Classical Ciphers
CSCI 283 Fall 2005, Lecture 5 Part 1, GWU
CS 283/Fall 05/GWU/Vora/Classical Ciphers

- Terminology
- Monoalphabetic ciphers (Shift, Affine)
- Permutation Cipher; Vigenère
- Substitution Cipher and one-time pad

From Schneier: Some terminology
A sender encrypts a plaintext message to get ciphertext, which is sent to the receiver, who decrypts it to obtain the plaintext.
$e(P) = C$; $d(C) = P$; $d(e(P)) = P$; $d \circ e = I$; $e$ is one-to-one.
For the application of secret communication between two parties, it should not be possible for an eavesdropper to decrypt the message, i.e. $d$ should be easy for the (legitimate) receiver, not for anyone else.
9/30/2020 CS 283/Fall 05/GWU/Vora/Classical Ciphers 2

From Schneier: Some terminology - contd.
• Cipher: the cryptographic algorithm/mathematical function used to encrypt
• A restricted cipher is one whose security depends on keeping the algorithm secret. This is inadequate, because it provides no systematic way for external experts to carry out simulated attacks/vulnerability analysis, which typically improves security.

From Schneier: Some terminology - contd.
• A key is used as a parameter in some ciphers. The security of ciphers that use keys is based on keeping the key(s), and not the cipher, secret. $e_{K_1}(P) = C$; $d_{K_2}(C) = P$
• Keyspace: set of all possible keys.
• Cryptosystem: algorithm + all ciphertexts + all plaintexts + all keys

From Stinson: Formal definition of a cryptosystem
A cryptosystem consists of:
• $\mathcal{P}$: set of all plaintexts
• $\mathcal{C}$: set of all ciphertexts
• $\mathcal{K}$: set of all keys
• $\mathcal{E}$: set of encryption rules, $e_K: \mathcal{P} \to \mathcal{C}$
• $\mathcal{D}$: set of decryption rules, $d_K: \mathcal{C} \to \mathcal{P}$
$(d_K \circ e_K)(x) = x$; $d_K$ and $e_K$ are invertible and inverses of each other.

Typical Scenario
• Alice and Bob randomly choose a key $K \in \mathcal{K}$ when they are unobserved or communicating on a secure channel
• If Alice wants to send Bob a message $x_1 x_2 x_3 x_4 \ldots x_n$, she sends $y_1 y_2 y_3 y_4 \ldots y_n$, where $y_i = e_K(x_i)$ and $x_i$ is a symbol from the alphabet

Shift cipher on English alphabet (Classical Substitution Cipher)
A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Key = k (add 10, so A goes to 10, i.e. k)
ABCDEFGHIJKLMNOPQRSTUVWXYZ
klmnopqrstuvwxyzabcdefghij
Encryption example

Some more definitions
• Substitution cipher: A letter in the plaintext is substituted with another letter from the same alphabet
• Transposition cipher: Plaintext positions are changed, but letters are not.

From Schneier: Some terminology - Cryptanalysis
• Cryptanalysis is an analysis (usually a vulnerability analysis) of a cipher.
• Loss of key through means other than cryptanalysis (storage of key in an insecure fashion, for example) is a compromise.
• An attempt at cryptanalysis is an attack.
Kerckhoffs's assumption is that security resides entirely in the key, i.e. the cipher is not restricted in any way. This assumption is useful for external/open vulnerability analysis of different ciphers and for determining their security.

From Schneier: Cryptanalysis - types of attacks
• Known-plaintext: m and c known. When a known/expected message is encrypted, as in file headers of known file types (jpeg, tiff)
• Chosen-plaintext: m chosen by attacker. Attacker manages to make a naïve encrypter encrypt a chosen message
• Adaptive-chosen-plaintext: m chosen by attacker as attack proceeds
• Chosen-key: k chosen

From Schneier: Cryptanalysis - types of attacks – contd.
• Ciphertext-only: c known. Any eavesdropping/wire tapping/message interception
• Chosen-ciphertext: c chosen by attacker (as when the attacker has access to the decryption, for example DVD players for watermarking, or decrypting of a message encrypted with a public key)
• Rubber-hose (physical threat to key-holder)

Caesar cipher; key = 3 or D
ABCDEFGHIJKLMNOPQRSTUVWXYZ
defghijklmnopqrstuvwxyzabc
E(A) = d; Key = 3 (or Key = d)
$E(M) = (M + 3) \bmod 26$
$D(c) = (c - 3) \bmod 26$
$E_{Key}(\text{symbol}) = (\text{symbol} + Key) \bmod (\text{alphabet size})$
$D_{Key}(\text{symbol}) = (\text{symbol} - Key) \bmod (\text{alphabet size})$

Shift cipher - cryptanalysis
Decrypt (encrypted with a shift cipher): Beeakfydjxuqyhyjiqryhtyjiqfbqduyjiikfuhcqd
• Deciphering exactly one symbol in the ciphertext is enough to break the cipher. Serious weakness.
• Can decipher by targeting specific statistical properties of the language of the message, for example, single-letter words in English can only be "a" or "I"
• Can decipher easily by brute force: need to try only 26 keys.

Shift cipher – weaknesses and strengths
• Strengths:
  – Computationally efficient to encrypt and decrypt
  – No storage requirements
  – Ciphertext not longer than plaintext
• Weaknesses:
  – Vulnerable to brute force: a given ciphertext can correspond to only 26 messages (or as many messages as there are letters in the alphabet)
  – Even more vulnerable when the language has statistical properties, because some keys will quickly be apparent as unlikely/impossible given the ciphertext

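The brute-force weakness above, as an added example that is not part of the lecture slides: it tries all 26 keys on the ciphertext from the cryptanalysis slide and ranks the candidates with the English letter frequencies (per 1000) from the Stinson table later in the deck. The function names and the scoring rule (sum of letter frequencies) are choices made for this example.

```python
# Added example, not from the lecture: exhaustive key search on a shift cipher.
import string

ALPHABET = string.ascii_lowercase

# English letter frequencies per 1000 letters (Stinson's table from these slides).
ENGLISH_PER_1000 = {
    "e": 127, "t": 91, "a": 82, "o": 75, "i": 70, "n": 67, "s": 63,
    "h": 61, "r": 60, "d": 43, "l": 40, "c": 28, "u": 28, "m": 24,
    "w": 23, "f": 22, "g": 20, "y": 20, "p": 19, "b": 15, "v": 10,
    "k": 8, "j": 2, "q": 1, "x": 1, "z": 1,
}

# Ciphertext from the "Shift cipher - cryptanalysis" slide.
CIPHERTEXT = "Beeakfydjxuqyhyjiqryhtyjiqfbqduyjiikfuhcqd"


def shift(text, key):
    """Add key (mod 26) to every letter; other characters pass through."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + key) % 26] if ch in ALPHABET else ch
        for ch in text.lower()
    )


def encrypt(plaintext, key):
    return shift(plaintext, key)


def decrypt(ciphertext, key):
    return shift(ciphertext, -key)


def english_score(text):
    """Sum of per-letter English frequencies; higher looks more like English."""
    return sum(ENGLISH_PER_1000.get(ch, 0) for ch in text)


def brute_force(ciphertext):
    """Try all 26 keys and return (key, candidate) pairs, best score first."""
    candidates = [(k, decrypt(ciphertext, k)) for k in range(26)]
    return sorted(candidates, key=lambda kc: english_score(kc[1]), reverse=True)


if __name__ == "__main__":
    for key, text in brute_force(CIPHERTEXT)[:3]:
        print(key, text)
```
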
Shift cipher - Lessons learnt
• Need a cipher that takes more keys than the length of the language alphabet, so brute force is more difficult
• Key should not be determinable from decrypting a single symbol
• How about two variables in the key, not 1?

Affine cipher - definition
$e(x) = (ax + b) \bmod m$
$d(y) = a^{-1}(y - b) \bmod m$
Is this possible for all a? Try on example: m = 6. Find $a^{-1}$ for all $a \in Z_m$.

GCD: definition
The gcd (Greatest Common Divisor) of two integers m and n, denoted gcd(m, n), is the largest non-negative integer that divides both m and n. In other words, it is the unique positive common divisor x of m and n that satisfies:
$y \mid m$ and $y \mid n \;\Rightarrow\; y \mid x \quad \forall y$

Affine Cipher
$\mathcal{P} = \mathcal{C} = Z_m$
$\mathcal{K} = \{(a, b) \in Z_m \times Z_m : \gcd(a, m) = 1\}$
$e_K(x) = (ax + b) \bmod m$
$d_K(y) = a^{-1}(y - b) \bmod m$

Affine cipher examples
Encrypt firstletstrythekasiskitest
Using key:

Complexity of attacks
Brute-force attack for alphabet of size n
How difficult is it to break this? How many possible keys? $m^2$? $m$?

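An added example (not from the slides) that works through the two affine-cipher questions above: which a have an inverse in Z_m (the m = 6 exercise), and how many keys (a, b) a brute-force attacker must try. The key (7, 3) used for the round trip is a sample chosen for this example, since the slide's own key is not given; function names are also this example's own.

```python
# Added example, not from the lecture: invertibility and key count for the affine cipher.
from math import gcd


def invertible_elements(m):
    """Map each a in Z_m with gcd(a, m) = 1 to its inverse a^-1 mod m."""
    return {a: pow(a, -1, m) for a in range(m) if gcd(a, m) == 1}


def key_count(m):
    """Number of valid keys (a, b): invertible choices of a times m choices of b."""
    return len(invertible_elements(m)) * m


def encrypt(plaintext, a, b, m=26):
    """e_K(x) = (a*x + b) mod m over lowercase letters a..z."""
    if gcd(a, m) != 1:
        raise ValueError(f"a={a} has no inverse mod {m}; e_K is not one-to-one")
    return "".join(chr((a * (ord(c) - 97) + b) % m + 97) for c in plaintext)


def decrypt(ciphertext, a, b, m=26):
    """d_K(y) = a^-1 * (y - b) mod m."""
    a_inv = pow(a, -1, m)  # raises ValueError when gcd(a, m) != 1
    return "".join(chr(a_inv * (ord(c) - 97 - b) % m + 97) for c in ciphertext)


def collisions(a, b, m):
    """Group plaintext symbols by ciphertext symbol, keeping groups larger than 1."""
    groups = {}
    for x in range(m):
        groups.setdefault((a * x + b) % m, []).append(x)
    return {y: xs for y, xs in groups.items() if len(xs) > 1}


if __name__ == "__main__":
    print("m = 6 inverses:", invertible_elements(6))
    print("a = 2, m = 6 collisions:", collisions(2, 1, 6))
    print("keys for m = 26:", key_count(26))
    msg = "firstletstrythekasiskitest"
    print(encrypt(msg, 7, 3), "->", decrypt(encrypt(msg, 7, 3), 7, 3))
```
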
Vigenère Cipher
$E_k$: for $v \in Z_m^n$, $v \mapsto (v + k) \bmod m$
Long strings of letters k, such as lines from poems.
Example. No index of coincidence.

Permutation Cipher
x          1 2 3 4 5
π(x)       3 2 5 1 4

x          1 2 3 4 5
π^{-1}(x)
Encrypt: canwegohomenow

Definition: Permutation Cipher
$\mathcal{P} = \mathcal{C} = (Z_m)^n$
$\mathcal{K} = \{\pi \mid \pi \text{ a permutation of } \{1, 2, \ldots, n\}\}$
$e_\pi(x_1, x_2, \ldots, x_n) = (x_{\pi(1)}, x_{\pi(2)}, \ldots, x_{\pi(n)})$
$d_\pi(x_1, x_2, \ldots, x_n) = (x_{\pi^{-1}(1)}, x_{\pi^{-1}(2)}, \ldots, x_{\pi^{-1}(n)})$

Special Permutation Cipher
Perhaps the oldest known cipher
classisboringtoday
ciidlsnaabgysotrsrox
What was the permutation?
History

How about a cipher with many, many possible keys?

How about using many, many keys?
ABCDEFGHIJKLMNOPQRSTUVWXYZ
cjmzuvywrdbunjoxaeslptfghi
Different key for each letter in the alphabet? A letter goes to another one. Each time a letter appears in the message, it encrypts to the same letter in the ciphertext.

Substitution cipher
$\mathcal{P} = \mathcal{C} = Z_m$
$\mathcal{K}$ = all permutations of $Z_m$
$e_\pi(x) = \pi(x)$
$d_\pi(y) = \pi^{-1}(y)$
The key is the table: 26! keys
Brute force could be expensive

Substitution cipher - cryptanalysis
lxr rwq zoazqgr sfuqb bqabq virw gxlkiz uqnb, vwqjq ir bisgkn sqfab fggkniay rwq gjicfrq rjfabmojsfrioa mijbr fad rwqa rwq gxlkiz oaq. wq wfcq aorqd rwfr f sfeoj gjolkqs virw gjicfrq uqnb ib rwq bwqqj axslqj om uqnb f biaykq xbqj wfb ro brojq fad rjfzu. virw gxlkiz uqnb, oakn rvo uqnb fjq aqqdqd gqj xbqj: oaq gxlkiz fad oaq gjicfrq. kqr xb bqq vwfr dimmejqazq rwib sfuqb ia rwq axslqj om uqnb aqqdqd.

Substitution cipher - cryptanalysis
Ciphertext letter counts:
a 22   b 24   c 4    d 9    e 2    f 21   g 13   h 0    i 20   j 16   k 10   l 8    m 6
n 9    o 15   p 0    q 51   r 28   s 9    t 0    u 9    v 7    w 16   x 10   y 2    z 8

From Stinson: Frequency of occurrence
• English (every 1000): E 127, T 91, A 82, O 75, I 70, N 67, S 63, H 61, R 60, D 43, L 40, C 28, U 28, M 24, W 23, F 22, G 20, Y 20, P 19, B 15, V 10, K 8, J 2, Q 1, X 1, Z 1
• Ciphertext: q 51, r 28, b 24, a 22, f 21, i 20, j 16, w 16, o 15, g 13, x 10, k 10, d 9, u 9, n 9, s 9, l 8, z 8, v 7, m 6, c 4, e 2, y 2, h 0, t 0, p 0

q = E
lxr rwE zoazEgr sfuEb bEabE virw gxlkiz uEnb, vwEjE ir bisgkn sEfab fggkniay rwE gjicfrE rjfabmojsfrioa mijbr fad rwEa rwE gxlkiz oaE. vE wfcE aorEd rwfr f sfeoj gjolkEs virw gjicfrE uEnb ib rwE bwEEj axslEj om uEnb f biaykE xbEj wfb ro brojE fad rjfzu. virw gxlkiz uEnb oakn rvo uEnb fjE aEEdEd gEj xbEj: oaE gxlkiz fad oaE gjicfrE. kEr xb bEE vwfr dimmejEazE rwib sfuEb ia rwE axslEj om uEnb aEEd.

From Stinson: Digram/Trigram occurrence
• Digram: TH HE IN ER AN RE ED ON ES ST EN AT TO NT HA ND OU EA NG AS OR TI IS ET IT AR TE SE HI OF
• Trigram: THE ING AND HER ERE ENT THA NTH WAS ETH FOR DTH

q = E
lxr rwE zoazEgr sfuEb bEabE virw gxlkiz uEnb vwEjE ir bisgkn sEfab fggkniay rwE gjicfrE rjfabmojsfrioa mijbr fad rwEa rwE gxlkiz oaE. vE wfcE aorEd rwfr f sfeoj gjolkEs virw gjicfrE uEnb ib rwE bwEEj axslEj om uEnb f biaykE xbEj wfb ro brojE fad rjfzu. virw gxlkiz uEnb, oakn rvo uEnb fjE aEEdEd gEj xbEj: oaE gxlkiz fad oaE gjicfrE. kEr xb bEE vwfr dimmejEazE rwib sfuEb ia rwE axslEj om uEnb aEEd.
Ciphertext digrams beginning with E: En 6, Ej 6, Ed 5, Ea 2, Eb 2, Er 1, Ef 1, Es 1, Eg 1
English digrams beginning with E: ER ED ES EN EA ET
Ciphertext digrams ending in E: uE 8, wE 8, aE 5, bE 5, rE 4, kE 3, jE 3, dE 2, zE 2, gE 1, vE 1, cE, lE 1, sE 1
English digrams ending in E: HE RE TE SE
English letters by frequency: TAOI NSHRD
Ciphertext letters by frequency: r b af i j wogxkd
j = R; d = D; b or a = S; w = H

q = E; j = R; w = H; d = D
lxr rHE zoazEgr sfuEb bEabE virH gxlkiz uEnb vHERE ir bisgkn sEfab fggkniay rHE gRicfrE rRfabmoRsfrioa miRbr fad rHEa rHE gxlkiz oaE. vE HfcE aorEd rHfr f sfeoR gRolkEs virH gjicfrE uEnb ib rHE bHEER axslER om uEnb f biaykE xbER Hfb ro broRE fad rRfzu. HirH gxlkiz uEnb, oakn rvo uEnb fRE aEEdEd gER xbER: oaE gxlkiz fad oaE gRicfrE. kEr xb bEE vHfr dimmeREazE rHib sfuEb ia rHE axslER om uEnb aEEd.
English letters by frequency: TAOI NS
Ciphertext letters by frequency: r b af i og
r = T

q = E; j = R; w = H; r = T; d = D
lxT THE zONzEgr MAuES SENSE WITH gxlkIz uEnS WHERE IT SIMgkn MEANS AggknINy THE gRIcATE TRANSFORMATION FIRST AND THEN THE gxlkIz ONE. WE HAVE NOTED THAT A MAJOR PROlkEM WITH PRIVATE uEnS IS THE SHEER NxMlER OF uEnS A SIaykE xSER HAS TO STORE AND TRAzu. WITH gxlkIz uEnS, ONkn TWO uEnS ARE NEEDED gER xSER: ONE PxlkIz AND ONE PRIVATE. kET xS SEE WHAT DImmeRENzE THIS sAuES IN THE NxBlER OF uEnS NEEDED.
English letters by frequency: O NS
Ciphertext letters by frequency: b a og
v = W; i = I; f = A; b = S; o = O; m = F; a = N; s = M; c = V; g = P; e = J

Substitution cipher - cryptanalysis
ABCDEFGHIJKLMNOPQRSTUVWXYZ
flzdqmywieuksaogtjbrxcvhnp
BUT THE CONCEPT MAKES SENSE WITH PUBLIC KEYS WHERE IT SIMPLY MEANS APPLYING THE PRIVATE TRANSFORMATION FIRST AND THEN THE PUBLIC ONE. WE HAVE NOTED THAT A MAJOR PROBLEM WITH PRIVATE KEYS IS THE SHEER NUMBER OF KEYS A SINGLE USER HAS TO STORE AND TRACK. WITH PUBLIC KEYS ONLY TWO KEYS ARE NEEDED PER USER ONE PUBLIC AND ONE PRIVATE. LET US SEE WHAT DIFFERENCE THIS MAKES IN THE NUMBER OF KEYS NEEDED.

Substitution cipher – cryptanalysis algorithm
• Look for "a"/"I"
• Compute frequency of single letters; compare to that of English
• Compute frequency of digrams; compare to that of English
• Compute frequency of trigrams; compare to that of English
• Etc.

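The counting steps of this algorithm, as an added example that is not part of the lecture slides: it counts single letters and trigrams in the first sentence of the slides' ciphertext, applies the first guess q = E, and then applies the full key table recovered on the last cryptanalysis slide. The excerpt is lowercased with one extraction-damaged word normalised to "bisgkn"; function names are this example's own.

```python
# Added example, not from the lecture: frequency counts on a substitution ciphertext.
from collections import Counter

# First sentence of the slides' ciphertext (excerpt prepared for this example).
CIPHERTEXT = (
    "lxr rwq zoazqgr sfuqb bqabq virw gxlkiz uqnb, vwqjq ir bisgkn sqfab "
    "fggkniay rwq gjicfrq rjfabmojsfrioa mijbr fad rwqa rwq gxlkiz oaq."
)

# Key table from the final cryptanalysis slide: plaintext A..Z -> ciphertext letter.
KEY_ROW = "flzdqmywieuksaogtjbrxcvhnp"
DECRYPT = {c: chr(65 + i) for i, c in enumerate(KEY_ROW)}


def is_permutation(key_row):
    """A valid substitution key uses each of the 26 letters exactly once."""
    return sorted(key_row) == [chr(97 + i) for i in range(26)]


def ngram_counts(text, n):
    """Count n-grams inside words only, so spaces and punctuation never match."""
    counts = Counter()
    for word in "".join(ch if ch.isalpha() else " " for ch in text).split():
        counts.update(word[i:i + n] for i in range(len(word) - n + 1))
    return counts


def apply_partial(text, mapping):
    """Show guessed letters as uppercase plaintext; leave the rest as ciphertext."""
    return "".join(mapping.get(ch, ch) for ch in text)


if __name__ == "__main__":
    print(ngram_counts(CIPHERTEXT, 1).most_common(5))   # 'q' leads, so guess q = E
    print(ngram_counts(CIPHERTEXT, 3).most_common(3))   # 'rwq' is a THE candidate
    print(apply_partial(CIPHERTEXT, {"q": "E"}))
    print(apply_partial(CIPHERTEXT, DECRYPT))
```
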
Substitution cipher – strengths and weaknesses
• Strengths:
  – Not vulnerable to brute force attacks
  – Encryption and decryption require low computational overhead, though more than the Shift cipher
  – Ciphertext not longer than plaintext
• Weaknesses:
  – Vulnerable to statistical attack if language/message has statistical structure
  – Requires storage of key table

Substitution cipher – lessons learnt
• In spite of 26! possible keys, can break, because of structure of message
• Can we make a message without statistical structure?
• Examples? Images in well-compressed form. What about zip files?

Perfect Cipher: One-time pad
Example over English alphabet
Example over binary alphabet
Perfect because, after knowing the ciphertext, a random guess is as good as any other.

Doesn’t need a computer

Basic Pixels (from Douglas Stinson’s website)

What about a biased one-time pad?
Suppose the probability of a 0 in the key is p. Is the one-time pad perfectly secret?

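A worked derivation for the question above, added here and not part of the original slide. Assumptions: a one-bit message $m$ with prior $\Pr[m = 0] = q$ (the symbol $q$ is introduced for this derivation), an independent key bit $k$ with $\Pr[k = 0] = p$, and ciphertext $c = m \oplus k$.

$$\Pr[c = 0] = \Pr[m = 0]\Pr[k = 0] + \Pr[m = 1]\Pr[k = 1] = qp + (1 - q)(1 - p)$$

$$\Pr[m = 0 \mid c = 0] = \frac{qp}{qp + (1 - q)(1 - p)}$$

Perfect secrecy requires $\Pr[m = 0 \mid c = 0] = q$ for every prior $q$. For $0 < q < 1$ this gives

$$p = qp + (1 - q)(1 - p) \;\Longrightarrow\; p(1 - q) = (1 - q)(1 - p) \;\Longrightarrow\; p = \tfrac{1}{2}.$$

So the pad is perfectly secret only when the key bits are unbiased. With $p = 0.9$ and $q = 0.5$, for example, $\Pr[m = 0 \mid c = 0] = 0.45 / (0.45 + 0.05) = 0.9$: seeing the ciphertext raises the eavesdropper's confidence from 0.5 to 0.9.
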
One-time pad inefficient
Need to get the entire key secretly to the message receiver
Need a cryptosystem where managing keys is easier.