Session 1: Introduction to cryptology


Cryptology
Cryptology: kryptos = secret + logos = science.
Cryptology = Cryptography + Cryptanalysis, opposite and complementary at the same time.
Cryptography: develops methods of encipherment in order to protect information.
Cryptanalysis: breaks these methods in order to reconstruct the original information.

Cryptographic Procedure: The General Scheme
[Diagram labels: A, B, Plaintext, KEY, encipher, Ciphertext, decipher, Cryptanalysis (decrypt)]

General classification
Secret key cryptography (symmetric): shared key (secret), delivered to both parties in advance via a secure channel.
Public key cryptography (asymmetric): the key is reconstructed from the secret part and the public part. The secure channel is not needed.
Secret key cryptography: stream ciphers, block ciphers.

Secret key cryptography
Stream ciphers: the transformation is applied to every symbol of the original message. Example: to every bit of the message.
Block ciphers: the transformation is applied to a group of symbols of the original message. Example: to groups of 64 bits (DES).

Secret key cryptography
Stream ciphers: Prof. Simon John Shepherd: “Every high-grade military cipher is a stream cipher.” Consequence: limitations introduced by governments.
Block ciphers: slower and less secure (in general), but there are no implementation and export limitations. Because of that, they are used a lot in practice.

Classical cipher systems
Substitution
Example:
Plain alphabet:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher alphabet: PLOKNMJUIBVGYTFCXDRESZWAQH
Message:    THIS IS AN EXAMPLE
Cryptogram: EUIR IR PT NAPYCGN

Classical cipher systems
Transposition
Example (groups of 4 letters):
Message:    CLAS SICA LSYS TEMS
Cryptogram: SALC ACIS SYSL SMET
Transposition: ( )

Classical cipher systems
Monoalphabetic substitution: equal symbols of the plaintext are always substituted with the same symbol.
Polyalphabetic substitution: equal symbols of the plaintext are substituted with different symbols, depending on the key.

Classical cipher systems
Caesar’s cipher (monoalphabetic) (1st century B.C.)
Message:    VINIVIDIVINCI
Key:        DDDDDDDDDDDDD
Cryptogram: ZMQMZMGMZMQFM
Plain alphabet:  ABCDEFGHIKLMNOPQRSTVXYZ
Cipher alphabet: DEFGHIKLMNOPQRSTVXYZABC

Classical cipher systems
Vigenère’s cipher (polyalphabetic) (1586)
Key: $Z_i$ = L, O, U, P
Encipherment: Decipherment:
Message:    PARISVAUTBIENUNEMESSE
Key:        LOUPLOUPLOUPLOUPLOUPL
Cryptogram: AOLXDJUJEPCTYIHTXSMHP

Classical cipher systems Blaise de Vigenère ( )

VIGENÈRE’S TABLE (1586) A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Note that the modulus of a negative value is computed by repeatedly adding the base until a positive value is obtained.

ABCDEFGHIJKLMNOPQRSTUVWXYZ BCDEFGHIJKLMNOPQRSTUVWXYZA CDEFGHIJKLMNOPQRSTUVWXYZAB DEFGHIJKLMNOPQRSTUVWXYZABC EFGHIJKLMNORQRSTUVWXYZABCD FGHIJKLMNOPQRSTUVWXYZABCDE GHIJKLMNOPQRSTUVWXYZABCDEF HIJKLMNOPQRSTUVWXYZABCDEFG IJKLMNOPQRSTUVWXYZABCDEFGH JKLMNOPQRSTUVWXYZABCDEFGHI KLMNOPQRSTUVWXYZABCDEFGHIJ LMNOPQRSTUVWXYZABCDEFGHIJK MNOPQRSTUVWXYZABCDEFGHIJKL NOPQRSTUVWXYZABCDEFGHIJKLM OPQRSTUVWXYZABCDEFGHIJKLMN PQRSTUVWXYZABCDEFGHIJKLMNO QRSTUVWXYZABCDEFGHIJKLMNOP RSTUVWXYZABCDEFGHIJKLMNOPQ STUVWXYZABCDEFGHIJKLMNOPQR TUVWXYZABCDEFGHIJKLMNOPQRS UVWXYZABCDEFGHIJKLMNOPQRST VWXYZABCDEFGHIJKLMNOPQRSTU WXYZABCDEFGHIJKLMNOPQRSTUV XYZABCDEFGHIJKLMNOPQRSTUVW YZABCDEFGHIJKLMNOPQRSTUVWX ZABCDEFGHIJKLMNOPQRSTUVWXY

Classical cipher systems
Beaufort’s cipher (polyalphabetic) (1857)
Sir Francis Beaufort ( )
Key: $Z_i$ = W, I, N, D
Encipherment: Decipherment:
Message:    THIS IS THE SAME OLD STUFF
Key:        WIND WI NDW INDW IND WINDW
Cryptogram: DBFL OQ UWS QNRS UCA EPTYR
Encipherment and decipherment are the same (involution).
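The three worked examples on the Caesar, Vigenère and Beaufort slides can be reproduced with a few lines of Python. This is an added example, not part of the original slides; since the slide formulas were not preserved, the rules Y_i = X_i + Z_i (mod n) for Vigenère and Y_i = Z_i - X_i (mod n) for Beaufort are assumptions, checked here against the cryptograms the slides give.

```python
import string

LATIN26 = string.ascii_uppercase
# 23-letter Latin alphabet from the Caesar slide (no J, U or W).
LATIN23 = "ABCDEFGHIKLMNOPQRSTVXYZ"


def _combine(text, key, alphabet, rule):
    """Apply rule(x, z, n) letter by letter; the key repeats cyclically.

    Characters outside the alphabet (spaces) are copied through and do not
    consume a key letter, which matches the grouping on the Beaufort slide.
    """
    if not key or any(k not in alphabet for k in key):
        raise ValueError("key must be a non-empty string over the alphabet")
    n, out, used = len(alphabet), [], 0
    for ch in text:
        if ch not in alphabet:
            out.append(ch)
            continue
        x = alphabet.index(ch)
        z = alphabet.index(key[used % len(key)])
        out.append(alphabet[rule(x, z, n)])
        used += 1
    return "".join(out)


def vigenere_encipher(text, key, alphabet=LATIN26):
    # Assumed rule: Y_i = X_i + Z_i (mod n).
    return _combine(text, key, alphabet, lambda x, z, n: (x + z) % n)


def vigenere_decipher(text, key, alphabet=LATIN26):
    # X_i = Y_i - Z_i (mod n). Python's % maps a negative difference back
    # into 0..n-1, the same effect as "adding the base" by hand.
    return _combine(text, key, alphabet, lambda y, z, n: (y - z) % n)


def beaufort(text, key, alphabet=LATIN26):
    # Assumed rule: Y_i = Z_i - X_i (mod n). Applying it twice gives
    # Z_i - (Z_i - X_i) = X_i, so one function enciphers and deciphers.
    return _combine(text, key, alphabet, lambda x, z, n: (z - x) % n)


def caesar(text, alphabet=LATIN23, shift_letter="D"):
    # Caesar's cipher is Vigenère with a one-letter key.
    return vigenere_encipher(text, shift_letter, alphabet)


if __name__ == "__main__":
    print(vigenere_encipher("PARISVAUTBIENUNEMESSE", "LOUP"))
    print(beaufort("THIS IS THE SAME OLD STUFF", "WIND"))
    print(caesar("VINIVIDIVINCI"))
```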


Classical systems – electromechanical devices The principal drawback of the systems that used tables was their inefficiency at enciphering/deciphering long texts. At the same time, the need to process long texts increased. At the beginning of the 20th century, technology advanced enough to enable the design of electromechanical cryptographic devices.

Classical systems – ENIGMA One of the most famous ones was the ENIGMA machine, used extensively by the Germans in World War II. The machine was patented in 1918 by Arthur Scherbius, a German engineer. Essentially, this was a multiple Vigenère’s cipher that achieved a considerably higher number of possible combinations to search in the process of cryptanalysis than the older ciphers.

Classical systems - ENIGMA [Figures: ENIGMA – principle of operation; ENIGMA – one of the rotors]

Classical systems - ENIGMA All the machines of this kind consisted of wheels. Some were fixed (stators) and some were mobile (rotors). ENIGMA consisted of two fixed wheels (the entry wheel and the reflector) and 3 or 4 rotors. Rotors could be selected out of a number of rotors (usually 3 out of five).

Classical systems - ENIGMA The choice of the rotors, as well as their ordering constituted a part of the key. All the rotors had contacts on both sides, through which current was flowing. Each contact corresponded to a letter of the alphabet and the contacts on both sides of a rotor were connected by a special wiring. Thus each rotor realized a monoalphabetic substitution cipher.

Classical systems - ENIGMA Due to a special kind of stepping motion of the wheels, not all the wheels rotated the same number of shifts when enciphering different letters. There was one wheel that moved with every single letter to be enciphered, and the other wheels moved more slowly. The current positions of the contacts on the wheels determined the substitution of the given (typed) letter on the machine. In this way, a long period of the output letter sequence was achieved.

Classical systems - ENIGMA Some variants of ENIGMA also included a permutation (‘plugboard’) that was realized through wiring, and that permutation occasionally changed. The role of the plugboard was to change the letter that was actually typed to some other letter (depending on the permutation) before and after the current entered the wheels.

Classical systems - ENIGMA What distinguished the ENIGMA machine from the other electromechanical cryptographic machines was the use of the reflector - a special stator that was redirecting the flow of the current back through the rotors by a different route. The reflector ensures that the ENIGMA machine is self-reciprocal, i.e. the enciphering and the deciphering transformations are the same.

Classical systems - ENIGMA However, by introducing the reflector, substituting the given letter with itself was disabled. That introduced a small bias in the statistics of the letter sequence produced by the machine that enabled the cryptanalysis.


Classical systems Electromechanical cryptographic devices of the ENIGMA type had an additional drawback - the machine itself constituted (a part of) the key. Replacing compromised machines, especially during the war, was a very difficult and often impossible task.

Classical systems The goal of the next generation of cryptographic machines was to implement a system whose security lay only in the key that was used, not in the enciphering transformation. The Vernam cipher, patented in 1917 in the U.S.A., was such a cipher. This concept was also proved to be the best from the theoretical point of view in 1949 by C. Shannon.

Classical systems The Vernam cipher (1917) (One-time pad) Key: Binary random sequence used only once. Encipherment: Decipherment: Message: COME SOON (Encoding ITA-2) Message Key Cryptogram

Classical systems The Vernam cipher was a cipher intended to be used on teletype writers. Because of that, the key storage medium was a paper tape of the same type as the tape that was used for storing the messages. The message had to be encoded first, and the teletype writer itself performed this transformation. Every teletype writer implemented some encoding and the most widespread one was International Telegraph Alphabet No 2 (ITA-2).

Classical systems – ITA 2 Binary Decimal LETTERS NUMBERS Binary Decimal LETTERS NUMBERS BLANK BLANK T E Z " LF LF L ) A W SP SP H # S BELL Y I P U Q CR CR O D $ B ? R G & J ‘ FIGS FIGS N, M F ! X / C : V ; K ( LTRS LTRS

Cryptographic Security
Unconditional security (THEORETICAL) (perfect secrecy – Shannon): the system is secure against an attacker with unlimited time and computational resources. Example: the Vernam cipher (one-time pad).
Computational security (PRACTICAL): the system is secure against an attacker with limited time and computational resources. Example: the RSA cryptosystem.

Perfect secrecy conditions (Shannon)
Application conditions: the key is used only once; the cryptanalyst has access only to the cryptogram.
Perfect secrecy: “The plaintext X is statistically independent of the cryptogram Y for all the possible plaintexts and all the possible cryptograms”
P(X = x | Y = y) = P(X = x)

Entropy Entropy is a measure of uncertainty. It is a function of probability distribution of a random variable. Shannon’s entropy of the (discrete) random variable X:

Entropy Example 1: H(X) reaches its maximum for p=0.5.

Entropy Example 2: n-sided fair die. n outcomes, each with probability 1/n.

Entropy For two random variables, X and Y, the joint entropy H(X,Y) is defined as Conditional entropy Theorem (chain rule)

Entropy Theorem where the equality holds iff all elements of are equally likely. where the equality holds iff X and Y are independent.

Entropy Thus, the fact that X and Y are independent random variables causes the same uncertainty of the plaintext regardless of the knowledge of the cryptogram.

Is perfect secrecy practically achievable?
The cipher with X, Y, Z ∈ $\{0,1,\dots,L-1\}^K$.
The key is selected at random.
The ciphering transformation:
The number of keys/plaintexts/ciphertexts is $L^K$.
With a fixed plaintext, since the key is selected at random, a unique cryptogram corresponds to every possible value of the key.

Then, any of the $L^K$ possible cryptograms corresponds to any plaintext with equal probability. Then P(X = x | Y = y) = P(X = x). For L = 2, this is the Vernam cipher.
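The argument above can be checked by exhaustive enumeration with exact fractions. This is an added example, not part of the original slides; it assumes the ciphering transformation is componentwise addition modulo L (XOR for L = 2), and the plaintext distribution is constructed for the illustration. It also shows what happens when the "key is used only once" condition is violated by repeating one key symbol across the whole message.

```python
from fractions import Fraction
from itertools import product


def posterior(prior, keys, L):
    """Return {(x, y): P(X = x | Y = y)} for Y = X + Z (mod L).

    prior maps plaintext tuples to probabilities; the key Z is drawn
    uniformly from the list `keys`, independently of the plaintext.
    """
    pk = Fraction(1, len(keys))
    joint = {}
    for x, px in prior.items():
        for z in keys:
            y = tuple((a + b) % L for a, b in zip(x, z))
            joint[(x, y)] = joint.get((x, y), 0) + px * pk
    p_y = {}
    for (_, y), p in joint.items():
        p_y[y] = p_y.get(y, 0) + p
    return {(x, y): p / p_y[y] for (x, y), p in joint.items()}


def is_perfectly_secret(prior, keys, L):
    """True iff P(X = x | Y = y) = P(X = x) for every x and every reachable y."""
    post = posterior(prior, keys, L)
    cryptograms = {y for _, y in post}
    return all(post.get((x, y), Fraction(0)) == px
               for x, px in prior.items() for y in cryptograms)


# Constructed, deliberately non-uniform plaintext distribution (L = 2, K = 2).
PRIOR = {
    (0, 0): Fraction(1, 2),
    (0, 1): Fraction(1, 4),
    (1, 0): Fraction(1, 8),
    (1, 1): Fraction(1, 8),
}

# One fresh random key symbol per plaintext symbol: all L^K keys are possible.
FULL_KEYS = list(product(range(2), repeat=2))
# The same key symbol reused for both positions: only L keys are possible.
REUSED_KEYS = [(0, 0), (1, 1)]

if __name__ == "__main__":
    print(is_perfectly_secret(PRIOR, FULL_KEYS, 2))
    print(is_perfectly_secret(PRIOR, REUSED_KEYS, 2))
    print(posterior(PRIOR, REUSED_KEYS, 2)[((0, 0), (0, 0))])
```

With the reused key, the cryptogram reveals the sum of the two plaintext symbols, so observing it changes the attacker's estimate of the plaintext.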

Security of classical systems Monoalphabetic ciphers The statistical properties of the plaintext are reflected exactly in the ciphertext. The statistical methods of cryptanalysis use the statistical properties of the language in which the message has been written.

Letter statistics - English: E 12.31%, T 9.59%, A 8.05%, O 7.94%, N 7.19%, I 7.18%, S 6.59%, R 6.03%, H 5.14%, L 4.03%, D 3.65%, C 3.20%, U 3.10%, P 2.29%

Letter statistics - English: F 2.28%, M 2.25%, W 2.03%, Y 1.88%, B 1.62%, G 1.61%, V 0.93%, K 0.52%, Q 0.20%, X J 0.10%, Z 0.09%

Letter statistics - Norwegian: E 17%; N, R 9%; T 8%; S 7%; I, L 6%; A, D, K 5%; G, O 4%; M 3%; F, P, U, V 2%; B, H, J, Y, Æ, Ø, Å 1%; C, Q, W, X, Z < 1%.
Source: Kryptografi – Ben Johnsen, Tapir Akademisk Forlag, Trondheim, 2005.

Security of classical systems
The Vigenère cipher (polyalphabetic)
The Kasiski cryptanalysis (the incidence of the coincidences) (1863)
The repetition of a certain group of letters in the cryptogram, originating from the same group of letters in the plaintext, takes place at a distance equal to a multiple of the length of the key word (30 = 6*5).
Message:    PETERLEGRANDISAGOODFRIENDOFNAPOLEONLEGRAND
Key:        EDGAREDGAREDGAREDGAREDGAREDGAREDGAREDGARED
Cryptogram: THZEIPHMRRRGOSRKRUDWVLKNUSITAGSOKOEPHMRRRG

Security of classical systems The Vigenère cipher (polyalphabetic) By studying these repetitions, it is possible to determine the length K of the key word. Then the original cryptogram can be decomposed into K simple cryptograms.
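The Kasiski examination can be run directly on the cryptogram from the slide. This is an added example, not part of the original slides; the function names are chosen for the illustration. It finds the repeated groups, derives candidate key lengths from the distances, and performs the decomposition into simple cryptograms.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

# Cryptogram from the slide (message PETERLEGRAND..., key word EDGAR).
CRYPTOGRAM = "THZEIPHMRRRGOSRKRUDWVLKNUSITAGSOKOEPHMRRRG"


def repeat_distances(ct, n=3):
    """Map every n-gram that occurs more than once to the distances
    between its consecutive occurrences."""
    positions = defaultdict(list)
    for i in range(len(ct) - n + 1):
        positions[ct[i:i + n]].append(i)
    return {g: [b - a for a, b in zip(pos, pos[1:])]
            for g, pos in positions.items() if len(pos) > 1}


def longest_repeat(ct, min_len=3):
    """Longest group occurring at least twice: (group, first, second)."""
    for n in range(len(ct) - 1, min_len - 1, -1):
        first_seen = {}
        for i in range(len(ct) - n + 1):
            g = ct[i:i + n]
            if g in first_seen:
                return g, first_seen[g], i
            first_seen[g] = i
    return None


def candidate_key_lengths(ct, n=3, max_len=20):
    """Key lengths compatible with all repeats: divisors (>= 2) of the
    gcd of the distances, since each distance is a multiple of K."""
    distances = [d for ds in repeat_distances(ct, n).values() for d in ds]
    if not distances:
        return []
    g = reduce(gcd, distances)
    return [k for k in range(2, min(g, max_len) + 1) if g % k == 0]


def split_columns(ct, k):
    """Decompose the cryptogram into k simple cryptograms; column i holds
    the letters enciphered with key letter i, i.e. a single fixed shift."""
    return [ct[i::k] for i in range(k)]


if __name__ == "__main__":
    print(longest_repeat(CRYPTOGRAM))
    print(candidate_key_lengths(CRYPTOGRAM))
    for column in split_columns(CRYPTOGRAM, 5):
        print(column)
```

On a text this short a single repetition leaves every divisor of 30 as a candidate; the true length 5 is among them, and each resulting column can then be attacked with the monoalphabetic letter statistics.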

Security of classical systems The Vernam cipher Meets the conditions of perfect secrecy. One key bit for every plaintext bit.

Unicity distance Given a ciphertext, if we try all the possible keys, how many keys will decrypt it to something meaningful? The unicity distance $n_0$ is the length of ciphertext at which one expects that there is a unique meaningful plaintext. If the text is long enough, there will be a unique key and a unique corresponding plaintext. R is the redundancy of the text (0.75 for English), K is the key space and L is the alphabet.

Unicity distance H is the entropy of the language. Example: One-time pad for a message of length N. There are $26^N$ possible keys. We need more letters than the entire ciphertext for a unique decryption.

Mathematical fundamentals Mathematical disciplines, whose results are used in cryptography: Algebra Number theory Combinatorics Probability theory and statistics Computational complexity theory Etc.

Groups A group G is a non empty set with a binary operation, which satisfies the axioms of the group: Closure: Associativity: Existence of the identity (neutral) element: Existence of the inverse elements (inverses):

Groups
Multiplicative group: the operation * is the multiplication. The operation is ·. The identity element is 1. The inverse element is $x^{-1}$.
Additive group: the operation * is the sum. The operation is +. The identity element is 0. The inverse element is –x.

Groups Examples of additive groups: Z, Q, R, C,, where the operation is the sum modulo n. Examples of multiplicative groups: where the operation is the multiplication modulo n.

Groups Example: Verify that $Z_n$ is a group. Closure: yes, because the operation is the sum modulo n. The identity element is 0. Associativity: obvious. The inverse element:

Groups If in the group G the operation * fulfils the commutative property, i.e. then G is a commutative or Abelian group. If G is a finite group, the number of elements in G is called order of G and is represented by #G.

Groups An element g ∈ G is a generator of G if every element of G can be written as a power of g. G is then a cyclic group. The cyclic group: Example: the generators of $Z_{12}$ are 1, 5, 7 and 11.

Groups A nonempty subset H of G is called a subgroup of G if it is closed under multiplication and inversion, i.e. The Lagrange theorem: If G is a finite group and H is its subgroup, then #H divides #G.

Groups Examples: A group of order 8 can have subgroups of order 2 and 4, but not of order 3 or 6. A finite group, whose order is a prime number cannot have its own subgroups.

Groups The order of an element g ∈ G of a finite group is the least positive integer k such that $g^k = e$. If k is the order of g ∈ G, then $\{e, g, g^2, \dots, g^{k-1}\}$ is a subgroup of G. Corollary of the Lagrange theorem: In a finite group, the order of each element divides the order of the group.

Groups Example: a subgroup of $Z_8$:

Groups The symmetric group $S_n$: Contains all the permutations of the elements {1,…,n}. The operation of the group is the composition of functions. $\#S_n = n!$. It is not Abelian for n ≥ 3.

Groups Example: $S_3$ Elements:

Finite fields A field is a set K together with two operations, + and ·, sum and product, which satisfy the following properties: (K, +) is a commutative group – the additive group of the field. (K* = K\{0}, ·) is a commutative group – the multiplicative group of the field. The product has the distributive property with respect to the sum.

Finite fields Example: If p is a prime number, then $Z_p$ is a field. $Z_p$ is an additive commutative group. $(Z_p)^*$ is a multiplicative commutative group. the Euler function. The product obviously has the distributive property with respect to the sum.

Finite fields Theorem: (i) The number of elements of a finite field K must be equal to the power of a prime number, i.e. $\#K = p^m$. p is the characteristic of the field. The field is represented by $GF(p^m)$ (Galois Field).

Finite fields Theorem (cont.): (ii) There is only one finite field of $p^m$ elements. If we fix an irreducible polynomial F(x) of degree m with coefficients in $Z_p$, the elements of $GF(p^m)$ are represented as polynomials with coefficients in $Z_p$ of degree < m and the product of elements of $GF(p^m)$ is realised as the product of polynomials modulo F(x).

Finite fields Example: p=2, m=3 is irreducible.
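The construction of GF(p^m) as polynomials modulo F(x), together with the group facts from the earlier slides (element order, generators, Lagrange corollary), can be exercised in a short program. This is an added example, not part of the original slides; the polynomial on the last slide was not preserved, so F(x) = x^3 + x + 1 over Z_2 is an assumed choice, contrasted with the reducible x^3 + 1, and x^2 + 1 over Z_3 is used to go beyond the slide's p = 2 case.

```python
from itertools import product

# Coefficient tuples, lowest degree first. Assumed sample polynomials.
F8 = (1, 1, 0, 1)        # x^3 + x + 1 over Z_2 (irreducible)
F8_BAD = (1, 0, 0, 1)    # x^3 + 1 = (x + 1)(x^2 + x + 1) over Z_2
F9 = (1, 0, 1)           # x^2 + 1 over Z_3 (irreducible)


def poly_mulmod(a, b, F, p):
    """Product of a and b modulo the monic polynomial F over Z_p.

    a and b are elements of the field: tuples of exactly m = deg F
    coefficients, lowest degree first.
    """
    m = len(F) - 1
    prod = [0] * (2 * m - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    # Cancel each term of degree d >= m by subtracting c * x^(d-m) * F(x).
    for d in range(2 * m - 2, m - 1, -1):
        c = prod[d]
        for k in range(m + 1):
            prod[d - m + k] = (prod[d - m + k] - c * F[k]) % p
    return tuple(prod[:m])


def nonzero_elements(p, m):
    return [e for e in product(range(p), repeat=m) if any(e)]


def is_field(F, p):
    """True iff every nonzero residue modulo F has a multiplicative
    inverse, i.e. (K minus {0}, product) is a group. This holds exactly
    when F is irreducible over Z_p."""
    m = len(F) - 1
    one = (1,) + (0,) * (m - 1)
    elems = nonzero_elements(p, m)
    return all(any(poly_mulmod(a, b, F, p) == one for b in elems)
               for a in elems)


def element_order(a, F, p):
    """Least k >= 1 with a^k = 1 in the multiplicative group."""
    m = len(F) - 1
    one = (1,) + (0,) * (m - 1)
    acc = a
    for k in range(1, p ** m):
        if acc == one:
            return k
        acc = poly_mulmod(acc, a, F, p)
    raise ValueError("element is not invertible modulo F")


def generators(F, p):
    """Elements whose powers give the whole multiplicative group."""
    m = len(F) - 1
    return [a for a in nonzero_elements(p, m)
            if element_order(a, F, p) == p ** m - 1]


if __name__ == "__main__":
    print(is_field(F8, 2), is_field(F8_BAD, 2))
    print(poly_mulmod((0, 1, 0), (0, 0, 1), F8, 2))   # x * x^2 = x + 1
    print(sorted(element_order(a, F9, 3) for a in nonzero_elements(3, 2)))
```

In GF(8) the multiplicative group has prime order 7, so every element other than 1 is a generator; in GF(9) the element orders are all divisors of 8, as the Lagrange corollary requires.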