CSCI283/172 Fall 2008 GWU
Classical Ciphers
- Terminology
- Monoalphabetic ciphers (Shift, Affine)
- Permutation Cipher; Vigenere
- Substitution Cipher and one-time pad
04/22/23 CS283-172/Fall08/GWU/Vora Classical Ciphers
Some terminology
A sender encrypts a plaintext message to get ciphertext, which is sent to the receiver, who decrypts it to obtain the plaintext.
$e(P) = C$
$d(C) = P$
$d(e(P)) = P$; $de = I$ $\Rightarrow$ $e$ one-to-one
For the application of secret communication between two parties, it should not be possible for an eavesdropper to decrypt the message, i.e., d should be easy for the (legitimate) receiver, not for anyone else.
From Schneier
Some terminology - contd.
• Cipher: the cryptographic algorithm/mathematical function used to encrypt
• A restricted cipher is one whose security depends on keeping the algorithm secret.
Inadequate, because doing so does not provide a systematic way of simulated attack/vulnerability analysis by external experts, which typically improves security.
From Schneier:
Some terminology - contd.
• A key is used as a parameter in some ciphers. The security of ciphers that use keys is based on keeping the key(s), and not the cipher, secret.
$e_{K_1}(P) = C$; $d_{K_2}(C) = P$
• Keyspace: set of all possible keys.
• Cryptosystem: algorithm + all ciphertexts + all plaintexts + all keys
From Schneier:
Formal definition: cryptosystem
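A cryptosystem consists of:
• $\mathcal{P}$: set of all plaintext
• $\mathcal{C}$: set of all ciphertext
• $\mathcal{K}$: set of all keys
• $\mathcal{E}$: set of encryption rules, $e_K: \mathcal{P} \to \mathcal{C}$
• $\mathcal{D}$: set of decryption rules, $d_K: \mathcal{C} \to \mathcal{P}$
$d_K(e_K(x)) = x$
$d_K$, $e_K$ invertible and inverses of each other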
From Stinson
Typical Scenario
• Alice and Bob randomly choose a key $K \in \mathcal{K}$ when they are unobserved or communicating on a secure channel
• If Alice wants to send Bob a message $x_1 x_2 x_3 x_4 \ldots x_n$,
she sends $y_1 y_2 y_3 y_4 \ldots y_n$,
where $y_i = e_K(x_i)$
and $x_i$ is a symbol from the alphabet
Shift cipher on English alphabet
Classical Substitution Cipher
A B C D E F G H I J K  L  M  N
0 1 2 3 4 5 6 7 8 9 10 11 12 13
O  P  Q  R  S  T  U  V  W  X  Y  Z
14 15 16 17 18 19 20 21 22 23 24 25
Key = k (add 10, so A goes to 10, i.e. k)
ABCDEFGHIJKLMNOPQRSTUVWXYZ
klmnopqrstuvwxyzabcdefghij
Encryption example
Some more definitions
• Substitution cipher: A letter in the plaintext is substituted with another letter from the same alphabet
• Transposition Cipher: Plaintext positions are changed, but letters are not.
Some terminology - Cryptanalysis
• Cryptanalysis is a (usually vulnerability) analysis of a cipher.
• Loss of key through means other than cryptanalysis (storage of key in an insecure fashion, for example) is a compromise.
• An attempt at cryptanalysis is an attack.
Kerckhoffs's assumption is that security resides entirely in the key, i.e. the cipher is not restricted in any way.
This assumption is useful for external/open vulnerability analysis of different ciphers and for determining their security.
From Schneier
Cryptanalysis - types of attacks
• Known-plaintext: m and c known
When a known message/expected message is encrypted, as in file headers in known file-types (jpeg, tiff)
• Chosen-plaintext: m chosen by attacker
Attacker manages to make naïve encrypter encrypt a chosen message
• Adaptive-chosen-plaintext: m chosen by attacker as attack proceeds
• Chosen-key: k chosen
From Schneier
Cryptanalysis - types of attacks – contd.
• Ciphertext-only: c known
Any eavesdropping/wire tapping/message interception
• Chosen-ciphertext: c chosen by attacker (as when the attacker has access to the decryption, for example DVD players for watermarking, or decrypting of a message encrypted with a public key)
• Rubber-hose (Physical threat to key-holder)
From Schneier
Caesar cipher; key = 3 or D
ABCDEFGHIJKLMNOPQRSTUVWXYZ
defghijklmnopqrstuvwxyzabc
E(A) = d; Key = 3 (or Key = d)
$E(M) = M + 3 \bmod 26$
$D(c) = c - 3 \bmod 26$
$E_{Key}(\text{symbol}) = \text{symbol} + \text{Key} \bmod \text{alphabet size}$
$D_{Key}(\text{symbol}) = \text{symbol} - \text{Key} \bmod \text{alphabet size}$
Shift cipher - cryptanalysis
Decrypt (encrypted with a shift cipher): Beeakfydjxuqyhyjiqryhtyjiqfbqduyjiikfuhcqd
• Deciphering exactly one symbol in the ciphertext is enough to break the cipher. Serious weakness.
• Can decipher by targeting specific statistical properties of the language of the message – for example, single-lettered words in English can only be “a” or “I”
• Can decipher easily by brute-force, need to try only 26 keys.
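An added example (not part of the original slides) that runs the brute-force attack on the exercise ciphertext above: it tries all 26 keys and ranks the candidates with the English per-1000 letter frequencies from the frequency slide later in this deck. The function names are illustrative, and `key_from_known_pair` shows why a single deciphered symbol gives away the key.

```python
# English letter frequencies per 1000 letters, copied from the frequency
# slide later in this deck (attributed there to Stinson).
ENGLISH_PER_1000 = {
    "E": 127, "T": 91, "A": 82, "O": 75, "I": 70, "N": 67, "S": 63,
    "H": 61, "R": 60, "D": 43, "L": 40, "C": 28, "U": 28, "M": 24,
    "W": 23, "F": 22, "G": 20, "Y": 20, "P": 19, "B": 15, "V": 10,
    "K": 8, "J": 2, "Q": 1, "X": 1, "Z": 1,
}

# The exercise ciphertext from the slide above.
CIPHERTEXT = "Beeakfydjxuqyhyjiqryhtyjiqfbqduyjiikfuhcqd"


def shift_decrypt(ciphertext: str, key: int) -> str:
    """D_key(symbol) = symbol - key mod 26; non-letters pass through."""
    out = []
    for ch in ciphertext.upper():
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 - key) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def key_from_known_pair(plain: str, cipher: str) -> int:
    """One known (plaintext, ciphertext) symbol pair fixes the whole key."""
    return (ord(cipher.upper()) - ord(plain.upper())) % 26


def english_score(text: str) -> int:
    """Sum of per-1000 frequencies; higher means more English-like."""
    return sum(ENGLISH_PER_1000.get(ch, 0) for ch in text)


def brute_force_shift(ciphertext: str) -> list:
    """Try all 26 keys and return (key, plaintext) pairs, best score first."""
    candidates = [(k, shift_decrypt(ciphertext, k)) for k in range(26)]
    return sorted(candidates, key=lambda kp: english_score(kp[1]), reverse=True)


if __name__ == "__main__":
    for key, plaintext in brute_force_shift(CIPHERTEXT)[:3]:
        print(f"key={key:2d} score={english_score(plaintext)} {plaintext}")
```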
Shift cipher – weaknesses and strengths
• Strengths:
– Computationally efficient to encrypt and decrypt
– No storage requirements
– Ciphertext not longer than plaintext
• Weaknesses:
– Vulnerable to brute force: a given ciphertext can correspond to only 26 messages (or messages equal to the length of the alphabet)
– Even more vulnerable when the language has statistical properties, because some keys will be quickly apparent as unlikely/impossible given ciphertext
Shift cipher - Lessons learnt
• Need cipher that takes more keys than length of language alphabet, so brute force is more difficult
• Key should not be determinable from decrypting a single symbol
• How about two variables in the key, not 1?
Affine cipher - definition
$e(x) = ax + b \bmod m$
$d(y) = a^{-1}(y - b) \bmod m$
Is this possible for all a?
Try on example: m = 6. Find $a^{-1}$ for all $a \in Z_m$
GCD: definition
The gcd (Greatest Common Divisor) of two integers m and n, denoted gcd(m, n), is the largest non-negative integer that divides both m and n.
In other words, it is the unique positive integer x that satisfies:
$y \mid m$ and $y \mid n \Rightarrow y \mid x \quad \forall y$
Affine Cipher
$\mathcal{P} = \mathcal{C} = Z_m$
$\mathcal{K} = \{(a, b) \in Z_m \times Z_m : \gcd(a, m) = 1\}$
$e_K(x) = (ax + b) \bmod m$
$d_K(y) = a^{-1}(y - b) \bmod m$
Affine cipher examples
Encrypt
firstletstrythekasiskitest
Using key:
Complexity of attacks
Brute Force attack for alphabet of size n
How difficult is it to break this? How many possible keys?
$m^2$? $m$?
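An added example (not part of the original slides) covering the affine-cipher definition and the key-count question: it lists which a in $Z_m$ have an inverse, checks that exactly those a give a one-to-one map, and counts the valid keys. The key (7, 3) is constructed for illustration, since the slide's key is not given, and the function names are illustrative.

```python
from math import gcd


def invertible_elements(m: int) -> dict:
    """Map each a in Z_m with gcd(a, m) = 1 to its inverse a^-1 mod m."""
    return {a: pow(a, -1, m) for a in range(m) if gcd(a, m) == 1}


def is_one_to_one(a: int, b: int, m: int) -> bool:
    """True when x -> ax + b mod m hits every element of Z_m exactly once."""
    return len({(a * x + b) % m for x in range(m)}) == m


def keyspace_size(m: int) -> int:
    """Valid keys (a, b): invertible choices of a times m choices of b."""
    return len(invertible_elements(m)) * m


def affine_encrypt(text: str, a: int, b: int) -> str:
    """e_K(x) = (ax + b) mod 26 over lowercase a-z."""
    if gcd(a, 26) != 1:
        raise ValueError(f"a={a} has no inverse mod 26, so d_K does not exist")
    return "".join(chr((a * (ord(c) - 97) + b) % 26 + 97) for c in text)


def affine_decrypt(text: str, a: int, b: int) -> str:
    """d_K(y) = a^-1 (y - b) mod 26."""
    a_inv = pow(a, -1, 26)  # raises ValueError when gcd(a, 26) != 1
    return "".join(chr(a_inv * (ord(c) - 97 - b) % 26 + 97) for c in text)


if __name__ == "__main__":
    print("inverses mod 6:", invertible_elements(6))  # the m = 6 exercise
    print("keys for m = 26:", keyspace_size(26))
    key = (7, 3)  # constructed key for illustration; not the slide's key
    ct = affine_encrypt("firstletstrythekasiskitest", *key)
    print(ct, "->", affine_decrypt(ct, *key))
```

The brute-force search space is therefore neither m nor $m^2$ but the number of invertible a times m, which is still small enough to enumerate for the English alphabet.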
Vigenère Cipher
$E_k: Z_m^n \to Z_m^n$
$v \mapsto v + k \bmod m$
Long strings of letters k, such as lines from poems.
Example.
No index of coincidence.
Permutation Cipher
x: 1 2 3 4 5
$\pi(x)$: 3 2 5 1 4
x: 1 2 3 4 5
$\pi^{-1}(x)$:
Encrypt: canwegohomenow
Definition: Permutation Cipher
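$\mathcal{P} = \mathcal{C} = (Z_m)^n$
$\mathcal{K} = \{\pi \mid \pi \text{ a permutation of } \{1, 2, \ldots, n\}\}$
$e_\pi(x_1, x_2, \ldots, x_n) = (x_{\pi(1)}, x_{\pi(2)}, \ldots, x_{\pi(n)})$
$d_\pi(x_1, x_2, \ldots, x_n) = (x_{\pi^{-1}(1)}, x_{\pi^{-1}(2)}, \ldots, x_{\pi^{-1}(n)})$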
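An added example (not part of the original slides) that applies the definition above to the slide's permutation (3 2 5 1 4) and the message canwegohomenow: it computes the inverse permutation, encrypts block by block, and decrypts with the inverse. Padding the last block with "x" is an assumption of this example, and the function names are illustrative.

```python
PI = (3, 2, 5, 1, 4)  # pi(1), ..., pi(5) from the slide (1-indexed)


def inverse(pi: tuple) -> tuple:
    """Return pi^-1 as a 1-indexed tuple: pi(x) = y  =>  pi^-1(y) = x."""
    inv = [0] * len(pi)
    for x, y in enumerate(pi, start=1):
        inv[y - 1] = x
    return tuple(inv)


def apply_permutation(text: str, pi: tuple, pad: str = "x") -> str:
    """Split text into blocks of n = len(pi) and emit (x_pi(1), ..., x_pi(n)).

    The final block is padded with `pad`; padding is an assumption of this
    example, the slides do not say how short blocks are handled.
    """
    n = len(pi)
    text += pad * (-len(text) % n)
    blocks = (text[i:i + n] for i in range(0, len(text), n))
    return "".join("".join(block[p - 1] for p in pi) for block in blocks)


def encrypt(plaintext: str, pi: tuple = PI) -> str:
    return apply_permutation(plaintext, pi)


def decrypt(ciphertext: str, pi: tuple = PI) -> str:
    # Decryption is the same block operation with the inverse permutation.
    return apply_permutation(ciphertext, inverse(pi))


if __name__ == "__main__":
    ct = encrypt("canwegohomenow")
    print(inverse(PI), ct, decrypt(ct))
    # Letters only move: the multiset of symbols is unchanged, so
    # single-letter frequencies of the plaintext survive encryption.
    print(sorted(ct) == sorted("canwegohomenow" + "x"))
```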
Special Permutation Cipher
perhaps the oldest known cipher
classisboringtoday
ciidlsnaabgysotrsrox
What was the permutation?
History
How about a cipher with many, many possible keys?
ABCDEFGHIJKLMNOPQRSTUVWXYZ
cjmzuvywrdbunjoxaeslptfghi
Different key for each letter in the alphabet?
A letter goes to another one.
Each time a letter appears in the message it encrypts to the same letter in the ciphertext
How about using many, many keys?
Substitution cipher
$\mathcal{P} = \mathcal{C} = Z_m$
$\mathcal{K}$ = all permutations of $Z_m$
$e_\pi(x) = \pi(x)$
$d_\pi(y) = \pi^{-1}(y)$
The key is the table: 26! keys
Brute force could be expensive
Substitution cipher - cryptanalysis
lxr rwq zoazqgr sfuqb bqabq virw gxlkiz uqnb, vwqjq ir bIsgkn sqfab fggkniay rwq gjicfrq rjfabmojsfrioa mijbr fad rwqa rwq gxlkiz oaq. wq wfcq aorqd rwfr f sfeoj gjolkqs virw gjicfrq uqnb ib rwq bwqqj axslqj om uqnb f biaykq xbqj wfb ro brojq fad rjfzu. virw gxlkiz uqnb, oakn rvo uqnb fjq aqqdqd gqj xbqj: oaq gxlkiz fad oaq gjicfrq. Kqr xb bqq vwfr dimmejqazq rwib sfuqb ia rwq axslqj om uqnb aqqdqd.
Substitution cipher - cryptanalysis
a 22, b 24, c 4, d 9, e 2, f 21, g 13, h, i 20, j 16, k 10, l 8, m 6
n 9, o 15, p, q 51, r 28, s 9, t, u 9, v 7, w 16, x 10, y 2, z 8
Frequency of occurrence
• English (every 1000): E 127, T 91, A 82, O 75, I 70, N 67, S 63, H 61, R 60, D 43, L 40, C 28, U 28, M 24, W 23, F 22, G 20, Y 20, P 19, B 15, V 10, K 8, J 2, Q 1, X 1, Z 1
• Ciphertext: q 51, r 28, b 24, a 22, f 21, i 20, j 16, w 16, o 15, g 13, x 10, k 10, d 9, u 9, n 9, s 9, l 8, z 8, v 7, m 6, c 4, e 2, y 2, h 0, t 0, p 0
From Stinson
q = E
lxr rwE zoazEgr sfuEb bEabE virw gxlkiz uEnb, vwEjE ir bIsgkn sEfab fggkniay rwE gjicfrE rjfabmojsfrioa mijbr fad rwEa rwE gxlkiz oaE. vE wfcE aorEd rwfr f sfeoj gjolkEs virw gjicfrE uEnb ib rwE bwEEj axslEj om uEnb f biaykE xbEj wfb ro brojE fad rjfzu. virw gxlkiz uEnb oakn rvo uEnb fjE aEEdEd gEj xbEj: oaE gxlkiz fad oaE gjicfrE. kEr xb bEE vwfr dimmejEazE rwib sfuEb ia rwE axslEj om uEnb aEEdEd.
Digram/Trigram occurrence
• Digram: TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI, OF
• Trigram: THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH
From Stinson
q = E
lxr rwE zoazEgr sfuEb bEabE virw gxlkiz uEnb vwEjE ir bIsgkn sEfab
fggkniay rwE gjicfrE rjfabmojsfrioa mijbr fad rwEa rwE gxlkiz oaE. vE wfcE aorEd rwfr f sfeoj gjolkEs virw gjicfrE uEnb ib rwE bwEEj axslEj om uEnb f biaykE xbEj wfb ro brojE fad rjfzu. Virw gxlkiz uEnb, oakn rvo uEnb fjE aEEdEd gEj xbEj: oaE gxlkiz fad oaE gjicfrE. kEr xb bEE vwfr dimmejEazE rwib sfuEb ia rwE axslEj om uEnb aEEdEd.
En 6, Ej 6, Ed 5, Ea 2, Eb 2, Er 1, Ef 1, Es 1, Eg 1
ER ED ES EN EA ET
uE 8, wE 8, aE 5, bE 5, rE 4, kE 3, jE 3, dE 2, zE 2, gE 1, vE 1, cE, lE 1, sE 1
HE RE TE SE
T A O I N S H R D
r b a f i j w o g x k d
j = R; d = D; b or a = S; w = H
q = E; j=R; w=H; d=D
lxr rHE zoazEgr sfuEb bEabE virH gxlkiz uEnb vHERE ir bIsgkn sEfab fggkniay rHE gRicfrE rRfabmoRsfrioa miRbr fad rHEa rHE gxlkiz oaE. vE HfcE aorEd rHfr f sfeoR gRolkEs virH gjicfrE uEnb ib rHE bHEER axslER om uEnb f biaykE xbER Hfb ro broRE fad rRfzu. HirH gxlkiz uEnb, oakn rvo uEnb fRE aEEdEd gER xbER: oaE gxlkiz fad oaE gRicfrE. kEr xb bEE vHfr dimmeREazE rHib sfuEb ia rHE axslER om uEnb aEEdEd.
T A O I N S
r b a f i o g
r = T
q = E; j=R; w=H; r=T; d=D
lxT THE zONzEgr MAuES SENSE WITH gxlkIz uEnS WHERE IT SIMgkn MEANS AggknINy THE gRIcATE TRANSFORMATION FIRST AND THEN THE gxlkIz ONE. WE HAVE NOTED THAT A MAJOR PROlkEM WITH PRIVATE uEnS IS THE SHEER NxMlER OF uEnS A SIaykE xSER HAS TO STORE AND TRAzu. WITH gxlkIz uEnS, ONkn TWO uEnS ARE NEEDED gER xSER: ONE PxlkIz AND ONE PRIVATE. kET xS SEE WHAT DImmeRENzE THIS sAuESIN THE NxBlER OF uEnS NEEDED.
O N S
b a o g
v=W; i=I; f=A; b=S; o=O; m=F; a=N; s=M; c=V; g=P; e=J
Substitution cipher - cryptanalysis
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
f l z d q m y w i e u k s a o g t j b r x c v h n p
BUT THE CONCEPT MAKES SENSE WITH PUBLIC KEYS WHERE IT SIMPLY MEANS APPLYING THE PRIVATE TRANSFORMATION FIRST AND THEN THE PUBLIC ONE. WE HAVE NOTED THAT A MAJOR PROBLEM WITH PRIVATE KEYS IS THE SHEER NUMBER OF KEYS A SINGLE USER HAS TO STORE AND TRACK. WITH PUBLIC KEYS ONLY TWO KEYS ARE NEEDED PER USER ONE PUBLIC AND ONE PRIVATE. LET US SEE WHAT DIFFERENCE THIS MAKES IN THE NUMBER OF KEYS NEEDED.
Substitution cipher – cryptanalysis algorithm
• Look for “a”/“I”
• Compute frequency of single letters; compare to that of English
• Compute frequency of digrams, compare to that of English
• Compute frequency of trigrams, compare to that of English
• Etc.
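An added example (not part of the original slides) of the first steps of this algorithm, run on the opening words of the slides' ciphertext: single-letter counts, a digram tally after a chosen letter, and the slides' display convention of guessed letters in uppercase with the rest left as lowercase ciphertext. The key row is copied from the recovered key table earlier in the deck, and the function names are illustrative.

```python
from collections import Counter

# Opening words of the slides' ciphertext.
SAMPLE = "lxr rwq zoazqgr sfuqb bqabq virw gxlkiz uqnb"
# Bottom row of the recovered key table: ciphertext letter for plaintext A..Z.
KEY_ROW = "flzdqmywieuksaogtjbrxcvhnp"


def letter_counts(ciphertext: str) -> list:
    """Single-letter counts, most frequent first."""
    return Counter(c for c in ciphertext.lower() if c.isalpha()).most_common()


def following(ciphertext: str, letter: str) -> Counter:
    """Count digrams letter+? inside words, like the slides' En/Ej/Ed tally."""
    words = ciphertext.lower().split()
    return Counter(w[i + 1] for w in words
                   for i in range(len(w) - 1)
                   if w[i] == letter and w[i + 1].isalpha())


def apply_guesses(ciphertext: str, guesses: dict) -> str:
    """Show guessed letters as UPPERCASE plaintext and leave the rest as
    lowercase ciphertext, as the slides do for a partially broken text."""
    return "".join(guesses.get(c, c) for c in ciphertext.lower())


def key_from_table(key_row: str = KEY_ROW) -> dict:
    """Invert the key table into a ciphertext -> plaintext mapping."""
    return {c: chr(65 + i) for i, c in enumerate(key_row)}


if __name__ == "__main__":
    print(letter_counts(SAMPLE)[:3])
    print(following(SAMPLE, "q"))
    for guesses in ({"q": "E"},
                    {"q": "E", "j": "R", "w": "H", "d": "D", "r": "T"},
                    key_from_table()):
        print(apply_guesses(SAMPLE, guesses))
```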
Substitution cipher – strengths and weaknesses
• Strengths:
– Not vulnerable to brute force attacks
– Encryption and decryption requires low computational overhead, though more than Shift cipher
– Ciphertext not longer than plaintext
• Weaknesses:
– Vulnerable to statistical attack if language/message has statistical structure
– Requires storage of key table
Substitution cipher – lessons learnt
• In spite of 26! possible keys, can break, because of structure of message
• Can we make message without statistical structure?
• Examples?
Images in well-compressed form. What about zip files?
Perfect Cipher
One time pad
Example over English alphabet
Example over binary alphabet
Perfect because, after knowing ciphertext, a random guess is as good as any other.
Doesn’t need a computer
Basic Pixels (from Douglas Stinson’s website)
What about biased one-time pad
Suppose the probability of a 0 in the key is p. Is the one-time pad perfectly secret?
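An added example (not part of the original slides) that works the question above for a single bit with exact fractions: it applies Bayes' rule to get P(M = 0 | C = c) when the key bit is 0 with probability p and C = M xor K, then compares that posterior with the prior. The two sample priors and the function names are assumptions of this example.

```python
from fractions import Fraction


def key_prob(bit: int, p_zero: Fraction) -> Fraction:
    """P(K = bit) when each key bit is 0 with probability p_zero."""
    return p_zero if bit == 0 else 1 - p_zero


def posterior_m0(p_zero, prior_m0, c: int) -> Fraction:
    """P(M = 0 | C = c) for one bit, where C = M xor K (Bayes' rule)."""
    p, q = Fraction(p_zero), Fraction(prior_m0)
    joint_m0 = q * key_prob(c, p)            # M = 0 needs K = c
    joint_m1 = (1 - q) * key_prob(1 - c, p)  # M = 1 needs K = 1 xor c
    return joint_m0 / (joint_m0 + joint_m1)


def is_perfectly_secret(p_zero, priors=(Fraction(1, 2), Fraction(1, 3))) -> bool:
    """Perfect secrecy: the posterior equals the prior for every ciphertext.
    Checked here on two sample priors (an assumption of this example)."""
    return all(posterior_m0(p_zero, q, c) == q for q in priors for c in (0, 1))


def guess_success(p_zero) -> Fraction:
    """Chance of recovering a uniform message bit from the ciphertext bit
    alone, by assuming the key bit took its more likely value."""
    p = Fraction(p_zero)
    return max(p, 1 - p)


if __name__ == "__main__":
    for p in (Fraction(1, 2), Fraction(3, 4), Fraction(9, 10)):
        print(p, is_perfectly_secret(p),
              posterior_m0(p, Fraction(1, 2), 0), guess_success(p))
```

Only p = 1/2 leaves the posterior equal to the prior; for any other p the ciphertext bit shifts the odds on the message bit.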
One-time pad inefficient
Need to get the entire key secretly to the message receiver
Need a cryptosystem where managing keys is easier.