SECURITY and CRYPTOGRAPHY 15-827 5 NOV 01
Lecture #14 M.B.
4615 Wean
Last time, I started with an instance of a general CLASS of PHONOIDS, #80.
That instance, and others like it, take me approximately 2 seconds per
digit to generate a response:
"If seven maids with seven mops swept it for half a year"
29 39224 12833 4229 39224 8350 39541 41 448 3131 3 1435
I personally happen to like that PHONOID CLASS a lot!
Why were students less than enthusiastic about it? They didn't like that
to create one's own personal PHONOID INSTANCE, an INSTANCE of the general
class of PHONOIDS, the user must be guided to come up with certain of his
own ideas, much as he must be guided to the choice of good passwords. I do
NOT consider this to be a serious weakness. Programs can help one to
generate good ideas, just like programs can help one to generate good
passwords.
There are at least two weaknesses with ordinary passwords:
1. Over-the-shoulder and Trojan-horse attacks.
#80 helps a lot against these attacks!
2. A password can be badly chosen.
Yes, this is a problem, but it's a problem only if there is no feedback
to the user to modify and/or replace a bad password by a good one.
I do believe that the two ideas that #80 asked people to come up with (a
PRIVATE rule for generating the first response digit, x1; and a PRIVATE
permutation of the CHALLENGE) can be brainstormed by anyone who has seen
and understood enough examples. Students felt that by requiring people to
come up with ideas, the protocol was thereby weakened, and that it made the
protocol harder if not impossible to analyze.
To my mind, user creativity is a STRENGTH not a WEAKNESS. It's up to us to
find a way to analyze the protocol as well as possible.
Having said that, I am today going to define a new class of PHONOIDS, #82,
that solves ALL of the problems of #80 but one, and that one is the
excessive amount of time that it takes to use #82 to produce a response.
Since #82 does not require much arithmetic, it may be that the response
time can be greatly shortened (or that the protocol can be modified to make
the response time short). This is still open.
ALL digits produced by #82 are equally random-looking. At the least, the
user can use #82 to get ONE random looking digit x1, then switch to #80
(the PHONOID CLASS of lecture 13) to generate the remaining digits. This
greatly reduces what the user of #80 must come up with himself to a private
rule for an on-the-fly permutation of the challenge characters.
PHONOID CLASS #82 is good in almost every respect. A USER has to learn a
function, a permutation, and a password that are randomly chosen and given
to him. The user does not choose anything.
To run the protocol, the user has only to do some very simple arithmetic
mod 10. The class appears to be enormously resistant to chosen challenge
attack.
CLASS #82 PHONOIDS DEFINED:
CHALLENGE = A single word consisting of at least k=3 and at most k=6
letters from the alphabetic characters A,..,Z. If k=3, the letters can be
randomly chosen. For k>3, it would be better (for the user's memory) to
choose a simple dictionary word.
RESPONSE = a K-digit number for K in {1,..,9}.
In general we can produce up to 9 digits, no matter what the length of the
challenge. It is not necessary for the k of the challenge to be the same
as the K of the response, though for simplicity of explanation, we take K=k.
The ALGORITHM CLASS assumes that the human USER has memorized a PRIVATE
RANDOM function
f:{A,...,Z} -> {0,...,9},
a PRIVATE RANDOM permutation
g:{0,...,9} -> {0,...,9},
and a private random K-tuple of DISTINCT digits , called the
*initializing password*.
The USER does not supply any PRIVATE rules. She has only to follow the
general algorithm below.
ALGORITHM:
For i = 1..K, set xi = g(...g(g(di + f(a1)) + f(a2)) + ... + f(ak)),
where a1,...,ak are the letters of the CHALLENGE in order and every + is
addition mod 10 (k rounds of: add f of the next letter, then apply g).
The RESPONSE to challenge is .
EXAMPLE with
d1=7 d2=5 d3=8
f: F->4 U->6 N->2 ...
g: 0->0 1->7 2->5 3->8 4->4 5->2 6->9 7->1 8->3 9->6
CHALLENGE = FUN (F=4, U=6, N=2)
HIDDEN (each sum is mod 10; the arrow after each sum applies g):
d1: 7 -> 7+F = 1 -> 7 -> 7+U = 3 -> 8 -> 8+N = 0 -> 0
d2: 5 -> 5+F = 9 -> 6 -> 6+U = 2 -> 5 -> 5+N = 7 -> 1
d3: 8 -> 8+F = 2 -> 5 -> 5+U = 1 -> 7 -> 7+N = 9 -> 6
RESPONSE = 016
(marginal note) FNU -> 561
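The following is an added worked example, not part of the lecture notes: a direct implementation of the CLASS #82 algorithm above, using the f values, the permutation g and the initializing password <7,5,8> from the FUN example (f is only filled in for the letters the notes give values for). It also carries the algorithm backwards, recovering each di from xi once f, g and the challenge are known, which is the inverse map the notes rely on when they argue that the response digits are distinct. Function names and the dictionary/list representation of f and g are my own choices.

```python
# Added example (not the lecture's own code): CLASS #82 PHONOID response
# computation and its inverse, using the f, g and password from the notes.

# PRIVATE random function f: {A..Z} -> {0..9}.  Only the letters whose values
# the notes state are present here; any other letter raises a KeyError.
F = {"F": 4, "U": 6, "N": 2,
     "A": 4, "B": 8, "C": 6, "D": 0, "E": 3,
     "I": 1, "J": 7, "P": 9, "Q": 2, "S": 5}

# PRIVATE random permutation g: {0..9} -> {0..9}, stored as a list so that
# G[d] is g(d).  This is the g of the FUN example.
G = [0, 7, 5, 8, 4, 2, 9, 1, 3, 6]

# Initializing password <d1, d2, d3>: a K-tuple of DISTINCT digits.
PASSWORD = (7, 5, 8)


def respond(challenge, f=F, g=G, password=PASSWORD):
    """Return the #82 RESPONSE to `challenge` as a string of K digits.

    x_i = g(...g(g(d_i + f(a_1)) + f(a_2))... + f(a_k)), every + taken mod 10.
    """
    letters = challenge.upper()
    digits = []
    for d in password:
        x = d
        for a in letters:
            x = g[(x + f[a]) % 10]      # add f(letter) mod 10, then apply g
        digits.append(x)
    return "".join(str(x) for x in digits)


def recover_password(challenge, response, f=F, g=G):
    """Invert d_i -> x_i: from f, g, the challenge and the response, recover
    the initializing password.  Each round of the algorithm is undone in
    reverse order: apply g^-1, then subtract f(letter) mod 10."""
    g_inv = {value: digit for digit, value in enumerate(g)}
    letters = challenge.upper()
    recovered = []
    for x in (int(ch) for ch in response):
        d = x
        for a in reversed(letters):
            d = (g_inv[d] - f[a]) % 10
        recovered.append(d)
    return tuple(recovered)


def digits_are_distinct(challenge, f=F, g=G, password=PASSWORD):
    """True iff the response to `challenge` has no repeated digit.  Because
    the map d_i -> x_i is a bijection for a fixed challenge and the d_i are
    distinct, this should hold for every challenge, even 'AA' or 'BB'."""
    r = respond(challenge, f, g, password)
    return len(set(r)) == len(r)


if __name__ == "__main__":
    for c in ("FUN", "UNF", "UFN", "NFU", "NUF", "FNU", "AA", "AS"):
        print(c, "->", respond(c), " password recovered:",
              recover_password(c, respond(c)))
```

Running it reproduces the responses listed in the notes (FUN -> 016, UNF -> 408, and so on), and `recover_password` returns (7, 5, 8) for each of them, which is exactly why an eavesdropper who learned f and g would also learn the password from a single transcript.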
DEFINITION: Two alphabetic characters are EQUIVALENT if f maps both
characters to the same digit. For example, A is equivalent to F since f(A)
= f(F) = 4, but A is not equivalent to B since f(B)=8.
Some OBSERVATIONS:
* Each digit of the RESPONSE is a nontrivial function of ALL the CHALLENGE
characters. So a single change in any CHALLENGE character to a
nonequivalent character will change the RESPONSE.
* In general, a permutation of the CHALLENGE characters will change the
RESPONSE.
FUN -> 016 UNF -> 408 UFN -> 162 NFU -> 930 NUF -> 628 FNU -> ?
* In general, a change in any one letter of the CHALLENGE to a
nonequivalent character will change all the RESPONSE digits:
BUG -> 603 HUG -> 478 JUG -> 986 MUG -> 254 RUG -> 391 TUG -> ?
* Here are my single-digit responses to single-digit challenges:
CHALLENGE = A B C D E I J P Q S
RESPONSE = 7 2 8 1 0 3 4 9 6 5
* My two-digit responses to single-digit challenges:
CHALLENGE = A B C D E I J P Q S
RESPONSE = 76 28 87 12 03 39 45 94 61 50
* My 3-digit responses to 1-digit challenges:
CHALLENGE = A B C D E I J P Q S
RESPONSE = 765 289 874 123 037 396 452 941 610 508
* Because addition mod 10 is an (algebraic) group, and because g is a
permutation, the map di -> xi from the initializing password digit di to
the corresponding response digit xi is 1:1.
* For the above reasons, and because permutations are invertible, the map
di -> xi from the initial digit di to the corresponding response digit xi
can be inverted. This means that from knowledge of f,g, the challenge, and
xi, one can determine di. It follows that di <> dj => xi <> xj. Since
d1..dk are all DISTINCT, it follows that x1..xk are also all distinct --
even if some or all of the challenge characters are the same!
Example: A=4 B=8 C=6 D=0 E=3 I=1 J=7 P=9 Q=2 S=5
CHALLENGE = AA BB CC DD EE II JJ PP QQ SS
RESPONSE = 70 09 48 75 89 40 75 38 38 02
(marginal note) note! the repeated responses: 75 for both DD and JJ, 38 for both PP and QQ
* It follows that knowing the response (first row of the following table)
to AA, AB, ... AQ enables one to construct the response 57 to AS (the last
entry of the first row). How?
Similarly for all other rows and all columns.
A=4 B=8 C=6 D=0 E=3 I=1 J=7 P=9 Q=2 S=5
A B C D E I J P Q S
A 70 24 85 19 06 31 48 92 63 57
B 95 09 34 53 27 86 62 71 40 18
C 57 92 48 31 70 63 24 19 06 85
D 29 60 13 75 42 58 36 07 84 91
E 41 37 96 08 89 74 10 65 52 23
I 18 71 62 86 95 40 09 53 27 34
J 36 58 07 42 13 29 75 84 91 60
P 83 15 20 64 51 02 97 38 79 46
Q 02 46 51 97 64 15 83 20 38 79
S 64 83 79 20 38 97 51 46 15 02
HOMEWORK: Toss 100 balls into 90 bins.
a) How many bins are expected to be empty? to have just one ball? to have
two balls?
b) Compare to the table above.
* The number of possible protocols of type #82, corresponding to the number
of possible mappings f, permutations g, and initializing 3-digit passwords,
is at least
10^10 * 10! * 10*9*8 = 2.6x10^19
It follows that an eavesdropper must on average see at least 19 digits to
have the information necessary to specify the protocol.