lecture3keldefra/teaching/fall2016/uci... · 2016-10-06 · 4 average time required for exhaustive...
TRANSCRIPT
Lecture 3
EncryptionSuggested Readings:
• Chs 3&4inKPS(recommended)• Ch 3inStinson(optional)
1
2
• Acryptosystemhas(atleast)fiveingredients:– Plaintext– SecretKey– Ciphertext– EncryptionAlgorithm– DecryptionAlgorithm
• Securityusuallydependsonthesecrecyofthekey,notthesecrecyofthealgorithms
EncryptionPrinciples
3
CryptoBasics
4
AverageTimeRequiredforExhaustiveKey Search (forBrute ForceAttacks)
KeySize(bits)
NumberofAlternativeKeys
Timerequiredat106
Decr/µs
32 232 =4.3x109 2.15milliseconds
56 256 =7.2x1016 10hours
128 2128=3.4x1038 5.4x1018 years
168 2168=3.7x1050 5.9x 1030 years
5
TypesofAttainableSecurity
• Perfect,unconditionalor“informationtheoretic”:thesecurityisevidentfreeofany(computational/hardness)assumptions
• Reducibleor“provable”:securitycanbeshowntobebasedonsomecommon(oftenunproven)assumptions,e.g.,theconjectureddifficultyoffactoringlargeintegers
• Adhoc:thesecurityseemsgoodoften->“snakeoil”…
Takealookat:
http://www.ciphersbyritter.com/GLOSSARY.HTM
6
ComputationalSecurity• Encryptionschemeiscomputationallysecure if
– costofbreakingit(viabruteforce)exceedsthevalueoftheencryptedinformation;or
– timerequiredtobreakitexceedsusefullifetimeoftheencryptedinformation
• Mostmodernschemeswewillseeareconsidered computationallysecure– Usuallyrelyonverylargekey-space,impregnabletobruteforce
• Mostadvancedschemesrelyonlackofknowledgeofeffectivealgorithmsforcertainhardproblems,notonaproveninexistenceofsuchalgorithms(reduciblesecurity)!– Suchas:factoring,discretelogarithms,etc.
7
CryptosystemsClassifiedalongthreedimensions:
• Typeofoperationsusedfortransformingplaintextintociphertext– Binaryarithmetic:shifts,XORs,ANDs,etc.
• Typicalforconventional(orsymmetric) encryption– Integerarithmetic
• Typicalforpublickey(orasymmetric) encryption• Numberofkeysused
– Symmetricorconventional(singlekeyused)– Asymmetricorpublickey(2keys:1toencrypt,1todecrypt)
• Howplaintextisprocessed:– Onebitatatime– Astringofanylength– Ablockofbits
Conventional(Symmetric)Cryptography
•AliceandBobshare akey KAB whichtheysomehowagreeupon(how?)• keydistribution/keymanagementproblem• ciphertextisroughlyaslongasplaintext• examples:Substitution,VernamOTP,DES,AES
8
plaintextciphertext
K AB
encryptionalgorithm
decryptionalgorithm
K AB
plaintextm
K(m)AB
K(m)ABm =K( )
AB
UsesofConventionalCryptography
•MessageTransmission(confidentiality):• Communicationoverinsecurechannels
•SecureStorage:cryptonUnix•StrongAuthentication:provingknowledgeofasecretwithoutrevealingit:• Seenextslide• Evecanobtainchosen<plaintext,ciphertext>pair• Challengeshouldbechosenfromalargepool
• IntegrityChecking:fixed-lengthchecksumformessageviasecretkeycryptography• SendMACalongwiththemessageMAC=H(m,K)
9
Challenge-ResponseAuthenticationExample
10
K AB
challenge
K AB
ra
KAB(ra) challengereply
rb
KAB(rb)
challenge
challengereply
11
ConventionalCryptographyØ Advantages
l highdatathroughputl relativelyshortkeysizel primitivestoconstructvariouscryptographicmechanisms
Ø Disadvantagesl keymustremainsecretatboth endsl keymustbedistributedsecurelyandefficientlyl relativelyshortkeylifetime
• AsymmetricCryptography
• Inventedin1974-1978(Diffie-HellmanandRivest-Shamir-Adleman)
• Twokeys:private(SK),public(PK)• Encryption:withpublickey;• Decryption:withprivatekey• DigitalSignatures:Signingbyprivatekey;Verificationbypublickey.i.e.,“encrypt”messagedigest/hash-- h(m)-- withprivatekey• Authorship(authentication)• Integrity:SimilartoMAC• Non-repudiation:cannotdowithsecretkeycryptography
•Muchslower (~1000x)thanconventionalcryptography• Oftenusedtogetherwithconventionalcryptography,e.g.,toencryptsessionkeys
12
PublicKeyCryptography
13
GenesisofPublicKeyCryptography:Diffie- HellmanPaper
PublicKeyCryptography
14
plaintextmessage,m
ciphertextencryptionalgorithm
decryptionalgorithm
Bob’spublic key
plaintextmessagePK(m)
B
PKBBob’sprivate key
SKB
m=SK(PK(m))BB
UsesofPublicKeyCryptography•DataTransmission(confidentiality):• Aliceencryptsma usingPKB,Bobdecryptsittoobtainma usingSKb.
•SecureStorage:encryptwithownpublickey,laterdecryptwithownprivatekey•Authentication:• Noneedtostoresecrets,onlyneedpublickeys.• Secretkeycryptography:needtosharesecret keyforeverypersononecommunicateswith
•DigitalSignatures(authentication,integrity,non-repudiation)
15
16
Ø Advantagesl onlytheprivatekeymustbekeptsecretl relativelylonglifetimeofthekeyl moresecurityservicesl relativelyefficientdigitalsignaturesmechanisms
Ø Disadvantagesl lowdatathroughputl muchlargerkeysizesl distribution/revocationofpublickeysl securitybasedonconjecturedhardnessofcertaincomputationalproblems
PublicKeyCryptography
17
Ø PublicKeyl Encryption,signatures(esp.,non-repudiation)andkeymanagement
Ø Conventionall Encryptionandsomedataintegrityapplications
Ø KeySizesl Keysinpublickeycryptomustbelarger(e.g.,2048bitsforRSA)thanthoseinconventionalcrypto(e.g.,112bitsfor3-DESor256bitsforAES)• mostattackson“good”conventionalcryptosystemsareexhaustivekeysearch(bruteforce)
• publickeycryptosystemsaresubjectto“short-cut”attacks(e.g.,factoringlargenumbersinRSA)
ComparisonSummary
“Modern”BlockCiphers
DataEncryptionStandard(DES)
Generic Example of BlockEncryption
20
Feistel Cipher Structure
•Virtuallyallconventionalblockencryptionalgorithms,includingDES,haveastructurefirstdescribedbyHorstFeistelofIBMin1973
•SpecificrealizationofaFeistelNetworkdependsonthechoiceofthefollowingparametersandfeatures:
20
Feistel Cipher Structure• BlockSize: largerblocksizesmeangreatersecurity
• KeySize: largerkeysizemeans greater security
•Number of Rounds: multiple rounds offerincreasingsecurity
• Subkey GenerationAlgorithm: greater complexity willlead togreater difficulty of cryptanalysis
• FastSoftwareEn/De-cryption: speedof execution ofthealgorithm becomes aconcern
21
22
ClassicFeistel Network
“RoundKeys”aregeneratedfromoriginalkeyvia
subkey generationalgorithm
BlockCiphers
23
• Originatedwithearly1970'sIBMefforttodevelopbankingsecuritysystems
• FirstresultwasLucifer,mostcommonvarianthas128-bitkeyandblocksize
• Wasnotsecureinanyofitsvariants
• CalledaFeistel orproduct cipher
• F()-functionisasimpletransformation,doesnothavetobereversible
• Eachstepiscalledaround;themorerounds,thegreaterthesecurity(toapoint)
• MostfamousexampleofthisdesignisDES
Conventional Encryption Standard
• DataEncryptionStandard(DES)•Mostwidelyusedencryptionmethod(AESisprobablytakingoverbynow)• Blockcipher(innativeECBmode)• Plaintextprocessedin64-bitblocks• Keyis56bits
24
• 64bitinputblock• 64bitoutputblock• 16rounds• 64(effective56)bitkey• Keyschedulecomputedatstartup•Aimedatbulkdata• >16roundsdoesnothelp• >56bitkeydoesnothelp•OtherS-boxesusuallyhurt…
DataEncryption Standard(DES)
25
26
BasicStructure of DES
27
Encryption vsDecryption inDES
64BitPlaintext
InitialPermutation
32BitL0 32BitR0
F(R0,K1)+
32BitL1 32BitR1
32BitL15 32BitR15
F(R15,K16)+
32BitL16 32BitR16
FinalPermutation
64BitCiphertext
EncryptionProcess DESSystem64BitKey
PermutationChoice1
56BitKey
28BitC0 28BitD0
LeftShift RightShift
C1 D1
BuildingBlocks
PermutedChoice2
K1(48bits)
C16 D16
PermutedChoice2
KeySchedule
K16(48bits)
27
Li-132bits
Ri-1
32bits
S-BoxSubstitutionchoses32bits
P-boxPermutation
Li32bits
Ri
32bits
56bitsKeyPermutedChoice
48bits
FunctionF
Expansion(E)Permutation48bits
28
30
DESSubstitutionBoxesOperation
29
31
OperationTablesofDES(IP,IP-1,EandP)
30
32 31
33 32
BreakingDES(Cryptanalysis)DESKeysize=56bits• Bruteforce=255 attemptsonavg• Differentialcryptanalysisè 247 chosen plaintexts• Linearcryptanalysisè 247 known plaintexts
• Longerthan56bitkeysdonotmakeitanystronger• Morethan16roundsdonotmakeitanystronger• DESKeyProblems:• Weakkeys(all0s,all1s,afewothers)• Keysize=56bits=8*7-bitASCII• Alphanumeric-onlypasswordconvertedtouppercase
8*~5-bitchars=40bits33
BreakingDES(Cryptanalysis)DifferentialCryptanalysis
• LooksforcorrelationsinF()-functioninputandoutput
LinearCryptanalysis
• Looksforcorrelationsbetweenkeyandcipherinputandoutput
Related-keyCryptanalysis
• Looksforcorrelationsbetweenkeychangesandcipherinput/output
Differentialcryptanalysisdiscoveredin1990;virtuallyallblockciphersfrombeforethattimearevulnerable...
...exceptDES.IBM(andtheNSA)knewaboutit15yearsearlier34
ModesofOperation(notjustforDES,foranyblockcipher)
…
ENCRYPTION
…
…
…
P1 P2 Pi Pi+1 Pn-1 Pn
C1 C2 Ci Ci+1 Cn-1 Cn
http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation35
"Native”ECBModeElectronicCode-Book(ECB)Mode• Inputtoencryptionalgorithmiscurrentplaintextblock:
Ci =E(K,Pi)Pi=D(K,Ci )
• Duplicateplaintextblocks(patterns)visibleinciphertext• WhatifAliceencryptsonewordperplaintextblock?
• Ciphertext blockrearrangementispossible• Todetectit,needexplicitblocknumberinginplaintext
• Parallelencryptionanddecryption(randomaccess)• Errorinoneciphertext blockè one-blockloss• One-blocklossinciphertext?
36
CBCModeCipher-BlockChaining(CBC)Mode• InputtoencryptionalgorithmistheXORofcurrentplaintextblockandprecedingciphertext block:
Ci =E(K,PiXOR Ci-1 )C0=IVPi =D(K,Ci )XOR Ci-1
• Duplicateplaintextblocks(patterns)NOTexposed• Blockrearrangementisdetectable• Noparallelencryption• Howaboutparalleldecryption?
• Errorinoneciphertext blockè two-blockloss• One-blockciphertext loss?
37
39
OFBModeOutputFeedback(OFB)Mode• Key-streamisproducedbyrepeatedencryptionofVo:
Ci=E(K,Vi-1)XOR Pi V0=IVPi =E(K,Vi-1)XOR Ci
• Duplicateplaintextblocks(patterns)NOTexposed• Blockrearrangementisdetectable• Key-streamisindependentofplaintext• Howdoesthataffectspeedofencryption?Parallelism?
• Biterrorinoneciphertextblockè one-biterrorinplaintext• One-blockciphertextlossè bigmessJ• Canencryptlessthanblocksize
39
CFBModeCipherFeedback(CFB)Mode• Key-streamisproducedbyre-encryptionofprecedingciphertext -- Ci-1:
Ci =Pi XOR E(K,Ci-1) C0=IVPi =E(K,Ci-1)XOR Ci
• Duplicateplaintextblocks(patterns)NOTexposed• Blockrearrangementisdetectable• Key-streamisdependentonplaintext• Howdoesthataffectspeedofencryption?Parallelism?
• Biterrorinoneciphertext blockè one-bit+one-blocklossinplaintext• Adversarycanstillselectivelyflip/changebits
• One-blockciphertext lossè 1-extra-blockloss• Canencryptlessthanblocksize
40
CTRModeCounter(CTR)Mode• Key-streamisproducedbyencryptionincreasingcounter:
Ci =E(K,CTRi )XOR Pi CTRi =CTRi-1+1Pi =E(K,CTRi )XOR Ci
• Duplicateplaintextblocks(patterns)NOTexposed,unless?• Blockrearrangementisdetectable• Key-streamisindependentofplaintext• Parallelencryptionanddecryption(randomaccess)• Biterrorinoneciphertext blockè one-biterrorinplaintext• One-blockciphertext lossè bigmess• Canencryptlessthanblocksize
41
MACModeMessageAuthenticationCode(MAC)Mode• EncryptionisthesameasinCBCmode,but,ciphertext isNOTsent!
Ci=E(K,PiXOR Ci-1 )C0=IV
Whatissentorstored:P1,...,Pn,Cn=MAC
ReceiverrecomputesCnwithKandcompares
• AnychangeinplaintextresultsinunpredictablechangesinMAC
42
HowtostrengthenDES:thecaseofdoubleDES
• 2DES:C=DES(K1,DES(K2,P))
• Seemstobehardtobreakby“bruteforce”,approx.2111 trials
• AssumeEveistryingtobreak2DESandhasasingle(P,C)pair
Meet-in-the-middle(orRendesvouz)ATTACK:
I. ForeachpossibleK’i (where0<i <256)1. ComputeC’i =DES(K’i ,P)2. Store:[K’i,C’i ]intableT(sortedbyC’i)
II. ForeachpossibleK”i (where0<i <256)1. ComputeC”i =DES-1 (K”i ,C)2. LookupC”i inTç notexpensive!3. Iflookupsucceeds,output:K1=K’i,K2=K”i
TOTALCOST:O(256)operations+O(256)storage 43
DESVariantso3-DES(TripleDES)
oC=E(K1,D(K2,E(K1,P)))à 112effectivekeybits
oC=E(K3,D(K2,E(K1,P)))à 168effectivekeybits
oDESx
oC=K3XOR E(K2,(K1XORP))à seemslike184keybits
oEffectivekeybitsà approx.118
o2-DES:
oC=E(K2,E(K1,P))à rendezvous(meet-in-the-middleattack)
oAnothersimplevariation:
oC=K1XORE(K1’,P)à weak!
NOTE:Thesamevariantscanbeconstructedoutofanycipher44
DESVariantsWhydoes3-DES(orgenerallyn-DES)work?
Because,asafunction,DESisnotagroup…
A“group”isanalgebraicstructure.Oneofitspropertiesisthat,takingany2
elementsofthegroup(a,b)andapplyinganoperatorF()yieldsanotherelementcin
thegroup.
Suppose:C=DES(K1,DES(K2,P))
ThereisnoK,suchthat:
foreachpossibleplaintextP,DES(K,P)=C
45
DESSummary• Permutation/substitutionblockcipher
• 64-bitdatablocks
• 56-bitkeys(8paritybits)
• 16rounds(shifts,XORs)
• Keyschedule
• S-boxselectionsecret…
• DES“aging”
• 2-DES:rendezvousattack
• 3-DES:112-bitsecurity
• DESx :118-bitsecurity
46
Skipjack•ClassifiedalgorithmoriginallydesignedfortheNSA-sponsoredClipperchip•declassifiedin1998•32rounds,breakablewith31rounds•80bitkey,inadequateforlong-termsecurity
GOST•GOST28147,RussiananswertoDES•32rounds,256bitkey• Incompletelyspecified
Other OldSymmetric Ciphers
47
• IDEA(X.ILai,J.Massey,ETH)• DevelopedasPES(proposedencryptionstandard),• adaptedtoresistdifferentialcryptanalysis• GainedpopularityviaPGP,128bitkey• Patented(AscomCH)
•Blowfish(B.Schneier,Counterpane)• Optimizedforhigh-speedexecutionon32-bitprocessors• 448bitkey,relativelyslowkeysetup• FastforbulkdataonmostPCs/laptops• Easytoimplement,runsinca.5Kofmemory
Other Symmetric Ciphers
48
• RC4(Ron’sCipher#4)StreamCipher:• Optimizedforfastsoftwareimplementation• Characterstreaming(notbit)• 8-bitoutput• FormertradesecretofRSADSI,• Reverse-engineeredandpostedtothenetin1994:• 2048-bitkey• Usedinmanyproductsuntilabout1999-2000
Other Symmetric Ciphers
49
x=y=0;
while(length-- )
{/*state[0-255]containskeybytes*/
sx =state[++x&0xFF];
y+=sx &0xFF;
sy =state[y];
state[y]=sx;
state[x]=sy;
*data++^=state[(sx+sy )&0xFF];
}
Takesaboutaminutetoimplementfrommemory
Other Symmetric Ciphers (RC4)
50
Other Symmetric Ciphers• RC5(Ron’sCipher#5)• Suitableforhardwareandsoftware• Fast,simple• Adaptabletoprocessorsofdifferentwordlengths• Variablenumberofrounds• Variable-lengthkey(0-256bytes)• Verylowmemoryrequirements• Highsecurity(noeffectiveattacks,yet…)• Data-dependentrotations
52
Other Symmetric Ciphers• RC5singleroundpseudocode:
52
AdvancedEncryptionStandard(AES):TheRijndael BlockCipher
55
• NationalInstituteofScienceandTechnology(NIST)regulatesstandardizationintheUS
• Bymid-90s,DESwasanagingstandardthatnolongermettheneedsforstrongcommercial-gradeencryption
• Triple-DES:EndorsedbyNISTasa“defacto”standard• But…slowinsoftwareandlargefootprint(codesize)• AdvancedEncryptionStandard(AES)
• Finalizedin2001• GoalistodefinetheFederalInformationProcessingStandard(FIPS)byselectinganewencryptionalgorithmsuitableforencrypting(non-classifiednon-military)governmentdocuments
• Candidatealgorithmsmustbe:• Symmetric-keycipherssupporting128,192,and256bitkeys• Royalty-Free• Unclassified(i.e.,publicdomain)• Availableforworldwideexport
IntroductionandHistory
56
IntroductionandHistory• AESRound-3FinalistAlgorithms:• MARS
• CandidateofferingfromIBMResearch• RC6
• ByRonRivest ofMIT&RSALabs,creatorofthewidelyusedRC4/RC5algorithmand“R”inRSA
• Twofish• FromCounterpaneInternetSecurity,Inc.(MN)
• Serpent• byRossAnderson(UK),EliBiham (ISR)andLarsKnudsen(NO)
• Rijndael• byJoanDaemen andVincentRijmen (B)
57
TheWinner:Rijndael• JoanDaemen (ofProtonWorldInternational) andVincentRijmen (of
Katholieke Universiteit Leuven).• Pronounced“Rhine-doll”• Allowsonly128,192,and256-bitkeysizes(unlikeothercandidates)• Variableinputblocklength:128,192,or256bits.Allninecombinationsofkey-blocklengthpossible.• Ablockisthesmallestdatasizethealgorithmwillencrypt
• VastspeedimprovementoverDESinbothhw andswimplementations• 8,416bytes/secona20MHz8051• 8.8Mbytes/secona200MHzPentiumPro
Rijndael
58
P r1
Key
r2 Rn-1 rnr3 CRn-2
k1 k2 Kn-1 knk3 Kn-2
K
KE KeyExpansion
RoundKeys
EncryptionRoundsr1 …rn
• Keyisexpandedtoasetofnroundkeys• InputblockPputthrunrounds,eachwithadistinctroundsub-key.• Strengthofalgorithmreliesondifficultyofobtainingintermediateresults(or
state)ofroundi fromroundi+1withouttheroundkey.
Rijndael
59
Rijndael
Detailedviewofroundn
• Eachroundperformsthefollowingoperations:• Non-linearLayer:Nolinearrelationshipbetweentheinputandoutputofaround• LinearMixingLayer:Guaranteeshighdiffusionovermultiplerounds
• Verysmallcorrelationbetweenbytesoftheroundinputandthebytesoftheoutput
• KeyAdditionLayer:BytesoftheinputaresimplyXOR’ed withtheexpandedroundkey
ByteSub ShiftRow MixColumn AddRoundKey
Kn
Resultfromroundn-1
Passtoroundn+1
60
Rijndael• Threelayersprovidestrengthagainstknowntypesofcryptographicattacks:Rijndaelprovides“fulldiffusion”afteronlytworounds
• Immuneto:• Linearanddifferentialcryptanalysis• Related-keyattacks• Squareattack• Interpolationattacks• Weakkeys
• Rijndaelhasbeen“shown”secure:• Nokeyrecoveryattacksfasterthanexhaustivesearchexist• Noknownsymmetrypropertiesintheroundmapping• Noweakkeysidentified• Norelated-keyattacks:Notwokeyshaveahighnumberofexpandedroundkeysincommon
61
Rijndael:ByteSub
Eachbyteattheinputofaroundundergoesanon-linearbytesubstitutionaccordingtothefollowingtransform:
Substitution(“S”)-box
62
Rijndael:ShiftRow
Dependingontheblocklength,each“row”oftheblockiscyclicallyshiftedaccordingtotheabovetable
63
Rijndael:MixColumn
EachcolumnismultipliedbyafixedpolynomialC(x)=’03’*X3 +’01’*X2 +’01’*X+’02’
Thiscorrespondstomatrixmultiplicationb(x)=c(x)Ä a(x):
NotXOR
64
Rijndael:KeyExpansionandAddition
EachwordissimplyXOR’ed withtheexpandedroundkey
KeyExpansion(int* Key[4*Nk], int* EKey[Nb*(Nr+1)]){
for(i = 0; i < Nk; i++)EKey[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);
for(i = Nk; i < Nb * (Nr + 1); i++){
temp = EKey[i - 1];if (i % Nk == 0)
temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];EKey[i] = EKey[i - Nk] ^ temp;
}}
KeyExpansionalgorithm:
65
Rijndael:Implementations• Well-suitedforsoftwareimplementationson8-bitprocessors(importantfor“SmartCards”)• Atomicoperationsfocusonbytesandnibbles,not32- or64-bitintegers• LayerssuchasByteSub canbeefficientlyimplementedusingsmalltablesinROM(e.g.,<256bytes).
• Nospecialinstructionsarerequiredtospeedupoperation,e.g.,barrelrotates
• For32-bitimplementations:• Anentireroundcanbeimplementedviaafasttablelookuproutineonmachineswith32-bitorhigherwordlengths
• Considerableparallelismexistsinthealgorithm• EachlayerofRijndael operatesinaparallelmanneronthebytesoftheroundstate,allfourcomponenttransformsactonindividualpartsoftheblock• AlthoughtheKeyexpansioniscomplicatedandcannotbenefitmuchfromparallelism,itonlyneedstobeperformedonce untilthetwopartiesswitchkeys.
66
Rijndael:Implementations• HardwareImplementations
• Rijndael performsverywellinsoftware,buttherearecaseswhenbetterperformanceisrequired(e.g.,serverandVPNapplications).
• MultipleS-Boxengines,round-keyXORs,andbyteshiftscanallbeimplementedefficientlyinhardwarewhenabsolutespeedisrequired
• Smallamountofhardwarecanvastlyspeedup8-bitimplementations
• InverseCipher• Exceptforthenon-linearByteSub step,eachpartofRijndael hasastraightforwardinverseandtheoperationssimplyneedtobeundoneinthereverseorder.
• However,Rijndael wasspeciallywrittensothatthesamecodethatencryptsablockcanalsodecryptthesameblocksimplybychangingcertaintablesandpolynomialsforeachlayer.Therestoftheoperationremainsidentical.
67
ConclusionsandTheFuture
• Rijndael is an extremely fast, state-of-the-art, highlysecure algorithm
• Amenable to efficient implementation in both hwand sw; requires no special instructions to obtaingood performance on any computing platform
• Triple-DES, still highly secure and supported by NIST,is expected to be common for the foreseeable future.
68
Reminder:World’s BestCipher!
69
One-TimePad(OTP)
Foreachcharacter:
0 1 1 1 0 0 1 0 1 1 0
pad(key)
1 0 1 1 0 1 0 1 1 0 0
ciphertext(encryptedmsg)
Å1 1 0 0 0 1 1 1 0 1 0
msg(plaintext)
70
One-TimePad(cont.)
•Symmetric•Padisselectedatrandom•Padisaslongasplaintext•Perfectlysecure,but...•Onetimeonly:
sosendingthepadisjustashardassendingthemsg
71