Classical Cryptography
p2. Outline
[1] Introduction: Some Simple Cryptosystems
    The Shift Cipher
    The Substitution Cipher
    The Affine Cipher
    The Vigenère Cipher
    The Hill Cipher
    The Permutation Cipher
    Stream Ciphers
[2] Cryptanalysis
    Cryptanalysis of the Affine Cipher
    Cryptanalysis of the Substitution Cipher
    Cryptanalysis of the Vigenère Cipher
    Cryptanalysis of the Hill Cipher
    Cryptanalysis of the LFSR Stream Cipher
p3. Classical Cryptography [1] Introduction
[Figure: communication channel. Labels: Alice, encrypter, decrypter, Bob, Oscar, secure channel, key source, x, x, K, y]
p4. Classical Cryptography Definition 1.1: A cryptosystem is a five-tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ satisfying the following conditions:
$\mathcal{P}$ is a finite set of possible plaintexts
$\mathcal{C}$ is a finite set of possible ciphertexts
$\mathcal{K}$, the keyspace, is a finite set of possible keys
For each $K \in \mathcal{K}$, there is an encryption rule $e_K \in \mathcal{E}$ and a corresponding decryption rule $d_K \in \mathcal{D}$
$d_K(e_K(x)) = x$ for every plaintext $x \in \mathcal{P}$
p5. Classical Cryptography Definition 1.2: $a$ and $b$ are integers, $m$ is a positive integer
congruence: $a \equiv b \pmod{m}$ if $m$ divides $b - a$
$\mathbb{Z}_m$: the set $\{0, 1, \ldots, m-1\}$ with 2 operations $+$ and $\times$
$10 + 20 = 4$ in $\mathbb{Z}_{26}$ ($10 + 20 \bmod 26 = 4$)
$10 \times 20 = 18$ in $\mathbb{Z}_{26}$ ($10 \times 20 \bmod 26 = 18$)
p6. Classical Cryptography Shift Cipher
Cryptosystem 1.1: Shift Cipher
$\mathcal{P} = \mathcal{C} = \mathcal{K} = \mathbb{Z}_{26}$
$K, x, y \in \mathbb{Z}_{26}$
$e_K(x) = (x + K) \bmod 26$
$d_K(y) = (y - K) \bmod 26$
A B C D E F G H I J K L M
N O P Q R S T U V W X Y Z
p7. Classical Cryptography e.g.: Suppose $K = 11$
Plaintext: student
Ciphertext: DEFOPZE
p8. Classical Cryptography Substitution Cipher
Cryptosystem 1.2: Substitution Cipher
$\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}$
$\mathcal{K}$: all possible permutations of the 26 symbols
For each ∈ K e (x)= (x) d (y)= -1 (y) where -1 is the inverse permutation to
p9. Classical Cryptography e.g.:
Plaintext: student
Ciphertext: VMUSHSM
x      a b c d e f g h i j k l m
e (x)  X N Y A H P O G Z Q W B T
x      n o p q r s t u v w x y z
e (x)  S F L R C V M U E K J D I
p10. Classical Cryptography Affine Cipher
Theorem 1.1: $ax \equiv b \pmod{m}$ has a unique solution $x \in \mathbb{Z}_m$ for every $b \in \mathbb{Z}_m$ iff $\gcd(a, m) = 1$
Definition 1.3: Suppose $a \ge 1$ and $m \ge 2$ are integers
$a$ and $m$ are relatively prime if $\gcd(a, m) = 1$
(m): the number of integers in $\mathbb{Z}_m$ that are relatively prime to $m$
Theorem 1.2: Suppose
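p11. Classical Cryptography Definition 1.4: Suppose $a \in \mathbb{Z}_m$
$a^{-1} \bmod m$: the multiplicative inverse of $a$ modulo $m$
$a a^{-1} \equiv a^{-1} a \equiv 1 \pmod{m}$
Cryptosystem 1.3: Affine Cipher
$\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}$
$\mathcal{K} = \{(a, b) \in \mathbb{Z}_{26} \times \mathbb{Z}_{26} : \gcd(a, 26) = 1\}$
For $K = (a, b) \in \mathcal{K}$; $x, y \in \mathbb{Z}_{26}$
$e_K(x) = (ax + b) \bmod 26$
$d_K(y) = a^{-1}(y - b) \bmod 26$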
p12. Classical Cryptography e.g.: Suppose $K = (7, 3)$
$7^{-1} \bmod 26 = 15$
$e_K(x) = (7x + 3) \bmod 26$
$d_K(y) = 15(y - 3) \bmod 26$
Plaintext: student
Ciphertext: ZGNYFQG
p13. Classical Cryptography Vigenère Cipher
Cryptosystem 1.4: Vigenère Cipher
$m$: a positive integer
$\mathcal{P} = \mathcal{C} = \mathcal{K} = (\mathbb{Z}_{26})^m$
For a key $K = (k_1, k_2, \ldots, k_m)$
$e_K(x_1, x_2, \ldots, x_m) = (x_1 + k_1, x_2 + k_2, \ldots, x_m + k_m)$
$d_K(y_1, y_2, \ldots, y_m) = (y_1 - k_1, y_2 - k_2, \ldots, y_m - k_m)$
p14. Classical Cryptography e.g.: Suppose $m = 4$ and $K = (2, 8, 15, 7)$
Plaintext: student
Ciphertext: UBJKGVI
p15. Classical Cryptography Hill Cipher
Definition 1.5: Suppose $A = (a_{i,j})$ is an $m \times m$ matrix
$A_{i,j}$: the matrix obtained from $A$ by deleting the $i$th row and the $j$th column
$\det A$: the determinant of $A$
$m = 1$: $\det A = a_{1,1}$
$m > 1$: for any fixed $i$
$A^* = (a^*_{i,j})$: the adjoint matrix of $A$
$a^*_{i,j} = (-1)^{i+j} \det A_{j,i}$
p16. Classical Cryptography Theorem 1.3: Suppose $K = (k_{i,j})$ is an $m \times m$ invertible matrix over $\mathbb{Z}_n$
$K^{-1} = (\det K)^{-1} K^*$
e.g.: $\det K = 11 \times 7 - 8 \times 3 \bmod 26 = 1$
$K^{-1} = (\det K)^{-1} K^* =$
p17. Classical Cryptography Cryptosystem 1.5: Hill Cipher
$m \ge 2$ is an integer
$\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$
$\mathcal{K} = \{m \times m \text{ invertible matrices over } \mathbb{Z}_{26}\}$
For a key $K$
$e_K(x) = xK$
$d_K(y) = yK^{-1}$
where $K^{-1}$ is the inverse of $K$
p18. Classical Cryptography e.g.: Plaintext: GOD (6 14 3) Ciphertext: WTJ ( )
p19. Classical Cryptography Permutation Cipher
Cryptosystem 1.6: Permutation Cipher
$m$ is a positive integer
$\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$
$\mathcal{K}$ consists of all permutations of $\{1, \ldots, m\}$
For a key (a permutation) e (x 1, …,x m )=(x (1), …,x (m) ) where -1 is the inverse permutation to
p20. Classical Cryptography e.g.: Suppose $m = 6$
[Table: x, (x); entries missing]
Plaintext: CYBERFORMULA
Ciphertext: BRCFEYMLOAUR
p21. Classical Cryptography Stream Ciphers
Definition 1.6: A synchronous stream cipher is a tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{L}, \mathcal{E}, \mathcal{D})$ with a function $g$
$\mathcal{P}$: a finite set of possible plaintexts
$\mathcal{C}$: a finite set of possible ciphertexts
$\mathcal{K}$: a finite set of possible keys
$\mathcal{L}$: a finite set called the keystream alphabet
$g$: the keystream generator
Input: $K$
$g$ generates an infinite string $z_1 z_2 \ldots$
p22. Classical Cryptography Definition 1.6 (cont.)
For each $z \in \mathcal{L}$, there is an encryption rule $e_z \in \mathcal{E}$ and a corresponding decryption rule $d_z \in \mathcal{D}$
$d_z(e_z(x)) = x$ for every plaintext $x \in \mathcal{P}$
p23. Classical Cryptography Vigenère Cipher can be defined as a synchronous stream cipher
$\mathcal{K} = (\mathbb{Z}_{26})^m$
$\mathcal{P} = \mathcal{C} = \mathcal{L} = \mathbb{Z}_{26}$
$e_z(x) = (x + z) \bmod 26$
$d_z(y) = (y - z) \bmod 26$
p24. Classical Cryptography Keystream can be produced efficiently in hardware using an LFSR (Linear Feedback Shift Register)
$k_1$ would be tapped as the next keystream bit
$k_2, \ldots, k_m$ would each be shifted 1 stage to the left
The new value of $k_m$ would be
this is "linear feedback" (see Figure 1.2)
This system is modulo 2
p25. Classical Cryptography e.g.: in Figure 1.2, suppose $K = (1, 0, 0, 0)$
$c_0 = 1$, $c_1 = 1$, $c_2 = 0$, $c_3 = 0$
The keystream is …
[Figure 1.2: LFSR with stages $k_1$, $k_2$, $k_3$, $k_4$ and a modulo-2 adder (+)]
p26. Classical Cryptography Non-synchronous stream cipher:
Each keystream element $z_i$ depends on previous plaintext or ciphertext elements
Cryptosystem 1.7: Autokey Cipher
$\mathcal{P} = \mathcal{C} = \mathcal{K} = \mathcal{L} = \mathbb{Z}_{26}$
$z_1 = K$, $z_i = x_{i-1}$ for all $i > 1$
For $x, y, z \in \mathbb{Z}_{26}$
$e_z(x) = (x + z) \bmod 26$
$d_z(y) = (y - z) \bmod 26$
p27. Classical Cryptography e.g.: Suppose $K = 8$
Plaintext: student
Ciphertext: ALNXHRG
p28. Classical Cryptography [2] Cryptanalysis
Assumption (Kerckhoffs' principle): The opponent knows the cryptosystem being used
Attack models:
    ciphertext only attack
    known plaintext attack
    chosen plaintext attack
    chosen ciphertext attack
p29. Classical Cryptography Statistical properties of the English language: (see Table 1.1)
E: probability about
T, A, O, I, N, S, H, R: between 0.06 and 0.09
D, L: 0.04
C, U, M, W, F, G, Y, P, B: between and
V, K, J, X, Q, Z: 0.01
Most common digrams: TH, HE, IN, ER, AN, ND, …
Most common trigrams: THE, ING, AND, END, …
p30. Classical Cryptography Table 1.1
letter  probability    letter  probability
A       .082           N       .067
B       .015           O       .075
C       .028           P       .019
D       .043           Q       .001
E       .127           R       .060
F       .022           S       .063
G       .020           T       .091
H       .061           U       .028
I       .070           V       .010
J       .002           W       .023
K       .008           X       .001
L       .040           Y       .020
M       .024           Z       .001
p31. Classical Cryptography Cryptanalysis of the Affine Cipher
Ciphertext obtained from an Affine Cipher:
FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH
Frequency analysis: Table 1.2
Most frequent ciphertext characters:
R: 8 occurrences
D: 7 occurrences
E, H, K: 5 occurrences
We now guess the mapping and solve the equation $e_K(x) = ax + b \bmod 26$
p32. Classical Cryptography Table 1.2
letter  frequency    letter  frequency
A       2            N       1
B       1            O       1
C       0            P       2
D       7            Q       0
E       5            R       8
F       4            S       3
G       0            T       0
H       5            U       2
I       0            V       4
J       0            W       0
K       5            X       2
L       2            Y       1
M       2            Z       0
p33. Classical Cryptography
Guess e → R, t → D: $e_K(4) = 17$, $e_K(19) = 3$; $a = 6$, $b = 19$; ILLEGAL ($\gcd(a, 26) > 1$)
Guess e → R, t → E: $e_K(4) = 17$, $e_K(19) = 4$; $a = 13$, $b = 17$; ILLEGAL ($\gcd(a, 26) > 1$)
Guess e → R, t → H: $e_K(4) = 17$, $e_K(19) = 7$; $a = 8$, $b = 11$; ILLEGAL ($\gcd(a, 26) > 1$)
p34. Classical Cryptography
Guess e → R, t → K: $e_K(4) = 17$, $e_K(19) = 10$; $a = 3$, $b = 5$; LEGAL
$d_K(y) = 9y - 19$
Plaintext: algorithmsarequitegeneraldefinitionsofarithmeticprocesses
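The guessing procedure on slides 31 to 34, as an added example that is not part of the original slides: it ranks the ciphertext letters by frequency, maps e to the most frequent one and t to each runner-up in turn, solves the two congruences for (a, b), and stops at the first key with gcd(a, 26) = 1. The function names are hypothetical; stopping at the first legal key mirrors the slides, whereas in general the resulting plaintext must also be checked for readability.

```python
from collections import Counter
from math import gcd

# Ciphertext from slide 31 (line break removed).
CT = "FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH"

def solve_key(x1, y1, x2, y2):
    """Solve a*x1 + b = y1 and a*x2 + b = y2 (mod 26) for (a, b)."""
    dx = (x1 - x2) % 26
    if gcd(dx, 26) != 1:
        return None  # no unique solution for a
    a = (y1 - y2) * pow(dx, -1, 26) % 26
    return a, (y1 - a * x1) % 26

def decrypt(ct, a, b):
    """d_K(y) = a^-1 (y - b) mod 26, returned in lower case."""
    a_inv = pow(a, -1, 26)
    return "".join(chr(a_inv * (ord(c) - 65 - b) % 26 + 97) for c in ct)

def attack(ct, runners_up=4):
    """Guess e -> most frequent letter, t -> each runner-up until the key is legal."""
    # Ties in frequency are broken alphabetically, which gives D, E, H, K here.
    ranked = sorted(Counter(ct).items(), key=lambda kv: (-kv[1], kv[0]))
    e_image = ord(ranked[0][0]) - 65
    tried = []
    for letter, _ in ranked[1:1 + runners_up]:
        key = solve_key(4, e_image, 19, ord(letter) - 65)  # e = 4, t = 19
        tried.append((letter, key))
        if key is not None and gcd(key[0], 26) == 1:
            return tried, key, decrypt(ct, *key)
    return tried, None, None

if __name__ == "__main__":
    tried, key, plaintext = attack(CT)
    for letter, k in tried:
        print(f"t -> {letter}: (a, b) = {k}")
    print(key, plaintext)
```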
p35. Classical Cryptography Cryptanalysis of the Substitution Cipher
Ciphertext obtained from a Substitution Cipher:
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDD
UMJNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZ
UNMXZNZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCR
WNZDZJJXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYU
CFWDJNZDIR
Frequency analysis: Table 1.3
Z occurs most: guess $d_K(Z) = e$
Letters that occur at least 10 times: C, D, F, J, M, R, Y
These are encryptions of {t, a, o, i, n, s, h, r}
But the frequencies do not vary enough to guess
p36. Classical Cryptography Table 1.3
letter  frequency    letter  frequency
A       0            N       9
B       1            O       0
C       15           P       1
D       13           Q       4
E       7            R       10
F       11           S       3
G       1            T       2
H       4            U       5
I       5            V       5
J                    W       8
K       1            X       6
L       0            Y       10
M       16           Z       20
p37. Classical Cryptography We now look at digrams: -Z or Z-
4 times: DZ, ZW. Guess $d_K(W) = d$: ed → ZW
3 times: NZ, ZU. Guess $d_K(N) = h$: he → NZ
We have ZRW: guess $d_K(R) = n$, end → ZRW
We have CRW: guess $d_K(C) = a$, and → CRW
We have RNM, which decrypts to nh-
This suggests that h- begins a word: M should be a vowel
We have CM: guess $d_K(M) = i$ (ai is more likely than ao)
p
iend-----a-i-e-a
YIFQFMZRWQFYVECFMDZPC
-inedhi-e------a---i-
VMRZWNMDZVEJBTXCDDUMJ
h-----i-ea-i-e-a---a-
NDIFEFMDZCDMQZKCEYFCJ
i-nhad-a-en--a-e-hi-e
MYRNCWJCSZREXCHZUNMXZ
he-a-n-----in-i----ed
NZUCDRJXYYSMRTMEYIFZW
---e---e-ineandhe-e--
DYVZVYFZUMRZCRWNZDZJJ
-ed-a--inhi--hai--a-e
XZWGCHSMRNMDHNCMFQCHZ
-i--ed-----a-d--he--n
JMXJZWIEJYUCFWDJNZDIR
p39. Classical Cryptography We have DZ (4 times) and ZD (2 times)
Guess $d_K(D) \in \{r, s, t\}$
Since o is a common letter
Guess $e_K(o) \in \{F, J, Y\}$
We have CFM and CJM: guess $d_K(Y) = o$ (aoi is impossible)
Guess NMD → his: $d_K(D) = s$
Guess HNCMF → chair: $d_K(H) = c$, $d_K(F) = r$
$d_K(J) = t$: the → JNZ
p40.
o-r-riend-ro--arise-a
YIFQFMZRWQFYVECFMDZPC
-inedhise--t---ass-it
VMRZWNMDZVEJBTXCDDUMJ
hs-r-riseasi-e-a-orat
NDIFEFMDZCDMQZKCEYFCJ
ionhadta-en--ace-hi-e
MYRNCWJCSZREXCHZUNMXZ
he-asnt-oo-in-i-o-red
NZUCDRJXYYSMRTMEYIFZW
so-e-ore-ineandhesett
DYVZVYFZUMRZCRWNZDZJJ
-ed-ac-inhischair-ace
XZWGCHSMRNMDHNCMFQCHZ
ti-ted--to-ardsthes-n
JMXJZWIEJYUCFWDJNZDIR
p41. Classical Cryptography Now it is easy to determine the others
$d_K(I) = u$    $d_K(Q) = f$
$d_K(V) = m$    $d_K(E) = p$
$d_K(P) = x$    $d_K(B) = y$
$d_K(T) = g$    $d_K(X) = l$
$d_K(U) = w$    $d_K(K) = v$
$d_K(S) = k$    $d_K(G) = b$
p42.
ourfriendfromparisexa
YIFQFMZRWQFYVECFMDZPC
minedhisemptyglasswit
VMRZWNMDZVEJBTXCDDUMJ
hsurpriseasifevaporat
NDIFEFMDZCDMQZKCEYFCJ
ionhadtakenplacewhile
MYRNCWJCSZREXCHZUNMXZ
hewasntlookingipoured
NZUCDRJXYYSMRTMEYIFZW
somemorewineandhesett
DYVZVYFZUMRZCRWNZDZJJ
ledbackinhischairface
XZWGCHSMRNMDHNCMFQCHZ
tilteduptowardsthesun
JMXJZWIEJYUCFWDJNZDIR
p43. Classical Cryptography Cryptanalysis of the Vigenère Cipher
Kasiski test (1863) (Find m only):
Search the ciphertext for pairs of identical segments (length at least 3)
Record the distance between the starting positions of the 2 segments
If we obtain several such distances 1, 2, …, we would conjecture that the key length m divides all of the i ’s
m divides the gcd of the i ’s
p44. Classical Cryptography Friedman test (1925)
Definition 1.7: Suppose $x = x_1 x_2 \ldots x_n$ is a string of $n$ alphabetic characters
Index of coincidence of $x$, denoted $I_C(x)$: the probability that 2 random elements of $x$ are identical
We denote the frequencies of A, B, …, Z in $x$ by $f_0, f_1, \ldots, f_{25}$
p45. Classical Cryptography Using the expected probabilities in Table 1.1
$p_0, \ldots, p_{25}$: the expected probability of A, …, Z
Suppose a ciphertext $Y = y_1 y_2 \ldots y_n$
Define $m$ substrings $Y_1, \ldots, Y_m$ of $Y$
Each value $I_C(Y_i)$ should be roughly equal to 0.065
p46. Classical Cryptography If $m$ is not the keyword length
$Y_i$ will look much more random
A completely random string will have
p47. Classical Cryptography Ciphertext obtained from a Vigenère Cipher
CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQ
EQERBWRVXUOAKXAOSXXWEAHBWGJMMQMNKG
RFVGXWTRZXWIAKLXFPSKAUTEMNDCMGTSXMXB
TUIADNGMGPSRELXNJELXVRVPRTULHDNQWTWD
TYGBPHXTFALJHASVBFXNGLLCHRZBWELEKMSJIK
NBHWRJGNMGJSGLXFEYPHAGNRBIEQJTAMRVLC
RREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBB
IPEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZC
HRCLQOHPWQAIIWXNRMGWOIIFKEE
CHR occurs in 5 places: 1, 166, 236, 276, 286
The distances from the 1st one: 165, 235, 275, 285
The g.c.d. is 5: we guess $m = 5$ (by the Kasiski test)
p48. Classical Cryptography We check the indices of coincidence:
$m = 1$: $I_C(Y) = 0.045$
$m = 2$: $I_C(Y_1) = 0.046$, $I_C(Y_2) = 0.041$
$m = 3$: $I_C$ = 0.043, 0.050,
$m = 4$: $I_C$ = 0.042, 0.039, 0.046,
$m = 5$: $I_C$ = 0.063, 0.068, 0.069, 0.061,
By the Friedman test, $m = 5$
p49. Classical Cryptography Now we want to determine the key $K = (k_1, k_2, \ldots, k_m)$
$f_0, f_1, \ldots, f_{25}$: the frequencies of A, B, …, Z
$n' = n/m$: the length of the string $Y_i$
The probability distribution of the 26 letters in $Y_i$:
$Y_i$ is obtained by shift encryption using a shift $k_i$
We hope that the shifted probability distribution would be close to $p_0, \ldots, p_{25}$
p50. Classical Cryptography Define the quantity $M_g$: for $0 \le g \le 25$
If $g = k_i$,
If $g \ne k_i$, $M_g$ will be smaller than
Return to the previous example:
Compute the values $M_g$, for $1 \le i \le 5$ (Table 1.4)
For each $i$, look for a value of $M_g$ close to
From Table 1.4: $K = (9, 0, 13, 4, 19)$
The keyword is JANET
p51. [Table 1.4: $i$, value of $M_g(Y_i)$; entries missing]
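The Kasiski test, the index of coincidence and the $M_g$ key search from slides 43 to 50, run on the slide's own ciphertext, as an added example that is not part of the original slides. The formulas for $I_C$ and $M_g$ did not survive on this page, so the code assumes the standard definitions $I_C(x) = \sum_i f_i(f_i - 1) / (n(n - 1))$ and $M_g = \sum_i p_i f_{i+g} / n'$; the function names are hypothetical.

```python
from functools import reduce
from math import gcd

# Ciphertext from slide 47, one string literal per line of the slide.
CT = ("CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQ"
      "EQERBWRVXUOAKXAOSXXWEAHBWGJMMQMNKG"
      "RFVGXWTRZXWIAKLXFPSKAUTEMNDCMGTSXMXB"
      "TUIADNGMGPSRELXNJELXVRVPRTULHDNQWTWD"
      "TYGBPHXTFALJHASVBFXNGLLCHRZBWELEKMSJIK"
      "NBHWRJGNMGJSGLXFEYPHAGNRBIEQJTAMRVLC"
      "RREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBB"
      "IPEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZC"
      "HRCLQOHPWQAIIWXNRMGWOIIFKEE")
# Expected probabilities p_0..p_25 of A..Z, copied from Table 1.1.
P = [.082, .015, .028, .043, .127, .022, .020, .061, .070, .002, .008, .040, .024,
     .067, .075, .019, .001, .060, .063, .091, .028, .010, .023, .001, .020, .001]

def kasiski(ct, seg):
    """1-based start positions of seg, and the gcd of their distances from the first."""
    pos = [i + 1 for i in range(len(ct) - len(seg) + 1) if ct.startswith(seg, i)]
    return pos, reduce(gcd, (p - pos[0] for p in pos[1:]))

def index_of_coincidence(s):
    """Probability that two letters drawn from s (without replacement) are identical."""
    n = len(s)
    return sum(c * (c - 1) for c in map(s.count, set(s))) / (n * (n - 1))

def recover_key(ct, m):
    """For each substring Y_i, pick the shift g that maximises M_g (assumed formula)."""
    key = []
    for col in (ct[i::m] for i in range(m)):
        f = [col.count(chr(65 + j)) for j in range(26)]
        mg = [sum(P[i] * f[(i + g) % 26] for i in range(26)) / len(col)
              for g in range(26)]
        key.append(chr(65 + mg.index(max(mg))))
    return "".join(key)

if __name__ == "__main__":
    positions, m = kasiski(CT, "CHR")
    print(positions, m)
    print([round(index_of_coincidence(CT[i::m]), 3) for i in range(m)])
    print(recover_key(CT, m))
```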
p52. Classical Cryptography Cryptanalysis of the Hill Cipher
Hill Cipher is difficult to break with a ciphertext-only attack
We use a known plaintext attack
Suppose the unknown key is an $m \times m$ matrix and we have at least $m$ distinct plaintext-ciphertext pairs
$x_j = (x_{1,j}, x_{2,j}, \ldots, x_{m,j})$
$y_j = (y_{1,j}, y_{2,j}, \ldots, y_{m,j})$
$y_j = e_K(x_j)$, for $1 \le j \le m$
p53. Classical Cryptography We define two $m \times m$ matrices $X = (x_{i,j})$ and $Y = (y_{i,j})$
$Y = XK$
$K = X^{-1} Y$
e.g.: $m = 2$, plaintext: friday, ciphertext: PQCFKU
$e_K(5, 17) = (15, 16)$
$e_K(8, 3) = (2, 5)$
$e_K(0, 24) = (10, 20)$
p54. Classical Cryptography e.g. (cont.)
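The known-plaintext attack above carried through for the friday / PQCFKU pair, as an added example that is not part of the original slides. It is restricted to $m = 2$, inverts $X$ with the adjoint formula of Theorem 1.3, skips any pair of plaintext blocks whose matrix is not invertible modulo 26, and confirms the recovered key against every known pair; the function names are hypothetical.

```python
from itertools import combinations
from math import gcd

def blocks(text, m=2):
    """Letters as residues 0..25 (a = 0), split into row vectors of length m."""
    v = [ord(c) - 97 for c in text.lower()]
    return [v[i:i + m] for i in range(0, len(v), m)]

def inverse_2x2(M, n=26):
    """K^-1 = (det K)^-1 K* for a 2 x 2 matrix; None if det is not invertible mod n."""
    (a, b), (c, d) = M
    det = (a * d - b * c) % n
    if gcd(det, n) != 1:
        return None
    di = pow(det, -1, n)
    return [[d * di % n, -b * di % n], [-c * di % n, a * di % n]]

def matmul(A, B, n=26):
    """Matrix product A * B with entries reduced mod n."""
    return [[sum(x * y for x, y in zip(row, col)) % n for col in zip(*B)]
            for row in A]

def recover_hill_key(plaintext, ciphertext):
    """Return K with Y = XK, using the first pair of blocks whose X is invertible."""
    xs, ys = blocks(plaintext), blocks(ciphertext)
    for i, j in combinations(range(len(xs)), 2):
        x_inv = inverse_2x2([xs[i], xs[j]])
        if x_inv is None:
            continue  # this X has no inverse mod 26, try other blocks
        K = matmul(x_inv, [ys[i], ys[j]])
        if matmul(xs, K) == ys:  # key must explain every known pair
            return K
    return None

if __name__ == "__main__":
    print(inverse_2x2([[5, 17], [8, 3]]))
    print(recover_hill_key("friday", "PQCFKU"))
```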
p55. Classical Cryptography Cryptanalysis of the LFSR Stream Cipher
Recall this system is modulo 2
$y_i = (x_i + z_i) \bmod 2$
$(z_1, \ldots, z_m) = (k_1, \ldots, k_m)$
$i \ge 1$, $c_0, \ldots, c_{m-1} \in \mathbb{Z}_2$
p56. Classical Cryptography We use a known-plaintext attack here
If plaintext length ≥ $2m$
We can solve the system of $m$ linear equations:
p57. Classical Cryptography e.g.: suppose the system uses a 5-stage LFSR Plaintext: Ciphertext: Keystream bits:
p58. Classical Cryptography e.g. (cont.)
$z_{i+5} = (z_i + z_{i+3}) \bmod 2$
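LFSR keystream generation (slides 24 and 25) and the known-plaintext attack on it (slides 55 to 58), as an added example that is not part of the original slides. It assumes the usual recurrence $z_{i+m} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2$, which is consistent with the slide's $z_{i+5} = (z_i + z_{i+3}) \bmod 2$; the initial state and plaintext bits in the demo are constructed, since the slide's bit strings are missing from this page, and the function names are hypothetical.

```python
def lfsr(init, taps, n):
    """First n keystream bits of z_{i+m} = sum_j c_j * z_{i+j} mod 2."""
    z = list(init)
    while len(z) < n:
        z.append(sum(c * b for c, b in zip(taps, z[-len(init):])) % 2)
    return z[:n]

def recover_taps(z, m):
    """Solve for c_0..c_{m-1} from 2m keystream bits by elimination over GF(2)."""
    # Row i encodes z_i*c_0 + ... + z_{i+m-1}*c_{m-1} = z_{i+m}.
    rows = [z[i:i + m] + [z[i + m]] for i in range(m)]
    for col in range(m):
        piv = next((r for r in range(col, m) if rows[r][col]), None)
        if piv is None:
            return None  # singular system: these bits do not determine m taps
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [row[m] for row in rows]

def known_plaintext_attack(plain_bits, cipher_bits, m):
    """Recover (initial state, taps) from at least 2m matching plaintext/ciphertext bits."""
    z = [x ^ y for x, y in zip(plain_bits, cipher_bits)]  # z_i = (x_i + y_i) mod 2
    return z[:m], recover_taps(z, m)

if __name__ == "__main__":
    # Slide 25: K = (1,0,0,0), c = (1,1,0,0).
    print(lfsr((1, 0, 0, 0), (1, 1, 0, 0), 15))
    # Constructed demo: 5-stage LFSR with the recurrence from slide 58.
    keystream = lfsr((1, 1, 0, 1, 0), (1, 0, 0, 1, 0), 10)
    plain = [0, 1, 1, 0, 0, 1, 0, 1, 1, 1]  # constructed plaintext bits
    cipher = [p ^ k for p, k in zip(plain, keystream)]
    print(known_plaintext_attack(plain, cipher, 5))
```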