How many can you identify?
History (or how I will give you hope of becoming world famous and earning $70 million along the way)
Disclaimer
http://explosm.net/comics/3557/
Cryptography's butt
AOUSATUPRSVNEG
SOURAV SEN GUPTA
USVRAO ENS PUTGA
Transposition Cipher
Caesar cipher
Simple shifting of letters.
Only 13 possible keys.
Easy to break exhaustively.
Substitution Cipher
Earliest mention in the Kama-sutra.
26! possible keys.
88 bits of secrecy.
Arab Cryptanalysis
Al-Kindi "On Deciphering Cryptographic Messages"
9th century
FREQUENCY ANALYSIS
Structure of the English language
Move to digrams and trigrams for better results.
Mary Queen of Scots (16th Century)
Assassinate
Solved by Elizabeth's cryptanalyst
Vigenère cipher (16th century)
Overcome the statistical weakness of ciphers?
Polyalphabetic ciphers
- A letter in the cipher can represent multiple letters from the plain text
Not broken till the 19th century.
How do we figure out the length?
Use properties of the English language.
$\sum_{i=0}^{25} p_i^2 \approx 0.065$ if the $p_i$ follow the letter frequencies. Else, $\sum_{i=0}^{25} \frac{1}{26^2} \approx 0.038$
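An added example (not from the original slides) of the key-length test described above: for each candidate length it averages the index of coincidence over the columns and returns the first length that scores nearer 0.065 than 0.038. The sample text, the keyword LEMON and all function names are constructed for illustration, and the statistic is the usual without-replacement estimate of $\sum p_i^2$.

```python
from collections import Counter

# Constructed sample plaintext and keyword (not from the slides).
PLAINTEXT = (
    "the index of coincidence measures how likely it is that two letters "
    "drawn at random from a text are the same in ordinary english prose "
    "that chance is close to one in fifteen because a few letters such as "
    "e t a and o appear far more often than the rest when a message is "
    "enciphered with a repeating keyword every letter position uses a "
    "different shift and the combined frequencies flatten out towards the "
    "uniform value but if the analyst splits the ciphertext into columns "
    "using the true keyword length each column is just a caesar cipher and "
    "the familiar uneven distribution of the language shows through again "
    "trying each candidate length in turn and averaging the statistic over "
    "the columns therefore reveals the period of the key"
)
KEY = "LEMON"

def vigenere(text, key):
    """Encrypt the letters of text with a repeating keyword (A=0 ... Z=25)."""
    letters = [c for c in text.upper() if c.isalpha()]
    return "".join(chr((ord(c) + ord(key[i % len(key)]) - 130) % 26 + 65)
                   for i, c in enumerate(letters))

def ic(text):
    """Index of coincidence: chance that two letters drawn from text match
    (the without-replacement estimate of sum p_i^2)."""
    n = len(text)
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1))

def column_ic(text, length):
    """Average IC over the columns text[0::length], text[1::length], ..."""
    return sum(ic(text[i::length]) for i in range(length)) / length

def guess_key_length(ciphertext, max_length=12, threshold=(0.065 + 0.038) / 2):
    """Smallest length whose columns score nearer 0.065 than 0.038."""
    for length in range(1, max_length + 1):
        if column_ic(ciphertext, length) > threshold:
            return length
    return None

if __name__ == "__main__":
    ct = vigenere(PLAINTEXT, KEY)
    for n in range(1, 8):
        print(n, round(column_ic(ct, n), 3))
    print("key length:", guess_key_length(ct))
```

At the true length every column is a Caesar shift of plaintext letters, so its index of coincidence equals that of the underlying plaintext column exactly.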
Increase the keyword length?
Create a keyword that is as long as the message.
Can't use the methods discussed previously.
Are we done?
Failed because the key wasn't "random" enough?
What is random?
https://xkcd.com/221/
http://dilbert.com/strip/2001-10-25
Why does it work?
Generate all possible plaintexts from a given ciphertext.
All the keys will look random.
Zodiac
Late 60s in the US.
Killer sent ciphers to solve.
"I LIKE KILLING PEOPLE BECAUSE IT IS SO MUCH FUN IT IS MORE
FUN THAN KILLING WILD GAME IN THE FORREST BECAUSE MAN
IS THE MOST DANGEROUE ANAMAL OF ALL TO KILL
SOMETHING GI.."
But who is the zodiac?
340 character cipher.
Unsolved to this day.
Beale cipher
3 ciphers
- Location
- Contents
- Names of treasure owners
Buried treasure of gold, silver and jewels estimated to be worth over US$63 million as of September 2011
Was it an elaborate hoax?
Why has it withstood cryptanalysis for centuries?
Enigma
Marian Rejewski
Differential Cryptanalysis
Where your disillusionment dies.
DES
[Figure: DES round structure with halves L and R, linear operations, subkey and S-boxes]
S-Box
Substitution boxes
Non-Linear
Can't represent output bits as a linear operation of input bits.
Implemented by a table look-up
S1(101011) = 7
How can we use an S-box?
[Figure: input X, key K, S-box S]
     00  01  10  11
0    10  01  11  00
1    00  10  01  11
Inputs are known: $X_1 = 110$ and $X_2 = 010$
Outputs of S-box known: $S(X_1 \oplus K) = 10$ and $S(X_2 \oplus K) = 01$
$X_1 \oplus K \in \{000, 101\} \implies K \in \{110, 011\}$
$X_2 \oplus K \in \{001, 110\} \implies K \in \{011, 100\}$
$K = 011$
Differences
Focus on input and output differences.
We know the inputs $X_1$ and $X_2$. But the inputs to the S-boxes are $X_1 \oplus K$ and $X_2 \oplus K$.
XOR of the inputs to the S-box: $(X_1 \oplus K) \oplus (X_2 \oplus K) = X_1 \oplus X_2$
The difference is independent of the key.
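The key recovery and the difference property above, as an added example that is not part of the original slides. The table indexing (row = first input bit, column = last two input bits) is the reading that reproduces the slide's values, and the function names are made up for illustration.

```python
from collections import Counter

# Toy S-box from the slide: 3-bit input -> 2-bit output.
# Indexing (an assumption that matches the slide's numbers):
# row = first input bit, column = last two input bits.
SBOX = {0b000: 0b10, 0b001: 0b01, 0b010: 0b11, 0b011: 0b00,
        0b100: 0b00, 0b101: 0b10, 0b110: 0b01, 0b111: 0b11}

def key_candidates(x, y):
    """All 3-bit keys K with S(x ^ K) == y, found by inverting the table."""
    return {x ^ s_in for s_in, s_out in SBOX.items() if s_out == y}

def recover_key(observations):
    """Intersect the candidate sets of every known (input, output) pair."""
    keys = set(range(8))
    for x, y in observations:
        keys &= key_candidates(x, y)
    return keys

def input_difference_is_key_independent(x1, x2):
    """(x1 ^ K) ^ (x2 ^ K) equals x1 ^ x2 for every key K."""
    return all((x1 ^ k) ^ (x2 ^ k) == x1 ^ x2 for k in range(8))

def output_differences(dx):
    """How often each output difference occurs for input difference dx,
    counted over all 8 S-box inputs. No key is needed to compute this."""
    return Counter(SBOX[x] ^ SBOX[x ^ dx] for x in range(8))

if __name__ == "__main__":
    x1, x2 = 0b110, 0b010
    print(sorted(key_candidates(x1, 0b10)))            # one pair: two candidates
    print(sorted(recover_key([(x1, 0b10), (x2, 0b01)])))  # two pairs: one key
    print(input_difference_is_key_independent(x1, x2))
    print(dict(output_differences(x1 ^ x2)))
```

One known pair leaves two key candidates, the second pair narrows them to one, and the output-difference table for $X_1 \oplus X_2 = 100$ is computed without touching the key.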
TINY DES (TDES)
[Figure: one TDES round with halves L and R, Expand, subkey $K_i$ and S-boxes SL and SR; bit widths shown: 8, 12, 6 and 4]
$F(R, K) = S(\mathrm{expand}(R) \oplus K)$
$S_R$   0 1 2 3 4 5 6 7 8 9 A B C D E F
0       C 5 0 A E 7 2 8 D 4 3 9 6 F 1 B
1       1 C 9 6 3 E B 2 F 8 4 5 D A 0 7
2       F A E 6 D 8 2 4 1 7 9 0 3 5 B C
3       0 A 3 C 8 2 1 E 9 7 F 6 B 5 D 4
$K_1 = k_2 k_4 k_5 k_6 k_7 k_1 k_{10} k_{11} k_{12} k_{14} k_{15} k_8$
$K_2 = k_4 k_6 k_7 k_0 k_1 k_3 k_{11} k_{12} k_{13} k_{15} k_8 k_9$
$K_3 = k_6 k_0 k_1 k_2 k_3 k_5 k_{12} k_{13} k_{14} k_8 k_9 k_{10}$
$K_4 = k_0 k_2 k_3 k_4 k_5 k_7 k_{13} k_{14} k_{15} k_9 k_{10} k_{11}$
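$\mathrm{expand}(R) = \mathrm{expand}(r_0 r_1 \cdots r_7) = (r_4 r_7 r_2 r_1 r_5 r_7 r_0 r_2 r_6 r_5 r_0 r_3)$
$X_1 \oplus X_2 = 001000 \implies S_R(X_1) \oplus S_R(X_2) = 0010$ with probability ¾
If $X_1 \oplus X_2 = 000000 \implies S_R(X_1) \oplus S_R(X_2) = 0000$ with probability 1
$P = (L_0 \| R_0)$ and $\tilde{P} = (\tilde{L}_0 \| \tilde{R}_0)$
$P \oplus \tilde{P} = (L_0 \| R_0) \oplus (\tilde{L}_0 \| \tilde{R}_0) = 0000\ 0000\ 0000\ 0010 = \mathtt{0x0002}$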
Chosen plaintext attack
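$\mathrm{expand}(X_1) \oplus \mathrm{expand}(X_2) = \mathrm{expand}(X_1 \oplus X_2)$
$R_0 \oplus \tilde{R}_0 = 0000\ 0010 \implies \mathrm{expand}(R_0) \oplus \mathrm{expand}(\tilde{R}_0) = \mathrm{expand}(R_0 \oplus \tilde{R}_0)$
$= \mathrm{expand}(0000\ 0010) = 000000\ 001000$
$F(R_0, K) \oplus F(\tilde{R}_0, K) = S(\mathrm{expand}(R_0) \oplus K) \oplus S(\mathrm{expand}(\tilde{R}_0) \oplus K)$
$= 0000\ 0010$ with probability ¾
Is the "expand" function linear?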
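$R_2 \oplus \tilde{R}_2 = L_1 \oplus F(R_1, K_2) \oplus (\tilde{L}_1 \oplus F(\tilde{R}_1, K_2))$
$= L_1 \oplus \tilde{L}_1 \oplus (F(R_1, K_2) \oplus F(\tilde{R}_1, K_2))$
$= R_0 \oplus \tilde{R}_0 \oplus (F(R_1, K_2) \oplus F(\tilde{R}_1, K_2))$
$= 0000\ 0010 \oplus 0000\ 0010 = 0000\ 0000$
With probability $\frac{3}{4} \times \frac{3}{4}$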
Recovering the key
What do we have?
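$P \oplus \tilde{P} \implies (L_0 \oplus \tilde{L}_0) \| (R_0 \oplus \tilde{R}_0)$
$C \oplus \tilde{C} \implies (L_4 \oplus \tilde{L}_4) \| (R_4 \oplus \tilde{R}_4)$
$R_4 = L_3 \oplus F(R_3, K_4)$ and $\tilde{R}_4 = \tilde{L}_3 \oplus F(\tilde{R}_3, K_4)$
$\implies R_4 = L_3 \oplus F(L_4, K_4)$ and $\tilde{R}_4 = \tilde{L}_3 \oplus F(\tilde{L}_4, K_4)$
$\implies L_3 = R_4 \oplus F(L_4, K_4)$ and $\tilde{L}_3 = \tilde{R}_4 \oplus F(\tilde{L}_4, K_4)$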
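If $C \oplus \tilde{C} = \mathtt{0x0202}$, then with high probability $L_3 = \tilde{L}_3$
$\implies R_4 \oplus F(L_4, K_4) = \tilde{R}_4 \oplus F(\tilde{L}_4, K_4)$
$\implies R_4 \oplus \tilde{R}_4 = F(L_4, K_4) \oplus F(\tilde{L}_4, K_4)$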
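Let $L_4 = \ell_0 \ell_1 \ell_2 \ell_3 \ell_4 \ell_5 \ell_6 \ell_7$ and $\tilde{L}_4 = \tilde{\ell}_0 \tilde{\ell}_1 \tilde{\ell}_2 \tilde{\ell}_3 \tilde{\ell}_4 \tilde{\ell}_5 \tilde{\ell}_6 \tilde{\ell}_7$
Then
$0000\ 0010 = \big(S_L(\ell_4 \ell_7 \ell_2 \ell_1 \ell_5 \ell_7 \oplus k_0 k_2 k_3 k_4 k_5 k_7) \,\|\, S_R(\ell_0 \ell_2 \ell_6 \ell_5 \ell_0 \ell_3 \oplus k_{13} k_{14} k_{15} k_9 k_{10} k_{11})\big)$
$\oplus \big(S_L(\tilde{\ell}_4 \tilde{\ell}_7 \tilde{\ell}_2 \tilde{\ell}_1 \tilde{\ell}_5 \tilde{\ell}_7 \oplus k_0 k_2 k_3 k_4 k_5 k_7) \,\|\, S_R(\tilde{\ell}_0 \tilde{\ell}_2 \tilde{\ell}_6 \tilde{\ell}_5 \tilde{\ell}_0 \tilde{\ell}_3 \oplus k_{13} k_{14} k_{15} k_9 k_{10} k_{11})\big)$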
Algorithm
1. Pick plaintext pairs with the given difference.
2. Run the algorithm with the unknown key to get ciphertext pairs.
3. Discard ciphertext pairs that don't satisfy output difference.
4. For all possible values of the 6 key bits identified, check if the derived condition holds.
These key bits can be guessed separately from the others.
The remaining key bits can be guessed by exhaustive search with one ciphertext.
Thus an overall complexity of about $2^{11}$, which is better than the exhaustive search over the entire keyspace.
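An added example, not code from the original slides, covering both the $S_R$ difference property stated earlier and step 4 of the algorithm above. Assumptions: DES-style S-box indexing (row = x0 x5, column = x1 x2 x3 x4), a constructed subkey value, and constructed right pairs standing in for steps 1-3 because the page does not give $S_L$.

```python
# S_R rows 0-3 copied from the table on this page, one hex digit per column.
SR = ["C50AE728D4396F1B", "1C963EB2F845DA07",
      "FAE6D824179035BC", "0A3C821E97F6B5D4"]
EXPAND = (4, 7, 2, 1, 5, 7, 0, 2, 6, 5, 0, 3)  # expand() bit order from this page

def s_r(x):
    """S_R on a 6-bit input x0..x5 (x0 is the most significant bit).
    Assumption: DES-style indexing, row = x0 x5, column = x1 x2 x3 x4."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return int(SR[row][(x >> 1) & 0xF], 16)

def expand(r):
    """Expand the 8-bit half r0..r7 (r0 most significant) to 12 bits."""
    out = 0
    for i in EXPAND:
        out = out << 1 | (r >> (7 - i)) & 1
    return out

def diff_prob(dx, dy):
    """Fraction of the 64 inputs x with S_R(x) ^ S_R(x ^ dx) == dy."""
    return sum(s_r(x) ^ s_r(x ^ dx) == dy for x in range(64)) / 64

def expand_is_linear():
    """Check expand(a) ^ expand(b) == expand(a ^ b) for every pair of bytes."""
    return all(expand(a) ^ expand(b) == expand(a ^ b)
               for a in range(256) for b in range(256))

def sr_diff(l4, l4t, k):
    """S_R output difference in the last round for a 6-bit subkey guess k."""
    return s_r((expand(l4) & 0x3F) ^ k) ^ s_r((expand(l4t) & 0x3F) ^ k)

def right_pairs(k_true):
    """Constructed stand-in for steps 1-3 (S_L is not on the page, so the full
    cipher is not run): every (L4, L4 ^ 0x02) whose S_R difference is 0010."""
    return [(l4, l4 ^ 0x02) for l4 in range(256)
            if sr_diff(l4, l4 ^ 0x02, k_true) == 0b0010]

def surviving_keys(pairs):
    """Step 4: guesses for k13 k14 k15 k9 k10 k11 consistent with every pair."""
    return {k for k in range(64)
            if all(sr_diff(a, b, k) == 0b0010 for a, b in pairs)}

if __name__ == "__main__":
    print(diff_prob(0b001000, 0b0010), diff_prob(0, 0), expand_is_linear())
    k_true = 0b101101  # constructed sample value, not from the page
    print(sorted(surviving_keys(right_pairs(k_true))))
```

The check cannot distinguish a guess from the same guess XORed with the input difference 001000, so more than one candidate always survives and the final choice falls to the exhaustive search over the remaining bits.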
Swept under the rug
What is a good probability?
How many plaintext pairs do we need?
Are there assumptions that we've taken for granted?
Thank you