S. Dasgupta, C.H. Papadimitriou, and U.V. Vazirani, Algorithms

An application of number theory?

The renowned mathematician G. H. Hardy once declared of his work: “I have never done anything useful.” Hardy was an expert in the theory of numbers, which has long been regarded as one of the purest areas of mathematics, untarnished by material motivation and consequence. Yet the work of thousands of number theorists over the centuries, Hardy’s included, is now crucial to the operation of Web browsers and cell phones and to the security of financial transactions worldwide.

1.4.1 Private-key schemes: one-time pad and AES

If Alice wants to transmit an important private message to Bob, it would be wise of her to scramble it with an encryption function,

e : ⟨messages⟩ → ⟨encoded messages⟩.

Of course, this function must be invertible—for decoding to be possible—and is therefore a bijection. Its inverse is the decryption function d(·).

In the one-time pad, Alice and Bob meet beforehand and secretly choose a binary string r of the same length—say, n bits—as the important message x that Alice will later send. Alice’s encryption function is then a bitwise exclusive-or, e_r(x) = x ⊕ r: each position in the encoded message is the exclusive-or of the corresponding positions in x and r. For instance, if r = 01110010, then the message 11110000 is scrambled thus:

e_r(11110000) = 11110000 ⊕ 01110010 = 10000010.

This function e_r is a bijection from n-bit strings to n-bit strings, as evidenced by the fact that it is its own inverse!

e_r(e_r(x)) = (x ⊕ r) ⊕ r = x ⊕ (r ⊕ r) = x ⊕ = x,

where is the string of all zeros. Thus Bob can decode Alice’s transmission by applying the same encryption function a second time: d_r(y) = y ⊕ r.

How should Alice and Bob choose r for this scheme to be secure? Simple: they should pick r at random, flipping a coin for each bit, so that the resulting string is equally likely to be any element of { , 1}^n. This will ensure that if Eve intercepts the encoded message y = e_r(x), she gets no information about x. Suppose, for example, that Eve finds out y = 10; what can she deduce? She doesn’t know r, and the possible values it can take all correspond to different original messages x:

  x = 00  --e_10-->  y = 10
  x = 01  --e_11-->  y = 10
  x = 10  --e_00-->  y = 10
  x = 11  --e_01-->  y = 10

So given what Eve knows, all possibilities for x are equally likely!

The downside of the one-time pad is that it has to be discarded after use, hence the name. A second message encoded with the same pad would not be secure, because if Eve knew x ⊕ r and z ⊕ r for two messages x and z, then she could take the exclusive-or to get x ⊕ z, which might be important information—for example, (1) it reveals whether the two messages begin or end the same, and (2) if one message contains a long sequence of zeros (as could easily be the case if the message is an image), then the corresponding part of the other message will be exposed. Therefore the random string that Alice and Bob share has to be the combined lengthexposed....
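The pad-reuse problem described above can be checked directly. The following is an added example, not code from the book: it encrypts two constructed messages under one pad and shows that r cancels, leaving x ⊕ z with both leaks (1) and (2) visible. The function names, the sample messages, and the use of Python's `secrets` module as the source of coin flips are assumptions made for illustration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise exclusive-or of two equal-length strings: e_r(x) = x XOR r."""
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return bytes(p ^ q for p, q in zip(a, b))

def new_pad(n: int) -> bytes:
    """n uniformly random bytes from the OS CSPRNG (one coin flip per bit)."""
    return secrets.token_bytes(n)

def reuse_leak(y1: bytes, y2: bytes) -> bytes:
    """What two ciphertexts under the same pad give away: (x^r)^(z^r) = x^z."""
    return xor_bytes(y1, y2)

def common_prefix_len(leak: bytes) -> int:
    """Point (1): leading zero bytes of x^z mark where x and z begin the same."""
    n = 0
    for b in leak:
        if b:
            break
        n += 1
    return n

# Constructed sample messages (not from the book). Z starts like X and then
# holds a run of zero bytes, as a blank region of an image might.
X = b"PAY BOB  100 USD"
Z = b"PAY " + bytes(12)

def demo():
    r = new_pad(len(X))
    y1 = xor_bytes(X, r)          # first use of the pad
    y2 = xor_bytes(Z, r)          # second use of the SAME pad
    assert xor_bytes(y1, r) == X  # decryption is the same operation
    leak = reuse_leak(y1, y2)     # computed without knowing r
    same = common_prefix_len(leak)
    # Point (2): where Z is all zeros, x^z is X itself.
    exposed = leak[same:]
    return leak, same, exposed

if __name__ == "__main__":
    leak, same, exposed = demo()
    print("messages share a prefix of", same, "bytes")
    print("exposed part of X:", exposed)
```

The result is the same for every random pad, which is the point: the secrecy of r does nothing to protect x ⊕ z once the pad has been used twice.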
This document was uploaded on 08/10/2011.
 Spring '11
 Algorithms
