Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered."— Presentation transcript:

1

2 Sigaba 1 Sigaba

3 Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered impossible  Like Enigma, Sigaba is a rotor machine o But instead of 3 rotors, Sigaba uses 15 rotors!  Not suitable for battlefield o Bigger, heavier, more fragile than Enigma

4 Sigaba 3 Sigaba  Like a big typewriter  A really big typewriter…  A really, really big typewriter…

5 Sigaba 4 Sigaba  Developed by Rowlett, Friedman and others o Knew odometer stepping of rotors is weakness  Sigaba uses 10 rotors to determine stepping of the 5 cipher rotors  Any of 5 cipher rotors can step o From 1 to 4 cipher rotors step for each letter  Almost like using one Enigma to determine rotor stepping of another Enigma

6 Sigaba 5 Sigaba  Rotors  Lots of rotors…  Rotors, rotors, and more rotors

7 Sigaba 6 Sigaba Wiring Diagram  Control and index rotors determine stepping of cipher rotors

8 Sigaba 7 Sigaba Wiring Diagram  Control and cipher rotors each permute 26 letters  Can be interchanged and inserted in reverse

9 Sigaba 8 Sigaba Wiring Diagram  Control rotors step like “scrambled odometer”  Index rotors set initially, but do not step  From 1 to 4 of cipher rotors step

10 Sigaba 9 Rotor Stepping  Index rotors do not step  Control rotors o Middle 3 step as: slow, fast, medium o Outside rotors don’t step  Cipher rotors o At least 1, at most 4 step each time o Stepping is somewhat complex…

11 Sigaba 10 Cipher Rotor Stepping  When a letter is typed  4 inputs to control rotors activated o These are: F,G,H,I o Then 4 (scrambled) letters output  Outputs of control rotors combined o Then fed into index rotors

12 Sigaba 11 Cipher Rotor Stepping  Outputs of control rotors combined o Result(s) go into index rotors o From 1 to 4 inputs to index rotors  Index rotor outputs combined in pairs o Active index rotor outputs determine which cipher rotors step

13 Sigaba 12 Cipher Rotor Stepping  F,G,H,I input to control rotors  Let I 0,I 1,…,I 9 be inputs to index rotors o I 0 is always inactive, and… I 1 = BI 2 = C I 3 = D  E I 4 = F  G  HI 5 = I  J  KI 6 = L  M  N  O I 7 = P  Q  R  S  TI 8 = U  V  W  X  Y  Z I 9 = A  Where “  ” is OR, and o A,B,C,…, Z are control rotor outputs

14 Sigaba 13 Cipher Rotor Stepping  Let O 0,O 1,…,O 9 be index rotor outputs  If C i == 1, cipher rotor i steps o Cipher rotors numbered left-to-right  Then the C i given by C 0 = O 0  O 9 C 1 = O 7  O 8 C 2 = O 5  O 6 C 3 = O 3  O 4 C 4 = O 1  O 2  Note that 1 to 4 of the O i are active  Implies that 1 to 4 of C i are active

15 Sigaba 14 Stepping Maze  A picture is worth 2 10 words ?

16 Sigaba 15 Theoretical Keyspace  If cipher/control rotors all set to “ A ”  And index rotors all set to “ 0 ” o Select 5 cipher rotors: (26!) 5 = 2 442 o Select 5 control rotors: (26!) 5 = 2 442 o Select 5 index rotors: (10!) 5 = 2 109  Keyspace is enormous: 993 bits!

17 Sigaba 16 WWII Sigaba Keyspace  10 cipher and control rotors o 2 orientations for each o Control rotors set to any initial position o Cipher rotors set to default positions (usually)  5 index rotor o Inserted in a fixed order o Each set to one of 10 initial positions  Apparently, gives 10!  2 10  26 5  10 5 = 2 71.9

18 Sigaba 17 WWII Actual Keyspace  Keyspace of 10!  2 10  26 5  10 5 = 2 71.9 ?  Control rotors settings sent in the clear! o Sent as part of the message indicator (MI) o An attacker could see this  So, actual keyspace: 10!  2 10  10 5 = 2 48.6 o On POTUS-PRIME link, 71.9 -bit keyspace used  Why give away so much of keyspace?

19 Sigaba 18 WWII Actual Keyspace  Why give away so much of keyspace?  Device is complex to configure  Larger keyspace means o More settings to initialize o More chance for error o Problem for time-sensitive info  One daily key o Then MI gives unique message key

20 Sigaba 19 WWII Theoretical Keyspace  Given components available in WWII  Appears that maximum keyspace was 10!  2 10  26 10  5!  10 5 = 2 102.3  But this is a little too high o Index rotors do not rotate o So only 10! different index perms o And 10! < 5!  10 5  So it looks like largest possible keyspace 10!  2 10  26 10  10! = 2 100.6

21 Sigaba 20 WWII Theoretical Keyspace  About 10!  2 10  26 10  10! = 2 100.6 ?  No, this is still too high!  Index rotor outputs are ORed in pairs o Used to determine cipher rotor stepping o As seen previously  Therefore, 32 equivalent index perms  Final answer: maximum WWII keyspace 10!  2 10  26 10  10!/32 = 2 95.6

22 Sigaba 21 Sigaba Attack  Assumptions o Full 95.6 bit WWII keyspace is used o Trudy has a Sigaba machine (so Trudy knows rotor permutations) o Trudy has some known plaintext o Goal: use as little known plaintext as possible  How efficiently can we attack Sigaba under these assumptions?

23 Sigaba 22 Sigaba Attack  Two phases to this (complex) attack  Primary phase o Find all cipher rotor settings that are consistent with known plaintext o Requires some amount of known plaintext  Secondary phase o Find control rotor settings, index perm o May require more known plaintext

24 Sigaba 23 Primary Phase  Select and initialize cipher rotors o Binomial(10,5)  5!  2 5  26 5 = 2 43.4 settings  For each of these 2 43.4 settings, how many cipher perms are possible at next step? o From 1 to 4 cipher rotors can step o 30 ways that 1 to 4 (out of 5) rotors can step  How can we use this information?

25 Sigaba 24 Primary Phase  Given a putative cipher rotor setting…  Check whether it matches known plaintext  If not, discard it  If a match, try all 30 steps and keep any that match with next known plaintext  Repeat until either o No matches (putative setting is discarded) o Used all known plaintext (save for secondary)

26 Sigaba 25 Primary Phase  Correct rotor setting is said to be causal o All incorrect settings are random  How many random matches do we expect?  First letter matches with probability 1/26  If it matches, then must try all 30 steps o Each matches with probability 1/26 o Binomial distribution with p = 1/26 and n = 30  Expected matches is 30/26 = 1.154  If first letter matches, then after n steps, we expect about (1.154) n surviving paths

27 Sigaba 26 Primary Phase  If first plaintext matches, about (1.154) n surviving paths after n steps  This looks bad…  We want to eliminate putative cipher rotor settings that are incorrect o The random settings  How to do this when we get more paths!

28 Sigaba 27 Primary Phase  Maybe not as bad as it seems…  We are only concerned with initial cipher rotor guess, not paths  In fact o Some paths merge o Expected distribution of paths differs in causal case and random cases

29 Sigaba 28 Primary Phase: Merging Paths  Suppose first 3 plaintext match o With initial settings AAAAA Consistent pathsMerged consistent paths  Can merge paths since only the rotor settings (not path) needed for next step

30 Sigaba 29 Primary Phase: Distributions  In causal and random cases, expected number of paths differs  Empirical results show that… RandomCausal  However, the variance is high

31 Sigaba 30 Primary Phase: Bottom Line  Test each of 2 43.4 cipher rotor settings  Only 1/26 match 1st plaintext letter  Many others eliminated due to merging  More eliminated by expected distribution o Note: this makes the attack probabilistic  Can reduce primary survivors to about 2 20

32 Sigaba 31 Secondary Phase  Discussion here applies to each primary phase survivor  Each primary survivor gives putative cipher rotors and settings  Obvious secondary test is to… o Try all control and index settings: 10!/32  5!  2 5  26 5 = 2 52.2 of these o Work of more than 2 52 per primary survivor  Can we do better?

33 Sigaba 32 Secondary Phase  Primary work is about 2 43 o With about 2 20 survivors  Obvious secondary has total work about 2 72 o Since 2 52 work for each of 2 20 survivors  Can we improve secondary phase?  Cipher rotor motion is not uniform o Recall that from 1 to 4 steps for each letter o Also, index permutation is fixed for a message

34 Sigaba 33 Stepping Maze  Model control permutations as random  Probabilities of the C i are not uniform

35 Sigaba 34 Example  Consider index perm 0123456789  5479381026 o C 4 connected to 10 control letters o C 2 connected to 1 control letter  C 4 will step much more frequently than C 2

36 Sigaba 35 Index Perm Inputs  Can use this table to determine input pairs o Count number of times each cipher rotor steps (using the known plaintext)

37 Sigaba 36 Improved Secondary  About 100 to 200 known plaintexts  Reduces number of index perms to… o …about 2 7  This reduces secondary work from o 10!/32  5!  2 5  26 5 = 2 52.2  To about o 2 7  5!  2 5  26 5 = 2 42.4  Note: this work is per primary survivor

38 Sigaba 37 Sigaba Attack: Bottom Line  WWII Sigaba had a readily available keyspace of 95.6 bits  Our attack has work factor of about 2 60 o Under reasonable assumptions  Sigaba as generally used in WWII had exhaustive key search work of 2 47.6

39 Sigaba 38 Bottom Bottom Line  Given limitations of WWII, our attack shows Sigaba has, at most, 60 bits of security  Although 95.6 bits of key available, only 47.6 generally used  However, on link between Roosevelt and Churchill ( POTUS-PRIME ), 71.9 bit key used  It would not make sense to have bigger key than work for reasonable shortcut attack

40 Sigaba 39 Bottom Bottom Bottom Line  Our attack is less work than exhaustive key search on POTUS-PRIME link  Conclusion?  Developers of Sigaba (Rowlett and Friedman) were unaware of the attack  Or they did not consider it practical

Download ppt "Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered."

Similar presentations

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”

Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Enigma? Several Images from Wikipedia (an online encyclopedia)

Enigma? Several Images from Wikipedia (an online encyclopedia)
Enigma Meghan Emilio Faculty Sponsor: Ralph Morelli (Computer Science)

Enigma Meghan Emilio Faculty Sponsor: Ralph Morelli (Computer Science)
Reconfigurable Computing - Verifying Circuits John Morris Chung-Ang University The University of Auckland ‘Iolanthe’ at 13 knots on Cockburn Sound, Western.

Reconfigurable Computing - Verifying Circuits John Morris Chung-Ang University The University of Auckland ‘Iolanthe’ at 13 knots on Cockburn Sound, Western.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.

PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.
11.Hash Tables Hsu, Lih-Hsing. Computer Theory Lab. Chapter 11P.2 11.1 Directed-address tables Direct addressing is a simple technique that works well.

11.Hash Tables Hsu, Lih-Hsing. Computer Theory Lab. Chapter 11P Directed-address tables Direct addressing is a simple technique that works well.
FEAL FEAL 1.

FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.

Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
Point and Confidence Interval Estimation of a Population Proportion, p

Point and Confidence Interval Estimation of a Population Proportion, p
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Purple 1 Purple Purple 2 Purple  Used by Japanese government o Diplomatic communications o Named for color of binder cryptanalysts used o Other Japanese.

Purple 1 Purple Purple 2 Purple  Used by Japanese government o Diplomatic communications o Named for color of binder cryptanalysts used o Other Japanese.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.

Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.
Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.

Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.
Chapter 2 Basic Encryption and Decryption (part B)

Chapter 2 Basic Encryption and Decryption (part B)
CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For.

CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For.
Enigma Meghan Emilio Advisor: Professor Ralph Morelli April 2004.

Enigma Meghan Emilio Advisor: Professor Ralph Morelli April 2004.

Similar presentations

Ads by Google