Perché i pad monouso sono perfettamente sicuri? [chiuso]

-5

Posso trovare / accedere all'articolo di Francis Litterio "Perché i one time pad sono perfettamente sicuri?"

    
posta Will 21.05.2018 - 00:09
fonte

2 risposte

1

Non capisco davvero la tua domanda, ma ecco quello che penso hai richiesto:

link - Articolo di Francis Litterio:

First, I describe how an xor-based one-time pad (OTP) cipher works. Then, I show why xor-based OTPs are perfectly secure against ciphertext-only cryptanalysis.

What is a One-Time Pad?

A one-time pad is a very simple yet completely unbreakable symmetric cipher. “Symmetric” means it uses the same key for encryption as for decryption. As with all symmetric ciphers, the sender must transmit the key to the recipient via some secure and tamperproof channel, otherwise the recipient won’t be able to decrypt the ciphertext. The key for a one-time pad cipher is a string of random bits, usually generated by a cryptographically strong pseudo-random number generator (CSPRNG). For more information, see David Deley’s Computer Generated Random Numbers. It is better to generate the key using the natural randomness of quantum mechanical events (such as those detected by a Geiger counter), since quantum events are believed by many to be the only source of truly random information in the universe. One-time pads that use CSPRNGs are open to attacks which attempt to compute part or all of the key. With a one-time pad, there are as many bits in the key as in the plaintext. This is the primary drawback of a one-time pad, but it is also the source of its perfect security (see below). It is essential that no portion of the key ever be reused for another encryption (hence the name “one-time pad”), otherwise cryptanalysis can break the cipher. The cipher itself is exceedlingly simple. To encrypt plaintext, P, with a key, K, producing ciphertext, C, simply compute the bitwise exclusive-or of the key and the plaintext:

C = K^P

To decrypt ciphertext, C, the recipient computes

P = K^C
It’s that simple, and it’s perfectly secure, as long as the key is random and is not compromised.

Why Are One-Time Pads Perfectly Secure?

If the key is truly random, an xor-based one-time pad is perfectly secure against ciphertext-only cryptanalysis. This means an attacker can’t compute the plaintext from the ciphertext without knowlege of the key, even via a brute force search of the space of all keys! Trying all possible keys doesn’t help you at all, because all possible plaintexts are equally likely decryptions of the ciphertext. This result is true regardless of how few bits the key has or how much you know about the structure of the plaintext. To see this, suppose you intercept a very small, 8-bit, ciphertext. You know it is either the ASCII character ‘S’ or the ASCII character ‘A’ encrypted with a one-time pad. You also know that if it’s ‘S’, the enemy will attack by sea, and if it’s ‘A’, the enemy will attack by air. That’s a lot to know. All you are missing is the key, a silly little 8-bit one-time pad. You assign your crack staff of cryptanalysts to try all 256 8-bit one-time pads. This is a brute force search of the keyspace. The results of the brute force search of the keyspace is that your staff finds one 8-bit key that decrypts the ciphertext to ‘S’ and one that decrypts it to ‘A’. And you still don’t know which one is the actual plaintext. This argument is easilly generalized to keys (and plaintexts) of arbitrary length.

by Francis Litterio

Answer StackExchange

    
risposta data 21.05.2018 - 00:50
fonte
0

Un pad monouso utilizza fondamentalmente una chiave di crittografia lunga quanto il messaggio che sta crittografando. XOR con la chiave per crittografare, XOR di nuovo per decifrare. Fornendo un mezzo sicuro di pre-condivisione di quella chiave, e la si usa solo una volta, e non c'è modo di predire la chiave (cioè è completamente casuale), non c'è modo di craccarla. Non è possibile sfruttare alcuna prevedibilità in alcune parti del messaggio per ricavare la chiave e quindi sbloccare il resto del messaggio: anche se si conosce il 50% del messaggio, l'altro 50% è opaco.

Non c'è quindi alcuna magia in esso, ed è semplice, ma le sue pretese di sicurezza arrivano con qualificazioni molto grandi: tutto dipende dalla capacità di condividere in modo sicuro quella chiave in anticipo. Se hai un messaggio molto lungo da trasmettere, devi anche aver trasmesso quella chiave molto lunga separatamente, in modo sicuro. E se hai una "chiave" in eccesso pre-generata e pre-condivisa per ridurla, allora nel frattempo deve essere conservata in modo sicuro.

    
risposta data 21.05.2018 - 08:00
fonte

Leggi altre domande sui tag