An Analysis and Application of One-Time Pad in a Group


Eindhoven University of Technology

MASTER

An analysis and application of one-time pad in a group

Zijlstra, A.T.

Award date: 2017

Disclaimer

This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration.

General rights

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

  • Users may download and print one copy of any publication from the public portal for the purpose of private study or research.
  • You may not further distribute the material or use it for any profit-making activity or commercial gain

Department of Mathematics and Computer Science
Departamento de Ciência da Computação

Master’s thesis

An analysis and application of One-time Pad in a group

by Arjen Teijo Zijlstra

Supervisor: dr.ir. L.A.M. (Berry) Schoenmakers
External supervisor: prof.dr. J.A.M. (Jeroen) van de Graaf

December 23, 2016

Abstract

One-time Pad (otp) is a cryptosystem that encrypts a plaintext by taking the exclusive or with a key that is the same length as the plaintext, truly random and only used once. Although there are challenges to overcome when using otp, the trend of storage getting cheaper and upcoming Quantum Key Distribution methods make it an interesting system. In this work we extend the analysis on parameters for the Group One-time Pad (gotp) cryptosystem presented in [Gra16].
The gotp cryptosystem applies otp in a group by selecting a certain number of parts from a secret for encryption keys at random. The main result is a heuristic lower bound for the number of parts selected per encryption key. This bound is equal to the natural logarithm of the number of parts available in a secret, where the number of parts selected per encryption key is odd. If we apply this cryptosystem in the Bounded Retrieval Model, this bound increases a lot and depends heavily on the expected amount of leakage.

Besides the analysis, we design and implement software for the gotp cryptosystem. The implementation is in the form of an open source C++ library freely available at github.com/arjenzijlstra for academic use.

Acknowledgements

First of all, I would like to thank dr.ir. Berry Schoenmakers for being my supervisor, for all his effort and time he put in, and the many useful ideas and remarks on my work he provided.

Furthermore, I would like to thank prof.dr. Jeroen van de Graaf for all his feedback and ideas and for giving me the chance to come to Brazil to work on this project, while learning about the language and culture in the country.

And, of course, I want to thank my Brazilian and international friends for all their help and for giving me an incredible time in Brazil. Thank you all very much.

And finally, I would like to thank all my family, friends and fellow students in the Netherlands for always being there for me and for the feedback you guys gave me.

Arjen Teijo Zijlstra
Belo Horizonte & Eindhoven, December 2016.

Table of Contents

Abstract
Acknowledgements
1 Introduction
  1.1 Related work
2 One-time Pad in a group
  2.1 Traditional One-time Pad
  2.2 Group Usage
    2.2.1 Towards Group One-time Pad
    2.2.2 Group One-time Pad
    2.2.3 On Collisions and Dependencies
  2.3 Quantitative analysis
    2.3.1 Probability of collisions
    2.3.2 Random Matrices
    2.3.3 Sparse Binary Matrices
  2.4 Block Size and Secret Size
  2.5 Maximise Utilisation of a Secret
    2.5.1 Broadcast
    2.5.2 Byzantine Generals
    2.5.3 Ostrich Tactic
3 Bounded Retrieval Model
  3.1 Background
  3.2 Big-key Cryptography
    3.2.1 Subkey Prediction
    3.2.2 Authenticated Encryption
    3.2.3 Comparison to Group OTP
  3.3 Group OTP in the brm
4 Extensions to GOTP
  4.1 Seeded Key Selection
  4.2 Shorter Secrets
    4.2.1 Sponge Construction
    4.2.2 Randomly Accessible Pseudo Random Generator
  4.3 Authenticated Encryption
5 High-level design
  5.1 Use Case View
    5.1.1 Encrypt Message
    5.1.2 Decrypt Message
    5.1.3 Import Secret
    5.1.4 Export Secret
  5.2 Logical View
    5.2.1 Secret
    5.2.2 Text
    5.2.3 Cipher
    5.2.4 Key Selector
6 Findings and Future Work
  6.1 Conclusions
  6.2 Future Work
References
A Simulations
B Source Code
C Requirements

Chapter 1

Introduction

Traditionally, symmetric encryption methods protect a plaintext message by encrypting it with a small secret and sharing this small secret over a secure channel, while sharing the large encrypted plaintext over a public channel. One-time Pad (otp) protects a plaintext by encrypting it with a secret equally as large as the plaintext, which is not any easier to share. Probably the most quoted text in discussions about One-time Pad is:

“What a one-time pad system does is take a difficult message security problem and turn it into a just-as-difficult key distribution problem.” – Bruce Schneier [Sch02]

The point is clear: distributing a large otp secret in a secure way poses a challenge. However, there are specific situations in which using otp could be practical and provide the level of security that is desirable.
People who meet on a regular basis but who also want to communicate their thoughts over the internet, without surveillance agencies being able to listen in, could share a large secret using SD cards, USB keys or hard drives when they meet and use this secret at a later time to encrypt their communication. Communication produced by and sent between people who meet regularly mostly consists of chat messages, emails or small files, all of which use very little storage. Therefore, a large otp secret will be consumed slowly and exchanging a new secret is only necessary after quite some time, depending on its size and the number of people making use of the same secret.

The most important asset of otp is that it is not based on mathematically hard problems and is currently the only perfectly secure cryptosystem. The security of otp is based on the requirement that each bit of the otp secret is only used once, which in combination with its randomness results in a ciphertext on which cryptanalysis is impossible. Its perfect security makes otp a good system to use for encrypting communication that consists of small messages.

However, to be able to use otp there are some hurdles to overcome. Key distribution is not the only challenge of otp; other disadvantages include message authentication, lack of randomness and prevention of reusing encryption keys. The focus of this thesis is on prevention of reusing encryption keys. It is assumed that methods for generating random bits exist and therefore randomness will not be part of this work. Message authentication will be briefly discussed.

When using otp between at most two parties, it is easy to avoid using the same part of the otp secret for encrypting two different messages. However, problems arise when dealing with a group of people that work together and want to use otp. Either a separate secret must be shared for each direction of encryption or a smarter way of managing encryption keys is needed.
The option to share an otp secret between every pair of persons will rapidly result in many secrets that must be shared and stored securely, which is not feasible when using very large otp secrets. Assuming that a group is based on mutual trust, all members could make use of the same secret to derive keys for encrypting their communication, but we have to make sure that no part of the secret is ever used twice.

The goal of this work is to find a solution for securely applying One-time Pad in a group. From now on the concept will be referred to as Group otp or gotp. In this work we extend the analysis on parameters for the gotp cryptosystem presented in [Gra16]. Furthermore, we compare the gotp cryptosystem to big-key cryptography presented in [BKR16] and analyse the applicability of gotp in the Bounded Retrieval Model. Finally, we design and implement the system in the form of an open source C++ library.

1.1 Related work

Little work has been performed on the use of one large secret shared between a group of parties; therefore, we look at a broader spectrum of methods that make use of otp. In [Hal06] a method that makes use of the otp system is presented. They use a random number table, generated by concatenating random numbers, at its base.
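
The key selection described in the abstract, as an added Python example that is not taken from the thesis or its C++ library. It assumes an encryption key is the XOR of the selected parts; all function names and the sample parameters are hypothetical.

```python
import math
import secrets

def min_parts_per_key(n_parts):
    """Smallest odd k with k >= ln(n_parts): the abstract's heuristic bound."""
    k = max(1, math.ceil(math.log(n_parts)))
    return k if k % 2 else k + 1

def select_parts(n_parts, k):
    """Choose k distinct part indices uniformly at random (OS CSPRNG)."""
    return sorted(secrets.SystemRandom().sample(range(n_parts), k))

def derive_key(secret, part_size, indices):
    """ASSUMPTION: the encryption key is the XOR of the selected parts."""
    key = 0
    for i in indices:
        key ^= int.from_bytes(secret[i * part_size:(i + 1) * part_size], "big")
    return key.to_bytes(part_size, "big")

def xor_bytes(data, key):
    """One-time pad step; refuses messages longer than the derived key."""
    if len(data) > len(key):
        raise ValueError("message longer than key")
    return bytes(d ^ k for d, k in zip(data, key))

def gf2_rank(selections):
    """Rank over GF(2) of the selection vectors (one bitmask per key)."""
    basis = {}  # leading bit position -> reduced vector
    for sel in selections:
        v = sum(1 << i for i in set(sel))
        while v:
            lead = v.bit_length() - 1
            if lead not in basis:
                basis[lead] = v
                break
            v ^= basis[lead]
    return len(basis)

def has_dependency(selections):
    """True if some subset of the derived keys XORs to zero."""
    return gf2_rank(selections) < len(selections)

if __name__ == "__main__":
    n, size = 1024, 32                      # constructed parameters
    secret = secrets.token_bytes(n * size)  # constructed shared secret
    idx = select_parts(n, min_parts_per_key(n))
    ct = xor_bytes(b"meet at noon", derive_key(secret, size, idx))
    print(idx, ct.hex())
```

When `has_dependency` is true for the selections used so far, XORing the matching ciphertexts cancels every key and leaves the XOR of the plaintexts, which is the reuse the introduction says must never happen.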
