Traditional Symmetric-Key Ciphers

Objectives To understand the concepts of symmetric-key ciphers To learn traditional ciphers Categories of Cryptanalysis used to break the ciphers

Topics Introduction Substitution Ciphers Transposition Ciphers Stream and Block Ciphers (SLE)

Introduction General idea of symmetric-key ciphers

Alice sends a message to Bob over an insecure channel with the assumption that an adversary, Eve, cannot understand the contents of the message by eavesdropping. Original message is called as the plaintext; the secret message sent is called as the ciphertext. To create the ciphertext, Alice uses an encryption algorithm and a shared secret key. To create the plaintext from ciphertext, Bob uses an decryption algorithm and the same secret key.

Encryption: C = Ek(P) Decryption: P = Dk(C) Dk(Ek(x)) = Ek(Dk(x)) = x Encryption and decryption algorithms are referred as ciphers and key is a set of values (numbers) that the ciphers operate on. If P is the plaintext , C is the ciphertext, and K is the key, then the encryption algorithm Ek(x) creates the ciphertext and the decryption algorithm Dk(x) creates the plaintext. Note: These two algorithms are inverse of each other. Encryption: C = Ek(P) Decryption: P = Dk(C) Dk(Ek(x)) = Ek(Dk(x)) = x

Alice and bob need another channel, a secured one, to exchange the secret key. They can meet once and agree upon a key. Secure channel in this case would be face-to-face key exchange. They can use temporary keys using other cryptographic techniques (asymmetric) to exchange the keys. Alice and Bob can use the same key for communication on the other direction, Bob to Alice. This is why we call it symmetric. If there are n people in a group then we need n-1 keys with a single person in the group.

Encryption can be viewed as locking a message in a box with a key and decryption is unlocking the box with the same key. In asymmetric, two keys are used, one more locking and one for unlocking.

Kerchhoff's Principle One should always assume that the adversary knows the encryption/decryption algorithm. The resistance of cipher to attack must be based on the secrecy of the key. Guessing the key should be so difficult that there is no need to hide the algorithms. Key domain for modern ciphers are so large that it makes it very difficult for the adversary to find the key.

Cryptanalysis Cryptography is the science and art of creating secret codes, cryptanalysis is the science and art of breaking the codes. Cryptanalysis is required to check how vulnerable is our cryptosystem and hence helps us to create better secret codes.

Ciphertext-Only Attack Eve has access only to ciphertext, she tries to find out the key and the plaintext (assuming she knows the algorithm). Most probable attack since, it requires only ciphertext.

Types of Ciphertext-Only Attacks, Brute-Force Attack (Exhaustive-key-search) Eve uses all possible keys. Assume that eve knows the algorithm and knows the key domain. Tries decrypting the message until a plaintext makes sense. In past using brute-force attack was difficult, but with faster computers this is easy. Prevention: Number of possible keys must be very large.

Statistical Attacks Uses some inherent characteristics of the plaintext language to launch a statistical attack. Example: Letter ‘E’ is the most-frequently used letter in English text. Cryptanalyst assumes that the most- frequently used character in ciphertext as letter ‘E’. After finding a few pairs, analyst finds the key and decrypts the message. Prevention: Cipher should hide the characteristics of the language.

Pattern Attacks Even if the characteristics of the language is hidden, there may be patterns in the ciphertext. Cryptanalyst may use pattern attack to break the cipher. Prevention: Keep the ciphertexts as random as possible

Known-Plaintext Attack In this kind of attack, Eve has access to some plaintext/ciphertext pairs in addition to an newly intercepted ciphertext that she wants to break.

Assumption is that the plaintext/ciphertext pair is collected earlier. Example: Alice sent a secret message to bob, but she later she made the message public. The newly intercepted ciphertext can be interpreted only if Alice has not changed the key while sending it. Chances of these kind of attacks are less (message is usually not made public and the key is frequently changed).

Chosen-Plaintext Attack Similar to known-Plaintext attack, but the plaintext/ciphertext pairs are chosen by the attacker. Possible only if Eve, has access to Alice’s computer. Key is not revealed as it is part of the software. It is very easy to implement but chances are less

Chosen-Ciphertext Attack Similar to chosen-Plaintext attack, except that this time ciphertext is chosen. Eve has access to Bob’s computer and wait until bob decrypts the ciphertext. Uses the plaintext at bob’s end.

Categories of Traditional Ciphers Substitution ciphers Replace a symbol with other symbol Transposition ciphers Reorder the position of symbols in plaintext

Substitution Ciphers A substitution cipher replaces one symbol with another. Example: If alphabets: then replacing ‘A’ with ‘D’, if digits then replacing 3 with 6. Substitution ciphers can be categorized as either monoalphabetic ciphers or polyalphabetic ciphers.

Monoalphabetic ciphers A character in plaintext is always changed to the same character in the ciphertext regardless of the position. Example 1: If algorithm changes ‘A’ to ‘D’. Then this is done for all the occurrences of ‘A’. Relationship between letters of plaintext and ciphertext is always one-to-one. Example 2: (Monoalphabetic) Plaintext: hello Ciphertext: KHOOR Example 3: (Not monoalphabetic) Plaintext: hello Ciphertext: ABNZF

Additive Cipher (shift cipher or Caesar cipher) Each character is assigned a unique integer value to the selected key value and perform modulo operation (Z26)

C = (P + k) mod 26 P = (C - k) mod 26 Encryption algorithm adds the key to the plaintext and decryption subtracts the key from the ciphertext. C = (P + k) mod 26 P = (C - k) mod 26 Assume key as 15 and Plaintext characters as “hello”. This will be encrypted as “WTAAD”

Shift Ciphers Historically additive ciphers are called shift ciphers (Shift key characters down) If key is 15, then encryption algorithm shifts 15 characters down (towards the end of the alphabet) During decryption, 15 characters are shifted up (towards beginning) If end or beginning is reached then we have wrap around.

Caesar Cipher Cryptanalysis Julius Caesar used additive ciphers to communicate with his officers. He used 3 as the key value. Cryptanalysis Additive ciphers are vulnerable to ciphertext- only attacks using exhaustive key searches. The key domain is very small. (Example: 26 keys, excluding ZERO, we have 25 keys) Eve can launch a brute-force attack on the ciphertext using these 25 keys.

Additive ciphers can also be subjected to statistical attacks. If Eve, gets hold of a long text then the commonly repeated words can be identified and analysed.

If the intercepted message is as shown below, then Eve will find the count most commonly used letter. Frequency of letters: I =14, V =13, S =12, and so on. The most common character is I with 14 occurrences. This means key = 4.

Multiplicative Cipher In multiplicative cipher, encryption algorithm specifies multiplication of the plaintext by the key. Decryption algorithm specifies division of the ciphertext by key. Since modulo operation, we consider the number and its multiplicative inverse.

If Z26 is being used then key needs to be in Z26 Since the key is 7, its multiplicative inverse, 15 is used for decryption

Affine Cipher Combine additive and multiplicative ciphers Two keys are used in Affine ciphers If addition is the last operation during encryption then subtraction will be the first operation during decryption.

Monoalphabetic Substitution Cipher Additive, multiplicative, affine ciphers are vulnerable to brute-force attacks (because of small key domain) Alice and Bob can agree upon a table showing the mapping of characters. This makes brute-force very difficult but it is still vulnerable to statistical attacks (no change in frequency).

Polyalphabetic Cipher Each occurrence of the character may have different substitute (one-to-many relation). Hides the frequency of characters of the language used. Ciphertext depends on both plaintext character and position of the plaintext character. A stream of keys k={k1,k2,k3,…..} are used.

Autokey Cipher Stream of keys are used, but first value will be agreed upon by Alice and Bob. Second subkey will be the first character in the plaintext, third will be the second character in plaintext and so on. Autokey- subkeys are automatically created during encryption. Frequency attacks are hidden but vulnerable to brute-force attacks (small key domain)

Playfair Cipher (British army- World war I) Key is 25 alphabet letters arranged in a 5 x 5 matrix. If two letters in a pair are same, then a bogus character is used to separate them. If no. of characters is odd then a bogus character is added at the end to make it even.

Three rules If the 2 letters in a pair are located in the same row of the secret key, the corresponding encrypted character for each letter is the next character in the same row. (Right) If the 2 letters in a pair are located in the same column of the secret key, the corresponding encrypted character for each character is the next character in the same column. (Beneath) If the 2 letters in a pair are not in the same row or column of the secret key, the corresponding encrypted character is the letter in its own row but in the same column as the other letter.

Plaintext: hello Pairs: he lx lo x – bogus character added to avoid pairing of l with l

Vigenere Cipher Uses a different strategy to create the key stream. Key stream is a repetition of an initial secret key stream of length m, 1 ≤ m ≤ 26 It doesn’t depend on plaintext characters but only its position.

Message: “she is listening”, Keyword: “PASCAL” (15,0,18,2,0,11)

Cryptanalysis of Vigenere Ciphers Two parts: Finding the length of the key and finding the key itself. Kasiski test: Search for the repeated text segment and find the length of the key. Index of co-incidence (IC) is used to cross verify the value obtained by kasiski test IC of standard English language is 0.065. If the letters are equally likely then IC is 0.038

Kasiski test for three character segments is as shown below Since all the values in differences (100,48,60,8) have gcd as 4. The length of the key is 4. This can also be confirmed using IC test

Hill Cipher Invented by Lester S. Hill, divides the plaintext into equal-size blocks. Blocks are encrypted one at a time such that each block contributes to the encryption of the next block. Key is a square matrix of size m x m, where m is the size of the block.

Plaintext “code is ready” can make a 3 × 4 matrix when adding extra bogus character “z” to the last block and removing the spaces. The ciphertext is “OHKNIHGKLISS”.

One-Time Pad Shannon has shown that perfect secrecy can be achieved if each plaintext symbol is encrypted with a key randomly chosen from a key domain. Additive cipher: First character with key 4, second with key 20, third with key 9 and so on. This idea is used in one-time pad (by vernam) wherein key and plain text have same length and key is randomly selected. Implementation is commercially impossible.

Rotor Cipher Uses the idea of monoalphabetic ciphers but changes the mapping between plaintext and ciphertext for each character. In this example it uses 6 characters: Initial position (Key) will be agreed upon by Alice and Bob;: bee will be encrypted as BCA

Enigma Machine (based on rotor) Invented by sherbius, but modified and used by German army during world war II. Components Keyboard- entering plaintext during encryption and ciphertext during decryption Lampboard- 26 lamps that shows ciphertext during encryption and plaintext during decryption Plugboard- 26 plugs connected manually by 13 wires, changed daily Three wired rotors- Out of the five available rotors Reflector- Stationary and wired

Code book- Settings for each day 3 rotors to be chosen out of 5 available The order in which rotors are installed Setting for the plugboard Three letter code for the day v

Procedure for Encryption Set the starting position of the rotors to the code of the day. Example: if code is “HUA”, the rotors will be initialized to “H”,”U”, and ”A” Choose a three letter code such as “ACF”, encrypt the text “ACFACF” using initial setting of rotors. Assume we get “OPNABT” Set the starting positions of the rotors to OPN (half of the code) Append the encrypted six letter (OPNABT) to the beginning of the message Encrypt the message using 6-letter code and send it.

Procedure for Decryption Receive the message and separate the first 6 letters Set the starting point of the rotors to the code of the day Decrypt the first 6 letters using the initial setup Set the positions of the rotors to the first half of the decrypted code. Decrypt the message without first six letters

Transposition Ciphers Transposition ciphers doesn’t substitute the characters but changes the locations (reorders). Example: First symbol appearing in 10th position. Keyless Transposition Ciphers Two methods of permutation of characters: Write column by column and transmit row by row Write row by row and transmit column by column

The Plaintext “meet me at the park” is arranged in 2 rows The Plaintext “meet me at the park” is arranged in 2 rows. The ciphertext will be send row by row. The Ciphertext would be “MEMATEAKETETHPR” Bob receives it, divides it to 2 equal parts. First half is set as row1 and second half is row2. Then he reads it in zig-zag pattern. This is known as “rail fence cipher”.

Arrange plaintext row by row and send it column wise Arrange plaintext row by row and send it column wise. Number of columns should be agreed upon by Bob and Alice. Ciphertext would be “MMTAEEHREAEKTTP”.

2nd character in the plaintext is moved to the 5th position. Pattern: (1,5,9,13), (2,6,10,13), (3,7,11,15) (4,8,12)

Keyed Transposition Ciphers Divide the plaintext into groups of predetermined size (blocks) and use a key to permute the characters in each block. Consider the plaintext “enemy attacks tonight”. First, we divide the plaintext into agreed upon size, say 5. enemy attac kston ightz Permutation key is used by both Alice and Bob, say the key is as shown below.

enemy attac kston ightz EEMYN TAACT TKONS HITZG Ciphertext is “EEMYNTAACTTKONSHITZG” Bob performs the reverse operation to get the paintext.

Combining Two Approaches Combine two approaches for better scrambling 3 Steps: Write text into a table row by row Permutation is done by reordering (Keyed) New table is read column by column. Known as Keyed columnar transposition or columnar transposition ciphers

Keys Single key was used for both encryption and decryption. 2 keys can be used: one for encryption and one for decryption. If encryption key is given decryption key can be known.

Using Matrices Plaintext and ciphertext are l x m matrices and keys are square matrices of size m x m. In a permutation matrix, every row and every column has exactly one 1 and rest are 0s. Encryption: Multiply plaintext matrix with encryption key. Decryption: Multiply ciphertext with inverse of key matrix

Cryptanalysis of Transposition Ciphers Statistical Attacks Transposition ciphers do not change the frequency of letters in the ciphertexts, it only reorders the letters. Useful only if the ciphertext is long enough Brute-Force Attacks If L is the length of the ciphertext then number of keys could by (1!+2!+3!+….+L!) Eve can find the number of column that divides L. (If L is 20 then 20=1 x 2 x 2 x 5) 1,2,4,5,10,20