Cryptography

Lecture 02 Byte-wise Shift Cipher Byte-wise Shift Cipher

I Instead of a, b, c, d,..., z have (for example) 0000, 0001,...,1111. I Works for an alphabet of bytes rather than (English, lowercase) letters

I Data in a computer is stored this way anyway. So works natively for arbitrary data!

I Use XOR instead of modular addition. Fast! I Decode and Encode are both XOR.

I Essential properties still hold Hexadecimal (base 16)

Hex Bits (“nibble”) Decimal Hex Bits (“nibble”) Decimal 0 0000 0 8 1000 8 1 0001 1 9 1001 9 2 0010 2 A 1010 10 3 0011 3 B 1011 11 4 0100 4 C 1100 12 5 0101 5 D 1101 13 6 0110 6 E 1110 14 7 0111 7 F 1111 15 Hexadecimal (base 16)

Notation: 0x before a string of {0, 1,..., 9, A, B, C, D, E, F } means that the string will be base 16. I 0x10

I 0x10 = 16*1 + 0 = 16

I 0x10 = 0001 0000

I 0xAF

I 0xAF = 16*A + F = 16*10 + 15 = 175

I 0xAF = 1010 1111 ASCII

I Characters (often) represented in ASCII with TWO hex-digits.

I Potentially 256 characters via {0,..., 9, A,..., F } × {0,..., 9, A,..., F }

I Only use 128 characters via {0,... 8} × {0,..., 9, A,..., F }

ASCII

I ‘1’ = 0x31 = 0011 0001

I ‘F’ = 0x46 = 0100 0110 Useful observations

I Only 128 valid ASCII chars (128 bytes invalid)

I 0x20-0x7E printable

I 0x41-0x7A includes upper/lowercase letters

I Uppercase letters begin with 0x4 or 0x5

I Lowercase letters begin with 0x6 or 0x7 Byte-wise shift cipher

I M = {strings of bytes}

I Gen: choose uniform byte k ∈ K = {0,. . . ,255}

I Enck (m1 ... mt ): output c1 ... ct , where ci := mi ⊕ k

I Deck (c1 ... ct ): output m1 ... mt , where mi := ci ⊕ k

I Verify that correctness holds. . . Question: Should it worry Alice and Bob that the key itself was transmitted? Discuss No. Eve has no way of knowing that.

Example

Key is 11001110. Alice wants to send 00011010, 11100011, 00000000 She sends

00011010 ⊕ 11001110, 11100011 ⊕ 11001110, 00000000 ⊕ 11001110

= 11010100, 00101101, 11001110 No. Eve has no way of knowing that.

Example

Key is 11001110. Alice wants to send 00011010, 11100011, 00000000 She sends

00011010 ⊕ 11001110, 11100011 ⊕ 11001110, 00000000 ⊕ 11001110

= 11010100, 00101101, 11001110 Question: Should it worry Alice and Bob that the key itself was transmitted? Discuss Example

Key is 11001110. Alice wants to send 00011010, 11100011, 00000000 She sends

00011010 ⊕ 11001110, 11100011 ⊕ 11001110, 00000000 ⊕ 11001110

= 11010100, 00101101, 11001110 Question: Should it worry Alice and Bob that the key itself was transmitted? Discuss No. Eve has no way of knowing that. Is this cipher secure?

I No – only 256 possible keys!

I Given a ciphertext, try decrypting with every possible key

I If ciphertext is long enough, only one plaintext will “look like English” (use the vector method of the last set of slides).

I Can further optimize

I First nibble of plaintext likely 0x4, 0x5, 0x6, 0x7 (assuming letters only)

I Can reduce exhaustive search to 26 keys (how?) I Talk to your friends or blood enemies about this. Sufficient key space principle

I The key space must be large enough to make exhaustive-search attacks impractical

I How large do you think that is?

I Note: this makes some assumptions. . .

I English-language plaintext

I Ciphertext sufficiently long so only one valid plaintext Credit Card Numbers also have patterns: 1. Visa cards always begin with 4 2. American Express always begins 34 or 37 3. Mastercard starts with 51 or 52 or 53 or 54. Upshot: If Eve knows what kind of information is being transmitted (English, Credit Card Numbers, numbers on checks) she can use this to make any cipher with a small key space insecure.

Is this cipher secure if we are transmitting numbers?

If Alice sends Bob a Document in English via Byte-Shift then insecure! What if Alice sends Bob a credit card number? Discuss Is this cipher secure if we are transmitting numbers?

If Alice sends Bob a Document in English via Byte-Shift then insecure! What if Alice sends Bob a credit card number? Discuss Credit Card Numbers also have patterns: 1. Visa cards always begin with 4 2. American Express always begins 34 or 37 3. Mastercard starts with 51 or 52 or 53 or 54. Upshot: If Eve knows what kind of information is being transmitted (English, Credit Card Numbers, numbers on checks) she can use this to make any cipher with a small key space insecure. Affine, Quadratic, Cubic, and Polynomial Ciphers Does this work? Vote YES or NO or OTHER Answer: OTHER 2x + 1 does not work: 0 and 13 both map to 1. Need the map to be a bijection so it will have a unique inverse.

Condition on a, b so that x → ax + b is a bij: a rel prime to 26. Condition on a, b so that a has an inv mod 26: a rel prime to 26.

Affine Cipher Recall: Shift cipher with shift s: 1. Encrypt via x → x + s (mod 26). 2. Decrypt via x → x − s (mod 26). We replace x + s with more elaborate functions

Definition: The Affine cipher with a, b: 1. Encrypt via x → ax + b (mod 26). 2. Decrypt via x → a−1(x − b) (mod 26) Answer: OTHER 2x + 1 does not work: 0 and 13 both map to 1. Need the map to be a bijection so it will have a unique inverse.

Condition on a, b so that x → ax + b is a bij: a rel prime to 26. Condition on a, b so that a has an inv mod 26: a rel prime to 26.

Affine Cipher Recall: Shift cipher with shift s: 1. Encrypt via x → x + s (mod 26). 2. Decrypt via x → x − s (mod 26). We replace x + s with more elaborate functions

Definition: The Affine cipher with a, b: 1. Encrypt via x → ax + b (mod 26). 2. Decrypt via x → a−1(x − b) (mod 26)

Does this work? Vote YES or NO or OTHER 2x + 1 does not work: 0 and 13 both map to 1. Need the map to be a bijection so it will have a unique inverse.

Condition on a, b so that x → ax + b is a bij: a rel prime to 26. Condition on a, b so that a has an inv mod 26: a rel prime to 26.

Affine Cipher Recall: Shift cipher with shift s: 1. Encrypt via x → x + s (mod 26). 2. Decrypt via x → x − s (mod 26). We replace x + s with more elaborate functions

Definition: The Affine cipher with a, b: 1. Encrypt via x → ax + b (mod 26). 2. Decrypt via x → a−1(x − b) (mod 26)

Does this work? Vote YES or NO or OTHER Answer: OTHER Need the map to be a bijection so it will have a unique inverse.

Condition on a, b so that x → ax + b is a bij: a rel prime to 26. Condition on a, b so that a has an inv mod 26: a rel prime to 26.

Affine Cipher Recall: Shift cipher with shift s: 1. Encrypt via x → x + s (mod 26). 2. Decrypt via x → x − s (mod 26). We replace x + s with more elaborate functions

Definition: The Affine cipher with a, b: 1. Encrypt via x → ax + b (mod 26). 2. Decrypt via x → a−1(x − b) (mod 26)

Does this work? Vote YES or NO or OTHER Answer: OTHER 2x + 1 does not work: 0 and 13 both map to 1. Condition on a, b so that x → ax + b is a bij: a rel prime to 26. Condition on a, b so that a has an inv mod 26: a rel prime to 26.

Affine Cipher Recall: Shift cipher with shift s: 1. Encrypt via x → x + s (mod 26). 2. Decrypt via x → x − s (mod 26). We replace x + s with more elaborate functions

Definition: The Affine cipher with a, b: 1. Encrypt via x → ax + b (mod 26). 2. Decrypt via x → a−1(x − b) (mod 26)

Does this work? Vote YES or NO or OTHER Answer: OTHER 2x + 1 does not work: 0 and 13 both map to 1. Need the map to be a bijection so it will have a unique inverse. Affine Cipher Recall: Shift cipher with shift s: 1. Encrypt via x → x + s (mod 26). 2. Decrypt via x → x − s (mod 26). We replace x + s with more elaborate functions

Definition: The Affine cipher with a, b: 1. Encrypt via x → ax + b (mod 26). 2. Decrypt via x → a−1(x − b) (mod 26)

Does this work? Vote YES or NO or OTHER Answer: OTHER 2x + 1 does not work: 0 and 13 both map to 1. Need the map to be a bijection so it will have a unique inverse.

Condition on a, b so that x → ax + b is a bij: a rel prime to 26. Condition on a, b so that a has an inv mod 26: a rel prime to 26. Today They are both easy to crack.

Both Need: The Is English algorithm. Reading through 312 transcripts to see which one looks like English would take A LOT of time!

Shift vs Affine

Shift: Key space is size 26

Affine: Key space is |{1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}| × 26 = 12 × 26 = 312

In an Earlier Era Affine would be harder to crack than Shift. Shift vs Affine

Shift: Key space is size 26

Affine: Key space is |{1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}| × 26 = 12 × 26 = 312

In an Earlier Era Affine would be harder to crack than Shift.

Today They are both easy to crack.

Both Need: The Is English algorithm. Reading through 312 transcripts to see which one looks like English would take A LOT of time! Does this work? Vote YES or NO Answer: NO 1. No easy test for Invertibility (depends on def of easy). 2. It turns out that every quadratic function mod 26 is an affine function.

The Quadratic Cipher

Definition: The Quadratic cipher with a, b, c: 1. Encrypt via x → ax2 + bx + c (mod 26). Answer: NO 1. No easy test for Invertibility (depends on def of easy). 2. It turns out that every quadratic function mod 26 is an affine function.

The Quadratic Cipher

Definition: The Quadratic cipher with a, b, c: 1. Encrypt via x → ax2 + bx + c (mod 26).

Does this work? Vote YES or NO 1. No easy test for Invertibility (depends on def of easy). 2. It turns out that every quadratic function mod 26 is an affine function.

The Quadratic Cipher

Definition: The Quadratic cipher with a, b, c: 1. Encrypt via x → ax2 + bx + c (mod 26).

Does this work? Vote YES or NO Answer: NO The Quadratic Cipher

Definition: The Quadratic cipher with a, b, c: 1. Encrypt via x → ax2 + bx + c (mod 26).

Does this work? Vote YES or NO Answer: NO 1. No easy test for Invertibility (depends on def of easy). 2. It turns out that every quadratic function mod 26 is an affine function. Unknown to Science but if over mod a prime then in P. Course website, Notes, has pointer to blog of mine on this. Some of the comments have theorems and pointers to the literature. The first place The Polynomial Cipher appeared was

my 3-week summer course on crypto for High School Students.

So, as the kids say, its not a thing.

The Polynomial Cipher

Definition: Poly Cipher with poly p (coefficients in {0,..., 25}. 1. Encrypt via x → p(x) (mod 26). 2. Decrypt via x → p−1(x) (mod 26).

Given a polynomial over mod 26 (or any mod) does it have an inverse? What is the complexity of this problem? Vote: P, NP-complete, unknown to science. Course website, Notes, has pointer to blog of mine on this. Some of the comments have theorems and pointers to the literature. The first place The Polynomial Cipher appeared was

my 3-week summer course on crypto for High School Students.

So, as the kids say, its not a thing.

The Polynomial Cipher

Definition: Poly Cipher with poly p (coefficients in {0,..., 25}. 1. Encrypt via x → p(x) (mod 26). 2. Decrypt via x → p−1(x) (mod 26).

Given a polynomial over mod 26 (or any mod) does it have an inverse? What is the complexity of this problem? Vote: P, NP-complete, unknown to science. Unknown to Science but if over mod a prime then in P. The first place The Polynomial Cipher appeared was

my 3-week summer course on crypto for High School Students.

So, as the kids say, its not a thing.

The Polynomial Cipher

Definition: Poly Cipher with poly p (coefficients in {0,..., 25}. 1. Encrypt via x → p(x) (mod 26). 2. Decrypt via x → p−1(x) (mod 26).

Given a polynomial over mod 26 (or any mod) does it have an inverse? What is the complexity of this problem? Vote: P, NP-complete, unknown to science. Unknown to Science but if over mod a prime then in P. Course website, Notes, has pointer to blog of mine on this. Some of the comments have theorems and pointers to the literature. my 3-week summer course on crypto for High School Students.

So, as the kids say, its not a thing.

The Polynomial Cipher

Definition: Poly Cipher with poly p (coefficients in {0,..., 25}. 1. Encrypt via x → p(x) (mod 26). 2. Decrypt via x → p−1(x) (mod 26).

Given a polynomial over mod 26 (or any mod) does it have an inverse? What is the complexity of this problem? Vote: P, NP-complete, unknown to science. Unknown to Science but if over mod a prime then in P. Course website, Notes, has pointer to blog of mine on this. Some of the comments have theorems and pointers to the literature. The first place The Polynomial Cipher appeared was The Polynomial Cipher

Definition: Poly Cipher with poly p (coefficients in {0,..., 25}. 1. Encrypt via x → p(x) (mod 26). 2. Decrypt via x → p−1(x) (mod 26).

Given a polynomial over mod 26 (or any mod) does it have an inverse? What is the complexity of this problem? Vote: P, NP-complete, unknown to science. Unknown to Science but if over mod a prime then in P. Course website, Notes, has pointer to blog of mine on this. Some of the comments have theorems and pointers to the literature. The first place The Polynomial Cipher appeared was

my 3-week summer course on crypto for High School Students.

So, as the kids say, its not a thing. Uncrackable! Eve has to go through all 26! possibilities!!

NOT EVEN CLOSE! Eve can use Freq Analysis

General Substitution Cipher

Shift and Affine were good for Alice and Bob since 1. Easy to encrypt, Easy to decrypt 2. Short Key: Roughly 5 bits for Shift, 10 bits for Affine. Definition: Gen Sub Cipher with perm f on {0,..., 25}. 1. Encrypt via x → f (x). 2. Decrypt via x → f −1(x)

1. Key is now permutation, roughly 125 bits. 2. Encrypt and Decrypt slightly harder NOT EVEN CLOSE! Eve can use Freq Analysis

General Substitution Cipher

Shift and Affine were good for Alice and Bob since 1. Easy to encrypt, Easy to decrypt 2. Short Key: Roughly 5 bits for Shift, 10 bits for Affine. Definition: Gen Sub Cipher with perm f on {0,..., 25}. 1. Encrypt via x → f (x). 2. Decrypt via x → f −1(x)

1. Key is now permutation, roughly 125 bits. 2. Encrypt and Decrypt slightly harder Uncrackable! Eve has to go through all 26! possibilities!! General Substitution Cipher

Shift and Affine were good for Alice and Bob since 1. Easy to encrypt, Easy to decrypt 2. Short Key: Roughly 5 bits for Shift, 10 bits for Affine. Definition: Gen Sub Cipher with perm f on {0,..., 25}. 1. Encrypt via x → f (x). 2. Decrypt via x → f −1(x)

1. Key is now permutation, roughly 125 bits. 2. Encrypt and Decrypt slightly harder Uncrackable! Eve has to go through all 26! possibilities!!

NOT EVEN CLOSE! Eve can use Freq Analysis Freq Analysis

Alice sends Bob a LONG text encrypted by Gen Sub Cipher. Eve finds freq of letters, pairs, triples, ....

Text in English. 1. Can use known freq: e is most common letter, th is most common pair. 2. If Alice is telling Bob about Mid East Politics than may need to adjust: q is more common (Iraq, Qatar) and some words more common. Silly Counter Example – Pangrams

Pangrams: Sentence where each letter occurs at least once. Short Panagrams ruin Freq analysis. Here are some: 1. The quick brown fox jumps over the lazy dog. 2. Pack my box with five dozen liquor jugs. 3. Amazingly few discotheques provide jukeboxes. 4. Watch Jeopardy! Alex Trebek’s fun TV quiz game. Silly Counter Example – Lipograms

Lipograms: A work that omits one letter 1. Gadsby is a 50,000-word novel with no e. 2. Eunoia is a 5-chapter novel, indexed by vowels. Chapter A only use the vowel A, etc. 3. How I met your mother, Season 9, Episode 9: Lily and Robin challenge Barney to get a girl’s phone number without using the letter e. We are not going to deal with this sillyness! We assume long normal texts! Alternatives to Gen Sub (History)

In the Year 2018 Alice can easily generate a random permutation of {a,..., z} and send it to Bob.

In the Year 1018 Alice needs a way to encode a random-looking permutation of {a,..., z} and transmit it to Bob. So need SHORT description of random-looking perm. 1. Two ways to do this will be on the HW. 2. Foreshadowing the need for a short description of a random-looking string of bits which we will be central later in this course. The Vigen´ereCipher The Vigen`erecipher

Key: A word or phrase. Example: dog = (3,14,6). Easy to remember and transmit. Example using dog. Shift 1st letter by 3 Shift 2nd letter by 14 Shift 3nd letter by 6 Shift 4th letter by 3 Shift 5th letter by 14 Shift 6th letter by 6, etc.

Jacob Prinz is a Physics Major Jacob Prinz isaPh ysics Major encrypts to MOIRP VUWTC WYDDN BGOFG SDXUU The Vigen`erecipher

Key: k = (k1, k2,..., kn). Encrypt (all arithmetic is mod 26)

Enc(m1, m2,..., mN ) =

m1 + k1, m2 + k2,..., mn + kn,

mn+1 + k1, mn+2 + k2,..., mn+n + kn,

··· Decrypt Decryption just reverse the process The Vigen`erecipher

I Size of key space?

14 66 I If keys are 14-char then key space size 26 ≈ 2 I If variable length keys, even more. I Brute-force search infeasible

I Is the Vigen`erecipher secure?

I Believed secure for many years. . .

I Might not have even been secure then. . . Cracking Vig cipher: Step One-find Keylength

Assume T is a text encoded by Vig, key length L unknown. For 0 ≤ i ≤ L − 1, letters in pos ≡ i (mod 26) – same shift. Look for a sequence of (say) 3-letters to appear (say) 4 times. Example: aiq appears in the 57-58-59th slot, 87-88-89th slot 102-103-104th slot 162-163-164th slot Important: Very likely that aiq encrypted the same 3-letter sequence and hence the length of the key is a divisor of 87-57=30 102-87=15 162-102=60 The only possible L’s are 1,3,5,15. Good Enough: We got the key length down to a small finite set. Assume (and its roughly true): In an English text of length N, if i  N, then if you take every ith letter of T : e occurs ∼ 13% t occurs ∼ 9% a occurs ∼ 8% Etc- other letters same frequencies as normal texts. Relevant to us: P26 2 ~q freq of every Lth letter: then i=1 qi ≈ 0.065. P26 2 ~q is NOT (we won’t define that rigorously): i=1 qi MUCH lower.

Important Point about letter Freq

Assume (and its roughly true): In an English text of length N: e occurs ∼ 13% t occurs ∼ 9% a occurs ∼ 8% Etc- other letters have frequencies that are true for all texts. Relevant to us: P26 2 ~q freq of every Lth letter: then i=1 qi ≈ 0.065. P26 2 ~q is NOT (we won’t define that rigorously): i=1 qi MUCH lower.

Important Point about letter Freq

Assume (and its roughly true): In an English text of length N: e occurs ∼ 13% t occurs ∼ 9% a occurs ∼ 8% Etc- other letters have frequencies that are true for all texts. Assume (and its roughly true): In an English text of length N, if i  N, then if you take every ith letter of T : e occurs ∼ 13% t occurs ∼ 9% a occurs ∼ 8% Etc- other letters same frequencies as normal texts. Important Point about letter Freq

Assume (and its roughly true): In an English text of length N: e occurs ∼ 13% t occurs ∼ 9% a occurs ∼ 8% Etc- other letters have frequencies that are true for all texts. Assume (and its roughly true): In an English text of length N, if i  N, then if you take every ith letter of T : e occurs ∼ 13% t occurs ∼ 9% a occurs ∼ 8% Etc- other letters same frequencies as normal texts. Relevant to us: P26 2 ~q freq of every Lth letter: then i=1 qi ≈ 0.065. P26 2 ~q is NOT (we won’t define that rigorously): i=1 qi MUCH lower. Cracking Vig cipher: Step One-find Keylength Let K be the set of possible key lengths. K is small. For every L ∈ K: I Form a stream of every Lth character. I Find the frequencies of that stream: ~q. P 2 I Compute Q = qi I If Q ≈ 0.065 then YES L is key length. I If Q much less than 0.065 then NO L is not key length. I One of these two will happen I Just to make sure, check another stream. Note: Differs from Is English: Is English wanted to know if the text was actually English What we do above is see if the text has same dist of English, but okay if diff letters. E.g., if z is 13%, a is 9%, and other letters have roughly same numbers as English then we know the stream is SOME Shift. We later use Is English to see which shift. A Note on Finding Keylength

We presented one method: 1. Find phrase of length x appearing y times. Differences D. 2. K is set of divisors of all L ∈ D. Correct keylength in K. 3. Test L ∈ K for key length until find one that works. Alternative just try all key lengths up to a certain length: 1. Let K = {1,..., 100} (I am assuming key length ≤ 100). 2. Test L ∈ K for key length until find one that works. Note: With modern computers use Method 2. In days of old eyeballing it made method 1 reasonable. Cracking the Vig cipher: Step Two-Freq Anal

After Step One we have the key length L. Note:

th I Every L character is “encrypted” using the same shift.

I Important: Letter Freq still hold if you look at every L 14th letter! Step Two: 1. Separate text T into L streams depending on position mod L 2. For each steam try every shift and use Is English to determine which shift is correct. 3. You now know all shifts for all positions. Decrypt! Using plaintext letter frequencies Byte-wise Vigen`erecipher

I The key is a string of bytes

I The plaintext is a string of bytes

I To encrypt, XOR each character in the plaintext with the next character of the key

I Wrap around in the key as needed

I Decryption just reverses the process. Note: Decryption and Encryption both use XOR with same key. Note: Can be cracked as original Vig can be cracked. -12? the number that when you add to 12 you get 0. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: 100 − 12 = 88 works: (100 − 12) + 12 = 100 ≡ 0. More general: −a (mod n) is n − a.

1 1 3 ? 3 the number that when you mult by 3 you get 1. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: Later. Now want 3x ∈ {101, 201, 301,...}. Note 3 div 201 3x = 201, so x = 67. 1 Note: −12, 3 are intermediaries. Want result in {0,..., n − 1}.

REVIEW: Negatives and Inverses Mod n

Say we are in mod 100. Our universe is {0,..., 99}. YES: 100 − 12 = 88 works: (100 − 12) + 12 = 100 ≡ 0. More general: −a (mod n) is n − a.

1 1 3 ? 3 the number that when you mult by 3 you get 1. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: Later. Now want 3x ∈ {101, 201, 301,...}. Note 3 div 201 3x = 201, so x = 67. 1 Note: −12, 3 are intermediaries. Want result in {0,..., n − 1}.

REVIEW: Negatives and Inverses Mod n

Say we are in mod 100. Our universe is {0,..., 99}. -12? the number that when you add to 12 you get 0. Try all x ∈ {0,..., 99} and hope one works? Better way? More general: −a (mod n) is n − a.

1 1 3 ? 3 the number that when you mult by 3 you get 1. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: Later. Now want 3x ∈ {101, 201, 301,...}. Note 3 div 201 3x = 201, so x = 67. 1 Note: −12, 3 are intermediaries. Want result in {0,..., n − 1}.

REVIEW: Negatives and Inverses Mod n

Say we are in mod 100. Our universe is {0,..., 99}. -12? the number that when you add to 12 you get 0. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: 100 − 12 = 88 works: (100 − 12) + 12 = 100 ≡ 0. 1 1 3 ? 3 the number that when you mult by 3 you get 1. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: Later. Now want 3x ∈ {101, 201, 301,...}. Note 3 div 201 3x = 201, so x = 67. 1 Note: −12, 3 are intermediaries. Want result in {0,..., n − 1}.

REVIEW: Negatives and Inverses Mod n

Say we are in mod 100. Our universe is {0,..., 99}. -12? the number that when you add to 12 you get 0. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: 100 − 12 = 88 works: (100 − 12) + 12 = 100 ≡ 0. More general: −a (mod n) is n − a. YES: Later. Now want 3x ∈ {101, 201, 301,...}. Note 3 div 201 3x = 201, so x = 67. 1 Note: −12, 3 are intermediaries. Want result in {0,..., n − 1}.

REVIEW: Negatives and Inverses Mod n

Say we are in mod 100. Our universe is {0,..., 99}. -12? the number that when you add to 12 you get 0. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: 100 − 12 = 88 works: (100 − 12) + 12 = 100 ≡ 0. More general: −a (mod n) is n − a.

1 1 3 ? 3 the number that when you mult by 3 you get 1. Try all x ∈ {0,..., 99} and hope one works? Better way? 1 Note: −12, 3 are intermediaries. Want result in {0,..., n − 1}.

REVIEW: Negatives and Inverses Mod n

Say we are in mod 100. Our universe is {0,..., 99}. -12? the number that when you add to 12 you get 0. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: 100 − 12 = 88 works: (100 − 12) + 12 = 100 ≡ 0. More general: −a (mod n) is n − a.

1 1 3 ? 3 the number that when you mult by 3 you get 1. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: Later. Now want 3x ∈ {101, 201, 301,...}. Note 3 div 201 3x = 201, so x = 67. REVIEW: Negatives and Inverses Mod n

Say we are in mod 100. Our universe is {0,..., 99}. -12? the number that when you add to 12 you get 0. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: 100 − 12 = 88 works: (100 − 12) + 12 = 100 ≡ 0. More general: −a (mod n) is n − a.

1 1 3 ? 3 the number that when you mult by 3 you get 1. Try all x ∈ {0,..., 99} and hope one works? Better way? YES: Later. Now want 3x ∈ {101, 201, 301,...}. Note 3 div 201 3x = 201, so x = 67. 1 Note: −12, 3 are intermediaries. Want result in {0,..., n − 1}. Gen 2-letter Sub and Matrix Codes Shift, Affine, Vig, Gen Sub, Easy to Crack

Shift, Affine, Vig all 1-letter substitutions. Freq cracked them. Idea: Lets substitute two letters at a time. An Idea Which History Passed By: Definition: Gen Sub 2-Cipher with perm f on {0,..., 25}2. 1. Encrypt via xy → f (xy). 2. Decrypt via xy → f −1(xy) Why never used? 1. It was used but they kept it hidden and still not known! 2. The key length is roughly 262 × 9 = 6084 bits. 3. Old days: hard to use. Now: easy to crack. Need bijection of {0,..., 25} × {0,..., 25} that is easy to use. HEY- WAIT A MINUTE! Easy to see if M−1 exists? Easy to find M−1? Is Bill punking you ... again? No he is not.

 a b  M = c d Then 1 M−1 = M ad − bc Do you recognize the expression ad − bc? Determinant!

The Matrix Cipher Definition: Matrix Cipher. Pick M a 2 × 2 matrix. 1. Encrypt via xy → M(xy). 2. Decrypt via xy → M−1(xy) Encode: Break T into blocks of 2, apply M to each pair. Decode: Do the same only with M−1. Easy to see if M−1 exists? Easy to find M−1? Is Bill punking you ... again? No he is not.

 a b  M = c d Then 1 M−1 = M ad − bc Do you recognize the expression ad − bc? Determinant!

The Matrix Cipher Definition: Matrix Cipher. Pick M a 2 × 2 matrix. 1. Encrypt via xy → M(xy). 2. Decrypt via xy → M−1(xy) Encode: Break T into blocks of 2, apply M to each pair. Decode: Do the same only with M−1. HEY- WAIT A MINUTE! Is Bill punking you ... again? No he is not.

 a b  M = c d Then 1 M−1 = M ad − bc Do you recognize the expression ad − bc? Determinant!

The Matrix Cipher Definition: Matrix Cipher. Pick M a 2 × 2 matrix. 1. Encrypt via xy → M(xy). 2. Decrypt via xy → M−1(xy) Encode: Break T into blocks of 2, apply M to each pair. Decode: Do the same only with M−1. HEY- WAIT A MINUTE! Easy to see if M−1 exists? Easy to find M−1? No he is not.

 a b  M = c d Then 1 M−1 = M ad − bc Do you recognize the expression ad − bc? Determinant!

The Matrix Cipher Definition: Matrix Cipher. Pick M a 2 × 2 matrix. 1. Encrypt via xy → M(xy). 2. Decrypt via xy → M−1(xy) Encode: Break T into blocks of 2, apply M to each pair. Decode: Do the same only with M−1. HEY- WAIT A MINUTE! Easy to see if M−1 exists? Easy to find M−1? Is Bill punking you ... again? Determinant!

The Matrix Cipher Definition: Matrix Cipher. Pick M a 2 × 2 matrix. 1. Encrypt via xy → M(xy). 2. Decrypt via xy → M−1(xy) Encode: Break T into blocks of 2, apply M to each pair. Decode: Do the same only with M−1. HEY- WAIT A MINUTE! Easy to see if M−1 exists? Easy to find M−1? Is Bill punking you ... again? No he is not.

 a b  M = c d Then 1 M−1 = M ad − bc Do you recognize the expression ad − bc? The Matrix Cipher Definition: Matrix Cipher. Pick M a 2 × 2 matrix. 1. Encrypt via xy → M(xy). 2. Decrypt via xy → M−1(xy) Encode: Break T into blocks of 2, apply M to each pair. Decode: Do the same only with M−1. HEY- WAIT A MINUTE! Easy to see if M−1 exists? Easy to find M−1? Is Bill punking you ... again? No he is not.

 a b  M = c d Then 1 M−1 = M ad − bc Do you recognize the expression ad − bc? Determinant! Inverse Matrix in C and in Mods

 a b  M = c d

1. Matrix M over C has an inverse iff ad − bd 6= 0. 2. Matrix M over Mod n has an inverse iff ad − bc is rel prime to n iff ad − bc has an inverse in Mod n. 3. Matrix M over Mod 26 has an inverse iff ad − bc is rel prime to 26 iff ad − bc has no factors of 2 or 13 iff has an inverse in Mod 26. The Matrix Cipher

 a b  M = c d Good News: 1. Can test if M−1 exists, and is so find it, easily. 2. M small, so Key small. 3. Applying M or M−1 to a vector is easy computationally. Bad News: 1. Eve CAN crack using frequencies of pairs of letters. 2. Eve CAN crack – Key space has < 264 = 456976. Small. So what to do? 1. Can determine if M has inv and if so find it easily. 2. M still small, so Key small. 3. Applying M or M−1 to a vector is easy computationally. 4. Eve can crack using freqs of 30-long sets of letters? Hard? 5. Eve cannot use brute force – Key Space is ∼ 26900.

The Matrix Cipher

Definition: Matrix Cipher. Pick n and M an n × n matrix with det rel prime to 26. 1. Encrypt via xy → M(xy). 2. Decrypt via xy → M−1(xy) We’ll take n = 30. The Matrix Cipher

Definition: Matrix Cipher. Pick n and M an n × n matrix with det rel prime to 26. 1. Encrypt via xy → M(xy). 2. Decrypt via xy → M−1(xy) We’ll take n = 30. 1. Can determine if M has inv and if so find it easily. 2. M still small, so Key small. 3. Applying M or M−1 to a vector is easy computationally. 4. Eve can crack using freqs of 30-long sets of letters? Hard? 5. Eve cannot use brute force – Key Space is ∼ 26900. 1. If Eve just has ciphertext then brute force needs of 26n2 possibilities. Can get that down to 26n. 2. 26n is still large. Can Eve do better? Seems to be Unknown to Science! So why is it not used? Discuss! 3. In reality Eve has prior messages and what they coded to, so from that she can easily crack it. (Next Slide.) That is why not used.

Is Matrix Cipher Uncrackable?

VOTE: Yes, No, Unknown to Science, Other. 2. 26n is still large. Can Eve do better? Seems to be Unknown to Science! So why is it not used? Discuss! 3. In reality Eve has prior messages and what they coded to, so from that she can easily crack it. (Next Slide.) That is why not used.

Is Matrix Cipher Uncrackable?

VOTE: Yes, No, Unknown to Science, Other. 1. If Eve just has ciphertext then brute force needs of 26n2 possibilities. Can get that down to 26n. Seems to be Unknown to Science! So why is it not used? Discuss! 3. In reality Eve has prior messages and what they coded to, so from that she can easily crack it. (Next Slide.) That is why not used.

Is Matrix Cipher Uncrackable?

VOTE: Yes, No, Unknown to Science, Other. 1. If Eve just has ciphertext then brute force needs of 26n2 possibilities. Can get that down to 26n. 2. 26n is still large. Can Eve do better? So why is it not used? Discuss! 3. In reality Eve has prior messages and what they coded to, so from that she can easily crack it. (Next Slide.) That is why not used.

Is Matrix Cipher Uncrackable?

VOTE: Yes, No, Unknown to Science, Other. 1. If Eve just has ciphertext then brute force needs of 26n2 possibilities. Can get that down to 26n. 2. 26n is still large. Can Eve do better? Seems to be Unknown to Science! 3. In reality Eve has prior messages and what they coded to, so from that she can easily crack it. (Next Slide.) That is why not used.

Is Matrix Cipher Uncrackable?

VOTE: Yes, No, Unknown to Science, Other. 1. If Eve just has ciphertext then brute force needs of 26n2 possibilities. Can get that down to 26n. 2. 26n is still large. Can Eve do better? Seems to be Unknown to Science! So why is it not used? Discuss! Is Matrix Cipher Uncrackable?

VOTE: Yes, No, Unknown to Science, Other. 1. If Eve just has ciphertext then brute force needs of 26n2 possibilities. Can get that down to 26n. 2. 26n is still large. Can Eve do better? Seems to be Unknown to Science! So why is it not used? Discuss! 3. In reality Eve has prior messages and what they coded to, so from that she can easily crack it. (Next Slide.) That is why not used. If Eve learns one more 2-letter message decoding then she will have Four linear equations, Four variables which she can solve! Yeah? Boo? Depends whose side you are on.

Cracking Matrix Cipher

Example using 2 × 2 Matrix Cipher. Eve learns that (19,8) encrypts to (3, 9). Hence:

a b 19 3 = c d 8 9 So

19a + 8b = 3 19c + 8d = 9 Two linear equations, Four variables Cracking Matrix Cipher

Example using 2 × 2 Matrix Cipher. Eve learns that (19,8) encrypts to (3, 9). Hence:

a b 19 3 = c d 8 9 So

19a + 8b = 3 19c + 8d = 9 Two linear equations, Four variables If Eve learns one more 2-letter message decoding then she will have Four linear equations, Four variables which she can solve! Yeah? Boo? Depends whose side you are on. Something Wrong With All Cipher So Far What About Short Messages?: discuss Recall: For Shift Eve can tell if two messages same or not. Not Just Shift: For C Eve can tell if two messages same or not.

Danger! Eve knows the message will say where spy is. Will be of the form city,state (without punctuation). Alice sends to Bob adecn aapad ecnaa pxuaq. Eve notices adecnaap adecnaap xuaq. Even knows that the city and state are the same!

Even Short Messages Insecure

Let C be any of Shift, Affine, Vigenere, Matrix. Recall: C is crackable if text is long enough. Recall: For Shift Eve can tell if two messages same or not. Not Just Shift: For C Eve can tell if two messages same or not.

Danger! Eve knows the message will say where spy is. Will be of the form city,state (without punctuation). Alice sends to Bob adecn aapad ecnaa pxuaq. Eve notices adecnaap adecnaap xuaq. Even knows that the city and state are the same!

Even Short Messages Insecure

Let C be any of Shift, Affine, Vigenere, Matrix. Recall: C is crackable if text is long enough. What About Short Messages?: discuss Not Just Shift: For C Eve can tell if two messages same or not.

Danger! Eve knows the message will say where spy is. Will be of the form city,state (without punctuation). Alice sends to Bob adecn aapad ecnaa pxuaq. Eve notices adecnaap adecnaap xuaq. Even knows that the city and state are the same!

Even Short Messages Insecure

Let C be any of Shift, Affine, Vigenere, Matrix. Recall: C is crackable if text is long enough. What About Short Messages?: discuss Recall: For Shift Eve can tell if two messages same or not. Danger! Eve knows the message will say where spy is. Will be of the form city,state (without punctuation). Alice sends to Bob adecn aapad ecnaa pxuaq. Eve notices adecnaap adecnaap xuaq. Even knows that the city and state are the same!

Even Short Messages Insecure

Let C be any of Shift, Affine, Vigenere, Matrix. Recall: C is crackable if text is long enough. What About Short Messages?: discuss Recall: For Shift Eve can tell if two messages same or not. Not Just Shift: For C Eve can tell if two messages same or not. Alice sends to Bob adecn aapad ecnaa pxuaq. Eve notices adecnaap adecnaap xuaq. Even knows that the city and state are the same!

Even Short Messages Insecure

Let C be any of Shift, Affine, Vigenere, Matrix. Recall: C is crackable if text is long enough. What About Short Messages?: discuss Recall: For Shift Eve can tell if two messages same or not. Not Just Shift: For C Eve can tell if two messages same or not.

Danger! Eve knows the message will say where spy is. Will be of the form city,state (without punctuation). Eve notices adecnaap adecnaap xuaq. Even knows that the city and state are the same!

Even Short Messages Insecure

Let C be any of Shift, Affine, Vigenere, Matrix. Recall: C is crackable if text is long enough. What About Short Messages?: discuss Recall: For Shift Eve can tell if two messages same or not. Not Just Shift: For C Eve can tell if two messages same or not.

Danger! Eve knows the message will say where spy is. Will be of the form city,state (without punctuation). Alice sends to Bob adecn aapad ecnaa pxuaq. Even knows that the city and state are the same!

Even Short Messages Insecure

Let C be any of Shift, Affine, Vigenere, Matrix. Recall: C is crackable if text is long enough. What About Short Messages?: discuss Recall: For Shift Eve can tell if two messages same or not. Not Just Shift: For C Eve can tell if two messages same or not.

Danger! Eve knows the message will say where spy is. Will be of the form city,state (without punctuation). Alice sends to Bob adecn aapad ecnaa pxuaq. Eve notices adecnaap adecnaap xuaq. Even Short Messages Insecure

Let C be any of Shift, Affine, Vigenere, Matrix. Recall: C is crackable if text is long enough. What About Short Messages?: discuss Recall: For Shift Eve can tell if two messages same or not. Not Just Shift: For C Eve can tell if two messages same or not.

Danger! Eve knows the message will say where spy is. Will be of the form city,state (without punctuation). Alice sends to Bob adecn aapad ecnaa pxuaq. Eve notices adecnaap adecnaap xuaq. Even knows that the city and state are the same! Alabama*, Arizona*, Arkansas, California, Colorado*, Delaware, Florida, New Georgia*, Idaho, Illinois*, Indianapolis, Iowa, Jersey, Kansas, Maryland*, Minneapolis, Minnesota, Mississippi*, Missouri, Montana, Nebraska, Nevada*, New York, Ohio, Oklahoma, Oregon, Tennessee*, Texas, Utah*, Virginia*, Virginia Beach, Wisconsin Dells, Wisconsin Rapids.

There are 33 such cities, 22 of which still exist. Eve’s search for the spy is reduced!

What Does Eve Know?

Cities with states name. * means no longer a city. There are 33 such cities, 22 of which still exist. Eve’s search for the spy is reduced!

What Does Eve Know?

Cities with states name. * means no longer a city.

Alabama*, Arizona*, Arkansas, California, Colorado*, Delaware, Florida, New Georgia*, Idaho, Illinois*, Indianapolis, Iowa, Jersey, Kansas, Maryland*, Minneapolis, Minnesota, Mississippi*, Missouri, Montana, Nebraska, Nevada*, New York, Ohio, Oklahoma, Oregon, Tennessee*, Texas, Utah*, Virginia*, Virginia Beach, Wisconsin Dells, Wisconsin Rapids. What Does Eve Know?

Cities with states name. * means no longer a city.

Alabama*, Arizona*, Arkansas, California, Colorado*, Delaware, Florida, New Georgia*, Idaho, Illinois*, Indianapolis, Iowa, Jersey, Kansas, Maryland*, Minneapolis, Minnesota, Mississippi*, Missouri, Montana, Nebraska, Nevada*, New York, Ohio, Oklahoma, Oregon, Tennessee*, Texas, Utah*, Virginia*, Virginia Beach, Wisconsin Dells, Wisconsin Rapids.

There are 33 such cities, 22 of which still exist. Eve’s search for the spy is reduced! Need that even if x = y could have C(x) 6= C(y). Discuss: How can we do that? Use a very long key and keep using different parts of it. This is the idea behind 1-time pad which we study soon. Discuss: Can we do this without a long key?

How to Fix This?

Problem: If C is any of the ciphers discussed then Eve can tell when two messages are the same. Discuss: Is there a cipher for which Eve cannot tell this? Use a very long key and keep using different parts of it. This is the idea behind 1-time pad which we study soon. Discuss: Can we do this without a long key?

How to Fix This?

Problem: If C is any of the ciphers discussed then Eve can tell when two messages are the same. Discuss: Is there a cipher for which Eve cannot tell this? Need that even if x = y could have C(x) 6= C(y). Discuss: How can we do that? Discuss: Can we do this without a long key?

How to Fix This?

Problem: If C is any of the ciphers discussed then Eve can tell when two messages are the same. Discuss: Is there a cipher for which Eve cannot tell this? Need that even if x = y could have C(x) 6= C(y). Discuss: How can we do that? Use a very long key and keep using different parts of it. This is the idea behind 1-time pad which we study soon. How to Fix This?

Problem: If C is any of the ciphers discussed then Eve can tell when two messages are the same. Discuss: Is there a cipher for which Eve cannot tell this? Need that even if x = y could have C(x) 6= C(y). Discuss: How can we do that? Use a very long key and keep using different parts of it. This is the idea behind 1-time pad which we study soon. Discuss: Can we do this without a long key? Recall Deterministic Shift: Key is s ∈ S.

1. To send message (m1,..., mL) send (m1 + s,..., mL + s)

2. To decode message (c1,..., cL) find (c1 − s,..., cL − s) Randomized shift: Key is a function f : S → S.

1. To send message (m1,..., mL) (each mi is a character) 1.1 Pick random r1,..., rL ∈ S. For 1 ≤ i ≤ L compute si = f (ri ). 1.2 Send ((r1; m1 + s1),..., (rL; mL + sL)) 2. To decode message ((r1; c1),..., (rL; cL)) 2.1 For 1 ≤ i ≤ L si = f (ri ). 2.2 Find (c1 − s1,..., cL − sL)

How to Fix This Without a Long Key

Obstacle: All of our ciphers are deterministic. Need Rand. Randomized shift: Key is a function f : S → S.

1. To send message (m1,..., mL) (each mi is a character) 1.1 Pick random r1,..., rL ∈ S. For 1 ≤ i ≤ L compute si = f (ri ). 1.2 Send ((r1; m1 + s1),..., (rL; mL + sL)) 2. To decode message ((r1; c1),..., (rL; cL)) 2.1 For 1 ≤ i ≤ L si = f (ri ). 2.2 Find (c1 − s1,..., cL − sL)

How to Fix This Without a Long Key

Obstacle: All of our ciphers are deterministic. Need Rand. Recall Deterministic Shift: Key is s ∈ S.

1. To send message (m1,..., mL) send (m1 + s,..., mL + s)

2. To decode message (c1,..., cL) find (c1 − s,..., cL − s) How to Fix This Without a Long Key

Obstacle: All of our ciphers are deterministic. Need Rand. Recall Deterministic Shift: Key is s ∈ S.

1. To send message (m1,..., mL) send (m1 + s,..., mL + s)

2. To decode message (c1,..., cL) find (c1 − s,..., cL − s) Randomized shift: Key is a function f : S → S.

1. To send message (m1,..., mL) (each mi is a character) 1.1 Pick random r1,..., rL ∈ S. For 1 ≤ i ≤ L compute si = f (ri ). 1.2 Send ((r1; m1 + s1),..., (rL; mL + sL)) 2. To decode message ((r1; c1),..., (rL; cL)) 2.1 For 1 ≤ i ≤ L si = f (ri ). 2.2 Find (c1 − s1,..., cL − sL) Example

The key is f (r) = 2r + 7. Alice wants to send NY,NY which we interpret as nyny. Need four shifts.

Pick random r = 4, so first shift is 2 ∗ 4 + 7 = 15 Pick random r = 10, so second shift is 2 ∗ 10 + 7 = 1 Pick random r = 1, so third shift is 2 ∗ 1 + 7 = 9 Pick random r = 17, so fourth shift is 2 ∗ 17 + 7 = 15

Send (4;C), (10,Z), (1,W), (17,N)

Eve will not be able to tell that is of the form XYXY. PRO: If Alice sends NY,NY Eve can’t tell its XYXY. PRO: More generally, Eve cannot tell if two messages are the same. CON: More effort on Alice and Bob’s part. Question: Is Randomized Shift crackable? Discuss.

PROS and CONS of Randomized Shift

Discuss PRO: More generally, Eve cannot tell if two messages are the same. CON: More effort on Alice and Bob’s part. Question: Is Randomized Shift crackable? Discuss.

PROS and CONS of Randomized Shift

Discuss PRO: If Alice sends NY,NY Eve can’t tell its XYXY. CON: More effort on Alice and Bob’s part. Question: Is Randomized Shift crackable? Discuss.

PROS and CONS of Randomized Shift

Discuss PRO: If Alice sends NY,NY Eve can’t tell its XYXY. PRO: More generally, Eve cannot tell if two messages are the same. Question: Is Randomized Shift crackable? Discuss.

PROS and CONS of Randomized Shift

Discuss PRO: If Alice sends NY,NY Eve can’t tell its XYXY. PRO: More generally, Eve cannot tell if two messages are the same. CON: More effort on Alice and Bob’s part. PROS and CONS of Randomized Shift

Discuss PRO: If Alice sends NY,NY Eve can’t tell its XYXY. PRO: More generally, Eve cannot tell if two messages are the same. CON: More effort on Alice and Bob’s part. Question: Is Randomized Shift crackable? Discuss. Cracking Randomized Shift

With a long text Rand Shift is crackable. If N is long and Eve sees

(r1; σ1)(r2; σ2) ··· (rN ; σN ) Then many r will appear many times. Say r appears 10,000 times. then Eve knows the shift of lots of letters.

1. From our study of Vig we know that every Lth letter has same freq dist as English. 2. It turns out that if you take RANDOM letters, also get same freq dist as English Hence can find f (r). If do this for many r, have f . Cracking Randomized Shift

Question: Pick numbers from {1,..., n} rand. Want m so if pick m, prob of getting two same is ≥ p. If pick m then 1) number of ways is nm 2) number of ways they are all diff is ∼ n(n − 1) ··· (n − m) Prob of all diff is

n(n − 1) ··· (n − m) n − 1 n − 2 n − m = × ··· nm n n n

 1 2  m = 1 − 1 − ··· 1 − ∼ e−1/n−2/n−···−m/n n n n

2 − 1 (1+2+···+m) − m(m+1) − m = e n ∼ e 2n ∼ e 2n Cracking Randomized Shift

Question: Pick numbers from {1,..., n} rand. Want m so if pick m, prob of getting two same is ≥ p. 2 − m √ m must satisfy e 2n ≤ 1 − p. Try m = an

2 − m −a e n = e < 1 − p Need a > − ln(1 − p). Example: if p = .99 then need a ≥ 5 suffices. √ Note: Need only wait ∼ n for a repeat. This is important for Randomized Shift. Will also use later in course √ Upshot: After an numbers prob have a repeat. a is small. Cracking Randomized Shift

Question: Pick numbers from {1,..., n} rand. Want m so if pick m, prob of getting four same is ≥ p. √ If take an get two that are the same with high prob. √ √ Take an blocks of size an. View the number that repeats as if picked in prior problem. So whp get two blocks with same two numbers, so get four same. Upshot: After an numbers prob have a repeat. a is small. Cracking Randomized Shift

With n1/2 picks get TWO same With n1 picks get FOUR same With n2 picks get EIGHT same With n4 picks get SIXTEEN same Upshot: If text long enough will see many of the same r and can do Freq analysis on that shift. Note: The poly’s given here are larger than what you need. Origin of Randomized Shift

I made it up for this course to make a point about sending the same message twice.

The point I am making is very important! Eve should NOT be able to tell that two messages are the same. This is a real issue in crypto that I expressed in a fake way. The One-Time Pad One-time pad

I Patented in 1917 by Vernam

I Recent historical research indicates it was invented (at least) 35 years earlier One-time pad

n I Let M = {0, 1}

n I Gen: choose a uniform key k ∈ {0, 1}

I Enck (m) = k ⊕ m

I Deck (c) = k ⊕ c

I Correctness:

Deck (Enck (m)) = k ⊕ (k ⊕ m) = (k ⊕ k) ⊕ m = m Is the one-time pad uncrackable: VOTE: Yes, No, or Other. Yes. Really! Caveat: Generating truly random bits is hard.

Example Of One-time pad

Key is 100010100010001111101111100 Alice wants to send Bob 1110. She sends 1110 ⊕ 1000 = 0110 Then Bob wants to send Alice 00111. He sends 0011 ⊕ 10100 = 10011. 1. If Key is N bits long can only send N bits. 2. ⊕ is FAST! Yes. Really! Caveat: Generating truly random bits is hard.

Example Of One-time pad

Key is 100010100010001111101111100 Alice wants to send Bob 1110. She sends 1110 ⊕ 1000 = 0110 Then Bob wants to send Alice 00111. He sends 0011 ⊕ 10100 = 10011. 1. If Key is N bits long can only send N bits. 2. ⊕ is FAST! Is the one-time pad uncrackable: VOTE: Yes, No, or Other. Caveat: Generating truly random bits is hard.

Example Of One-time pad

Key is 100010100010001111101111100 Alice wants to send Bob 1110. She sends 1110 ⊕ 1000 = 0110 Then Bob wants to send Alice 00111. He sends 0011 ⊕ 10100 = 10011. 1. If Key is N bits long can only send N bits. 2. ⊕ is FAST! Is the one-time pad uncrackable: VOTE: Yes, No, or Other. Yes. Really! Example Of One-time pad

Key is 100010100010001111101111100 Alice wants to send Bob 1110. She sends 1110 ⊕ 1000 = 0110 Then Bob wants to send Alice 00111. He sends 0011 ⊕ 10100 = 10011. 1. If Key is N bits long can only send N bits. 2. ⊕ is FAST! Is the one-time pad uncrackable: VOTE: Yes, No, or Other. Yes. Really! Caveat: Generating truly random bits is hard. One-time pad Something ELSE Wrong With All Cipher So Far English: So Message is probably garbage. Can tell its not English. Numbers: Could be Alice? Gee! More Serious Ciphers: Many ciphers can be manipulated by clever Eve. Goal for now: Make Shift Cipher not forgeable. Discuss

Eve Can Pretend to be Alice or Bob

Scenario: Bob gets a message. How does he know its from Eve? Discuss Numbers: Could be Alice? Gee! More Serious Ciphers: Many ciphers can be manipulated by clever Eve. Goal for now: Make Shift Cipher not forgeable. Discuss

Eve Can Pretend to be Alice or Bob

Scenario: Bob gets a message. How does he know its from Eve? Discuss English: So Message is probably garbage. Can tell its not English. More Serious Ciphers: Many ciphers can be manipulated by clever Eve. Goal for now: Make Shift Cipher not forgeable. Discuss

Eve Can Pretend to be Alice or Bob

Scenario: Bob gets a message. How does he know its from Eve? Discuss English: So Message is probably garbage. Can tell its not English. Numbers: Could be Alice? Gee! Goal for now: Make Shift Cipher not forgeable. Discuss

Eve Can Pretend to be Alice or Bob

Scenario: Bob gets a message. How does he know its from Eve? Discuss English: So Message is probably garbage. Can tell its not English. Numbers: Could be Alice? Gee! More Serious Ciphers: Many ciphers can be manipulated by clever Eve. Eve Can Pretend to be Alice or Bob

Scenario: Bob gets a message. How does he know its from Eve? Discuss English: So Message is probably garbage. Can tell its not English. Numbers: Could be Alice? Gee! More Serious Ciphers: Many ciphers can be manipulated by clever Eve. Goal for now: Make Shift Cipher not forgeable. Discuss Has No Name (HNN) Shift

HNN shift: Key is a shift s and a function g : S → S.

1. To send message (m1,..., mL) (each mi is a char) send

(m1 + s, g(m1)),..., (mL + s, g(mL)).

2. To decode message ((c1, d1),..., (cL, dL)) just

(c1 − s,..., cL − s).

3. To authenticate Once Bob has m1,..., mL he computes g(m1),..., g(mL) and checks that, for all i, g(mi ) = di .