Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Classical Cryptography Prof. Heejin Park. 2 Overview Classical cryptosystems The Shift Cipher The Affine Cipher The Substitution Cipher The Vigenère.

Similar presentations


Presentation on theme: "1 Classical Cryptography Prof. Heejin Park. 2 Overview Classical cryptosystems The Shift Cipher The Affine Cipher The Substitution Cipher The Vigenère."— Presentation transcript:

1 1 Classical Cryptography Prof. Heejin Park

2 2 Overview Classical cryptosystems The Shift Cipher The Affine Cipher The Substitution Cipher The Vigenère Cipher The Hill Cipher The Permutation Cipher Stream Ciphers Cryptanalysis of some classical cryptosystems

3 3 The Shift Cipher Encryption of plaintext wewillmeet with K = Convert each character to an integer 2. Add 11 mod 26 to each value. 3. Convert the value to its corresponding character. wewillmeet hphtwwxppe

4 4 The Shift Cipher Decryption of ciphertext hphtwwxppe Inverse of encryption Cryptanalysis of shift cipher Exhaustive key search The key space is too small: only 26 possible keys JBCRCLQRWCRVNBJE NBWRWN 0Jbcrclqrwcrvnbjenbwrwn 1Iabqbkpqvbqumaidmavqvm …… 9astitchintimesavesnine

5 5 The Affine Cipher Encryption Encryption of hot using Since h, o, t are the 7 th, 14 th, and 19 th characters, (7x7+3) mod 26 = 52 mod 26 = 0. (7x14+3) mod 26 = 101 mod 26 = 23. (7x19+3) mod 26 = 136 mod 26 = 6. if a =1, it becomes a Shift Cipher.

6 6 The Affine Cipher Encryption Decryption a should be an integer such that a -1 exists. a -1 exists if and only if a and 26 are relatively prime. 12 integers: 1,3,5,7,9,11,15,17,19,21,23, 25

7 7 The Affine Cipher Cryptanalysis The exhaustive key search: Count the number of keys Number of as? 12: 1,3,5,7,9,11,15,17,19,21,23, 25 Number of bs? 26 : because b can be any integer among 0,1,…, 25. We have 12 X 26 = 312 number of keys.

8 8 The Affine Cipher Cryptanalysis If the modulus is large, the exhaustive key search is infeasible. However, the Affine Cipher can be easily cryptanalyzed by other methods.

9 9 The Substitution Cipher Encryption Substitute each symbol in a plaintext using a permutation. abcdefghijklm XNYAHPOGZQWBT nopqrstuvwxyz SFLRCVMUEKJDI

10 10 The Substitution Cipher Decryption Substitute each symbol in a ciphertext using the inverse permutation. Quiz MGZVYZLGHCMHJMYXSSFMNHAHYCDLMHA ? The Shift Cipher is a special case of the Substitution Cipher. Is the Affine Cipher a special case of the Substitution Cipher?

11 11 The Substitution Cipher Cryptanalysis An exhaustive key search is infeasible. The number of possible permutation is 26! (> 4 x ). However, the Substitution Cipher can be cryptanalyzed by other methods.

12 12 The Vigenère Cipher Monoalphabetic cryptosystems The Shift Cipher and the Substitution Cipher. Each character is mapped to one character. Polyalphabetic cryptosystems The Vigenère Cipher A character can be mapped to one of characters.

13 13 The Vigenère Cipher Encryption m = 6, K = (2,8,15,7,4,7) Decryption Inverse of encryption plaintext key ciphertext

14 14 The Vigenère Cipher Formal Definition Let m be a positive integer. Define P = C = K = (Z 26 ) m. For a key K = (k 0, k 1, …, k m-1 ), we define e K (x 0, x 1, …, x m-1 ) = ( x 0 + k 0, x 1 + k 1, …, x m-1 + k m-1 ) d K (y 0, y 1, …, y m-1 ) = ( y 0 - k 0, y 1 - k 1, …, y m-1 – k m-1 ) Where all operations are performed in Z 26

15 15 The Vigenère Cipher Cryptanalysis The number of possible keys 26 m Exhaustive key search is infeasible if m is not too small. However, the Vigenère cipher can be cryptanalyzed by other methods.

16 16 The Hill Cipher Encryption key: m x m matrix

17 17 The Hill Cipher Encrypt the plaintext july with k = We partition july into ju and ly. ju: (9, 20) ly: (11, 24)

18 18 The Hill Cipher Decryption Use the inverse of key matrix

19 19 The Permutation Cipher Encryption key: a permutation of size m a permutation where m = 6 shesellsseashellsbytheseashore shesellsseashellsbytheseashore EESLSHSALSESLSHBLEHSYEETHRAEOS

20 20 The Permutation Cipher Decryption Use the inverse permutation of the key The Permutation Cipher is a special case of the Hill Cipher

21 21 Stream Ciphers Block ciphers Each plaintext element is encrypted using the same key K. Stream ciphers Plaintext elements are encrypted using key stream.

22 22 Stream Ciphers Key stream construction Synchronous stream ciphers The key stream is constructed from the key. Non-synchronous stream ciphers The key stream is constructed from the key, the plaintext, or the ciphertext.

23 23 Synchronous Ciphers The Vigenère Cipher is a kind of stream cipher. Encryption The is a synchronous stream cipher whose keystream is z 1 z 2 … such that

24 24 Synchronous Ciphers A stream cipher is a periodic stream cipher with period d if for all i 0. The Vigenère Cipher is a periodic stream cipher with period m. Stream cipher are often described in terms of binary alphabets ( P = C = K = Z 2 ) The encryption/decryption operations are just exclusive-or.

25 25 Synchronous Ciphers A method for generating binary key stream z 0 z 1 … Initialize z 0 …z m-1 using a binary tuple ( k 0, …, k m-1 ). z 0 = k 0, z 1 = k 1,…, z m-1 = k m-1 Generate z m z m+1 … using a linear recurrence of degree m for all i 0, where are specified constant

26 26 Synchronous Ciphers Example m = 4 and the keystream is generated using If starting with (1, 0, 0, 0), the keystream is … If starting with (0, 0, 0, 0), the keystream is … So, zero vector should be avoided for the key. If is chosen carefully, the period of the key stream can be 2 m -1.

27 27 Synchronous Ciphers LFSR (Linear feedback shift register) Use a shift register with m stages The vector ( k 1, …, k m ) is used to initialize the shift register At each time unit, the following operation is performed. k 1 becomes the next keystream bit k 2, …, k m are shifted to the left The new value of k m becomes K1K1 K2K2 K3K3 K4K4

28 28 Non-synchronous stream cipher Autokey Cipher z 0 = K, z 1 = x 0, z 2 = x 1,… z i = x i-1 … Encryption Decryption

29 29 Non-synchronous stream cipher K = 8 and the plaintext is rendexvous Convert the plaintext to integers Keystream Add corresponding elements modulo 26 Ciphertext is VRQHDUJIM

30 30 Non-synchronous stream cipher Decryption

31 31 Overview Classical cryptosystems The Shift Cipher The Affine Cipher The Substitution Cipher The Vigenère Cipher The Hill Cipher The Permutation Cipher Stream Ciphers Cryptanalysis of some classical cryptosystems The Affine Cipher The Substitution Cipher The Vigenère Cipher The Hill Cipher The LFSR Stream Ciphers

32 32 Cryptanalysis In general, it is assumed that the opponent knows the cryptosystem being used. Cryptanalysis Full cryptanalysis Find the key, i.e., generate the ciphertext string for any plaintext string. Partial cryptanalysis Generate the ciphertext strings for some plaintext strings.

33 33 Attacks Ciphertext only attack The opponent can see the ciphertext strings. Known plaintext attack The opponent can see some plaintext strings and their ciphertext strings. Chosen plaintext attack The opponent can temporary access to the encryption machinery. Hence he can choose some plaintext strings and construct their ciphertext strings. Chosen ciphertext attack The opponent can temporary access to the decryption machinery. Hence he can choose some ciphertext strings and construct their plaintext strings.

34 34 English Text The frequency of each character E: about 12% T, A, O, I, N, S, H, R: 6-9% D, L : about 4% C, U, M, W, F, G, Y, P, B: 1.5%-2.8% V, K, J, X, Q, Z:< 1% letter probability letter probability A.082N.067 B.015O.075 C.028P.019 D.043Q.001 E.127R.060 F.022S.063 G.020T.091 H.061U.028 I.070V.010 J.002W.023 K.008X.001 L.040Y.020 M.024Z.001

35 35 English Text It is also useful to consider sequences of two or three consecutive letters, called digrams and trigrams The 30 most common digrams are The twelve most common trigrams are TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, OF THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH

36 36 The Affine Cipher Ciphertext only attack Suppose opponent has intercepted the following ciphertext Frequency of occurrence of the 26 ciphertext letters FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDK APRKDLYEVLRHHR letterFrequencyLetterFrequency A2H5 B1I0 C0J0 D7K5 E5L2 F4M2 G0 letterFrequencyLetterFrequency N1U2 O1V4 P2W0 Q0X2 R8Y1 S3Z0 T0

37 37 The Affine Cipher Suppose opponent has intercepted the following ciphertext Frequency of occurrence of the 26 ciphertext letters FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDK APRKDLYEVLRHHR letterFrequencyLetterFrequency A2H5 B1I0 C0J0 D7K5 E5L2 F4M2 G0 letterFrequencyLetterFrequency N1U2 O1V4 P2W0 Q0X2 R8Y1 S3Z0 T0

38 38 The Affine Cipher The most frequent ciphertext characters are R (8 occurrences) D (7 occurrences) E, H, K (5 occurrences each) F, S, V (4 occurrences each) First guess: e K (e)=R, e K (t)=D. We have e K (4)=17 and e K (19)=3. Recall that e K ( x )= ax + b, where a and b are unknowns This system has the unique solution a = 6, b = 19 (in Z 26 ), but this is an illegal key, since gcd ( a, 26) = 2 > 1

39 39 The Affine Cipher Guess: e K (e)=R and e K (t)=E. Obtain a = 13, which is again illegal. Guess: e K (e)=R and e K (t)=H. This yields a = 8, again impossible. Guess: e K (e)=R and e K (t)=K. This produces a = 3, b = 5, which is at least a legal key. K = (3, 5) Perform decryption The given ciphertext decrypts to yield algorithmsarequitegeneraldefinitionsofarithmeticprocesses

40 40 The Substitution Cipher Ciphertext only attack Ciphertext obtained from a substitution cipher The frequency analysis of this ciphertext YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR letterFrequencyLetterFrequency A0H4 B1I5 C15J11 D13K1 E7L0 F11M16 G1 letterFrequencyLetterFrequency N9U5 O0V5 P1W8 Q4X6 R10Y S3Z20 T2

41 41 The Substitution Cipher Z occurs significantly more often than others. We might conjecture that e K (e)=Z. C, D, F, J, M, R, Y Occur at least ten times. We might expect that these letters are encryptions of t, a, o, i, n, s, h, r. But, not vary enough what the correspondence might be.

42 42 The Substitution Cipher We might look at digrams, especially those of the form – Z or Z– The most common digrams of this type DZ and ZW (four times each) NZ and ZU (three times each) RZ, HZ, XZ, FZ, ZR, ZV, ZC, ZD and ZJ (twice each) ZW occurs four times and WZ not at all W occurs less often than many other characters, The Common digrams e– : ER, ED, ES, EN, EA, ET expect letter {t, a, o, i, n, s, h, r} we might guess that d k (W) = d DZ occurs four times and ZD occurs twice The common digram –e : HE(EH not exist), RE, SE, TE

43 43 The Substitution Cipher If we proceed on the assumption that d k (Z) = e and d k (W) = d. ZRW(e-d) and RZW(-ed) both occurring near the beginning of the ciphertext and RW(-d) occurs again later on. Since R occurs frequently in the ciphertext and nd is a common digram, we might try d k (R) = n as the most likely possibility end e----ned---e YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ e----e nd---en----e----e NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ -e---n------n------ed---e---e--ne-nd-e-e- - NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ -ed----- n e----ed d---e--n XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

44 44 The Substitution Cipher Next step might be to try d K (N) = h NZ(he) is a common digram and ZN(eh) is not A common digram –e : HE(EH not exist), RE, SE, TE So, d K (N) = h If this is correct, then the segment of plaintext ne – ndhe suggests that d K (C) = a ZC(e-) is a common digram and CZ(-e) is not end-----a---e-a--nedh--e------a----- YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ h ea---e-a---a---nhad-a-en--a-e-h--e NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ he-a-n------n------ed---e---e--neandhe-e- - NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ -ed-a--- nh---ha---a-e----ed-----a-d--he--n XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

45 45 The Substitution Cipher We might consider M, the second most common ciphertext character The ciphertext segment RNM, which we believe decrypts to nh- Suggest that h- begins a word, so M probably represent a vowel We have already accounted for a and e expect letter {t, a, o, i, n, s, h, r} So, we expect that d K (M) = i or o Since ai is a much more likely digram than ao, so d K (M) = i first -----iend-----a-i-e-a-inedhi-e------a---i- YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ h-----i-ea-i-e-a---a-i-nhad-a-en--a-e-hi-e NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ he-a-n-----in-i----ed---e---e-ineandhe-e- - NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ -ed-a---inhi--hai--a-e-i--ed-----a-d--he--n XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

46 46 The Substitution Cipher Next, We might try to determine which letter is encrypted to o Since o is a common letter, we guess one of D, F, J, Y At least ten times characters : C, D, F, J, M, R, Y Y seem to be the possibility We would get long strings of vowels, namely aoi form CFM or CJM Hence, lets suppose d K (Y) = o The three most frequent remaining ciphertext letters are D, F, J, which we conjecture could decrypt to r, s, t in some order Two occurrences of the trigram NMD(hi-) suggest that d K (D) = s, giving the trigram his in the plaintext The segment HNCMF could be an encryption of chair, which would give d K (F) = r (and d K (H) = c) So we would then have d K (J) = t Process of elimination

47 47 The Substitution Cipher Now, we have The complete decryption is o-r-riend-ro--arise-a-inedhise--t---ass-it YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ hs-r-riseasi-e-a-orationhadta-en--ace-hi-e NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ he-asnt-oo-in-i-o-redso-e-ore-ineandhesett NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ -ed-ac--inhischair-aceti-ted--to-ardsthes-n XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR Our friend from Paris examined his empty glass with surprise, as if evaporation had taken place while he wasnt looking. I poured some more wine and he settled back in his chair, face tilted up towards the sun

48 48 The Vigenère Cipher Encryption m = 6, K = (2,8,15,7,4,7) We first compute m and then compute K. Techniques used Kasiski test The index of coincidence plaintext key ciphertext

49 49 The Vigenère Cipher Observation: Two identical segments of plaintext will be encrypted to the same ciphertext whenever their occurrence in the plaintext is δ positions apart, where. Kasiski test Search the ciphertext for pair of identical segments of length at least three. Record the distance between the starting positions of the two segments If we obtain several such distances, sayδ 1,δ 2, …, Then we would conjecture that m divides all of the δ i s Hence m divides the greatest common divisor of theδ i s

50 50 The Vigenère Cipher The distances from the first occurrence to other four occurrences are 165, 235, 275, 285. The greatest common divisor of these four integers is 5. (very likely keyword length) CHREEVOAHMAERATBIAXXWTNXBEEOPHBSQMQEQERBW RVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAK LXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELX VRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHR ZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJT AMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBI PEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHP WQAIIWXNRMGWOIIFKEE

51 51 The Vigenère Cipher The index of coincidence Observe that a completely random string will have The two values and are quite apart. letterprobabilityletterprobability A.082N.067 B.015O.075 C.028P.019 D.043Q.001 E.127R.060 F.022S.063 G.020T.091 H.061U.028 I.070V.010 J.002W.023 K.008X.001 L.040Y.020 M.024Z.001

52 52 The Vigenère Cipher Using index of coincidence Define m substring of y, denoted y 1, y 2, …, y m, y 1 = y 1 y m +1 y 2 m +1 … y 2 = y 2 y m +2 y 2 m +2 … … y m = y m y 2 m y 3 m … If m is indeed the keyword length Each value I c (y i ) If m is not the keyword length The substrings y i will look much more random. Each value I c (y i )

53 53 The Vigenère Cipher Computation of indices of coincidence m = 1, index of coincidence is m = 2, we get and m = 3, we get 0.043, 0.050, and m = 4, we get , and m = 5, we get 0.063, 0.068, 0.069, 0.061, and 0.072

54 54 The Vigenère Cipher How to determine the key K = (k 1, k 2, …, k m ). Let p 0, …, p 25 denote the probabilities of A, B, …, Z in the string y i. Since substring y i is obtained by shift encryption of a subset of the plaintext using a shift k i, p 0 p 0+k, p 1 p 1+k, …

55 55 The Vigenère Cipher Compute for all 0 k 25. If k = k i, I If k k i, I

56 56 The Vigenère Cipher Y1Y Y2Y Y3Y Y4Y Y5Y

57 57 The Vigenère Cipher From the data in Table 1.4, the key is likely to be K = (9, 0, 13, 4, 19) Decrytion of the ciphertext The almond tree was in tentative blossom. The days were longer, often ending with magnificent evenings of corrugated pink skies. The hunting season was over, with hounds and guns put away for six months. The vineyards were busy again as the well-organized farm- ers treated their vines and the more lackadaisical neighbors hurried to do the pruning they should have done in November.

58 58 The Hill Cipher Encryption key K: m x m matrix The hill cipher can be difficult to break with a ciphertext- only attack, but it succumbs to a known plaintext attack. Assume that the opponent know the value of m.

59 59 Suppose he has m distinct plaintext-ciphertext pairs, for 0 j m-1. The Hill Cipher · ·

60 60 The Hill Cipher

61 61 The Hill Cipher Suppose the plaintext Friday is encrypted to the ciphertext PQCFKU using a Hill Cipher with m = 2. e K (5, 17) = (15, 16), e K (8, 3) = (2, 5), e K (0, 24) = (10, 20) We get the matrix equation So

62 62 What would the opponent do if he does not know m ? Assuming that m is not too big, he could simply try m = 2, 3, …., untill the key found. The Hill Cipher

63 63 The LFSR Stream Cipher Ciphertext is the exclusive-or of the plaintext and the keystream The keystream is produced from an initial m-tuple, ( z 0, …, z m-1 )=( k 0, …, k m-1 ), using the linear recurrence for all i 0, where

64 64 The LFSR Stream Cipher Known plaintext attack From the given paintext string x 1 x 2 …x n and the corresponding ciphertext string y 1 y 2 …y n, the keystream bits z 1 z 2 …z n. Suppose that opponent knows the value of m He needs only to compute c 0, …, c m-1.

65 65 The LFSR Stream Cipher If n 2m, then there are m linear equations in m unknowns, which can subsequently be solved.

66 66 The LFSR Stream Cipher Example Suppose the ciphertext string is and the plaintext string is Then the keystream bits are

67 67 The LFSR Stream Cipher If m = 5, Thus z i+5 = (z i +z i+3 ) mod 2


Download ppt "1 Classical Cryptography Prof. Heejin Park. 2 Overview Classical cryptosystems The Shift Cipher The Affine Cipher The Substitution Cipher The Vigenère."

Similar presentations


Ads by Google