Saverchenko Ilya Classical Cryptography

Transcript Saverchenko Ilya Classical Cryptography

Introduction to
Cryptography
Historical
Cryptosystems
Classical Cryptography
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Presented by:
Ilya Saverchenko
Agenda
• Introduction to cryptography
– Historical overview
– Definition of a cryptosystem
• Historical cryptosystems
– Monoalphabetic cryptosystems
– Polyalphabetic cryptosystems
– Rotor machines
• Overview of various cryptoanalysis techniques
• Cryptanalysis of several historical cryptosystems
2
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Historical Overview
• Egyptians (4500 years ago)
Introduction to
Cryptography
• Military
Historical
Cryptosystems
• Religion; Christian New Testament
Introduction to
Cryptanalysis
• Romans; Julius Caesar
3
Joint Advanced Student School 2005
Breaking Historical
Cryptosystems
Cryptographic Goals
Introduction to
Cryptography
• Confidentiality
Historical
Cryptosystems
Secure
Communication
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
•
Data integrity
•
Authentication
•
Non-repudiation
4
Joint Advanced Student School 2005
Cryptosystem
• Definition:
Introduction to
Cryptography
A cryptosystem is a five-tuple {P,C, K , E, D}, where
the following conditions are satisfied:
1. P is a finite set of possible plaintexts
Historical
Cryptosystems
Introduction to
Cryptanalysis
2. C is a finite set of possible ciphertexts
3. K , the keyspace, is a finite set of possible keys
4. For each k  K , there is an encryption rule ek  E
and a corresponding decryption rule d k  D. Each
ek : P  C and d k : C  P are functions such that
d k (ek ( p ))  p for every plaintext element p  P.
5
Joint Advanced Student School 2005
Breaking Historical
Cryptosystems
Cryptosystem
• Description:
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
• The communicating parties are usually referred to
as Alice and Bob. The character who is
eavesdropping the communication channel is called
Eve. The goal of Alice and Bob is to exchange
messages in such way that Eve would be unaware
of their content.
6
Joint Advanced Student School 2005
Historical Cryptosystems
• Monoalphabetic ciphers:
– The Shift Cipher
– The Substitution Cipher
• Polyalphabetic ciphers:
– The Vigenére Cipher
– The Hill Cipher
• The Permutation Cipher
• Rotor machines
7
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Modular Arithmetic
• Definition:
Introduction to
Cryptography
Suppose a and b are integers, and m is a positive integer.
Then we write a  b(mod m) if m divides a  b. The phrase
a  b(mod m) is called a congruence, and it is read as "a is
congruent to b modulo m", m is called the modulus.
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
• For example:
2 ≡ 11(mod 3) as
2 mod 3 = 11 mod 3 = 2
12 ≡ -16(mod 7) as
12 mod 7 = -16 mod 7 = 5 (-16 = -3×7 + 5)
8
Historical
Cryptosystems
Joint Advanced Student School 2005
Modular Arithmetic
• Arithmetic modulo m is defined as follows:
m
Introduction to
Cryptography
is defined to be a set {0,..., m  1}, equiped with two
operations, + and ×. Addition and multiplication in
m
work exactly like real addition and multiplication, except
that the results are reduced modulo m.
• This definition satisfy most of the familiar arithmetic
rules, e.g. addition is closed, multiplication is
commutative, etc.
• For example:
9
for any a, b
m
for any a, b
m
, a  b
m
, ab  ba
Historical
Cryptosystems
m
Joint Advanced Student School 2005
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Equivalence Class
• The equivalence class of an integer a is a set of all
integers congruent to a mod m.
E.g. if m = 7, then 9 and 16 are in the same
equivalence class.
• If a = nm + r, where 0 ≤ r < m and n ≥ 0, then
a ≡ r (mod m). r is called the least residue of a mod
m. It can be seen that any integer a congruent
modulo m to a unique integer between 0 and m - 1.
For example:
13 ≡ 3 (mod 5)
3 is the least residue of 13 mod 5
10
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Shift Cipher
Let P  C  K 
26
. For 0  k  25, define
ek ( p )  ( p  k )mod26 ( p 
26
)
and
d k (c )  (c  k )mod26 (c 
26
)
• Once a key is chosen, this cipher maps each
alphabetic character to a unique alphabetic
character. Such ciphers are called monoalphabetic.
• The Shift Cipher has only 26 distinct keys!
• The famous Caesar Cipher is the Shift Cipher
with k = 3.
11
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Shift Cipher
•
•
12
A
B
C
D
E
F
G
H
I
J
K
L
M
0
1
2
3
4
5
6
7
8
9
10
11
12
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
13
14
15
16
17
18
19
20
21
22
23
24
25
In order to encrypt a plaintext string, using a given key,
we have to perform the following operations:
– Convert the string to a sequence of integers
– Add value of the key to each integer, reducing each
sum modulo 26
– Convert the sequence of integers to a ciphertext
string
Decryption works in a similar way. However to decrypt a
ciphertext one should subtract value of the key from each
integer instead of adding it.
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Shift Cipher
Example:
• We will encrypt “julius” using the Shift Cipher with
key k = 3.
• First convert the plaintext to a sequence of integers
(9 20 11 8 20 18)
• Next, we add 3 to each value, reducing each sum
modulo 26 if needed
(12 23 14 11 23 21)
• The last step is to convert the integers to
alphabetical characters
“MXOLXV”
13
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Substitution Cipher
Let P  C. K consists of all possible permutations
of the 26 symbols 1,2,3,...,25. For each permutation
Introduction to
Cryptography
k  K , define
Historical
Cryptosystems
ek ( p )  k ( p )
Introduction to
Cryptanalysis
and
d k (c )  k 1( p )
where k 1 is the inverse permutation to k.
• The Substitution Cipher is a monoalphabetic cipher.
• It is one of the oldest known ciphers.
• 26! possible keys. Yet it is not difficult to break.
Especially if the given ciphertext length is greater
than 50 symbols.
14
Joint Advanced Student School 2005
Breaking Historical
Cryptosystems
The Substitution Cipher
a
b
c
d
e
f
g
h
i
j
k
l
m
M
I
B
A
U
P
E
G
Z
S
C
Y
W
n
o
p
q
r
s
t
u
v
w
x
y
z
Q
F
D
R
T
V
X
H
O
K
J
L
N
• To encrypt a plaintext message one has to
substitute all letters in the original text with the
corresponding ciphertext letters, using the
permutation function.
• For decryption the inverse permutation is used.
• Using the table above one can encipher “secret” to
“VUBTUX”.
15
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Vigenère Cipher
Let m be a positive integer. Define P  C  K  (
m
26 ) .
For a key k  (k1, k2 ,..., k m ), we define
ek ( p1, p2 ,..., pm )  ( p1  k1, p2  k 2 ,..., pm  k m )
and
d k (c1, c2 ,..., cm )  (c1  k1, c2  k 2 ,..., cm  k m ),
where all operations are performed in
26
.
• The Vigenère Cipher is a polyalphabetic cipher.
Thus the cipher can map an alphabetic character to
several other characters.
• This cipher is named after Blaise de Vigenère (16th
century). Yet it was first described by Giovan Batista
Belaso in 1553.
• The number of possible keywords of length m is
26m.
16
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Vigenère Cipher
A
B
C
D
E
F
G
H
I
J
K
L
M
0
1
2
3
4
5
6
7
8
9
10
11
12
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
13
14
15
16
17
18
19
20
21
22
23
24
25
• To encipher a message we again make use of the
table
– Both the key and the original plaintext have to be
written as sequence of integers.
– An integer string corresponding to the message is
split on n blocks of size m, where m is length of
the key.
– The keyword is added (modulo 26) to each block.
• Decryption is similar, except that the keyword is
subtracted (modulo 26) from each ciphertext block.
17
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Vigenère Cipher
A simple example:
• The plaintext is “attackatdawn” and the keyword is
“cipher”, thus m = 6.
• The numerical equivalent of k is (2 8 15 7 4 17).
The plaintext can be written using integers as
(0 19 19 0 2 10 0 19 3 14 22 13).
• Now we split the plaintext message in two blocks of
six, and add the keyword modulo 26 to each of them
0 19 19 0 2 10 0 19 3 14 22 13
2 8 15 7 4 17 2 8 15 7 4 17
2 1 8 7 6 1 2 1 18 21 0 4
• Thus the ciphertext is “CBIHGBCBSVAE”.
18
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Vigenère Cipher
A simple example (cont.):
• To decrypt the ciphertext “CBIHGBCBSVAE”, we
follow the same sequence of steps.
Introduction to
Cryptography
• The numerical equivalent of k is (2 8 15 7 4 17).
The ciphertext can be written using integers as
(2 1 8 7 6 1 2 1 18 21 0 4).
Introduction to
Cryptanalysis
• Now subtract the keyword modulo 26 from the
ciphertext
2 1 8 7 6 1 2 1 18 21 0 4
2 8 15 7 4 17 2 8 15 7 4 17
0 19 19 0 2 10 0 19 3 14 22 13
• We were able to recover the original plaintext, which
is “attackatdawn”.
19
Joint Advanced Student School 2005
Historical
Cryptosystems
Breaking Historical
Cryptosystems
The Hill Cipher
Let m  2 be an integer. Let P  C  (
m
)
and let
26
K  {m  m invertible matrices over
26
}
For a key k, we define
ek ( p )  pk
d k (c )  ck 1,
26
.
• As well as Vigenère, this cipher is polyalphabetic.
• It was invented by Lester S. Hill in 1929.
20
Historical
Cryptosystems
Introduction to
Cryptanalysis
and
where all operations are performed in
Introduction to
Cryptography
Joint Advanced Student School 2005
Breaking Historical
Cryptosystems
The Hill Cipher
A
B
C
D
E
F
G
H
I
J
K
L
M
0
1
2
3
4
5
6
7
8
9
10
11
12
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
13
14
15
16
17
18
19
20
21
22
23
24
25
• To encrypt a message using the Hill Cipher one
should perform the following sequence of steps:
– Using the table, plaintext message has to be
expressed as sequence of integers in such a
way that p = (p1, …, pm)
– The key is an m×m matrix
– The resulting ciphertext c = ek(p) = p×k will be a
string (c1, …, cm) of length m
• To decrypt the ciphertext one should apply the
inverse linear transformation. In other words
p = c×k-1, where kk-1 mod 26 = I.
21
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Hill Cipher
Example:
•
•
Encrypting a message using the Hill Cipher is very simple.
Decryption however is more challenging.
We are given the following ciphertext “CKHUMD”, with
 11 3 
k 

 8 7
•
To decrypt the ciphertext produced with the Hill Cipher,
one should apply the inverse linear transformation k-1.
 7 3   7 23 
k 1  (11 7  3  8)1 
 =
,

8
11
18
11

 

where (11 7  3  8)1 is the reciprocal of the residue
of (11 7  3  8)1(mod26)
•
22
After k-1 is found, it is easy to find the corresponding
plaintext, which is “matrix” in our case.
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Permutation Cipher
Let m be a positive integer. Let P  C  (
26
)m and
Introduction to
Cryptography
let K consist of all permutations of {1,..., m}. For a key k
(e.g. a permutation), we define
ek ( p1,..., pm )  ( pk (1),..., pk ( m ) )
and
d k (c1,..., cm )  (ck 1 (1),..., ck 1( m ) ),
where k 1 is the inverse permutation to k.
• This cryptosystem is really old.
• It was described in book by Giovanni Porta written
in 1563.
• “Rail-fence” cipher is an example of permutation
cipher.
23
Joint Advanced Student School 2005
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
The Permutation Cipher
• In order to use the cipher a permutation has to be
defined. Let us use the following permutation as
example:
p
1 2 3 4 5 6
c
1 2 3 4 5 6
k(p)
5 1 6 3 2 4
k-1(c)
2 5 4 6 1 3
• Since m = 6, the original message has to be broken
on n groups of six letters each. If last group is
shorter, necessary number of dummy letters can be
appended to the end.
• Each group is rearranged according to the
permutation defined previously.
• To decrypt a ciphertext message inverse
permutation should be applied in a similar way.
24
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Rotor Machines
• In the beginning of twentieth century mechanical
encryption devices started to be developed, in order
to automate encryption/decryption process.
Introduction to
Cryptography
• Rotor machines were using a substitution cipher,
which was rotated each cycle. Actually this idea was
already used during the American Civil War.
Introduction to
Cryptanalysis
• The best well known rotor
machine is Enigma.
25
Joint Advanced Student School 2005
Historical
Cryptosystems
Breaking Historical
Cryptosystems
Rotor Machines, Enigma
• Enigma used three rotors chosen from a set of five.
The three rotors were interconnected, so first rotor
would turn the second each full iteration, and
second would turn the third.
• A number of additional mechanisms
were used to make the cipher more
secure.
• However incorrect usage of the device allowed
Allies to break the code.
26
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis
• The general assumption is that an opponent, Eve,
knows the cryptosystem being used. This is referred
to as Kerchkhoffs’ principle.
Introduction to
Cryptography
• Goal of a cryptanalyst is to recover the original
plaintext message without knowing the key being
used or to deduce the key itself.
Introduction to
Cryptanalysis
• Common attack models are:
– Ciphertext only attack
– Known plaintext attack
– Chosen plaintext attack
– Adaptive-chose plaintext attack
– Chosen ciphertext attack
– Adaptive-chosen ciphertext attack
27
Joint Advanced Student School 2005
Historical
Cryptosystems
Breaking Historical
Cryptosystems
Ciphertext Only Attack
• The cryptanalyst possesses a string of ciphertext.
Introduction to
Cryptography
• Given:
c = ek(p)
Determine:
p or k (the key being used)
Historical
Cryptosystems
• Any cryptosystem vulnerable to this type of attack is
considered to be completely insecure.
28
Joint Advanced Student School 2005
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Known Plaintext Attack
• The cryptanalyst possesses a plaintext message
and corresponding ciphertext.
• Given:
p and c = ek(p)
Determine:
k (the key used for encrypting the plaintext
message)
or a function that would produce correct
plaintext for a given ciphertext
29
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Chosen and Adaptive-chosen
Plaintext Attack
• The cryptanalyst can choose a message to be
encrypted. In case of adaptive-chosen plaintext
attack, the cryptanalyst has obtained temporary
access to the encryption machine. So he can
choose a message to be encrypted based on
previously achieved results.
• Given:
p1, c1 = ek(p1), p2, c2 = ek(p2), …, pn, cn = ek(pn)
Determine:
k (the key used for encrypting the plaintext
message)
or a function that would produce correct
plaintext for a given ciphertext
30
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Chosen and Adaptive-chosen
Ciphertext Attack
• The cryptanalyst can choose a ciphertext and obtain
corresponding plaintext message. In case of
adaptive-chosen ciphertext attack, the cryptanalyst
has obtained temporary access to the decryption
machine. So he can select ciphertext based on
previously achieved results.
• Given:
c1, p1 = dk(c1), c2, p2 = dk(c2), …, cn, pn = dk(cn)
Determine:
k (the key used for encrypting the plaintext
message)
or a function that would produce correct
plaintext for a given ciphertext
31
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Breaking Historical Cryptosystems
• Now we will apply the knowledge acquired and
break several cryptosystems described earlier.
• Yet before we need to talk about statistical
properties of English language, since it is being
used by many techniques of cryptanalysis.
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
32
Joint Advanced Student School 2005
Statistics
• Following are statistics for single letters:
letter
prob
letter
prob
letter
prob
A
B
C
D
E
F
G
H
I
.082
.015
.028
.043
.127
.022
.020
.061
.070
J
K
L
M
N
O
P
Q
R
.002
.008
.040
.024
.067
.075
.019
.001
.060
S
T
U
V
W
X
Y
Z
.063
.091
.028
.010
.023
.001
.020
.001
• Most common digrams are: TH, HE, IN, ER, AN,
RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU,
EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI, OF
• Most common trigrams are: THE, ING, AND, HER,
ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH
33
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of
the Substitution Cipher
• We will try to break the Substitution Cipher using
ciphertext-only attack.
• Here is the intercepted ciphertext:
BTLDXFETMDGLGMVMYFQEMQAPMVBZQMXZQEGZVXFTL
XGUWFVXBFWDYUXUQFQXUBGQZBMYMBBFHQXFPXGU
VHISUBXZVCMGQVXGUBFAUITUMCUTVXGZVIFFCXTMBUV
BTLDXFETMDGLPTFWZXVZQZXZMYMQAYZWZXUAHVUIL
XGUUELDXZMQVVFWUPFHTXGFHVMQALUMTVMEFXFXGU
XKUQXZUXGBUQXHTLKGUTUZXDYMLUAMBTHBZMYTFYU
ZQXGUFHXBFWUFPIFXGKFTYAKMTVBFWDYUXUAZQ
QZQUXUUQVZJXLXGTUUXGUIFFCBFOUTVXGFVUMVDUBXV
FPXGUGZVXFTLKGZBGKUTUWFVXVZEQZPZBMQXXFXGU
AUOUYFDWUQXFPXGUVHISUBX
34
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of
the Substitution Cipher
• Statistics for single letter of the ciphertext
letter
prob
letter
prob
letter
prob
A
B
C
D
E
F
G
H
I
.023
.054
.010
.026
.018
.090
.066
.023
.018
J
K
L
M
N
O
P
Q
R
.003
.015
.030
.061
.000
.005
.020
.059
.000
S
T
U
V
W
X
Y
Z
.005
.054
.120
.066
.023
.118
.028
.064
• Most common digrams are: XG (16), GU (11), XF
(8), QX (7), VX (7), BF (6), UX (6), ZQ (6)
• Most common trigrams are: XGU (10), BFW, FPX,
FXG, GZV, LDX, LXG, MQA, PXG, UBX, UQX,
UXU, VXG - all appear three times in the text
35
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of
the Substitution Cipher
• Now we can make a few assumptions. U and X
appear the most often in the ciphertext. We can
assume that this letters correspond with E and T in
the original message.
• The most common digram in the ciphertext is XG.
That means X = T and then G = H. THE is the most
common trigram in English, so we can conclude that
U = E.
• XF is a common digrams. We know that X = T. So
XF can be TO or TI. O is a bit more frequent in
English than I, so F = O.
36
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of
the Substitution Cipher
• Now our ciphertext looks as follows:
Introduction to
Cryptography
BTLDtoETMDhLhMVMYoQEMQAPMVBZQMtZQEhZVtoTL
theWoVtBoWDYeteQoQteBhQZBMYMBBoHQtoPthe
VHISeBtZVCMhQVtheBoAeITeMCeTVthZVIoCtTMBeV
BTLDtoETMDhLPToWZtVZQZtZMYMQAYZWZteAHVeIL
theeELDtZMQVVoWePoHTthoHVMQALeMTVMEotothe
tKeQtZethBeQtHTLKheTeZtDYMLeAMBTHBZMYToYe
ZQtheoHtBoWeFPIothKoTYAKMTVBoWDYeteAZQ
QZQeteeQVZJtLthTeetheIooCBFOeTVthFVeMVDeBtV
oPthehZVtoTLKhZBhKeTeWoVtVZEQZPZBMQttothe
AeOeYoDWeQtoPtheVHISeBt
Historical
Cryptosystems
• X = T, G = H, U = E, F = O
37
Joint Advanced Student School 2005
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of
the Substitution Cipher
• Let’s analyze QX and UQX. QX can be AT, NT, or IT.
However if we consider UQX trigram, we can see
that most likely Q = N.
Introduction to
Cryptography
• MQA is a common trigram. Taking into account that
Q = N, we say that MQA = AND. Hence M = A and A
= D.
Introduction to
Cryptanalysis
• By now we know that Q = N, M = A, A = D, X = T, G
= H, U = E, F = O. Proceeding in the same way it is
not difficult to recover the complete message.
38
Joint Advanced Student School 2005
Historical
Cryptosystems
Breaking Historical
Cryptosystems
Cryptanalysis of
the Substitution Cipher
• The recovered plaintext message (with spaces
added) is:
Introduction to
Cryptography
Historical
Cryptosystems
cryptography has a long and fascinating history
the most complete nontechnical account of the
subject is kahns the codebreakers this book traces
cryptography from its initial and limited use by
the egyptians some four thousand years ago to the
twentieth century where it played a crucial role
in the outcome of both world wars completed in
nineteen sixty three the book covers those aspects
of the history which were most significant to the
development of the subject
(Taken from Handbook of Applied Cryptography, by A. Menezes, P. van
Oorschot, and S. Vanstone)
39
Joint Advanced Student School 2005
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of the Vigenère Cipher
• The Vigenère Cipher is polyalphabetic, so additional
cryptoanalysis techniques should be used.
Historical
Cryptosystems
• The ciphertext is:
MRGFNIATXZQVFFNUXFFYBTCETYXIIXGZKACJLRGKQYEIX
OYYAUAPXYIJLHPRGVTSFPAYNNYURZOPHXWYXLFRNUTZBR
FKAHFWFZESYUWZMOLLBSBZBJHFPLXKHVIVMZTZHUIWAET
IUEDFGLXDIEXIYJIUXPNNEIXABVCINTVCIEZYYDAZGZIW
TYXJIKTRZLMFFKALGZNVKZXIIMXUUNAPGVXFUSMISKHVY
VOCRVXRIWTYXZOIRFNUXZNXLDUDPZGVHVOWMOYJERLAUG
LVTUXTHRBUQZTYTXORNKBASFFXGHQVDSHUYJSYHDYUWYX
YYKHVTUCDACAHXSEVGJIEFZGLXRSBXSYKOEPPNYAKTUAC
EFYILFWEAHCIAUALLZNXMVCKLRRHGFNXMOYUESKPM
40
Introduction to
Cryptography
Joint Advanced Student School 2005
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of the Vigenère Cipher
• As mentioned above, the Vigenère Cipher makes
use of a keyword of length m.
• Our first step is to determine the key. After that
decryption of the message is easy.
• There are two techniques that can be employed.
Namely the Kasiski test and the index of
coincidence.
41
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of the Vigenère Cipher
•
•
•
42
The Kasiski test was introduced in 1863 by a Prussian
military officer Friedrich Kasiski. The method is based on
the observation that two identical segments of plaintext
will be encrypted to the same ciphertext as long as they
are δ positions apart (δ ≡ 0 (mod m)).
Our goal is to find several identical pieces of text, each of
length at least three, and record the distance between
their starting position. m divides all of the distances δ1, δ2,
…, δn. Hence m divides the greatest common divisor of
the δi’s.
In the ciphertext trigram TYX occurs 3 times. The starting
positions are 25, 181, and 235. The distance between the
first and the second is 156 symbols, between the first and
the third 210. The gcd of these two numbers is 6, so we
can assume that the keyword length is also 6.
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of the Vigenère Cipher
•
•
Now we will use the index of coincidence to see if it gives
the same result.
The index of coincidence is defined as follows:
Suppose x  x1x2 ...xn is a string of n alphabetic
characters. The index of coincedence of x,
denoted Ic ( x ), is defined to be the probability that
two random elements of x are identical.
•
If we denote the frequencies of A, B, C, …, Z in x by f1, f2,
f3, …, f25. We can choose two elements of x in
n
  ways.
 2
There are  fi  ways of choosing two same elements.
 2
Hence, we have the formula
 fi  25

   fi (fi  1)
i 0 2
Ic ( x )     i  0
n(n  1)
n
 
2
43
25
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of the Vigenère Cipher
• Index of coincidence of a string written in English is
approximately equal to 0.065.
25
Ic ( x )   p  0.065
i 0
2
i
• The same reasoning applies if x is a ciphertext
string obtained using a monoalphabetic cipher.
• Now we rewrite the ciphertext c in the following way
c1
c2
cm
 c1cm 1c2m 1 ...
 c2cm  2cm  2 ...
...
 cm c2m c3 m ...
• If c1, c2, …, cm are constructed in such a way that m
is the keyword length, then each Ic(ci) should be
approximately equal to 0.065
44
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of the Vigenère Cipher
• On the other hand, if m is not the keyword length,
the strings ci would look much more random. A
completely random string would have
2
1
 1 
Ic  26   
 0.038
26
 26 
• Following table contains Ic for different values of m:
m
Ic
1
0.043
2
0.052; 0.051
3
0.05; 0.059; 0.045
4
0.049; 0.053; 0.052; 0.051
5
0.034; 0.05; 0.048; 0.038; 0.045
6
0.063; 0.07; 0.083; 0.062; 0.071; 0.048
7
0.033; 0.041; 0.038; 0.046; 0.041; 0.04; 0.047
• This method also shows that m = 6.
45
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of the Vigenère Cipher
• To determine the keyword itself we use a method
similar to the index of coincidence.
• Each substring ci was produced using a
monoalphabetic cipher. Thus defining a shift g we
can use the following formula
25
pi fi g
i 0
n
Mg  
where f1, f2, …, fi denotes the frequencies of A, B,
…, Z in the substring ci, and n is the length of the
substring.
• If g is the correct shift value, Mg would be roughly
equal to 0.065
• Now we have to the most suitable value of Mg for
each of the substrings.
46
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of the Vigenère Cipher
i
Mg
1
0.062; 0.042; 0.033; 0.035; 0.041; 0.039; 0.030; 0.040; 0.036; 0.039;
0.026; 0.040; 0.043; 0.046; 0.038; 0.046; 0.032; 0.033; 0.042; 0.043;
0.037; 0.029; 0.047; 0.035; 0.032; 0.036
2
0.033; 0.037; 0.035; 0.035; 0.046; 0.042; 0.048; 0.040; 0.032; 0.028;
0.043; 0.040; 0.038; 0.046; 0.037; 0.026; 0.042; 0.065; 0.037; 0.033;
0.041; 0.044; 0.029; 0.036; 0.038; 0.034
3
0.038; 0.030; 0.038; 0.029; 0.043; 0.041; 0.052; 0.034; 0.041; 0.041;
0.036; 0.033; 0.040; 0.040; 0.028; 0.050; 0.031; 0.025; 0.036; 0.073;
0.039; 0.035; 0.034; 0.044; 0.033; 0.038
4
0.040; 0.043; 0.034; 0.047; 0.038; 0.031; 0.042; 0.064; 0.037; 0.027;
0.030; 0.042; 0.036; 0.036; 0.038; 0.039; 0.043; 0.041; 0.040; 0.034;
0.044; 0.042; 0.040; 0.033; 0.027; 0.034
5
0.030; 0.037; 0.034; 0.030; 0.046; 0.047; 0.041; 0.036; 0.035; 0.043;
0.047; 0.035; 0.038; 0.035; 0.033; 0.036; 0.049; 0.034; 0.027; 0.044;
0.065; 0.037; 0.026; 0.044; 0.045; 0.028
6
0.031; 0.039; 0.041; 0.041; 0.038; 0.044; 0.044; 0.034; 0.030; 0.037;
0.039; 0.036; 0.035; 0.039; 0.034; 0.034; 0.042; 0.059; 0.043; 0.029;
0.036; 0.043; 0.037; 0.033; 0.039; 0.035
• We have found the keyword, which is ARTHUR.
47
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of the Vigenère Cipher
• The recovered plaintext message (with spaces
added) is:
Introduction to
Cryptography
Historical
Cryptosystems
many traces we found of him in the boggirt island where
he had hid his savage ally a huge drivingwheel and a
shaft halffilled with rubbish showed the position of an
abandoned mine beside it were the crumbling remains of
the cottages of the miners driven away no doubt by the
foul reek of the surrounding swamp in one of these a
staple and chain with a quantity of gnawed bones showed
where the animal had been confined a skeleton with a
tangle of brown hair adhering to it lay among the debris.
(Taken from Hound of the Baskervilles, by Arthur Conan Doyle)
48
Joint Advanced Student School 2005
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Cryptanalysis of the Hill Cipher
• We will break the Hill Cipher using a known plaintext
attack, since it can be difficult to break using only
ciphertext.
Introduction to
Cryptography
• Suppose we possess m distinct plaintext-ciphertext
pairs pj = (p1,j, p2,j, …, pm,j) and
cj = (c1,j, c2,j, …, cm,j), where m is the key dimension.
Introduction to
Cryptanalysis
• Let us define two m×m matrices X = (ci,j) and Y =
(pi,j). Then Y = Xk.
• Now it is easy to find the key, k = X-1Y,
where XX-1 mod 26 = I.
49
Joint Advanced Student School 2005
Historical
Cryptosystems
Breaking Historical
Cryptosystems
Cryptanalysis of the Hill Cipher
• Assume we have ciphertext “IKNQYB” and we know
that the plaintext is “cipher”.
• Assume m = 2. ek(2, 8) = (8, 10), ek(15, 7) = (13,
16), and ek (4, 17) = (24, 1). Using the second and
the third plaintext-ciphertext pairs, we come up with
the following equation in the form Y = Xk
 13 16  15 7 


k
24
1
4
17

 

• To find the key, we need inverse modulo of X
1
 15 7 
 5 1





4
17
8
9




• Now
 5 1  13 16  11 3 
k 



8
9
24
1
8
7


 

50
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Other Types of Attacks
• Brute force attack. This kind of attack can be
effectively used if keyspace of a cryptosystem
allows it. For example it is easy to break the Caesar
Cipher using the brute force attack, since there are
only 26 available keys.
Introduction to
Cryptography
• “Rubber hose” cryptography. Has nothing to do with
cryptography. This kind of attack includes bribery,
blackmail, and other alike methods. Yet it is one of
the most effective kind of attacks on modern
cryptosystems.
Breaking Historical
Cryptosystems
51
Joint Advanced Student School 2005
Historical
Cryptosystems
Introduction to
Cryptanalysis
The Historical Cryptosystems
in Our Days
• The cryptosystems described in this presentation
are not only interesting from the historical point of
view.
Introduction to
Cryptography
• Many similar concepts are being used in many
modern cryptosystems.
Introduction to
Cryptanalysis
Historical
Cryptosystems
Breaking Historical
Cryptosystems
• For example the DES (Data Encryption Standard)
employs substitution and permutation operations. As
we already know many the same principals are
used in many historical cryptosystems.
52
Joint Advanced Student School 2005
Exercise 1
• Calculate:
Introduction to
Cryptography
1547 mod 31
Historical
Cryptosystems
-1547 mod 31
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
28 mod 31
-28 mod 31
53
Joint Advanced Student School 2005
Exercise 2
• Your are given the following ciphertext:
KYVUVMZCJRXVEKJDRPSVFWIWCVJYREUSCFFUDRPKY
VPEFKKYVIVRIVKNFHLVJKZFEJNRZKZEXWFILJRKKY
VFLKJVKKYVFEVZJNYVKYVIREPTIZDVYRJSVVETFDD
ZKKVURKRCCKYVJVTFEUZJNYRKZJKYVTIZDVREUYFN
NRJZKTFDDZKKVU
letter
prob
letter
prob
letter
prob
A
B
C
D
E
F
G
H
I
.000
.000
.028
.045
.056
.073
.000
.006
.039
J
K
L
M
N
O
P
Q
R
.073
.129
.017
.006
.034
.000
.022
.000
.079
S
T
U
V
W
X
Y
Z
.017
.028
.039
.140
.017
.011
.073
.067
• Please determine what cipher was used to encrypt
the message. Find the key and he original plaintext.
54
Joint Advanced Student School 2005
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems
Exercise 2
• Some more statistics:
• The most common digrams are: YV (9), KY (8), KK
(5), ZK (4), EU, FE, JN, KZ, RE, RK, TF, VF, VJ, VK,
VU, YR, ZJ - all appear three times in the text.
Introduction to
Cryptography
Historical
Cryptosystems
Introduction to
Cryptanalysis
• The most common trigrams are: KYV (8), KKY (3),
DDZ, DRP, DZK, FDD, IZD, JNY, KKV, KVU, REU,
TFD, TIZ, YVF, YVI, ZDV, ZJN, ZKK - all appear
twice in the ciphertext.
55
Joint Advanced Student School 2005
Breaking Historical
Cryptosystems
Exercise 2
• Solution:
Introduction to
Cryptography
the devils agents may be of flesh and blood may
they not there are two questions waiting for us at the
outset the one is whether any crime has been
committed at all the second is what is the crime and
how was it committed
(Taken from Hound of the Baskervilles, by Arthur Conan Doyle)
56
Joint Advanced Student School 2005
Historical
Cryptosystems
Introduction to
Cryptanalysis
Breaking Historical
Cryptosystems