Solitaire CRyptography Applications Bistro 8 April 2004.
Tuesday:
  – High-tech crypto with sophisticated, expensive equipment using the principles of quantum mechanics to solve a problem most people don’t have
Today:
  – Low-tech crypto with ordinary, inexpensive equipment using the principles of shuffling to solve a problem most people don’t have
Solitaire
• Output-feedback mode stream cipher
• Designed by Bruce Schneier in 1999
• Implemented using a deck of cards
• Featured in Neal Stephenson’s novel Cryptonomicon
Tin-foil hat time
• You want to communicate securely with other people
• You don’t want the secret police to be able to decode your messages
• You don’t want to have to keep around incriminating evidence, such as a computer with PGP
• You want to be able to do this without electricity
Requirements
• Cannot rely on security-through-obscurity
• Must be secure even against a well-funded adversary
• Must be simple enough that someone can remember it
• Must not require incriminating equipment
• Must be entertaining enough to go in a Neal Stephenson novel
Overview of Solitaire
• The key consists of a shuffled deck, with two jokers: A and B
• A sequence of cuts and rearrangements generates a pseudo-random keystream
• The keystream is added to the plaintext, modulo 26, to encrypt
• The keystream is subtracted from the ciphertext to decrypt
The Algorithm
1. Move the A-joker one card down
2. Move the B-joker two cards down
3. Perform the triple-cut
4. Perform a count-cut, using the card on the bottom to count with
5. Find the output card, using the card on the top to count with
1. Moving the A joker
• If the joker is on the bottom, move it to one below the top card
[Figure: example deck before and after the A joker moves one card down]
2. Moving the B joker
• If the joker is on the bottom, wrap around like we did with the A joker
[Figure: example deck before and after the B joker moves two cards down]
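3. The Triple-Cut
[Figure: deck before and after the triple cut; the cards above *B and the cards below *A trade places, while the jokers and the cards between them stay in place]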
4. The Count Cut
[Figure: example deck before and after the count cut]
= 0 + n    = 13 + n    = 26 + n    = 39 + n    *A = *B = 53
5. Finding the output card
[Figure: example deck used to find the output card]
= 0 + n    = 13 + n    = 26 + n    = 39 + n    *A = *B = 53
1. Convert the top card to a number
2. Count down that many from the top
3. The next card is the output card
4. If the output card is a joker, go back to step 1
5. The deck does not change
J = 13 + 11 = 24
PLGRM BZIVF JGH
A 1    J 10    S 19
B 2    K 11    T 20
C 3    L 12    U 21
D 4    M 13    V 22
E 5    N 14    W 23
F 6    O 15    X 24
G 7    P 16    Y 25
H 8    Q 17    Z 26
I 9    R 18
Key Distribution
• Solitaire is a symmetric cipher, so we must have a key known to both parties
  – Use identically shuffled decks: 54! ≈ 2^237
    • requires distributing decks
    • requires good shuffling
  – Use a bridge ordering: 52!/(13!)^4 ≈ 2^95
    • need way to position jokers
    • the secret police read newspapers too
  – Use a passphrase to key the deck
Keying the Deck with a Passphrase
1. Move the A-joker down one card
2. Move the B-joker down two cards
3. Perform the triple cut
4. Perform the count cut based on top card
5. Perform a second count cut based on a letter from the passphrase
How many shuffles does it take to be “random”?
• In an ideal riffle shuffle, we split the deck in halves, then interleave the halves
• Cards in the same half are not reordered
• This yields 54!/(27! 27!) ≈ 2^50
• We’d need five shuffles to reach 2^237
Shuffling, in practice
• In practice, the 2^50 interleavings are not equally likely
  – cards near each other don’t separate much
• Keller [1995] claims seven shuffles are needed
How many bits are in a passphrase?
• English text is highly redundant
  – some studies claim you get 1.4 bits per character
  – You need at least 80 characters
Bias in Solitaire
• One would expect that, if Solitaire is a good CPRNG, the probability of getting the same keystream letter twice in a row would be 1/26
• Crowley [2001], through simulations, found that this is not the case: it appears to be about 1/22.5
• This information could, in theory, be exploited to form an attack
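The five steps from the algorithm slides and the repeated-letter bias described above, as an added Python example that is not part of the original slides. It assumes cards are encoded as 1 to 52 with the jokers as 53 (A) and 54 (B); the unshuffled deck and the seeded shuffle are constructed test keys.

```python
import random
from string import ascii_uppercase as ALPHA

A, B = 53, 54  # assumed encoding: cards are 1..52, jokers A and B are 53 and 54

def _move_down(deck, joker, n):
    """Steps 1-2: move a joker n cards down; from the bottom it wraps below the top card."""
    i = deck.index(joker)
    deck.remove(joker)
    j = i + n
    deck.insert(j if j <= len(deck) else j - len(deck), joker)

def step(deck):
    """Steps 1-4 on a copy of the deck; returns the next generator state."""
    deck = deck[:]
    _move_down(deck, A, 1)
    _move_down(deck, B, 2)
    lo, hi = sorted((deck.index(A), deck.index(B)))
    deck = deck[hi + 1:] + deck[lo:hi + 1] + deck[:lo]   # 3. triple cut
    n = min(deck[-1], 53)                                 # either joker counts as 53
    return deck[n:-1] + deck[:n] + deck[-1:]              # 4. count cut, bottom card stays

def keystream(deck, count):
    """Return `count` keystream numbers in 1..26; joker outputs are skipped (step 5)."""
    out = []
    while len(out) < count:
        deck = step(deck)
        card = deck[min(deck[0], 53)]                     # count down from the top card
        if card < 53:
            out.append((card - 1) % 26 + 1)
    return out

def crypt(text, deck, sign=1):
    """Add (sign=1, encrypt) or subtract (sign=-1, decrypt) the keystream mod 26; A-Z only."""
    ks = keystream(deck, len(text))
    return "".join(ALPHA[(ALPHA.index(c) + sign * k) % 26] for c, k in zip(text, ks))

def repeat_rate(deck, count):
    """Fraction of adjacent keystream letters that are equal; an unbiased generator gives 1/26."""
    ks = keystream(deck, count)
    return sum(a == b for a, b in zip(ks, ks[1:])) / (count - 1)

UNKEYED = list(range(1, 55))            # constructed test key: unshuffled deck, jokers last

if __name__ == "__main__":
    print(crypt("AAAAAAAAAA", UNKEYED))  # round-trips with crypt(..., UNKEYED, -1)
    deck = UNKEYED[:]
    random.Random(2004).shuffle(deck)    # constructed random key for the bias measurement
    print(repeat_rate(deck, 100_000), "vs", 1 / 26)
```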
Non-reversibility
• The cipher was designed to be reversible
  – You should be able to reconstruct the previous deck state from the current deck state
• However, the rules allowing the jokers to move from the bottom to the top of the deck are not reversible:
  * 1 2 3 4 5 6 ... 51 52  →  1 * 2 3 4 5 6 ... 51 52
  1 2 3 4 5 6 ... 51 52 *  →  1 * 2 3 4 5 6 ... 51 52
• Reversibility is not necessarily a problem, but reversible ciphers are easier to analyze
Practical Issues
• Solitaire uses output-feedback mode:
  – A single bit error in the ciphertext results in a single-bit error in the plaintext (good)
  – Not self-synchronizing: drop a bit of ciphertext and everything after it is lost (bad)
  – The keystream can be generated in advance of receiving the message
• Encryption and decryption are slow
• Key distribution is difficult
• Potential attacks based on lack of randomness
Future Work
• Develop attacks on Solitaire
• Develop a hand-computable asymmetric algorithm
  – This would address key distribution problem
  – You could, in theory, compute RSA by hand, but not with reasonable key sizes (for further details, see Dave’s license tag)
Other Games
• A deck of cards doesn’t have enough entropy for an asymmetric key (237 bits)
  – Two decks might be enough (474 or 578 bits)
• An 8x8 chessboard has 64!/(32!8!8!2!2!2!2!2!2!) ≈ 2^141 states
  – a group in CS588 designed a chess-based cipher last year
• A 19x19 go board has 3^361 ≈ 2^572 states
• Cellular automata might be computable by hand as well