Classical Cryptography


Classical Cryptography Prof. Heejin Park

Overview Classical cryptosystems The Shift Cipher The Affine Cipher The Substitution Cipher The Vigenère Cipher The Hill Cipher The Permutation Cipher Stream Ciphers Cryptanalysis of some classical cryptosystems

The Shift Cipher Encryption of plaintext wewillmeet with K = 11: convert each character to an integer, add 11 mod 26 to each value, and convert each value to its corresponding character.
plaintext letter:   w  e  i  l  m  t
integer value:      22 4  8  11 12 19
value + 11 mod 26:  7  15 19 22 23 4
ciphertext letter:  h  p  t  w  x  e

The Shift Cipher Decryption of ciphertext hphtwwxppe: the inverse of encryption. Cryptanalysis of the shift cipher: exhaustive key search. The key space is too small: only 26 possible keys.
JBCRCLQRWCRVNBJENBWRWN
jbcrclqrwcrvnbjenbwrwn
1 iabqbkpqvbqumaidmavqvm
…
9 astitchintimesavesnine

The Affine Cipher Encryption Encryption of hot using
Since h, o, t are the 7th, 14th, and 19th characters, (7 × 7 + 3) mod 26 = 52 mod 26 = 0, (7 × 14 + 3) mod 26 = 101 mod 26 = 23, and (7 × 19 + 3) mod 26 = 136 mod 26 = 6. If a = 1, it becomes a Shift Cipher.

The Affine Cipher Encryption Decryption a should be an integer such that $a^{-1}$ exists. $a^{-1}$ exists if and only if a and 26 are relatively prime. 12 integers: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25

The Affine Cipher Cryptanalysis The exhaustive key search: count the number of keys. Number of a's? 12: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25. Number of b's? 26, because b can be any integer among 0, 1, …, 25. We have 12 × 26 = 312 keys.

The Affine Cipher Cryptanalysis If the modulus is large, the exhaustive key search is infeasible. However, the Affine Cipher can be easily cryptanalyzed by other methods.

The Substitution Cipher Encryption Substitute each symbol in a plaintext using a permutation.
a b c d e f g h i j k l m
X N Y A H P O G Z Q W B T
n o p q r s t u v w x y z
S F L R C V M U E K J D I

The Substitution Cipher Decryption Substitute each symbol in a ciphertext using the inverse permutation. Quiz MGZVYZLGHCMHJMYXSSFMNHAHYCDLMHA ? The Shift Cipher is a special case of the Substitution Cipher. Is the Affine Cipher a special case of the Substitution Cipher?

The Substitution Cipher Cryptanalysis An exhaustive key search is infeasible. The number of possible permutations is 26! ($> 4 \times 10^{26}$). However, the Substitution Cipher can be cryptanalyzed by other methods.

The Vigenère Cipher Monoalphabetic cryptosystems The Shift Cipher and the Substitution Cipher. Each character is mapped to one character. Polyalphabetic cryptosystems The Vigenère Cipher A character can be mapped to one of characters.

The Vigenère Cipher Encryption and decryption with m = 6, K = (2,8,15,7,4,7). Decryption: inverse of encryption.
[Figure: worked example with plaintext, key and ciphertext rows; surviving values: 19 7 8 18 2 17 24 15 14 4 21 23 25 6 22]

The Vigenère Cipher Formal Definition Let m be a positive integer. Define $\mathcal{P} = \mathcal{C} = \mathcal{K} = (Z_{26})^m$. For a key $K = (k_0, k_1, \ldots, k_{m-1})$, we define
$e_K(x_0, x_1, \ldots, x_{m-1}) = (x_0 + k_0, x_1 + k_1, \ldots, x_{m-1} + k_{m-1})$
$d_K(y_0, y_1, \ldots, y_{m-1}) = (y_0 - k_0, y_1 - k_1, \ldots, y_{m-1} - k_{m-1})$
where all operations are performed in $Z_{26}$.

The Vigenère Cipher Cryptanalysis The number of possible keys Exhaustive key search is infeasible if m is not too small. However, the Vigenère cipher can be cryptanalyzed by other methods.

The Hill Cipher Encryption key: m x m matrix

The Hill Cipher Encrypt the plaintext july with k = We partition july into ju and ly. ju: (9, 20) ly: (11, 24)

The Hill Cipher Decryption Use the inverse of key matrix

The Permutation Cipher Encryption key: a permutation of size m. A permutation where m = 6: 2 4 5 3 1
plaintext:  shesellsseashellsbytheseashore
positions:  012345
blocks:     shesel lsseas hellsb ythese ashore
ciphertext: EESLSH SALSES LSHBLE HSYEET HRAEOS

The Permutation Cipher Decryption Use the inverse permutation of the key The Permutation Cipher is a special case of the Hill Cipher. 2 4 5 3 1

Stream Ciphers Block ciphers: each plaintext element is encrypted using the same key K. Stream ciphers: plaintext elements are encrypted using a key stream.

Stream Ciphers Key stream construction. Synchronous stream ciphers: the key stream is constructed from the key. Non-synchronous stream ciphers: the key stream is constructed from the key, the plaintext, or the ciphertext.

Synchronous Ciphers The Vigenère Cipher is a kind of stream cipher. Encryption The is a synchronous stream cipher whose keystream is z1z2… such that

Synchronous Ciphers A stream cipher is a periodic stream cipher with period d if for all i ≥ 0. The Vigenère Cipher is a periodic stream cipher with period m. Stream ciphers are often described in terms of binary alphabets ($\mathcal{P} = \mathcal{C} = \mathcal{K} = Z_2$). The encryption/decryption operations are then just exclusive-or.

Synchronous Ciphers A method for generating a binary key stream $z_0 z_1 \ldots$ Initialize $z_0 \ldots z_{m-1}$ using a binary tuple $(k_0, \ldots, k_{m-1})$: $z_0 = k_0, z_1 = k_1, \ldots, z_{m-1} = k_{m-1}$. Generate $z_m z_{m+1} \ldots$ using a linear recurrence of degree m for all i ≥ 0, where are specified constant

Synchronous Ciphers Example m = 4 and the keystream is generated using If starting with (1, 0, 0, 0), the keystream is 10001001… If starting with (0, 0, 0, 0), the keystream is 00000000… So, the zero vector should be avoided for the key. If is chosen carefully, the period of the key stream can be $2^m - 1$.

Synchronous Ciphers LFSR (Linear feedback shift register) Use a shift register with m stages. The vector (k1, … , km) is used to initialize the shift register. At each time unit, the following operations are performed: k1 becomes the next keystream bit; k2, … , km are shifted to the left; the “new” value of km becomes
[Figure: shift register with stages K1 K2 K3 K4]

Non-synchronous stream cipher Autokey Cipher z0 = K , z1 = x0, z2 = x1,… zi = xi-1… Encryption Decryption

Non-synchronous stream cipher K = 8 and the plaintext is rendezvous. Convert the plaintext to integers, form the keystream, and add corresponding elements modulo 26. Ciphertext is VRQHDUJIM
plaintext:  17 4 13 3 4 25 21 14 20 18
keystream:  8 17 4 13 3 4 25 21 14 20
ciphertext: 25 21 7 16 7 3 20 9 8 12

Non-synchronous stream cipher Decryption 25 21 7 16 7 3 20 9 8 12

Overview Classical cryptosystems The Shift Cipher The Affine Cipher The Substitution Cipher The Vigenère Cipher The Hill Cipher The Permutation Cipher Stream Ciphers Cryptanalysis of some classical cryptosystems The LFSR Stream Ciphers

Cryptanalysis In general, it is assumed that the opponent knows the cryptosystem being used. Cryptanalysis Full cryptanalysis Find the key, i.e., generate the ciphertext string for any plaintext string. Partial cryptanalysis Generate the ciphertext strings for some plaintext strings.

Attacks
Ciphertext only attack: The opponent can see the ciphertext strings.
Known plaintext attack: The opponent can see some plaintext strings and their ciphertext strings.
Chosen plaintext attack: The opponent has temporary access to the encryption machinery. Hence he can choose some plaintext strings and construct their ciphertext strings.
Chosen ciphertext attack: The opponent has temporary access to the decryption machinery. Hence he can choose some ciphertext strings and construct their plaintext strings.

English Text The frequency of each character: E: about 12%; T, A, O, I, N, S, H, R: 6-9%; D, L: about 4%; C, U, M, W, F, G, Y, P, B: 1.5%-2.8%; V, K, J, X, Q, Z: < 1%
letter probability    letter probability
A .082                N .067
B .015                O .075
C .028                P .019
D .043                Q .001
E .127                R .060
F .022                S .063
G .020                T .091
H .061                U
I .070                V .010
J .002                W .023
K .008                X
L .040                Y
M .024                Z

English Text It is also useful to consider sequences of two or three consecutive letters, called digrams and trigrams.
The 30 most common digrams are TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, OF
The twelve most common trigrams are THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH

The Affine Cipher Ciphertext only attack Suppose the opponent has intercepted the following ciphertext:
FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDK
APRKDLYEVLRHHR
Frequency of occurrence of the 26 ciphertext letters (entries that survive in the transcript): A 2, B 1, D 7, F 4, H 5, N 1, R 8, S 3, U 2, V 4

The Affine Cipher The most frequent ciphertext characters are R (8 occurrences), D (7 occurrences), E, H, K (5 occurrences each), and F, S, V (4 occurrences each). First guess: eK(e)=R, eK(t)=D. We have eK(4)=17 and eK(19)=3. Recall that eK(x)=ax+b, where a and b are unknowns, so 4a + b = 17 and 19a + b = 3. This system has the unique solution a = 6, b = 19 (in Z26), but this is an illegal key, since gcd(a, 26) = 2 > 1.

The Affine Cipher Guess: eK(e)=R and eK(t)=E. Obtain a = 13, which is again illegal. Guess: eK(e)=R and eK(t)=H. This yields a = 8, again impossible. Guess: eK(e)=R and eK(t)=K. This produces a = 3, b = 5, which is at least a legal key. K = (3, 5). Perform decryption: the given ciphertext decrypts to yield algorithmsarequitegeneraldefinitionsofarithmeticprocesses
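The guess-and-solve procedure of the last two slides, as an added Python example (not part of the original presentation). Function names are illustrative; the ciphertext is copied from the transcript, where it is one letter shorter than the 57-letter plaintext shown.

```python
from collections import Counter
from math import gcd

# Ciphertext exactly as it appears in the transcript (56 letters).
CIPHERTEXT = "FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHR"


def num(ch):
    """Letter -> integer in Z26 (a = 0, ..., z = 25)."""
    return ord(ch.lower()) - ord("a")


def solve_key(p1, c1, p2, c2):
    """All (a, b) in Z26 x Z26 with a*p1 + b = c1 and a*p2 + b = c2 (mod 26)."""
    x1, y1, x2, y2 = num(p1), num(c1), num(p2), num(c2)
    return [(a, b) for a in range(26) for b in range(26)
            if (a * x1 + b) % 26 == y1 and (a * x2 + b) % 26 == y2]


def is_legal(a):
    """A key is usable only if a is invertible modulo 26."""
    return gcd(a, 26) == 1


def decrypt(ciphertext, a, b):
    a_inv = pow(a, -1, 26)  # exists because gcd(a, 26) = 1
    return "".join(chr(a_inv * (num(c) - b) % 26 + ord("a")) for c in ciphertext)


def attack(ciphertext):
    """Assume e -> most frequent ciphertext letter, then try t -> each other
    letter in descending frequency. Returns the first legal key and the log
    of attempts; a legal key still has to be confirmed by reading the output."""
    ranked = [c for c, _ in sorted(Counter(ciphertext).items(),
                                   key=lambda kv: (-kv[1], kv[0]))]
    attempts = []
    for guess_t in ranked[1:]:
        for a, b in solve_key("e", ranked[0], "t", guess_t):
            attempts.append((guess_t, a, b, is_legal(a)))
            if is_legal(a):
                return (a, b), attempts
    return None, attempts


if __name__ == "__main__":
    key, attempts = attack(CIPHERTEXT)
    for guess_t, a, b, legal in attempts:
        print(f"e->R, t->{guess_t}: a={a}, b={b}, legal={legal}")
    print(decrypt(CIPHERTEXT, *key))
```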

The Substitution Cipher Ciphertext only attack Ciphertext obtained from a substitution cipher:
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR
Frequency of each ciphertext letter (entries that survive in the transcript): B 1, C 15, D 13, E 7, H 4, I 5, J 11, M 16, N 9, P 1, Q 4, R 10, S 3, T 2, U 5, W 8, X 6, Z 20

The Substitution Cipher Z occurs significantly more often than the others. We might conjecture that eK(e)=Z. C, D, F, J, M, R, Y occur at least ten times. We might expect that these letters are encryptions of t, a, o, i, n, s, h, r. But the frequencies do not vary enough to tell us what the correspondence might be.

The Substitution Cipher We might look at digrams, especially those of the form –Z or Z–. The most common digrams of this type are DZ and ZW (four times each); NZ and ZU (three times each); and RZ, HZ, XZ, FZ, ZR, ZV, ZC, ZD and ZJ (twice each). ZW occurs four times and WZ not at all, and W occurs less often than many other characters. The common digrams e– are ER, ED, ES, EN, EA, ET; excluding the frequent letters {t, a, o, i, n, s, h, r}, we might guess that dK(W) = d. DZ occurs four times and ZD occurs twice. The common digrams –e are HE (EH does not occur), RE, SE, TE.

The Substitution Cipher We proceed on the assumption that dK(Z) = e and dK(W) = d. ZRW (e-d) and RZW (-ed) both occur near the beginning of the ciphertext, and RW (-d) occurs again later on. Since R occurs frequently in the ciphertext and nd is a common digram, we might try dK(R) = n as the most likely possibility.
------end---------e----ned---e------------
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
--------e----e---------n--d---en----e----e
NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
-e---n------n------ed---e---e--ne-nd-e-e--
NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed-----n------------e----ed-------d---e--n
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

The Substitution Cipher The next step might be to try dK(N) = h: NZ (he) is a common digram and ZN (eh) is not. (The common digrams –e are HE (EH does not occur), RE, SE, TE.) So, dK(N) = h. If this is correct, then the segment of plaintext ne-ndhe suggests that dK(C) = a: ZC (e-) is a common digram and CZ (-e) is not.
------end-----a---e-a--nedh--e------a-----
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
h-------ea---e-a---a---nhad-a-en--a-e-h--e
NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
he-a-n------n------ed---e---e--neandhe-e--
NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed-a---nh---ha---a-e----ed-----a-d--he--n
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

The Substitution Cipher We might consider M, the second most common ciphertext character. The ciphertext segment RNM, which we believe decrypts to nh-, suggests that h- begins a word, so M probably represents a vowel. We have already accounted for a and e; of the expected letters {t, a, o, i, n, s, h, r}, we expect that dK(M) = i or o. Since ai is a much more likely digram than ao, we try dK(M) = i first.
-----iend-----a-i-e-a-inedhi-e------a---i-
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
h-----i-ea-i-e-a---a-i-nhad-a-en--a-e-hi-e
NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
he-a-n-----in-i----ed---e---e-ineandhe-e--
NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed-a---inhi--hai--a-e-i--ed-----a-d--he--n
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

The Substitution Cipher Next, we might try to determine which letter is encrypted to o. Since o is a common letter, we guess that it is one of D, F, J, Y (the characters occurring at least ten times are C, D, F, J, M, R, Y). Y seems to be the most likely possibility; otherwise we would get long strings of vowels, namely aoi from CFM or CJM. Hence, let's suppose dK(Y) = o. The three most frequent remaining ciphertext letters are D, F, J, which we conjecture could decrypt to r, s, t in some order. Two occurrences of the trigram NMD (hi-) suggest that dK(D) = s, giving the trigram his in the plaintext. The segment HNCMF could be an encryption of chair, which would give dK(F) = r (and dK(H) = c). So, by process of elimination, we would then have dK(J) = t.

The Substitution Cipher Now, we have
o-r-riend-ro--arise-a-inedhise--t---ass-it
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
hs-r-riseasi-e-a-orationhadta-en--ace-hi-e
NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
he-asnt-oo-in-i-o-redso-e-ore-ineandhesett
NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed-ac--inhischair-aceti-ted--to-ardsthes-n
XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR
The complete decryption is: Our friend from Paris examined his empty glass with surprise, as if evaporation had taken place while he wasn’t looking. I poured some more wine and he settled back in his chair, face tilted up towards the sun.

The Vigenère Cipher We first compute m and then compute K. Techniques used: the Kasiski test and the index of coincidence.
[Figure: encryption example with m = 6, K = (2,8,15,7,4,7) and plaintext, key and ciphertext rows; surviving values: 19 7 8 18 2 17 24 15 14 4 21 23 25 6 22]

The Vigenère Cipher Observation: Two identical segments of plaintext will be encrypted to the same ciphertext whenever their occurrence in the plaintext is δ positions apart, where . Kasiski test: Search the ciphertext for pairs of identical segments of length at least three. Record the distance between the starting positions of the two segments. If we obtain several such distances, say δ1, δ2, …, then we would conjecture that m divides all of the δi’s. Hence m divides the greatest common divisor of the δi’s.

The Vigenère Cipher CHREEVOAHMAERATBIAXXWTNXBEEOPHBSQMQEQERBW RVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAK LXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELX VRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHR ZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJT AMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBI PEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHP WQAIIWXNRMGWOIIFKEE The distances from the first occurrence to other four occurrences are 165, 235, 275, 285. The greatest common divisor of these four integers is 5. (very likely keyword length)

The Vigenère Cipher The index of coincidence Observe that a completely random string will have The two values 0.065 and 0.038 are quite far apart. (The slide repeats the table of English letter probabilities from the English Text slide.)

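The Vigenère Cipher Using index of coincidence Define m substrings of y, denoted $\mathbf{y}_1, \mathbf{y}_2, \ldots, \mathbf{y}_m$:
$\mathbf{y}_1 = y_1 y_{m+1} y_{2m+1} \cdots$
$\mathbf{y}_2 = y_2 y_{m+2} y_{2m+2} \cdots$
…
$\mathbf{y}_m = y_m y_{2m} y_{3m} \cdots$
If m is indeed the keyword length, each value $I_c(\mathbf{y}_i) \approx 0.065$. If m is not the keyword length, the substrings $\mathbf{y}_i$ will look much more random, and each value $I_c(\mathbf{y}_i) \approx 0.038$.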

The Vigenère Cipher Computation of indices of coincidence
m = 1: index of coincidence is 0.045
m = 2: we get 0.046 and 0.041
m = 3: we get 0.043, 0.050, and 0.047
m = 4: we get 0.042, 0.039, 0.046, and 0.040
m = 5: we get 0.063, 0.068, 0.069, 0.061, and 0.072

The Vigenère Cipher How to determine the key $K = (k_1, k_2, \ldots, k_m)$. Let $p'_0, \ldots, p'_{25}$ denote the probabilities of A, B, …, Z in the string $\mathbf{y}_i$. Since substring $\mathbf{y}_i$ is obtained by shift encryption of a subset of the plaintext using a shift $k_i$, $p_0 \approx p'_{0+k}$, $p_1 \approx p'_{1+k}$, …

The Vigenère Cipher Compute for all 0 ≤ k ≤ 25. If k ≠ ki, I ≈ 0.038.

The Vigenère Cipher
Y1 .035 .031 .036 .037 .035 .039 .028 .028 .048 .061 .039 .035 .040 .038 .038 .044 .036 .030 .042 .043 .036 .033 .049 .043 .041 .036 .000
Y2 .069 .044 .032 .035 .044 .034 .036 .033 .030 .031 .042 .045 .040 .045 .046 .042 .037 .032 .034 .037 .032 .034 .043 .032 .026 .047 .000
Y3 .048 .029 .042 .043 .044 .034 .038 .035 .032 .049 .035 .031 .035 .065 .035 .038 .036 .045 .027 .035 .034 .034 .037 .035 .046 .040 .000
Y4 .045 .032 .033 .038 .060 .034 .034 .034 .050 .033 .033 .043 .040 .033 .028 .036 .040 .044 .037 .050 .034 .034 .039 .044 .038 .035 .000
Y5 .034 .031 .035 .044 .047 .037 .043 .038 .042 .037 .033 .032 .035 .037 .036 .045 .032 .029 .044 .072 .036 .027 .030 .048 .036 .037 .000

The Vigenère Cipher From the data in Table 1.4, the key is likely to be K = (9, 0, 13, 4, 19). Decryption of the ciphertext: The almond tree was in tentative blossom. The days were longer, often ending with magnificent evenings of corrugated pink skies. The hunting season was over, with hounds and guns put away for six months. The vineyards were busy again as the well-organized farmers treated their vines and the more lackadaisical neighbors hurried to do the pruning they should have done in November.
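The Kasiski test, the index-of-coincidence check and the per-column shift recovery from the preceding slides, combined in one added Python example (not part of the original presentation). It re-encrypts the plaintext above with K = (9, 0, 13, 4, 19) to obtain the ciphertext, and it assumes the usual values for the U, X, Y and Z probabilities, which are missing from the transcript; function names are illustrative.

```python
import re
from collections import Counter
from functools import reduce
from math import gcd

# English letter probabilities for A..Z. The U, X, Y and Z entries did not
# survive in the transcript; .028, .001, .020, .001 are assumed here.
P = [.082, .015, .028, .043, .127, .022, .020, .061, .070, .002, .008, .040, .024,
     .067, .075, .019, .001, .060, .063, .091, .028, .010, .023, .001, .020, .001]

# Plaintext and key as given on the slide; spaces and punctuation are stripped.
PLAINTEXT = re.sub("[^a-z]", "", """
the almond tree was in tentative blossom the days were longer often ending
with magnificent evenings of corrugated pink skies the hunting season was
over with hounds and guns put away for six months the vineyards were busy
again as the well organized farmers treated their vines and the more
lackadaisical neighbors hurried to do the pruning they should have done in
november""")
KEY = (9, 0, 13, 4, 19)


def encrypt(pt, key):
    return "".join(chr((ord(c) - 97 + key[i % len(key)]) % 26 + 65)
                   for i, c in enumerate(pt))


def decrypt(ct, key):
    return "".join(chr((ord(c) - 65 - key[i % len(key)]) % 26 + 97)
                   for i, c in enumerate(ct))


CIPHERTEXT = encrypt(PLAINTEXT, KEY)


def kasiski(ct, segment):
    """Distances from the first occurrence of `segment` to each later one."""
    starts = [m.start() for m in re.finditer(f"(?={segment})", ct)]
    return [s - starts[0] for s in starts[1:]]


def index_of_coincidence(s):
    n = len(s)
    return sum(f * (f - 1) for f in Counter(s).values()) / (n * (n - 1))


def guess_period(ct, max_m=10, threshold=0.06):
    """Smallest m whose m substrings have an average index near 0.065."""
    for m in range(1, max_m + 1):
        if sum(index_of_coincidence(ct[i::m]) for i in range(m)) / m >= threshold:
            return m
    return None


def recover_shift(column):
    """Shift g that maximises sum_i p_i * f_(i+g) / n' for one substring."""
    f, n = Counter(ord(c) - 65 for c in column), len(column)
    return max(range(26),
               key=lambda g: sum(P[i] * f[(i + g) % 26] for i in range(26)) / n)


def break_vigenere(ct):
    m = guess_period(ct)
    return tuple(recover_shift(ct[i::m]) for i in range(m))


if __name__ == "__main__":
    distances = kasiski(CIPHERTEXT, "CHR")
    print(distances, reduce(gcd, distances), break_vigenere(CIPHERTEXT))
```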

The Hill Cipher Encryption key K: m x m matrix. The Hill Cipher can be difficult to break with a ciphertext-only attack, but it succumbs to a known plaintext attack. Assume that the opponent knows the value of m.

The Hill Cipher Suppose he has m distinct plaintext-ciphertext pairs , for 0 ≤ j ≤ m-1. · · · ·

The Hill Cipher

The Hill Cipher Suppose the plaintext Friday is encrypted to the ciphertext PQCFKU using a Hill Cipher with m = 2. eK(5, 17) = (15, 16), eK(8, 3) = (2, 5), eK(0, 24) = (10, 20) We get the matrix equation So
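An added Python example (not from the original presentation) of the known-plaintext attack for m = 2, run on the friday / PQCFKU pairs above. It assumes the row-vector convention y = xK, so that K = X^-1 Y for an invertible matrix X of plaintext rows; function names are illustrative.

```python
from itertools import combinations
from math import gcd


def to_blocks(text, m=2):
    """Split text into m-tuples of integers in Z26 (a = 0, ..., z = 25)."""
    nums = [ord(c) - ord("a") for c in text.lower()]
    return [tuple(nums[i:i + m]) for i in range(0, len(nums), m)]


def inverse_2x2(M, n=26):
    """Inverse of a 2x2 matrix modulo n, or None if det is not invertible."""
    (a, b), (c, d) = M
    det = (a * d - b * c) % n
    if gcd(det, n) != 1:
        return None
    det_inv = pow(det, -1, n)
    return [[det_inv * d % n, -det_inv * b % n],
            [-det_inv * c % n, det_inv * a % n]]


def matmul(A, B, n=26):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % n
             for j in range(len(B[0]))] for i in range(len(A))]


def recover_key(plaintext, ciphertext):
    """Pick two plaintext blocks that form an invertible X, solve Y = XK for K,
    and accept K only if it maps every known plaintext block to its ciphertext."""
    xs, ys = to_blocks(plaintext), to_blocks(ciphertext)
    for i, j in combinations(range(len(xs)), 2):
        X_inv = inverse_2x2([list(xs[i]), list(xs[j])])
        if X_inv is None:
            continue  # these two blocks do not determine K; try another pair
        K = matmul(X_inv, [list(ys[i]), list(ys[j])])
        if all(matmul([list(x)], K)[0] == list(y) for x, y in zip(xs, ys)):
            return K
    return None


if __name__ == "__main__":
    print(to_blocks("friday"), to_blocks("PQCFKU"))
    print(recover_key("friday", "PQCFKU"))
```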

The Hill Cipher What would the opponent do if he does not know m? Assuming that m is not too big, he could simply try m = 2, 3, …, until the key is found.

The LFSR Stream Cipher Ciphertext is the exclusive-or of the plaintext and the keystream The keystream is produced from an initial m-tuple, (z0, … , zm-1)=(k0, … , km-1), using the linear recurrence for all i ≥ 0, where

The LFSR Stream Cipher Known plaintext attack From the given plaintext string x1x2…xn and the corresponding ciphertext string y1y2…yn, the opponent can compute the keystream bits z1z2…zn. Suppose that the opponent knows the value of m. He needs only to compute c0, …, cm-1.

The LFSR Stream Cipher If n ≥ 2m, then there are m linear equations in m unknowns, which can subsequently be solved.

The LFSR Stream Cipher Example Suppose the ciphertext string is 10110 10111 10011 and the plaintext string is 01100 11111 11000 Then the keystream bits are 11010 01000 01010

The LFSR Stream Cipher If m = 5, Thus $z_{i+5} = (z_i + z_{i+3}) \bmod 2$
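The known-plaintext attack on the LFSR keystream, as an added Python example (not part of the original presentation). It takes the keystream bits listed on the example slide, solves the m linear equations over Z2 by Gaussian elimination, and regenerates the keystream from the recovered constants; function names are illustrative.

```python
def bits(s):
    """Parse a string of 0/1 characters, ignoring the grouping spaces."""
    return [int(c) for c in s if c in "01"]


# Keystream bits as listed on the example slide (plaintext XOR ciphertext).
KEYSTREAM = bits("11010 01000 01010")


def recover_taps(z, m):
    """Solve z[i+m] = sum_j c[j] * z[i+j] (mod 2), i = 0..m-1, for c[0..m-1].
    Needs at least 2m keystream bits and an invertible coefficient matrix."""
    if len(z) < 2 * m:
        raise ValueError("need at least 2m keystream bits")
    # Augmented rows [z_i ... z_(i+m-1) | z_(i+m)].
    rows = [z[i:i + m] + [z[i + m]] for i in range(m)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if rows[r][col]), None)
        if pivot is None:
            raise ValueError("system is singular for this m")
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [rows[i][m] for i in range(m)]


def lfsr(init, taps, n):
    """First n keystream bits from the initial m-tuple and constants c."""
    z = list(init)
    while len(z) < n:
        z.append(sum(c & b for c, b in zip(taps, z[-len(taps):])) % 2)
    return z[:n]


def predict(known, m, n):
    """Extend 2m known keystream bits to n bits using the recovered constants."""
    return lfsr(known[:m], recover_taps(known, m), n)


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


if __name__ == "__main__":
    print(recover_taps(KEYSTREAM, 5))       # constants c0..c4
    print(predict(KEYSTREAM[:10], 5, 15))   # keystream rebuilt from 10 bits
```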