Soviet (pact with Nazis) Grey: Neutral Blue: Anti-‐Nazis Note: updated! Wikipedia has this for July 1941, but the Nazis attacked the Soviets on 22 June 1941, breaking the non-‐agression pact. (Thanks to Helen Simecek for correcting this!)
you paid us the honour of a visit, and we believe that you regard our work as important. … it seems to us that we have met with unnecessary impediments. …The cumulative effect, however, has been to drive us to the conviction that the importance of the work is not being impressed with sufficient force upon those outside authorities with whom we have to deal. A.M. Turing (+ 3 others) Winston Churchill
you paid us the honour of a visit, and we believe that you regard our work as important. … it seems to us that we have met with unnecessary impediments. …The cumulative effect, however, has been to drive us to the conviction that the importance of the work is not being impressed with sufficient force upon those outside authorities with whom we have to deal. A.M. Turing (+ 3 others) Winston Churchill
C1 C2 Cn Ki ... ... Kj To be perfect, there must be a key that maps each message to each ciphertext. |K | ≥ |M | Hence, any practical cipher must be imperfect! [Shannon 1945]
with same starting configuration Uses some abbreviations and makes some mistakes 17 GCHQ Today (not what it looked like in 1941!) SPRUCHNUMMER/SPRUCHNR (Serial Number)
wheels turn, or none do! Knew machine structure, but a different initial configuration was used for each message: need to find wheel settings (1019 possible) but weakness reduces to 41 × 31 K wheels, all rotate every letter M1 and M2 rotate conditionally
Å xc,i Å sc,i Message Key (parts from S-‐wheels and rest) Cryptanalyze: look for statistical properties How many of the zc,i ’s are 0? How many of (zc,i+1 Å zc,i ) are 0? ½ (not useful) ½ 23 5 channels for each Baudot-‐coded letter
= D M1,i Å D M2,i Å D X1,i Å D X2,i Å D S1,i Å D S2,i 24 = ½ (key) > ½ Yippee! > ½ Yippee! D M1,i Å D M2,i > ½ Higher probability following letter is a repetition D S1,i Å D S2,i > ½ S-‐wheels only turn when M-‐wheel is 1 Actual advantage ≈ 0.55
most 0s. 25 If the guess of X is incorrect: Pr(D Z1,i Å D Z2,I = 0) = ½ If the guess of X is correct: Pr(D Z1,i Å D Z2,I = 0) ≈ 0.55 # of double delta operations to try one guess for 10,000 letter message × 1271 settings × 7 Å per double delta = 89 M Å operations
Insecure Channel Key Key Alice Bob Requiring shared secret: -‐ Alice and Bob must pre-‐arrange it over a secure channel -‐ Alice and Bob can impersonate each other
q (large prime number) a (primitive root of q) a is a primitive root of q if for all 1 £ n < q, there is some m, 1 £ m < q such that am = n mod q All prime numbers have primitive roots.
q (large prime number) a (primitive root of q) 2. Generate random XA 3. Send YA =aXA mod q. 4. Generate random XB . 5. Send YB =aXB mod q. K = (YB ) XA mod q K = (YA )XB mod q
53 K = (YB ) XA mod q K = (YA )XB mod q YA = aXA mod q YB = aXB mod q = (aXB mod q)XA mod q = (aXBXA mod q)mod q = aXBXA mod q = (aXA mod q)XB mod q = (aXAXB mod q)mod q = aXAXB mod q Multiplication commutes (just like the padlocks)!
prime number) a (primitive root of q) 2. Generate random XA 3. Send YA =aXA mod q. 4. Generate random XB . 5. Send YB =aXB mod q. K = (YB ) XA mod q K = (YA )XB mod q Eve An eavesdropper cannot find K from all intercepted values: q, a, YA , YB
prime number) a (primitive root of q) 2. Generate random XA 3. Send YA =aXA mod q. 4. Generate random XB . 5. Send YB =aXB mod q. K = (YB ) XA mod q K = (YA )XB mod q Eve An eavesdropper cannot find K from all intercepted values: q, a, YA , YB Discrete logarithm problem: given a, n, and q find the one 0 £ m < q such that am = n mod q For good choices of q, this is believed to be hard.
prime number) a (primitive root of q) 2. Generate random XA 3. Send YA =aXA mod q. 4. Generate random XB . 5. Send YB =aXB mod q. K = (YB ) XA mod q K = (YA )XB mod q Eve An eavesdropper cannot find K from all intercepted values: q, a, YA , YB . If they could, could solve discrete log problem which is believed to be hard: given YA =aXA mod q find XA
University Admissions Medical residents in US, Canada, others 35,000 applicants Use Trusted Third Party to run matching algorithm: -‐ Receives all private rankings and keeps confidential -‐ Produces correct result -‐ uncorrupted
Garbled Circuit Protocol secret input a secret input b Agree on function f r = f(a, b) r = f(a, b) Learns nothing else about b Learns nothing else about a
x0 a1 b1 x1 a1 b0 x0 a0 or a1 x AND b0 or b1 Leaks information! “Obfuscated” Logic ai , bi , xi are random values, chosen by generator but meaningless to evaluator.
on her input Bob (evaluator) Picks random values for a{0, 1} , b{0, 1} , x{0, 1} Ea1 ||b0 (x0 ) Ea0 ||b1 (x0 ) Ea1 ||b1 (x1 ) Ea0 ||b0 (x0 ) Evaluates circuit, decrypting one row of each garbled gate xr Sends hashes to decode outputs r
on her input Bob (evaluator) Picks random values for a{0, 1} , b{0, 1} , x{0, 1} Ea1 ||b0 (x0 ) Ea0 ||b1 (x0 ) Ea1 ||b1 (x1 ) Ea0 ||b0 (x0 ) Evaluates circuit, decrypting one row of each garbled gate xr Sends hashes to decode outputs r How does the Bob learn his own input values?
Y f(x) d x Security properties Privacy: F, X, and d leak reveals nothing beyond f(x) Obliviousness: F, X reveals nothing (new) Authenticity: given F, X, hard to find Y’ such that: Decode(Y’, d) ∉ { f(x), error }
on known data Operate on encrypted wire labels One-‐bit logical operation requires moving some electrons a few nanometers One-‐bit logical operation requires performing four encryption operations Reuse is great! Reuse is not allowed! Ea1 ||b0 (x0 ) Ea0 ||b1 (x0 ) Ea1 ||b1 (x1 )
4.57 M Bidding 15.01 hours 173 B 3.19 M Total 17.08 hours 207 B 3.36 M Simulated 2016 US National Medical Residency Match: 35,476 prospective residents matching with 4836 programs with 30,750 total slots Running between 2 EC2.c4xlarge nodes in same region (1 Gbps)
4.57 M Bidding 15.01 hours 173 B 3.19 M Total 17.08 hours 207 B 3.36 M Simulated 2016 US National Medical Residency Match: 35,476 prospective residents matching with 4836 programs with 30,750 total slots Running between 2 EC2.c4xlarge nodes in same region (1 Gbps)
evansuva
mh4gf
cybozuinsideout
foursue
miyakemito
kazuya_araki_tokyo
nakamuuu
oracle4engineer
chibiegg
makky_tyuyan
toshi_atsumi
kenichirokimura
meihei3
mraible
shpigford
bryan
addyosmani
paulrobertlloyd
hannesfritz
sugarenia
hatefulcrawdad
tammyeverts
lemiorhan
erikaheidi
keathley
![Glimmers of Universal Machines 2 Leibniz’s Vision [1679] Babbage’s Analytical](https://files.speakerdeck.com/presentations/05564d4a4f204f10867ae912bc410f93/slide_2.jpg){kind=link}
![One-‐Time Pad C[i] = M[i] Å K[i] 13](https://files.speakerdeck.com/presentations/05564d4a4f204f10867ae912bc410f93/slide_13.jpg){kind=link}
