Analyzing Spanish Civil War Ciphers by Combining …€¦ · Acknowledgements...

EMSEC

Analyzing Spanish Civil War Ciphers by CombiningCombinatorial and Statistical Methods

Luis Alberto Benthin Sanguino

Master’s Thesis. December 19, 2013.Chair for Embedded Security – Prof. Dr.-Ing. Christof PaarAdvisor: Dr. Gregor Leander

Abstract

According to historical reports, some telegrams that date from the Spanish Civil War(1936-1939) still remain undisclosed. It is believed that these documents were encryptedwith the Spanish Strip Cipher (SSC).

The SSC was the most used cryptographic algorithm during the civil war. This methodcorresponds to a substitution cipher, in which a plaintext letter can map between threeor five homophones in the ciphertext. In our research, we analyzed in depth the structureof different versions of the SSC that led us to detect a weakness in the encryption process.In this thesis, we present an analytical attack in which this vulnerability is exploited.

The attack is based on combinatorial and statistical methods, and it is divided intothree phases:

1. Homophones-table analysis.

2. Letter-frequency analysis.

3. Dictionary search.

The results show that it is possible to efficiently reconstruct a plaintext from a shortciphertext (201 symbols) by performing the proposed attack.

In order to test the attack, we implemented the following tools:

∙ A plug-in that performs the SSC encryption and decryption. This plug-in wasintegrated into the open-source program for cryptography and cryptanalysisCrypTool 2 (CT2) [Cry].

∙ A code-breaker tool that implements the attack’s phases.

The contributions of this thesis will help future researches to address this interestingtopic successfully. Improvements to the proposed attack can be implemented, with thepurpose of breaking other variations of the SSC.

Acknowledgements

I remember that around two years ago, the words about IT Security that used to cross mymind were related with antivirus, firewalls, access control, pins, passwords, and nothingelse. I had no idea that cryptographic algorithms are the engines that provide securityto information technologies. To be honest, even the word cryptography was not on thetop “ten” of my dictionary.

I would like thank Prof. Christof Paar not only for giving me the opportunity to writethis thesis in the chair for embedded security, but also for his motivating lectures. A bigpart of my current understanding about cryptography is thanks to him. By attendinghis lectures, I was able to appreciate one of the most interesting topics I have ever seen.Certainly, the word cryptography is now on the top ten.

I deeply thank Dr. Gregor Leander for his support and great ideas that made possiblethe realization of this thesis. I do appreciate his patience. Ich kann mich vorstellen, dassmein Aussprache manchmal wie verschlüsselt klingt! If by any chance this thesis is beingread by a person who did not understand the previous phrase, please do not consider itas a ciphertext, or if you think so, I give you a hint to decrypt it: Google Translator.

A special thanks to Prof. Bernhard Esslinger for all his significant collaboration,feedbacks, and willingness with this project. He made possible that the SSC is nowavailable in a mature way in the e-learning platform for cryptography and cryptanalysisCT2.

Thanks to all the professors and tutors of the master program in IT-Sicherheit / Netzeund Systeme.

i

DeclarationI hereby declare that this submission is my own work and that, to the best of myknowledge and belief, it contains no material previously published or written by anotherperson nor material which to a substantial extent has been accepted for the award of anyother degree or diploma of the university or other institute of higher learning, exceptwhere due acknowledgment has been made in the text.

ErklärungHiermit versichere ich, dass ich die vorliegende Arbeit selbstständig verfasst und keineanderen als die angegebenen Quellen und Hilfsmittel benutzt habe, dass alle Stellen derArbeit, die wörtlich oder sinngemäß aus anderen Quellen übernommen wurden, als solchekenntlich gemacht sind und dass die Arbeit in gleicher oder ähnlicher Form noch keinerPrüfungsbehörde vorgelegt wurde.

Luis Alberto Benthin Sanguino

Contents

1 Introduction 11.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.3 Contribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.4 Organization of this Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 The Spanish Strip Cipher 52.1 Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.2 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2.3.1 Mathematical Representation . . . . . . . . . . . . . . . . . . . . . 82.4 Practical Relevance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3 Cryptanalysis 113.1 Brute-Force Attack against the SSC . . . . . . . . . . . . . . . . . . . . . 11

3.1.1 Key-Space Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 113.2 Analytical Attack against the SSC . . . . . . . . . . . . . . . . . . . . . . 14

3.2.1 Previous Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143.2.2 SSC Variant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143.2.3 Assumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153.2.4 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

4 Phase 1: Homophones-Table Analysis 194.1 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

4.1.1 Reconstructing the Homophones Columns . . . . . . . . . . . . . . 204.2 Formal Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

4.2.1 The Homophones-Table and the Ciphertext . . . . . . . . . . . . . 304.2.2 The Intersection Operation and the Candidate Column Ca . . . . 324.2.3 Analysis of the Candidate Ca . . . . . . . . . . . . . . . . . . . . . 32

4.3 Ciphertext-Length Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 364.3.1 Analysis of the Results . . . . . . . . . . . . . . . . . . . . . . . . . 36

5 Phase 2: Letter-Frequency Analysis 415.1 Frequencies Relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425.2 Generation of the Columns-Letters Candidate List . . . . . . . . . . . . . 44

5.2.1 Practical Relevance . . . . . . . . . . . . . . . . . . . . . . . . . . 455.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

iv Contents

6 Phase 3: Dictionary Search 496.1 Cipher-Plaintext Generation . . . . . . . . . . . . . . . . . . . . . . . . . . 496.2 Word-Vectors Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . 496.3 Plaintext-Trees Generation . . . . . . . . . . . . . . . . . . . . . . . . . . 506.4 Final Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

6.4.1 Analysis of the Results . . . . . . . . . . . . . . . . . . . . . . . . . 546.4.2 Analysis of a Candidate Plaintext . . . . . . . . . . . . . . . . . . 546.4.3 Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

7 Implementation 577.1 Encryption and Decryption Tool . . . . . . . . . . . . . . . . . . . . . . . 57

7.1.1 Development Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 577.1.2 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577.1.3 Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587.1.4 Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

7.2 Code-Breaker Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637.2.1 Development Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 637.2.2 Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

8 Conclusions 678.1 Attack Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

A Acronyms 71

B Telegrams 73B.1 Telegram with 125 letters . . . . . . . . . . . . . . . . . . . . . . . . . . . 73B.2 Telegram with 502 letters . . . . . . . . . . . . . . . . . . . . . . . . . . . 73B.3 Telegram with 735 letters . . . . . . . . . . . . . . . . . . . . . . . . . . . 74B.4 Telegram with 934 letters . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

C DVD Content 79

List of Figures 81

List of Tables 83

List of Algorithms 84

Bibliography 87

1 Introduction

Throughout wars, cryptography played a main role to protect secret information. On theother hand, cryptanalysis has been employed with the purpose of breaking codes thatallowed the enemy to read secret messages. For example, during World War II, the alliesintelligence services, with the help of Polish cryptanalysts, were able to intercept anddecrypt German messages that had been encrypted with the Enigma machine [Bra].

During the Spanish Civil War (1936-1939) this scenario was not different. Both sides,the nationalists and republicans, employed cryptographic algorithms to protect sensibleinformation. But also, both sides had a so-called "Eavesdropping and Decrypting Unit"[Jos08], which aimed to intercept and decrypt encrypted messages.

According to [Jos08], nationalists and republicans used several encryption methods,including monoalphabetic substitution ciphers, homophonic substitution ciphers, thePlayfair method, a variation of the Gronsfeld cipher, and the machines: Enigma, Kryha,and Hagilin.

In addition to these methods, the algorithm, which is called the Spanish Strip Cipher(SSC) or the Spanish Method, was widely adopted by both sides. As stated in [Jos08],this method was the most popular cipher during the civil war.

The SSC is a variation of the homophonic cipher, in which a plaintext letter can mapmore than just one ciphertext symbol. The idea behind this one-to-𝑛 relationship is toavoid letter-frequency attacks. In the homophonic cipher the variable 𝑛 is related with theplaintext letters frequencies. For instance, in a Spanish text, the letter A has a frequencyof 12.53 % and the letter C only 4.68 %; hence, the letter A should approximately mapthree times more ciphertext symbols than the letter C. In contrast to this, in the SSCthere are, regardless the letters frequency, three fixed mappings: one-to-three, one-to-four,or one-to-five. Furthermore, the Spanish method employs a random alphabet which isgenerated by means of a keyword, and then shifted using an element called initial position.

The main goal of this thesis is to demonstrate that a weakness in the SSC encryptionprocess can be exploited, by using combinatorial and statistical methods, to efficientlyreconstruct a plaintext from a given ciphertext with, for example, only 200 homophones.In order to reach this goal, the analytical attack against the SSC is divided in threephases: homophones-table analysis, letter-frequency analysis, and dictionary search.

Additionally, as part of this work, the encryption and decryption algorithms of the SSCwere implemented and then integrated as plug-in in the Open-Source Program CT2 whichis part of the CrypTool project that develops the most-widespread e-learning programworldwide for cryptography and cryptanalysis [Cry].

The next sections provide the motivation to deal with this project, a summary ofthe relevant previous works, the contribution of this work, and the organization of theremaining chapters of this document.

2 1 Introduction

1.1 Motivation

Historians report that many documents of the Spanish civil war have been shelved becausethey still remain encrypted. If we consider that encryption, in most cases, is used toprotect secret and important information, we can conclude that these documents containvaluable historical information.

Unfortunately, little is known about the SSC in the cryptography world. There wasnot even a public software implementation of this cryptographic algorithm. Furthermore,only a few papers have dealt with the task of breaking it.

We strongly believe that if we systematically categorize the possible variants of theSSC and then identify their exploitable vulnerabilities, the valuable information, whichis contained in those encrypted documents, will be soon unveiled.

1.2 Related Work

In our research, the first article consulted was [Jos07]. This article clearly explains howthe SSC works. By reading it, we were able to detect the vulnerability when selecting ahomophone that substitutes a plaintext letter in the ciphertext.

Afterwards, we analyzed the article [Fco13] and the thesis [Jos11]. Both papers proposea method to break the SSC by means of Genetic Algorithms (GA). In [Fco13], it isassumed that the homophones table is known, claiming that at wartime the administrationof such tables was poor, and thus, in many cases they ended up in the enemy hands.In other words, they propose a method to break a monoalphabetic substitution cipher.As result, a ciphertext with 511 homophones is decrypted. Comparatively, in the thesis[Jos11], the homophones table is considered unknown. In the best result of this work,the 62.16 % of the plaintext was recovered from a ciphertext with 934 homophones. Innone of these two works, the weakness, which we encountered in the encryption process,is deemed.

Finally, we studied the method explained in [Jua13] which deals with the letter-frequency analysis in monoalphabetic substitution ciphers. This method was used asbackground for letter-frequency attack carried out in this thesis. Unlike the methods usedin [Fco13] and [Jos11], this method is based on the discrete probability distributions ofthe homophones-column frequencies in the ciphertext in relation to the letter frequenciesof the Spanish language.

1.3 Contribution

The first contribution of this work is the implementation of the first public tool thatperforms the encryption and decryption algorithms of the SSC. This tool was integratedas plug-in in the open-source program for cryptography and cryptanalysis CT2 [Cry].

The main contribution of this thesis is the detailed description and implementationof a method that can break one of the variants of the SSC, in which a plaintext isreconstructed from a relatively short ciphertext at low computational resources.

1.4 Organization of this Thesis 3

1.4 Organization of this ThesisThe remainder of this document is organized as follows:

The Spanish Strip Cipher This chapter provides the necessary information to under-stand the encryption and decryption algorithms of the SSC. It also includes a detaileddescription of each of the elements of the cryptographic key.

Cryptanalysis In this chapter, it is first proven that a brute-force attack againstthe SSC is computationally infeasible. Thereafter, an overview of the three phases of theanalytical attack against the SSC is provided. Beforehand, we define the SSC variant thatis attacked, and also, we explain which assumption about the encryption vulnerabilitymust be fulfilled so that our attack will be successful.

Phase 1: Homophones-Table Analysis The attack to break the SSC begins in thischapter. By means of an example, it is explained, how the homophones-table columns arereconstructed from a ciphertext. Afterwards, the employed method is formally described.Finally, the results of the ciphertext-length analysis are given. This analysis shows therelation between the number of ciphertext homophones and the number of columns thatcan be reconstructed in this phase.

Phase 2: Letter-Frequency Analysis This chapter describes how the columns, whichwere reconstructed in the previous phase, are used to perform a letter-frequency attack.The main points of this chapter are: the relationship between the columns frequencies andthe letters frequencies, the calculation of the columns probabilities, and the calculationof the joint probabilities which are used to generate a list of columns-letters candidates.

Phase 3: Dictionary Search This chapter explains the last phase of the proposedattack. It includes the generation of a partially decrypted ciphertext by substitutinga columns-letters candidate in the ciphertext; the generation of the word vectors, andfinally the generation of the plaintext trees.

Implementation This chapter provides the requirements, the components, and themain algorithms of the SSC plug-in and the code-breaker tool.

Conclusions At the end of this document, the conclusions of this thesis are presented.In addition, future improvements to this work are proposed.

2 The Spanish Strip Cipher

This chapter describes the SSC, which was the most used encryption algorithm duringthe Spanish Civil War (1936-1939) [Jos07, Jos08].

The SSC is a variation of the homophonic substitution cipher, in which a plaintextletter not only maps one ciphertext character, as in monoalphabetic substitution ciphers,but also it can map more than one.

As shown in Figure 2.1, a homophonic cipher is formed by an alphabet and a homo-phones table, where each letter of the plaintext alphabet maps one homophones columnand each homophone of the table maps only one plaintext letter.

Figure 2.1: Homophonic substitution cipher. This table was used by the nationalist side(XIV Division) during the Spanish civil war [Jos08].

Normally, the number of homophones in a column is related with the letter’s frequency.For example, in a Spanish text the letter E occurs with a frequency of 13.68 % approxi-mately. On the other hand, the letter N approximately occurs with a frequency of 6.71%. Thus, more ciphertext characters should be assigned to the letter E than to the letterN. In this way, frequency analysis attacks become more difficult.

Compared with the homophonic substitution cipher depicted in Figure 2.1, in the SSCeach plaintext letter maps between three and five ciphertext homophones, regardless theletter’s frequency. In addition, the SSC encompasses three extra elements (see Figure2.2): A random alphabet, a keyword, which is used to generate the random alphabet, andan initial position which is used to shift the random alphabet. These three elements,together with the homophones table, form a key.

As seen in [Jos08], during the Spanish civil war at least 13 keys (e.g. ABANDO,AVIACIÓN ROJA 1870, BOCHO, R45, NUEVA GENERAL, etc.) were employed. Thesekeys have some differences each other. For instance, in the key ABANDO, the Spanishalphabet has 26 letters, due to the exclusion of the letter W. On the other hand, in thekey AVIACIÓN ROJA 1870, a Spanish alphabet with 29 letters is used, in which thedigraphs CH and LL are included. In most of these keys, the homophones table contains99 two-digit numbers in the range of 01-99, where each column contains between three

6 2 The Spanish Strip Cipher

and five numbers. According to [Jos08], these keys are variations of the original designof the SSC (see Figure 2.2).

Figure 2.2: Original design of the Spanish Strip Cipher. In this key the keyword iscryptool and the initial position is B in C

The following sections explain in detail the elements of the SSC as well as the encryptionand decryption algorithms.

2.1 Elements

The SSC is formed by the following five elements:

1. Ordered alphabet This element contains between 26 and 29 letters of the Spanishalphabet.

The current Spanish alphabet is formed by the following letters:

A B C D E F G H I J K L M N Ñ O P Q R S T U V W X Y Z.

Since 1994 the digraphs CH and LL were excluded [Rea]. Figure 2.2 shows that theoriginal design of the SSC utilize the current Spanish alphabet. However, as seen in[Jos08], during the Spanish civil war some variations employed a Spanish alphabet with26 letters, where the letter W is not used, or with 29 letters, in which the digraphs CHund LL are taken into account.

2. Homophones Table In the original design of the SSC(see Figure 2.2), the ho-mophones table contains 90 two-digit numbers in the range of 10-99. Nonetheless, asseen in [Jos08], during the Spanish civil war all the numbers in the range of 01-99 wereconsidered. In the key NUEVA GENERAL even the number 00 is taken into account.

The number of columns of the homophones table is related with the alphabet. Asshown in Figure 2.2, the alphabet contains 27 letters; thus, the table has 27 columns,where each one contains between 3 and 5 homophones. However, as shown in Figure 2.2,in the original design each column only contain 3 or 4 homophones.

In order to agree with a homophones table, the sender and receiver define whichcolumns contain 3, 4, or 5 homophones, and they also establish the order of the numbersin the table.

2.2 Encryption 7

3. Keyword String of arbitrary length which is formed by letters of the orderedalphabet. This element is needed to generate the random alphabet.

4. Random Alphabet This element contains the same letters as the ordered alphabet.However, the position of each letter is determined as follows:

∙ First, any repeated letter in the keyword is removed. For example, if we use thekeyword CRYPTOOL, the second occurrence of the letter O is removed. The resultis: CRYPTOL.

∙ In the second step, the ordered alphabet is sequentially written under the remainingletters of the keyword ignoring the letters which already occur in the keyword. Asresult, the following table is generated:

1 2 3 4 5 6 7C R Y P T O LA B D E F G HI J K M N Ñ QS U V W X Z

∙ Finally, each column of this table is placed horizontally. The resulting randomalphabet is:

𝐶𝐴𝐼𝑆⏟ ⏞ 1

𝑅𝐵𝐽𝑈⏟ ⏞ 2

𝑌 𝐷𝐾𝑉⏟ ⏞ 3

𝑃𝐸𝑀𝑊⏟ ⏞ 4

𝑇𝐹𝑁𝑋⏟ ⏞ 5

𝑂𝐺Ñ𝑍⏟ ⏞ 6

𝐿𝐻𝑄⏟ ⏞ 7

5. Initial Position This element is used to shift the random alphabet. As can be seen inFigure 2.2, for the initial position B in C, the random alphabet is shifted (24 positions),until the letter B reaches the same position as the letter C of the ordered alphabet.

2.2 EncryptionTo begin the encryption of a plaintext, the sender and receiver, first of all, must agree ona key. As already mentioned, in the SSC a key is formed by a keyword, a homophonestable and an initial position.

After generating the random alphabet, the encryption process is ready to begin. Foreach plaintext letter:

1. We look for the same letter in the random alphabet.

2. We substitute the plaintext letter by one the homophones pointed by the randomalphabet letter.

For instance, the plaintext letter A can be replaced by the homophones 27, 52 and 79(see Figure 2.2). The selection of one of these homophones can be performed either

8 2 The Spanish Strip Cipher

sequentially or randomly.

Example 3.1. Encryption A plaintext is encrypted using the key from Figure 2.2.

Plaintext U N I V E R S I D A D R U BCiphertext 36 22 14 18 17 12 10 43 11 27 38 56 45 20

Note that in the above example the homophones were selected sequentially.

2.3 Decryption

As the encryption, the decryption is a straightforward process, in which each ciphertexthomophone is replaced by its corresponding letter of the random alphabet.

Example 3.2. Decryption A ciphertext is decrypted using the key shown in Figure 2.2.

Ciphertext 10 17 35 12 39 33Plaintext S E C R E T

2.3.1 Mathematical Representation

Since a ciphertext homophone only map one plaintext letter, we can represent thedecryption process as a function:

𝑓 : 𝐻 → 𝐴ℎ ↦→ 𝑓(ℎ),

where 𝐻 is the set of ciphertext characters, ℎ ∈ 𝐻, and 𝐴 is the set of random alphabetletters.

The preimage 𝑓−1(𝑎) of a letter 𝑎 ∈ 𝐴 is defined as:

𝑓−1(𝑎) := { ℎ ∈ 𝐻 | 𝑓(ℎ) = 𝑎}

As a plaintext letter maps between 3 and 5 homophones, the function 𝑓 : 𝐻 → 𝐴 issurjective, where the condition

3 ≤ |𝑓−1(𝑎)| ≤ 5

or

3 ≤ |𝑓−1(𝑎)| ≤ 4

is met. The second condition is for the original design of the SSC (see Figure 2.2).Figure 2.3 shows the relation between the sets 𝐻 and 𝐴. Please note that in order to

make the figure legible, only two elements of the set A are represented.

2.4 Practical Relevance 9

Figure 2.3: Relation between the homophones {10, 37, 61, 81, 15, 51, 93} ∈ 𝐻 and therandom alphabet letters {𝑆, 𝑂} ∈ 𝐴

2.4 Practical RelevanceAs seen in Section 2.2, during the encryption the homophones, which substitute a plaintextletter, can be selected randomly of sequentially. In terms of functionality, both methodsdelivered the same result. Nonetheless, in terms of security, the sequential methodrepresents a thread that can be exploited by attackers to reconstruct the plaintext froma given ciphertext.

In our research, we did not see any work that considered this practical aspect. In thisthesis, we demonstrate that this weakness allows us to decrypt a ciphertext with only201 homophones.

3 Cryptanalysis

One of the main goals of cryptography is to hide the meaning of a message, in such away that only those with a secret key can read it. This goal is called confidentiality.

For example, if Alice wants to send a message to Bob, without taking the risk thatOscar can understand it (in this case, it is assumed that Oscar is able to eavesdrop on thecommunication between Alice and Bob), they need to choose a cryptographic algorithm(e.g. the SSC) and then agree on a key to encrypt the message.

Unfortunately for Alice and Bob, Oscar still has the chance, even without knowing thekey, to recover the plaintext by performing the following attacks:

1. Brute-Force Attacks All the possible keys are tested until the right one is found[Chr10].

2. Analytical Attacks The internal structure of the cryptosystem is analyzed withthe purpose of detecting mathematical weaknesses that can help the attacker torecover the plaintext or the secret key [Chr10].

The next section analyze the possibility to implement a brute-force attack againstthe SSC. Basically, the key space of the SSC to determine the attack’s complexity isanalyzed. In addition, Section 3.2 provides an overview of the analytical attack which isproposed in this thesis to break the SSC.

3.1 Brute-Force Attack against the SSC

Let’s first set the scenario for the attack: The attacker, Oscar, was able to intercepta ciphertext that was sent from Alice to Bob. Moreover, he knows that the employedcryptographic algorithm was the SSC.

Figure 3.1 illustrates the attack proposed by Oscar, in which 𝑛 keys can be tested tofind the right one. For each candidate key, Oscar must verify whether the output of thedecryption algorithm is a Spanish text.

It seems to be an easy job for Oscar, but however, in the following section we demon-strate that is computationally infeasible to find the right key.

3.1.1 Key-Space Analysis

In order to determine whether the brute-force attack proposed by Oscar is computationallyinfeasible or not, we need to calculate the key space of the SSC. Please note that we onlyanalyze the SSC variant which is defined in Section 3.2.2.

12 3 Cryptanalysis

Figure 3.1: Brute-force attack against the SSC.

As described in Section 2.2, a plaintext is encrypted by only using the random alphabetand the homophones table. Therefore, for the assessment of the key space, we do not needto take into account the keyword and the initial position. Nonetheless, we also providean analysis of both elements, in which we show that the search of the correct keyword isharder than finding the correct random alphabet. Furthermore, we demonstrate that theinitial position does not add any extra complexity to the attack.

Random Alphabet Space The random alphabet space is given by the number ofpermutations of the ordered alphabet:

27 · 26 · · · 3 · 2 · 1 = 27! ≈ 293,

where 27 is the number of letters of the ordered alphabet.

Keyword Space The keyword is a string of any length formed by letters of the orderedalphabet, and it is used to generate the random alphabet. In this process, the repeatedletters in the keyword are removed. For example, for the Keyword: CRYPTOGRAPHYthe result is: CRYPTOGAH. Based on this information, the keyword space is calculatedas follows:

∙ First, we calculate the number of all possible keyword combinations of length 𝑘,for 1 <= 𝑘 <= 27:

27 · (27− 1) · (27− 2) · · · (27− 𝑘 − 1) =∏︀𝑘−1

𝑖=0 (27− 𝑖),

where 27 is the number of letters of the ordered alphabet.

∙ Since the keyword length is unknown, all possible lengths must be considered. Thus,the keyword space is:

∑︀27𝑘=1

∏︀𝑘−1𝑖=0 (27− 𝑖) ≈ 27 + 702 · · · 292 + 293 + 293 ≈ 294.

As can be seen, the keyword space is bigger than the random alphabet space; hence, theexhaustive search of the random alphabet is easier than the search of the keyword.

3.1 Brute-Force Attack against the SSC 13

Initial Position This element is only used to shift the random alphabet.Figure 3.2 shows a random alphabet that is generated from the keyword CRYPTOOL

and then shifted with the initial position B in C. As one can see, both the random alphabetand the shifted random alphabet are permutations of the ordered alphabet. Therefore,the initial position element does not add any extra complexity to the brute-force attackagainst the SSC.

Figure 3.2: Ordered alphabet permutations.

Homophones-Table Space This element contains 99 numbers arranged in 27 columns,in which each one contains 3 or 4 numbers. By means of the following equation system,we calculate the amount of columns containing 3 and 4 numbers respectively.{︃

x + y = 273x + 4y = 99

The solution for the equation system is: 𝑥 = 9 and 𝑦 = 18, where 𝑥 is the number of3-homophones columns and 𝑦 is the number of 4-homophones columns.

Using the solution of 𝑥, we calculate the number of possible combinations that can begenerated from the 3-homophones columns.(︀99

3)︀·(︀99−3·1

3)︀·(︀99−3·2

3)︀· · ·

(︀99−3·83

)︀=

∏︀8𝑖=0

(︀99−3·𝑖3

)︀=

∏︀8𝑖=0

(99−𝑖)!3!(99−3𝑖−3)! = 99!

(3!)9(99−27)! ,

where each binomial coefficient delivers all the possible 3-combinations of the 99 homo-phones. Since a homophone can just be in one column, for the next binomial coeficient, wehave to exclude the homophones which were already selected in the previous calculation.

Similarly, the number of possible combinations of the 4-homophones columns is deter-mined by:(︀72

4)︀·(︀72−4·1

4)︀·(︀72−4·2

4)︀· · ·

(︀72−4·174

)︀=

∏︀17𝑗=0

(︀72−4·𝑗4

)︀=

∏︀17𝑗=0

(72−4·𝑗)!4!(72−4·𝑗−4)! = 72!

(4!)18 ,

where 72 is the number of elements left after arranging 27 elements in 9 columns with 3homophones.

Finally, we calculate the homophones table space as follows:99!

(3!)9(99−27)! ·72!

(4!)18 = 99!(3!)9(4!)18 ≈ 2412.

14 3 Cryptanalysis

SSC Key Space In order to decrypt the ciphertext, Oscar needs to test each randomalphabet candidate with all the homophones table candidates; thus, the key space of theSSC is calculated as follows:

Key Space ≈ 2412 · 293 = 2505.

The key space of the Advanced Standard Algorithm Advanced Encryption Standard (AES)can be: 2128, 2192 and 2256. So far, for none of those keys, there exists a successfulbrute-force attack. The key space of the SSC is 2249 times bigger than the key spaceof 256-AES. Hence, we conclude that is computationally infeasible to break the SSC byperforming a brute-force attack.

3.2 Analytical Attack against the SSC

As seen in the previous section, if Oscar wants to read the message sent between Aliceand Bob, he should implement a different attack instead of performing brute-force.Alternatively, Oscar could analyze the structure of the SSC in order to detect weaknessesthat lead him to decrypt the ciphertext.

In this section, we first provide a summary of the previous work that deal with thechallenge of breaking the SSC. Afterwards, we define the SSC variant that is attackedin this thesis. Then, we establish the assumption made to carry out our attack. Thisassumption represents a weakness in the encryption process of the SSC. Finally, we offeran overview of the three phases of this attack.

3.2.1 Previous Work

In our research, we mainly focused on two works: [Fco13] and [Jos11]. In both papers,the application of GA to crack the SSC is described. In [Fco13], it is assumed thatthe homophones table is known. Thus, the attack is reduced to the analysis of amonoalphabetic substitution cipher.

According to the information provided in [Jos11], the results delivered by the GAmethod are analyzed by a person who is able to reconstruct all the plaintext in aroundone hour in the first case study (934 letters), and in two hours in the second case study(502 letters).

The results of these works are summarized in Table 3.1.

3.2.2 SSC Variant

As seen in Chapter 2, there are several variations of the SSC. However, in the analyticalattack proposed in this thesis, we work on a SSC variant with the following features:

∙ The ordered alphabet contains 27 letters as in the original design of the SSC (seeFigure 2.2).

3.2 Analytical Attack against the SSC 15

Table 3.1: Previous work summary.Work Method Homophones table Length Result

[Fco13] GA known 511 letters

The ciphertext isperfectly or almostperfectly decryptedin 2 min 5 sec.

[Jos11] GA unknown 934 letters

In the best result,62.16 % of the let-ters matches withthe plaintext.

[Jos11] GA unknown 502 letters

In the best result,51.43 % of the let-ters matches withthe plaintext.

∙ The homophones table contains 99 two-digit numbers in the range of 01-99. Thesenumbers are arranged in 27 columns, where each column contain three or fournumbers.

∙ The initial position fulfils the same functionality as described in Section 2.1.

∙ The random alphabet is generated as explained in Section 2.1.

∙ The encryption and decryption process is performed in the same way as explainedin Section 2.2 and Section 2.3 respectively.

Please be aware that in the following sections we always refer to this variant.

3.2.3 AssumptionAs mentioned in Chapter 2, the main characteristic of homophonic ciphers is that aplaintext letter can map more than one ciphertext character.

In the SSC variant defined in the previous section, a plaintext letter maps 3 or 4homophones. This means that when encrypting a letter, we have to decide how one ofthe corresponding homophones is selected to substitute the letter.

In the article The Strip Cipher – The Spanish Official Method [Jos07], it is stated thatduring the encryption process, the homophones can be selected randomly or sequentially.Similarly, in the article Genetic Algorithms and Mathematical Programming to Crack theSpanish Strip Cipher [Fco13], to explain the encryption process, an example is providedin which the homophones are selected in sequential order.

Based on this information, we define the following assumption:

The homophones, which substitute the plaintext letters in the ciphertext during theencryption process, are selected sequentially.

16 3 Cryptanalysis

Formal Explanation

The following example formally explains the assumption defined above:

∙ Let 𝐻 be the set of all homophones.

∙ Let 𝐴 the set of random alphabet letters.

∙ Let 𝐶𝑎 be the set of homophones mapped by the letter 𝑎 with 𝐶𝑎 = {ℎ1𝑎, ℎ2

𝑎, ℎ3𝑎, ℎ4

𝑎},where 𝑎 ∈ 𝐴 and 𝐶𝑎 ⊂ 𝐻.

∙ Let’s say we want to encrypt the following text:

el sistem𝑎1 de cifr𝑎2do esp𝑎3ñol dur𝑎4nte l𝑎5 guerr𝑎6

To encrypt all the letters 𝑎, we proceed as follows:

𝑎1 ← ℎ1𝑎 𝑎2 ← ℎ2

𝑎 𝑎3 ← ℎ3𝑎

𝑎4 ← ℎ4𝑎 𝑎5 ← ℎ1

𝑎 𝑎6 ← ℎ2𝑎.

The same process is repeated for each of the plaintext letters.

3.2.4 OverviewAs shown in Figure 3.3, the attack against the SSC encompasses three phases: homophones-table analysis, letter-frequency analysis, and dictionary search.

Phase 1: Homophones-Table Analysis This phase aims to reconstruct some columnsof the homophones table from a given ciphertext. We explain the main idea of this phaseby analysing the following ciphertext:

27 22 07 20 39 03 97 99 59 78 06 21 73 36 10 08 94 46 56 27 24 17 11 42 59 7716 34 41 62 73 15 20 36 94 02 85 97 44 27 72 59 73 71 37 29 82 94 45 27 99

The homophones highlighted in bold form the column: {27 59 73 94}. Note thatthese homophones sequentially occur in the ciphertext (see assumption in Section 3.2.3).This feature can be exploited as follows:

1. First, we form sets by using the homophones that are between all the homophones27. The following sets can be built:𝑆27

1 = {22, 07, 20, 39, 03, 97, 99, 59, 78, 06, 21, 73, 36, 10, 08, 94, 46, 56}

𝑆272 = {24, 17, 11, 42, 59, 77, 16, 34, 41, 62, 73, 15, 20, 36, 94, 02, 85, 97, 44}

𝑆273 = {72, 59, 73, 71, 37, 29, 82, 94, 45}.

3.2 Analytical Attack against the SSC 17

Figure 3.3: Overview of the proposed analytical attack against the SSC.

2. Afterwards, we use the intersection operation in order to find the other threehomophones that are in the same column as the homophone 27:

𝑆271 ∩ 𝑆27

2 ∩ 𝑆273 = {59, 73, 94}.

In this way, we are able to reconstruct the column {27, 59, 73, 94}.

Please note that with this example, we only seek to explain the main idea of how ahomophones column can be recovered from a given plaintext. There are important issuesthat are considered in Chapter 4.

Phase 2: Letter-Frequency Analysis Once some of the columns of the homophonestable were reconstructed, the SSC algorithm turns into a substitution cipher in which aplaintext letter always maps a homophones column. Therefore, we perform in this phasea letter-frequency attack in order to find the plaintext letters that map the reconstructedcolumns. To accomplish this goal, the following two steps are performed:

1. First, we calculate the columns probabilities by using the letters frequencies in theSpanish language (see 5.4) and the binomial coefficient formula.

2. Then, by multiplying the columns probabilities, we obtain the joint probabilitieswhich are sorted in a list by decreasing order of probability. The entries of this listrepresent the possible columns-letters candidates.

18 3 Cryptanalysis

Phase 3: Dictionary Search This phase is carried out as follows:

1. First, each columns-letters candidate outputted by the Phase 2 is substituted inthe ciphertext. For example, if we have the mapping {27, 73, 94, 59} ← E, wesubstitute, in the ciphertext, the homophones 27, 73, 94, and 59 by the letter E.As result, a partially decrypted ciphertext is generated.

2. Thereafter, we split up the cipher-plaintext in order to build the word vectors. Thesevectors contains strings (formed by homophones and letters, or only homophones, oronly letters), which can possible match one or more words in the Spanish dictionary.These strings are called partially decrypted words.

3. Finally, the word vectors are used to build the plaintext trees. In a tree, a noderepresents a partially decrypted word and a branch represents a candidate plaintext.This phase is explained in detail in Chapter 6.

4 Phase 1: Homophones-Table Analysis

The homophones table is an element of the SSC secret key. It is formed by 27 columns,each containing 3 or 4 homophones.

As illustrated in Figure 4.1, Phase 1 aims to reconstruct some complete columns of thehomophones table from a given ciphertext.

This chapter explains in detail how this goal is achieved. It first offers an example, inwhich at most eight columns are reconstructed from a ciphertext with 201 homophones.Thereafter, a formal description of the method used in this phase is presented. Finally,the results of 600 ciphertexts of different lengths are shown. These results are analyzedwith the purpose of determining the effectiveness of the method employed in this phase.

Figure 4.1: Overview of Phase 1: Homophones-table analysis

4.1 ExampleThis section shows step by step, how the homophones-table analysis works. Below, welist some information about the plaintext and ciphertext used in this example:

∙ Plaintext Length The plaintext contains 201 letters. Numbers and other charac-ters were removed from the original text.

∙ Plaintext Source Spanish telegram that was sent during the Spanish Civil War[Art].

20 4 Phase 1: Homophones-Table Analysis

∙ Ciphertext-Generation Tool The ciphertext was generated with the SSC plug-in(see Section 7.1).

PlaintextEl ministro marina y aire a presidente gobierno vasco estamos examinando la idea deestablecer en bilbao una fabrica aviones en que se construiria bien el aparato americanomartin bombers y el fokker ruego le llame al ingeniero aeronautico

Ciphertext27 22 07 10 16 42 15 37 21 20 49 01 77 57 39 40 03 69 97 99 59 78 06 21 73 36 10 08 9446 56 27 24 17 11 42 59 77 16 34 41 01 71 14 62 73 15 79 40 67 20 36 94 02 69 85 57 3978 46 13 17 48 01 97 44 27 40 72 59 73 71 37 69 29 82 94 45 27 99 59 16 60 10 22 9078 34 12 39 01 19 40 11 21 42 68 69 78 65 57 62 46 73 15 94 16 09 47 27 36 59 93 2039 71 56 77 81 97 99 10 01 29 42 73 46 94 48 40 30 69 21 78 79 17 01 07 27 77 57 1440 16 34 49 69 99 37 97 39 60 62 67 90 59 21 15 38 73 82 43 20 18 26 94 77 99 12 2752 17 22 59 48 82 78 85 73 01 22 10 46 70 94 16 42 27 21 34 40 59 77 62 39 69 47 56 57 45 20

Please note that the original telegram contains 934 letters (see Appendix B). How-ever, in order to show the effectiveness of Phase 1, we only use the first 201 letters.

4.1.1 Reconstructing the Homophones Columns

Table 4.1 shows the homophones columns that were reconstructed using the code-breakertool which is described in Section 7.2. This section explains the most relevant stepsneeded to reconstruct these columns.

Table 4.1: Homophones columns that were reconstructed with the code-breaker tooldescribed in Section 7.2.

C1 C2 C3 C4 C5 C6 C7 C827 01 22 16 21 10 20 7159 40 48 39 77 42 17 1573 69 82 46 99 57 34 3694 78 97 62

Columns C1 and C2

In the following, we describe the employed procedure to find the columns: 𝐶1 ={27, 59, 73, 94} and 𝐶2 = {01, 40, 69, 78}.

Input Ciphertext.

1. First, we look for all the homophones 27 that occur in the ciphertext. We can

4.1 Example 21

see below that these homophones are highlighted in bold.

27 22 07 10 16 42 15 37 21 20 49 01 77 57 39 40 03 69 97 99 59 78 06 21 73 3610 08 94 46 56 27 24 17 11 42 59 77 16 34 41 01 71 14 62 73 15 79 40 67 20 36 94 02 6985 57 39 78 46 13 17 48 01 97 44 27 40 72 59 73 71 37 69 29 82 94 45 27 99 59 16 60 1022 90 78 34 12 39 01 19 40 11 21 42 68 69 78 65 57 62 46 73 15 94 16 09 47 27 36 59 9320 39 71 56 77 81 97 99 10 01 29 42 73 46 94 48 40 30 69 21 78 79 17 01 07 27 77 57 1440 16 34 49 69 99 37 97 39 60 62 67 90 59 21 15 38 73 82 43 20 18 26 94 77 99 12 2752 17 22 59 48 82 78 85 73 01 22 10 46 70 94 16 42 27 21 34 40 59 77 62 39 69 47 56 57 45 20

2. In this step, we form sets with the homophones that are between the homophones 27.The resulting sets are:

S271 = {22, 07, 10, 16, 42, 15, 37, 21, 20, 49, 01, 77, 57, 39, 40, 03, 69, 97, 99, 59, 78,

06, 21, 73, 36, 10, 08, 94, 46, 56}

S272 = {24, 17, 11, 42, 59, 77, 16, 34, 41, 01, 71, 14, 62, 73, 15, 79, 40, 67, 20, 36, 94,

02, 69, 85, 57, 39, 78, 46, 13, 17, 48, 01, 97, 44}

S273 = {40, 72, 59, 73, 71, 37, 69, 29, 82, 94, 45}

S274 = {99, 59, 16, 60, 10, 22, 90, 78, 34, 12, 39, 01, 19, 40, 11, 21, 42, 68, 69, 78, 65,

57, 62, 46, 73, 15, 94, 16, 09, 47}

S275 = {36, 59, 93, 20, 39, 71, 56, 77, 81, 97, 99, 10, 01, 29, 42, 73, 46, 94, 48, 40, 30,

69, 21, 78, 79, 17, 01, 07}

S276 = {77, 57, 14, 40, 16, 34, 49, 69, 99, 37, 97, 39, 60, 62, 67, 90, 59, 21, 15, 38, 73,

82, 43, 20, 18, 26, 94, 77, 99, 12}

S277 = {52, 17, 22, 59, 48, 82, 78, 85, 73, 01, 22, 10, 46, 70, 94, 16, 42}

3. Using the sets formed above, we perform the following operation:

S27 = 𝑆271 ∩ 𝑆27

2 ∩ 𝑆273 ∩ 𝑆27

4 ∩ 𝑆275 ∩ 𝑆27

6 ∩ 𝑆277 = {59, 73, 94}.

Due to the assumption defined in Section 3.2.3, we know that the set 𝑆27 must containthe other homophones that are in the same column as the homophone 27. Thus, wedefine a candidate column 𝐶1 as follows:

C1 = {27, 𝑆27} = {27, 59, 73, 94}.

From Section 3.2.2, we also know that a column can have 3 or 4 homophones. Since|𝐶1| = 4, there exist the possibility that one of the homophones of the set 𝑆27 is not inthe same column as 27. In order to find out this, we must calculate the sets 𝑆59, 𝑆73,and 𝑆94, in the same way as we calculated the set 𝑆27.


To simplify this example, we do not show the steps 1 and 2 for the homophones 59, 73,and 94, we directly provide the results as follows:

Result of the homophone 59: S59 = {73, 94, 27}Candidate column: C2 = {59, 𝑆59} = {59, 73, 94, 27}

Result of the homophone 73: S73 = {94, 27, 59}Candidate column: C3 = {73, 𝑆73} = {73, 94, 27, 59}

Result of the homophone 94: S94 = {27, 59, 73, 01}Candidate column: C4 = {94, 𝑆94} = {94, 27, 59, 73, 01}

As will be described in the next section, in order to confirm that a correct 4-homophonescolumn was found, 4 candidate columns must only have 4 homophones, and moreover,these homophones must be the same for each candidate. For example:

𝐶1 = 𝐶2 = 𝐶3 = 𝐶4.

So far, in our example this condition is not fulfilled. The problem is that 01 /∈ 𝐶1, 𝐶2,𝐶3; thus, 𝐶4 ̸= 𝐶1, 𝐶4 ̸= 𝐶2, and 𝐶4 ̸= 𝐶3.

Nonetheless, we can continue the search. Now, we have to calculate 𝑆01. Similarly asabove, only the results are shown.

Result of the homophone 01: S01 = {73, 94, 40, 69, 78}Candidate column: C5 = {01, 𝑆01} = {01, 73, 94, 40, 69, 78}

We also repeat the steps 1 and 2 for the homophones 40, 69, and 78.



Result of the homophone 78: S78 = {78, 01, 40, 69}Candidate column: C8 = {78, 𝑆78} = {78, 01, 40, 69}

4. In the previous steps, the following candidate columns were defined:

𝐶1 = {27, 𝑆27} = {27, 59, 73, 94} 𝐶5 = {01, 𝑆01} = {01, 73, 94, 40, 69, 78}𝐶2 = {59, 𝑆59} = {59, 73, 94, 27} 𝐶6 = {40, 𝑆40} = {40, 69, 78, 01, 27}𝐶3 = {73, 𝑆73} = {73, 94, 27, 59} 𝐶7 = {69, 𝑆69} = {69, 78, 01, 27, 40}𝐶4 = {94, 𝑆94} = {94, 27, 59, 73, 01} 𝐶8 = {78, 𝑆78} = {78, 01, 40, 69}

Note that if we removed the homophones coloured with red, we would have:

𝐶1 = 𝐶2 = 𝐶3 = 𝐶4 = {27, 59, 73, 94}

4.1 Example 23

and

𝐶5 = 𝐶6 = 𝐶7 = 𝐶8 = {78, 01, 40, 69}.

If this can be fulfilled, we would be able to confirm that {27, 59, 73, 94} and {78, 01, 40,69} are correct columns of the homophones table.

5 . We remove the homophones coloured with red as follows:

∙ Since 01 /∈ 𝑆73, we can remove 73 from 𝐶5. Due to our assumption (see Section3.2.3), if 73 were in the same column as 01, then 01 ∈ 𝑆73.

∙ Since 40 /∈ 𝑆27, we can remove 27 from 𝐶6. Due to our assumption, if 27 were inthe same column as 40, then 40 ∈ 𝑆27.

∙ Since 69 /∈ 𝑆27, we can remove 27 from 𝐶7. Due to our assumption, if 27 were inthe same column as 69, then 69 ∈ 𝑆27.

∙ To remove 01 form 𝐶4 and 94 form 𝐶5 is a bit trickier, because 01 ∈ 𝑆94 and also94 ∈ 𝑆01.Let’s assume that 01 and 94 were in the same column. If this were true, at least27, 59 or 73 ∈ 𝐶5. Otherwise, 𝐶4 = {94, 01}, and thus, 𝐶4 would be an invalidcolumn (a column must contain at least 3 homophones). As shown above, thehomophones 27 and 59 /∈ 𝐶5, and moreover, let’s remember that 73 was alreadyremoved from 𝐶5 so that 73 /∈ 𝐶5. Thus, it is not possible that 01 and 94 were inthe same column. By means of this contradiction, we are able to remove 01 from𝐶4, and similarly, 94 from 𝐶5.

Since we successfully removed the homophones coloured with red, we can confirm thatthe sets of homophones:

{27, 59, 73, 94} and {78, 01, 40, 69}

are correct columns of the homophones table.

Column C3

Input Ciphertext without the homophones of the found columns C1 and C2.

1. In the new ciphertext, we select each of the homophones 22.

22 07 10 16 42 15 37 21 20 49 77 57 39 03 97 99 06 21 36 10 08 46 56 24 17 1142 77 16 34 41 71 14 62 15 79 67 20 36 02 85 57 39 46 13 17 48 97 44 72 71 37 29 82 4599 16 60 10 22 90 34 12 39 19 11 21 42 68 65 57 62 46 15 16 09 47 36 93 20 39 71 56 7781 97 99 10 29 42 46 48 30 21 79 17 07 77 57 14 16 34 49 99 37 97 39 60 62 67 90 21 1538 82 43 20 18 26 77 99 12 52 17 22 48 82 85 22 10 46 70 16 42 21 34 77 62 39 47 56 57 45 20


2. With the homophones, which are between the homophones 22, we build the fol-lowing sets:

S221 = {07, 10, 16, 42, 15, 37, 21, 20, 49, 77, 57, 39, 03, 97, 99, 06, 21, 36, 10, 08, 46,

56, 24, 17, 11, 42, 77, 16, 34, 41, 71, 14, 62, 15, 79, 67, 20, 36, 02, 85, 57, 39,46, 13, 17, 48, 97, 44, 72, 71, 37, 29, 82, 45, 99, 16, 60, 10}

S222 = {90, 34, 12, 39, 19, 11, 21, 42, 68, 65, 57, 62, 46, 15, 16, 09, 47, 36, 93, 20, 39,

71, 56, 77, 81, 97, 99, 10, 29, 42, 46, 48, 30, 21, 79, 17, 07, 77, 57, 14, 16, 34,49, 99, 37, 97, 39, 60, 62, 67, 90, 21, 15, 38, 82, 43, 20, 18, 26, 77, 99, 12, 52,17}

S223 = {48, 82, 85}

3. Using the sets defined in the last step, we perform the following operation:

S22 = 𝑆221 ∩ 𝑆22

2 ∩ 𝑆223 = {48, 82}.

Then, we obtain the candidate column:

C1 = {22, 𝑆22} = {22, 48, 82}.

This is the easiest case to confirm that a column has been found. Since the candidate|𝐶1| = 3, it follows that 𝐶1 is a correct homophones column. This statement is truebecause:

∙ The set 𝑆22 must contain the homophones that are in the same column as thehomophone 22 (see Section 3.2.3).

∙ Every column of the homophones table must contains 3 or 4 homophones (seeSection 3.2.2). In this case, the candidate 𝐶1 contains 3 homophones. Hence, thereis no possibility that one of those homophones belongs to a different column.

Column C4

Input Ciphertext without the homophones of the columns C1, C2, and C3.

1. First, we select all the occurrences of the homophone 16 in the new ciphertext.

07 10 16 42 15 37 21 20 49 77 57 39 03 97 99 06 21 36 10 08 46 56 24 17 11 4277 16 34 41 71 14 62 15 79 67 20 36 02 85 57 39 46 13 17 97 44 72 71 37 29 45 99 16 6010 90 34 12 39 19 11 21 42 68 65 57 62 46 15 16 09 47 36 93 20 39 71 56 77 81 97 99 1029 42 46 30 21 79 17 07 77 57 14 16 34 49 99 37 97 39 60 62 67 90 21 15 38 43 20 18 2677 99 12 52 17 85 10 46 70 16 42 21 34 77 62 39 47 56 57 45 20

2. Next, with the homophones, which are between the homophones 16, we form the

4.1 Example 25

following sets:

S161 = {42, 15, 37, 21, 20, 49, 77, 57, 39, 03, 97, 99, 06, 21, 36, 10, 08, 46, 56, 24, 17,

11, 42, 77}

S162 = {34, 41, 71, 14, 62, 15, 79, 67, 20, 36, 02, 85, 57, 39, 46, 13, 17, 97, 44, 72, 71,

37, 29, 45, 99}

S163 = {60, 10, 90, 34, 12, 39, 19, 11, 21, 42, 68, 65, 57, 62, 46, 15}

S164 = {09, 47, 36, 93, 20, 39, 71, 56, 77, 81, 97, 99, 10, 29, 42, 46, 30, 21, 79, 17, 07,

77, 57, 14}

S165 = {34, 49, 99, 37, 97, 39, 60, 62, 67, 90, 21, 15, 38, 43, 20, 18, 26, 77, 99, 12, 52,

17, 85, 10, 46, 70}

3. Finally, we calculate 𝑆16 as shown below:

S16 = 𝑆161 ∩ 𝑆16

2 ∩ 𝑆163 ∩ 𝑆16

4 ∩ 𝑆165 = {39, 46}.

Since |𝑆16| = 2, it follows that

𝐶1 = {16, 𝑆16} = {16, 39, 46}

is a right column of the homophone table.

Column C5

Input Ciphertext without the homophones of the already constructed columns C1, C2,C3, and C4.

1. We first select all the homophones 21 that occur in the ciphertext.

07 10 42 15 37 21 20 49 77 57 03 97 99 06 21 36 10 08 56 24 17 11 42 77 34 4171 14 62 15 79 67 20 36 02 85 57 13 17 97 44 72 71 37 29 45 99 60 10 90 34 12 19 11 21 4268 65 57 62 15 09 47 36 93 20 71 56 77 81 97 99 10 29 42 30 21 79 17 07 77 57 14 34 49 9937 97 60 62 67 90 21 15 38 43 20 18 26 77 99 12 52 17 85 10 70 42 21 34 77 62 47 56 57 45 20

2. Next, we form the following sets:

S211 = {20, 49, 77, 57, 03, 97, 99, 06}

S212 = {36, 10, 08, 56, 24, 17, 11, 42, 77, 34, 41, 71, 14, 62, 15, 79, 67, 20, 36, 02, 85,

57, 13, 17, 97, 44, 72, 71, 37, 29, 45, 99, 60, 10, 90, 34, 12, 19, 11}


S213 = {42, 68, 65, 57, 62, 15, 09, 47, 36, 93, 20, 71, 56, 77, 81, 97, 99, 10, 29, 42, 30}

S214 = {79, 17, 07, 77, 57, 14, 34, 49, 99, 37, 97, 60, 62, 67, 90}

S215 = {15, 38, 43, 20, 18, 26, 77, 99, 12, 52, 17, 85, 10, 70, 42}

3. By means of the results above, we calculate:

S21 = 𝑆211 ∩ 𝑆21

2 ∩ 𝑆213 ∩ 𝑆21

4 ∩ 𝑆215 = {77, 99}.

Since |𝑆21| = 2, it follows that

𝐶1 = {21, 𝑆16} = {21, 77, 99}

is a right homophones column.

Column C6

Input Ciphertext without the homophones of the columns C1, C2, C3, C4, and C5.

1. First, we select all the homophones 10. In the following ciphertext these homo-phones are highlighted in bold:

07 10 42 15 37 20 49 57 03 97 06 36 10 08 56 24 17 11 42 34 41 71 14 62 15 7967 20 36 02 85 57 13 17 97 44 72 71 37 29 45 60 10 90 34 12 19 11 42 68 65 57 62 15 0947 36 93 20 71 56 81 97 10 29 42 30 79 17 07 57 14 34 49 37 97 60 62 67 90 15 38 43 2018 26 12 52 17 85 10 70 42 34 62 47 56 57 45 20

2. In this step, we form sets with the homophones that are between the homophonesselected in the previous step. These sets are shown below:

S101 = {42, 15, 37, 20, 49, 57, 03, 97, 06, 36}

S102 = {08, 56, 24, 17, 11, 42, 34, 41, 71, 14, 62, 15, 79, 67, 20, 36, 02, 85, 57, 13, 17,

97, 44, 72, 71, 37, 29, 45, 60}

S103 = {90, 34, 12, 19, 11, 42, 68, 65, 57, 62, 15, 09, 47, 36, 93, 20, 71, 56, 81, 97}

S104 = {29, 42, 30, 79, 17, 07, 57, 14, 34, 49, 37, 97, 60, 62, 67, 90, 15, 38, 43, 20,

18, 26, 12, 52, 17, 85}

3. Using the sets shown above, we perform the following operation:

S10 = 𝑆101 ∩ 𝑆10

2 ∩ 𝑆103 ∩ 𝑆10

4 = {42, 15, 20, 57, 97}.

Then, we define the following candidate column:

4.1 Example 27

C1 = {10, 𝑆10} = {10, 42, 15, 20, 57, 97}.

4. For each element of set 𝑆10, we repeat step 1, 2 and 3. To simplify this example, thesteps 1 and 2 are not shown.

Result of the homophone 42: S42 = {15, 20, 57, 97, 10}Candidate column: C2 = {42, 𝑆42} = {42, 15, 20, 57, 97, 10}

Result of the homophone 15: S15 = {37, 36, 10, 17, 42, 34, 71, 62}Candidate column: C3 = {15, 𝑆15} = {15, 37, 36, 10, 17, 42, 34, 71, 62}

Result of the homophone 20: S20 = {10, 17, 42, 34, 62, 20}Candidate column 𝐶4: C4 = {20, 𝑆20} = {20, 10, 17, 42, 34, 62, 20}



5. Analysis of the following candidate columns:

𝐶1 = {10, 42, 15, 20, 57, 97} 𝐶3 = {15, 37, 36, 10, 17, 42, 34, 71, 62}𝐶2 = {42, 15, 20, 57, 97, 10} 𝐶4 = {20, 10, 17, 42, 34, 62, 20}𝐶5 = {57, 97, 10, 17, 42}𝐶6 = {97, 10, 42, 34, 57}

If we remove the homophones coloured with red, we would obtain: 𝐶1 = 𝐶2 = 𝐶5 = 𝐶6,and thus, we could confirm that {10, 42, 57, 97} is a correct column. In contrast to thecase when we reconstructed the columns C1 and C2, in this case, we cannot remove thehomophones coloured with red. For instance, if we try to eliminate the homophone 15from 𝐶1, we cannot, because 10 ∈ 𝑆15 and 15 ∈ 𝑆10. Similarly, we cannot remove thehomophone 20 from the candidate 𝐶1, because 10 ∈ 𝑆20 and 20 ∈ 𝑆10.

Let’s remember that 𝐶1 = {10, 𝑆10}, 𝐶3 = {15, 𝑆15}, and 𝐶4 = {20, 𝑆20}; where 𝑆10,𝑆15, and 𝑆20 must contain the homophones that are in the same column as 10, 15, and20 respectively. If we had the situation, in which 10 /∈ 𝑆15, we would be sure that 15 isnot in the same column as the homophone 10, and thus, we could remove 15 form 𝐶1.Nevertheless, in this case, 10 ∈ 𝑆15 and also 15 ∈ 𝑆10.

6. In this step, we generate all possible 3-combinations of the sets 𝑆10, 𝑆42, 𝑆15,𝑆20, 𝑆57 and 𝑆97. Then, to each combination, the corresponding homophone is added.As result, we obtain the following new candidate columns:

New candidate columns generated with S15:


{15, 37, 36, 10} {15, 37, 17, 62} {15, 36, 17, 71} {15, 10, 42, 62}{15, 37, 36, 17} {15, 37, 42, 34} {15, 36, 17, 62} {15, 10, 34, 71}{15, 37, 36, 42} {15, 37, 42, 71} {15, 36, 42, 34} {15, 10, 34, 62}{15, 37, 36, 34} {15, 37, 42, 62} {15, 36, 42, 71} {15, 10, 71, 62}{15, 37, 36, 71} {15, 37, 34, 71} {15, 36, 42, 62} {15, 17, 42, 34}{15, 37, 36, 62} {15, 37, 34, 62} {15, 36, 34, 71} {15, 17, 42, 71}{15, 37, 10, 17} {15, 37, 71, 62} {15, 36, 34, 62} {15, 17, 42, 62}{15, 37, 10, 42} {15, 36, 10, 17} {15, 36, 71, 62} {15, 17, 34, 71}{15, 37, 10, 34} {15, 36, 10, 42} {15, 10, 17, 42} {15, 17, 34, 62}{15, 37, 10, 71} {15, 36, 10, 34} {15, 10, 17, 34} {15, 17, 71, 62}{15, 37, 10, 62} {15, 36, 10, 71} {15, 10, 17, 71} {15, 42, 34, 71}{15, 37, 17, 42} {15, 36, 10, 62} {15, 10, 17, 62} {15, 42, 34, 62}{15, 37, 17, 34} {15, 36, 17, 42} {15, 10, 42, 34} {15, 42, 71, 62}{15, 37, 17, 71} {15, 36, 17, 34} {15, 10, 42, 71} {15, 34, 71, 62}


{10, 42, 15, 20} {10, 42, 20, 57} {10, 15, 20, 57} {10, 20, 57, 97}{10, 42, 15, 57} {10, 42, 20, 97} {10, 15, 20, 97}{10, 42, 15, 97} {10, 42, 57, 97} {10, 15, 57, 97}


{42, 15, 20, 57} {42, 15, 57, 97} {42, 20, 57, 97} {42, 57, 97, 10}{42, 15, 20, 97} {42, 15, 57, 10} {42, 20, 57, 10}{42, 15, 20, 10} {42, 15, 97, 10} {42, 20, 97, 10}


{20, 10, 17, 42} {20, 10, 42, 34} {20, 17, 42, 34} {20, 42, 34, 62}{20, 10, 17, 34} {20, 10, 42, 62} {20, 17, 42, 62}{20, 10, 17, 62} {20, 10, 34, 62} {20, 17, 34, 62}


{57, 97, 10, 17} {57, 97, 10, 42} {57, 97, 17, 42} {57, 10, 17, 42}


{97, 10, 42, 34} {97, 10, 42, 57} {97 10, 34, 57} {97, 42, 34, 57}

7. As can be seen above, the four candidates coloured with blue contain the samehomophones. Thus, the set of homophones:

{10, 42, 57, 97}

is possibly a correct column. In the next section, we explain why in this situation wecannot be sure that this candidate is a correct column of the homophones table.

4.1 Example 29

Columns C7 and C8

Input: Ciphertext without the homophones of the columns C1, C2, C3, C4, C5, and C6.

1. First, we select all the homophones 20 in the new ciphertext.

07 15 37 20 49 03 06 36 08 56 24 17 11 34 41 71 14 62 15 79 67 20 36 02 85 1317 44 72 71 37 29 45 60 90 34 12 19 11 68 65 62 15 09 47 36 93 20 71 56 81 29 30 79 1707 14 34 49 37 60 62 67 90 15 38 43 20 18 26 12 52 17 85 70 34 62 47 56 45 20

2. Next, we form sets with the homophones that are between the highlighted homophones.

S201 = {49, 03, 06, 36, 08, 56, 24, 17, 11, 34, 41, 71, 14, 62, 15, 79, 67}

S202 = {36, 02, 85, 13, 17, 44, 72, 71, 37, 29, 45, 60, 90, 34, 12, 19, 11, 68, 65, 62, 15,

09, 47, 36, 93}

S203 = {71, 56, 81, 29, 30, 79, 17, 07, 14, 34, 49, 37, 60, 62, 67, 90, 15, 38, 43}

S204 = {18, 26, 12, 52, 17, 85, 70, 34, 62, 47, 56, 45}

3. Using the sets above, we perform the following operation:

S20 = 𝑆201 ∩ 𝑆20

2 ∩ 𝑆203 ∩ 𝑆20

4 = {17, 34, 62},

and then we define the following candidate column:

C1 = {20, 𝑆20} = {20, 17, 34, 62}.

4. For each homophone of the set 𝑆20, we repeat the steps 1, 2 and 3. To simplify thisexample, we only provide the results.

Result of the homophone 17: S17 = {34, 62, 15, 20}Candidate column 𝐶2: C2 = {17, 𝑆17} = {17, 34, 62, 15, 20}



As can be noticed, the homophone 15 does not allow us to confirm that the set {20, 17,34, 62} is a column of the homophones table. Therefore, we need to calculate the set 𝑆15.

Result of the homophone 15: S15 = {37, 20, 36, 17, 34, 71, 62}Candidate column 𝐶5: C5 = {15, 𝑆15} = {15, 37, 20, 36, 17, 34, 71, 62}


The result of the set 𝑆15 does not provide the needed scenario to remove the homophone15 from the candidates 𝐶2, 𝐶3 and 𝐶4. Thus, we also need to define the sets 𝑆36 and 𝑆71.

Result of the homophone 36: S36 = {17, 11, 34, 71, 62, 15}Candidate column 𝐶6: C6 = {36, 𝑆36} = {36, 17, 11, 34, 71, 62, 15}


5. Analysis of all the defined candidate columns:

𝐶1 = {20, 17, 34, 62} 𝐶5 = {15, 37, 20, 36, 17, 34, 71, 62}𝐶2 = {17, 34, 62, 15} 𝐶6 = {36, 17, 11, 34, 71, 62, 15}𝐶3 = {34, 62, 15} 𝐶7 = {71, 62, 15, 20, 36}𝐶4 = {62, 15, 20, 17, 34}

Note that by removing the homophones coloured with red we would obtain the columns:{20, 17, 34, 62} and {71, 15, 36}.

6. Removing homophones from candidate columns: Let’s first analyse the candidate𝐶7 = {71, 𝑆71}. Since 71 /∈ 𝑆62, we can remove 62 from 𝐶7. Similarly, we can removethe homophone 20 form 𝐶7. Therewith, the candidate 𝐶7 now only has the homophones71, 15, and 36 with |𝐶7| = 3. Therefore, we can confirm that 𝐶7 is a correct column ofthe homophones table.

Since we already found out, in which column the homophone 15 is, we can remove itfrom the candidates 𝐶2, 𝐶3, and 𝐶4; therefore, we can confirm that the set:

{20, 17, 34, 62}

is a correct column of the homophone table.

4.2 Formal Description

This section provides a formal description of the method employed to reconstruct thecolumns of the homophones table. It includes the general representation of the homo-phones table and the ciphertext. These representations are used to formally explain therole of the intersection operation when defining a candidate column. In the last sectionare explained four cases that are used to analyze a candidate column.

4.2.1 The Homophones-Table and the Ciphertext

This section seeks to provide a formal representation of the homophones table and theciphertext.

4.2 Formal Description 31

General Representation of the Homophones-Table

The general representation of the homophones table is shown in Figure 4.2, where:

∙ 𝐻 is the set of all homophones with |𝐻| = 99.

∙ 𝐶𝑖 ⊂ 𝐻 represents a column of the homophones table with |𝐶𝑖| = 3 or |𝐶𝑖| = 4, for1 ≤ 𝑖 ≤ 27.

∙ ℎ𝑗𝑖 ∈ 𝐶𝑖 represents a homophone, for 0 ≤ 𝑗 ≤ 2 when |𝐶𝑖| = 3 or 0 ≤ 𝑗 ≤ 3 when|𝐶𝑖| = 4.

∙ The structure of 𝐶𝑖 is defined below:

– 𝐶𝑖 = {ℎ𝑗𝑖 , ℎ𝑗+1 mod 3

𝑖 , ℎ𝑗+2 mod 3𝑖 }, for 0 ≤ 𝑗 ≤ 2 when |𝐶𝑖| = 3.

– 𝐶𝑖 = {ℎ𝑗𝑖 , ℎ𝑗+1 mod 4

𝑖 , ℎ𝑗+2 mod 4𝑖 , ℎ𝑗+3 mod 4

𝑖 }, for 0 ≤ 𝑗 ≤ 3 when |𝐶𝑖| = 4.

Figure 4.2: Gerneral representation of the homophones table

General Representation of the Ciphertext

The general representation of the ciphertext is defined as follows:

ℎ𝑗𝑖 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥⏟ ⏞

𝑆ℎ

𝑗𝑖

1

ℎ𝑗𝑖 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥⏟ ⏞

𝑆ℎ

𝑗𝑖

2

ℎ𝑗𝑖 · · · ℎ𝑗

𝑖 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥 𝑥⏟ ⏞ 𝑆

ℎ𝑗𝑖

𝑛

ℎ𝑗𝑖 𝑥 𝑥 𝑥,

where:

∙ ℎ𝑗𝑖 ∈ 𝐶𝑖 (as defined above).

∙ Each 𝑥 ∈ 𝐻 represents any homophone between the homophones ℎ𝑗𝑖 .

∙ 𝑆ℎ𝑗

𝑖1 , 𝑆

ℎ𝑗𝑖

2 · · ·𝑆ℎ𝑗

𝑖𝑛 ⊂ 𝐻. Each of these sets contains the homophones that are between

the homophones ℎ𝑗𝑖 .


4.2.2 The Intersection Operation and the Candidate Column Ca

In set theory, the intersection is an operation used to determine the common elements oftwo sets (e.g. 𝐴 and 𝐵). This operation is denoted as follows:

𝐴 ∩𝐵 = {𝑥|𝑥 ∈ 𝐴 and 𝑥 ∈ 𝐵}.

As mentioned before, the goal of the Phase 1 is to reconstruct the columns of thehomophones table. The intersection operation plays the main role in achieving this goal.

If we analyze the general representation shown in the previous section, and moreover,we consider the assumption defined in Section 3.2.3, we can realize that each of thesets: 𝑆

ℎ𝑗𝑖

1 , 𝑆ℎ𝑗

𝑖2 , and 𝑆

ℎ𝑗𝑖

𝑛 must contain the homophones: ℎ𝑗+1 mod 3𝑖 and ℎ𝑗+2 mod 3

𝑖 (when|𝐶𝑖| = 3); or ℎ𝑗+1 mod 4

𝑖 , ℎ𝑗+2 mod 4𝑖 , and ℎ𝑗+3 mod 4

𝑖 (when |𝐶𝑖| = 4).Nevertheless, these sets can also contain other homophones. If we identified these

homophones, we would be able to reconstruct the homophones column 𝐶𝑖. To accomplishthis, we proceed as follows:

1. First, we apply the intersection operation to form the following set:

𝑆ℎ𝑗𝑖 = 𝑆

ℎ𝑗𝑖

1 ∩ 𝑆ℎ𝑗

𝑖2 ∩ · · · ∩ 𝑆

ℎ𝑗𝑖

𝑛 .

Note that the set 𝑆ℎ𝑗𝑖 must contain the homophones that are in the same column as

ℎ𝑗𝑖 . Moreover, due to the intersection operation, the set 𝑆ℎ𝑗

𝑖 , with high likelihood,contains fewer homophones than the sets 𝑆

ℎ𝑗𝑖

1 , 𝑆ℎ𝑗

𝑖2 , and 𝑆

ℎ𝑗𝑖

𝑛 .

2. In this step, we define the following candidate column:

𝐶𝑎 = {ℎ𝑗𝑖 , 𝑆ℎ𝑗

𝑖 }.

We call the set 𝐶𝑎 candidate column, because we do know whether the set 𝑆ℎ𝑗𝑖 only

contains the homophones that are in the same column as ℎ𝑗𝑖 . This set could also

contain other homophones.

The next section provides an analysis of the candidate 𝐶𝑎. So far, the goal of the Phase1 has not been achieved yet.

4.2.3 Analysis of the Candidate Ca

In this section, we define four cases that are used to identify the homophones that arenot in the same column as ℎ𝑗

𝑖 , or to confirm that the candidate 𝐶𝑎 is, in fact, a columnof the homophones table.


Case 1: |𝐶𝑎| = 3.

If |𝐶𝑎| = 3, it directly follows that 𝐶𝑎 is a column of the homophones table.

Proof Let’s assume that 𝐶𝑎 with |𝐶𝑎| = 3 is not column of the homophones table. If thisassumption were true, it would follow that a homophone of the set 𝑆ℎ𝑗

𝑖 is not in thesame column as the homophone ℎ𝑗

𝑖 . If we removed that homophone, we would obtain anew candidate 𝐶

′𝑎 with |𝐶 ′

𝑎| = 2. However, from Section 3.2.2, we know that for all thecolumns of the homophones table, the following condition must be met:

3 ≤ |𝐶𝑖| ≤ 4, for 1 ≤ 𝑖 ≤ 27.

In the example provided in the previous section, this case was applied to reconstructthe columns C3, C4, and C5 (see Table 4.1).

Case 2: |𝐶𝑎| = 4.

As we already know, each column of the homophone table contains either 3 or 4 homo-phones. Therefore, if |𝐶𝑎| = 4, there exist the possibility that one of the homophones inthe set 𝑆ℎ𝑗

𝑖 is not in the same column as the homophone ℎ𝑗𝑖 .

Let’s suppose that 𝑆ℎ𝑗𝑖 = {𝑥, 𝑦, 𝑧}. In order to confirm that the homophones 𝑥, 𝑦, or

𝑧, are in the same column as the homophone ℎ𝑗𝑖 , we proceed as follows:

1. In the same way as we defined the sets: 𝑆ℎ𝑗

𝑖1 , 𝑆

ℎ𝑗𝑖

2 , · · ·𝑆ℎ𝑗𝑖

𝑛 ; we build the followingsets:∙ 𝑆𝑥

1 , 𝑆𝑥2 , · · · , 𝑆𝑥

𝑛.∙ 𝑆𝑦

1 , 𝑆𝑦2 , · · · , 𝑆𝑦

𝑛.∙ 𝑆𝑧

1 , 𝑆𝑧2 , · · · , 𝑆𝑧

𝑛.

2. In this step, we define the intersection sets of the sets above as follows:∙ 𝑆𝑥 = 𝑆𝑥

1 ∩ 𝑆𝑥2 ∩ · · · ∩ 𝑆𝑥

𝑛.∙ 𝑆𝑦 = 𝑆𝑦

1 ∩ 𝑆𝑦2 ∩ · · · ∩ 𝑆𝑦

𝑛.∙ 𝑆𝑧 = 𝑆𝑧

1 ∩ 𝑆𝑧2 ∩ · · · ∩ 𝑆𝑧

𝑛.Afterward, we define the following candidate columns:

𝐶𝑥 = {𝑥, 𝑆𝑥}, 𝐶𝑦 = {𝑦, 𝑆𝑦}, and 𝐶𝑧 = {𝑧, 𝑆𝑧}.

3. Finally, if 𝐶𝑎 = 𝐶𝑥 = 𝐶𝑦 = 𝐶𝑧, we confirm that

𝐶𝑎 = {ℎ𝑗𝑖 , 𝑥, 𝑦, 𝑧}

is a column of the homophones table.


Proof Let’s assume that 𝐶𝑎 is not a column of the homophones table despite: 𝐶𝑎 = 𝐶𝑥

= 𝐶𝑦 = 𝐶𝑧.If this were true, it would follow that 𝑥, 𝑦, or 𝑧, is not in the same column as the

homophone ℎ𝑗𝑖 .

Let’s suppose that the homophone 𝑥 is not the same column as ℎ𝑗𝑖 . Consequently, the

homophone ℎ𝑗𝑖 is not in the same column as 𝑥. Knowing this, we define the following

new candidate columns:

𝐶‘𝑎 = {ℎ𝑗𝑖 , 𝑦, 𝑧} and 𝐶‘𝑥 = {𝑥, 𝑦, 𝑧}.

Since |𝐶‘𝑎| = 3 and |𝐶‘𝑥| = 3, according to Case 1, both candidates are columns of thehomophones table. However, a homophone can only be in one column (a homophonemaps just one plaintext letter). As can be noticed, the homophones 𝑦 and 𝑧 are in thecandidate 𝐶‘𝑎 as well as in the candidate 𝐶‘𝑥.

Case 3: |𝐶𝑎| > 4.

Let’s suppose that 𝐶𝑎 = {ℎ𝑗𝑖 , 𝑥, 𝑦, 𝑧, 𝑤}, where 𝑥, 𝑦, 𝑧, 𝑤 ∈ 𝑆ℎ𝑗

𝑖 . Since |𝐶𝑎| = 5, neithercase 1 nor case 2 can be applied. Nonetheless, it is possible to identify which homophonesare not in the same column as ℎ𝑗

𝑖 . In this case, two homophones can belong to othercolumns. In order to identify these homophones, we proceed as follows:

1. First, we build the following sets (the procedure is exactly as that applied to formthe sets: 𝑆

ℎ𝑗𝑖

1 , 𝑆ℎ𝑗

𝑖2 , · · · , 𝑆

ℎ𝑗𝑖

𝑛 ):∙ 𝑆𝑥

1 , 𝑆𝑥2 , · · · , 𝑆𝑥

𝑛.∙ 𝑆𝑦

1 , 𝑆𝑦2 , · · · , 𝑆𝑦

𝑛.∙ 𝑆𝑧

1 , 𝑆𝑧2 , · · · , 𝑆𝑧

𝑛.∙ 𝑆𝑤

1 , 𝑆𝑤2 , · · · , 𝑆𝑤

𝑛 .

2. We calculate the following intersections sets:∙ 𝑆𝑥 = 𝑆𝑥

1 ∩ 𝑆𝑥2 ∩ · · · ∩ 𝑆𝑥

𝑛

∙ 𝑆𝑦 = 𝑆𝑦1 ∩ 𝑆𝑦

2 ∩ · · · ∩ 𝑆𝑦𝑛

∙ 𝑆𝑧 = 𝑆𝑧1 ∩ 𝑆𝑧

2 ∩ · · · ∩ 𝑆𝑧𝑛

∙ 𝑆𝑤 = 𝑆𝑤1 ∩ 𝑆𝑤

2 ∩ · · · ∩ 𝑆𝑤𝑛 ,

and then we define the following candidate columns:

𝐶𝑥 = {𝑥, 𝑆𝑥}, 𝐶𝑦 = {𝑦, 𝑆𝑦}, 𝐶𝑧 = {𝑧, 𝑆𝑧}, and 𝐶𝑤 = {𝑤, 𝑆𝑤}.

3. Finally, we verify if ℎ𝑗𝑖 ∈ 𝐶𝑥, 𝐶𝑦, 𝐶𝑧, and 𝐶𝑤. For instance, if ℎ𝑗

𝑖 /∈ 𝐶𝑥, we remove𝑥 from 𝐶𝑎. Since 𝐶𝑎 now contains 4 elements, we can apply Case 2.It is possible that not only ℎ𝑗

𝑖 /∈ 𝐶𝑥, but also, for example, ℎ𝑗𝑖 /∈ 𝐶𝑦; thus, we have

to remove 𝑦 from 𝐶𝑎. Since now |𝐶𝑎| = 3, we apply Case 1.


The question is: Why did we remove 𝑥 from 𝐶𝑎, provided that ℎ𝑗𝑖 /∈ 𝐶𝑥? The

answer is simple: If 𝑥 were in the same columns as ℎ𝑗𝑖 , then the homophone ℎ𝑗

𝑖

should also be in 𝐶𝑥. Since we supposed that ℎ𝑗𝑖 /∈ 𝐶𝑥, it follows that 𝑥 is not in

the same column as ℎ𝑗𝑖 , and hence, we can remove 𝑥 from 𝐶𝑎.

In Section 4.1, we used this case to reconstruct the columns C1, C2, C7 and C8.

Case 4: |𝐶𝑎| > 4. Generation of New Candidates

Let’s suppose that 𝐶𝑎 = {ℎ𝑗𝑖 , 𝑢, 𝑣, 𝑤, 𝑥, 𝑦, 𝑧}, where 𝑢, 𝑣, 𝑤, 𝑥, 𝑦, 𝑧 ∈ 𝑆ℎ𝑗

𝑖 . Since, |𝐶𝑎| = 7,neither Case 1 nor Case 2 can be applied.

There are situations in which is not possible to identify the homophones that are notin the same column as ℎ𝑗

𝑖 ; thus, Case 3 cannot be used to confirm that 𝐶𝑎 is a columnof the homophones table. In these situations, we perform the following steps:

1. For 𝑢, 𝑣, 𝑤, 𝑥, 𝑦, and 𝑧, we calculate 𝑆𝑢, 𝑆𝑣, 𝑆𝑤, 𝑆𝑥, 𝑆𝑦, and 𝑆𝑧. We do this in thesame manner as calculated 𝑆ℎ𝑗

𝑖 .

2. We generate all possible 3-combinations of the sets: 𝑆ℎ𝑗𝑖 , 𝑆𝑢, 𝑆𝑣, 𝑆𝑤, 𝑆𝑥, 𝑆𝑦, and 𝑆𝑧.

For example, a combination of the set 𝑆ℎ𝑗𝑖 is: {𝑣, 𝑥, 𝑧}. Note that a 3-combination

cannot contain repeated homophones (e.g. {𝑥, 𝑥, 𝑧} is not a valid combination).The number of combinations is given by the binomial coefficient. For example, thenumber of 3-combinations of the set 𝑆ℎ𝑗

𝑖 is calculated as follows:

(︀|𝑆ℎ𝑗𝑖 |

3)︀

= |𝑆ℎ𝑗𝑖 |!

3!(|𝑆ℎ𝑗𝑖 |−3)!

= 6!3!(6−3)! = 20.

3. Afterwards, to each 3-combination of the set 𝑆ℎ𝑗𝑖 , we add the homophone ℎ𝑗

𝑖 . Thus,20 new candidate columns are generated. We do the same with the 3-combinationsof the sets 𝑆𝑢, 𝑆𝑣, 𝑆𝑤, 𝑆𝑥, 𝑆𝑦, and 𝑆𝑧.

4. As we know, the set 𝑆ℎ𝑗𝑖 must contain the homophones that are in the same column

as ℎ𝑗𝑖 . Therefore, one of the new generated candidates is the correct 4-homophones

column.Since 𝑢, 𝑣, 𝑤, 𝑥, 𝑦, and 𝑧 ∈ 𝑆ℎ𝑗

𝑖 , three of the new generated candidates of the sets𝑆𝑢, 𝑆𝑣, 𝑆𝑤, 𝑆𝑥, 𝑆𝑦, and 𝑆𝑧, are also the correct 4-homophones column.In order to find this correct 4-homophones column, we compare each new candidateof the set 𝑆ℎ𝑗

𝑖 with all the new candidates of the sets 𝑆𝑢, 𝑆𝑣, 𝑆𝑤, 𝑆𝑥, 𝑆𝑦, and 𝑆𝑧. Ifwe find 4 identical candidates, then we can apply case 2.

Please note that it is possible to deliver wrong results when using this method. Forexample, let’s assume that we have the candidate 𝐶𝑎 = {𝑥, 𝑆𝑥}, where 𝑆𝑥 = {𝑦, 𝑧, 𝑣, 𝑤}.As explained above, we have to calculate the sets: 𝑆𝑣, 𝑆𝑤, 𝑆𝑦, and 𝑆𝑧. Let’s say that weobtain the following results (note that it is possible to have these results):


𝑆𝑦 = {𝑧, 𝑤, 𝑥}, 𝑆𝑧 = {𝑤, 𝑥, 𝑦}, 𝑆𝑣 = {𝑤, 𝑥, 𝑢}, and 𝑆𝑤 = {𝑢, 𝑣, 𝑥, 𝑦, 𝑧}.

From these sets, it is possible to generate the following new candidate columns:

∙ Candidate generated with the set 𝑆𝑥 : {𝑥, 𝑦, 𝑧, 𝑤}.

∙ Candidate generated with the set 𝑆𝑤 : {𝑤, 𝑥, 𝑦, 𝑧}.

∙ Candidate generated with the set 𝑆𝑦 : {𝑧, 𝑤, 𝑥, 𝑦}.

∙ Candidate generated with the set 𝑆𝑧 : {𝑦, 𝑧, 𝑤, 𝑥}.

As can be seen, the sets 𝑆𝑥, 𝑆𝑤, 𝑆𝑦, and 𝑆𝑧 can generate 4 identical candidates suchthat, according to Case 2, the homophones 𝑥, 𝑦, 𝑧 and 𝑤 would form a column of thehomophones table. Nonetheless, there exist the possibility that the homophone 𝑤 doesnot belong to that column. In fact, the correct column could be: {𝑥, 𝑦, 𝑧}. This ispossible because 𝑤 could belong to the column: {𝑢, 𝑣, 𝑤}. In this situation, the column{𝑥, 𝑦, 𝑧, 𝑤} would be wrong.

In order to decrease the possibility of delivering wrong results, first, we apply theCase 4 to generate new 3-homophones candidate columns. This means, we generate2-combinations of the corresponding sets, and moreover, we only have to look for 3identical new candidates.

In the example shown in Section 4.1, this case was used to reconstruct the column C6.In that example, C6 is a right column of the homophones table.

4.3 Ciphertext-Length AnalysisThis section provides the analysis of 600 ciphertexts that contain 80, 100, 150, 200, 250,and 300 symbols. To carry out this analysis, several Spanish texts were taken fromdifferent sources and contexts such as medicine, sports, art, politics, and technology.The texts were encrypted using the SSC plug-in (see Section 7.1). Afterwards, thecode-breaker tool (see Section 7.2) was employed to generate the results shown in: Figure4.3, Figure 4.4, Figure 4.5, Figure 4.6, Figure 4.7, and Figure 4.8

4.3.1 Analysis of the ResultsThe results show that the number of reconstructed columns is strongly related with theciphertext length. The longer the ciphertext is, the more columns can be reconstructed.

Additionally, in the first graphic (ciphertexts of length 80), there are 64 results inwhich no column was reconstructed. Similarly, the results of the ciphertexts of length 100show that in 34 ciphertexts no column was found. As seen in Figure 3.3, the inputs ofPhase 2 are the homophones columns delivered by this phase. Therefore, we can conclude

4.3 Ciphertext-Length Analysis 37

Figure 4.3: Number of reconstructed columns in 100 ciphertexts of length 80







4.3 Ciphertext-Length Analysis 39

that at least with 64 % and 34 % of the ciphertexts of length 80 and 100 respectively, itis not possible to continue with the attack proposed in this thesis.

However, as far as we know, the telegrams, which were encrypted during the Spanishcivil word, contain more than only 80 or 100 letters. For instance, the telegram, whichwas used in the first case study in [Jos11], contains 934 letters. From the ciphertext ofthis telegram, the code-breaker tool, was able to reconstruct 17 homophones columns.

Finally, one can see in the graphics that for all the lengths there are results with wrongcolumns (see Case 4, 4.2.3). Despite this, it is still possible to continue with the attacksuccessfully. We demonstrate this by analyzing the following result: As can be seen

Table 4.2: Result number 11 of the ciphertexts with 200 homophones.Column Correct/Wrong{69, 78, 01, 40} correct{99, 21, 77} correct{36, 71, 15} correct{27, 59, 73, 94} correct{34, 62, 20, 17} correct{08, 13, 44, 72} correct{16, 82, 39, 46} wrong

in this test, seven columns were found of which one is wrong. Before performing anattack with the code-breaker tool, we first have to set the number of columns that shouldbe taken into account in Phase 2. The tool sorts the columns by decreasing order ofoccurrences. Therefore, if we configure it so that only five columns should be considered,then the wrong column of this test would be excluded. As shown in the final results (seeTable 6.4), we can successfully perform an attack with five columns only.

The results of Phase 1 are in the DVD attached to this document. Appendix C offersa summary with the content of this DVD.

5 Phase 2: Letter-Frequency AnalysisNormal substitution ciphers, in which a plaintext letter only maps one ciphertext symbol,can be broken by performing a method called letter-frequency analysis. Such analyticalattack exploits the fact that the letter frequencies in a given language are closely relatedto the symbol frequencies in a ciphertext.

In this phase, we carry out a letter-frequency analysis by using the columns recon-structed in Phase 1. This is possible because a plaintext letter can just map one column;thus, the statistical properties of the plaintext are related with the column frequencies inthe ciphertext.

In this chapter, we first analyze, the relationship between column frequencies in aciphertext and the letter frequencies in the Spanish language (see Table 5.4). Afterwards,we provide the method applied in this thesis to perform the letter-frequency attack. Itbasically includes two steps:

1. First, we calculate the column probabilities by means of their number of occurrencesin the ciphertext, and the letter probabilities in the Spanish language.

2. In the step two, we multiply the column probabilities to obtain the joint probabilitieswhich represent the columns-letters candidates.

Figure 5.1 shows the overview of this phase, in which the correct columns-letters mappingis found at the position 298. Please be aware that in following sections we use theciphertext and the reconstructed columns of the example shown in Section 4.1 (Page 20).

Figure 5.1: Overview of Phase 2: letter-frequency analysis

42 5 Phase 2: Letter-Frequency Analysis

5.1 Frequencies Relationship

In this section, we show by means of an example the relationship between the frequencyof columns in a ciphertext, and the frequency of letters in the Spanish language. Theciphertext and the reconstructed columns employed in this example can be found inSection 4.1.

First, we calculate the frequency of a column by counting the occurrences of thehomophones in the ciphertext. For example, for the column C1 (see Table 5.3), wecount the occurrences of the homophones 27, 59, 73, and 94, and then we calculate theirfrequencies. The sum of the homophone frequencies represents the frequency of thecolumn. Table 5.1 illustrates this process and Table 5.3 shows the frequencies of all thereconstructed columns.

Table 5.1: Frequency of the column C1 in the ciphertext shown in Section 4.1 (Page 20).Homophone Occurrences Frequency (%)

27 8 3.9859 8 3.9873 7 3.4894 7 3.48

Total 30 14.92

If we relate the column frequencies of the Table 5.3 with the letter frequencies of theSpanish language (see Table 5.4), we would obtain the following results for the first threecolumns:

C1 = E, C2 = A, and C3 = O.

For the columns C1 and C2 the assignations are correct. However, for the column C3,the correct assignation is the letter I and not the letter O (see Table 5.2).

As seen in Table 5.3, the columns C4, C5, and C6 have the same frequencies. Likewise,the frequencies of the columns C7 and C8 are the same. Therefore, with these columns,we cannot proceed in the same way as with the columns C1, C2, and C3.

Table 5.2: Correct columns-letters mapping for the columns shown in Table5.3.Columns C1 C2 C3 C4 C5 C6 C7 C8Letters E A I O N R L S

In conclusion, we can clearly see that the relationship between the column frequenciesand the letter frequencies, in fact, exists. Nevertheless, as demonstrated, that is notenough to obtain the correct columns-letters mapping.

5.1 Frequencies Relationship 43

Table 5.3: Columns Frequencies in the ciphertext of the example shown in Section 4.1(Page 20).

Column Occurrences Frequency (%)C1: 27 59 73 94 30 14.92C2: 01 78 69 40 27 13.43C3: 10 42 57 97 19 9.45C4: 20 17 34 62 17 8.46C5: 16 39 46 17 8.46C6: 21 77 99 17 8.46C7: 22 48 82 10 4.97C8: 71 15 36 10 4.97

Table 5.4: Relative frequency of letters in the Spanish language.Letter Frequency (%) Letter Frequency (%)E 13.68 B 1.42A 12.53 G 1.01O 8.68 V 0.90S 7.98 Y 0.90R 6.87 Q 0.88N 6.71 H 0.70I 6.25 F 0.69D 5.86 Z 0.52L 4.97 J 0.44C 4.68 Ñ 0.31T 4.63 X 0.22U 3.93 W 0.02M 3.15 K 0.01P 2.51


5.2 Generation of the Columns-Letters Candidate ListIn the previous section, the necessity of a systematic process to find the correct columns-letters mapping was pointed out. This section explains a 2-step method that is employedto generate a list of columns-letters candidates, where the correct mapping should beon one of the first positions; therefore, the list must be sorted by decreasing order ofprobabilities.

A columns-letters candidate has the following form:C1 = E, C2 = A, C3 = O, C4 = R, C5 = S, C6 = N, C7 = I, and C8 = D.

1. Column Probabilities In this step, we calculate the column probabilities by meansof the binomial distribution formula as follows:

𝑃𝑟(𝐹𝑟𝑒𝑞(𝛽) = 𝑥𝑛 | 𝛽 = 𝛼) =

(︀𝑛𝑥

)︀(𝑃𝛼)𝑥(1− 𝑃𝛼)𝑛−𝑥,

where 𝛽 can be any of the reconstructed columns, 𝛼 can be any letter of the randomalphabet, 𝑛 is the number of ciphertext symbols, 𝑥 is the number of occurrences of thecolumn 𝛽 in the ciphertext, and 𝑃𝛼 is the probability of the letter 𝛼 (e.g for the letter Ewe calculate: 𝑃𝐸 = 13.68/100 = 0.1368 ).

Example 5.1. Probability that the frequency of the column C1 is equal to 30201 under the

condition that C1 = E.𝑃𝑟(𝐹𝑟𝑒𝑞(𝐶1) = 30

201 | 𝐶1 = 𝐸) =(︀201

30)︀(0.1368)30(1− 0.1368)201−30 = 0.069.

Please note that in this example we use the ciphertext and reconstructed columns of theexample shown in Section 4.1. Along this chapter the same ciphertext and columns areemployed.

Table 5.5: List of the best three probabilities of the columns C1, C2, and C3.C1 probabilities C2 probabilities C3 probabilities𝑃 𝐶1

𝐸 = 0.069 𝑃 𝐶2𝐸 = 0.081 𝑃 𝐶3

𝑂 = 0.088𝑃 𝐶1

𝐴 = 0.047 𝑃 𝐶2𝐴 = 0.076 𝑃 𝐶3

𝑆 = 0.072𝑃 𝐶1

𝑂 = 0.0012 𝑃 𝐶2𝑂 = 0.068 𝑃 𝐶3

𝐴 = 0.037

2. Joint Probabilities The joint probabilities are calculated by multiplying the columnprobabilities. Below, an example, which explains this step, is shown.

Example 5.2. Joint probabilities of the columns C1, C2, and C3 using their threebest probabilities (see Table 5.5). Please note that we have changed the notation form𝑃𝑟(𝐹𝑟𝑒𝑞(𝛽) = 𝑥

𝑛 | 𝛽 = 𝛼) to 𝑃 𝛽𝛼 .

Using the columns probabilities, we build the trees depicted in Figure 5.2. In order tocalculate a joint probability, we multiply a leaf by its parent and all its grandparents. Forexample, with the fourth leaf of the first tree, we obtain the following joint probability:

5.2 Generation of the Columns-Letters Candidate List 45

𝑃 𝐶3𝑂 · 𝑃 𝐶2

𝐴 · 𝑃 𝐶1𝐸 = (0.088) · (0.076) · (0.069) = 0.00046.

Figure 5.2: Joint probabilities tree.

The trees shown in Figure 5.2 deliver in total 27 = 33 joint probabilities. However, notethat the leaves coloured with red should not be taken into account. Let’s remember thata letter only maps one column of the homophones table; therefore, the joint probabilities,in which the probabilities of two different columns with the same letter is multiplied(e.g. 𝑃 𝐶3

𝑂 · 𝑃 𝐶2𝐸 · 𝑃 𝐶1

𝑂 ), are not valid for our purpose. Then, in this example, we have tocalculate 10 joint probabilities only.

Finally, the joint probabilities are sorted by decreasing order of probability in a list, inwhich the entries represent the columns-letters candidates. The results can be seen inTable 5.6.

5.2.1 Practical Relevance

In the Example 5.2, the list of columns-letters candidates was generated with just thethree best probabilities of the columns C1, C2, and C3. As result, none of the generatedcandidates corresponds to the correct columns-letters combination (compare Table 5.6with Table 5.2). This means that we need to use more than only three probabilities. Inparticular, if we want to generate columns-letters candidates for more columns.


Table 5.6: List of the columns-letters candidates of the columns C1, C2, and C3.Joint Probability Candidate

1 𝑃 𝐶3𝑂 · 𝑃 𝐶2

𝐴 · 𝑃 𝐶1𝐸 = 4.61 · 10−4 C1=E, C2=A, C3=O

2 𝑃 𝐶3𝑆 · 𝑃 𝐶2

𝐴 · 𝑃 𝐶1𝐸 = 4.02 · 10−4 C1=E, C2=A, C3=S

3 𝑃 𝐶3𝑆 · 𝑃 𝐶2

𝑂 · 𝑃 𝐶1𝐸 = 3.37 · 10−4 C1=E, C2=O, C3=S

4 𝑃 𝐶3𝑂 · 𝑃 𝐶2

𝐸 · 𝑃 𝐶1𝐴 = 3.35 · 10−4 C1=A, C2=E, C3=O

5 𝑃 𝐶3𝑆 · 𝑃 𝐶2

𝐸 · 𝑃 𝐶1𝐴 = 2.74 · 10−4 C1=A, C2=E, C3=S

6 𝑃 𝐶3𝑆 · 𝑃 𝐶2

𝑂 · 𝑃 𝐶1𝐴 = 2.30 · 10−4 C1=A, C2=O, C3=S

7 𝑃 𝐶3𝐴 · 𝑃 𝐶2

𝑂 · 𝑃 𝐶1𝐸 = 1.73 · 10−4 C1=E, C2=O, C3=A

8 𝑃 𝐶3𝑆 · 𝑃 𝐶2

𝐸 · 𝑃 𝐶1𝑂 = 6.99 · 10−5 C1=O, C2=E, C3=S

9 𝑃 𝐶3𝑆 · 𝑃 𝐶2

𝐴 · 𝑃 𝐶1𝑂 = 6.56 · 10−5 C1=O, C2=A, C3=S

10 𝑃 𝐶3𝐴 · 𝑃 𝐶2

𝐸 · 𝑃 𝐶1𝑂 = 3, 59 · 10−5 C1=O, C2=E, C3=A

The number of probabilities that are taken into account strongly affects the performanceand the memory capacity of our implementation. Let’s suppose that we want to generate alist of columns-letters candidates for 8 columns, and moreover, we use their 27 probabilities.Then, we would obtain a list with 278 joint probabilities approximately.

In our implementation, the joint probabilities are stored using the Java class BigDecimal.This means, a joint probability is stored in two 32-bit integers [Oraa]. Therefore, ifwe have ≈ 278 joint probabilities, we need around 2104 Gigabyte. Furthermore, thecomputational overhead, which is needed to sort the list, is considerably high.

Due to our limited computational resources (see Section 6.4.3), we decided to calculatethe joint probabilities only with the best eight probabilities of each column.

5.3 ResultsTable 5.7 provides the results of Phase 2, in which the second column gives the recon-structed columns used in each test, the third column shows the number of generatedcolumns-letters candidates, and the last column indicates the position of the correctcolumns-letters combination in the list. The columns used for this tests are given inTable 5.3.

As one can see, the eight best column probabilities are enough to generate the correctcolumns-letters combination at the first positions of the list. For example, in the sixthresult, 7980 candidates were generated, but however, the right columns-letters mappingcan be found at position 104. This means that only 1.30 % of the candidates will betested in Phase 3. In this way, the computational overhead is minimal.

By contrast, the results 10 and 11 show that if we use the best eight column probabilities,it is possible that the correct columns-letters combination is not generated. However,the results shown in Table 6.1 demonstrate that a plaintext can be reconstructed from a

5.3 Results 47

Table 5.7: Results of Phase 2 using the columns of the Table 5.3 and their best eightprobabilities.

Result Columns No. of Candidates Correct Combi-nation at Pos.

1 C1 C2 C3 336 92 C1 C2 C3 C4 1806 303 C1 C2 C3 C5 1806 404 C1 C2 C3 C6 1806 395 C1 C2 C3 C4 C5 7980 1126 C1 C2 C3 C4 C6 7980 1047 C1 C2 C3 C5 C6 7980 1608 C1 C2 C3 C4 C5 C6 27720 2989 C1 C2 C3 C4 C5 C6 C7 128880 142410 C1 C2 C3 C4 C5 C6 C8 128880 not found11 C1 C2 C3 C4 C5 C6 C7 C8 128880 not found

ciphertext, if we only take into account 5 or 6 homophones columns.The results of this tests can be found in the DVD attached to the printed version of

this thesis (see Appendix C).

6 Phase 3: Dictionary Search

This chapter deals with the dictionary search phase, in which three processes are described:the cipher-plaintext generation, the word-vectors generation, and the plaintext-treesgeneration.

In addition, the last section provides some results in which the whole attack is testedusing the code-breaker tool described in Section 7.2. Please be aware that we employedthe ciphertext shown in Section 4.1 to perform this test.

6.1 Cipher-Plaintext GenerationIn the Phase 2, the columns-letters candidates were generated. In this step, the lettersof a candidate are substituted by its corresponding homophones in the ciphertext. Theresult is a partially decrypted ciphertext which is called cipher-plaintext.

Example 6.1. This example shows the generation of a cipher-plaintext by means ofthe following columns-letters candidate:

{27, 59, 73, 94} = 𝐸,{01, 78, 69, 40} = 𝐴,{17, 34, 62, 20} = 𝑂.

For the ciphertext:

27 22 24 01 37 20,

the resulting cipher-plaintext is:

E 22 24 A 37 O.

Note that the homophone 27 was replaced by the letter E and the homophone 01 by theletter A.

6.2 Word-Vectors GenerationIn this process, the cipher-plaintext is split up into strings of different length which arecalled partially decrypted words. These words are stored in n-vectors, where 𝑛 is theciphertext length. The number of partially decrypted words is calculated as follows:∑︀𝑛

𝑖=1 𝑖.

50 6 Phase 3: Dictionary Search

The following steps describe how the cipher-plaintext is split up and then stored in thevectors:

1. At the first position of the first vector, we add the first symbol (letter or homophone)of the cipher-plaintext. In the second position, we add the second symbol. In thethird position, we add the second and the third symbol. We proceed in this wayuntil the end of the cipher-plaintext.

2. At the first position of the second vector, we put the first and the second symbolof the cipher-plaintext. In the second position, we add the third symbol. In thethird position, we store the third and the fourth symbol. We continue like this untilthe end of the cipher-plaintext.

3. For the remaining (n-2)-vectors, we proceed in the same manner.

Figure 6.1 shows the vectors that are created from the cipher-plaintext: E 22 24 A 37O (see Example 6.1). Since the cipher-plaintext has six symbols, six vectors containing21 partially decrypted words are generated. The vectors are sorted by levels, in whichthe number of each level is determined by the number of symbols that contain the firstelement of each vector.

Figure 6.1: Word vectors generated from the cipher-plaintext: E 22 24 A 37 O

6.3 Plaintext-Trees GenerationThe plaintext trees are generating using the word vectors. In total, (k-1)-trees can bebuilt, where 𝑘 is the number of vectors. For example, five trees can be built from thevectors shown in Figure 6.1.

Before explaining how a tree is generated, we first define the meaning of its elementsand two conditions needed when building a tree:

∙ Root Contains the first element of a word vector.

6.3 Plaintext-Trees Generation 51

∙ Node Represents a partially decrypted word. A candidate partially decryptedword is a string formed by homophones and letters, only homophones, or onlyletters.

∙ Discarded Node This element is a node that did not fulfil any of the conditionsdefined below.

∙ Full Branch Represents a candidate plaintext. A branch is called full, when thesum of its nodes symbols is equal to the ciphertext length.

∙ Uncompleted Branch A branch is called uncompleted, when one of its nodeswas discarded.

Next, we describe two conditions needed to build a tree:

∙ Condition One A node must match at least one word in the Spanish dictionary.For example, for the node “24A37O”, there must be at least one word that meetsthe following three requirements:

1. It has 4 letters.2. The second letter must be “A” and the last one “O”.3. The first and third letters cannot be “A”, “O”, or any of the plaintext letters

in the cipher-plaintext.For instance, the word GATO1 would meet these requirements.

∙ Condition Two Provided that the previous condition is fulfilled, the letters ofthis word, which can replace the homophones symbols of the node (in the exampleabove, G can replace 27 and T can replace 37), must also be a matching for atleast one word of all the previous nodes of the branch.Following the example above, let’s suppose that the parent of the node “24A37O”is the node “O37”. Then, there must be at least one matching of the node “O37”,in which the homophone 37 can be replaced by the letter "T" (in this case, the onlypossible matching would be OT).

A node is discarded, if it does not fulfil any of these conditions. In Figure 6.2, thediscarded nodes are coloured in red and the dotted lines represent the uncompletedbranches.

The Algorithm 6.3.1 shows how a tree is generated. In the following, we explain themost important lines of this algorithm:

1. For the first call (s=0): it is verified, whether the first element of the vector meetsthe Condition One (line 3). If so, this element is set as the root of the tree (line4) and the other elements are set as the children of the root (line 5). Then, thenumber of symbols is incremented (lines 6) and the function is called again (line 7).If the condition of line 3 is not met, the tree is not built (line 9).

1GATO in Spanish means cat.


2. For the next calls (s>0): For every node, it is verified, whether the Condition Oneand Condition Two are met (line 12). If so, the number of symbols is incremented(line 13) and then used to obtain a word vector (line 14) whose elements, exceptfor the first one, are set as the children of the node (line 15). If the condition ofthe line 12 is not fulfilled, this node is set as discarded (line 18).

3. Finally, the branches of the tree, which do not contain discarded nodes, representthe candidate plaintexts. In the example shown in Figure 6.2, the tree delivers fourcandidate plaintexts. For example, the candidate plaintext 4 is: E22 24A37O. Thiscandidate could match, for instance, the Spanish text EL GATO2.

Algorithm 6.3.1: generateTreeInput: word vector 𝑊𝑉 [0 . . . 𝑛], number of symbols 𝑠Output: tree 𝑇

1 begin2 if 𝑠 = 0 then3 if ConditionOne(𝑊𝑉 [0]) = 𝑂𝐾 then4 𝑇 ← setRoot(𝑊𝑉 [0])5 𝑇 ← setChildren(𝑊𝑉 [0], 𝑊𝑉 [1 · · ·𝑛])6 𝑠← 𝑠+ length(𝑊𝑉 [0])7 generateTree(𝑊𝑉 , 𝑠)

8 else9 𝑇 ← 𝑛𝑢𝑙𝑙

10 else11 for 𝑖← 1 to n do12 if ConditionOne(𝑊𝑉 [𝑖]) = 𝑂𝐾 and ConditionTwo(𝑊𝑉 [𝑖]) = 𝑂𝐾

then13 𝑠← 𝑠+ length(𝑊𝑉 [𝑖])14 𝑊𝑉 2[]← getWordVector(𝑠)15 𝑇 ← setChildren(𝑊𝑉 [𝑖], 𝑊𝑉 2[1 · · · 𝑗])16 generateTree(𝑊𝑉 2, 𝑠)

17 else18 𝑇 ← setDiscardedNode(𝑊𝑉 [𝑖])

19 return 𝑇

Note that Condition One and Conidtion Two aim to reduce the computational overheadof this phase. If the first element of a word vector does not meet the condition one, thetrees is not even built.

2EL GATO in Spanish means the cat.

6.4 Final Results 53

Figure 6.2 shows a plaintext tree generated from the second word vector shown inFigure 6.1. As can be seen, the first element of this vector is the tree’s root and theremaining elements are the root’s children. The labels on the arrows represent the numberof symbols of all the previous nodes of a branch. This number is used to get the childrenof a node.

Figure 6.2: Plaintext tree generated from the second vector of Figure 6.1

6.4 Final Results

Table 6.1 shows the results of the whole attack (Phase 1, Phase 2, and Phase 3). Thesecond column shows the number of words in the Spanish dictionaries. The third columnspecifies the number of the reconstructed columns used in a test. The fourth columngives the number of candidate plaintexts generated from the given ciphertext. The fifthcolumn indicates the success rate reached in a test and the last column shows the timeneeded by the code-breaker tool (see Section 7.2) to deliver the results.

The ciphertext used in these tests can be found in Section 4.1. The results of thePhase 1 and Phase 2 are provided in Table 4.1 and Table 5.7 respectively.

The results of this tests can be found in the DVD attached to the printed version of


Table 6.1: Results of the whole attack using a ciphertext with 201 symbols.

Result Dictionary Columns(Phase 1)

CandidatePlaintexts

Success (%) Time (min.)

1 4000 5 158 ≈ 90 1.282 6000 5 432 ≈ 83 2.233 8000 5 2592 ≈ 79 19.9584 10000 5 3024 ≈ 78 61.945 4000 6 144 ≈ 90 2.026 6000 6 144 ≈ 88 3.657 8000 6 576 ≈ 85 3.688 10000 6 1008 ≈ 85 5.879 12000 6 >34000 ≈ 83 >120

this thesis (see Appendix C).

6.4.1 Analysis of the Results

As seen in Table 6.1, the more entries the dictionary has, the more time it takes to deliverthe results. Furthermore, the success rate decreases as the dictionaries size grows.

Additionally, the number of columns also influences both the success rate and theexecution time. For example, one can see in the fourth result (5 reconstructed columns)that the candidate plaintexts were delivered in 61.94 minutes and the success is of 78 %approximately. On the other hand, we see in the result number eight (6 reconstructedcolumns) that the tool only took 5.87 minutes to output the plaintexts, and moreover,the success rate is around 7 points higher.

The number of plaintext candidates is also related with the dictionary size. The moreentries in the dictionary, the more candidate plaintexts are delivered. In spite of thenumber of plaintexts that are generated from a ciphertext, these results are similar eachother.

6.4.2 Analysis of a Candidate Plaintext

In this section we analyze a candidate plaintext that was taken from the result num-ber 4 (see Table 6.1). Note that this result has the worst success rate (≈ 78) of our results.

Next, we provide information that helps to understand the analyzed results:

∙ The letters coloured with red in the plaintext represent the mismatches with thecandidate plaintext.

∙ The strings, which are highlighted in bold in the candidate plaintext, represent thepartially decrypted words. Let’s remember that these strings are generated from

6.4 Final Results 55

the cipher-plaintext (see Section 6.3). In other words, this candidate plaintext is abranch of a tree and the partially decrypted words are the nodes (see Figure 6.2).

∙ The words, which are placed alongside the partially deciphered words, representthe matching of these strings in the Spanish dictionary.

To calculate success rate, we compare the letters of the plaintext with the letters of thecandidate plaintext. The following example illustrates this process:

el ministro marina y aireEL MINISTRO MARINA Y AIREEH HARINA

ZARINA

In this example, the lowercase text corresponds to the plaintext and the uppercase textcorresponds to the candidate plaintext. Note that a letter is considered a mismatch,if just one letter of the candidate letters (in uppercase) does not match with it. Forexample, the second letter of the plaintext has two candidate letters: the first one is amatch (l=L); however, the second one is a mismatch (l̸=H).

Based on the context of the analyzed telegram, some combinations could make moresense than other. For instance, the option EL MINISTRO MARINA Y AIRE (En-glish translation: the navy and air minister) sounds more suitable to context than theoption EL MINISTRO HARINA Y AIRE (English translation: the flour and air minister).

Plaintext

el ministro marina y aire a presidente gobierno vasco estamos examinando la ideade establecer en bilbao una fabrica aviones en que se construiria bien el aparato ameri-cano martin bombers y el fokker ruego le llame al ingeniero aeronautico

Candidate Plaintext

Result # 2023———————————————————————————————–E22: [EL, EH]07INI1537R20: [MINISTRO]49ARINA: [MARINA, HARINA, ZARINA]03: [Y]AIRE: [AIRE]A: [A]06RE36I08EN56E: [PRESIDENTE]241711IERN34: [GOBIERNO]41A711462: [VASCO, PABLO, BALDO, BALSO, BALTO, BAMBU, CACHO, CACTO,CADOZ, CALCO, CALDO, CALLO, CALMO, CALVO, CALZO, CAMBO, CAMPO,DAMOS, FALLO, FALSO, FALTO, FASTO, FATUO, GACHO, GALGO, GALLO,GASTO, HABUS, HACHO, JALDO, JAUDO, JAUTO, LAMPO, YAZGO, ZAMBO]


E1579A672036: [ESTAMOS, EMPACHO]E02A85INAN1317: [EXAMINANDO]48A: [LA, CA, FA, HA, KA, YA]I44EA72: [IDEAL]E: [E]E7137A2982E45ER: [ESTABLECER, EMBASTECER]EN: [EN]60I2290A34: [BILBAO, FISCAL]12NA: [UNA]19A11RI68A: [FABRICA, LAGRIMA]A65I62NE15: [AVIONES]EN: [EN]0947E: [QUE, VME, CHE, LUE]36E: [DE, SE, LE, FE, HE]9320N7156R81IRIA: [CONSTRUIRIA]29IEN: [BIEN]E48: [EL, EH]A30ARA7917: [APARATO]A07ERI14AN34: [AMERICANO]49AR37IN: [MARTIN, CARMIN, GARBIN, JARDIN]60626790ER15: [BOMBERS, CHUCERO, CHUFERO, YUGUERO]38E824320: [JESUS, DEBUT, DEMOS, FEUCO, FETCH, FEUDO, GESTO, HECTO,HEMOS, YELMO, YEZGO]1826ER: [BOER]R12E5217: [RUEGO]22E: [DE, SE, LE, FE, HE]4882A85E: [LLAME, CHALE, GLASE]A22: [AL]IN70ENIER34: [INGENIERO]AER62NA4756I4520: [AERONAUTICO]

This result can be found in the DVD attached to the printed version of this thesis(see Appendix C).

6.4.3 PlatformThe tests shown in Table 6.1 were carried out in a laptop with the following characteristics:

∙ Operating System: Windows 8 Pro 64-bit

∙ Processor: Intel(R) Core(TM) i7-3632QM CPU 2.20 GHz

∙ RAM: 4.00 GB

7 Implementation

In order to test the analytical attack proposed in this thesis, the following tools wereimplemented:

1. Encryption and Decryption Tool This tools implements the decryption anddecryption of the SSC.

2. Code-Breaker Tool This tool implements the three phases described in Chapters4, 5, and 6.

The next sections offer the most important aspects of these implementations, such asdevelopment tools, components, and main algorithms.

7.1 Encryption and Decryption ToolThe encryption and decryption algorithms of the SSC was implemented in the program-ming language C# and integrated as plug-in in the Open-Source Program for Cryptographyand Cryptanalysis CT2 [Cry]. This section describes the tools, requirements (functionaland non-functional), components, and main algorithms of this implementation.

7.1.1 Development ToolsDuring the development of the SSC plug-in, the following tools were employed:

∙ Microsoft Visual C# 2010 Express [Micb]: This free Integrated DevelopmentEnvironment (IDE) provided a source-code editor and a debugger needed to writeand test the components depicted in Figure 7.2.

∙ Microsoft .Net Framework 4.5 [Mica]: Supplied the necessary runtime envi-ronment, libraries, and services for the development and execution not only of theSSC plug-in but also for the whole CT2 solution.

∙ TortoiseSVN [Tor]: CT2 is a collaborative project with many developers; there-fore, all the plug-ins changes should be checked into the CT2 code repository. Inorder to fulfil this task this free client Subversion (SVN) was used.

7.1.2 RequirementsBasically, for the implementation of the SSC plug-in five functional and three non-functional requirements were established. The latter are the requirements that all theplug-ins in CT2 must meet.

58 7 Implementation

Functional Requirements

F1 Before encrypting or decrypting any input, the SSC plug-in must provide a con-figuration panel, in which the users are able to enter a keyword and an initialposition. By means of these parameters, the random alphabet should be generatedand shifted as described in Section 2.1.

F2 The SSC plug-in must provide the users with the possibility to select a homophonestable. There must be at least two options available: (1) a table with 99 homophones(01-99) and a table with 90 homophones (10-99).

F3 The SSC plug-in must offer the users two different alphabets: (1) the current officialSpanish alphabet with 27 letters (2) and an alphabet with 29 letters, in which thedigraphs “CH” and “LL” are included.

F4 The SSC plug-in must provide an input text box, where the users can enter theplaintext that have to be encrypted. The resulting ciphertext must be shown in anoutput text box. The encryption should be performed as described in Section 2.2.

F5 The SSC plug-in must offer and input text box, where the users can enter theciphertext that have to be decrypted. The result must be displayed in an outputtext box. The decryption must be implemented as described in Section 2.3.

Non-Functional Requirements

NF1 The SSC plug-in must offer a user documentation available in English and German.

NF2 There must be at least one template that shows and describes the main functionalityof the SSC plug-in.

NF3 All the labels and texts of the user interfaces must be available in English andGerman.

7.1.3 ComponentsThe SCC plug-in is formed by the following components:

∙ SpanishStripCipherSetting.cs: Implements the user interface that is shown inFigure 7.1. Additionally, this component implements the algorithms that generate(Algorithm 7.1.2) and shift (Algorithm 7.1.1) the random alphabet. Thereby, thefunctional requirements F1, F2, and F3, are fulfilled.

∙ SpanishStripCipher.cs: Implements the encryption (Algorithm 7.1.3) and de-cryption algorithm (Algorithm 7.1.4). Therefore, this component accomplishes thefunctional requirements F4 and F5.

∙ doc.xml: Provides a user documentation available in English and German (non-functional requirement NF1).

7.1 Encryption and Decryption Tool 59

Figure 7.1: User interface: parameters configuration

∙ SpanishStripCipher.cwm: Fulfils the non-functional requirement NF2.

∙ Resources.resx and Resources.de.resx: These components consist of XMLentries which provide to each label of the user interface a text and description eitherin English (Resources.resx) or in German (Resouces.de.resx). These componentsachieve the non-functional requirement NF3.

The components diagram depicted in Figure 7.2 shows the dependability between theabove described components and their organization inside the CT2 project.

Figure 7.2: Components diagram of the SSC Plug-in

60 7 Implementation

7.1.4 Algorithms

This section briefly describes the most important algorithms that were implemented inthe SSC plug-in. Please note these algorithms are written in pseudocode. The sourcecode can be downloaded from [Cry].

∙ Random-Alphabet-Generation (see 7.1.2) Generates the random alphabetas described in Section 2.1. This algorithm is performed when the user enters orchanges the keyword and when she or he selects a new alphabet.

∙ Initial-Position (see 7.1.1) This algorithm is needed to shift the random alphabetwhen the user changes the default initial position (A in A).

∙ SSC-Encryption (see 7.1.3) Encrypts a plaintext according to the descriptionprovided in Section 2.2.

∙ SSC-Decryption (see 7.1.4) Decrypts a ciphertext according to the descriptionprovided in Section 2.3.

Algorithm 7.1.1: Initial-PositionData: ordered alphabet 𝐴[0 . . . 26], random alphabet 𝑅[0 . . . 26], initial position 𝑃1

in 𝑃2Result: shifted random alphabet 𝑆𝑅[0 . . . 26]

1 begin2 𝑖𝑛𝑑𝑒𝑥𝑅𝑎𝑛𝑑𝑜𝑚𝐴𝑙𝑝ℎ𝑎𝑏𝑒𝑡← indexOf(𝑅, 𝑃1)3 𝑖𝑛𝑑𝑒𝑥𝑂𝑟𝑑𝑒𝑟𝑒𝑑𝐴𝑙𝑝ℎ𝑎𝑏𝑒𝑡← indexOf(𝐴, 𝑃2)4 if indexRandomAlphabet > indexOrderedAlphabet then56 𝑗 ← 𝑖𝑛𝑑𝑒𝑥𝑅𝑎𝑛𝑑𝑜𝑚𝐴𝑙𝑝ℎ𝑎𝑏𝑒𝑡− 𝑖𝑛𝑑𝑒𝑥𝑂𝑟𝑑𝑒𝑟𝑒𝑑𝐴𝑙𝑝ℎ𝑎𝑏𝑒𝑡7 for 𝑖← 0 to Length(𝑅) do8 𝑖𝑛𝑑𝑒𝑥← (𝑖 + 𝑗) mod 279 𝑆𝑅[𝑖]← 𝑅[𝑖𝑛𝑑𝑒𝑥]

10 else11 𝑗 ← 𝑖𝑛𝑑𝑒𝑥𝑂𝑟𝑑𝑒𝑟𝑒𝑑𝐴𝑙𝑝ℎ𝑎𝑏𝑒𝑡− 𝑖𝑛𝑑𝑒𝑥𝑅𝑎𝑛𝑑𝑜𝑚𝐴𝑙𝑝ℎ𝑎𝑏𝑒𝑡12 for 𝑖← 0 to Length(𝑅) do13 𝑖𝑛𝑑𝑒𝑥←(27-j+i) mod 2714 𝑆𝑅[𝑖]← 𝑅[𝑖𝑛𝑑𝑒𝑥]

15 return 𝑆𝑅

/* The function indexOf() in lines 2 and 3 searches for an element(P1) in an array (R) and returns its index. */

7.1 Encryption and Decryption Tool 61

Algorithm 7.1.2: Random-Alphabet-GenerationData: keyword 𝐾[0 . . . 𝑛], ordered alphabet 𝐴[0 . . . 26]Result: random alphabet 𝑅[0 . . . 26]

1 begin2 𝑡𝑒𝑚𝑝[0]← 𝐾[0]3 𝑖← 14 for 𝑗 ← 1 to Length(𝐾) do5 if Contain(temp, 𝐾[𝑗])== false then67 𝑡𝑒𝑚𝑝[𝑖]← 𝐾[𝑗]8 𝑖← 𝑖 + 1

9 𝑘𝑒𝑦𝑤𝑜𝑟𝑑𝐿𝑒𝑛𝑔𝑡ℎ𝑊𝑖𝑡ℎ𝑜𝑢𝑡𝑅𝑒𝑝𝑒𝑎𝑡𝑒𝑑𝐿𝑒𝑡𝑡𝑒𝑟𝑠← Length(𝑡𝑒𝑚𝑝)10 for 𝑗 ← 1 to Length(𝐴) do11 if Contain(temp, 𝐴[𝑗])== false then1213 𝑡𝑒𝑚𝑝[𝑖]← 𝐴[𝑗]14 𝑖← 𝑖 + 1

15 𝑅[0]← 𝑡𝑒𝑚𝑝[1]16 𝑐𝑜𝑙𝑢𝑚𝑛← 117 𝑖𝑛𝑑𝑒𝑥← 118 for 𝑖← 1 to Length(𝑡𝑒𝑚𝑝) do19 𝑖𝑛𝑑𝑒𝑥← 𝑖𝑛𝑑𝑒𝑥 + 𝑘𝑒𝑦𝑤𝑜𝑟𝑑𝐿𝑒𝑛𝑔𝑡ℎ𝑊𝑖𝑡ℎ𝑜𝑢𝑡𝑅𝑒𝑝𝑒𝑎𝑡𝑒𝑑𝐿𝑒𝑡𝑡𝑒𝑟𝑠20 if 𝑖𝑛𝑑𝑒𝑥> 26 then2122 𝑐𝑜𝑙𝑢𝑚𝑛← 𝑐𝑜𝑙𝑢𝑚𝑛 + 123 𝑖𝑛𝑑𝑒𝑥← 𝑐𝑜𝑙𝑢𝑚𝑛

24 𝑅[𝑖]← 𝑡𝑒𝑚𝑝[𝑖𝑛𝑑𝑒𝑥]25 return 𝑅

/* The function Contain() in lines 5 and 11 returns true if a letter(K[j]) exist in an array (temp), otherwise returns false. */

62 7 Implementation

Algorithm 7.1.3: SSC-EncryptionData: plaintext 𝑃 [0 . . . 𝑛], homophones table 𝐻[0 . . . 26][0 . . . 𝑛], shifted random

alphabet 𝑆𝑅[0 . . . 26]Result: ciphertext 𝐶[0 . . . 𝑛]

1 begin2 for 𝑖← 0 to Length(𝑃) do3 𝑖𝑛𝑑𝑒𝑥← indexOf(𝑆𝑅, 𝑃 [𝑖])4 ℎ𝑜𝑚𝑜𝑝ℎ𝑜𝑛𝑒← Shift(𝐻[𝑖𝑛𝑑𝑒𝑥])5 𝐶[𝑖]← ℎ𝑜𝑚𝑜𝑝ℎ𝑜𝑛𝑒6 Push(𝐻[𝑖𝑛𝑑𝑒𝑥], ℎ𝑜𝑚𝑜𝑝ℎ𝑜𝑛𝑒)

7 return 𝐶

/* The function indexOf() in line 3 searches for an element (P[i]) inan array (SR) and returns its index. */

/* The function Shift() in line 4 removes the first element of anarray (H[index]) */

/* The function Push() in line 6 inserts an element (homophone) atthe end of an array (H[index]) */

Algorithm 7.1.4: SSC-DecryptionData: ciphertext 𝐶[0 . . . 𝑛], homophones table 𝐻[0 . . . 26][0 . . . 𝑛], shifted random

alphabet 𝑆𝑅[0 . . . 26]Result: plaintext 𝑃 [0 . . . 𝑛]

1 begin2 for 𝑖← 0 to Length(𝐶) do3 𝑖𝑛𝑑𝑒𝑥← GetColumnNumber(𝐻, 𝐶[𝑖])4 𝑃 [𝑖]← 𝑆𝑅[𝑖𝑛𝑑𝑒𝑥]5 return 𝑃

/* The function GetColumnNumber() searches for an element (C[i]) in amatrix (H) and returns the number of the column where that elementwas found. */

7.2 Code-Breaker Tool 63

7.2 Code-Breaker ToolThe code-breaker tool performs the phases of the attack: homophones-table analysis,letter-frequency analysis, and dictionary search. The tool receives as input a ciphertextand then performs phase1. Afterward, it executes phase 2 with the reconstructed columnsoutputted in phase 1. Finally, it carries out phase 3 and, in case of success, outputs atext file containing the candidate plaintexts.

The implementation encompasses around 965 code-lines written in the multi-platformprogramming language Java [Orab]. The source code of this implementation can befound in the DVD attached to the printed version of this thesis (see Appendix C).

7.2.1 Development Tools

The following tools were employed during the development of the code-breaker tool:

∙ Eclipse [Ecl] Offered the IDE to write and debug the java code that implementsthe components shown in Figure 7.3.

∙ Java Platform, Standard Edition Development Kit (JDK) [Orac] Pro-vided the Java Runtime Environmen (JRE), the Java Virtual Machine (JVM), andlibraries that support the execution of the java files.

7.2.2 Components

In the following, we describe the main functionality accomplished by every component:

∙ GUI.java: Implements the user interface where a ciphertext is entered to startthe attack.

∙ HomophonesAnalysis.java: Implements the Phase 1 of the attack. It includesthe generation and analysis of the candidate columns.

Figure 7.3: Components diagram of the code-breaker tool

64 7 Implementation

∙ FrequencyAnalysis.java: Implements the Phase 2 of the attack. The mainfunctions and procedures are: calculation of the probabilities and the generation ofthe columns-letters candidates.

∙ Dictionary.java: Implements the Phase 3 of the attack. The most relevant func-tions of this component are: the generation of the cipher-plaintext, the word vectorsgeneration, and the generation of plaintext trees. Additionally, this component hasthe task of printing the final results.

∙ Dic.txt: Contains the dictionary entries that are read from the Dictionary.javacomponent.

∙ Results.txt: The Dictionary.java component uses this text file to write the aresults of the attack.

Figure 7.4 shows the classes that are implemented by the components depicted in Figure7.3. In both figures, the dependency between classes or components can be seen.

7.2 Code-Breaker Tool 65

Figure 7.4: Class diagram of the code-breaker tool

8 Conclusions

Although the huge key space of the SSC (≈ 2505), in this thesis, it was demonstratedthat this cryptosystem can efficiently be broken by means of an analytical attack. In thefollowing, we summarize the most relevant aspects and results of the phases of this attack.

Phase 1: Homophones-Table Analysis In Section 2.2, it was explained that thehomophones, which replace a plaintext letter in the ciphertext, can be sequentiallyselected during the encryption process. In this phase, it was shown that this featurerepresents a vulnerability that is exploited to reconstruct the columns of the homophonestable by applying set theory operations and combinatorial methods.

Table 6.1 shows that only 5 columns are necessary to perform the attack successfully.As seen in Section 4.3, the Phase 1 reconstructed at least 5 columns:

∙ in 22% of the ciphertexts with 150 homophones (see Figure 4.5),



∙ and in 94% of the ciphertexts with 300 homophones (see Figure 4.8).

Phase 2: Letter-Frequency Analysis Phase 2 provided a method to generate a listof columns-letters candidates. In order to accomplish this task, first, we analyzed thememory required to generate such a list. As mentioned in Section 5.2.1, if we have eightcolumns and we take into account the 27 probabilities of each one, we approximatelyneed 2014 Gigabytes to generate this list. Hence, to be able to test our attack, we decidedto only use the eight best probabilities of each column.

The results provided in Table 5.7 indicate that this decision could prevent from generat-ing the correct columns-letter mapping, and thus, it would not be possible to reconstructthe plaintext. However, as also seen in these results, it is possible to generate the correctmapping with seven (or less) of the eight reconstructed columns. As it was demonstratedin Section 6.4, we only need five columns to reconstruct around 90 % of the plaintext.

Phase 3: Dictionary Search In this phase, a search of the possible plaintext words ina Spanish dictionary is performed. The results show that with this method, the humanintervention to reconstruct a plaintext could almost be avoided completely (see Table6.1).

In conclusion, it is possible to obtain up 90 % of the plaintext form a ciphertextcontaining only 201. The analyzed telegrams of the Spanish Civil War (see Appendix B)contain more than 200 letters (the average of the analyzed telegrams is 486. See Table

68 8 Conclusions

B.1). Therefore, the attack proposed in this thesis could help to decrypt the telegramsthat still remain encrypted.

Table 8.1 illustrates the final results obtained in this thesis in comparison with theresults shown in [Fco13] and [Jos11]. As one can see, the main difference of this thesis,compared with these works, is the plaintext length. In [Fco13] and in the second resultshown in [Jos11], the plaintext is more than twice bigger than the plaintext used in ourtests. Additionally, in the first test of the paper [Jos11], the plaintext is even more thanfour times bigger than our plaintext.

Please note that the last column of the Table 8.1 indicates that the homophonestable in [Fco13] was considered known. Hence, in this attack, the SSC is not anymore ahomophonic cipher but a monoalphabetic one.

Table 8.1: Comparison with the results of previous works.Work Plaintext

Length% of Success Time (min.) Homophones-

Table[Fco13] 511 letters P 1 2.08 known[Jos11] 934 letters 62.16 -3 unknown[Jos11] 502 letters 51.43 -3 unknown

This thesis 2 201 letters ≈85 5.87 unknown

8.1 Attack Improvements

The major drawback of our attack is encountered in Phase 2. As seen in Table 5.7, forthe last two tests, the right columns-letters combination was not found. Therefore, themethod used in this phase must be improved or other solutions should be implemented.For instance, the algorithms, which are proposed in [Nic11] for an optimal key enumerationapplied to side-channel attacks, can be adapted and implemented to enhance our attack.

In addition, as shown in Section 4.3, up to 8 % of the results delivered in Phase 1contain wrong columns. Though, some of these results could still be used to perform theattack successfully, future improvements should be deemed to provide results with 0 %of wrong columns.

Improvements to this attack should be implemented, in order to break the SSCvariations, in which a letter map 3, 4, or 5 homophones. Furthermore, the possibility toreconstruct the homophones-table columns, when the homophones are randomly selectedduring the encryption, must be analyzed. Breaking this SSC variation, it still is achallenge.

1According to [Fco13] P = text is perfectly or almost perfectly decrypted.2In this test 6 columns and a dictionary with 10,000 words were used.3The time to obtain these results was not provided in the paper [Jos11].

8.2 Future Work 69

8.2 Future WorkWe recommend the development of a tool to scan the encrypted telegrams with thepurpose of obtaining the ciphertexts in digital form. Then, with this tool and the attackimplemented in this thesis, the process to try to decrypt the telegrams will be completelycomputerized.

The SSC is already available in the open-source software for cryptography and crypt-analysis CT2. We also recommend integrating the analytical attack into this widely-usedfree software.

A Acronyms

AES Advanced Encryption Standard

SSC Spanish Strip Cipher

CT2 CrypTool 2

SVN Subversion

IDE Integrated Development Environment

GA Genetic Algorithms

JDK Java Platform, Standard Edition Development Kit

JRE Java Runtime Environmen

JVM Java Virtual Machine

B Telegrams

Table B.1: Summary of the analyzed telegrams that were sent during the Spanish CivilWar (1936-1939).

Telegram length Source Reference125 letters [Art] Text B.1185 letters [Jos08] Figure B.1210 letters [Jos08] Figure B.2290 letters [Jos08] Figure B.3304 letters [Jos08] Figure B.4362 letters [Jos08] Figure B.5502 letters [Art] Text B.2744 letters [Jos08] Figure B.6934 letters [Art] Text B.41210 letters [Jos08] Figure B.7

Average: 486.6 letters

B.1 Telegram with 125 letters

El ministro Marina y Aire a gobernador general Santander. Por proximidad fecharecuérdole mis anteriores instrucciones sobre vapor "Mar Cantábrico".

B.2 Telegram with 502 letters

El ministro de Marina y Aire al presidente Gobierno vasco. Por Ministerio Estado se meha remitido telegrama del embajador España París fechado ayer que dice lo siguiente:Gobierno México en vista bloqueo y para evitar situaciones diplomáticas desairadas hadado órdenes representantes en extranjero para que no se despachen de puertos en quese encuentran actualmente barcos matriculados México a nuestros servicios, por tantobarcos en esta situación que se hallen en España no deben salir ya bajo pabellón mexicanoy deberán ser tomadas medidas con respecto a los que se encuentren en extranjero.

74 B Telegrams

B.3 Telegram with 735 lettersEl ministro de Marina y Aire al presidente Gobierno vasco. Embajador España en Méxicoen despacho recibido hoy me comunica lo siguiente: Me telegrafía vapor "Mar Cantábrico"diciendo llegará frente Santander lunes tarde y pregunta si es mejor entrar por la noche.Creyendo ese punto debe decidirlo V.E. se lo comunico para que haga transmitir susórdenes a barco la estación de Santander. Le digo que caso no recibir esas órdenes entrende noche. También me dice "Mar Cantábrico" que si es protegido por aviación convieneque aeroplanos no vuelen sobre el barco para evitar confusiones y corno añade que nocomunicará con estación Santander ni Bilbao más que en caso forzoso, creo convendríafuera ésta o escuadra quienes le llamaran para establecer contacto. Me permito encarecera V.E. emplee nuestros barcos de guerra para proteger "Mar Cantábrico", que seguramenteestará muy vigilado por el enemigo. (Fin.)

B.4 Telegram with 934 lettersEl ministro Marina y Aire a presidente Gobierno vasco. Estamos examinando la idea deestablecer en Bilbao una fábrica aviones en que se construiría bien el aparato americano"Martin Bombers" y el "Fokker 31". Ruégole llame al ingeniero aeronáutico Cerro deservicio en Lamiaco y exponiéndole esta idea nos diga dados los elementos que ahípodrían reunirse y clase materiales que han de emplearse en uno y otro modelo cualestima preferible para fabricación ahí, o si simultáneamente pudieran construirse ambos.Primera condición es encontrar local adecuado y en condiciones relativa seguridad y conterreno próximo que pueda acondicionarse para aeródromo. Sigue clave T. en T. Dícemeque en caso reúna ambas condiciones Zamudio donde instalóse fábrica Esperanza queantes se hallaba en Marquina y otro aspecto a estudiar inmediatamente es posibilidadreunir ahí con rapidez y urgencia caso requiere todo elemento mecánico para produccionesreferidas y suplico V.E. tome con máximo empeño esta iniciativa y me dé cuenta sudesarrollo v previamente deme seguridades que espero respecto posibilidad realizar esteproyecto. (Fin del comunicado.)

B.4 Telegram with 934 letters 75

Figure B.1: Telegram with 185 letters approx.


76 B Telegrams



B.4 Telegram with 934 letters 77



78 B Telegrams


C DVD Content

In the printed version of this thesis, a DVD with the results, source code, and the digitalversion of this thesis, is attached (see Table C.1).

Table C.1: Summary of the DVD content.File DescriptionLuis_Alberto_Benthin_MA.pdf Digital version of this thesis.Final_Results Final results that are summarized in Table 6.1.FrequencyAnalysisTestTool Source code of the tool used to perform the tests

shown in Table 5.7.HomophonesAnalysisTestTool Source code of the tool used to carried out the

ciphertext-length analysis given in Section 4.3.Results_Phase1 Results of the summarized ciphertext-length

analysis given in Section 4.3.Results_Phase2 Results of Phase 2 that are summarized in Table

5.7. Also in this file, the plaintexts used in thesetests can be found.

SSC_Plug-in Source code of the SSC Plug-in.SSC-Code-Breaker Source code of the SSC-Code-Breaker including

all the dictionaries.Telegrams Digital version of the telegrams shown in Ap-

pendix B.

List of Figures

2.1 Homophonic substitution cipher. This table was used by the nationalistside (XIV Division) during the Spanish civil war [Jos08]. . . . . . . . . . . 5

2.2 Original design of the Spanish Strip Cipher. In this key the keyword iscryptool and the initial position is B in C . . . . . . . . . . . . . . . . . . 6

2.3 Relation between the homophones {10, 37, 61, 81, 15, 51, 93} ∈ 𝐻 and therandom alphabet letters {𝑆, 𝑂} ∈ 𝐴 . . . . . . . . . . . . . . . . . . . . . 9

3.1 Brute-force attack against the SSC. . . . . . . . . . . . . . . . . . . . . . . 123.2 Ordered alphabet permutations. . . . . . . . . . . . . . . . . . . . . . . . 133.3 Overview of the proposed analytical attack against the SSC. . . . . . . . . 17

4.1 Overview of Phase 1: Homophones-table analysis . . . . . . . . . . . . . . 194.2 Gerneral representation of the homophones table . . . . . . . . . . . . . . 314.3 Number of reconstructed columns in 100 ciphertexts of length 80 . . . . . 374.4 Number of reconstructed columns in 100 ciphertexts of length 100 . . . . 374.5 Number of reconstructed columns in 100 ciphertexts of length 150 . . . . 374.6 Number of reconstructed columns in 100 ciphertexts of length 200 . . . . 384.7 Number of reconstructed columns in 100 ciphertexts of length 250 . . . . 384.8 Number of reconstructed columns in 100 ciphertexts of length 300 . . . . 38

5.1 Overview of Phase 2: letter-frequency analysis . . . . . . . . . . . . . . . 415.2 Joint probabilities tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

6.1 Word vectors generated from the cipher-plaintext: E 22 24 A 37 O . . . . 506.2 Plaintext tree generated from the second vector of Figure 6.1 . . . . . . . 53

7.1 User interface: parameters configuration . . . . . . . . . . . . . . . . . . . 597.2 Components diagram of the SSC Plug-in . . . . . . . . . . . . . . . . . . . 597.3 Components diagram of the code-breaker tool . . . . . . . . . . . . . . . . 637.4 Class diagram of the code-breaker tool . . . . . . . . . . . . . . . . . . . . 65

B.1 Telegram with 185 letters approx. . . . . . . . . . . . . . . . . . . . . . . . 75B.2 Telegram with 210 letters approx. . . . . . . . . . . . . . . . . . . . . . . . 75B.3 Telegram with 290 letters approx. . . . . . . . . . . . . . . . . . . . . . . . 76B.4 Telegram with 304 letters approx. . . . . . . . . . . . . . . . . . . . . . . . 76B.5 Telegram with 362 letters approx. . . . . . . . . . . . . . . . . . . . . . . . 77B.6 Telegram with 744 letters approx. . . . . . . . . . . . . . . . . . . . . . . . 77B.7 Telegram with 1210 letters approx. . . . . . . . . . . . . . . . . . . . . . . 78

List of Tables

3.1 Previous work summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

4.1 Homophones columns that were reconstructed with the code-breaker tooldescribed in Section 7.2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4.2 Result number 11 of the ciphertexts with 200 homophones. . . . . . . . . 39

5.1 Frequency of the column C1 in the ciphertext shown in Section 4.1 (Page20). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

5.2 Correct columns-letters mapping for the columns shown in Table5.3. . . . 425.3 Columns Frequencies in the ciphertext of the example shown in Section

4.1 (Page 20). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435.4 Relative frequency of letters in the Spanish language. . . . . . . . . . . . . 435.5 List of the best three probabilities of the columns C1, C2, and C3. . . . . 445.6 List of the columns-letters candidates of the columns C1, C2, and C3. . . 465.7 Results of Phase 2 using the columns of the Table 5.3 and their best eight

probabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

6.1 Results of the whole attack using a ciphertext with 201 symbols. . . . . . 54

8.1 Comparison with the results of previous works. . . . . . . . . . . . . . . . 68

B.1 Summary of the analyzed telegrams that were sent during the SpanishCivil War (1936-1939). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

C.1 Summary of the DVD content. . . . . . . . . . . . . . . . . . . . . . . . . 79

List of Algorithms

6.3.1 generateTree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

7.1.1 Initial-Position . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607.1.2 Random-Alphabet-Generation . . . . . . . . . . . . . . . . . . . . . . 617.1.3 SSC-Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627.1.4 SSC-Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Bibliography

[Ang07] Angelika Steger. Diskrete Strukturen, volume 2. Springer-Verlag, Berlin Heidel-berg, 2007.

[Art] Arturo Quirantes Sierra. Clave X: La Clave del Mar Cantábrico. http://www.ugr.es/~aquiran/cripto/museo/marcantabrico.htm.

[Bra] Brandi Dawn Brown. Enigma. German Machine Cipher "Broken" by PolishCryptologists. http://math.ucsd.edu/~crypto/students/enigma.html#pt5.

[Chr10] Christof Paar, Jan Pelzl. Understanding Cryptography. Springer-Verlag, BerlinHeidelberg, 2010.

[Cry] CrypTool 2. Open-Source Program for Cryptography and Cryptanalysis. http://www.cryptool.org/de/cryptool2.

[Ecl] Eclipse. Eclipse Java EE IDE for Web Developers. http://www.eclipse.org/webtools.

[Fco13] Fco. Alberto Campos, Alberto Gascón, Jesús María Latorre, and J. RamónSoler. Genetic Algorithms and Mathematical Programing to Crack the SpanishStrip Cipher. Cryptologia, 37(1):51–68, 2013.

[Jos07] José Ramón Soler Fuensanta, and Francisco Javier López-Brea Espiau. TheStrip Cipher - The Spanish Official Method. Cryptologia, 31(1):46–56, 2007.

[Jos08] José Ramón Soler Fuensanta, and Francisco Javier López-Brea Espriu. SoldadosSin Rostro. Inédita Editores, Folgueroles, Barcelona, 2008.

[Jos11] José Miguel Soriano de la Cámara. Criptoanálisis, Mediante Algoritmos Genéti-cos, de Textos Cifrados en la Guerra Civil Española con la Técnica de CintaMóvil. Diploma Thesis, Universidad Pontificia de Comillas - ICAI, Madrid, 2011.http://www.iit.upcomillas.es/pfc/resumenes/4e6552603553a.pdf.

[Jua13] Juan Luis López Martín. Software for Analyzing Pre-Electronic Ciphers. Bache-lor’s Thesis, Ruhr-University Bochum, Bochum, 2013.

[Mica] Microsoft. Microsoft .Net Framework 4.5. http://www.microsoft.com/de-de/download/details.aspx?id=30653.

[Micb] Microsoft. Microsoft Visual C# 2010 Express. http://www.microsoft.com/visualstudio/deu/products/visual-studio-2010-express.

http://www.ugr.es/~aquiran/cripto/museo/marcantabrico.htm

http://www.ugr.es/~aquiran/cripto/museo/marcantabrico.htm

http://math.ucsd.edu/~crypto/students/enigma.html#pt5

http://www.cryptool.org/de/cryptool2

http://www.cryptool.org/de/cryptool2

http://www.eclipse.org/webtools

http://www.eclipse.org/webtools

http://www.iit.upcomillas.es/pfc/resumenes/4e6552603553a.pdf

http://www.microsoft.com/de-de/download/details.aspx?id=30653

http://www.microsoft.com/de-de/download/details.aspx?id=30653

http://www.microsoft.com/visualstudio/deu/products/visual-studio-2010-express

http://www.microsoft.com/visualstudio/deu/products/visual-studio-2010-express

88 Bibliography

[Nic11] Nicolas Veyrat-Charvillon, Benoît Gérard, Mathieu Renauld, and François-Xavier Standaert. An optimal Key Enumeration Algorithm and its Applicationto Side-Channel Attacks. Cryptology ePrint Archive, Report 2011/610, 2011.http://eprint.iacr.org/.

[Oraa] Oracle. Class BigDecimal. http://docs.oracle.com/javase/1.5.0/docs/api/java/math/BigDecimal.html.

[Orab] Oracle. Java. http://www.oracle.com/us/technologies/java/overview/index.html.

[Orac] Oracle. Java Platform, Standard Edition 7 Development Kit. http://www.oracle.com/technetwork/java/javase/jdk-7-readme-429198.html.

[Rea] Real Academia Española. Exclusión de ch y ll del abecedario. http://rae.es/consultas/exclusion-de-ch-y-ll-del-abecedario.

[Tor] TortoiseSVN. Apache Subversion. http://tortoisesvn.net/.

http://eprint.iacr.org/

http://docs.oracle.com/javase/1.5.0/docs/api/java/math/BigDecimal.html

http://docs.oracle.com/javase/1.5.0/docs/api/java/math/BigDecimal.html

http://www.oracle.com/us/technologies/java/overview/index.html

http://www.oracle.com/us/technologies/java/overview/index.html

http://www.oracle.com/technetwork/java/javase/jdk-7-readme-429198.html

http://www.oracle.com/technetwork/java/javase/jdk-7-readme-429198.html

http://rae.es/consultas/exclusion-de-ch-y-ll-del-abecedario

http://rae.es/consultas/exclusion-de-ch-y-ll-del-abecedario

http://tortoisesvn.net/

Date post:	29-Oct-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

Analyzing Spanish Civil War Ciphers by Combining …€¦ · Acknowledgements...

Documents