Introduction: Classical Cryptography

Guevara Noubir http://www.ccs.neu.edu/home/noubir/Courses/CSG252/F04

Textbook: —Cryptography: Theory and Applications“,

Douglas Stinson, Chapman & Hall/CRC Press, 2002

Reading: Chapter 1

Simple Cryptosystems

n Goal:

n Allow two entities (e.g., Alice, and Bob) to communicate over an insecure channel, such that an opponent (e.g., Oscar) cannot understand what is being communicated

Oscar

x y x Alice Encrypt Decrypt Bob

k Secure Channel

Key Source

CSG252 Classical Cryptography 2

Definition of Cryptosystem

n Definition:

n A cryptosystem is a five-tuple (P, C, K, E, D) s.t. the following conditions are satisfied: 1. P is a finite set of possible plaintexts 2. C is a finite set of possible ciphertexts 3. K, the keyspace, is a finite set of possible keys ∈ 4. For each key k, there exists an encryption rule ek E, and ∈ decryption rule dk E s.t. dk(ek) = Identity

n Encoding a message: → n x = x1x2 … xn y = x1x2 … xn = ek(x1)ek(x2)… ek(xn)

n Note:

n Each encryption function has to be injective

CSG252 Classical Cryptography 3

1 Review of Basics of Modular Arithmetic

n Congruence: n a, b: integers; m: positive integer n a ≡ b mod m iff m divides a-b n a is said to be congruent to b mod m n Example: 101 ≡ 3 mod 7 n Arithmetic modulo m:

n Zm={0, 1, …, m-1}; +, x operations 1.Addition is closed 2.Addition is commutative 3.Addition is associative 4.0 is an additive identity 5.Additive inverse of a is m-a 6.Multiplication is closed 7.Multiplication is commutative 8.Multiplication is associative 9.1 is a multiplicative identity 10.The distributive property is satisfied

n 1-5 Ω Zm is an abelian group n 1-10 Ω Zm is a ring n Other examples of rings: …

CSG252 Classical Cryptography 4

Shift Cipher

n Definition:

n P = C = K = Z26

n ek(x) = (x+k) mod 26

n dk(x) = (x-k) mod 26 n Example:

n k = 3 is often called Caesar Cipher

n Alphabet encoding:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

CSG252 Classical Cryptography 5

Desired Properties of Cryptosystems

n Encryption and Decryption function can be efficiently computed n Given a ciphertext y, it should be —difficult“ for an opponent to identify the encryption key k, and the plaintext x

n How about the security of the shift cipher? n Example:

n Average time to identify the encryption key? n Conclusion about the key space?

CSG252 Classical Cryptography 6

2 Substitution Cipher

n Definition:

n P = C = Z26 n K: set of all possible permutations of the P

n eπ(x) = π(x)

n dπ(y) = ?

n Example: a b c d e f g h i j k l m n o p q r s t u v w x y z P Y F R Z A L V E M B Q H U C O S G W I N D T K J X

n Key Space: n |K| = ?

CSG252 Classical Cryptography 7

Affine Cipher

n Encryption function of the form:

n e(x) = (ax + b) mod 26

n Conditions on (a, b)?

n Examples:

n (a, b) = (2, 5)

n (a, b) = (3, 5)

CSG252 Classical Cryptography 8

Affine Cipher

n Theorem:

n The congruence ax ≡ b (mod m) has a unique ∈ solution x Zm iff gcd(a, m) = 1

n Definition:

n For a>1, m ≥ 2, if gcd(a, m) = 1 then a and m are said to be relatively prime (co-prime).

n The number of integers in Zm that are relatively prime to m is denoted by φ(m): Euler phi-function (a.k.a totient function).

CSG252 Classical Cryptography 9

3 Affine Cipher

n Theorem: e1 e2 … en φ e1 e1-1 en en-1 n If m = p1 p2 pn Ω (m) = (p1 - p1 )…(pn - pn )

where pi‘s are distinct primes and the ei‘s are strictly positive integers n Corollary:

n The key space of affine ciphers is: mφ(m)

n Definition: ∈ -1 -1 ∈ n For a Zm, we denote by a the multiplicative inverse of a s.t. a Zm and a a-1 ≡ a-1a ≡ 1 mod m

n Theorem:

n a has an inverse iff gcd(a, m) = 1

n If m is prime every element of Zm has an inverse and Zm is called a field

CSG252 Classical Cryptography 10

Affine Cipher

n Definition:

n P = C = Z26 ∈ n K = {(a, b) Z26xZ26 : gcd(a, 26) = 1} n For k = (a, b) ∈ K

n ek(x) = (ax+b) mod m

n dk(y) = ?

n Example:

n k = (7, 3)

CSG252 Classical Cryptography 11

Vigenère Cipher

n Monoalphabetic cryptosystems:

n For a given key: each alphabetic character is mapped to a unique alphabetic Character

n E.g., shift cipher, substitution cipher, affine cipher

n Polyalphabetic crypotosystems

n Vigenere cipher m n m: positive integer; P = C = K = (Z26)

n For k = (k1, k2, …, km):

n ek(x1, …, xm) = (x1+k1, …, xm+km)

n dk(y1, …, ym) = (y1-k1, …, ym-km) n Key space:

CSG252 Classical Cryptography 12

4 Hill Cipher

≥ m n m 2 positive integer; P = C = (Z26) n Idea: take m linear combinations of the m alphabetic characters of the plaintext n Example: ≈11 8’ k = ∆ ÷ « 3 7◊

n Condition?

CSG252 Classical Cryptography 13

Hill Cipher

n Definition: m n m: positive integer; P = C = (Z26)

n K = {m x m invertible matrices over Z26}

n ek(x) = xk -1 n dk(y) = yk

n k-1 = ?

n det k = ?

CSG252 Classical Cryptography 14

Permutation Cipher

n Definition: m n m: positive integer; P = C = (Z26) n K = {π: permutation of {1…m}}

n ek(x1, …, xm) = (xπ(1), …, xπ(m))

n dk(y1, …, ym) = (yπ−1 (1), …, yπ−1(m)) n Example:

n Permutation matrix and it‘s inverse

CSG252 Classical Cryptography 15

5 Stream Ciphers

n Block Ciphers: y = y1 y2 … = ek(x1) ek(x2) … n Stream Ciphers:

n Generate a Keystream: z = z1z2… n Encryption: y = y1 y2… = ez1(x1) ez2(x2) … n Synchronous Stream Cipher: n Keystream does not depend on the plaintext n Definition of Synchronous Stream Cipher n A tuple (P, C, K, L, E, D), and a function g s.t.:

n P (resp. C): finite set of possible plaintexts (resp. ciphertexts)

n K: keyspace (finite set of possible keys)

n L: finite set called keystream alphabet ∈ n g: keystream generator s.t. g(k) = z1z2 … where zi L ∀ ∈ ∃ ∈ ∈ ° n z L ez E, dz D s.t. dz ez = Id n Example: Vigenere Cipher as a synchronous stream cipher

CSG252 Classical Cryptography 16

Stream Ciphers (Cont.)

n Periodic Stream Cipher with period d iff: ∀ ≥ n i 1 zi+d = zi n Example:

n Vigenere Cipher with keyword length m is a periodic stream cipher with period m

n Stream ciphers usually have L = Z2:

n ez(x) = (x+z) mod 2

n dz(x) = ?

CSG252 Classical Cryptography 17

Stream Ciphers: LFSR

n Linear Feedback Shift Register (LFSR) can generate a synchronous linear keystream: m−1 = n zi+m ƒc j zi+ j j=0 ∈ n cj Z2, and initializing the registers with k1, k2, km n Properties: n Linearity (linear combination of previous terms) n Degree m (depends only on the previous m terms)

n c0 = 1 n Key is: (k1, k2, …, km, c0, c1, …, cm-1) n (k1, k2, …, km) should be different from (0, 0, …, 0) ≠ n If (c0, c1, …, cm-1) is carefully chosen and (k1, k2, …, km) 0 then the period of the keystream is 2m-1

n Example: m=4, (c0, c1, c2, c3) = (1, 1, 0, 0) n Advantages of LFSR: easy to implement in HW,

CSG252 Classical Cryptography 18

6 Non-Synchronous Stream Cipher

n Example: Autokey Cipher

n P = C = K = L = Z26

n z1 = k; zi = xi-1 (for all i > 1)

n ez(x) = (x+z) mod 26

n dz(y) = (y-z) mod 26

n Drawback?

CSG252 Classical Cryptography 19

Cryptanalysis

n Kerckhoffs‘ Principle: n The opponent knows the cryptosystem being used (no security through obscurity) n Definition of attack models: n Ciphertext only attack

n Known plaintext attack n Chosen plaintext attack

n Chosen ciphertext attack n Objective of the opponent:

n Identify the secret key

CSG252 Classical Cryptography 20

Statistical Cryptanalysis

n Context:

n Cipher-text only attack

n Plaintext ordinary English (no punctuation, space)

n Letters‘ probabilities (Beker and Piper):

n A: 0.082, B: 0.015, C: 0.028, …

n E: 0.120; T, A, O, I, N, S, H, R: [0.06, 0.09]; D, L: 0.04; C, U, M, W, F, G, Y, P, B: [0.015, 0.028]

n V, K, J, X, Q, Z: < [0.01]

n 30 most common digrams: TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI, OF

n 12 most common trigrams: THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH

CSG252 Classical Cryptography 21

7 Cryptanalysis of the Affine Cipher

n Example: n Ciphertext (57 characters)= FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRK DLYEVLRHHRH n Occurences: n R:8; D:7; E, H, K:5, F, S, V:4 n First guess: R: e; D: t n 4a + b = 17; 19a + b = 3 Ω (a, b) = (6, 19) but gcd(a, 26) = 2 > 1 illegal! n Second guess: R: e; E: t Ω a=13 illegal! n Third guess: R: e; H: t Ω illegal! n Fourth guess: R:e; K: t Ω (a, b) = (3, 5) n Results in plaintext = algorithmsarequitegeneraldefinitionsofarithmeticprocesses

CSG252 Classical Cryptography 22

Cryptanalysis of the Substitution Cipher

n Identify possible encryption of e (most common letter)

n t, a, o, i, n, s, h, r: will probably be difficult to differentiate

n Identify possible digrams starting/finishing with e: -e and e-

n Use trigrams

CSG252 Classical Cryptography 23

Cryptanalysis of the Vigenère Cipher

n First step: identify the keyword length (m)

n Kasiski test [Kasiski 1863, Babbage 1854]:

n Observation:

n two identical segments of plaintext are encrypted to the same ciphertext if they are δ positions apart s.t. δ = 0 mod m

n Test:

n Find all identical segments of length > 3 and record the δ δ distance between them: 1, 2, ... δ δ n m divides gcd( 1, 2, ... )

CSG252 Classical Cryptography 24

8 Index of Coincidence to Find keyword Length

n Index of coincidence:

n x = x1x2 … xn; Ic(x) is the probability that two random elements of x are identical n Let f0, f1, …, f26 be the number of occurrences of A, B, …, Z in the string x 25 ≈ f ’ 25 ∆ i ÷ − ƒ∆ ÷ ƒ fi ( fi 1) i=0 « 2 ◊ i=0 n I (x) = = c ≈n’ n(n −1) ∆ ÷ «2◊ n If x is a string of English text:

25 n For a mono-alphabetic cipher I (x) is unchanged ≈ 2 = c Ic (x) ƒ pi 0.065 i=0 n Try m = 1, 2, …

n Decompose y in substrings: y1ym+1y2m+1…; y2ym+2y2m+2…; … n If for all substrings: Ic is close to 0.065 then m might be the length ≈ 2 n If wrong m, then Ic 26 / 26 = 0.038

CSG252 Classical Cryptography 25

Cryptanalysis of the Vigenère Cipher (Cont.)

n Given the keyword length, each substring:

n Length: n‘=n/m

n Encrypted by a shift: k

n Probability distribution of letters: f0/n‘, f1/n‘, …, f25/n‘ n Therefore:

n fk/n‘, fk+1/n‘, …, fk+25/n‘ should be close to p0, …, p25

25 = n Let: M g ƒ p0 f g +i i=0 ≈ n If g = k, Mg 0.065 ≠ n If g k, Mg significantly smaller then 0.065

CSG252 Classical Cryptography 26

Cryptanalysis of the Hill Cipher

n More difficult to break with cipher-text only n Easy with known plaintext n Goal: Find secret Matrix K n Assumption: n Known: m n Known: m distinct plaintext-ciphertext pairs:

n (xi, yi = e(xi)) n xi = (x1i, …, xmi); yi = (y1i, …, ymi) : yi = xi K n Define: Y s.t. rows are yi (similarly X) n Y = XK n If X is invertible Ω K = X-1Y n What if X is not invertible?

CSG252 Classical Cryptography 27

9 Cryptanalysis of the Hill Cipher

n Example: n m = 2; n Plaintext: friday n Ciphertext: PQCFKU

≈5 17’ ≈15 16’ X = ∆ ÷;Y = ∆ ÷ «8 3 ◊ « 2 5 ◊

−1 ≈9 1 ’≈15 16’ K = X Y = ∆ ÷∆ ÷ «2 15◊« 2 5 ◊ ≈7 19’ K = ∆ ÷ «8 3 ◊

n Can be verified using the third plaintext-ciphertext pair

CSG252 Classical Cryptography 28

Cryptanalysis of the LFSR Stream Cipher

n Known-plaintext attack with known m

n Given: x1, …, xn and y1, …, yn

n Need to compute c0, …, cm-1

n x1, …, xn and y1, …, yn allow us to compute z1, …, zn

n If n ≥ 2m we can obtain m linear equations with m

unknowns using: m−1 = zi+m ƒc j zi+ j j=0

CSG252 Classical Cryptography 29

10