From c8a6efaa23e7007f1558da8c3a731e56f60198ce Mon Sep 17 00:00:00 2001 From: dg-latacora Date: Thu, 5 Nov 2020 20:10:10 -0600 Subject: [PATCH 1/3] Smaller bites reviewed for PR384 --- src/exclusive-or.rst | 227 +++++++++++++++++++++---------------------- 1 file changed, 112 insertions(+), 115 deletions(-) diff --git a/src/exclusive-or.rst b/src/exclusive-or.rst index a44bb5fd..686e303d 100644 --- a/src/exclusive-or.rst +++ b/src/exclusive-or.rst @@ -58,16 +58,16 @@ both) is 1: There are a few useful arithmetic tricks we can derive from that. -#. You can apply XOR in any order: +#. XOR can be applied in any order: :math:`a \xor (b \xor c) = (a \xor b) \xor c` -#. You can flip the operands around: :math:`a \xor b = b \xor a` +#. The operands can be flipped around: :math:`a \xor b = b \xor a` #. Any bit XOR itself is 0: :math:`a \xor a = 0`. If :math:`a` is 0, - then it's :math:`0 \xor 0 = 0`; if :math:`a` is 1, then it's :math:`1 \xor 1 = 0`. + then :math:`0 \xor 0 = 0`; if :math:`a` is 1, then :math:`1 \xor 1 = 0`. #. Any bit XOR 0 is that bit again: :math:`a \xor 0 = a`. If :math:`a` - is 0, then it's :math:`0 \xor 0 = 0`; if :math:`a` is 1, then it's + is 0, then :math:`0 \xor 0 = 0`; if :math:`a` is 1, then :math:`1 \xor 0 = 1`. -These rules also imply :math:`a \xor b \xor a = b`: +These rules imply that :math:`a \xor b \xor a = b`: .. math:: @@ -77,9 +77,8 @@ These rules also imply :math:`a \xor b \xor a = b`: & = b & \; & \text{(fourth rule)} \end{aligned} -We'll use this property often when using XOR for encryption; you can -think of that first XOR with :math:`a` as encrypting, and the second one -as decrypting. +We use this property for XOR encryption. The first XOR :math:`a` can be thought of +as encrypting, and the second one as decrypting. Bitwise XOR ~~~~~~~~~~~ @@ -89,9 +88,9 @@ values. Since we usually deal with values comprised of many bits, most programming languages provide a “bitwise XOR” operator: an operator that performs XOR on the respective bits in a value. -Python, for example, provides the ``^`` (caret) operator that performs -bitwise XOR on integers. It does this by first expressing those two -integers in binary [#binary-integer]_, and then performing XOR on their respective +As an example, Python has the ``^`` (caret) operator performing +bitwise XOR on integers. It first expresses two +integers in binary [#binary-integer]_, and then performs XOR on their respective bits. Hence the name, *bitwise* XOR. .. math:: @@ -111,31 +110,30 @@ bits. Hence the name, *bitwise* XOR. \end{aligned} .. [#binary-integer] - Usually, numbers are already stored in binary internally, so this - doesn't actually take any work. When you see a number prefixed with - “0b”, the remaining digits are a binary representation. + Usually, numbers are internally stored in binary, so this + does not take any work. When a number is prefixed with + “0b” it means that the remaining digits are a binary representation. One-time pads ~~~~~~~~~~~~~ XOR may seem like an awfully simple, even trivial operator. Even so, -there's an encryption scheme, called a one-time pad, which consists of -just that single operator. It's called a one-time pad because it -involves a sequence (the “pad”) of random bits, and the security of the -scheme depends on only using that pad once. The sequence is called a pad +there is an encryption scheme. It is called a one-time pad, which consists of +a single operator with a sequence (“pad”) of random bits. The security of the +scheme depends on using the pad only once. The sequence is called a pad because it was originally recorded on a physical, paper pad. -This scheme is unique not only in its simplicity, but also because it -has the strongest possible security guarantee. If the bits are truly -random (and therefore unpredictable by an attacker), and the pad is only -used once, the attacker learns nothing about the plaintext when they see +The scheme is unique not only in its simplicity. It +has the highest security guarantee possible. If the bits are truly +random, they become unpredictable for an attacker. Additionally, if the pad is only +used once, the attacker learns nothing about the plaintext when viewing a ciphertext. [#msg-exists]_ .. [#msg-exists] - The attacker does learn that the message exists, and, in this simple - scheme, the length of the message. While this typically isn't too - important, there are situations where this might matter, and there - are secure cryptosystems to both hide the existence and the length of + The attacker does learn that the message exists and the message length + in this simple scheme. While this typically is not too + important, there are situations where this matters. + Secure cryptosystems exist to both hide the existence and the length of a message. @@ -148,10 +146,10 @@ XOR of the two sequences of bits. :align: center :alt: OTP -If an attacker sees the ciphertext, we can prove that they will learn -zero information about the plaintext without the key. This property is -called *perfect security*. The proof can be understood intuitively by -thinking of XOR as a programmable inverter, and then looking at a +If an attacker sees the ciphertext, we can prove that +zero information is learned about the plaintext without the key. This property is +called *perfect secrecy*. The proof can be understood intuitively. +Think of XOR as a programmable inverter, and look at a particular bit intercepted by Eve, the eavesdropper. .. figure:: Illustrations/XOR/OTPEve.svg @@ -167,28 +165,28 @@ probable. Attacks on “one-time pads” ~~~~~~~~~~~~~~~~~~~~~~~~~~ -The one-time pad security guarantee only holds if it is used correctly. -First of all, the one-time pad has to consist of truly random data. +The one-time pad security guarantee only holds if used correctly. +First of all, the one-time pad must consist of truly random data. Secondly, the one-time pad can only be used once (hence the name). Unfortunately, most commercial products that claim to be “one-time pads” -are snake oil [#snake-oil]_, and don't satisfy at least one of those two +are snake oil [#snake-oil]_, and do not satisfy at least one of these two properties. .. [#snake-oil] - “Snake oil” is a term for all sorts of dubious products that claim - extraordinary benefits and features, but don't really realize any of + “Snake oil” is a term for dubious products that claim + extraordinary benefits and features, yet do not realize any of them. Not using truly random data ^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The first issue is that they use various deterministic constructs to -produce the one-time pad, instead of using truly random data. That isn't +The first issue is that various deterministic constructs +produce the one-time pad instead of using truly random data. That is not necessarily insecure: in fact, the most obvious example, a synchronous -stream cipher, is something we'll see later in the book. However, it +stream cipher, is something we will see later in the book. However, it does invalidate the “unbreakable” security property of one-time pads. -The end user would be better served by a more honest cryptosystem, -instead of one that lies about its security properties. +The end user is better served by a more honest cryptosystem, +not one that lies about its security properties. Reusing the “one-time” pad ^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -258,19 +256,19 @@ with :numref:`fig-multitimepad`. XOR of ciphertexts. Two plaintexts, the re-used key, their respective - ciphertexts, and the XOR of the ciphertexts. Information about the - plaintexts clearly leaks through when we XOR the ciphertexts. + ciphertexts, and the XOR of the ciphertexts. Plaintext information clearly + leaks through when we XOR the ciphertexts. Crib-dragging ^^^^^^^^^^^^^ -A classical approach to breaking multi-time pad systems involves -“crib-dragging”, a process that uses small sequences that are expected -to occur with high probability. Those sequences are called “cribs”. The -name crib-dragging originated from the fact that these small “cribs” are +A classic approach to break multi-time pad systems is +“crib-dragging.” Crib-dragging uses small sequences expected +to occur with high probability. Those sequences are “cribs”. The +name crib-dragging originates from the fact that these small “cribs” are dragged from left to right across each ciphertext, and from top to -bottom across the ciphertexts, in the hope of finding a match somewhere. -Those matches form the sites of the start, or “crib”, if you will, of +bottom across the ciphertexts, in the hope of finding a match. +The matches form the sites of the start, or “crib”, if you will, of further decryption. The idea is fairly simple. Suppose we have several encrypted messages @@ -293,26 +291,26 @@ messages, let's say :math:`C_j`, we'd know :math:`K`: &= K \end{aligned} -Since :math:`K` is the shared secret, we can now use it to decrypt all -of the other messages, just as if we were the recipient: +Since :math:`K` is the shared secret, we can use it to decrypt all +other messages as if we are the recipient: .. math:: P_i = C_i \xor K \qquad \text{for all }i -Since we usually can't guess an entire message, this doesn't actually -work. However, we might be able to guess parts of a message. +This typically does not work because we cannot +guess an entire message. However, we can guess parts of a message. If we guess a few plaintext bits :math:`p_i` correctly for *any* of the -messages, that would reveal the key bits at that position for *all* of -the messages, since :math:`k = c_i \xor p_i`. Hence, all of the -plaintext bits at that position are revealed: using that value for +messages that reveals the key bits at that position for *all* of +the messages since :math:`k = c_i \xor p_i`. Hence, all of the +plaintext bits at that position are revealed. Using that value for :math:`k`, we can compute the plaintext bits :math:`p_i = c_i \xor k` for all the other messages. -Guessing parts of the plaintext is a lot easier than guessing the entire +Guessing parts of the plaintext is easier than guessing the entire plaintext. Suppose we know that the plaintext is in English. There are -some sequences that we know will occur very commonly, for example (the +sequences that will occur very commonly. For example (the :math:`\verb*| |` symbol denotes a space): - :math:`\verb*| the |` and variants such as :math:`\verb*|. The |` @@ -321,52 +319,52 @@ some sequences that we know will occur very commonly, for example (the - :math:`\verb*| and |` (no variants; only occurs in the middle of a sentence) - :math:`\verb*| a |` and variants -If we know more about the plaintext, we can make even better guesses. -For example, if it's HTTP serving HTML, we would expect to see things -like ``Content-Type``, ````, and so on. +We can make better guesses if more information is known about the plaintext. +For example, if HTTP is serving HTML we expect to see +`Content-Type``, ````, and so on. -That only tells us which plaintext sequences are likely, giving us -likely guesses. How do we tell if any of those guesses are correct? If -our guess is correct, we know all the other plaintexts at that position -as well, using the technique described earlier. We could simply look at +This only tells us which plaintext sequences are likely, giving us +likely guesses. How can we tell if the guesses are correct? If +our guess is correct, we know all the plaintexts at that position +based on using the technique described earlier. We can simply look at those plaintexts and decide if they look correct. -In practice, this process needs to be automated because there are so -many possible guesses. Fortunately that's quite easy to do. For example, -a very simple but effective method is to count how often different +In practice, the process needs to be automated because of all potential +guesses. Fortunately that is easy to do. For example, +a simple but effective method is to count how often different symbols occur in the guessed plaintexts: if the messages contain English -text, we'd expect to see a lot of letters e, t, a, o, i, n. If we're -seeing binary nonsense instead, we know that the guess was probably +text, we expect to see a lot of letters e, t, a, o, i, n. If we +see binary nonsense instead, we know that the guess was probably incorrect, or perhaps that message is actually binary data. -These small, highly probable sequences are called “cribs” because -they're the start of a larger decryption process. Suppose your crib, +These small, highly probable sequences are known as “cribs” because +they are the start of a larger decryption process. Suppose your crib, ``the``, was successful and found the five-letter sequence ``t thr`` in -another message. You can then use a dictionary to find common words -starting with ``thr``, such as ``through``. If that guess were correct, -it would reveal four more bytes in all of the ciphertexts, which can be -used to reveal even more. Similarly, you can use the dictionary to find +another message. You can use a dictionary to find common words +starting with ``thr``, such as ``through``. If that is a correct guess, +it can reveal four more bytes in all of the ciphertexts. This information can be +useful for revealing more. Similarly, you can use the dictionary to find words ending in ``t``. -This becomes even more effective for some plaintexts that we know more -about. If some HTTP data has the plaintext ``ent-Len`` in it, then we -can expand that to ``Content-Length:``, revealing many more bytes. +This becomes greatly effective for plaintexts that we know more +about. If HTTP data has the plaintext ``ent-Len``, then we +can expand that to ``Content-Length:``. More bytes are easily revealed. While this technique works as soon as two messages are encrypted with -the same key, it's clear that this becomes even easier with more -ciphertexts using the same key, since all of the steps become more -effective: - -- We get more cribbing positions. -- More plaintext bytes are revealed with each successful crib and - guess, leading to more guessing options elsewhere. -- More ciphertexts are available for any given position, making guess - validation easier and sometimes more accurate. - -These are just simple ideas for breaking multi-time pads. While they're -already quite effective, people have invented even more effective -methods by applying advanced, statistical models based on natural -language analysis. This only demonstrates further just how broken +the same key, it is clear that the process becomes simpler when more +ciphertexts use the same key. Since all of the steps become more +effective we get: + +- More cribbing positions. +- More plaintext bytes revealed with each successful crib and + guess. This leads to more guessing options elsewhere. +- More ciphertexts available for any given position. This simplies guess + validation and at times increases accuracy. + +We have reviewed simple ideas for breaking multi-time pads. While they are +already quite effective, people invent more effective +methods by applying advanced, statistical models using natural +language analysis. This further demonstrates just how broken multi-time pads are. :cite:`mason:nltwotimepads` Remaining problems @@ -375,28 +373,27 @@ Remaining problems Real one-time pads, implemented properly, have an extremely strong security guarantee. It would appear, then, that cryptography is over: encryption is a solved problem, and we can all go home. Obviously, -that's not the case. - -One-time pads are rarely used, because they are horribly impractical: -the key is at least as large as all information you'd like to transmit, -*put together*. Plus, you'd have to exchange those keys securely, ahead -of time, with all people you'd like to communicate with. We'd like to -communicate securely with everyone on the Internet, and that's a very -large number of people. Furthermore, since the keys have to consist of -truly random data for its security property to hold, key generation is -fairly difficult and time-consuming without specialized hardware. - -One-time pads pose a trade-off. It's an algorithm with a solid -information-theoretic security guarantee, which you can not get from any -other system. On the other hand, it also has extremely impractical key -exchange requirements. However, as we'll see throughout this book, -secure symmetric encryption algorithms aren't the pain point of modern -cryptosystems. Cryptographers have designed plenty of those, while -practical key management remains one of the toughest challenges facing -modern cryptography. One-time pads may solve a problem, but it's the +that is not the case. + +One-time pads are rarely used for being horribly impractical. +The key is at least as large as all information you would like transmitted, +*put together*. Plus, the keys must be exchanged securely, ahead +of time, with all people in your communication network. We like to +communicate securely with everyone on the Internet, and that is a very +large number of people. Furthermore, since the keys must consist of +truly random data for the security property to hold, key generation is +difficult and time-consuming without specialized hardware. + +One-time pads pose a trade-off. An advantage is that a one-time pad is an algorithm with a solid +information-theoretic security guarantee. The guarantee is not available with any +other system. On the other hand, the key exchange requirements are exteremely impractical. +However, throughout this book, +we will see that secure symmetric encryption algorithms are not the pain point of modern +cryptosystems. Cryptographers designed plenty while +practical key management is the toughest challenges facing +modern cryptography. One-time pads may solve a problem, but it is the wrong problem. -While they may have their uses, they're obviously not a panacea. We need -something with manageable key sizes while maintaining secrecy. We need -ways to negotiate keys over the Internet with people we've never met -before. +One-time pads may have practical use, but they are obviously not a panacea. We need +a system with manageable key sizes and capable of maintaining secrecy. Additionally, a +system to negotiate keys over the Internet with complete strangers is necessary. From 22a9af586005180a4b6bec39df76ef4a3a917bae Mon Sep 17 00:00:00 2001 From: dg-latacora Date: Tue, 10 Nov 2020 20:14:51 -0600 Subject: [PATCH 2/3] Fix 1 typo and 1 phrase --- src/exclusive-or.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/exclusive-or.rst b/src/exclusive-or.rst index 686e303d..8671005b 100644 --- a/src/exclusive-or.rst +++ b/src/exclusive-or.rst @@ -320,7 +320,7 @@ sequences that will occur very commonly. For example (the - :math:`\verb*| a |` and variants We can make better guesses if more information is known about the plaintext. -For example, if HTTP is serving HTML we expect to see +For example, if HTML is served over HTTP we expect to see `Content-Type``, ````, and so on. This only tells us which plaintext sequences are likely, giving us @@ -358,7 +358,7 @@ effective we get: - More cribbing positions. - More plaintext bytes revealed with each successful crib and guess. This leads to more guessing options elsewhere. -- More ciphertexts available for any given position. This simplies guess +- More ciphertexts available for any given position. This simplifies guess validation and at times increases accuracy. We have reviewed simple ideas for breaking multi-time pads. While they are From 7c61b18d9e5f11b8b7fbdae7147fc7f04a464428 Mon Sep 17 00:00:00 2001 From: dg-latacora Date: Mon, 16 Nov 2020 15:39:05 -0600 Subject: [PATCH 3/3] Change back a meaning chaning phrase to the original wording --- src/exclusive-or.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/exclusive-or.rst b/src/exclusive-or.rst index 8671005b..0a2e524a 100644 --- a/src/exclusive-or.rst +++ b/src/exclusive-or.rst @@ -378,7 +378,7 @@ that is not the case. One-time pads are rarely used for being horribly impractical. The key is at least as large as all information you would like transmitted, *put together*. Plus, the keys must be exchanged securely, ahead -of time, with all people in your communication network. We like to +of time, with all people you would like to communicate with. We would like to communicate securely with everyone on the Internet, and that is a very large number of people. Furthermore, since the keys must consist of truly random data for the security property to hold, key generation is