Computer Science 126. Prologue: A Simple Machine. General Computer Science Fall Robert Sedgewick

Transcription

1 COMPUTR SCIC S D G W I C K / W A Y Computer Science 26 General Computer Science Prologue: A Simple Machine Fall 24 Robert Sedgewick COMPUTR SCIC S D G W I C K / W A Y Who are you? [data from 2-2] Intended major Prologue: A Simple Machine Brief introduction Secure communication with a one-time pad Linear feedback shift registers Implications Programming experience Class Social Sciences other Science/Math other ngineering Humanities CS none some lots st year Sophomore Junior Senior Over 6% of all Princeton students take COS 26 CS..A.Prologue.Introduction 4

2 The basics What is this course about? A broad introduction to computer science. Lectures. [Sedgewick] Goals RS office hours. Demystify computer systems. mpower you to exploit available technology. Build awareness of substantial intellectual underpinnings. Design and architecture of computers. Theory of computation. Applications in science and engineering. and art, music, finance, and many other fields. M T W T F S Tips on assignments / worked examples Questions on lecture material. Informal and interactive. Science is everything we understand well enough to explain to a computer Friend 6/7 lab. [undergraduate assistants] Don Knuth 6 7 Help with systems/debugging. o help with course material. 8 9 Computers are incredibly fast, accurate, and stupid; humans are incredibly slow, inaccurate, and brilliant; together they are powerful beyond imagination. Piazza. [online discussion] Best chance of quick response to a question. Post to class or private post to staff. Albert instein 5 Grades assignments due See for full current details and office hours. 6 Course website are based on achievement. Due dates SP Opportunities for us to determine your level of achievement: OV OCT 9 programming assignments. 2 written exams (in class, /9 and 2/). 2 programming exams (evenings, /23 and 2/8). Final programming project (due Dean s date ). xtra credit / staff discretion. Adjust borderline cases. DC participation helps frequent absence hurts JA We do not grade on a "curve". everyone needs to meet me! Precepts. [Gabai, Ginsburg and team] Topics Programming in Java. S 9 you are already here Su Mo Tu We Th Fr Sa bookmark this page!

3 Textbook and Booksite Programming assignments are an essential part of the experience in learning CS. Textbook. Full introduction to course material. Developed for this course. For use while learning and studying. Desiderata Address an important scientific or commercial problem. Illustrate the importance of a fundamental CS concept. You solve the problem from scratch on your own computer! Booksite. Summary of content. Code, exercises, examples. Supplementary material. OT the textbook. (also not the course web page). For use while online. -body simulation pluck a guitar string estimate Avogadro's number bookmark this page, too! 9 What's Ahead? Coming events Lecture 2. Basic programming concepts. Precept. Meets today/tomorrow. ot registered? Go to any precept now; officially register ASAP. Change precepts? Use SCOR. Assignment due Monday :59PM Things to do before attempting assignment Read Sections. and.2 in textbook. Read assignment carefully. Install introcs software as per instructions. Do a few exercises. Lots of help available, don't be bashful. see Colleen Kenny-McGinley in CS 2 if the only precept you can attend is closed COMPUTR SCIC S D G W I C K / W A Y. Prologue: A Simple Machine Brief introduction Secure communication with a one-time pad Linear feedback shift registers Implications D OF ADMIISTRATIV STUFF CS..B.Prologue.OneTimePad

4 Sending a secret message with a cryptographic key ncrypt/decrypt methods use yt25a5i/s if I ever send you an encrypted message Alice wants to send a secret message to Bob. Sometime in the past, they exchange a cryptographic key. Alice uses the key to encrypt the message. Bob uses the same key to decrypt the message. Goal. Design a method to encrypt and decrypt data. "OK" S D M O Y v 7 K Y encrypt Alice g X 7 6 W 3 decrypt Hey, Bob. Here's a secret message. Hi Alice. OK, I'm ready. key: S D M O gx76w3v7k yt25a5i/s SDMOY Bob Hey, Bob. Here's a secret message. Hi Alice. OK, I'm ready. sending gx76w3v7k key: yt25a5i/s xample. nigma encryption machine [German code, WWII] SDMOY Broken by Turing bombe (one of the first uses of a computer). Broken code helped win Battle of Atlantic by providing U-boat locations. gx76w3v7k??? encrypted message is "in the clear" (anyone can read it) Critical point: Without the key, ve cannot understand the message. xample 2. One-time pad [details to follow] Q. How does the system work? xample 3. Linear feedback shift register [later this lecture] ve 3 A digital world 4 ncoding text as a sequence of bits Base64 encoding of character strings A bit is a basic unit of information. A simple method for representing text. Two possible values ( or ). asy to represent in the physical world (on or off ). 64 different symbols allowed: A-Z, a-z, -9, +, /. 6 bits to represent each symbol. ASCII and Unicode methods used on your computer are similar. In modern computing and communications systems, we represent everything as a sequence of bits. Text [details to follow in this lecture] umbers Sound [details to follow in this course] Pictures [details to follow in this course] Programs [profound implications, stay tuned]. A B C D F G H I J K L M O P Q R S T U V W X bits symbols 6 64 Base64 Y Z a b c d e f g h i j k l m n o p q r s t u v M O ASCII Unicode 6 65,536+ w x y z / xample: 2 = 69 S D Y Bottom line. If we can send and receive bits, we can send and receive anything. 5 6

5 One-Time Pads ncryption with a one-time pad What is a one-time pad? Preparation A cryptographic key known only to the sender and receiver. Create a "random" sequence of bits (a one-time pad). Good choice: A random sequence of bits (stay tuned). Send one-time pad to intended recipient through a secure channel. Security depends on each sequence being used only once. ncryption ncode text as a sequence of bits. Use the first bits of the pad. important point: need to have as many bits in the pad as there are in the message. Compute a new sequence of bits from the message and the pad. Decode result to get a sequence of characters. Result: A ciphertext (encrypted message). a simple machine ote: Any sequence of bits can be decoded into a sequence of characters. more convenient than bits for initial exchange message one-time pad ciphertext 7 8 A (very) simple machine for encryption Self-assessment on bitwise encryption To compute a cyphertext from a message and a one-time pad ncode message and pad in binary. ach cyphertext bit is the bitwise exclusive or of corresponding bits in message and pad. Q. ncrypt the message A S Y with the pad 2 3. Def. The bitwise exclusive or of two bits is if they differ, if they are the same. message one-time pad cyphertext 9 2

6 Decryption with a one-time pad A (very) simple machine for encryption and decryption To compute a message from a cyphertext and a one-time pad Use binary encoding of cyphertext and pad. ach message bit is the bitwise exclusive or of corresponding bits in cyphertext and pad. if they differ; if they are the same cyphertext one-time pad A. Alice's device uses a "bitwise exclusive or" machine to encrypt the message. Q. What kind of machine does Bob's device use to decrypt the message? message (!) A. The same one (!!) 2 22 Why does it work? Decryption with the wrong pad message one-time pad ve cannot read a message without knowing the pad. My informant tells me that Alice and Bob's one-time pad might be qwdgbduav ciphertext one-time pad ve message Crucial property: Decrypted message is the same as the original message. Let m be a bit of the message and k be the corresponding bit of the one-time pad. To prove: ( m k ) k = m Approach : Truth tables m k m k (m k ) k otation: m k is equivalent to (m, k) Approach 2: Boolean algebra (k k) = m = m (m k) k = m (k k) = m = m 23 ciphertext wrong pad q w D g b D u a v gibberish K n 4 a B h l q w D g b D u a v K n 4 a B h l One-time pad is provably secure [Shannon, 94s] IF each pad is used only once, AD the pad bits are random, TH ve cannot distinguish cyphertext from random bits. foiled again Kn4aBhl??? 24

7 ve's problem with one-time pads Goods and bads of one-time pads ve has a computer. Why not try all possibilities? Problem Goods. Very simple encryption method. Decrypt with the same method. Provably unbreakable if bits are truly random. Widely used in practice. ve 54 bits, so there are 254 possible pad values. Suppose ve could check a million values per second. It would still take 57+ years to check all possibilities. pad value message? AAAAAAAAA gx76w3v7k AAAAAAAAB gx76w3v7l AAAAAAAAC gx76w3v7i a one-time pad cold war hotline qwdgbduav Much worse problem There are also 254 possible messages. tttpwk+ If ve were to check all the pads, she'd see all the messages. o way to distinguish the real one from any other. One-time pad is provably secure. I'd like to send you a secret video ( GB) Kn4aBhl asily breakable if seed is re-used. Truly random bits are very hard to come by. eed separate secure channel to distribute key. Pad must be as long as the message. yt25a5i/s SDMOY ////////+ fo7fpiq ///////// fo7fpiq Where are you going to get 8 billion bits for the key? Bads. WTATTOO o room on my phone for both the video and the key. Alice Bob COMPUTR SCIC Random bits are not so easy to find You might look on the internet. S D G W I C K / W A Y The randomness comes from atmospheric noise Prologue: A Simple Machine Brief introduction Secure communication with a one-time pad Linear feedback shift registers Implications I think I'll call it random.org if you trust the internet. ext: Creating a (long) sequence of "pseudo-random" bits from a (short) key. 27 CS..C.Prologue.LFSR

8 A pseudo-random number generator is a deterministic machine that produces a long sequence of pseudo random bits. A pseudo-random number generator is a deterministic machine that produces a long sequence of pseudo random bits. xamples nigma. Linear feedback shift register (next). Blum-Blum-Shub generator. [ an early application of computing ] [ research still ongoing ] Deterministic: Given the current state of the machine, we know the next bit. An absolute requirement: Alice and Bob need the same sequence. Random: We never know the next bit. Pseudo-random: The sequence of bits appears to be random.??? Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin. John von eumann Appears to be random?? A profound and elusive concept. x. : o long repeats x. 2: About the same number of s and s x. 3: About the same number of s, s, s, and s. For this lecture: "Has enough properties of a random sequence that ve can't tell the difference" Which of these sequences appear to be random? Linear feedback shift register but # of s and s are about equal but # of s s s and s are about equal key for Alice and Bob Terminology Bit: or. Cell: storage element that holds one bit. Register: sequence of cells. Seed: initial sequence of bits. Feedback: Compute of two bits and put result at right. Shift register: when clock ticks, bits propagate one position to left. ciphertext for SDMOY generated by coin flips An [, 9] LFSR ote: Any one of them could be random! typed arbitrarily (no long seqs of s or s) More terminology Tap: Bit positions used for (one must be leftmost). [, k] LFSR: -bit register with taps at and k. umbered from right, starting at. ot all values of k give desired effect (stay tuned). 3 32

9 Linear feedback shift register simulation History of register contents Time a pseudo-random bit sequence! A random bit sequence? Q. Is this a random sequence? Looks random to me. one-time pad in our example o long repeats. 997 s, 3 s. 256 s, 254 s, 256 s, 257 s A. o. It is the output of an [, 9] LFSR with seed! It is pseudo-random (at least to some observers). 34 Self-assessment on LFSRs ncryption/decryption with an LFSR Q. Give first steps of [5,4] LFSR with initial fill. Preparation Alice creates a book of "random" (short) seeds. Alice sends the book to Bob through a secure channel. ncryption/decryption Alice sends Bob a description of which seed to use. They use the specified seed to initialize an LFSR and produce bits. [and proceed in the same way as for one-time pads] Alice Use the next seed in the book to decode this secret video ( GB) Bob OK (consults book) message seed LFSR ciphertext seed LFSR message 35 36

10 ve's opportunity with LFSR encryption Key properties of LFSRs ve has computers. Why not try all possible seeds? Seeds are short, messages are long. Property. Don t use all s as a seed! Fill of all s will not otherwise occur. All seeds give a tiny fraction of all messages. xtremely likely that all but real seed will produce gibberish. ve Good news (for ve): This approach can work. x: -bit register implies 247 possibilities. xtremely likely that only one of those is not gibberish. After this course, you could write a program to check whether any of the 247 messages have words in the dictionary. Bad news (for ve): It is easy for Alice and Bob to use a much longer LFSR Key properties of LFSRs Key properties of LFSRs Property. Don t use all s as a seed! Fill of all s will not otherwise occur. x. [4,3] LFSR Property. Don t use all s as a seed! Fill of all s will not otherwise occur. x. [4,2] LFSR 2 2 Property 2. Bitstream must eventually cycle. 3 Property 2. Bitstream must eventually cycle. 3 2 nonzero fills in an -bit register. Future output completely determined by current fill nonzero fills in an -bit register. Future output completely determined by current fill Property 3. Cycle length in an -bit register is at most 2. Could be smaller; cycle length depends on tap positions. eed theory of finite groups to know good tap positions

11 Key properties of LFSRs ve's problem with LFSR encryption gx76w3v7k??? Property. Don t use all s as a seed! Fill of all s will not otherwise occur. Property 2. Bitstream must eventually cycle. 2 nonzero fills in an -bit register. Future output completely determined by current fill., 9 63, 62 Without the seed, ve cannot read the message. ve has computers. Why not try all possible seeds? Seeds are short, messages are long. All seeds give a tiny fraction of all messages. xtremely likely that all but real seed will produce gibberish. ve xponential growth dwarfs technological improvements [stay tuned] Property 3. Cycle length in an -bit register is at most 2. Could be smaller; cycle length depends on tap positions. eed theory of finite groups to know good tap positions. Bottom line. [, 9] register generates 247 bits before repeating. [63, 62] register generates bits before repeating. XILIX manual, 99s Definitely preferable: small cost, huge payoff. 4 Bad news (for ve): There are still way too many possibilities. x: 63-bit register implies 2 63 possibilities. If ve could check million seeds per second, it would take her 2923 centuries to try them all! Bad news (for Alice and Bob): LFSR output is not random. OT OUGH COMPUTRS experts have cracked LFSRs 42 Goods and bads of LFSRs COMPUTR SCIC S D G W I C K / W A Y Goods. Very simple encryption method. Decrypt with the same method. Scalable: 2 cells for million bits; 3 cells for billion bits. Widely used in practice. [xample: military cryptosystems.] a commercially available LFSR Prologue: A Simple Machine Bads. asily breakable if seed is re-used. Still need secure key distribution. xperts can crack LFSR encryption. xample. CSS encryption widely used for DVDs. Widely available DeCSS breaks it! /* efdtt.c Author: Charles M. Hannum <root@ihack.net> */ /* Usage is: cat title-key scrambled.vob efdtt >clear.vob */ #define m(i)(x[i]s[i+84])<< unsigned char x[5],y,s[248];main( n){for( read(,x,5 );read(,s,n=248,s,n) )if(s ); write( [3]%8+2] /6%4 ){int [y=s == i=m( ) m() 8,k =m(2),j= m(4) 7 m(3) 9k* 2-k%8 8,a =,c =26;for (s[y] -=6; --c;j *=2)a= a*2i&,i=i /2j& <<24;for(j= 27; ++j<n;c=c> y) c +=y=ii/8i>>4i>>2, i=i>>8y<<7,a=a>>4,y=aa*8a<<6,a=a >>8y<<9,k=s[j],k ="7Wo~'G_\26"[k &7]+2"cr3sfw6v;*k+>/n."[k>>4]*2k*257/ 8,s[j]=k(k&k*2&34)*6c+~y ;}} DeCSS DVD decryption code 43 CS..D.Prologue.Implications Brief introduction Secure communication with a one-time pad Linear feedback shift registers Implications

12 LFSRs and general-purpose computers A Profound Idea component LFSR computer control start, stop, load same clock LFSR computer Important similarities. Both are built from simple components. Both scale to handle huge problems. Both require careful study to use effectively. Critical differences: Operations, input. Programming. We can write a Java program to simulate the operation of any abstract machine. Basis for theoretical understanding of computation. Basis for bootstrapping real machines into existence. Stay tuned (we cover these sorts of issues in this course). same memory 2 bits billions of bits input 2 bits bit sequence computation shift, + * / YOU will be writing code like this within a few weeks. pseudo-random bit any computable bit sequence sequence output but the simplest computers differ only slightly from LFSRs! General purpose computer can simulate any abstract machine. All general purpose computers have equivalent power (! ) [stay tuned]. public class LFSR { public static void main(string[] args) { int[] a = {,,,,,,,,,,, }; for (int t = ; t < 2; t++) { a[] = (a[] a[9]); System.out.print(a[]); for (int i = ; i > ; i--) a[i] = a[i-]; } System.out.println(); } } % java LFSR ote: You will write and apply an LFSR simulator in Assignment COMPUTR SCIC Profound questions S D G W I C K / W A Y Q. What is a random number? LFSRs do not produce random numbers. They are deterministic. von eumann's "state of sin": we know that "deterministic" is incompatible with "random" It is not obvious how to distinguish the bits LFSRs produce from random, BUT experts have figured out how to do so. Q. Are random processes found in nature?. Prologue: A Simple Machine Motion of cosmic rays or subatomic particles? Mutations in DA? Q. Is the natural world a (not-so-simple) deterministic machine?? God does not play dice. Albert instein 47