1. Classical Cryptography
Prof. Heejin Park

2. Overview Classical cryptosystems
The Shift Cipher
The Affine Cipher
The Substitution Cipher
The Vigenère Cipher
The Hill Cipher
The Permutation Cipher
Stream Ciphers
Cryptanalysis of some classical cryptosystems

3. The Shift Cipher Encryption of plaintext wewillmeet with K = 11
Convert each character to an integer
Add 11 mod 26 to each value.
Convert the value to its corresponding character. w e i l m t 22 4 8 11 12 19 22 4 8 11 12 19 7 15 23 7 15 19 22 23 4 h p t w x e

4. The Shift Cipher Decryption of ciphertext hphtwwxppe
Inverse of encryption
Cryptanalysis of shift cipher
Exhaustive key search
The key space is too small: only 26 possible keys
JBCRCLQRWCRVNBJENBWRWN
Jbcrclqrwcrvnbjenbwrwn 1
Iabqbkpqvbqumaidmavqvm … 9
astitchintimesavesnine

5. The Affine Cipher Encryption Encryption of hot using
Since h, o, t are the 7th, 14th, and 19th characters,
(7x7+3) mod 26 = 52 mod 26 = 0.
(7x14+3) mod 26 = 101 mod 26 = 23.
(7x19+3) mod 26 = 136 mod 26 = 6.
if a =1, it becomes a Shift Cipher.

6. The Affine Cipher Encryption Decryption
a should be an integer such that a-1 exists.
a-1 exists if and only if a and 26 are relatively prime.
12 integers: 1,3,5,7,9,11,15,17,19,21,23, 25

7. The Affine Cipher Cryptanalysis
The exhaustive key search: Count the number of keys
Number of a’s?
12: 1,3,5,7,9,11,15,17,19,21,23, 25
Number of b’s?
26: because b can be any integer among 0,1,…, 25.
We have 12 X 26 = 312 number of keys.

8. The Affine Cipher Cryptanalysis
If the modulus is large, the exhaustive key search is infeasible.
However, the Affine Cipher can be easily cryptanalyzed by other methods.

9. The Substitution Cipher
Encryption
Substitute each symbol in a plaintext using a permutation. a b c d e f g h i j k l m X N Y A H P O G Z Q W B T n o p q r s t u v w x y z S F L R C V M U E K J D I

10. The Substitution Cipher
Decryption
Substitute each symbol in a ciphertext using the inverse permutation.
Quiz
MGZVYZLGHCMHJMYXSSFMNHAHYCDLMHA ?
The Shift Cipher is a special case of the Substitution Cipher.
Is the Affine Cipher a special case of the Substitution Cipher?

11. The Substitution Cipher
Cryptanalysis
An exhaustive key search is infeasible.
The number of possible permutation is 26! (> 4 x 1026).
However, the Substitution Cipher can be cryptanalyzed by other methods.

12. The Vigenère Cipher Monoalphabetic cryptosystems
The Shift Cipher and the Substitution Cipher.
Each character is mapped to one character.
Polyalphabetic cryptosystems
The Vigenère Cipher
A character can be mapped to one of characters.

13. The Vigenère Cipher plaintext key ciphertext Encryption Decryption
m = 6, K = (2,8,15,7,4,7)
Decryption
Inverse of encryption
plaintext 19 7 8 18 2 17 24 15 14 4 21 23 25 6 22
key
ciphertext

14. eK(x0, x1, … , xm-1) = ( x0 + k0 , x1 + k1, … , xm-1 + km-1)
The Vigenère Cipher
Formal Definition
Let m be a positive integer. Define P = C = K = (Z26)m. For a key K = (k0, k1, … , km-1), we define
eK(x0, x1, … , xm-1) = ( x0 + k0 , x1 + k1, … , xm-1 + km-1)
dK(y0, y1, … , ym-1) = ( y0 - k0 , y1 - k1, … , ym-1 – km-1)
Where all operations are performed in Z26

15. The Vigenère Cipher Cryptanalysis The number of possible keys
Exhaustive key search is infeasible if m is not too small.
However, the Vigenère cipher can be cryptanalyzed by other methods.

16. The Hill Cipher
Encryption
key: m x m matrix

17. The Hill Cipher Encrypt the plaintext july with k =
We partition july into ju and ly.
ju: (9, 20)
ly: (11, 24)

18. The Hill Cipher
Decryption
Use the inverse of key matrix

19. The Permutation Cipher
Encryption
key: a permutation of size m
a permutation where m = 6 2 4 5 3 1
shesellsseashellsbytheseashore
012345
shesel
lsseas
hellsb
ythese
ashore
EESLSH
SALSES
LSHBLE
HSYEET
HRAEOS

20. The Permutation Cipher
Decryption
Use the inverse permutation of the key
The Permutation Cipher is a special case of the Hill Cipher. 2 4 5 3 1

21. Stream Ciphers Block ciphers Stream ciphers
Each plaintext element is encrypted using the same key K.
Stream ciphers
Plaintext elements are encrypted using key stream

22. Stream Ciphers Key stream construction Synchronous stream ciphers
The key stream is constructed from the key.
Non-synchronous stream ciphers
The key stream is constructed from the key, the plaintext, or the ciphertext.

23. Synchronous Ciphers The Vigenère Cipher is a kind of stream cipher.
Encryption
The is a synchronous stream cipher whose keystream is z1z2… such that

24. Synchronous Ciphers
A stream cipher is a periodic stream cipher with period d
if for all i ≥ 0.
The Vigenère Cipher is a periodic stream cipher with period m.
Stream cipher are often described in terms of binary alphabets (P = C = K = Z2)
The encryption/decryption operations are just exclusive-or.

25. Synchronous Ciphers A method for generating binary key stream z0z1…
Initialize z0…zm-1 using a binary tuple (k0, …, km-1).
z0 = k0 , z1 = k1,…, zm-1 = km-1
Generate zmzm+1… using a linear recurrence of degree m
for all i ≥ 0, where are specified constant

26. Synchronous Ciphers Example m = 4 and the keystream is generated using
If starting with (1, 0, 0, 0), the keystream is …
If starting with (0, 0, 0, 0), the keystream is …
So, zero vector should be avoided for the key.
If is chosen carefully, the period of the key stream can be 2m-1.

27. Synchronous Ciphers LFSR (Linear feedback shift register)
Use a shift register with m stages
The vector (k1, … , km) is used to initialize the shift register
At each time unit, the following operation is performed.
k1 becomes the next keystream bit
k2, … , km are shifted to the left
The “new” value of km becomes K1 K2 K3 K4

28. Non-synchronous stream cipher
Autokey Cipher
z0 = K , z1 = x0, z2 = x1,… zi = xi-1…
Encryption
Decryption

29. Non-synchronous stream cipher
K = 8 and the plaintext is rendexvous
Convert the plaintext to integers
Keystream
Add corresponding elements modulo 26
Ciphertext is VRQHDUJIM

30. Non-synchronous stream cipher
Decryption

31. Overview Classical cryptosystems
The Shift Cipher
The Affine Cipher
The Substitution Cipher
The Vigenère Cipher
The Hill Cipher
The Permutation Cipher
Stream Ciphers
Cryptanalysis of some classical cryptosystems
The LFSR Stream Ciphers

32. Cryptanalysis
In general, it is assumed that the opponent knows the cryptosystem being used.
Cryptanalysis
Full cryptanalysis
Find the key, i.e., generate the ciphertext string for any plaintext string.
Partial cryptanalysis
Generate the ciphertext strings for some plaintext strings.

33. Attacks Ciphertext only attack Known plaintext attack
The opponent can see the ciphertext strings.
Known plaintext attack
The opponent can see some plaintext strings and their ciphertext strings.
Chosen plaintext attack
The opponent can temporary access to the encryption machinery. Hence he can choose some plaintext strings and construct their ciphertext strings.
Chosen ciphertext attack
The opponent can temporary access to the decryption machinery. Hence he can choose some ciphertext strings and construct their plaintext strings.

34. English Text The frequency of each character E: about 12%
T, A, O, I, N, S, H, R: 6-9%
D, L : about 4%
C, U, M, W, F, G, Y, P, B: 1.5%-2.8%
V, K, J, X, Q, Z:< 1%
letter
probability A
.082 N
.067 B
.015 O
.075 C
.028 P
.019 D
.043 Q
.001 E
.127 R
.060 F
.022 S
.063 G
.020 T
.091 H
.061 U I
.070 V
.010 J
.002 W
.023 K
.008 X L
.040 Y M
.024 Z

35. English Text
It is also useful to consider sequences of two or three consecutive letters, called digrams and trigrams
The 30 most common digrams are
The twelve most common trigrams are
TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, OF
THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH

36. The Affine Cipher Ciphertext only attack
Suppose opponent has intercepted the following ciphertext
Frequency of occurrence of the 26 ciphertext letters
FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDK APRKDLYEVLRHHR
letter
Frequency
Letter A 2 H 5 B 1 I C J D 7 K E L F 4 M G
letter
Frequency
Letter N 1 U 2 O V 4 P W Q X R 8 Y S 3 Z T

37. The Affine Cipher
Suppose opponent has intercepted the following ciphertext
Frequency of occurrence of the 26 ciphertext letters
FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDK APRKDLYEVLRHHR
letter
Frequency
Letter A 2 H 5 B 1 I C J D 7 K E L F 4 M G
letter
Frequency
Letter N 1 U 2 O V 4 P W Q X R 8 Y S 3 Z T

38. The Affine Cipher The most frequent ciphertext characters are
R (8 occurrences)
D (7 occurrences)
E, H, K (5 occurrences each)
F, S, V (4 occurrences each)
First guess: eK(e)=R, eK(t)=D.
We have eK(4)=17 and eK(19)=3.
Recall that eK(x)=ax+b , where a and b are unknowns
This system has the unique solution a = 6, b = 19 (in Z26), but this is an illegal key, since gcd (a, 26) = 2 > 1

39. algorithmsarequitegeneraldefinitionsofarithmeticprocesses
The Affine Cipher
Guess: eK(e)=R and eK(t)=E.
Obtain a = 13, which is again illegal.
Guess: eK(e)=R and eK(t)=H.
This yields a = 8, again impossible.
Guess: eK(e)=R and eK(t)=K.
This produces a = 3, b = 5, which is at least a legal key.
K = (3, 5)
Perform decryption
The given ciphertext decrypts to yield
algorithmsarequitegeneraldefinitionsofarithmeticprocesses

40. The Substitution Cipher
Ciphertext only attack
Ciphertext obtained from a substitution cipher
The frequency analysis of this ciphertext
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR
letter
Frequency
Letter A H 4 B 1 I 5 C 15 J 11 D 13 K E 7 L F M 16 G
letter
Frequency
Letter N 9 U 5 O V P 1 W 8 Q 4 X 6 R 10 Y S 3 Z 20 T 2

41. The Substitution Cipher
Z occurs significantly more often than others.
We might conjecture that eK(e)=Z.
C, D, F, J, M, R, Y Occur at least ten times.
We might expect that these letters are encryptions of t, a, o, i, n, s, h, r.
But, not vary enough what the correspondence might be.

42. The Substitution Cipher
We might look at digrams, especially those of the form –Z or Z–
The most common digrams of this type
DZ and ZW (four times each)
NZ and ZU (three times each)
RZ, HZ, XZ, FZ, ZR, ZV, ZC, ZD and ZJ (twice each)
ZW occurs four times and WZ not at all
W occurs less often than many other characters,
The Common digrams e– : ER, ED, ES, EN, EA, ET
expect letter {t, a, o, i, n, s, h, r}
we might guess that dk(W) = d
DZ occurs four times and ZD occurs twice
The common digram –e : HE(EH not exist), RE, SE, TE

43. The Substitution Cipher
If we proceed on the assumption that dk(Z) = e and dk(W) = d.
ZRW(e-d) and RZW(-ed) both occurring near the beginning of the ciphertext and RW(-d) occurs again later on.
Since R occurs frequently in the ciphertext and nd is a common digram, we might try dk(R) = n as the most likely possibility.
------end e----ned---e
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
e----e n—d---en----e----e NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
-e---n------n------ed---e---e--ne-nd-e-e-- NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed----- n e----ed d---e--n
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

44. The Substitution Cipher
Next step might be to try dK(N) = h
NZ(he) is a common digram and ZN(eh) is not
A common digram –e : HE(EH not exist), RE, SE, TE
So, dK(N) = h
If this is correct, then the segment of plaintext ne – ndhe suggests that dK(C) = a
ZC(e-) is a common digram and CZ(-e) is not
------end-----a---e-a--nedh--e------a-----
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
h ea---e-a---a---nhad-a-en--a-e-h--e NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
he-a-n------n------ed---e---e--neandhe-e-- NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed-a--- nh---ha---a-e----ed-----a-d--he--n
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

45. The Substitution Cipher
We might consider M, the second most common ciphertext character
The ciphertext segment RNM, which we believe decrypts to nh-
Suggest that h- begins a word, so M probably represent a vowel
We have already accounted for a and e
expect letter {t, a, o, i, n, s, h, r}
So, we expect that dK(M) = i or o
Since ai is a much more likely digram than ao, so dK(M) = i first
-----iend-----a-i-e-a-inedhi-e------a---i-
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
h-----i-ea-i-e-a---a-i-nhad-a-en--a-e-hi-e NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
he-a-n-----in-i----ed---e---e-ineandhe-e-- NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed-a---inhi--hai--a-e-i--ed-----a-d--he--n
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

46. The Substitution Cipher
Next, We might try to determine which letter is encrypted to o
Since o is a common letter, we guess one of D, F, J, Y
At least ten times characters : C, D, F, J, M, R, Y
Y seem to be the possibility
We would get long strings of vowels, namely aoi form CFM or CJM
Hence, let’s suppose dK(Y) = o
The three most frequent remaining ciphertext letters are D, F, J, which we conjecture could decrypt to r, s, t in some order
Two occurrences of the trigram NMD(hi-) suggest that dK(D) = s, giving the trigram his in the plaintext
The segment HNCMF could be an encryption of chair, which would give dK(F) = r (and dK(H) = c)
So we would then have dK(J) = t
Process of elimination

47. The Substitution Cipher
Now, we have
The complete decryption is
o-r-riend-ro--arise-a-inedhise--t---ass-it
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
hs-r-riseasi-e-a-orationhadta-en--ace-hi-e NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
he-asnt-oo-in-i-o-redso-e-ore-ineandhesett NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed-ac--inhischair-aceti-ted--to-ardsthes-n
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR
Our friend from Paris examined his empty glass with surprise, as if evaporation had taken place while he wasn’t looking. I poured some more wine and he settled back in his chair, face tilted up towards the sun

48. The Vigenère Cipher plaintext key ciphertext
Encryption
m = 6, K = (2,8,15,7,4,7)
We first compute m and then compute K.
Techniques used
Kasiski test
The index of coincidence
plaintext 19 7 8 18 2 17 24 15 14 4 21 23 25 6 22
key
ciphertext

49. The Vigenère Cipher
Observation: Two identical segments of plaintext will be encrypted to the same ciphertext whenever their occurrence in the plaintext is δ positions apart, where
Kasiski test
Search the ciphertext for pair of identical segments of length at least three.
Record the distance between the starting positions of the two segments
If we obtain several such distances, sayδ1,δ2, … ,
Then we would conjecture that m divides all of the δi’s
Hence m divides the greatest common divisor of theδi’s

50. The Vigenère Cipher
CHREEVOAHMAERATBIAXXWTNXBEEOPHBSQMQEQERBW
RVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAK
LXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELX
VRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHR
ZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJT
AMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBI
PEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHP
WQAIIWXNRMGWOIIFKEE
The distances from the first occurrence to other four occurrences are 165, 235, 275, 285.
The greatest common divisor of these four integers is 5. (very likely keyword length)

51. The Vigenère Cipher The index of coincidence
Observe that a completely random string will have
The two values and are quite apart.
letter
probability A
.082 N
.067 B
.015 O
.075 C
.028 P
.019 D
.043 Q
.001 E
.127 R
.060 F
.022 S
.063 G
.020 T
.091 H
.061 U I
.070 V
.010 J
.002 W
.023 K
.008 X L
.040 Y M
.024 Z

52. The Vigenère Cipher Using index of coincidence
Define m substring of y, denoted y1, y2, … , ym,
y1 = y1ym+1y2m+1 …
y2 = y2ym+2y2m+2 … …
ym= ymy2my3m …
If m is indeed the keyword length
Each value Ic(yi) ≈
If m is not the keyword length
The substrings yi will look much more random.
Each value Ic(yi) ≈

53. The Vigenère Cipher Computation of indices of coincidence
m = 1, index of coincidence is 0.045
m = 2, we get and 0.041
m = 3, we get 0.043, 0.050, and 0.047
m = 4, we get , and 0.040
m = 5, we get 0.063, 0.068, 0.069, 0.061, and 0.072

54. The Vigenère Cipher How to determine the key K = (k1, k2, … , km).
Let p’0, … , p’25 denote the probabilities of A, B, …, Z in the string yi.
Since substring yi is obtained by shift encryption of a subset of the plaintext using a shift ki ,
p0 ≈ p’0+k , p1 ≈ p’1+k , …

55. The Vigenère Cipher Compute for all 0 ≤ k ≤ 25. If k ≠ ki, I ≈ 0.038.

56. The Vigenère Cipher Y1 Y2 Y3 Y4 Y5 Y2 Y3 Y4 Y5

57. The Vigenère Cipher From the data in Table 1.4,
the key is likely to be K = (9, 0, 13, 4, 19)
Decrytion of the ciphertext
The almond tree was in tentative blossom. The days were longer, often ending with magnificent evenings of corrugated pink skies. The hunting season was over, with hounds and guns put away for six months. The vineyards were busy again as the well-organized farm- ers treated their vines and the more lackadaisical neighbors hurried to do the pruning they should have done in November.

58. The Hill Cipher Encryption
key K: m x m matrix
The hill cipher can be difficult to break with a ciphertext-only attack, but it succumbs to a known plaintext attack.
Assume that the opponent know the value of m.

59. The Hill Cipher Suppose he has m distinct plaintext-ciphertext pairs
, for 0 ≤ j ≤ m-1.
· ·
· ·

60. The Hill Cipher

61. The Hill Cipher
Suppose the plaintext Friday is encrypted to the ciphertext PQCFKU using a Hill Cipher with m = 2.
eK(5, 17) = (15, 16), eK(8, 3) = (2, 5), eK(0, 24) = (10, 20)
We get the matrix equation So

62. The Hill Cipher What would the opponent do if he does not know m?
Assuming that m is not too big, he could simply try m = 2, 3, …. , untill the key found.

63. The LFSR Stream Cipher
Ciphertext is the exclusive-or of the plaintext and the keystream
The keystream is produced from an initial m-tuple, (z0, … , zm-1)=(k0, … , km-1), using the linear recurrence for all i ≥ 0, where

64. The LFSR Stream Cipher Known plaintext attack
From the given paintext string x1x2…xn and the corresponding ciphertext string y1y2…yn, the keystream bits z1z2…zn .
Suppose that opponent knows the value of m
He needs only to compute c0, …, cm-1 .

65. The LFSR Stream Cipher
If n ≥ 2m, then there are m linear equations in m unknowns, which can subsequently be solved.

66. The LFSR Stream Cipher Example Suppose the ciphertext string is
and the plaintext string is
Then the keystream bits are

67. The LFSR Stream Cipher
If m = 5,
Thus zi+5 = (zi+zi+3) mod 2