7/29/2019 1_ClassicCrypto
1/57
Classic Crypto 1
Classic Crypto
7/29/2019 1_ClassicCrypto
2/57
Classic Crypto 2
Overview
We briefly consider the following classic(pen and paper) cipherso Transposition ciphers
o Substitution cipherso One-time pado Codebook
These were all chosen for a reasono We see same principles in modern ciphers
7/29/2019 1_ClassicCrypto
3/57
Classic Crypto 3
Transposition Ciphers
In transposition ciphers, we transpose(scramble) the plaintext letterso The scrambled text is the ciphertext
o The transposition is the key
Corresponds to Shannons principle ofdiffusion (more about this later)
o This idea is widely used in modern ciphers
7/29/2019 1_ClassicCrypto
4/57
Classic Crypto 4
Scytale
Spartans, circa 500 BC Wind strip of leather around a rod Write message across the rod
T H E T I M E H AS C O M E T H E W
A L R U S S A I DT O T A L K O F M
A N Y T H I N G S When unwrapped, letters are scrambled
TSATAHCLONEORTYTMUATIESLHMTS
7/29/2019 1_ClassicCrypto
5/57
Classic Crypto 5
Scytale
Suppose Alice and Bob use Scytale to encrypta messageo What is the key?
o How hard is it for Trudy to break without key? Suppose many different rod diameters are
available to Alice and Bobo How hard is it for Trudy to break a message?
o Can Trudy attack messages automaticallywithoutmanually examining each putative decrypt?
7/29/2019 1_ClassicCrypto
6/57
Classic Crypto 6
Columnar Transposition Put plaintext into rows of matrix then read
ciphertext out of columns For example, suppose matrix is 3 x 4
o Plaintext: SEETHELIGHT
o Ciphertext: SHGEEHELTTIX
Same effect as Scytaleo What is the key?
7/29/2019 1_ClassicCrypto
7/57
Classic Crypto 7
Keyword Columnar Transposition For example
o Plaintext: CRYPTOISFUNo Matrix 3 x 4 and keyword MATH
o Ciphertext: ROUPSXCTFYIN
What is the key? How many keys are there?
7/29/2019 1_ClassicCrypto
8/57
Classic Crypto 8
Keyword Columnar Transposition
How can Trudy cryptanalyze this cipher? Consider the ciphertext
VOESA IVENE MRTNL EANGE WTNIM HTMLL ADLTR NISHODWOEH
Matrix is n x m for some n and m Since 45 letters, nm = 45
How many cases to try? How will Trudy know when she is correct?
7/29/2019 1_ClassicCrypto
9/57
Classic Crypto 9
Keyword Columnar Transposition
The ciphertext isVOESA IVENE MRTNL EANGE WTNIM HTMLL ADLTR NISHO
DWOEH
If encryption matrix was 9 x 5, then
7/29/2019 1_ClassicCrypto
10/57
Classic Crypto 10
Cryptanalysis: Lesson I
Exhaustive key searcho Always an option for Trudy
If keyspace is too large, such an attack willnot succeed in a reasonable timeo Or it will have a low probability of success
A large keyspace is necessary for security
But, large keyspace is not sufficient
7/29/2019 1_ClassicCrypto
11/57
Classic Crypto 11
Double Transposition
Plaintext:ATTACK AT DAWN
Permute rowsand columns
Ciphertext: XTAWXNATTXADAKCKey?
o 5 x 3 matrix, perms (2,4,0,3,1) and (0,2,1)
columns 0 1 2row 0 A T Trow 1 A C K
row 2 X A Trow 3 X D Arow 4 W N X
columns 0 2 1row 2 X T Arow 4 W X N
row 0 A T Trow 3 X A Drow 1 A K C
7/29/2019 1_ClassicCrypto
12/57
Classic Crypto 12
Double Transposition
How can Trudy attack double transposition? Spse Trudy sees 45-letter ciphertext Then how many keys?
o Size of matrix: 3 x 15, 15 x 3, 5 x 9, or 9 x 5o A lot of possible permutations!
5! 9! 225 and 3! 15! 242
Size of keyspace is greater than 243
Is there a shortcut attack?
7/29/2019 1_ClassicCrypto
13/57
Classic Crypto 13
Double Transposition
Shortcut attack on double transposition? Suppose ciphertext is
ILILWEAHREOMEESANNDDVEGMIERWEHVEMTOSTTAONNTNH
Suppose Trudy guesses matrix is9 x 5
Then Trudy has:
Now what? Try all perms?
5! 9! 225
Is there a better way?
column 0 1 2 3 4
row 0 I L I L W
row 1 E A H R E
row 2 O M E E S
row 3 A N N D Drow 4 V E G M I
row 5 E R W E H
row 6 V E M T O
row 7 S T T A O
row 8 N N T N H
7/29/2019 1_ClassicCrypto
14/57
Classic Crypto 14
Double Transposition
Shortcut attack on double transposition? Trudy tries columns first strategy
Now what?
Permutecolumns
column 0 1 2 3 4
row 0 I L I L W
row 1 E A H R Erow 2 O M E E S
row 3 A N N D D
row 4 V E G M I
row 5 E R W E H
row 6 V E M T Orow 7 S T T A O
row 8 N N T N H
column 2 4 0 1 3
row 0 I W I L L
row 1 H E E A Rrow 2 E S O M E
row 3 N D A N D
row 4 G I V E M
row 5 W H E R E
row 6 M O V E Trow 7 T O S T A
row 8 T H N N N
7/29/2019 1_ClassicCrypto
15/57
Classic Crypto 15
Cryptanalysis: Lesson II
Divide and conquero Trudy attacks part of the keyspaceo A great shortcut attack strategy
Requires careful analysis of algorithm We will see this again and again in the
attacks discussed later
Of course, cryptographers try to preventdivide and conquer attacks
7/29/2019 1_ClassicCrypto
16/57
Classic Crypto 16
Substitution Ciphers
In substitution ciphers, we replace theplaintext letters with other letterso The resulting text is the ciphertext
o The substitution rule is the key
Corresponds to Shannons principle ofconfusion (more on this later)
o This idea is used in modern ciphers
7/29/2019 1_ClassicCrypto
17/57
Classic Crypto 17
Ceasars Cipher
Plaintext:FOURSCOREANDSEVENYEARSAGO
Key:a b c d e f g h i j k l m n o p q r s t u v w x y
D E F G H I J K L M N O P Q R S T U V W X Y Z A B
z
C
Ciphertext:IRXUVFRUHDAGVHYHABHDUVDIR
More succinctly, key is shift by 3
Plaintext
Ciphertext
7/29/2019 1_ClassicCrypto
18/57
Classic Crypto 18
Ceasars Cipher
Then plaintext isSPONGEBOBSQUAREPANTS
a b c d e f g h i j k l m n o p q r s t u v w x y
D E F G H I J K L M N O P Q R S T U V W X Y Z A B
z
CPlaintext
Ciphertext
Trudy loves the Ceasars cipherSuppose ciphertext is
VSRQJHEREVTXDUHSDQWV
7/29/2019 1_ClassicCrypto
19/57
Classic Crypto 19
Simple Substitution
Caesars cipher is trivial if we adhereto Kerckhoffs Principle
We want a substitution cipher withlots of keys
What to do?
Generalization of Caesars cipher
7/29/2019 1_ClassicCrypto
20/57
Classic Crypto 20
Simple Substitution
Key is some permutation of lettersNeed not be a shift
For example
a b c d e f g h i j k l m n o p q r s t u v w x y
J I C A X S E Y V D K W B Q T Z R H F M P N U L G
z
OPlaintext
Ciphertext
Then 26! 288 possible keysThats lots of keys!
7/29/2019 1_ClassicCrypto
21/57
Classic Crypto 21
Cryptanalysis of Simple
Substitution Trudy know a simple substitution is used Can she find the key given ciphertext:PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWI
PBVWLXTOXBTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODX
QHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPTOFFA
7/29/2019 1_ClassicCrypto
22/57
7/29/2019 1_ClassicCrypto
23/57
Classic Crypto 23
Cryptanalysis of SimpleSubstitution
Ciphertext:PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXT
OXBTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFB
QUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKF
ABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPTOFFA
A B C D E F G H I J K L M N O P Q R S T U V W X Y21 26 6 10 12 51 10 25 10 9 3 10 0 1 15 28 42 0 0 27 4 24 22 28 6
Z
8
Ciphertext frequency counts:
7/29/2019 1_ClassicCrypto
24/57
Classic Crypto24
Cryptanalysis: Lesson III
Statistical analysiso Statistics might reveal info about key
Ciphertext should appear randomBut randomness is not easy
o Difficult to define random (entropy)
Cryptographers work hard to preventstatistical attacks
7/29/2019 1_ClassicCrypto
25/57
7/29/2019 1_ClassicCrypto
26/57
7/29/2019 1_ClassicCrypto
27/57
Classic Crypto27
Affine Cipher
Encryption: ci = api + b (mod 26)Decryption: pi = a
1(ci b) (mod 26)
Keyspace size?o Keyspace size is 26(26) = 312o Too small to be practical
7/29/2019 1_ClassicCrypto
28/57
Classic Crypto28
Vigenere Cipher Key is of the form K = (k0,k1,,kn-1)
o Where each ki{0,1,2,,25}
Encryption
ci = pi + ki (mod n) (mod 26) Decryption
pi = ci ki (mod n) (mod 26) Nothing tricky here! Just a repeating sequence of (shift by n)
simple substitutions
7/29/2019 1_ClassicCrypto
29/57
7/29/2019 1_ClassicCrypto
30/57
Classic Crypto30
Vigenere Cipher
Vigenere is just a series of k simplesubstitution ciphers
Should be able to do k simplesubstitution attackso Provided enough ciphertext
But how to determine k (key length)? Index of coincidence
7/29/2019 1_ClassicCrypto
31/57
Classic Crypto31
Index of Coincidence
Assume ciphertext is English letters Let n0 be number ofAs, n1 number of
Bs, , n25 number of Zs in ciphertext
Let n = n0 + n1+ + n25Define index of coincidence
What does this measure?
7/29/2019 1_ClassicCrypto
32/57
Classic Crypto32
Index of Coincidence Gives the probability that 2 randomly
selected letters are the same For plain English, prob. 2 letter are same:
o p02 + p1
2+ + p252 0.065, where pi is
probability of ith letter
Then for simple substitution, I 0.065 For random letters, each pi = 1/26
o Then p02 + p1
2+ + p252 0.03846
Then I 0.03846 for poly-alphabeticsubstitution with a very long keyword
7/29/2019 1_ClassicCrypto
33/57
Classic Crypto33
Index of Coincidence How to use this to estimate length of
keyword in Vigenere cipher? Suppose keyword is length k, message is
length no Ciphertext in matrix with k columns, n/k rows Select 2 letters from same columns
o Like selecting from simple substitution
Select 2 letters from different columnso Like selecting random letters
7/29/2019 1_ClassicCrypto
34/57
Classic Crypto34
Index of Coincidence Suppose k columns and n/k rows Approximate number of matching pairs from
same column, but 2 different rows:
Approximate number of matching pairs from2 different columns, and any two rows:
7/29/2019 1_ClassicCrypto
35/57
Classic Crypto35
Index of Coincidence
Approximate index of coincidence by:
Solve for k to find:
Use n and I (known from ciphertext) toapproximate length of Vigenere keyword
7/29/2019 1_ClassicCrypto
36/57
Classic Crypto36
Index of Coincidence:
Bottom LineA crypto breakthrough when invented
o By William F. Friedman in 1920s
Useful against classical and WWII-era ciphers Incidence of coincidence is a well-
known statistical testo Many other statistical tests exists
7/29/2019 1_ClassicCrypto
37/57
Classic Crypto37
Hill Cipher
Hill cipher is not related to small mountains
Invented by Lester Hill in 1929o A pre-modern block cipher
Idea is to create a substitution cipher with alarge alphabet
All else being equal (which it never is) cipher
should be stronger than simple substitution
7/29/2019 1_ClassicCrypto
38/57
Classic Crypto38
Hill Cipher
Plaintext, p0, p1, p2, Each pi is block of n consecutive letters
o As a column vector
LetA be n x n invertible matrix, mod 26 Then ciphertext block ci is given by
o ci = Api (mod 26)
o Decryption: pi= A1c
i(mod 26)
The matrixA is the key
7/29/2019 1_ClassicCrypto
39/57
Classic Crypto39
Hill Cipher Example Let n = 2 and Plaintext
MEETMEHERE = (12,4,4,19,12,4,7,4,17,4)
Then
And
Ciphertext:(4,22,23,9,4,22,24,19,10,25) = EWXJEWYTKZ
7/29/2019 1_ClassicCrypto
40/57
7/29/2019 1_ClassicCrypto
41/57
7/29/2019 1_ClassicCrypto
42/57
Classic Crypto42
One-time Pad
A provably secure cipherNo other cipher we discuss is
provably secureWhy not use one-time pad for
everything?o Impractical for most applications
o But it does have its uses
7/29/2019 1_ClassicCrypto
43/57
7/29/2019 1_ClassicCrypto
44/57
Classic Crypto44
One-time Pad Decryptione=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
s r l h s s t h s r
110 101 100 001 110 110 111 001 110 101
111 101 110 101 111 100 000 101 110 000
001 000 010 100 001 010 111 100 000 101
h e i l h i t l e r
Decryption: Ciphertext Key = Plaintext
Ciphertext:
Key:
Plaintext:
7/29/2019 1_ClassicCrypto
45/57
Classic Crypto45
One-time Pad
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
s r l h s s t h s r
110 101 100 001 110 110 111 001 110 101101 111 000 101 111 100 000 101 110 000
011 010 100 100 001 010 111 100 000 101
k i l l h i t l e r
Ciphertext:key:
Plaintext:
Double agent claims sender used key:
7/29/2019 1_ClassicCrypto
46/57
7/29/2019 1_ClassicCrypto
47/57
7/29/2019 1_ClassicCrypto
48/57
Classic Crypto48
Real-world One-time Pad
Project VENONAo Soviet spy messages from U.S. in 1940so Nuclear espionage, etc.
o Thousands of messaged Spy carried one-time pad into U.S. Spy used pad to encrypt secret messages Repeats within the one-time pads made
cryptanalysis possible
VENONA D c pt (1944)
http://www.nsa.gov/venona/index.cfmhttp://www.nsa.gov/venona/index.cfm7/29/2019 1_ClassicCrypto
49/57
Classic Crypto 49
VENONA Decrypt (1944)[C% Ruth] learned that her husband [v] was called up by the army buthe was not sent to the front. He is a mechanical engineer and is now
working at the ENORMOUS [ENORMOZ] [vi] plant in SANTA FE, NewMexico. [45 groups unrecoverable]
detain VOLOK [vii] who is working in a plant on ENORMOUS. He is aFELLOWCOUNTRYMAN [ZEMLYaK] [viii]. Yesterday he learned thatthey had dismissed him from his work. His active work in progressiveorganizations in the past was cause of his dismissal. In theFELLOWCOUNTRYMAN line LIBERAL is in touch with CHESTER [ix].
They meet once a month for the payment of dues. CHESTER isinterested in whether we are satisfied with the collaboration andwhether there are not any misunderstandings. He does not inquireabout specific items of work [KONKRETNAYa RABOTA]. In as muchas CHESTER knows about the role of LIBERAL's group we begconsent to ask C. through LIBERAL about leads from among peoplewho are working on ENOURMOUS and in other technical fields.
Ruth == Ruth Greenglass Liberal == Julius Rosenberg Enormous == the atomic bomb
7/29/2019 1_ClassicCrypto
50/57
Classic Crypto 50
Codebook Cipher
Literally, a book filled with codeso More precisely, 2 codebooks, 1 for
encryption and 1 for decryption
Key is the codebook itselfSecurity of cipher requires physical
security for codebook
Codebooks widely used thru WWII
7/29/2019 1_ClassicCrypto
51/57
Classic Crypto 51
Codebook Cipher
Literally, a book filled with codewords Zimmerman Telegram encrypted via codebook
Februar 13605fest 13732finanzielle 13850folgender 13918Frieden 17142Friedenschluss 17149
: :
Modern block ciphers are codebooks! More on this later
http://library.thinkquest.org/28005/flashed/timemachine/courseofhistory/zimmerman.shtml?tqskip1=1&tqtime=1029http://library.thinkquest.org/28005/flashed/timemachine/courseofhistory/zimmerman.shtml?tqskip1=1&tqtime=1029http://library.thinkquest.org/28005/flashed/timemachine/courseofhistory/zimmerman.shtml?tqskip1=1&tqtime=1029http://library.thinkquest.org/28005/flashed/timemachine/courseofhistory/zimmerman.shtml?tqskip1=1&tqtime=10297/29/2019 1_ClassicCrypto
52/57
7/29/2019 1_ClassicCrypto
53/57
Classic Crypto 53
ZimmermanTelegramDecrypted
British had
recoveredpartialcodebook
Able to fill in
missing parts
7/29/2019 1_ClassicCrypto
54/57
7/29/2019 1_ClassicCrypto
55/57
Classic Crypto 55
Codebook Additive
Codebook additive is another bookfilled with random number
Sequence of additive numbers added tocodeword to yield ciphertext
plaintext codeword ciphertext
lookup in
codebook
add the
additive
7/29/2019 1_ClassicCrypto
56/57
7/29/2019 1_ClassicCrypto
57/57
Cl ssi C pt 57
Cryptanalysis: Summary
Exhaustive key searchDivide and conquerStatistical analysis
Exploit linearityOr any combination thereof (or anything
else you can think of)
Alls fair in love and waro and cryptanalysis!