perfect secrecy - indian institute of technology...
CR
Perfect Secrecy
Chester Rebeiro, IIT Madras
STINSON: chapter 2
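
Encryption
[Figure: Alice encrypts the plaintext "Attack at Dawn!!" with E under key K and sends the ciphertext "#%AR3Xf34^$" over an untrusted communication link, where Mallory is listening. Bob decrypts it with D under the same key K and recovers "Attack at Dawn!!".]
How do we design ciphers?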

Cipher Models (What are the goals of the design?)
• Computation Security
  – "My cipher can withstand all attacks with complexity less than 2^2048"
  – "The best attacker with the best computation resources would take 3 centuries to attack my cipher"
• Unconditional Security
  – "My cipher is secure against all attacks irrespective of the attacker's power. I can prove this!!"
  – This model is also known as Perfect Secrecy. Can such a cryptosystem be built? We shall investigate this.
• Provable Security (hardness relative to a tough problem)
  – "If my cipher can be broken then large numbers can be factored easily"

Analyzing Unconditional Security
• Assumptions
  – Ciphertext-only attack model: the attacker only has information about the ciphertext. The key and plaintext are secret.
• We first analyze a single encryption, then relax this assumption by analyzing multiple encryptions with the same key

Encryption
[Figure: the encryption function e_k maps the plaintext set P to the ciphertext set C]
• For a given key, the encryption (e_k) defines an injective mapping between the plaintext set (P) and ciphertext set (C)
• Alice picks a plaintext x ∈ P, chooses a key (independently), and encrypts it to obtain a ciphertext y ∈ C

Plaintext Distribution
• Let X be a discrete random variable over the set P
• Alice chooses x from P based on some probability distribution
  – Let Pr[X=x] be the probability that x is chosen
  – This probability may depend on the language
Plaintext set P = {a, b, c}
Pr[X=a] = 1/2
Pr[X=b] = 1/3
Pr[X=c] = 1/6
Note: Pr[a] + Pr[b] + Pr[c] = 1

Key Distribution
• Alice & Bob agree upon a key k chosen from a key set K
• Let K be a random variable denoting this choice
keyspace
Pr[K=k1] = ¾
Pr[K=k2] = ¼
There are two keys in the key set, thus there are two possible encryption mappings (e_k1 and e_k2)

Ciphertext Distribution
• Let Y be a discrete random variable over the set C
• The probability of obtaining a particular ciphertext y depends on the plaintext and key probabilities
$$\Pr[Y=y] = \sum_{k} \Pr(k)\,\Pr(d_k(y))$$
[Figure: the two mappings from the plaintext set {a, b, c} to the ciphertext set {P, Q, R}. e_k1: a→R, b→Q, c→P. e_k2: a→Q, b→R, c→P.]
plaintext
Pr[X=a] = 1/2
Pr[X=b] = 1/3
Pr[X=c] = 1/6
keyspace
Pr[K=k1] = ¾
Pr[K=k2] = ¼
Pr[Y=P] = Pr(k1)*Pr(c) + Pr(k2)*Pr(c) = (3/4*1/6) + (1/4*1/6) = 1/6
Pr[Y=Q] = Pr(k1)*Pr(b) + Pr(k2)*Pr(a) = (3/4*1/3) + (1/4*1/2) = 3/8
Pr[Y=R] = Pr(k1)*Pr(a) + Pr(k2)*Pr(b) = (3/4*1/2) + (1/4*1/3) = 11/24
Note: Pr[Y=P] + Pr[Y=Q] + Pr[Y=R] = 1

Attacker's Probabilities
• The attacker wants to determine the plaintext x
• Two scenarios
  – Attacker does not have y (a priori probability)
    • Probability of determining x is simply Pr[x]
    • Depends on plaintext distribution (e.g. language characteristics)
  – Attacker has y (a posteriori probability)
    • Probability of determining x is simply Pr[x|y]

A posteriori Probabilities
• How to compute the attacker's a posteriori probabilities?
  – Bayes' Theorem
$$\Pr[X=x \mid Y=y] = \Pr[x \mid y] = \frac{\Pr[x] \times \Pr[y \mid x]}{\Pr[y]}$$
Here Pr[x] is the probability of the plaintext and Pr[y] is the probability of this ciphertext.
$$\Pr[y \mid x] = \sum_{\{k \,:\, d_k(y) = x\}} \Pr[k]$$
The probability that y is obtained given x depends on the keys which provide such a mapping
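
Pr[y|x]
Pr[P|a] = 0             Pr[P|b] = 0             Pr[P|c] = 1
Pr[Q|a] = Pr[k2] = ¼    Pr[Q|b] = Pr[k1] = ¾    Pr[Q|c] = 0
Pr[R|a] = Pr[k1] = ¾    Pr[R|b] = Pr[k2] = ¼    Pr[R|c] = 0
keyspace
Pr[K=k1] = ¾
Pr[K=k2] = ¼
[Figure: the mappings e_k1 and e_k2 from the plaintext set {a, b, c} to the ciphertext set {P, Q, R}]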

Computing A Posteriori Probabilities
$$\Pr[x \mid y] = \frac{\Pr[x] \times \Pr[y \mid x]}{\Pr[y]}$$
plaintext
Pr[X=a] = 1/2
Pr[X=b] = 1/3
Pr[X=c] = 1/6
ciphertext
Pr[Y=P] = 1/6
Pr[Y=Q] = 3/8
Pr[Y=R] = 11/24
Pr[y|x]
Pr[P|a] = 0    Pr[P|b] = 0    Pr[P|c] = 1
Pr[Q|a] = ¼    Pr[Q|b] = ¾    Pr[Q|c] = 0
Pr[R|a] = ¾    Pr[R|b] = ¼    Pr[R|c] = 0
Pr[x|y]
Pr[a|P] = 0    Pr[a|Q] = 1/3    Pr[a|R] = 9/11
Pr[b|P] = 0    Pr[b|Q] = 2/3    Pr[b|R] = 2/11
Pr[c|P] = 1    Pr[c|Q] = 0      Pr[c|R] = 0
If the attacker sees ciphertext P then she would know the plaintext was c
If the attacker sees ciphertext R then she would know a is the most likely plaintext
Not a good encryption mechanism!!

Perfect Secrecy
• Perfect secrecy achieved when
  a posteriori probabilities = a priori probabilities
$$\Pr[x \mid y] = \Pr[x]$$
  i.e. the attacker learns nothing from the ciphertext
Intuitively, by seeing the safe, you learn nothing about what is in it

Perfect Secrecy Example
• Find the a posteriori probabilities for the following scheme
• Verify that it is perfectly secret.
keyspace
Pr[K=k1] = 1/3
Pr[K=k2] = 1/3
Pr[K=k3] = 1/3
plaintext
Pr[X=a] = 1/2
Pr[X=b] = 1/3
Pr[X=c] = 1/6
[Figure: three mappings e_k1, e_k2 and e_k3 from the plaintext set {a, b, c} to the ciphertext set {P, Q, R}]

Observations on Perfect Secrecy
Perfect secrecy iff
$$\Pr[Y=y \mid X=x] = \Pr[Y=y]$$
Follows from Bayes' theorem
Perfect Indistinguishability
$$\Pr[Y=y \mid X=x_1] = \Pr[Y=y \mid X=x_2] \quad \forall x_1, x_2 \in P$$
Perfect secrecy has nothing to do with plaintext distribution. Thus a crypto-scheme will achieve perfect secrecy irrespective of the language used in the plaintext.

Shift Cipher with a Twist
• Plaintext set: P = {0, 1, 2, 3, …, 25}
• Ciphertext set: C = {0, 1, 2, 3, …, 25}
• Keyspace: K = {0, 1, 2, 3, …, 25}
• Encryption rule: e_K(x) = (x + K) mod 26
• Decryption rule: d_K(x) = (x – K) mod 26
  where K ∈ K and x ∈ P
The Twist: (1) the key changes after every encryption
           (2) keys are picked with uniform probability

The Twisted Shift Cipher is Perfectly Secure
[Derivation: the equations are not present in the transcript; the annotations that accompany them follow]
• Keys chosen with uniform probability
• This is 1 because the sum is over all values of x
• For every pair of y and x, there is exactly one key. Probability of that key is 1/26

Shannon's Theorem
If |K| = |C| = |P| then the system provides perfect secrecy iff
(1) every key is used with equal probability 1/|K|, and
(2) for every x ∈ P and y ∈ C, there exists a unique key k ∈ K such that e_k(x) = y
Intuition:
• Every y ∈ C can result from any of the possible plaintexts x
• Since |K| = |P| there is exactly one mapping from each plaintext to y
• Since each key is equi-probable, each of these mappings is equally probable
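
An added example (not from the original slides) that carries out the a posteriori computation and the test Pr[x|y] = Pr[x] in exact arithmetic, first for the two-key cipher analysed earlier and then for the twisted shift cipher. The k1/k2 mappings are read off the Pr[y|x] table; the skewed plaintext distribution and the biased key distribution are constructed for the illustration.

```python
from fractions import Fraction as F

def posteriors(px, pk, enc):
    """Return {y: {x: Pr[x|y]}} given Pr[x], Pr[k] and enc[k][x] = e_k(x)."""
    joint = {}                                   # joint[(x, y)] = Pr[X=x, Y=y]
    for k, pr_k in pk.items():
        for x, pr_x in px.items():
            xy = (x, enc[k][x])
            joint[xy] = joint.get(xy, 0) + pr_k * pr_x
    py = {}                                      # Pr[Y=y], summed over x
    for (x, y), p in joint.items():
        py[y] = py.get(y, 0) + p
    return {y: {x: joint.get((x, y), F(0)) / py[y] for x in px} for y in py}

def perfectly_secret(px, pk, enc):
    """True iff Pr[x|y] == Pr[x] for every plaintext x and reachable ciphertext y."""
    post = posteriors(px, pk, enc)
    return all(post[y][x] == px[x] for y in post for x in px)

# Two-key cipher from the slides; mappings read off the Pr[y|x] table.
PX = {"a": F(1, 2), "b": F(1, 3), "c": F(1, 6)}
PK = {"k1": F(3, 4), "k2": F(1, 4)}
ENC = {"k1": {"a": "R", "b": "Q", "c": "P"},
       "k2": {"a": "Q", "b": "R", "c": "P"}}

# Twisted shift cipher: 26 equiprobable keys, e_K(x) = (x + K) mod 26.
SHIFT_ENC = {k: {x: (x + k) % 26 for x in range(26)} for k in range(26)}
UNIFORM_PK = {k: F(1, 26) for k in range(26)}
# Constructed inputs: a skewed plaintext distribution and a biased key choice.
SKEWED_PX = {0: F(26, 51), **{x: F(1, 51) for x in range(1, 26)}}
BIASED_PK = {0: F(1, 2), **{k: F(1, 50) for k in range(1, 26)}}

if __name__ == "__main__":
    for y, row in sorted(posteriors(PX, PK, ENC).items()):
        print(y, {x: str(p) for x, p in row.items()})
    print("two-key cipher perfectly secret:", perfectly_secret(PX, PK, ENC))
    print("shift, uniform keys:", perfectly_secret(SKEWED_PX, UNIFORM_PK, SHIFT_ENC))
    print("shift, biased keys: ", perfectly_secret(SKEWED_PX, BIASED_PK, SHIFT_ENC))
```

With uniform keys the shift cipher passes the test even for the skewed plaintext distribution; dropping condition (1) of the theorem (the biased keys) makes it fail.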

One Time Pad (Vernam's Cipher)
[Figure: a plaintext block of length L is XORed with a key of length L to produce a ciphertext of length L]
• The key is chosen uniformly from a keyspace of size 2^L: Pr[K=k] = 1/2^L
• Encryption: x ⊕ k = y
• Decryption: y ⊕ k = x

One Time Pad (Example)
[Figure: worked example, not present in the transcript]

One Time Pad is Perfectly Secure
• Proof using indistinguishability
$$\Pr[Y=y \mid X=x] = \Pr[X=x, K=k \mid X=x] \quad (\text{from } x \oplus k = y)$$
$$= \Pr[K=k] = \frac{1}{2^L}$$
$$\Pr[Y=y \mid X=x_1] = \frac{1}{2^L} = \Pr[Y=y \mid X=x_2] \quad \forall x_1, x_2 \in X$$
This implies perfect indistinguishability that is independent of the plaintext distribution

Limitations of Perfect Secrecy
• Key must be at least as long as the message
  – Limits applicability if messages are long
• Key must be changed for every encryption
  – If the same key is used twice, then an adversary can compute the ex-or of the messages
$$x_1 \oplus k = y_1$$
$$x_2 \oplus k = y_2$$
$$x_1 \oplus x_2 = y_1 \oplus y_2$$
The attacker can then do language analysis to determine y1 and y2
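
An added example (not from the original slides) showing the key-reuse identity above on real bytes, next to a pad object that enforces the "one time" rule. The class name, function names and the two sample messages are constructed for the illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings (x XOR k = y, y XOR k = x)."""
    if len(a) != len(b):
        raise ValueError("the key must be exactly as long as the message")
    return bytes(p ^ q for p, q in zip(a, b))

class OneTimePad:
    """Holds one uniformly random key and refuses to encrypt twice with it."""
    def __init__(self, length: int):
        self._key = secrets.token_bytes(length)
        self._used = False

    def encrypt(self, x: bytes) -> bytes:
        if self._used:
            raise RuntimeError("pad already used; draw a fresh key")
        y = xor(x, self._key)          # raises before the pad is marked used
        self._used = True
        return y

def ciphertext_xor_under_reuse(x1: bytes, x2: bytes) -> bytes:
    """Encrypt x1 and x2 under the SAME key (the mistake) and return y1 XOR y2."""
    k = secrets.token_bytes(len(x1))
    y1, y2 = xor(x1, k), xor(x2, k)
    return xor(y1, y2)                 # the key cancels: equals x1 XOR x2

# Constructed sample messages of equal length (16 bytes each).
X1 = b"ATTACK AT DAWN!!"
X2 = b"RETREAT AT NOON!"

if __name__ == "__main__":
    leak = ciphertext_xor_under_reuse(X1, X2)
    print("y1^y2 == x1^x2:", leak == xor(X1, X2))
    print("x2 follows from x1:", xor(leak, X1))
```

Whatever key is drawn, the XOR of the two ciphertexts is independent of it, which is why the redundancy of the language is enough to separate the two messages.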

Ciphers in Practice
• Perfect secrecy is difficult to achieve in practice
• Instead we use a crypto-scheme that cannot be broken in reasonable time with reasonable success
• This means,
  – Security is only achieved against adversaries that run in polynomial time
  – Attackers can potentially succeed with a very small probability (attackers need to be very lucky to succeed)

Quantifying Information

A Metric to Quantify Information
There is one letter missing in each of these words. Can you find the letter so that the words make sense?
reate shool sott      →  create school scott
nough ntwork hardwar  →  enough network hardware
Frequently occurring letters (like e) contain less information than non-frequent letters (like c)
We need to have a function to quantify information! Additionally, the function should
(1) be continuous
(2) be able to sum individual information (e.g. X1: Message 1, X2: Message 2): I(X1, X2) = I(Message 1) + I(Message 2)

Metric to Quantify Information (Claude Shannon)
Pr(e) = 0.12702    -log2(0.12702) = 2.97
Pr(a) = 0.08167    -log2(0.08167) = 3.61
Pr(m) = 0.02406    -log2(0.02406) = 5.37
Pr(c) = 0.02782    -log2(0.02782) = 5.16
Pr(q) = 0.0095     -log2(0.0095) = 6.71
...
A higher probability indicates lesser information content.
To find the average information content of a language, find the weighted sum as follows
$$H(X) = \sum_{i=1}^{n} p_i \log_2\left(\frac{1}{p_i}\right)$$
Call this term the Entropy
Entropy of English
  Contemporary: 4.03 bits
  Shakespeare: 4.106 bits
German: 4.08 bits
French: 4.00 bits
Italian: 3.98 bits
Spanish: 3.98 bits
Maximum entropy occurs when each letter is equally likely (i.e. 1/26). The maximum entropy is -log_2(1/26) = 4.7
Entropy provides the average number of bits needed to represent letters in the language

Entropy of the Weather Forecast
Weather Forecast: "Tomorrow the weather will be __________"
M1: Sunny (with probability 0.05)
M2: Cloudy (with probability 0.15)
M3: Light Rain (with probability 0.70)
M4: Heavy Rain (with probability 0.10)
$$H(\text{Forecast}) = \sum_{i=1}^{n} p_i \log_2\left(\frac{1}{p_i}\right)$$
$$= -\big((0.05)\log_2 0.05 + (0.15)\log_2 0.15 + (0.7)\log_2 0.7 + (0.1)\log_2 0.1\big) = 1.319$$

Entropy and Uncertainty
• Alice thinks of a number (0 or 1)
• The choice is denoted by a discrete random variable X.
• What is Mallory's uncertainty about X?
  – Depends on the probability distribution of X

Uncertainty
• Let's assume Mallory knows this probability distribution.
• If Pr[X=1] = 1 and Pr[X=0] = 0
  – Then Mallory can determine X with 100% accuracy
• If Pr[X=0] = .75 and Pr[X=1] = .25
  – Mallory will guess X as 0, and gets it right 75% of the time
• If Pr[X=0] = Pr[X=1] = 0.5
  – Mallory's guess would be similar to a uniformly random guess. Gets it right ½ the time.
[Figure: plot of the entropy of X against Pr[X=0], with axis ticks at 0, .5 and 1]
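
What is the Entropy of X?
Pr[X=0] = p and Pr[X=1] = 1 – p
H(X) = –p log2 p – (1 – p) log2(1 – p)
H(X) at p=0 is 0, H(X) at p=1 is 0, H(X) at p=.5 is 1 (using lim p→0 (p log p) = 0)
[Figure: plot of H(X) against p, with p-axis ticks at 0, .5 and 1 and H(X)-axis tick at 1]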

Properties of H(X)
• If X is a random variable, which takes on values {1, 2, 3, …, n} with probabilities p1, p2, p3, …, pn, then
  1. H(X) ≤ log2 n
  2. When p1 = p2 = p3 = … = pn = 1/n then H(X) = log2 n
Example: an 8-faced dice.
If the dice is fair, then we obtain the maximum entropy of 3 bits
If the dice is unfair, then the entropy is < 3 bits

Entropy and Coding
• Entropy quantifies information content
  "Can we encode a message M in such a way that the average length is as short as possible and hopefully equal to H(M)?"
Huffman Codes: allocate more bits to least probable events
               allocate less bits to popular events
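
Example
• S = {A, B, C, D} are 4 symbols
• Probability of occurrence is: P(A) = 1/8, P(B) = ½, P(C) = 1/8, P(D) = 1/4
[Figure: Huffman tree. C (1/8) and A (1/8) are joined on branches 0 and 1 into a node of weight 1/4; D (1/4) and that node are joined into a node of weight 1/2; B (1/2) and that node are joined at the root.]
Encoding
A: 111
B: 0
C: 110
D: 10
To decode, with each bit traverse the tree from the root until you reach a leaf. Decode this? 1101010111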

Example: Average Length and Entropy
• S = {A, B, C, D} are 4 symbols
• Probability of occurrence is: p(A) = 1/8, p(B) = ½, p(C) = 1/8, p(D) = ¼
• Average length of Huffman code: 3*p(A) + 1*p(B) + 3*p(C) + 2*p(D) = 1.75
• Entropy H(S) = -1/8 log2(8) – ½ log2(2) – 1/8 log2(8) – ¼ log2(4) = 1.75
Encoding
A: 111
B: 0
C: 110
D: 10
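
An added example (not from the original slides) that runs the standard Huffman merge procedure on the four symbol probabilities, confirms that it yields the codeword lengths in the encoding table, decodes a bit string with that table, and compares average length with entropy. The function names are chosen for the illustration.

```python
import heapq
from fractions import Fraction as F
from math import log2

PROBS = {"A": F(1, 8), "B": F(1, 2), "C": F(1, 8), "D": F(1, 4)}
SLIDE_CODE = {"A": "111", "B": "0", "C": "110", "D": "10"}   # encoding from the slide

def huffman_lengths(probs):
    """Codeword length per symbol: repeatedly merge the two least probable nodes."""
    heap = [(p, i, [s]) for i, (s, p) in enumerate(sorted(probs.items()))]
    heapq.heapify(heap)
    depth = dict.fromkeys(probs, 0)
    tie = len(heap)                      # unique tie-breaker for merged nodes
    while len(heap) > 1:
        p1, _, s1 = heapq.heappop(heap)
        p2, _, s2 = heapq.heappop(heap)
        for s in s1 + s2:                # every symbol under the merge gains one bit
            depth[s] += 1
        heapq.heappush(heap, (p1 + p2, tie, s1 + s2))
        tie += 1
    return depth

def decode(bits, code):
    """Consume bits until a codeword completes; valid because the code is prefix-free."""
    inverse = {w: s for s, w in code.items()}
    out, current = [], ""
    for b in bits:
        current += b
        if current in inverse:
            out.append(inverse[current])
            current = ""
    if current:
        raise ValueError("trailing bits do not form a codeword")
    return "".join(out)

def average_length(code, probs):
    return sum(len(code[s]) * probs[s] for s in probs)

def entropy(probs):
    return sum(float(p) * log2(float(1 / p)) for p in probs.values())

if __name__ == "__main__":
    print(huffman_lengths(PROBS))
    print(decode("1101010111", SLIDE_CODE))
    print(float(average_length(SLIDE_CODE, PROBS)), entropy(PROBS))
```

The average length meets the entropy exactly here because every probability is a power of ½.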

Measuring the Redundancy in a Language
• Let S be a letter in a language (e.g. S = {A, B, C, D})
• $S^k = S \times S \times \cdots \times S$ (k times) is a set representing messages of length k
• Let S(k) be a random variable in $S^k$
• The average information in each letter is given by the rate of S(k):
$$r_k = \frac{H(S^{(k)})}{k}$$
• r_k for English is between 1.0 and 1.5 bits/letter
• Absolute rate: the maximum amount of information per character in a language
  – the absolute rate of language S is R = log2 |S|
  – For English, |S| = 26, therefore R = 4.7 bits/letter
• Redundancy of a language is D = R – r_k
  – For English when r_k = 1, then D = 3.7 → around 70% redundant
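
Example (One letter analysis)
• Consider a language with 26 letters of the set S = {s1, s2, s3, …, s26}. Suppose the language is characterized by the following probabilities. What is the language redundancy?
$$P(s_1) = \frac{1}{2}, \quad P(s_2) = \frac{1}{4}$$
$$P(s_i) = \frac{1}{64} \ \text{for } i = 3, 4, 5, 6, 7, 8, 9, 10$$
$$P(s_i) = \frac{1}{128} \ \text{for } i = 11, 12, \ldots, 26$$
Rate of the language for 1 letter analysis:
$$r_1 = \frac{H(S^{(1)})}{1} = \sum_{i=1}^{26} P(s_i) \log \frac{1}{P(s_i)}$$
$$= \frac{1}{2}\log 2 + \frac{1}{4}\log 4 + 8\left(\frac{1}{64}\log 64\right) + 16\left(\frac{1}{128}\log 128\right)$$
$$= \frac{1}{2} + \frac{1}{2} + \frac{6}{8} + \frac{7}{8} = 2.625$$
Absolute rate:
$$R = \log 26 = 4.7$$
Language redundancy:
$$D_1 = R - r_1 = 4.7 - 2.625 = 2.075$$
Language is ~70% redundant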
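
Example (Two letter analysis)
• In the set S = {s1, s2, s3, …, s26}, suppose the digram probabilities are as below. What is the language redundancy?
$$P(s_{i+1} \mid s_i) = P(s_{i+2} \mid s_i) = \frac{1}{2} \ \text{for } i = 1 \text{ to } 24$$
$$P(s_{26} \mid s_{25}) = P(s_1 \mid s_{25}) = P(s_1 \mid s_{26}) = P(s_2 \mid s_{26}) = \frac{1}{2}$$
all other probabilities are 0
$$P(s_1, s_2) = P(s_2 \mid s_1) \times P(s_1) = 1/4; \quad P(s_1, s_3) = P(s_3 \mid s_1) \times P(s_1) = 1/4$$
$$P(s_2, s_3) = P(s_3 \mid s_2) \times P(s_2) = 1/8; \quad P(s_2, s_4) = P(s_4 \mid s_2) \times P(s_2) = 1/8$$
$$P(s_i, s_{i+1}) = P(s_{i+1} \mid s_i)\,P(s_i) = 1/128 \ \text{for } i = 3, 4, \ldots, 10$$
$$P(s_i, s_{i+2}) = P(s_{i+2} \mid s_i)\,P(s_i) = 1/128 \ \text{for } i = 3, 4, \ldots, 10$$
$$P(s_i, s_{i+1}) = P(s_{i+1} \mid s_i)\,P(s_i) = 1/256 \ \text{for } i = 11, 12, \ldots, 24$$
$$P(s_i, s_{i+2}) = P(s_{i+2} \mid s_i)\,P(s_i) = 1/256 \ \text{for } i = 11, 12, \ldots, 24$$
$$P(s_{25}, s_{26}) = P(s_{25}, s_1) = P(s_{26}, s_1) = P(s_{26}, s_2) = 1/256$$
Rate of the language for 2 letter analysis:
$$r_2 = \frac{H(S^{(2)})}{2} = \frac{1}{2} \sum_{i,j=1}^{26} P(s_i, s_j) \log \frac{1}{P(s_i, s_j)}$$
$$= \frac{1}{2}\left[2\left(\frac{1}{4}\log 4\right) + 2\left(\frac{1}{8}\log 8\right) + 16\left(\frac{1}{128}\log 128\right) + 32\left(\frac{1}{256}\log 256\right)\right]$$
$$= \frac{1}{2}\left[1 + \frac{3}{4} + \frac{7}{8} + 1\right] = \frac{3.625}{2} = 1.8125$$
Language redundancy:
$$D_2 = R - r_2 = 4.7 - 1.8125 = 2.9$$
Language is ~60% redundant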

Observations
Single letter analysis: $r_1 = H(S^{(1)}) = 2.625; \ D = 2.075$
Two letter analysis: $H(S^{(2)}) = 3.625; \ r_2 = 1.8125; \ D = 2.9$
• H(S(2)) – H(S(1)) = 1 bit
  – why?
• As we increase the message size
  – Rate reduces; inferring less information per letter
  – Redundancy increases
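
An added example (not from the original slides) that rebuilds the one-letter and digram distributions of the two worked examples and recomputes H(S(1)), H(S(2)), the rates and the redundancies. The helper names are chosen for the illustration; letters are represented by their index i in s_i.

```python
from fractions import Fraction as F
from math import log2

N = 26                                          # |S|

# One-letter probabilities from the example.
P1 = {1: F(1, 2), 2: F(1, 4)}
P1.update({i: F(1, 64) for i in range(3, 11)})
P1.update({i: F(1, 128) for i in range(11, 27)})

def successors(i):
    """Indices that may follow s_i, each with probability 1/2 (wrapping past s_26)."""
    return [(i % N) + 1, ((i + 1) % N) + 1]

def digram_distribution():
    """P(s_i, s_j) = P(s_j | s_i) * P(s_i) for the digram model of the example."""
    return {(i, j): F(1, 2) * P1[i] for i in P1 for j in successors(i)}

def entropy(probs):
    return sum(float(p) * log2(float(1 / p)) for p in probs if p > 0)

def rate_and_redundancy(h, k):
    """(r_k, D_k) with r_k = H(S^(k)) / k and D_k = R - r_k, where R = log2 |S|."""
    r = h / k
    return r, log2(N) - r

H1 = entropy(P1.values())
H2 = entropy(digram_distribution().values())

if __name__ == "__main__":
    print("H(S1) =", H1, " r1, D1 =", rate_and_redundancy(H1, 1))
    print("H(S2) =", H2, " r2, D2 =", rate_and_redundancy(H2, 2))
    # H2 - H1 is the conditional entropy of the second letter given the first:
    # every letter has exactly two equally likely successors, i.e. 1 bit.
    print("H(S2) - H(S1) =", H2 - H1)
```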

Conditional Entropy
• Suppose X and Y are two discrete random variables, then conditional entropy is defined as
$$H(X \mid Y) = \sum_{x} \sum_{y} p(y)\,p(x \mid y) \log_2\left(\frac{1}{p(x \mid y)}\right)$$
$$= \sum_{x} \sum_{y} p(x, y) \log_2\left(\frac{p(y)}{p(x, y)}\right)$$
Derive using the fact that p(a|b) = p(a,b)/p(b)
• Conditional entropy means…
  – What is the remaining uncertainty about X given Y
  – H(X|Y) ≤ H(X) with equality when X and Y are independent

Joint Entropy
• Suppose X and Y are two discrete random variables, and p(x,y) the value of the joint probability distribution when X=x and Y=y
• Then the joint entropy is given by
$$H(X, Y) = \sum_{x} \sum_{y} p(x, y) \log_2\left(\frac{1}{p(x, y)}\right)$$
• The joint entropy is the average uncertainty of 2 random variables
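
Entropy and Encryption
[Figure: the encryption E takes a message m (M^n distribution) and a key k (K distribution) and outputs a ciphertext c (C^n distribution); n: length of message/ciphertext]
• There are three entropies: H(P(n)), H(K), H(C(n))
• Message Equivocation: if the attacker can view n ciphertexts, what is his uncertainty about the message
$$H(M^{(n)} \mid C^{(n)}) = \sum_{c \in C^n} \sum_{m \in M^n} p(c)\,p(m \mid c) \log_2\left(\frac{1}{p(m \mid c)}\right)$$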
• Key Equivocation: if the attacker can view n ciphertexts, what is his uncertainty about the key
$$H(K \mid C^{(n)}) = \sum_{c \in C^n} \sum_{k \in K} p(c)\,p(k \mid c) \log_2\left(\frac{1}{p(k \mid c)}\right)$$

Unicity Distance
• As n increases, H(K|C(n)) reduces…
  – This means that the uncertainty of the key reduces as the attacker observes more ciphertexts
$$H(K \mid C^{(n)}) = \sum_{c \in C^n} \sum_{k \in K} p(c)\,p(k \mid c) \log_2\left(\frac{1}{p(k \mid c)}\right)$$
• Unicity distance is the value of n for which $H(K \mid C^{(n)}) \approx 0$
  – This means, the entire key can be determined in this case

Unicity Distance and Classical Ciphers
Cipher                        Unicity Distance (for English)
Caesar's Cipher               1.5 letters
Affine Cipher                 2.6 letters
Simple Substitution Cipher    27.6 letters
Permutation Cipher            0.12 (block size = 3), 0.66 (block size = 4), 1.32 (block size = 5), 2.05 (block size = 6)
Vigenere Cipher               1.47d (d is the key length)

Product Ciphers
• Consider a cryptosystem where P = C (this is an endomorphic system)
  – Thus the ciphertext and the plaintext set is the same
• Combine two ciphering schemes to build a product cipher
[Figure: P is encrypted by E1 under K1 to give C1 = P2, which is encrypted by E2 under K2 to give C. The ciphertext of the first cipher is fed as input to the second cipher; the combined key is K1 || K2.]
Given two endomorphic crypto-systems
$$S_1: (P, P, K_1, E_1, D_1) \qquad d_{K_1}(e_{K_1}(x)) = x$$
$$S_2: (P, P, K_2, E_2, D_2) \qquad d_{K_2}(e_{K_2}(x)) = x$$
Resultant product cipher
$$S_1 \times S_2: (P, P, K_1 \times K_2, E, D)$$
$$e_{(K_1, K_2)}(x) = e_{K_2}(e_{K_1}(x))$$
$$d_{(K_1, K_2)}(x) = d_{K_1}(d_{K_2}(x))$$
Resultant key space: $K_1 \times K_2$

Affine Cipher is a Product Cipher
• P = C = {0, 1, 2, …, 25}
Multiplicative Cipher (M)
  Encryption (e_a(x)): y = ax mod 26
  Decryption (d_a(x)): x = a^-1 y mod 26
Shift Cipher (S)
  Encryption (e_b(x)): y = x + b mod 26
  Decryption (d_b(x)): x = y - b mod 26
Affine Cipher = M x S
• Affine cipher: y = ax + b mod 26
• Size of key space is
  – Size of key space for multiplicative cipher * size of key space for shift cipher
  – 12 * 26 = 312

Is S x M the same as the Affine Cipher?
• S x M: y = a(x + b) mod 26 = ax + ba mod 26
• Key is (b, a)
• ba mod 26 is some b' such that a^-1 b' = b mod 26
• This can be represented as an affine cipher, y = ax + b' mod 26
Thus affine ciphers are commutable (i.e. S x M = M x S)
Create a non-commutable product cipher

Idempotent Ciphers
• If $S_1: (P, P, K_1, E_1, D_1)$ is an endomorphic cipher
• then it is possible to construct product ciphers of the form S1 x S1, denoted $S^2: (P, P, K \times K, E, D)$
• If $S^2 = S$ then the cipher is called an idempotent cipher
Show that the simple substitution cipher is idempotent
Does the security of the newly formed cipher increase?
In a non-idempotent cipher, however, the security may increase.
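
An added example (not from the original slides) that checks the product-cipher claims above by enumerating every key's encryption rule as a substitution table: M x S has 312 distinct rules, S x M gives the same set, and the shift cipher is idempotent. Simple substitution over 26 letters has too many keys to enumerate, so the idempotence check for it runs on a 4-letter alphabet, which is an assumption made for the illustration.

```python
from itertools import permutations
from math import gcd

N = 26
UNITS = [a for a in range(N) if gcd(a, N) == 1]    # the 12 invertible multipliers

def shift(b):
    return lambda x: (x + b) % N                   # S: y = x + b mod 26

def multiply(a):
    return lambda x: (a * x) % N                   # M: y = ax mod 26

def tables(keys, cipher):
    """Every key's encryption rule written out as a substitution table."""
    return {tuple(cipher(k)(x) for x in range(N)) for k in keys}

def product(keys1, cipher1, keys2, cipher2):
    """Tables of cipher1 x cipher2: encrypt with cipher1, then with cipher2."""
    return {tuple(cipher2(k2)(cipher1(k1)(x)) for x in range(N))
            for k1 in keys1 for k2 in keys2}

M_x_S = product(UNITS, multiply, range(N), shift)  # y = ax + b
S_x_M = product(range(N), shift, UNITS, multiply)  # y = a(x + b)
S_x_S = product(range(N), shift, range(N), shift)  # 26 * 26 key pairs

def substitution_is_idempotent(n):
    """Check S x S == S for simple substitution over an n-letter alphabet."""
    subs = set(permutations(range(n)))
    squared = {tuple(q[p[x]] for x in range(n)) for p in subs for q in subs}
    return squared == subs

if __name__ == "__main__":
    print(len(M_x_S), M_x_S == S_x_M)              # affine key space; commutes
    print(len(S_x_S), S_x_S == tables(range(N), shift))
    print(substitution_is_idempotent(4))
```

S x S takes 676 key pairs but produces only the 26 rules of S, so composing an idempotent cipher with itself adds no security.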

Iterative Cipher
• An n-fold product of this is S x S x S … (n times) = S^n is an iterative cipher
All modern block ciphers like DES, 3-DES, AES, etc. are iterative, non-idempotent, product ciphers.
We will see more about these ciphers next!!