Introduction: Classical Cryptography
Guevara Noubir http://www.ccs.neu.edu/home/noubir/Courses/CSG252/F04
Textbook: —Cryptography: Theory and Applications“,
Douglas Stinson, Chapman & Hall/CRC Press, 2002
Reading: Chapter 1
Simple Cryptosystems
n Goal:
n Allow two entities (e.g., Alice, and Bob) to communicate over an insecure channel, such that an opponent (e.g., Oscar) cannot understand what is being communicated
Oscar
x y x Alice Encrypt Decrypt Bob
Key Source
CSG252 Classical Cryptography 2
Definition of Cryptosystem
n Definition:
n A cryptosystem is a five-tuple (P, C, K, E, D) s.t. the following conditions are satisfied: 1. P is a finite set of possible plaintexts 2. C is a finite set of possible ciphertexts 3. K, the keyspace, is a finite set of possible keys ∈ 4. For each key k, there exists an encryption rule ek E, and ∈ decryption rule dk E s.t. dk(ek) = Identity
n Encoding a message: → n x = x1x2 … xn y = x1x2 … xn = ek(x1)ek(x2)… ek(xn)
n Note:
n Each encryption function has to be injective
CSG252 Classical Cryptography 3
1 Review of Basics of Modular Arithmetic
n Congruence: n a, b: integers; m: positive integer n a ≡ b mod m iff m divides a-b n a is said to be congruent to b mod m n Example: 101 ≡ 3 mod 7 n Arithmetic modulo m:
n Zm={0, 1, …, m-1}; +, x operations 1.Addition is closed 2.Addition is commutative 3.Addition is associative 4.0 is an additive identity 5.Additive inverse of a is m-a 6.Multiplication is closed 7.Multiplication is commutative 8.Multiplication is associative 9.1 is a multiplicative identity 10.The distributive property is satisfied
n 1-5 Ω Zm is an abelian group n 1-10 Ω Zm is a ring n Other examples of rings: …
CSG252 Classical Cryptography 4
Shift Cipher
n Definition:
n P = C = K = Z26
n ek(x) = (x+k) mod 26
n dk(x) = (x-k) mod 26 n Example:
n k = 3 is often called Caesar Cipher
n Alphabet encoding:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
CSG252 Classical Cryptography 5
Desired Properties of Cryptosystems
n Encryption and Decryption function can be efficiently computed n Given a ciphertext y, it should be —difficult“ for an opponent to identify the encryption key k, and the plaintext x
n How about the security of the shift cipher? n Example:
n Average time to identify the encryption key? n Conclusion about the key space?
CSG252 Classical Cryptography 6
n Definition:
n P = C = Z26 n K: set of all possible permutations of the P
n eπ(x) = π(x)
n dπ(y) = ?
n Example: a b c d e f g h i j k l m n o p q r s t u v w x y z P Y F R Z A L V E M B Q H U C O S G W I N D T K J X
n Key Space: n |K| = ?
CSG252 Classical Cryptography 7
Affine Cipher
n Encryption function of the form:
n e(x) = (ax + b) mod 26
n Conditions on (a, b)?
n Examples:
n (a, b) = (2, 5)
n (a, b) = (3, 5)
CSG252 Classical Cryptography 8
Affine Cipher
n Theorem:
n The congruence ax ≡ b (mod m) has a unique ∈ solution x Zm iff gcd(a, m) = 1
n Definition:
n For a>1, m ≥ 2, if gcd(a, m) = 1 then a and m are said to be relatively prime (co-prime).
n The number of integers in Zm that are relatively prime to m is denoted by φ(m): Euler phi-function (a.k.a totient function).
CSG252 Classical Cryptography 9
3 Affine Cipher
n Theorem: e1 e2 … en φ e1 e1-1 en en-1 n If m = p1 p2 pn Ω (m) = (p1 - p1 )…(pn - pn )
where pi‘s are distinct primes and the ei‘s are strictly positive integers n Corollary:
n The key space of affine ciphers is: mφ(m)
n Definition: ∈ -1 -1 ∈ n For a Zm, we denote by a the multiplicative inverse of a s.t. a Zm and a a-1 ≡ a-1a ≡ 1 mod m
n Theorem:
n a has an inverse iff gcd(a, m) = 1
n If m is prime every element of Zm has an inverse and Zm is called a field
CSG252 Classical Cryptography 10
Affine Cipher
n Definition:
n P = C = Z26 ∈ n K = {(a, b) Z26xZ26 : gcd(a, 26) = 1} n For k = (a, b) ∈ K
n ek(x) = (ax+b) mod m
n dk(y) = ?
n Example:
n k = (7, 3)
CSG252 Classical Cryptography 11
Vigenère Cipher
n Monoalphabetic cryptosystems:
n For a given key: each alphabetic character is mapped to a unique alphabetic Character
n E.g., shift cipher, substitution cipher, affine cipher
n Polyalphabetic crypotosystems
n Vigenere cipher m n m: positive integer; P = C = K = (Z26)
n For k = (k1, k2, …, km):
n ek(x1, …, xm) = (x1+k1, …, xm+km)
n dk(y1, …, ym) = (y1-k1, …, ym-km) n Key space:
CSG252 Classical Cryptography 12
≥ m n m 2 positive integer; P = C = (Z26) n Idea: take m linear combinations of the m alphabetic characters of the plaintext n Example: ≈11 8’ k = ∆ ÷ « 3 7◊
n Condition?
CSG252 Classical Cryptography 13
Hill Cipher
n Definition: m n m: positive integer; P = C = (Z26)
n K = {m x m invertible matrices over Z26}
n ek(x) = xk -1 n dk(y) = yk
n k-1 = ?
n det k = ?
CSG252 Classical Cryptography 14
Permutation Cipher
n Definition: m n m: positive integer; P = C = (Z26) n K = {π: permutation of {1…m}}
n ek(x1, …, xm) = (xπ(1), …, xπ(m))
n dk(y1, …, ym) = (yπ−1 (1), …, yπ−1(m)) n Example:
n Permutation matrix and it‘s inverse
CSG252 Classical Cryptography 15
5 Stream Ciphers
n Block Ciphers: y = y1 y2 … = ek(x1) ek(x2) … n Stream Ciphers:
n Generate a Keystream: z = z1z2… n Encryption: y = y1 y2… = ez1(x1) ez2(x2) … n Synchronous Stream Cipher: n Keystream does not depend on the plaintext n Definition of Synchronous Stream Cipher n A tuple (P, C, K, L, E, D), and a function g s.t.:
n P (resp. C): finite set of possible plaintexts (resp. ciphertexts)
n K: keyspace (finite set of possible keys)
n L: finite set called keystream alphabet ∈ n g: keystream generator s.t. g(k) = z1z2 … where zi L ∀ ∈ ∃ ∈ ∈ ° n z L ez E, dz D s.t. dz ez = Id n Example: Vigenere Cipher as a synchronous stream cipher
CSG252 Classical Cryptography 16
Stream Ciphers (Cont.)
n Periodic Stream Cipher with period d iff: ∀ ≥ n i 1 zi+d = zi n Example:
n Vigenere Cipher with keyword length m is a periodic stream cipher with period m
n Stream ciphers usually have L = Z2:
n ez(x) = (x+z) mod 2
n dz(x) = ?
CSG252 Classical Cryptography 17
Stream Ciphers: LFSR
n Linear Feedback Shift Register (LFSR) can generate a synchronous linear keystream: m−1 = n zi+m ƒc j zi+ j j=0 ∈ n cj Z2, and initializing the registers with k1, k2, km n Properties: n Linearity (linear combination of previous terms) n Degree m (depends only on the previous m terms)
n c0 = 1 n Key is: (k1, k2, …, km, c0, c1, …, cm-1) n (k1, k2, …, km) should be different from (0, 0, …, 0) ≠ n If (c0, c1, …, cm-1) is carefully chosen and (k1, k2, …, km) 0 then the period of the keystream is 2m-1
n Example: m=4, (c0, c1, c2, c3) = (1, 1, 0, 0) n Advantages of LFSR: easy to implement in HW,
CSG252 Classical Cryptography 18
6 Non-Synchronous Stream Cipher
n Example: Autokey Cipher
n P = C = K = L = Z26
n z1 = k; zi = xi-1 (for all i > 1)
n ez(x) = (x+z) mod 26
n dz(y) = (y-z) mod 26
n Drawback?
CSG252 Classical Cryptography 19
Cryptanalysis
n Kerckhoffs‘ Principle: n The opponent knows the cryptosystem being used (no security through obscurity) n Definition of attack models: n Ciphertext only attack
n Known plaintext attack n Chosen plaintext attack
n Chosen ciphertext attack n Objective of the opponent:
n Identify the secret key
CSG252 Classical Cryptography 20
Statistical Cryptanalysis
n Context:
n Cipher-text only attack
n Plaintext ordinary English (no punctuation, space)
n Letters‘ probabilities (Beker and Piper):
n A: 0.082, B: 0.015, C: 0.028, …
n E: 0.120; T, A, O, I, N, S, H, R: [0.06, 0.09]; D, L: 0.04; C, U, M, W, F, G, Y, P, B: [0.015, 0.028]
n V, K, J, X, Q, Z: < [0.01]
n 30 most common digrams: TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI, OF
n 12 most common trigrams: THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH
CSG252 Classical Cryptography 21
7 Cryptanalysis of the Affine Cipher
n Example: n Ciphertext (57 characters)= FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRK DLYEVLRHHRH n Occurences: n R:8; D:7; E, H, K:5, F, S, V:4 n First guess: R: e; D: t n 4a + b = 17; 19a + b = 3 Ω (a, b) = (6, 19) but gcd(a, 26) = 2 > 1 illegal! n Second guess: R: e; E: t Ω a=13 illegal! n Third guess: R: e; H: t Ω illegal! n Fourth guess: R:e; K: t Ω (a, b) = (3, 5) n Results in plaintext = algorithmsarequitegeneraldefinitionsofarithmeticprocesses
CSG252 Classical Cryptography 22
Cryptanalysis of the Substitution Cipher
n Identify possible encryption of e (most common letter)
n t, a, o, i, n, s, h, r: will probably be difficult to differentiate
n Identify possible digrams starting/finishing with e: -e and e-
n Use trigrams
CSG252 Classical Cryptography 23
Cryptanalysis of the Vigenère Cipher
n First step: identify the keyword length (m)
n Kasiski test [Kasiski 1863, Babbage 1854]:
n Observation:
n two identical segments of plaintext are encrypted to the same ciphertext if they are δ positions apart s.t. δ = 0 mod m
n Test:
n Find all identical segments of length > 3 and record the δ δ distance between them: 1, 2, ... δ δ n m divides gcd( 1, 2, ... )
CSG252 Classical Cryptography 24
8 Index of Coincidence to Find keyword Length
n Index of coincidence:
n x = x1x2 … xn; Ic(x) is the probability that two random elements of x are identical n Let f0, f1, …, f26 be the number of occurrences of A, B, …, Z in the string x 25 ≈ f ’ 25 ∆ i ÷ − ƒ∆ ÷ ƒ fi ( fi 1) i=0 « 2 ◊ i=0 n I (x) = = c ≈n’ n(n −1) ∆ ÷ «2◊ n If x is a string of English text:
25 n For a mono-alphabetic cipher I (x) is unchanged ≈ 2 = c Ic (x) ƒ pi 0.065 i=0 n Try m = 1, 2, …
n Decompose y in substrings: y1ym+1y2m+1…; y2ym+2y2m+2…; … n If for all substrings: Ic is close to 0.065 then m might be the length ≈ 2 n If wrong m, then Ic 26 / 26 = 0.038
CSG252 Classical Cryptography 25
Cryptanalysis of the Vigenère Cipher (Cont.)
n Given the keyword length, each substring:
n Length: n‘=n/m
n Encrypted by a shift: k
n Probability distribution of letters: f0/n‘, f1/n‘, …, f25/n‘ n Therefore:
n fk/n‘, fk+1/n‘, …, fk+25/n‘ should be close to p0, …, p25
25 = n Let: M g ƒ p0 f g +i i=0 ≈ n If g = k, Mg 0.065 ≠ n If g k, Mg significantly smaller then 0.065
CSG252 Classical Cryptography 26
Cryptanalysis of the Hill Cipher
n More difficult to break with cipher-text only n Easy with known plaintext n Goal: Find secret Matrix K n Assumption: n Known: m n Known: m distinct plaintext-ciphertext pairs:
n (xi, yi = e(xi)) n xi = (x1i, …, xmi); yi = (y1i, …, ymi) : yi = xi K n Define: Y s.t. rows are yi (similarly X) n Y = XK n If X is invertible Ω K = X-1Y n What if X is not invertible?
CSG252 Classical Cryptography 27
9 Cryptanalysis of the Hill Cipher
n Example: n m = 2; n Plaintext: friday n Ciphertext: PQCFKU
≈5 17’ ≈15 16’ X = ∆ ÷;Y = ∆ ÷ «8 3 ◊ « 2 5 ◊
−1 ≈9 1 ’≈15 16’ K = X Y = ∆ ÷∆ ÷ «2 15◊« 2 5 ◊ ≈7 19’ K = ∆ ÷ «8 3 ◊
n Can be verified using the third plaintext-ciphertext pair
CSG252 Classical Cryptography 28
Cryptanalysis of the LFSR Stream Cipher
n Known-plaintext attack with known m
n Given: x1, …, xn and y1, …, yn
n Need to compute c0, …, cm-1
n x1, …, xn and y1, …, yn allow us to compute z1, …, zn
n If n ≥ 2m we can obtain m linear equations with m
unknowns using: m−1 = zi+m ƒc j zi+ j j=0
CSG252 Classical Cryptography 29
10