintext
• Parallel encryption and decryption (random access)
• Error in one ciphertext block ➔ one-block loss
• One-block loss in ciphertext?

CBC Mode

Cipher-Block Chaining (CBC) Mode

• Input to encryption algorithm is the XOR of current plaintext block and preceding ciphertext block:

    C_i = E(K, P_i XOR C_{i-1})    C_0 = IV
    P_i = D(K, C_i) XOR C_{i-1}

• Duplicate plaintext blocks (patterns) NOT exposed
• Block rearrangement is detectable
• No parallel encryption
  • How about parallel decryption?
• Error in one ciphertext block ➔ two-block loss
• One-block ciphertext loss?

OFB Mode

Output Feedback (OFB) Mode

• Key-stream is produced by repeated encryption of V_0:

    C_i = E(K, V_{i-1}) XOR P_i    V_0 = IV
    P_i = E(K, V_{i-1}) XOR C_i

• Duplicate plaintext blocks (patterns) NOT exposed
• Block rearrangement is detectable
• Key-stream is independent of plaintext
  • How does that affect speed of encryption? Parallelism?
• Bit error in one ciphertext block ➔ one-bit error in plaintext
• Can encrypt less than block size

CFB Mode

Cipher Feedback (CFB) Mode

• Key-stream is produced by re-encryption of preceding ciphertext -- C_{i-1}:

    C_i = P_i XOR E(K, C_{i-1})    C_0 = IV
    P_i = E(K, C_{i-1}) XOR C_i

• Duplicate plaintext blocks (patterns) NOT exposed
• Block rearrangement is detectable
• Key-stream is dependent on plaintext
  • How does that affect speed of encryption? Parallelism?
• Bit error in one ciphertext block ➔ one-bit + one-block loss in plaintext
  • Adversary can still selectively flip/change bits
• One-block ciphertext loss ➔ 1-extra-block loss
• Can encrypt less than block size

CTR Mode

Counter (CTR) Mode

• Key-stream is produced by encryption of an increasing counter:

    C_i = E(K, CTR) XOR P_i    CTR++
    P_i = E(K, CTR) XOR C_i

• Duplicate plaintext blocks (patterns) NOT exposed, unless?
• Block rearrangement is detectable
• Key-stream is independent of plaintext
• Parallel encryption and decryption (random access)
• Bit error in one ciphertext block ➔ one-bit error in plaintext
• Can encrypt less than block size

MAC Mode

Message Authentication Code (MAC) Mode

• Encryption is the same as in CBC mode, but, ciphertext is NOT sent!

    C_i = E(K, P_i XOR C_{i-1})    C_0 = IV

  What is sent or stored: P_1, ..., P_n, C_n = MAC

  Receiver recomputes C_n with K and compares

• Any change in plaintext results in unpredictable changes in MAC
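The mode equations from the ECB, CBC, CTR and MAC slides, as an added example (not code from the lecture). E(K, ·) is a constructed keyed stand-in built from HMAC-SHA-256 rather than a real block cipher, so only the encryption direction is exercised; the key, IV, nonce, counter layout, zero IV for the MAC and the messages are assumptions made for the example.

```python
import hashlib
import hmac

BLOCK = 8  # bytes: 64-bit blocks, as in DES

def E(key, block):
    """Stand-in for E(K, .): truncated HMAC-SHA-256. It cannot be inverted,
    so only operations that use the encryption direction appear below."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB and CBC need whole blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(E(key, p) for p in blocks(pt))        # C_i = E(K, P_i)

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv                                     # C_0 = IV
    for p in blocks(pt):
        prev = E(key, xor(p, prev))                        # C_i = E(K, P_i XOR C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_mac(key, pt, iv=bytes(BLOCK)):
    """MAC mode: run CBC, keep only the last block C_n (zero IV is an assumption)."""
    return cbc_encrypt(key, iv, pt)[-BLOCK:]

def mac_ok(key, pt, tag):
    """Receiver side: recompute C_n with K and compare in constant time."""
    return hmac.compare_digest(cbc_mac(key, pt), tag)

def ctr_xor(key, nonce, data):
    """CTR mode; encryption and decryption are the same operation."""
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), BLOCK)):
        keystream = E(key, nonce + ctr.to_bytes(4, "big"))  # E(K, CTR), CTR++
        out += xor(data[i:i + BLOCK], keystream)            # zip() trims a short last block
    return bytes(out)

def distinct_blocks(ct):
    return len(set(blocks(ct)))

# Constructed sample values, not taken from the lecture.
KEY = b"constructed-key!"
IV = bytes.fromhex("0011223344556677")
NONCE = b"\x00\x00\x00\x01"
PT = b"ATTACK!!" * 3 + b"RETREAT!"        # three identical blocks, then one different

if __name__ == "__main__":
    print("distinct ciphertext blocks, ECB:", distinct_blocks(ecb_encrypt(KEY, PT)))
    print("distinct ciphertext blocks, CBC:", distinct_blocks(cbc_encrypt(KEY, IV, PT)))
    ct = ctr_xor(KEY, NONCE, PT)
    print("distinct ciphertext blocks, CTR:", distinct_blocks(ct))

    # A one-bit error in CTR ciphertext is a one-bit error in the plaintext.
    damaged = bytearray(ct)
    damaged[3] ^= 0x10
    print("CTR after bit error:", ctr_xor(KEY, NONCE, bytes(damaged)))

    # Same key and same counter values for two messages: the key-stream cancels.
    other = b"WITHDRAW" * 4
    leak = xor(ct, ctr_xor(KEY, NONCE, other))
    print("C xor C' equals P xor P':", leak == xor(PT, other))

    tag = cbc_mac(KEY, PT)
    print("MAC accepts original:", mac_ok(KEY, PT, tag))
    print("MAC accepts modified:", mac_ok(KEY, PT[:-1] + b"?", tag))
```

Plain CBC-MAC as written on the slide is only safe when every message has the same fixed length.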

How to strengthen DES: the case of double DES

• 2DES: C = DES(K1, DES(K2, P))
• Seems to be hard to break by “brute force”, approx. 2^111 trials
• Assume Eve is trying to break 2DES and has a single (P, C) pair

Meet-in-the-middle (or Rendezvous) ATTACK:

I. For each possible K'_i (where 0 < i < 2^56)
   1. Compute C'_i = DES(K'_i, P)
   2. Store: [K'_i, C'_i] in table T (sorted by C'_i)

II. For each possible K''_i (where 0 < i < 2^56)
   1. Compute C''_i = DES^-1(K''_i, C)
   2. Look up C''_i in T ← not expensive!
   3. If lookup succeeds, output: K1 = K'_i, K2 = K''_i

TOTAL COST: O(2^56) operations + O(2^56) storage
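The Feistel structure from the earlier slides and the meet-in-the-middle steps above, as one added example (not code from the lecture): a toy 32-bit Feistel cipher with a 12-bit key stands in for DES so the whole key space can be enumerated, with K1 as the inner key, C = E(K2, E(K1, P)). The cipher, its subkey generation and all sample values are constructed for illustration; checking candidates against a second known pair goes beyond the single (P, C) pair on the slide.

```python
import hashlib

ROUNDS = 4       # toy round count
KEY_BITS = 12    # toy key size, small enough to enumerate every key

def round_keys(key):
    """Toy subkey generation: one round key per round, derived from the key."""
    return [hashlib.sha256(key.to_bytes(2, "big") + bytes([r])).digest()
            for r in range(ROUNDS)]

def F(subkey, half):
    """Round function: a truncated hash, deliberately NOT reversible."""
    digest = hashlib.sha256(subkey + half.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")

def feistel(block, subkeys):
    """Run a 32-bit block through the Feistel network with the given subkeys."""
    left, right = block >> 16, block & 0xFFFF
    for k in subkeys:
        left, right = right, left ^ F(k, right)
    return (right << 16) | left        # final swap lets decryption reuse the network

def E(key, block):
    return feistel(block, round_keys(key))

def D(key, block):
    # Same network with the round keys reversed; F itself is never inverted.
    return feistel(block, round_keys(key)[::-1])

def double_encrypt(k1, k2, block):
    return E(k2, E(k1, block))         # C = E(K2, E(K1, P))

def meet_in_the_middle(p, c):
    """Every (K1, K2) consistent with one known (P, C) pair."""
    table = {}
    for k1 in range(1 << KEY_BITS):                  # step I: encrypt P forward
        table.setdefault(E(k1, p), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):                  # step II: decrypt C backward
        for k1 in table.get(D(k2, c), []):           # dictionary lookup in T
            candidates.append((k1, k2))
    return candidates

def recover_keys(pairs):
    """Candidates from the first pair that also explain every further pair."""
    (p0, c0), rest = pairs[0], pairs[1:]
    return [(k1, k2) for k1, k2 in meet_in_the_middle(p0, c0)
            if all(double_encrypt(k1, k2, p) == c for p, c in rest)]

if __name__ == "__main__":
    # Constructed sample keys and plaintexts.
    K1, K2 = 0x3A7, 0xC15
    pairs = [(p, double_encrypt(K1, K2, p)) for p in (0x01234567, 0x89ABCDEF)]
    found = recover_keys(pairs)
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
    print("cipher operations: about", 2 * (1 << KEY_BITS),
          "instead of", 1 << (2 * KEY_BITS))
```

The table holds one entry per possible inner key, which is the O(2^56) storage term on the slide scaled down to 2^12.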

DES Variants

• 3-DES (Triple DES)
  • C = E(K1, D(K2, E(K1, P))) ➔ 112 effective key bits
  • C = E(K3, D(K2, E(K1, P))) ➔ 168 effective key bits
• DESx
  • C = K3 XOR E(K2, (K1 XOR P)) ➔ seems like 184 key bits
  • Effective key bits ➔ approx. 118
• 2-DES:
  • C = E(K2, E(K1, P)) ➔ rendezvous (meet-in-the-middle attack)
• Another simple variation:
  • C = K1 XOR E(K1', P) ➔ weak!

NOTE: The same variants can be constructed out of any cipher

DES Variants

Why does 3-DES (or generally n-DES) work?

Because, as a function, DES is not a group…

A “group” is an algebraic structure. One of its properties is that, taking any 2 elements of the group (a, b) and applying an operator F() yields another element c in the group.

Suppose: C = DES(K1, DES(K2, P))

There is no K, such that: for each possible plaintext P, DES(K, P) = C

DES Summary

• Permutation/substitution block cipher
• 64-bit data blocks
• 56-bit keys (8 parity bits)
• 16 rounds (shifts, XORs)
• Key schedule
• S-box selection secret…
• DES “aging”
• 2-DES: rendezvous attack
• 3-DES: 112-bit security
• DESx: 118-bit security

Other Old Symmetric Ciphers

Skipjack

• Classified algorithm originally designed for the NSA-sponsored Clipper chip
• declassified in 1998
• 32 rounds, breakable with 31 rounds
• 80 bit key, inadequate for long-term security

GOST

• GOST 28147, Russian answer to DES
• 32 rounds, 256 bit key
• Incompletely specified

Other Symmetric Ciphers

• IDEA (X. Lai, J. Massey, ETH)
  • Developed as PES (proposed encryption standard),
  • adapted to resist differential cryptanalysis
  • Gained popularity via PGP, 128 bit key
  • Patented (Ascom CH)
• Blowfish (B. Schneier, Counterpane)
  • Optimized for high-speed execution on 32-bit processors
  • 448 bit key, relatively slow key setup
  • Fast for bulk data on most PCs/laptops
  • Easy to implement, runs in ca. 5K of memory

Other Symmetric Ciphers

• RC4 (Ron’s Cipher #4) Stream Cipher:
  • Optimized for fast software implementation
  • Character streaming (not bit)
  • 8-bit output
  • Former trade secret of RSADSI,
  • Reverse-engineered and posted to the net in 1994:
  • 2048-bit key
  • Used in many products until about 1999-2000

Other Symmetric Ciphers (RC4)

    #include <stddef.h>

    /* RC4 keystream generation: XORs the keystream into data in place.
       state[0..255] is the key-dependent permutation left by key setup. */
    void rc4_crypt(unsigned char state[256], unsigned char *data, size_t length)
    {
        unsigned char x = 0, y = 0, sx, sy;   /* unsigned char wraps mod 256 */

        while (length--) {
            sx = state[++x & 0xFF];
            y += sx & 0xFF;
            sy = state[y];
            state[y] = sx;                    /* swap state[x] and state[y] */
            state[x] = sy;
            *data++ ^= state[(sx + sy) & 0xFF];
        }
    }

Takes about a minute to implement from memory

Other Symmetric Ciphers

• RC5 (Ron’s Cipher #5)
  • Suitable for hardware and software
  • Fast, simple
  • Adaptable to processors of different word lengths
  • Variable number of rounds
  • Variable-length key (0-256 bytes)
  • Very low memory requirements
  • High security (no effective attacks, yet…)
  • Data-dependent rotations

Other Symmetric Ciphers

• RC5 single round pseudocode:

Advanced Encryption Standard (AES): The Rijndael Block Cipher

Introduction and History

• National Institute of Science and Technology (NIST) regulates standardization in the US
• By mid-90s, DES was an aging standard that no longer met the needs for strong commercial-grade encryption
• Triple-DES: Endorsed by NIST as a “de facto” standard
  • But… slow in software and large footprint (code size)
• Advanced Encryption Standard (AES)
  • Finalized in 2001
  • Goal is to define the Federal Information Processing Standard (FIPS) by selecting a new encryption algorithm suitable for encrypting (non-classified non-military) government documents
  • Candidate algorithms must be:
    • Symmetric-key ciphers supporting 128, 192, and 256 bit keys
    • Royalty-Free
    • Unclassified (i.e., public domain)
    • Available for worldwide export

Introduction and History

• AES Round-3 Finalist Algorithms:
  • MARS
    • Candidate offering from IBM Research
  • RC6
    • By Ron Rivest of MIT & RSA Labs, creator of the widely used RC4/RC5 algorithm and “R” in RSA
  • Twofish
    • From Counterpane Internet Security, Inc. (MN)
  • Serpent
    • by Ross Anderson (UK), Eli Biham (ISR) and Lars Knudsen (NO)
  • Rijndael
    • by Joan Daemen and Vincent Rijmen (B)

Rijndael

The Winner: Rijndael

• Joan Daemen (of Proton World International) and Vincent Rijmen (of Katholieke Universiteit Leuven).
• Pronounced “Rhine-doll”
• Allows only 128, 192, and 256-bit key sizes (unlike other candidates)
• Variable input block length: 128, 192, or 256 bits. All nine combinations of key-block length possible.
  • A block is the smallest data size the algorithm will encrypt
• Vast speed improvement over DES in both hw and sw implementations
  • 8,416 bytes/sec on a 20MHz 8051
  • 8.8 Mbytes/sec on a 200MHz Pentium Pro

Rijndael

[Figure: Key K ➔ Key Expansion (KE) ➔ Round Keys k1, k2, k3, ..., kn-2, kn-1, kn; input P ➔ Encryption Rounds r1, r2, r3, ..., rn-2, rn-1, rn ➔ C]

• Key is expanded to a set of n round keys
• Input block P put thru n rounds, each with a distinct round sub-key.
• Strength of algorithm relies on difficulty of obtaining intermediate results (or state) of round i from round i+1 without the round key.

Rijndael

Detailed view of round n

[Figure: Result from round n-1 ➔ ByteSub ➔ ShiftRow ➔ MixColumn ➔ AddRoundKey (with K_n) ➔ Pass to round n+1]

• Each round performs the following operations:
  • Non-linear Layer: No linear relationship between the input and output of a round
  • Linear Mixing Layer: Guarantees high diffusion over multiple rounds
    • Very small correlation between bytes of the round input and the bytes of the output
  • Key Addition Layer: Bytes of the input are simply XOR’ed with the expanded round key

Rijndael

• Three layers provide strength against known types of cryptographic attacks: Rijndael provides “full diffusion” after only two rounds
• Immune to:
  • Linear and differential cryptanalysis
  • Related-key attacks
  • Square attack
  • Interpolation attacks
  • Weak keys
• Rijndael has been “shown” secure:
  • No key recovery attacks faster than exhaustive search exist
  • No known symmetry properties in the round mapping
  • No weak keys identified
  • No related-key attacks: No two keys have a high number of expanded round keys in common

Rijndael: ByteSub

Each byte at the input of a round undergoes a non-linear byte substitution according to the following transform:

Substitution (“S”)-box

Rijndael: ShiftRow

Depending on the block length, each “row” of the block is cyclically shifted according to the above table

Rijndael: MixColumn

Each column is multiplied by a fixed polynomial C(x) = ’03’*X^3 + ’01’*X^2 + ’01’*X + ’02’

This corresponds to matrix multiplication b(x) = c(x) ⊗ a(x):

Not XOR
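An added example (not from the lecture) that carries out the MixColumn product both as a polynomial multiplication and as the equivalent matrix, with byte arithmetic in GF(2^8). The reduction polynomials x^8 + x^4 + x^3 + x + 1 and x^4 + 1 and the inverse polynomial are taken from the Rijndael specification rather than from the slide; the sample column is chosen for the example.

```python
def xtime(a):
    """Multiply a byte by x ('02') in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def gf_mul(a, b):
    """Product of two bytes in GF(2^8): shift-and-add, where 'add' is XOR.
    This is the multiplication the slide marks as not being a plain XOR."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

# Coefficients listed from x^0 up to x^3.
C_POLY = [0x02, 0x01, 0x01, 0x03]     # c(x) = '03'x^3 + '01'x^2 + '01'x + '02'
D_POLY = [0x0E, 0x09, 0x0D, 0x0B]     # inverse polynomial from the Rijndael spec

def poly_mul(c, a):
    """b(x) = c(x) (x) a(x), reduced modulo x^4 + 1 so exponents wrap around."""
    b = [0, 0, 0, 0]
    for i, ci in enumerate(c):
        for j, aj in enumerate(a):
            b[(i + j) % 4] ^= gf_mul(ci, aj)
    return b

def mix_column(a):
    return poly_mul(C_POLY, a)

def inv_mix_column(b):
    return poly_mul(D_POLY, b)

# The same transform written as the circulant matrix built from c(x).
MATRIX = [[0x02, 0x03, 0x01, 0x01],
          [0x01, 0x02, 0x03, 0x01],
          [0x01, 0x01, 0x02, 0x03],
          [0x03, 0x01, 0x01, 0x02]]

def mix_column_matrix(a):
    out = []
    for row in MATRIX:
        acc = 0
        for coeff, byte in zip(row, a):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out

if __name__ == "__main__":
    column = [0xDB, 0x13, 0x53, 0x45]             # sample input column
    mixed = mix_column(column)
    print("polynomial form:", [f"{v:02x}" for v in mixed])
    print("matrix form:    ", [f"{v:02x}" for v in mix_column_matrix(column)])
    print("inverse:        ", [f"{v:02x}" for v in inv_mix_column(mixed)])
```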

Rijndael: Key Expansion and Addition

Each word is simply XOR’ed with the expanded round key

Key Expansion algorithm:

Rijndael: Implementations

• Well-suited for software implementations on 8-bit processors (important for “Smart Cards”)
  • Atomic operations focus on bytes and nibbles, not 32- or 64-bit integers
  • Layers such as ByteSub can be efficiently implemented using small tables in ROM (e.g., < 256 bytes).
  • No special instructions are required to speed up operation, e.g., barrel rotates
• For 32-bit implementations:
  • An entire round can be implemented via a fast table lookup routine on machines with 32-bit or higher word lengths
• Considerable parallelism exists in the algorithm
  • Each layer of Rijndael operates in a parallel manner on the bytes of the round state, all four component transforms act on individual parts of the block
  • Although the Key expansion is complicated and cannot benefit much from parallelism, it only needs to be performed once until the two parties switch keys.

Rijndael: Implementations

• Hardware Implementations
  • Rijndael performs very well in software, but there are cases when better performance is required (e.g., server and VPN applications).
  • Multiple S-Box engines, round-key XORs, and byte shifts can all be implemented efficiently in hardware when absolute speed is required
  • Small amount of hardware can vastly speed up 8-bit implementations
• Inverse Cipher
  • Except for the non-linear ByteSub step, each part of Rijndael has a straightforward inverse and the operations simply need to be undone in the reverse order.
  • However, Rijndael was specially written so that the same code that encrypts a block can also decrypt the same block simply by changing certain tables and polynomials for each layer. The rest of the operation remains identical.

Conclusions and The Future

• Rijndael is an extremely fast, state-of-the-art, highly secure algorithm
• Amenable to efficient implementation in both hw and sw; requires no special instructions to obtain good performance on any computing platform
• Triple-DES, still highly secure and supported by NIST, is expected to be common for the foreseeable future.

Reminder: World’s Best Cipher!

One-Time Pad (OTP)

For each character:

[Figure: pad (key) ⊕ msg (plaintext) = ciphertext (encrypted msg)]

One-Time Pad (cont.)

• Symmetric
• Pad is selected at random
• Pad is as long as plaintext
• Perfectly secure, but...
• One time only: so sending the pad is just as hard as sending the msg