Classical Cryptography

1
Classical Cryptography
2
Outline

• 1 Introduction Some Simple Cryptosystems
• lt1gt The Shift Cipher
• lt2gt The Substitution Cipher
• lt3gt The Affine Cipher
• lt4gt The Vigenère Cipher
• lt5gt The Hill Cipher
• lt6gt The Permutation Cipher
• lt7gt Stream Ciphers
• 2 Cryptanalysis
• lt1gt Cryptanalysis of the Affine Cipher
• lt2gt Cryptanalysis of the Substitution Cipher
• lt3gt Cryptanalysis of the Vigenère Cipher
• lt4gt Cryptanalysis of the Hill Cipher
• lt5gt Cryptanalysis of the LFSR Stream Cipher

3
Classical Cryptography

• 1 Introduction

4
Classical Cryptography

• Definition 1.1 A cryptosystem is a five-tuple
  (P,C,K,E,D) satisfies
• P is a finite set of possible plaintexts
• C is a finite set of possible ciphertexts
• K, the keyspace, is a finite set of possible keys
• For each K?K, there is an encryption rule eK?E
  and a corresponding decryption rule dK?D
• dK(eK(x))x for every plaintext x?P

5
Classical Cryptography

• Definition 1.2 a and b are integers,
• m is a positive integer
• congruence ab (mod m) if m divides b-a
• Zm the set 0,1,,m-1
• with 2 operations and ?
• 10204 in Z26 (1020 mod 264)
• 10?2018 in Z26 (10?20 mod 2618)

6
Classical Cryptography

• lt1gt Shift Cipher
• Cryptosystem 1.1 Shift Cipher
• P C K Z26
• K, x, y ?Z26
• eK(x)(xK) mod 26
• dK(y)(y-K) mod 26

7
Classical Cryptography

• eg. Suppose K11
• Plaintext student
• Ciphertext DEFOPZE

8
Classical Cryptography

• lt2gt Substitution Cipher
• Cryptosystem 1.2 Substitution Cipher
• PCZ26
• K all possible permutations of the 26 symbols
• For each p?K
• ep(x)p(x)
• dp(y)p-1(y)
• where p-1 is the inverse permutation to p

9
Classical Cryptography

• eg.
• Plaintext student
• Ciphertext VMUSHSM

10
Classical Cryptography

• lt3gt Affine Cipher
• Theorem 1.1 axb (mod m) has a unique solution
  x?Zm for every b?Zm iff gcd(a,m)1
• Definition 1.3 Suppose a1 and m2 are integers
• a and m are relatively prime if gcd(a,m)1
• f(m) the number of integers in Zm that are
  relatively prime to m
• Theorem 1.2 Suppose

11
Classical Cryptography

• Definition 1.4 Suppose a?Zm
• a-1 mod m
• the multiplicative inverse of a modulo m
• aa-1a-1a1 (mod m)
• Cryptosystem 1.3 Affine Cipher
• P C Z26
• K(a,b) ?Z26?Z26 gcd(a,26)1
• For K(a,b)?K x, y?Z26
• eK(x)(axb) mod 26
• dK(y)a-1(y-b) mod 26

12
Classical Cryptography

• e.g. Suppose K(7,3)
• 7-1 mod 26 15
• Plaintext student
• Ciphertext ZGNYFQG

eK(x)(7x3) mod 26
dK(y)15(y-3) mod 26
13
Classical Cryptography

• lt4gt Vigenère Cipher
• Cryptosystem 1.4 Vigenère Cipher
• m a positive integer
• P C K (Z26)m
• For a key K(k1,k2,,km)
• eK(x1,x2,,xm)(x1k1,x2k2,,xmkm)
• dK(y1,y2,,ym)(y1-k1,y2-k2,,ym-km)

14
Classical Cryptography

• e.g. Suppose m4 and K(2,8,15,7)
• Plaintext student
• Ciphertext UBJKGVI

15
Classical Cryptography

• lt5gt Hill Cipher
• Definition 1.5 Suppose A(ai,j) is an m?m matrix
• Ai,j the matrix obtained from A by deleting the
  ith row and the jth column
• det A the determinant of A
• m1 det Aa1,1
• mgt1 for any fixed i
• A(ai,j) the adjoint matrix of A
• ai,j(-1)ijdet Aj,i

16
Classical Cryptography

• Theorem 1.3 Suppose K(ki,j) is an m?m
  invertible matrix over Zn
• K-1(det K)-1K
• e.g.
• det K11?7-8?3
  mod 261
• K-1(det K)-1K

17
Classical Cryptography

• Cryptosystem 1.5 Hill Cipher
• M 2 is an integer
• P C (Z26)m
• K m?m invertible matrices over Z26
• For a key K
• eK(x)xK
• dK(y)yK-1
• where K-1 is the inverse of K

18
Classical Cryptography

• e.g.
• Plaintext GOD (6 14 3)
• Ciphertext WTJ (22 19 9)

19
Classical Cryptography

• lt6gt Permutation Cipher
• Cryptosystem 1.6 Permutation Cipher
• m is a positive integer
• P C (Z26)m
• K consist of all permutations of 1,,m
• For a key(a permutation) p
• ep(x1,,xm)(xp(1),,xp(m))
• where p-1 is the inverse permutation to p

20
Classical Cryptography

• e.g. Suppose m6
• Plaintext CYBERFORMULA
• Ciphertext BRCFEYMLOAUR

21
Classical Cryptography

• lt7gt Stream Ciphers
• Definition 1.6 A synchronous stream cipher is a
  tuple (P,C,K,L,E,D) with a function g
• P a finite set of possible plaintexts
• C a finite set of possible ciphertexts
• K a finite set of possible keys
• L a finite set called the keystream alphabet
• g the keystream generator
• Input K
• g generates an infinite string z1z2

22
Classical Cryptography

• Definition 1.6 (cont.)
• For each z?L, there is an encryption rule ez?E
  and a corresponding decryption rule dZ?D
• dz(ez(x))x for every plaintext x?P

23
Classical Cryptography

• Vigenère Cipher can be defined as a synchronous
  stream cipher
• K (Z26)m
• P C L Z26
• ez(x)(xz) mod 26
• dz(y)(y-z) mod 26

24
Classical Cryptography

• Keystream can be produced efficiently in hardware
  using a LFSR (Linear Feedback Shift Register)
• k1 would be tapped as the next keystream bit
• k2,km would each be shifted 1 stage to the left
• The new value of km would be
• this is linear feedback (see Figure 1.2)
• This system is mudulo 2

25
Classical Cryptography

• e.g. in Figure 1.2,suppose K(1,0,0,0)
• c01, c11, c20, c30
• The keystream is
• 100010011010111

Figure 1.2
26
Classical Cryptography

• Non-synchronous stream cipher
• Each keystream element zi depends on previous
  plaintext or ciphertext elements
• Cryptosystem 1.7 Autokey Cipher
• P C K L Z26
• z1K, zixi-1 for all igt1
• For x, y, z ?Z26
• ez(x)(xz) mod 26
• dz(y)(y-z) mod 26

27
Classical Cryptography

• e.g. Suppose K8
• Plaintext student
• Ciphertext ALNXHRG

28
Classical Cryptography

• 2 Cryptanalysis
• Assumption(Kerckhoffs principle)
• The opponent knows the cryptosystem being used
• Attack models
• ciphertext only attack
• known plaintext attack
• chosen plaintext attack
• chosen ciphertext attack

29
Classical Cryptography

• Statistical properties of the English language
  (see Table 1.1)
• E probability about 0.120
• T, A, O, I, N, S, H, R between 0.06 and 0.09
• D, L 0.04
• C, U, M, W, F, G, Y, P, B between 0.015 and
  0.028
• V, K, J, X, Q, Z 0.01
• Most common digrams
• TH, HE, IN, ER, AN, ND,
• Most common trigrams
• THE, ING, AND, END,

30
Classical Cryptography
Table 1.1
31
Classical Cryptography

• lt1gt Cryptanalysis of the Affine Cipher
• Ciphertext obtained form an Affine Cipher
• FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYE
  VLRHHRH
• Frequency analysis Table 1.2
• Most frequent ciphertext characters
• R 8 occurrences
• D 7 occurrences
• E,H,K 5 occurrences
• We now guess the mapping and solve the equation
  eK(x)axb mod 26

32
Classical Cryptography
Table 1.2
33
Classical Cryptography

• Guess e?R,t?D
• eK(4)17, eK(19)3
• a6, b19
• ILLEGAL (gcd(a,26)gt1)
• Guess e?R,t?E
• eK(4)17, eK(19)4
• a13, b17
• ILLEGAL (gcd(a,26)gt1)
• Guess e?R,t?H
• eK(4)17, eK(19)7
• a8, b11
• ILLEGAL (gcd(a,26)gt1)

34
Classical Cryptography

• Guess e?R,t?K
• eK(4)17, eK(19)10
• a3, b5
• LEGAL
• dK(y)9y-19
• Plaintext
• algorithmsarequitegeneraldefinitionsofarithmeticpr
  ocesses

35
Classical Cryptography

• lt2gt Crytanalysis of the Substitution Cipher
• Ciphertext obtained from a Substitution Cipher
• YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJNDIFEFMD
  ZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZNZUCDRJXYYSMRTME
  YIFZWDYVZVYFZUMRZCRWNZDZJJXZWGCHSMRNMDHNCMFQCHZJMX
  JZWIEJYUCFWDJNZDIR
• Frequency analysis Table 1.3
• Z occurs most guess dK(Z)e
• occur at least 10 times C,D,F,J,M,R,Y
• These are encryptions of t,a,o,i,n,s,h,r
• But the frequencies do not vary enough to guess

36
Classical Cryptography
Table 1.3
37
Classical Cryptography

• We now look at digrams -Z or Z-
• 4 times DZ,ZW
• Guess dK(W)d ed?ZW
• 3 times NZ,ZU
• Guess dk(N)h he?NZ
• We have ZRW guess dk(R)n, end?ZRW
• We have CRW guess dk(C)a, and?CRW
• We have RNM, which decrypts to nh-
• Suggest h- begins a word M should be a vowel
• We have CM guess dK(M)i
• (ai is more likely than ao)

38
(No Transcript)
39
Classical Cryptography

• We have DZ(4 times) and ZD(2 times)
• Guess dK(D)?r,s,t
• Since o is a common letter
• Guess eK(o)?F,J,Y
• We have CFM and CJM guess dK(Y)o
• (aoi is impossible)
• Guess NMD?his dK(D)s
• Guess HNCMF?chair dK(H)c, dK(F)r
• dK(J)t the?JNZ

40
(No Transcript)
41
Classical Cryptography

• Now easy to determine the others

42
(No Transcript)
43
Classical Cryptography

• lt3gt Cryptanalysis of the Vigenère Cipher
• Kasaski test (1863) (Find m only)
• Search the ciphertext for pairs of identical
  segments (length at least 3)
• Record the distance between the starting
  positions of the 2 segments
• If we obtain several such distances d1,d2,, we
  would conjecture that the key length m divides
  all of the dis
• m divides the gcd of the dis

44
Classical Cryptography

• Friedman test (1925)
• Definition 1.7
• Suppose xx1x2xn is a string of n alphabetic
  characters
• Index of coincidence of x, denoted IC(x) the
  probability that 2 random elements of X are
  identical
• We denote the frequencies of A,B,..,Z in x by
  f0,f1,,f25

45
Classical Cryptography

• Using the expected probabilities in Table 1.1
• p0,,p25 the expected probability of A,,Z
• Suppose a ciphertext Yy1y2yn
• Define m substrings of Y1,,Ym of Y
• Each value IC(Yi) should be roughly equal to 0.065

46
Classical Cryptography

• If m is not the keyword length
• Yi will look much more random
• A completely random string will have

47
Classical Cryptography

• Ciphertext obtained from a Vigenere Cipher
• CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBWRVXUOAKX
  AOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAKLXFPSKAUTEMNDCMG
  TSXMXBTUIADNGMGPSRELXNJELXVRVPRTULHDNQWTWDTYGBPHXT
  FALJHASVBFXNGLLCHRZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPH
  AGNRBIEQJTAMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEB
  BIPEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHPWQAIIW
  XNRMGWOIIFKEE
• CHR occurs in 5 places 1,166,236,276,286
• The distances from the 1st one 165,235,275,285
• g.c.d. is 5 we guess m5 (by Kasaski test)

48
Classical Cryptography

• We check the indices of coincidences
• m1 IC(Y)0.045
• m2 IC(Y1)0.046, IC(Y2)0.041
• m3 IC0.043, 0.050, 0.047
• m4 IC0.042, 0.039, 0.046, 0.040
• m5 IC0.063, 0.068, 0.069, 0.061, 0.072
• By Friedman test, m5

49
Classical Cryptography

• Now we want to determine the key K(k1,k2,,km)
• f0,f1,f25 the frequencies of A,B,,Z
• nn/m the length of the string Yi
• The probability distribution of the 26 letters in
  Yi
• Yi is obtained by shift encryption using a shift
  ki
• We hope that the shifted probability distribution
  would be close to p0,,p25

50
Classical Cryptography

• Define the quantity Mg
• for 0 g 25
• If gki ,
• If g?ki , Mg will smaller than 0.065
• Return to the previous example
• Computes the values Mg, for 1i5 (Table 1.4)
• For each i, look for a value of Mg close to 0.065
• From Table 1.4 K(9,0,13,4,19)
• The keyword is JANET

51
Table 1.4
52
Classical Cryptography

• lt4gt Cryptanalysis of the Hill Cipher
• Hill Cipher is difficult to break with a
  ciphertext-only attack
• We use a known plaintext attack
• Suppose the unknown key is an m?m matrix and we
  have at least m distinct plaintext-ciphertext
  pairs
• xj(x1,j,x2,j,,xm,j)
• yj(y1,j,y2,j,,ym,j)
• yjeK(xj), for 1jm

53
Classical Cryptography

• We define 2 m?m matrices X(xi,j) and Y(yi,j)
• YXK
• KX-1Y
• e.g. m2, plaintext friday, ciphertext PQCFKU
• eK(5,17)(15,16)
• eK(8,3)(2,5)
• eK(0,24)(10,20)

54
Classical Cryptography

• e.g. (cont.)

55
Classical Cryptography

• lt5gt Cryptanalysis of the LFSR Stream Cipher
• Recall this system is mudulo 2
• yi(xizi) mod 2
• (z1,,zm)(k1,km)
• i1, c0,,cm-1?Z2

56
Classical Cryptography

• We use a known-plaintext attack here
• If plaintext length 2m
• We can solve the system of m linear equations

57
Classical Cryptography

• e.g. suppose the system uses a 5-stage LFSR
• Plaintext 101101011110010
• Ciphertext 011001111111000
• Keystream bits 110100100001010

58
Classical Cryptography

• e.g. (cont.)
• zi5(zizi3) mod 2