SECURITY and CRYPTOGRAPHY 15-827
11 OCT 01
Lecture #8
M.B. 4615 Wean

Recall HW 2. Come up with an original PHONOID. More specifically, come up with 10 original PHONOIDS, but show me your best. Be prepared to exhibit your protocol on Tue Oct 9.

Did anyone (besides Brian Clark) come up with a protocol that does NOT require any arithmetic at all? (Is such a protocol possible? Yes!)

MIDTERM EXAM 1 will be on October 25. I will give you a sample class of protocols, more specifically a probability distribution on a class of protocols. Your job will be to comment on the distribution, i.e. to give the pluses and minuses of the class of protocols.

In preparation, I'll give you a SAMPLE midterm exam as your next HOMEWORK problem, to be handed out this coming Tuesday October 16, and due on Tue October 23 (2 weeks from now).

The midterm, like the homework, will give you a class of PhonOID protocols. It'll ask you to evaluate the class of protocols along a number of dimensions of your own choosing. What dimensions? Here are a few:

EASE of GENERATION of a PROTOCOL.
* How easy is it to generate a random protocol?
* How easy is it to learn a (once in a lifetime) random protocol? (Since one's protocol is forever, this need not be the most important consideration, but it's a consideration nonetheless.)
* How many possible protocols are there?
* What is the maximum probability with which any particular protocol is chosen from the distribution?

EASE of GENERATION of a CHALLENGE.
* How easy is it to generate a random challenge?
* How many possible challenges are there?
* What is the maximum probability with which any particular challenge is chosen?

EASE of GENERATION of a RESPONSE.
* How easy is it for a human to generate a correct response to a randomly generated challenge?
* If easy, how much FUN is it to generate a response?

DIFFICULTY of BREAKING
* How many RANDOM challenge-response pairs suffice to break the protocol?
* How many CHOSEN challenge-response pairs suffice?
* For a given number of challenge-response pairs, how much computation suffices to break the protocol?
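
As an added illustration (not part of the lecture notes or the course's own material), the sketch below evaluates one constructed toy class of protocols along several of the dimensions above: a secret lookup table from challenge symbols to response digits, chosen uniformly at random, which needs no arithmetic to answer. The alphabets, the secret and every function name are assumptions made for this example.

```python
from fractions import Fraction
from itertools import product

SYMBOLS = "abcd"   # constructed challenge alphabet (assumption)
ANSWERS = "012"    # constructed response alphabet (assumption)

def all_protocols():
    """Every secret lookup table symbol -> answer; the class is uniform over these."""
    return [dict(zip(SYMBOLS, t)) for t in product(ANSWERS, repeat=len(SYMBOLS))]

def max_probability():
    """Largest probability of any single protocol under the uniform distribution."""
    return Fraction(1, len(all_protocols()))

def respond(protocol, challenge):
    """Human side of the protocol: one table lookup, no arithmetic."""
    return protocol[challenge]

def consistent(candidates, pairs):
    """Protocols an eavesdropper cannot rule out after seeing (challenge, response) pairs."""
    return [p for p in candidates if all(respond(p, c) == r for c, r in pairs)]

def pairs_to_break(secret, challenges):
    """Number of observed pairs after which exactly one candidate remains, else None."""
    candidates = all_protocols()
    for n, c in enumerate(challenges, start=1):
        candidates = consistent(candidates, [(c, respond(secret, c))])
        if len(candidates) == 1:
            return n
    return None

def expected_random_pairs():
    """Coupon-collector mean: uniform random challenges until every symbol is seen."""
    n = len(SYMBOLS)
    return n * sum(Fraction(1, k) for k in range(1, n + 1))

if __name__ == "__main__":
    secret = dict(zip(SYMBOLS, "2011"))  # constructed secret table
    print("possible protocols:", len(all_protocols()))
    print("max probability of one protocol:", max_probability())
    print("chosen pairs needed:", pairs_to_break(secret, "abcd"))
    print("pairs needed for one random-looking sequence:", pairs_to_break(secret, "aabacbd"))
    print("expected random pairs:", expected_random_pairs())
```

For this class the computation needed to break is trivial (each observed pair fixes one table entry), so its only defence is the number of pairs an observer has to collect.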