This preview shows pages 1–3. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
Unformatted text preview: CS 161 Computer Security Spring 2010 Paxson/Wagner Discussion 6 March 09, 2010 1. OneTime Pads Recall how a onetime pad works. Alice shares a stream of random bits with Bob, and she encrypts a message of length n for Bob by XORing the next n bits of this stream with the message. Bob decrypts by XORing the ciphertext with the same n bits from the stream of random bits. (a) Does this scheme work if we replace XOR with OR? How about with AND? (b) Suppose you want to encrypt a message M ∈ { , 1 , 2 } using a shared random key K ∈ { , 1 , 2 } . Sup pose you do this by representing K and M using two bits (00, 01, or 10), and then XORing the two representations. Does this scheme have the same security guarantees of the onetime pad? Explain. (c) Give an alternate encryption algorithm for carrying out the above task that does provide strong security guarantees. Note: You must not change the message space { , 1 , 2 } or the key space { , 1 , 2 } . Instead, we want you to design an encryption algorithm E ( · , · ) so that E ( K , M ) is a secure encryption of M , when K and M are distributed as above. Answer: (a) No, it doesn’t work with either OR or AND. First of all, correctness is broken; it is not true that ( m ∨ k ) ∨ k = m for all choices of m and k (where m and k are each a single bit). Similarly, ( m ∧ k ) ∧ k 6 = m for all choices of m and k . This means that you can’t actually decrypt an encrypted message. Security is also broken. For OR, consider what an eavesdropper learns when she sees a 0 bit in the ciphertext. The only way this can happen is if both the key bit k and the message bit m are 0. For AND, when an eavesdropper sees a 1 bit in the ciphertext, she knows that both k and m are 1. Both OR and AND leak information. (b) No, this scheme does not have the security guarantees of a onetime pad. The table below lists the resulting encrypted messages using this scheme. We can see that some outcomes exclude certain inputs. For example, given E ( K , M ) = 11 an attacker knows that the sent message M is not 0. K M E ( K , M ) 00 00 00 01 00 01 10 00 10 00 01 01 01 01 00 10 01 11 00 10 10 01 10 11 10 10 00 CS 161, Spring 2010, Discussion 6 1 (c) We wish to design a new encryption algorithm E * ( · , · ) that has the security guarantees of the onetime pad. We require that given E * ( K , M ) , an attacker should get no information about M . This property is satisfied for any...
View
Full
Document
This note was uploaded on 04/14/2010 for the course CS 161 taught by Professor Wagner during the Spring '10 term at University of Central Arkansas.
 Spring '10
 wagner
 Computer Security

Click to edit the document details