Now I'd like to talk about the open discussion question
posted in the Homework 1.
To review, Alice wants to send a message to Bob
using a one-time pad to let Bob know yes or no
if she's going to be taking CS387, and they're worried about Mallory,
who could possibly intercept the message and then change around the message
so that Bob would get the wrong message.
And we saw in the question that Mallory could--
whatever she intercepts, she can't tell whether it's yes or no,
but she can XOR it with the difference between yes and no,
and that will flip the answer and some of this suggested--
solutions were to change yes and no to other things
thinking there was something special about yes and no, that those could be flipped.
But you can flip anything, and you're flipping it by XORing it with the difference.
Whatever was there was either yes or no XORed with some key.
You don't know the key, but XORing that with the difference of them
will cancel out the Ys, or if this was an N, it would cancel out the Ns and leave the Y.
So whatever the message was, it can be XORed with the difference.
There's nothing special about Y or N.
It would work--let's say--if you replaced it with yes and not.
The difference is just Mallory would XOR it with the XOR of yes and not.
All of the solutions that were ideas about changing the content
don't really solve anything.
Mallory knows the 2 options and can XOR them and can flip the content.
There are some other approaches that had better success, though.
There were 2 main styles.
For example, Steve Krenzel from Seattle suggested using
kind of more advanced crypto tools.
He wanted to append the nonce to the message and then hash the entire message.
So, I think what he was suggesting--which is a good solution to this--
is to take the yes or no, so you're still giving the response.
You're going to concatenate that with the nonce, which is just some random value.
We'll call it r.
This is long random value.
And then concatenate that with a hash of the y,
whatever the answer was, with the nonce.
And we haven't talked about hash functions yet in Unit 1,
but we do talk about them in Unit 2,
and a hash function is just a function that takes some input
and maps it in a complex and unpredictable way to some other value.
And that's useful because Bob can't predict what this value is
without knowing what the value of r is, and if the value of r is random
and not known to Bob, there's no way for Bob to predict the output of this hash.
If he tries to change this, well, there's no way to change it in a way
that knows the difference between what the result would be if this was an N
and when it was a Y, so Bob could flip these bits,
but then the hash value wouldn't be correct.
I'm sorry, Mallory could flip these bits.
Then the hash value wouldn't be correct, and Bob would know that it was wrong,
so this is a reasonable way to do it.
The difficulty with the solution is it involved cryptographic tools
that are much more complex than just the XOR hash functions are,
things we'll talk about in the next unit but involve a fair amount of computation.
It's not something you could easily do by hand.
What we want is some solution that would allow Alice and Bob to do this
without using any more advanced cryptographic tools.
Yeah, the other style solution was one proposed by StirCat,
which involves sending a number of dashes--maybe 8 or 16 dashes in a row--
and then randomly picking one character to set to Y or N,
and what are your thoughts on that?
This is a really interesting idea.
We're going to take--instead of sending just one character,
we've got a string of 8 dashes, and we're randomly going to pick one of those
and replace it with either the Y or the N.
That's going to be the answer.
And now this means when Mallory intercepts it,
if she doesn't know which one was randomly picked,
well, she can XOR out the difference between a Y or N from any one of these 8,
but if she picks the wrong one, she's going to change a dash into something else.
And I don't know what it would be. We'd have to look at the numbers.
But it's not going to be a dash anymore, and so when Bob
looks at the result, it's going to look wrong.
Bob will know the message was tampered with.
It's only if Mallory was lucky enough to guess the right one to flip
that she could change the answer, and her probability of guessing it correctly
is 1 over the number of positions here.
If we have 8, she has a 1 in 8 chance of guessing the right one and flipping that one.
The other times when she doesn't guess correctly she'll get caught.
This is pretty good. This has a nice property.
It means if we make a message long enough, we can make Mallory's success
probability as low as we want, but we need a really long message.
If we want her success to be less than 1 in 256,
we need a string that's 256 bytes long, which is not a big deal but is less elegant.
We could get a similar property with a shorter message
if instead of having only one of them depend on the choice
we make a short message where each of the characters in the message
depend on the yes or no value, but Alice randomly picks
either to send a Y or a 1 if the answer is yes
or to send an N or a 0, so let's say those are the 4 choices.
She's going to randomly pick.
If the answer is Y, she's going to send something like YY1Y,
randomly picking for each position whether to send a Y or a 1.
When Mallory intercepts this,
the XOR between Y and N is different from the XOR between 1 and 0.
Those two are not equal, so for Mallory to flip an answer,
she's got to guess whether it was a Y or an N or a 1 or a 0,
and she can guess and flip one.
If she guesses them all correctly, then she could flip them all,
and Bob would see the wrong answer.
But if she guesses the one wrong, then Bob will see one of the characters
in the string doesn't match, and so now Mallory's probability
of guessing them all correct is ½ to the power of how many there are,
so if there were 4 characters, it would be ½ to the 4th or 1/16,
but this is a much lower success probability than we had
having the string of dashes where Mallory only had to guess
one position correctly out of that whole length.
Now she's got to guess each position correctly with ½ chance for each time.
This just involves Alice picking randomly,
so we didn't need to add something beyond the one-time pad.
Alice has to be able to flip a coin or some other source of randomness
to decide whether to send the Y or the 1 for each of these 4 positions
or more positions if she wants the success probability
to be lower than ½ to the 4th.
Could you also do a lowercase y and a t for true and a lowercase t?
You could, yeah.
Probably what you'd have to be careful about is if you did a lowercase y and a lowercase n.
The XOR of those might be the same as the difference between
the uppercase Y and uppercase N.
I would guess if you did true and false,
those would be different, but you should be careful
and know that the XOR is not the same.
But as long as the XOR is different, then each byte
Mallory has just ½ chance of making a change in the right way.
Okay. I think that's all we have.
Cool, so thanks for joining office hours, and thanks for all the discussion.
It looked like we got a lot of good responses to open discussion questions,
so hopefully we'll see that again in Homework 2.
Thank you.>>Thanks.
