SECURITY and CRYPTOGRAPHY 15-827 8 NOV 01
Lecture #15 M.B.
4615 Wean
Handout: Charles Bennett's Fuhrman-Buster.
Bennett's Fuhrman-Buster can be cheated when technology is able to do
real-time simulations/renderings/AI. Similarly, CAPTCHAS can be cheated
when technology is able to solve the AI problems (such as OCR) on which
they are based.
Why do I like #80 more than #82?
Recall PHONOID #80.
"If seven maids with seven mops swept it for half a year"
29 39224 12833 4229 39224 8350 39541 41 448 3131 3 1435
It takes me approximately 2 seconds per digit to generate a response.
COUNT STEPS.
#80:
To generate a response to a k-long challenge, , do:
1. read a1.
   read a2.
   add          *// a1+a2 //*
   permute      *// g(a1+a2) //*
   output x1    *// x1 = g(a1+a2) //*
2. For i = 2..k, do:
     read ai    *// ai //*
     add        *// x + ai //*
     permute    *// g(x + ai) //*
     output xi
Count each instruction as 1 step. This algorithm takes 5+4*(k-1) = 4k+1 steps.
#82:
To generate a K-digit response to a k-long challenge,
, do:
for i=1..K, do:
  read di.      *// from memory //*
  for j=1..k, do:
    read aj.    *// from challenge //*
    add         *// x + aj, where x starts as di //*
    permute     *// x = g(x + aj) //*
  output xi.    *// xi = final x //*
Counting each instruction as 1 step, this algorithm takes (3*k+2)*K =
2K+3k*K steps.
Taking K=k (number of output digits = number of input characters):
#80 outputs k=8 digits in 33 steps.
#82 outputs k=3 digits in 33 steps.
Comparison of PHONOID #82 to DES (Data Encryption Standard):
DES has permutations and Substitution functions (S-boxes).
PHONOID #82 has additions and substitutions (given by the permutation g).
In DES, the S-boxes vary from stage to stage, and they are PUBLIC. In
PHONOID #82, the substitutions (applications of g) are unchanging from
stage to stage, and they are PRIVATE.
How secure is #82? Recall that the ALGORITHM is given by:
For i = 1..K, set xi = g(...g(g((di+f(a1)))+f(a2))+...+f(ak))
We shall run through all possible 10! permutations for g (as in the past) and
all 10 possible values for d1, for a total of
10*10! = 3.6x10^7 (parallel) stages. At each stage, presumed knowledge of g
implies that g', the inverse permutation of g, is also known.
The case k=K=1: The eavesdropper knows x1 = g(d1+f(a1)). So she knows (can
compute) f(a1) = g'(x1)-d1. Clearly, there is no additional security. An
eavesdropper who sees the response to the single challenge a1 can
efficiently determine the digit to which f maps a1.
The case k=K=2: One possibility is to guess f(a1), compute y1 = g(d1+f(a1))
and from that compute f(a2) = g'(x1)-y1. This gives a way to compute f(a2)
from f(a1). The second response digit x2 makes it possible to confirm or reject the
guess for f(a1): compute y2 = g(d2+f(a1)) and from that and knowledge of x2
compute f(a2) = g'(x2)-y2. This gives a way to reject most if not all wrong
initial guesses, f(a1), thereby reducing the number of possibilities for
f(a1) to one or a small number of possibilities: reject if the two
equations give rise to different values for f(a2).
For example, with =<7,5> and challenge , the response
=<2,4> is satisfied by only two possible mappings: either
= <4,8> or
= <6,7>.
For example:
d1 = 7 -> 7+4 = 1 -> 7 -> 7+8 = 5 -> 2
d2 = 5 -> 5+4 = 9 -> 6 -> 6+8 = 4 -> 4
All other mappings f are inconsistent.
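The guess-and-check test for the case k=K=2, as an added example that is not part of the original lecture notes. The notes do not list g in full, so the table G is constructed: g(1)=7, g(3)=8, g(4)=4, g(5)=2 and g(9)=6 follow from the worked example above, and the other five values are assumptions chosen to complete the permutation. The function names are hypothetical.

```python
# Added example: the k=K=2 guess-and-check test, run for one candidate g.
# G is constructed: g(1)=7, g(3)=8, g(4)=4, g(5)=2, g(9)=6 follow from the
# worked example; the remaining five values are assumptions that complete
# the permutation.
G = [0, 7, 5, 8, 4, 2, 3, 9, 1, 6]           # G[v] = g(v)


def inverse(g):
    """Return g', the inverse permutation of g."""
    inv = [0] * len(g)
    for v, gv in enumerate(g):
        inv[gv] = v
    return inv


def respond(d, f_values, g):
    """PHONOID #82: x_i = g(...g(g(d_i + f(a1)) + f(a2)) ... + f(ak)), mod 10."""
    out = []
    for di in d:
        x = di
        for fa in f_values:
            x = g[(x + fa) % 10]
        out.append(x)
    return out


def consistent_mappings(d, x, g):
    """For k=K=2, list every (f(a1), f(a2)) that agrees with both digits."""
    g_inv = inverse(g)
    found = []
    for guess in range(10):                       # guess f(a1)
        y1 = g[(d[0] + guess) % 10]               # y1 = g(d1 + f(a1))
        y2 = g[(d[1] + guess) % 10]               # y2 = g(d2 + f(a1))
        fa2_from_x1 = (g_inv[x[0]] - y1) % 10     # f(a2) = g'(x1) - y1
        fa2_from_x2 = (g_inv[x[1]] - y2) % 10     # f(a2) = g'(x2) - y2
        if fa2_from_x1 == fa2_from_x2:            # otherwise reject the guess
            found.append((guess, fa2_from_x1))
    return found


if __name__ == "__main__":
    print(respond([7, 5], [4, 8], G))               # [2, 4]
    print(consistent_mappings([7, 5], [2, 4], G))   # [(4, 8), (6, 7)]
```

In the full search this test runs once per candidate g; the run above is the single stage in which the candidate is the constructed G.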
If there is no better way to solve, then the number of choices to be
considered for the case k=K=2 goes from 10*10! to (10^2)*10!.
HOMEWORK #2: Surely there is a better way to solve? Either give such a way
or explain why you think there is none such.