Cryptography Part 1: Classical Ciphers Jerzy Wojdyło May 4, 2001.

Post on 03-Jan-2016


Cryptography Part 1: Classical Ciphers

Jerzy Wojdyło

May 4, 2001

Cryptography, Jerzy Wojdylo, 5/4/01

Overview

Classical Cryptography

– Simple Cryptosystems

– Cryptanalysis of Simple Cryptosystems

Shannon’s Theory of Secrecy

Modern Encryption Systems

– DES, Rijndael

– RSA

Signature Schemes


Cryptosystem

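A cryptosystem is a five-tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, where the following are satisfied:

1. $\mathcal{P}$ is a finite set of possible plaintexts

2. $\mathcal{C}$ is a finite set of possible ciphertexts

3. $\mathcal{K}$, the keyspace, is a finite set of possible keys

4. For each $K \in \mathcal{K}$ there is an encryption rule $e_K \in \mathcal{E}$ and a decryption rule $d_K \in \mathcal{D}$. Each $e_K: \mathcal{P} \to \mathcal{C}$ and $d_K: \mathcal{C} \to \mathcal{P}$ are functions such that $d_K(e_K(x)) = x$ for all $x \in \mathcal{P}$.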


Notation

English alphabet

– Lower case: a, b, c, …, z for plaintext

– Upper case: A, B, C, …, Z for ciphertext

For encryption and decryption algorithms, we will substitute letters a, b, c, …, z with numbers 0, 1, 2, …, 25.


Classical Cryptography

Monoalphabetic Ciphers

Once a key is chosen, each alphabetic character of a plaintext is mapped onto a unique alphabetic character of a ciphertext.

– The Shift Cipher (Caesar Cipher)

– The Substitution Cipher

– The Affine Cipher


Classical Cryptography

Polyalphabetic Ciphers

Each alphabetic character of a plaintext can be mapped onto m alphabetic characters of a ciphertext. Usually m is related to the encryption key.

– The Vigenère Cipher

– The Hill Cipher

– The Permutation Cipher


The Shift (Caesar) Cipher

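Let $\mathcal{P} = \mathcal{C} = \mathcal{K} = \mathbb{Z}_{26}$.

For $x \in \mathcal{P}$, $y \in \mathcal{C}$, $K \in \mathcal{K}$, define

$e_K(x) = x + K \pmod{26}$

and

$d_K(y) = y - K \pmod{26}$.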

Example on www.


The Substitution Cipher

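Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}$, let $\mathcal{K} = S_{26}$.

For $x \in \mathcal{P}$, $y \in \mathcal{C}$, $\pi \in \mathcal{K}$, define

$e_\pi(x) = \pi(x)$

and

$d_\pi(x) = \pi^{-1}(x)$.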

Example on www.


The Affine Cipher

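Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}$, let

$\mathcal{K} = \{(a, b) \in \mathbb{Z}_{26} \times \mathbb{Z}_{26} \mid \gcd(a, 26) = 1\}$.

For $x \in \mathcal{P}$, $y \in \mathcal{C}$, $K \in \mathcal{K}$, define

$e_K(x) = ax + b \pmod{26}$

and

$d_K(y) = a^{-1}(y - b) \pmod{26}$.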

Example on www.


The Vigenère Cipher

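Let $m \in \mathbb{Z}^+$, let $\mathcal{P} = \mathcal{C} = \mathcal{K} = (\mathbb{Z}_{26})^m$. For a key $K = (k_1, k_2, \ldots, k_m)$, we define

$e_K(x_1, x_2, \ldots, x_m) = (x_1 + k_1, x_2 + k_2, \ldots, x_m + k_m)$

and

$d_K(x_1, x_2, \ldots, x_m) = (x_1 - k_1, x_2 - k_2, \ldots, x_m - k_m)$

where all operations are modulo 26.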

This is an example (www) of a block cipher.


The Hill Cipher

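Let $m \in \mathbb{Z}^+$, let $\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$, let

$\mathcal{K} = \{m \times m \text{ invertible matrices over } \mathbb{Z}_{26}\}$.

For a key $K$, we define

$e_K(x) = Kx \pmod{26}$

and

$d_K(y) = K^{-1}y \pmod{26}$.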

Example MATLAB.


The Permutation Cipher

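Let $m \in \mathbb{Z}^+$, let $\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$, let $\mathcal{K} = S_m$.

For a key (i.e. a permutation) $\pi$ we define

$e_\pi(x_1, x_2, \ldots, x_m) = (x_{\pi(1)}, x_{\pi(2)}, \ldots, x_{\pi(m)})$

and

$d_\pi(y_1, y_2, \ldots, y_m) = (y_{\pi^{-1}(1)}, y_{\pi^{-1}(2)}, \ldots, y_{\pi^{-1}(m)})$

where $\pi^{-1}$ is the inverse permutation to $\pi$.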

(The Hill Cipher, where K = a permutation matrix.)


Cryptanalysis

Kerckhoffs's Principle: the cryptosystem (the algorithm) is NOT secret; the key is secret.

Common attacks to obtain the key

– Ciphertext-only

– Known plaintext

– Chosen plaintext

– Chosen ciphertext


Attack on a Shift Cipher

Ciphertext-only

Exhaustive search

26 cases

Very insecure cipher


Cryptanalysis of a Monoalphabetic Cipher

Ciphertext-only attack

Letter frequencies of the English language (bar chart, letters in decreasing order of frequency):

E 0.127, T 0.091, A 0.082, O 0.075, I 0.070, N 0.067, S 0.063, H 0.061, R 0.060,

D 0.043, L 0.040, C 0.028, U 0.028, M 0.024, W 0.023, F 0.022, G 0.020, Y 0.020,

P 0.019, B 0.015, V 0.010, K 0.008, J 0.002, Q 0.001, X 0.001, Z 0.001


Attack on a Substitution Cipher

Insecure cipher, even though the number of possible keys is 26! = 403291461126605635584000000 (approximately $4.0329 \cdot 10^{26}$)

Letter frequencies calculator www


Attack on the Vigenère Cipher

Kasiski test (m, length of the key)

– Friedrich Wilhelm Kasiski (1863)

– Charles Babbage (1854, result remained secret)

Two identical segments of plaintext will be encrypted to the same ciphertext if their occurrences in the plaintext are x positions apart, where x is a multiple of m.


Attack on the Vigenère Cipher

CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBWRVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAKLXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELXVRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHRZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJTAMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBIPEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHPWQAIIWXNRMGWOIIFKEE


Attack on the Vigenère Cipher

Positions of CHR: 1, 166, 236, 276, 286.

Differences of positions:

166 – 1 = 165, 236 – 1 = 235, 276 – 1 = 275, 286 – 1 = 285

The gcd of these differences is 5, so the key is most likely of length m = 5.


Attack on the Vigenère Cipher

Divide the ciphertext into 5 substrings (positions 5k, 5k+1, 5k+2, 5k+3, 5k+4)

Analyze each substring as a monoalphabetic cipher.

Continue on http://math.ucsd.edu/~crypto/java/EARLYCIPHERS/Vigenere.html

Also an insecure cipher
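The Kasiski test and the per-substring frequency analysis from the slides above, run on the slides' own ciphertext. This is an added example, not part of the original presentation: the function names are this example's own, and scoring each candidate shift by its dot product with the English frequency table is an assumed way of carrying out the "analyze each substring" step.

```python
from collections import Counter
from functools import reduce
from math import gcd

# Ciphertext copied from the slide above.
CIPHERTEXT = (
    "CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBW"
    "RVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAK"
    "LXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELX"
    "VRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHR"
    "ZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJT"
    "AMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBI"
    "PEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHP"
    "WQAIIWXNRMGWOIIFKEE"
)
# English frequencies for a..z, from the letter-frequency slide.
ENGLISH = [0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070,
           0.002, 0.008, 0.040, 0.024, 0.067, 0.075, 0.019, 0.001, 0.060,
           0.063, 0.091, 0.028, 0.010, 0.023, 0.001, 0.020, 0.001]

def positions(text, segment):
    """1-based start positions of every occurrence of segment."""
    return [i + 1 for i in range(len(text)) if text.startswith(segment, i)]

def kasiski_length(text, segment):
    """gcd of the distances between the first occurrence and the others."""
    pos = positions(text, segment)
    return reduce(gcd, (p - pos[0] for p in pos[1:]), 0)

def best_shift(column):
    """Shift K under which the decrypted column looks most like English."""
    counts = Counter(ord(c) - ord("A") for c in column)
    return max(range(26), key=lambda k: sum(
        ENGLISH[i] * counts[(i + k) % 26] for i in range(26)))

def recover_key(text, m):
    """Treat positions j, j+m, j+2m, ... as one shift cipher per j."""
    return [best_shift(text[j::m]) for j in range(m)]

def decrypt(text, key):
    """d_K from the Vigenere slide: subtract the key, modulo 26."""
    return "".join(chr((ord(c) - ord("A") - key[i % len(key)]) % 26 + ord("a"))
                   for i, c in enumerate(text))

if __name__ == "__main__":
    m = kasiski_length(CIPHERTEXT, "CHR")
    key = recover_key(CIPHERTEXT, m)
    print(positions(CIPHERTEXT, "CHR"), m, key)
    print(decrypt(CIPHERTEXT, key))
```

Each of the five substrings holds only about 63 letters, yet that is enough for the frequency match to single out one shift per position, which is why a long key alone does not rescue the cipher.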


Cryptanalysis of the Hill Cipher

Number of keys $k$ = number of invertible $m \times m$ matrices with coefficients from $\mathbb{Z}_{26}$. Does anyone know the formula?

If $p$ is prime and the alphabet is $\mathbb{Z}_p$, then

$$k = \prod_{i=0}^{m-1} \left(p^m - p^i\right).$$

If $p = 29$:

m    3    4    5    10

k    $1.4 \cdot 10^{13}$    $2.4 \cdot 10^{23}$    $3.5 \cdot 10^{36}$    $1.7 \cdot 10^{146}$


Cryptanalysis of the Hill Cipher

Easily broken with a known plaintext attack.

Permutation Cipher = Hill Cipher, where the key is a permutation matrix.

Both ciphers are insecure.


Perfect Secrecy

A cryptosystem is computationally secure if the best algorithm for breaking it requires at least N operations, where N is some specified, very large number. Problems…

A cryptosystem is unconditionally secure if it cannot be broken with infinite computational resources.


Perfect Secrecy

None of the classical cryptosystems is even computationally secure.

However, the Shift Cipher, the Substitution Cipher, and the Vigenère Cipher are unconditionally secure if only one element of plaintext is encrypted with a given key! REALLY???


Perfect Secrecy

Claude Shannon, “Communication Theory of Secrecy Systems”, Bell System Technical Journal (1949).

A cryptosystem has perfect secrecy if $p_{\mathcal{P}}(x \mid y) = p_{\mathcal{P}}(x)$ for any $x \in \mathcal{P}$ and $y \in \mathcal{C}$. That is, the a posteriori probability that the plaintext is x, given that the ciphertext is y, is identical to the a priori probability that the plaintext is x.


Perfect Secrecy

Theorem (Shannon). Suppose the 26 keys in the Shift Cipher are used with equal probability 1/26. Then for any plaintext probability distribution, the Shift Cipher has perfect secrecy.

Consequences: One-time Pad Cryptosystem (Gilbert Vernam, 1917). Key, plaintext, and ciphertext have the same length. Problems with keys: very long, distribution. Each key can be used only ONCE!
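The perfect-secrecy condition p(x | y) = p(x) checked with exact fractions for the Shift Cipher under uniformly chosen keys: it holds when one element is encrypted per key and fails as soon as a second element reuses the key. This is an added example, not part of the original presentation; the function names and the two plaintext distributions are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

N = 26
KEY_PROB = Fraction(1, N)  # the theorem's assumption: all 26 keys equally likely

def likelihood(x, y):
    """p(y | x): probability of the keys K that shift every element of x onto y."""
    return sum(KEY_PROB for k in range(N)
               if all((xi + k) % N == yi for xi, yi in zip(x, y)))

def posterior(prior, y):
    """p(x | y) for each plaintext in prior (Bayes' rule), or None if p(y) = 0."""
    p_y = sum(p * likelihood(x, y) for x, p in prior.items())
    if p_y == 0:
        return None
    return {x: p * likelihood(x, y) / p_y for x, p in prior.items()}

def has_perfect_secrecy(prior):
    """True if p(x | y) == p(x) for every x and every ciphertext y that can occur."""
    length = len(next(iter(prior)))
    for y in product(range(N), repeat=length):
        post = posterior(prior, y)
        if post is not None and post != prior:
            return False
    return True

# Constructed plaintext distributions (not from the slides).
ONE_LETTER = {(0,): Fraction(1, 2), (4,): Fraction(1, 3), (19,): Fraction(1, 6)}
TWO_LETTERS = {(0, 0): Fraction(1, 2), (0, 1): Fraction(1, 2)}  # "aa" or "ab"

if __name__ == "__main__":
    print(has_perfect_secrecy(ONE_LETTER))   # one element per key
    print(has_perfect_secrecy(TWO_LETTERS))  # same key reused for two elements
    print(posterior(TWO_LETTERS, (3, 3)))    # ciphertext "DD" reveals "aa"
```

With two letters under one key, the difference between ciphertext letters equals the difference between plaintext letters, so the ciphertext alone rules plaintexts out; the one-time pad avoids this by never reusing key material.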

The End

Cryptography, Part 1: Classical Ciphers

Cryptography

Part 2: Modern Cryptosystems

Stay Tuned…