1. 1 Ch. 2 Classical Encryption Techniques

2. 2 Contents Symmetric Cipher Model Substitution Techniques Transposition Techniques Rotor Machines Steganography

3. 3 Symmetric Cipher Model Plaintext (or message)- The original message Ciphertext - The coded message Encipher (or encrypt) - Converting plaintext to ciphertext Decipher (or decrypt) - Restoring plaintext from ciphertext Key – Secret input to encryption and decryption.

4. 4 Symmetric Cipher Model Cryptography  A study on creating encryption schemes Cryptanalysis  A study on breaking encryption schemes Cryptology  Cryptograph + Cryptanalysis Cryptographic system (or a cipher)  An encryption scheme

5. 5 Symmetric Cipher Model Two requirements for symmetric ciphers  The encryption algorithm should be strong.  An opponent cannot decrypt a ciphertext and discover the key even if the opponent knows the encryption algorithm.  So, the encryption algorithm does not need to be kept secret.  This feature makes it convenient for widespread use  A secret key should be known only to sender and receiver.  Because if someone has the key, he can decrypt every ciphertext.

6. 6 Plaintext  X= [X 1, X 2, …, X m ] Ciphertext  Y= [Y 1, Y 2, …, Y n ] Formal Notations

7. 7 Secret Key  K= [K 1, K 2, …, K j ] Key source may be either a sender or a third party. Formal Notations

8. 8 Encryption: Y= E K (X) Decryption: X= D K (Y) Formal Notations

9. 9 A cryptanalyst tries to find either the plaintext or the secret key. Formal Notations

10. 10 Cryptography Classification of cryptographic system  The type of encryption operations  Substitution  Each element in the plaintext is mapped into another element.  A  C, B  F, …  Transposition  Elements in the plaintext are rearranged.  message  essgeam

11. 11 Cryptography Classification of cryptographic system  The number of keys  Single-key or secret-key or conventional encryptions  Both sender and receiver use the same key  Two-key or public-key encryptions  Sender and receiver use different keys.

12. 12 Cryptography Classification of cryptographic system  The way in which plaintext is processed  A block cipher  Processes the input one block of elements at a time.  Produces an output block for each input block.  A stream cipher  Processes the input elements continuously.  Produces output one element at a time.

13. 13 Cryptanalysis Types of cryptanalytic attacks  Based on the amount of information known to the cryptanalyst  Ciphertext only  Known plaintext  Chosen plaintext more information  Chosen ciphertext  Chosen text

14. 14 Ciphertext only  Known information  Encryption algorithm  Ciphertext Known plaintext  Known information.  Encryption algorithm  Ciphertext  One or more plaintext-ciphertext pairs Cryptanalysis

15. 15 Chosen plaintext  Known information.  Encryption algorithm  Ciphertext  One or more plaintext-ciphertext pairs where the opponent can choose the plaintext. Chosen ciphertext  Known information.  Encryption algorithm  Ciphertext  One or more plaintext-ciphertext pairs where the opponent can choose the ciphertext. Cryptanalysis

16. 16 Chosen text  Known information.  Encryption algorithm  Ciphertext  One or more plaintext-ciphertext pairs where the opponent can choose either the plaintext or the ciphertext. Cryptanalysis

17. 17 Unconditionally Secure An encryption scheme is unconditionally secure (Stinson)  If the ciphertext does not contain enough information  Ciphertext is generated by encryption scheme and information can be used to determine the uniquely corresponding to the plaintext  then opponent is impossible to decrypt the ciphertext

18. 18 Computationally Secure Computationally secure (stinson)  The cost of breaking the cipher exceeds the value of the encrypted information  The value of the contents of the encrypted original message is not big enough to decrypt  The time required to break the cipher exceeds the useful lifetime of the information  After the decryption, the message is no longer valuable

19. 19 Brute-force Attack Trying every possible key  until an intelligible translation of the ciphertext into plaintext is obtained  On average, half of all possible keys must be tried to achieve success. Key Size (bit)Number of Alternative Keys Time required at 1 encryption/ ㎲ Time required at 10 6 encryptions/ ㎲ 322 32 =4.3×10 9 2 31 ㎲ =35.8 minutes 2.15 milliseconds 56 (DES)2 56 =7.2×10 16 2 55 ㎲ =1142 years 10.01 hours 128 (AES)2 128 =3.4×10 38 2 127 ㎲ =5.4×10 24 years 5.4×10 18 years 168 (Triple DES)2 168 =3.7×10 50 2 167 ㎲ =5.9×10 36 years 5.9×10 30 years 26characters (permutation) 26!=4×10 26 2×10 26 ㎲ =6.4×10 12 years 6.4×10 6 years

20. 20 Contents Symmetric Cipher Model Substitution Techniques  Shift Cipher (Caesar Cipher)  Monoalphabetic Ciphers  Playfair Cipher  Hill Cipher  Polyalphabetic Ciphers  One-Time Pad Transposition Techniques Rotor Machines Steganography

21. 21 Shift Cipher A simple substitution cipher Substitution rule  Circular right shift by k alphabets where k is the key.  When k = 4, A  E, B  F, … X  B, Y  C, Z  D  Encryption of plaintext baby with k = 4 When k = 3, the shift cipher is called Caesar Cipher.

22. 22 Shift Cipher Decryption of ciphertext FEFC  Inverse of encryption Cryptanalysis of shift cipher  Brute-force approach  The key space is too small: only 26 possible keys JBCRCLQRWCRVNBJE NBWRWN 0Jbcrclqrwcrvnbjenbwrwn 1Iabqbkpqvbqumaidmavqvm …… 9astitchintimesavesnine

23. 23 Three important characteristics of to use a brute-force cryptanalysis  What generally makes brute-force cryptanalysis impractical is the use of an algorithm that employs a large number of keys 1.The encryption and decryption algorithms are known. 2.There are only 25 keys to try. 3.The language of the plaintext is known and easily recognizable.

24. 24 Monoalphabetic Cipher Encryption  Substitute each symbol in a plaintext using a permutation. abcdefghijklm XNYAHPOGZQWBT nopqrstuvwxyz SFLRCVMUEKJDI

25. 25 Monoalphabetic Cipher Decryption  Substitute each symbol in a ciphertext using the inverse permutation.  Quiz  MGZVYZLGHCMHJMYXSSFMNHAHYCDLMHA ? The Shift Cipher is a special case of monoalphabetic cipher.

26. 26 Monoalphabetic Cipher Brute-force attack is impossible.  26! possible permutation is available  4 × 10 26 possible keys Key Size (bit)Number of Alternative Keys Time required at 1 encryption/ ㎲ Time required at 10 6 encryptions/ ㎲ 322 32 = 4.3×10 9 2 31 ㎲ =35.8 minutes 2.15 milliseconds 56 (DES)2 56 = 7.2×10 16 2 55 ㎲ =1142 years 10.01 hours 128 (AES)2 128 = 3.4×10 38 2 127 ㎲ =5.4×10 24 years 5.4×10 18 years 168 (Triple DES)2 168 = 3.7×10 50 2 167 ㎲ =5.9×10 36 years 5.9×10 30 years 26 characters26! = 4×10 26 2×10 26 ㎲ =6.4×10 12 years 6.4×10 6 years

27. 27 Attack with frequency information If the cryptanalyst knows the nature of the plaintext, the analyst can exploit the regularities of the language.  Using a standard frequency distribution for English.

28. 28 The 1st step  Determine the relative frequency of the letters in ciphertext and compare them to a standard frequency distribution for English UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ Attack with frequency information P13.33H5.83F3.33B1.67C0.00 Z11.67D5.00W3.33G1.67K0.00 S8.33E5.00Q2.50Y1.67L0.00 U8.33V4.17T2.50I0.83N0.00 O7.50X4.17A1.67J0.83R0.00 M6.67

29. 29 English Letter Frequencies Relative Frequency of Letters in English Text P13.33H5.83F3.33B1.67C0.00 Z11.67D5.00W3.33G1.67K0.00 S8.33E5.00Q2.50Y1.67L0.00 U8.33V4.17T2.50I0.83N0.00 O7.50X4.17A1.67J0.83R0.00 M6.67

30. 30 Comparing this breakdown with Figure 2.5  Cipher text letters P plain letters e  and Z are the equivalent of and t But it is not certain which is which  The letter S,U,O,M and H ⇒ plain letters from the set {a, h, i, n, o, r, s} Attack with frequency information

31. 31 A powerful tool is to look at the frequency of two-letter combinations (as diagram)  The most common such diagram is th  In our ciphertext, the most common diagram is ZW  Guess ZW ⇒ th Most frequent trigrams (three-letter combination)  ZWP appears in the ciphertext, and translate that we sequence as “the” Attack with frequency information

32. 32 2nd step  Notice the sequence ZWSZ in the first line.  it is of the form th_t.  S => a The completed plaintext  it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow Attack with frequency information

33. 33 A countermeasure by Carl Friedrich Gauss  Homophones  The number of symbols assigned to each letter is proportional to the relative frequency of that letter.  The letter e ⇒ 16, 74, 35 and 21  Frequency of each letter is ideal.  But multiple-letter patterns still survive in the ciphertext Attack with frequency information

34. 34 Playfair cipher Two methods to lessen the extent to which the structure of the plaintext survives in the ciphertext.  One is to encrypt multiple letters of plaintext.  The other is to use multiple cipher alphabets.

35. 35 Playfair cipher Key is a 5 x 5 matrix.  Key : MONARCHY  Filling in the letters of the keyword from (minus duplicates) left to right and from top to bottom.  Filling in the remainder of the matrix with the remaining letters in alphabetic order.  The letter I and J count as one letter. MONAR CHYBD EFGI/JK LPQST UVWXZ Treats diagrams (two letter) in the plaintext as single units and translates these units into ciphertext.

36. 36 Playfair cipher Encryption  Each plaintext letter is replaced by the letter that lies in its own row and the column of its pair.  hs : BP  ea ?  IM or JM  If two letters are in the same column or row?  rm ? MONAR CHYBD EFGI/JK LPQST UVWXZ

37. 37 Playfair cipher Two letters in the same row  Replace each letter by the letter to the right, circularly.  ar : RM Two letters in the same column.  Replace each letter by the letter beneath, circularly.  mu : CM Two letters in the pair are the same.  Separate them with a filler letter.  balloon : ba lx lo on MONAR CHYBD EFGI/JK LPQST UVWXZ

38. 38 Playfair cipher The strength of playfair cipher  A great advance over simple Monoalphabetic cipher  26 × 26 =676 diagrams  Making frequency analysis much more difficult.  However, it still leaves much of the structure of the plaintext language.  A few hundred letters of ciphertext are generally sufficient to break Playfair cipher.

39. 39 Playfair cipher

40. 40 Playfair cipher Let know the meaning of the horizontal axis and vertical axis  The number of occurrences of each letter in the text was counter  And the value of each letter was divided by the number of occurrences of the letter e (the most frequently used letter)

41. 41 Hill Cipher Take m successive plaintext letters and substitutes for them m ciphertext letters.

42. 42 Hill Cipher Encryption  key: m x m matrix

43. 43 Hill Cipher Encrypt the plaintext july with k =  We partition july into ju and ly.  ju: (9, 20)  ly: (11, 24)

44. 44 Hill Cipher Decryption  Use the inverse of key matrix

45. 45 Hill Cipher The hill cipher can be difficult to break with a ciphertext- only attack But it succumbs to a known plaintext attack.  Assume that the opponent know the value of m.

46. 46 Suppose he has m distinct plaintext-ciphertext pairs, for 0 ≤ j ≤ m-1. Hill Cipher · ·

47. 47 Hill Cipher

48. 48 Hill Cipher Suppose the plaintext Friday is encrypted to the ciphertext PQCFKU using a Hill Cipher with m = 2.  e K (5, 17) = (15, 16), e K (8, 3) = (2, 5), e K (0, 24) = (10, 20)  We get the matrix equation  So

49. 49 What would the opponent do if he does not know m?  Assuming that m is not too big, he could simply try m = 2, 3, …., untill the key found. Hill Cipher

50. 50 Polyalphabetic Ciphers Another way to improve monoalphabetic ciphers  To use multiple cipher alphabets  Vigenère cipher  A set of shift ciphers are used.

51. 51 Vigenère Cipher Encryption  m = 6, K = (2,8,15,7,4,7) Decryption  Inverse of encryption 197818217241519141824 2815741728157417 21152325680238212215 plaintext key ciphertext

52. 52 Vigenère Cipher Formal Definition  Let m be a positive integer. For a key K = (k 0, k 1, …, k m-1 ), we define e K (x 0, x 1, …, x m-1 ) = ( x 0 + k 0, x 1 + k 1, …, x m-1 + k m-1 ) d K (y 0, y 1, …, y m-1 ) = ( y 0 - k 0, y 1 - k 1, …, y m-1 – k m-1 ) Where all operations are performed in Z 26

53. 53 Vigenère Cipher Cryptanalysis  The number of possible keys  26 m  Exhaustive key search is infeasible if m is not too small.  However, the Vigenère cipher can be cryptanalyzed using the frequency of letters.

54. 54 Vigenère Cipher

55. 55 Vigenère Cipher Encryption  m = 6, K = (2,8,15,7,4,7) We first compute m and then compute K.  Techniques used  Kasiski test  The index of coincidence 197818217241519141824 2815741728157417 21152325680238212215 plaintext key ciphertext

56. 56 Vigenère Cipher Observation: Two identical segments of plaintext will be encrypted to the same ciphertext whenever their occurrence in the plaintext is δ positions apart, where. Kasiski test  Search the ciphertext for pair of identical segments of length at least three.  Record the distance between the starting positions of the two segments  If we obtain several such distances, sayδ 1,δ 2, …,  Then we would conjecture that m divides all of the δ i ’s  Hence m divides the greatest common divisor of theδ i ’s

57. 57 Vigenère Cipher  The distances from the first occurrence to other four occurrences are 165, 235, 275, 285.  The greatest common divisor of these four integers is 5. (very likely keyword length) CHREEVOAHMAERATBIAXXWTNXBEEOPHBSQMQEQERBW RVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAK LXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELX VRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHR ZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJT AMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBI PEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHP WQAIIWXNRMGWOIIFKEE

58. 58 Vigenère Cipher  The index of coincidence  Observe that a completely random string will have  The two values 0.065 and 0.038 are quite apart. letterprobabilityletterprobability A.082N.067 B.015O.075 C.028P.019 D.043Q.001 E.127R.060 F.022S.063 G.020T.091 H.061U.028 I.070V.010 J.002W.023 K.008X.001 L.040Y.020 M.024Z.001

59. 59 Vigenère Cipher Using index of coincidence  Define m substring of y, denoted y 1, y 2, …, y m, y 1 = y 1 y m+1 y 2m+1 … y 2 = y 2 y m+2 y 2m+2 … … y m = y m y 2m y 3m …  If m is indeed the keyword length  Each value I c (y i ) ≈ 0.065.  If m is not the keyword length  The substrings y i will look much more random.  Each value I c (y i ) ≈ 0.038.

60. 60 Vigenère Cipher Computation of indices of coincidence  m = 1, index of coincidence is 0.045  m = 2, we get 0.046 and 0.041  m = 3, we get 0.043, 0.050, and 0.047  m = 4, we get 0.042. 0.039. 0.046, and 0.040  m = 5, we get 0.063, 0.068, 0.069, 0.061, and 0.072

61. 61 Vigenère Cipher How to determine the key K = (k 1, k 2, …, k m ).  Let p’ 0, …, p’ 25 denote the probabilities of A, B, …, Z in the string y i.  Since substring y i is obtained by shift encryption of a subset of the plaintext using a shift k i,  p 0 ≈ p’ 0+k, p 1 ≈ p’ 1+k, …

62. 62 Vigenère Cipher  Compute for all 0 ≤ k ≤ 25.  If k = k i, I ≈ 0.065.  If k ≠ k i, I ≈ 0.038.

63. 63 Vigenère Cipher Y1Y1.035.031.036.037.035.039.028.028.048.061.039.035.040.038.038.044.036.030.042.043.036.033.049.043.041.036.000 Y2Y2.069.044.032.035.044.034.036.033.030.031.042.045.040.045.046.042.037.032.034.037.032.034.043.032.026.047.000 Y3Y3.048.029.042.043.044.034.038.035.032.049.035.031.035.065.035.038.036.045.027.035.034.034.037.035.046.040.000 Y4Y4.045.032.033.038.060.034.034.034.050.033.033.043.040.033.028.036.040.044.037.050.034.034.039.044.038.035.000 Y5Y5.034.031.035.044.047.037.043.038.042.037.033.032.035.037.036.045.032.029.044.072.036.027.030.048.036.037.000 From the data in Table 1.4, the key is likely to be K = (9, 0, 13, 4, 19)

64. 64 Vigenère Cipher Decrytion of the ciphertext The almond tree was in tentative blossom. The days were longer, often ending with magnificent evenings of corrugated pink skies. The hunting season was over, with hounds and guns put away for six months. The vineyards were busy again as the well-organized farm- ers treated their vines and the more lackadaisical neighbors hurried to do the pruning they should have done in November.

65. 65 Autokey system The problem of Vigenère cipher  The periodic nature of the keyword  Vigenère proposed Autokey system  The periodic nature is eliminated by using a nonrepeating keyword.  The keyword is as long as the message itself.  After key is exhausted, keyword is concatenated with the plaintext itsself to provide a running key.

66. 66 Autokey system For example  Easy to break  Because key and plaintext share the same frequency distribution of letters  Statistical technique can be applied.  e enciphered with e would occur with a frequency of (0.1275) 2  0.0163, t enciphered with t would occur with a frequency of (0.0925) 2  0.0086, Key:deceptivewearediscoveredsav Plaintext:wearediscoveredsaveyourself Cipheretxt:ZICVTWQNGKZEIIGASXSTSLVVWLA

67. 67 Vernam cipher The ultimate way to prevented them choosing a keyword  The keyword is as long as the plaintext  And this has no statistical relationship By AT&T engineer named Gilbert Vernam in 1918  This system works on binary data rather than letters

68. 68 Vernam cipher  Encryption Algorithm  Decryption Algorithm  Proposed the use of a running loop of tape  This is eventually repeated the key.  It can be broken with sufficient ciphertext, the use of known or probable plaintext sequences, or both

69. 69 One-Time Pad  Use a random key that was truly as long as the message, with no repetitions  Unbreakable  Because it produce random output that bears no statistical relationship to the plaintext.  And the ciphertext contains no information whatsoever about plaintext

70. 70 One-Time Pad Two different decryptions using two different key  Using a Vigenère cipher scheme with 27 characters  The tableau of Vigenère be expanded to 27 Х27  Suppose that cryptanalyst to find these two keys  Two plausible plaintext are produced  How is the cryptanalyst to decide which is the correct decryption?  If the actual key were produced A truly random fashion,  Thus, there is no way to decide which key is correct

71. 71 One-Time Pad Two fundamental difficulties:  The practical problem of making large quantities of random keys  Any heavily used system might require millions of random characters on a regular basis.  The problem of key distribution and protection  For every message to be sent, a key of equal length is needed by both sender and receiver.  Because of these difficulties, the one-time pad is of limited utility

72. 72 Contents Symmetric Cipher Model Substitution Techniques  Shift Cipher (Caesar Cipher)  Monoalphabetic Ciphers  Playfair Cipher  Hill Cipher  Polyalphabetic Ciphers  One-Time Pad Transposition Techniques Rotor Machines Steganography

73. 73 Rail Fence  The simplest transposition technique  Encryption  Plaintext : meet me after the toga party  Write down as a sequence of diagonals  Read off as a sequence of rows  Ciphertext : mematrhtgpryetefeteoaat  Depth : 2 mematrhtgpry etefeteoaat

74. 74 A more complex scheme  To write the message in a rectangle, row by row, and read the message off column by column  n ⅹ m matrix A pure transposition cipher is easily recognized  It has the same letter frequencies as the original plaintext. key : 4 3 1 2 5 6 7 plaintext : a t t a c k p o s t p o n e d u n t i l t w o a m x y z ciphertext: TTNAAPTMTSUOAODWCOIXKNIYPETZ

75. 75 A more complex scheme The transposition cipher can be made significantly more secure by performing more than one stage of transposition.  Message is re-encrypted using the same algorithm. key : 4 3 1 2 5 6 7 plaintext : t t n a a p t m t s u o a o d w c o i x k n l y p e t z ciphertext: NSCYAUOPTTWLTMDNAOIEPAXTTOKZ key : 4 3 1 2 5 6 7 plaintext : a t t a c k p o s t p o n e d u n t i l t w o a m x y z ciphertext: TTNAAPTMTSUOAODWCOIXKNIYPETZ

76. 76 To visualize the result of this double transposition  Designate the letters in the original plaintext message by the numbers designating their position.  After the first transposition  Which has a somewhat regular structure  But after the second transposition

77. 77 Rotor Machine Multiple stages of substitution The basic principle  Set of independently rotating cylinders  Each cylinder has 26 input pins and 26 output pins

78. 78 Rotor Machine  If we associate each input and output with a letter of the alphabet  A single cylinder defines a monoalphabetic substitution  The cylinder rotates one position after an encryption of a letter.  The internal connection are shifted accordingly  Thus, a different monoalphabetic substitution cipher is defined

79. 79 Rotor Machine  After 26 letters, the cylinder would be back to the initial  Polyalphabetic permutation algorithm with period of 26  The output of one cylinder are connected to the input of the next

80. 80 Rotor Machine  The one farthest rotates one pin position with each keystroke  For every complete rotation of the outer cylinder, the middle cylinder rotates one pin position  For every complete rotation of the middle cylinder, the inner cylinder rotates one pin position  26 ⅹ 26 ⅹ 26 = 17,576

81. 81 Rotor Machine (Cont.)

82. 82 Steganography Steganography conceal the existence of the message

83. 83 STEGANOGRAPHY A simple form of steganography  For example  The sequence of first letters of each word of overall message spells out the hidden message  An example in which a subset of the words of the overall message is used to convey the hidden message

84. 84 STEGANOGRAPHY Classic techniques  Character marking : selected letters of printed or typewritten text are overwritten in pencil (light)  Invisible ink  Pin punctures : small pin punctures on selected letters (light)  Typewriter correction ribbon : Used between lines typed with a black ribbon, the results of typing with correction tape are visible only under a strong light.

85. 85 STEGANOGRAPHY Modern techniques  Using the Least Significant Bits (LSB) of frames on a CD  For example  Kodak Photo CD format’s maximum resolution is 2048 by 3072 pixels  Each pixel contains 24 bits of RGB color information.  LSB of each 24-bit pixel can be changed without greatly affecting the quality of the image.  The result, you can hide a 2.3-megabyte message in a single digital snapshot

86. 86 STEGANOGRAPHY Drawbacks of steganography  A lot of overhead to hide a relatively few bits of information  Once the system is discovered, it becomes virtually worthless  Alternatively, a message can be first encrypted and then hidden using steganography Advantage of steganography  To lose the fact of parties of secret communication be discovered