SECURITY and CRYPTOGRAPHY 15-827
8 NOV 01
Lecture #15
M.B. 4615 Wean

Handout: Charles Bennett's Fuhrman-Buster.

Bennett's Fuhrman-Buster can be cheated when technology is able to do real-time simulations/renderings/AI. Similarly, CAPTCHAs can be cheated when technology is able to solve the AI problems (such as OCR) on which they are based.

Why do I like #80 more than #82?

Recall PHONOID #80.

"If seven maids with seven mops swept it for half a year"

    If  seven  maids  with  seven  mops  swept  it  for  half  a  year
    29  39224  12833  4229  39224  8350  39541  41  448  3131  3  1435

It takes me approximately 2 seconds per digit to generate a response.

COUNT STEPS.

#80: To generate a response to a k-long challenge, , do:

    1. read a1.
       read a2.
       add           *// a1+a2 //*
       permute       *// g(a1+a2) //*
       output x1     *// x1 = g(a1+a2) //*
    2. For i = 2..k, do:
         read ai     *// ai //*
         add         *// x + ai //*
         permute     *// g(x + ai) //*
         output xi

Count each instruction as 1 step. This algorithm takes 5+4*(k-1) = 4k+1 steps.

#82: To generate a K-digit response to a k-long challenge, , do:

    for i=1..K, do:
      read di.         *// from memory //*
      for j=1..k, do:
        read aj.       *// from challenge //*
        add            *// di+a2 //*
        permute        *// g(d1+a2) //*
      output xi.

Counting each instruction as 1 step, this algorithm takes (3*k+2)*K = 2K+3k*K steps.

Taking K=k (number of output digits = number of input characters):

    #80 outputs k=8 digits in 33 steps.
    #82 outputs k=3 digits in 33 steps.

Comparison of PHONOID #82 to DES (Data Encryption Standard):

DES has permutations and substitution functions (S-boxes). PHONOID #82 has additions and substitutions (given by the permutation g).

In DES, the S-boxes vary from stage to stage, and they are PUBLIC. In PHONOID #82, the substitutions (applications of g) are unchanging from stage to stage, and they are PRIVATE.

How secure is #82?

Recall that the ALGORITHM is given by:

    For i = 1..K, set xi = g(...g(g((di+f(a1)))+f(a2))+...+f(ak))

We shall run through all possible 10! permutations for g (as in the past) and all 10 possible values for d1, for a total of 10*10! = 3.6x10^7 (parallel) stages.
At each stage, presumed knowledge of g implies that g', the inverse permutation of g, is also known.

The case k=K=1:

The eavesdropper knows x1 = g(d1+f(a1)). So she knows (can compute) f(a1) = g'(x1)-d1. Clearly, there is no additional security. An eavesdropper who sees the response to the single challenge a1 can efficiently determine the digit to which f maps a1.

The case k=K=2:

One possibility is to guess f(a1), compute y1 = g(d1+f(a1)) and from that compute f(a2) = g'(x1)-y1. This gives a way to compute f(a2) from f(a1).

The second response digit x2 makes it possible to confirm or reject the guess for f(a1): compute y2 = g(d2+f(a1)) and, from that and knowledge of x2, compute f(a2) = g'(x2)-y2. Reject the guess if the two equations give different values for f(a2). This rejects most if not all wrong initial guesses for f(a1), reducing the possibilities for f(a1) to one or a small number.

For example, with =<7,5> and challenge , the response =<2,4> is satisfied by only two possible mappings: either = <4,8> or = <6,7>. For example:

    d1 = 7 -> 7+4 = 1 -> 7 -> 7+8 = 5 -> 2
    d2 = 5 -> 5+4 = 9 -> 6 -> 6+8 = 4 -> 4

All other mappings f are inconsistent.

If there is no better way to solve, then the number of choices to be considered for the case k=K=2 goes from 10*10! to (10^2)*10!

HOMEWORK #2: Surely there is a better way to solve? Either give such a way or explain why you think there is none such.
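
The k=K=2 check described above, as an added example (not code from the lecture notes): for one presumed g it tries each guess for f(a1) and keeps the guesses for which x1 and x2 yield the same f(a2). The permutation G is constructed: only g(1)=7, g(5)=2, g(9)=6, g(4)=4 come from the trace above; the remaining entries and the function names are assumptions made for this example.

```python
# Added example: eavesdropper's consistency check for PHONOID #82, k = K = 2.
# G is a constructed permutation: g(1)=7, g(5)=2, g(9)=6, g(4)=4 are taken
# from the trace in the notes; the other six entries are filled in here.
G = [3, 7, 5, 8, 4, 2, 9, 0, 1, 6]           # G[v] = g(v)
G_INV = [G.index(v) for v in range(10)]       # G_INV[v] = g'(v)


def respond(g, d, fa):
    """x_i = g(...g(g(d_i + f(a1)) + f(a2))... + f(ak)), digits added mod 10."""
    out = []
    for di in d:
        x = di
        for digit in fa:                      # fa = (f(a1), ..., f(ak))
            x = g[(x + digit) % 10]
        out.append(x)
    return tuple(out)


def consistent_mappings(g, g_inv, d, x):
    """Guess f(a1); derive f(a2) from x1 and again from x2; keep agreeing guesses."""
    keep = []
    for f1 in range(10):
        y1 = g[(d[0] + f1) % 10]              # y1 = g(d1 + f(a1))
        y2 = g[(d[1] + f1) % 10]              # y2 = g(d2 + f(a1))
        f2_from_x1 = (g_inv[x[0]] - y1) % 10  # f(a2) = g'(x1) - y1
        f2_from_x2 = (g_inv[x[1]] - y2) % 10  # f(a2) = g'(x2) - y2
        if f2_from_x1 == f2_from_x2:          # otherwise reject this guess
            keep.append((f1, f2_from_x1))
    return keep


if __name__ == "__main__":
    # d = <7,5> and response <2,4>, as in the worked trace above.
    print(consistent_mappings(G, G_INV, (7, 5), (2, 4)))
```

The check costs 10 guesses per presumed g, against 100 for trying every pair (f(a1), f(a2)) directly.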