Lecture1 PDF

The document describes several classical cryptosystems including the shift cipher, affine cipher, Vigenère cipher, Hill cipher, and linear feedback cipher. It explains how each cryptosystem works including the encryption and decryption processes. It also discusses methods for cryptanalysis of these systems including statistical analysis, known plaintext attacks, and solving systems of linear equations.

Uploaded by

poorva
Classical Cryptography

CSG 252 Fall 2006

Riccardo Pucella
Goals of Cryptography
Alice wants to send message X to Bob

Oscar is on the wire, listening to communications

Alice and Bob share a key K

Alice encrypts X into Y using K

Alice sends Y to Bob

Bob decrypts Y back to X using K

Want to protect message X from Oscar

Much better: protect key K from Oscar


Shift Cipher

Given a string M of letters

For simplicity, assume only capital letters of English
Remove spaces
Key k: a number between 0 and 25
To encrypt, replace every letter by the letter k places down the alphabet (wrapping around)
To decrypt, replace every letter by the letter k places up the alphabet (wrapping around)
Example: k=10, THISISSTUPID ➔ DRSCSCCDEZSN

Definition of Cryptosystem
A cryptosystem is a tuple (P,C,K,E,D) such that:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. K is a finite set of possible keys (keyspace)
4. For every k, there is an encryption function ek ∈ E and decryption function dk ∈ D such that dk(ek(x)) = x for all plaintexts x.
Encryption function assumed to be injective
Encrypting a message:
x = x1 x2 ... xn ➔ ek(x) = ek(x1) ek(x2) ... ek(xn)
Properties of Cryptosystems
Encryption and decryption functions can be efficiently computed

Given a ciphertext, it should be difficult for an opponent to identify the encryption key and the plaintext

For the last to hold, the key space must be large enough!

Otherwise, may be able to iterate through all keys


Shift Cipher, Revisited

P = Z26 = {0,1,2,...,25} (where A=0,B=1,...,Z=25)

C = Z26

K = Z26

ek = ?

Add k, and wraparound...


Modular Arithmetic
Congruence
a, b: integers; m: positive integer
a = b (mod m) iff m divides a-b
a congruent to b modulo m
Examples: 75 = 11 (mod 8), 75 = 3 (mod 8)
Given m, every integer a is congruent to a unique integer in {0,...,m-1}

Written a (mod m)

Remainder of a divided by m
Modular Arithmetic

Zm = { 0, 1, ..., m-1 }
Define a + b in Zm to be a + b (mod m)
Define a x b in Zm to be a x b (mod m)
Obeys most rules of arithmetic
+ commutative, associative, 0 additive identity
x commutative, associative, 1 mult. identity
x distributes over +
Formally, Zm forms a ring
For a prime p, Zp is actually a field
Shift Cipher, Finished

P = Z26 = {0,1,2,...,25} (where A=0, B=1,..., Z=25)

C = Z26

K = Z26

ek(x) = x + k (mod 26)

dk(y) = y - k (mod 26)

Size of the keyspace? Is this enough?


Affine Cipher
Let’s complicate the encryption function a little bit

K = Z26 x Z26 (tentatively)

ek(x) = (ax + b) mod 26, where k=(a,b)

How do you decrypt?

Given a, b, and y, can you find x ∈ Z26 such that (ax+b) = y (mod 26)?


Affine Cipher, Continued
Note: ax+b = y (mod m) is the same as ax = y-b (mod m)

Theorem: ax = y (mod m) has a unique solution x ∈ Zm iff gcd(a,m)=1

In order to decrypt, need to find a unique solution

Must choose only keys (a,b) such that gcd(a,26)=1

Let a^{-1} be the solution of ax = 1 (mod m)

Then a^{-1}b is the solution of ax = b (mod m)


Affine Cipher, Formally
P = C = Z26

K = { (a,b) | a,b ∈ Z26, gcd(a,26)=1 }

e(a,b)(x) = ax + b (mod 26)

d(a,b)(y) = ?

What is the size of the keyspace?

(Number of a’s with gcd(a,26)=1) x 26

φ(26) x 26
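
The affine cipher as defined above, written out as an added Python example (not part of the lecture). It uses the standard decryption rule x = a^{-1}(y - b) mod 26; the function names are assumptions of this example, and `image_size` shows why keys with gcd(a,26) ≠ 1 must be rejected.

```python
from math import gcd

M = 26  # alphabet size, A=0 ... Z=25

def check_key(a, b):
    """Reject keys outside K = {(a,b) : gcd(a,26) = 1}."""
    if gcd(a, M) != 1:
        raise ValueError(f"a={a} has no inverse mod {M}; encryption is not injective")
    return a % M, b % M

def encrypt(text, a, b):
    """e(a,b)(x) = ax + b (mod 26), applied letter by letter."""
    a, b = check_key(a, b)
    return "".join(chr((a * (ord(c) - 65) + b) % M + 65) for c in text)

def decrypt(text, a, b):
    """d(a,b)(y) = a^{-1} (y - b) (mod 26)."""
    a, b = check_key(a, b)
    a_inv = pow(a, -1, M)  # modular inverse, Python 3.8+
    return "".join(chr(a_inv * (ord(c) - 65 - b) % M + 65) for c in text)

def image_size(a, b):
    """Number of distinct ciphertext letters x -> ax + b produces, valid key or not."""
    return len({(a * x + b) % M for x in range(M)})

def keyspace():
    """All valid keys: phi(26) choices of a times 26 choices of b."""
    return [(a, b) for a in range(M) if gcd(a, M) == 1 for b in range(M)]

if __name__ == "__main__":
    ct = encrypt("HOT", 7, 3)  # constructed sample message and key
    print(ct, decrypt(ct, 7, 3))
    # a = 2 and a = 13 collapse the alphabet, so no unique decryption exists
    print(image_size(7, 3), image_size(2, 3), image_size(13, 3))
    print(len(keyspace()))
```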
Substitution Cipher

P = Z26
C = Z26
K = all possible permutations of Z26
A permutation P is a bijection from Z26 to Z26
ek(x) = k(x)
dk(x) = k^{-1}(x)
Example
Shift cipher, affine cipher
Size of keyspace?
Cryptanalysis
Kerckhoffs's Principle:
The opponent knows the cryptosystem being used
No “security through obscurity”
Objective of an attacker
Identify secret key used to encrypt a ciphertext
Different models are considered:
Ciphertext only attack
Known plaintext attack
Chosen plaintext attack
Chosen ciphertext attack
Cryptanalysis of Substitution Cipher

Statistical cryptanalysis

Ciphertext only attack

Again, assume plaintext is English, only letters

Goal of the attacker: determine the substitution

Idea: use statistical properties of English text


Statistical Properties of English

Letter probabilities (Beker and Piper, 1982): p0, ..., p25


A: 0.082, B: 0.015, C: 0.028, ...
More useful: ordered by probabilities:
E: 0.120
T,A,O,I,N,S,H,R: [0.06, 0.09]
D,L: 0.04
C,U,M,W,F,G,Y,P,B: [0.015, 0.028]
V,K,J,X,Q,Z: < 0.01
Most common digrams: TH,HE,IN,ER,AN,RE,ED,ON,ES,ST...
Most common trigrams: THE,ING,AND,HER,ERE,ENT,...
Statistical Cryptanalysis

General recipe:
Identify possible encryptions of E (most common English letter)

T,A,O,I,N,S,H,R: probably difficult to differentiate

Identify possible digrams starting/finishing with E (-E and E-)

Use trigrams

Find ‘THE’

Identify word boundaries


Polyalphabetic Ciphers

Previous ciphers were monoalphabetic

Each alphabetic character mapped to a unique alphabetic character

This makes statistical analysis easier

Obvious idea

Polyalphabetic ciphers

Encrypt multiple characters at a time


Vigenère Cipher

Let m be a positive integer (the key length)

P = C = K = Z26 x ... x Z26 = (Z26)^m

For k = (k1, ..., km):

ek(x1, ..., xm) = (x1 + k1 (mod 26), ..., xm + km (mod 26))

dk(y1, ..., ym) = (y1 - k1 (mod 26), ..., ym - km (mod 26))

Size of keyspace?
Cryptanalysis of Vigenère Cipher

Thought to thwart statistical analysis, until the mid-1800s

Main idea: first figure out key length (m)

Two identical segments of plaintext are encrypted to the same ciphertext if they are δ positions apart, where δ = 0 (mod m)

Kasiski Test: find all identical segments of length > 3 and record the distance between them: δ1, δ2, ...

m divides gcd(δ1, δ2, ...)


Index of Coincidence
We can get further evidence for the value of m as follows

The index of coincidence of a string X = x1...xn is the probability that two random elements of X are identical

Written Ic(X)

Let fi be the frequency of letter i in X; Ic(X) = ?

For an arbitrary string of English text, Ic(X) ≈ 0.065

If X is a shift ciphertext from English, Ic(X) ≈ 0.065

For m=1,2,3,... decompose ciphertext into substrings yi made of every mth letter; compute Ic of all substrings

Ics will be ≈ 0.065 for the right m

Ics will be ≈ 0.038 for wrong m
Then what?
Once you have a guess for m, how do you get keys?

Each substring yi:

Has length n’ = n/m

Encrypted by a shift ki

Probability distribution of letters: f0/n’, ..., f25/n’

f_{0+ki (mod 26)}/n’, ..., f_{25+ki (mod 26)}/n’ should be close to p0, ..., p25

Let M_g = ∑_{i=0,...,25} p_i f_{i+g (mod 26)} / n’


If g = ki, then Mg ≈ 0.065

If g ≠ ki, then Mg is usually smaller
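
The index-of-coincidence test and the M_g key search from the last two slides, as an added Python example (not part of the lecture). It uses the standard formula Ic(X) = ∑ f_i(f_i - 1) / (n(n - 1)); the frequency table holds approximate assumed values, and the sample text, the key "KEY" and all function names are constructed for this example.

```python
from collections import Counter

# Approximate English letter frequencies p0..p25 for A..Z (assumed values for this example).
P = [.082, .015, .028, .043, .127, .022, .020, .061, .070, .002, .008, .040, .024,
     .067, .075, .019, .001, .060, .063, .091, .028, .010, .023, .001, .020, .001]

def letters(text):
    """Keep only A-Z, upper-cased, as the lecture assumes."""
    return "".join(c for c in text.upper() if "A" <= c <= "Z")

def vigenere(text, key, sign=1):
    """Encrypt (sign=1) or decrypt (sign=-1) letter i with key letter i mod m."""
    return "".join(chr((ord(c) - 65 + sign * (ord(key[i % len(key)]) - 65)) % 26 + 65)
                   for i, c in enumerate(text))

def index_of_coincidence(s):
    """Ic(X) = sum_i f_i (f_i - 1) / (n (n - 1))."""
    n = len(s)
    return sum(f * (f - 1) for f in Counter(s).values()) / (n * (n - 1)) if n > 1 else 0.0

def column_ic(ct, m):
    """Average Ic over the m substrings y_i built from every m-th letter."""
    return sum(index_of_coincidence(ct[i::m]) for i in range(m)) / m

def best_shift(col):
    """g maximising M_g = sum_i p_i f_{(i+g) mod 26} / n' (n' is constant, so dropped)."""
    f = Counter(ord(c) - 65 for c in col)
    return max(range(26), key=lambda g: sum(P[i] * f[(i + g) % 26] for i in range(26)))

def recover_key(ct, m):
    return "".join(chr(best_shift(ct[i::m]) + 65) for i in range(m))

# Constructed sample text and key, not taken from the lecture.
PLAINTEXT = letters(
    "The index of coincidence measures how likely it is that two letters drawn at random from "
    "a text are the same. Ordinary English gives a value near the one quoted in the lecture "
    "because a few letters such as E, T and A occur far more often than the rest. A shift "
    "cipher only renames the letters, so the value does not change, while mixing several "
    "shifts flattens the distribution and pushes the value down toward that of random text. "
    "Splitting the ciphertext into columns by the right key length brings each column back "
    "to a single shift, and the high value returns.")
CIPHERTEXT = vigenere(PLAINTEXT, "KEY")

if __name__ == "__main__":
    for m in range(1, 7):  # average Ic per candidate key length
        print(m, round(column_ic(CIPHERTEXT, m), 3))
    key = recover_key(CIPHERTEXT, 3)
    print(key, vigenere(CIPHERTEXT, key, -1)[:40])
```

Multiples of the true key length also give a high average Ic, so the smallest m that stands out is the one to try first.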


15 minutes break
Hill Cipher
A more complex form of polyalphabetic cipher

Again, let m be a positive integer

P = C = (Z26)^m

To encrypt: (case m=2)

Take linear combinations of plaintext (x1, x2)

E.g., y1 = 11 x1 + 3 x2 (mod 26)
      y2 = 8 x1 + 7 x2 (mod 26)

Can be written as a matrix multiplication (mod 26)


Hill Cipher, Continued
K = Mat (Z26, m) (tentatively)

ek (x1, ..., xm) = (x1, ..., xm) k

dk (y1, ..., ym) = ?

Similar problem as for affine ciphers

Want to be able to reconstruct plaintext

Solve m linear equations (mod 26)

Equivalently, find a matrix k^{-1} such that k k^{-1} is the identity matrix

Need a key k to have an inverse matrix k^{-1}


Cryptanalysis of Hill Cipher
Much harder to break with ciphertext only
Easy with known plaintext
Recall: want to find secret matrix K
Assumptions:
m is known
Construct m distinct plaintext-ciphertext pairs
(X1, Y1), ..., (Xm, Ym)
Define matrix Y with rows Y1, ..., Ym
Define matrix X with rows X1, ..., Xm
Verify: Y = X K
If X is invertible, then K = X^{-1} Y!
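
The known-plaintext recovery K = X^{-1} Y for m = 2, as an added Python example (not part of the lecture). The key matrix is built from the coefficients of the earlier m=2 encryption example; the plaintext blocks and function names are constructed for this example, and the first two blocks are chosen so that their X is not invertible mod 26, which is why the code keeps searching.

```python
from itertools import combinations
from math import gcd

def inverse_2x2(X, n=26):
    """Inverse of a 2x2 matrix mod n, or None when det(X) is not a unit mod n."""
    (a, b), (c, d) = X
    det = (a * d - b * c) % n
    if gcd(det, n) != 1:
        return None
    inv = pow(det, -1, n)
    return [[d * inv % n, -b * inv % n], [-c * inv % n, a * inv % n]]

def matmul(A, B, n=26):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) % n for j in range(2)]
            for i in range(2)]

def encrypt_block(x, K, n=26):
    """e_k(x1, x2) = (x1, x2) K, row vector times key matrix."""
    return matmul([list(x), [0, 0]], K, n)[0]

def recover_key(pairs, n=26):
    """Try pairs of known blocks until X is invertible, then return X^{-1} Y."""
    for (x1, y1), (x2, y2) in combinations(pairs, 2):
        X_inv = inverse_2x2([list(x1), list(x2)], n)
        if X_inv is not None:
            return matmul(X_inv, [list(y1), list(y2)], n)
    return None  # no invertible X among the known blocks

# y1 = 11 x1 + 3 x2, y2 = 8 x1 + 7 x2 written as (x1, x2) K
KEY = [[11, 8], [3, 7]]
# Constructed known plaintext blocks: JU, LY, FR, ID
BLOCKS = [(9, 20), (11, 24), (5, 17), (8, 3)]
PAIRS = [(x, encrypt_block(x, KEY)) for x in BLOCKS]

if __name__ == "__main__":
    print(recover_key(PAIRS[:2]))  # None: det of X is 22, which shares a factor with 26
    print(recover_key(PAIRS))      # the key matrix
```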
Stream Ciphers
The cryptosystems we have seen until now are block ciphers
Characterized by ek(x1, ..., xn) = ek(x1), ..., ek(xn)
An alternative is stream ciphers
Generate a stream of keys Z = z1, ..., zn
Encrypt x1, ..., xn as ez1(x1), ..., ezn(xn)
Stream ciphers come in two flavors
Synchronous stream ciphers generate a key stream from a key independently from the plaintext
Non-synchronous stream ciphers can depend on plaintext
Synchronous Stream Ciphers

A synchronous stream cipher is a tuple (P,C,K,L,E,D) and a function g such that:
P and C are finite sets of plaintexts and ciphertexts
K is the finite set of possible keys
L is a finite set of keystream elements
g is a keystream generator, g(k)=z1z2z3..., zi ∈ L
For all z ∈ L, there is ez ∈ E and dz ∈ D such that dz(ez(x)) = x for all plaintexts x
Vigenère Cipher as a Stream Cipher
P = C = L = Z26

K = (Z26)^m

ez(x) = x + z (mod 26)

dz(y) = y - z (mod 26)

g(k1, ..., km) = k1k2...kmk1k2...kmk1k2...km...

This is a periodic stream cipher with period m

z_{i+m} = z_i for all i ≥ 1


Linear Feedback Cipher
Here is a way to generate a synchronous stream cipher
Take P = C = L = Z2 = { 0, 1 } (binary alphabet)
Note that addition mod 2 is just XOR
K = (Z2)^{2m}
A key is of the form (k1, ..., km, c0, ..., c_{m-1})
ez(x) = x + z (mod 2), dz(y) = y - z (mod 2)
g(k1, ..., km, c0, ..., c_{m-1}) = z1z2z3... defined as follows:

z1 = k1, ..., zm = km; z_{i+m} = ∑_{j=0,...,m-1} c_j z_{i+j} (mod 2)

If c0, ..., c_{m-1} are carefully chosen, period of the keystream is 2^m - 1
Advantage: can be implemented very efficiently in hardware
For fixed c0, ..., c_{m-1}
Cryptanalysis of Linear Feedback Cipher

Just like Hill cipher, susceptible to a known plaintext attack
And for the same reason: based on linear algebra
Given m, and pairs x1,x2,...,xn and y1,y2,...,yn of plaintexts and corresponding ciphertexts
Suppose n ≥ 2m
Note that zi = xi + yi (mod 2) by properties of XOR
This gives k1,...,km; remains to find c0, ..., c_{m-1}

Using z_{i+m} = ∑_{j=0,...,m-1} c_j z_{i+j} (mod 2), we get m linear equations in m unknowns (c0, ..., c_{m-1}), which we can solve
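
The keystream generator and the known-plaintext recovery described above, as an added Python example (not part of the lecture). The key (m = 4, recurrence z_{i+4} = z_i + z_{i+1}), the plaintext bits and the function names are constructed for this example; a singular system is reported as None instead of a guessed answer.

```python
def keystream(k, c, n):
    """z_1..z_m = k; z_{i+m} = sum_j c_j z_{i+j} (mod 2)."""
    z, m = list(k), len(k)
    while len(z) < n:
        z.append(sum(cj * zj for cj, zj in zip(c, z[-m:])) % 2)
    return z[:n]

def xor_bits(a, b):
    return [p ^ q for p, q in zip(a, b)]

def solve_gf2(A, rhs):
    """Gaussian elimination mod 2; returns the unique solution or None if A is singular."""
    m = len(A)
    rows = [row[:] + [r] for row, r in zip(A, rhs)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = xor_bits(rows[r], rows[col])
    return [row[m] for row in rows]

def recover_lfsr(plain, cipher, m):
    """Known-plaintext recovery of (k, c); needs n >= 2m matching bits."""
    z = xor_bits(plain, cipher)          # z_i = x_i + y_i (mod 2)
    if len(z) < 2 * m:
        raise ValueError("need at least 2m known bits")
    A = [z[i:i + m] for i in range(m)]   # row i holds z_i .. z_{i+m-1}
    c = solve_gf2(A, z[m:2 * m])         # right-hand sides are z_{i+m}
    return z[:m], c

# Constructed sample key and plaintext bits, not from the lecture.
K0 = [1, 0, 0, 0]
C0 = [1, 1, 0, 0]
PLAIN = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0]
CIPHER = xor_bits(PLAIN, keystream(K0, C0, len(PLAIN)))

if __name__ == "__main__":
    k, c = recover_lfsr(PLAIN, CIPHER, 4)
    print(k, c)
    print(keystream(k, c, 15))  # one full period, 2^4 - 1 bits
```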
Autokey Cipher
A simple example of a non-synchronous stream cipher
P = C = K = L = Z26
ez(x) = x + z (mod 26)
dz(x) = x - z (mod 26)
The keystream corresponding to key k is
z1 = k
z_i = x_{i-1} for all i ≥ 2
where x1, x2, x3, ... is the sequence of plaintext

What’s the problem?
