Overview Menu Jefferson Wheel Cipher What Is Cryptology?

Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Overview Class 1: 1. Introduction, Pre-WWII cryptology 2. Lorenz Cipher (Fish) Introduction – Used by Nazis for high command messages and – First programmable electronic computer built Cryptography to break it 3. Enigma Cipher before – Used by German Navy, Army, Air Force World War II – Broken by team including Alan Turing 4. Post-WWII – Modern symmetric ciphers – Public-Key Cryptography Bletchley Park, Summer 2004

http://www.cs.virginia.edu/jillcrypto JILL WWII Crypto Spring 2006 - Class 1: Introduction 2

Menu Jefferson Wheel Cipher • Introduction to Cryptology – Terminology – Principles – Brief history of 4000 years of Cryptology • Cryptology before World War II – A simple substitution cipher – [Break] – Breaking substitution cipher – Vigenère Cipher

JILL WWII Crypto Spring 2006 - Class 1: Introduction 3 JILL WWII Crypto Spring 2006 - Class 1: Introduction 4

What is cryptology? Cryptology and Security • Greek: “krypto” = hide Cryptology is a branch of • Cryptology – science of hiding – Cryptography, Cryptanalysis – hide meaning of a mathematics . message – Steganography, Steganalysis – hide existence of a message Security is about people . • Cryptography – secret writing • Cryptanalysis – analyzing (breaking) secrets Cryptanalysis is what attacker does Attackers try find the weakest link. In Decipher or Decryption is what legitimate receiver most cases, this is not the mathematics. does

JILL WWII Crypto Spring 2006 - Class 1: Introduction 5 JILL WWII Crypto Spring 2006 - Class 1: Introduction 6

1 Introductions Introductions

Insecure Channel Insecure Channel Ciphertext Ciphertext Plaintext Encrypt Decrypt Plaintext Plaintext Encrypt Decrypt Plaintext

Eve Alice Alice (passive attacker) Bob Malice Bob (active attacker)

JILL WWII Crypto Spring 2006 - Class 1: Introduction 7 JILL WWII Crypto Spring 2006 - Class 1: Introduction 8

Cryptosystem Ciphertext = E(Plaintext) “The enemy knows the Required property: E must be invertible system being used.” Plaintext = D(Ciphertext)

Desired properties: Claude Shannon Without knowing D must be “hard” to invert E and D should be easy to compute Possible to have lots of different E and D

JILL WWII Crypto Spring 2006 - Class 1: Introduction 9 JILL WWII Crypto Spring 2006 - Class 1: Introduction 10

Kerckhoff’s Principle http://monticello.org/jefferson/wheel • French handbook of military cryptography, 1883 • Cryptography always involves:

– Transformation cipher/ – Secret • Security should depend only on the key • Don’t assume enemy won’t know algorithm – Can capture machines, find patents, etc. – Too expensive to invent new algorithm if it might have been compromised Axis powers often forgot this

JILL WWII Crypto Spring 2006 - Class 1: Introduction 11 JILL WWII Crypto Spring 2006 - Class 1: Introduction 12

2 Really Brief History Symmetric Cryptosystem First 4000 years Ciphertext = E (K, Message ) Message = D (K, Ciphertext ) Vigenère Desired properties: Babbage breaks Vigenère; 1.Kerckhoff’s: secrecy depends only on K Kasiski (1863) publishes Cryptographers 2.Without knowing K must be “hard” to invert Alberti – first polyalphabetic cipher 3.Easy to compute E and D monoalphabetics

Cryptanalysts All cryptosystems until 1970s were like this. al-Kindi - frequency analysis Asymmetric cryptosystems allow encryption and 3000BC decryption keys to be different. 900 1460 1854

JILL WWII Crypto Spring 2006 - Class 1: Introduction 13 JILL WWII Crypto Spring 2006 - Class 1: Introduction 14

Really Brief History - last 100+ years Themes

Mauborgne – one-time pad Quantum Crypto • Arms race: cryptographers vs. cryptanalysts ? – Often disconnect between two (e.g., Mary Queen of Linear, Differential Cryptanalysis Scots uses monoalphabetic cipher long after known Feistel block cipher, DES Enigma adds rotors, stops repeated key breakable) Turing’s loop attacks, Public-Key Colossus 1978 • Motivated by war (more recently: commerce) Rejewski repeated • Driven by advances in technology, message-key attack Cryptanalysts mathematics

Mechanical ciphers - Enigma – Linguists, classicists, mathematicians, computer Cryptographers scientists, physicists • Secrecy often means advances rediscovered 1854 1918 1939 1945 1973 and mis-credited 1895 – Invention of Radio

JILL WWII Crypto Spring 2006 - Class 1: Introduction 15 JILL WWII Crypto Spring 2006 - Class 1: Introduction 16

Types of Attacks Security vs. Pragmatics • Ciphertext-only - How much Ciphertext? • Trade-off between security and effort • Known Plaintext - often “Guessed Plaintext” – Time to encrypt, cost and size of equipment, key sizes, change frequency • Chosen Plaintext (get ciphertext) – One-time pad (1918) offers theoretically – Not as uncommon as it sounds! “perfect” security, but unacceptable cost • Chosen Ciphertext (get plaintext) • Compromises lead to insecurity (class 2) • Dumpster Diving • Commerce • Social Engineering – Don’t spend $10M to protect $1M – Don’t protect $1B with encryption that can be • “Rubber-hose cryptanalysis” broken for $1M – Cryptanalyst uses threats, blackmail, torture, • Military bribery to get the key – Values (and attacker resources) much harder to measure

JILL WWII Crypto Spring 2006 - Class 1: Introduction 17 JILL WWII Crypto Spring 2006 - Class 1: Introduction 18

3 Simple Substitution Cipher Key Space

• Substitute each letter based on • Number of possible keys mapping 26 (ways to choose what a maps to) • Key is alphabet mapping: * 25 (b can map to anything else) a → J, b → L, c → B, d → R, ..., z → F * 24 (c can map to anything else) … * 1 (only one choice left for z) • How secure is this cipher? = 26! = 403291461126605635584000000

If every person on earth tried one per second, it would take 5B years to try them all.

JILL WWII Crypto Spring 2006 - Class 1: Introduction 19 JILL WWII Crypto Spring 2006 - Class 1: Introduction 20

Really Secure? Monoalphabetic Cipher

• Key space gives the upper bound – Worst possible approach for the “XBW HGQW XS ACFPSUWG FWPGWXF cryptanalyst is to try all possible keys CF AWWKZV CDQGJCDWA CD BHYJD DJXHGW; WUWD XBW ZWJFX • Clever attacker may find better PHGCSHF YCDA CF GSHFWA LV XBW approach: KGSYCFW SI FBJGCDQ RDSOZWAQW – Eliminate lots of possible keys quickly OCXBBWZA IGSY SXBWGF.” – Find patters in ciphertext – Find way to test keys incrementally

JILL WWII Crypto Spring 2006 - Class 1: Introduction 21 JILL WWII Crypto Spring 2006 - Class 1: Introduction 22

Frequency Analysis Pattern Analysis

“XBW HGQW XS ACFPSUWG FWPGWXF CF “XBe HGQe XS ACFPSUeG FePGeXF CF AWWKZV CDQGJCDWA CD BHYJD DJXHGW; AeeKZV CDQGJCDeA CD BHYJD DJXHGe; WUWD XBW ZWJFX PHGCSHF YCDA CF eUeD XBe ZeJFX PHGCSHF YCDA CF GSHFWA LV XBW KGSYCFW SI FBJGCDQ GSHFeA LV XBe KGSYCFe SI FBJGCDQ RDSOZWAQW OCXBBWZA IGSY SXBWGF.” RDSOZeAQe OCXBBeZA IGSY SXBeGF.”

W: 20 “Normal” English: XBe = “the” C: 11 e 12% Most common trigrams in English: F: 11 t 9% the = 6.4% G: 11 a 8% and = 3.4%

JILL WWII Crypto Spring 2006 - Class 1: Introduction 23 JILL WWII Crypto Spring 2006 - Class 1: Introduction 24

4 Guessing Guessing

“the HGQe tS ACFPSUeG FePGetF CF “the HGQe to ACFPoUeG FePGetF CF AeeKZV CDQGJCDeA CD hHYJD DJtHGe; AeeKZV CDQGJCDeA CD hHYJD DJtHGe; eUeD the ZeJFt PHGCSHF YCDA CF eUeD the ZeJFt PHGCoHF YCDA CF GSHFeA LV the KGSYCFe SI FhJGCDQ GoHFeA LV the KGoYCFe oI FhJGCDQ RDSOZeAQe OCthheZA IGSY StheGF.” RDoOZeAQe OCthheZA IGoY otheGF.”

otheGF = “others” S = “o”

JILL WWII Crypto Spring 2006 - Class 1: Introduction 25 JILL WWII Crypto Spring 2006 - Class 1: Introduction 26

Guessing Guessing

“the HrQe to ACsPoUer sePrets Cs “the HrQe to ACscoUer secrets Cs AeeKZV CDQrJCDeA CD hHYJD DJtHre; AeeKZV CDQrJCDeA CD hHYJD DJtHre; eUeD the ZeJst PHrCoHs YCDA Cs eUeD the ZeJst cHrCoHs YCDA Cs roHseA LV the KroYCse oI shJrCDQ roHseA LV the KroYCse oI shJrCDQ RDoOZeAQe OCthheZA IroY others.” RDoOZeAQe OCthheZA IroY others.”

“sePrets” = “secrets” “ACscoUer” = “discover”

JILL WWII Crypto Spring 2006 - Class 1: Introduction 27 JILL WWII Crypto Spring 2006 - Class 1: Introduction 28

Guessing Monoalphabetic Cipher

“the HrQe to discover secrets is “The urge to discover secrets is deeply deeKZV iDQrJiDed iD hHYJD DJtHre; eveD the ZeJst cHrioHs YiDd is ingrained in human nature; even the roHsed LV the KroYise oI shJriDQ least curious mind is roused by the RDoOZedQe OithheZd IroY others.” promise of sharing knowledge withheld from others.” - John Chadwick, The Decipherment of Linear B

JILL WWII Crypto Spring 2006 - Class 1: Introduction 29 JILL WWII Crypto Spring 2006 - Class 1: Introduction 30

5 Why was it so easy? How to make it harder? • Doesn’t hide statistical properties of • Cosmetic plaintext • Hide statistical properties: • Doesn’t hide relationships in plaintext – Encrypt “e” with 12 different symbols, “t” with 9 different symbols, etc. (EE cannot match dg) – Add nulls, remove spaces • English (and all natural languages) is • Polyalphbetic cipher very redundant: about 1.5 bits of information per letter (~68% f ltrs r – Use different substitutions redndnt) • Transposition – Compress English with gzip – about 1:6 – Scramble order of letters

JILL WWII Crypto Spring 2006 - Class 1: Introduction 31 JILL WWII Crypto Spring 2006 - Class 1: Introduction 32

Ways to Convince Vigenère • “I tried really hard to break my cipher, but couldn’t. I’m a genius, so I’m sure no one else can break it either.” • Invented by Blaise de Vigenère, • “Lots of really smart people tried to break it, and ~1550 couldn’t.” • Considered unbreakable for 300 • Mathematical arguments – key size (dangerous!), years statistical properties of ciphertext, depends on some provably (or believed) hard problem • Broken by Charles Babbage but kept • Invulnerability to known cryptanalysis techniques secret to help British in Crimean War (but what about undiscovered techniques?) • Attack discovered independently by Friedrich Kasiski, 1863.

JILL WWII Crypto Spring 2006 - Class 1: Introduction 33 JILL WWII Crypto Spring 2006 - Class 1: Introduction 34

Vigenère Encryption 12345678901234567890123456789012345678901234567890123456 Plain: ThebiggerboysmadeciphersbutifIgotholdofafewwordsIusually Key: KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKE Key is a N-letter string. Cipher: DLCLMEQIPLSWCQYNIASTFOVQLYRSJGQSRRSJNSDKJCGAMBHQSYQEEJVC

EK (P) = C where 7890123456789012345678901234567890123456789012345678901234 C = (P + K ) mod Z Plain: foundoutthekeyTheconsequenceofthisingenuitywasoccasionally i i i mod N Key: YKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEY (size of alphabet) Cipher: DYYLNSSD XFO OCI XFO GMXWCAYCXGCYJRRMQSREORSSXWGEQYGAKWGYRYVPW E (“test”) = DIQD 5678901234567890123456789012345678901234567890123456789 “KEY” Plain: painfultheownersofthedetectedcipherssometimesthrashedme C = (‘t’ + ‘K’) mod 26 = ‘D’ Key: KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYK 0 Cipher: ZEGXJSV XFO SUXIPCSDDLCNIROGROHASTFOVQCSKOXGWIQDLPKWFOHKO C1 = (‘e’ + ‘E’) mod 26 = ‘I’ 012345678901234567890123456789012345 Charles Babbage thoughthefaultlayintheirownstupidity C2 = (‘s’ + ‘Y’) mod 26 = ‘Q’ Plain: Key: YKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKE (quoted in Simon XFO C3 = (‘t’ + ‘K’) mod 26 = ‘D’ Cipher: XFYYER JYEPRVEWSRRRIGBSUXWRETGNMRI Singh, The Code Book )

JILL WWII Crypto Spring 2006 - Class 1: Introduction 35 JILL WWII Crypto Spring 2006 - Class 1: Introduction 36

6 Babbage’s Attack Key length - Frequency

• Use repetition to guess key length: • Once you know key length, can slice Sequence XFO appears at 65, 71, ciphertext and use frequencies: 122, 176. L0: DLQLCNSOLSQRNKGBSEVYNDOIOXAXYRSOSGYKY Spacings = (71 – 65) = 6 = 3 * 2 VZXVOXCDNOOSOCOWDKOOYROEVSRBXENI (122 – 65) = 57 = 3 * 19 Frequencies: O: 12, S: 7, Guess O = e (176 – 122) = 54 = 3 * 18 Ci = (P i + Ki mod N) mod Z Key is probably 3 letters long. ‘O’ = (‘e’ + K0) mod 26 14 = 5 + 9 => K0 = ‘K’

JILL WWII Crypto Spring 2006 - Class 1: Introduction 37 JILL WWII Crypto Spring 2006 - Class 1: Introduction 38

Sometimes, not so lucky... Vigenère Simplification

L1: LMISQITVYJSSSJAHYECYSXOXGWYGJMRRXEGWRPEJXSI SLIGHTVSXILWHXYXJPERISWTM • Use binary alphabet {0, 1}: S: 9, X: 7; I: 6 guess S = ‘e’ Ci = (P i + Ki mod N) mod 2 ‘S’ = (‘e’ + K ) mod 26 ⊕ 1 Ci = P i Ki mod N 19 = 5 + 14 => K1 = ‘N’ • Use a key as long as P: ‘X’ = (‘e’ + K ) mod 26 ⊕ 1 Ci = P i Ki 24 = 5 + 19 => K1 = ‘M’ • One-time pad – perfect cipher! ‘I’ = (‘e’ + K1) mod 26

10 = 5 + 5 => K1 = ‘E’

JILL WWII Crypto Spring 2006 - Class 1: Introduction 39 JILL WWII Crypto Spring 2006 - Class 1: Introduction 40

Perfectly Secure Cipher: Why perfectly secure? One-Time Pad • Mauborgne/Vernam [1917] For any given ciphertext, all • XOR ( ⊕): plaintexts are equally possible. 0 ⊕ 0 = 0 1 ⊕ 0 = 1 01001 0 ⊕ 1 = 1 1 ⊕ 1 = 0 Ciphertext: Key1: 01001 ⊕ a a = 0 Plaintext1: 00000 a ⊕ 0 = a a ⊕ b ⊕ b = a Key2: 10110 • E(P, K) = P ⊕ K Plaintext2: 11111 D(C, K) = C ⊕ K = (P ⊕ K) ⊕ K = P

JILL WWII Crypto Spring 2006 - Class 1: Introduction 41 JILL WWII Crypto Spring 2006 - Class 1: Introduction 42

7 Next week: Perfect Security Solved? “One-Time” Pads in

• Cannot reuse K Practice – What if receiver has • Lorenz Machine ⊕ ⊕ C1 = P 1 K and C2 = P 2 K • Nazi high command ⊕ ⊕ ⊕ ⊕ C1 C2 = P 1 K P2 K in WWII ⊕ = P 1 P2 – Operator errors: • Need to generate truly random bit reused key sequence as long as all messages • Pad generated by 12 • Need to securely distribute key rotors – Not really random

JILL WWII Crypto Spring 2006 - Class 1: Introduction 43 JILL WWII Crypto Spring 2006 - Class 1: Introduction 44

Public Lecture Tonight • David Goldschmidt, “Communications Security: A Case History” – Director of Center for Communications Research, Princeton – Enigma and how it was broken • 7:30pm Tonight • UVa Physics Building, Room 203 We will cover some of the same material in the third class.

JILL WWII Crypto Spring 2006 - Class 1: Introduction 45