
Generalising shift ciphers

Affine ciphers: for $M = C = \mathbb{Z}_n$, define
• $c = E_k(m) = (a \cdot m + b) \bmod n$
• $m = D_k(c) = (a' \cdot c + b') \bmod n$
where $k$ is $\langle a, b \rangle$ and $\langle a', b' \rangle$, respectively.

Example: In $\mathbb{Z}_{26}$,
• $E_{3,11}$(“h”) = “G” since $(3 \cdot 7 + 11) \bmod 26 = (21 + 11) \bmod 26 = 32 \bmod 26 = 6$
• $D_{9,5}$(“G”) = “h” since $(9 \cdot 6 + 5) \bmod 26 = (54 + 5) \bmod 26 = 59 \bmod 26 = 7$

Exercise: is this a proper crypto system? Give the 5-tuple. Hint: consider the keys $\langle 2, 1 \rangle$ or $\langle 4, 7 \rangle$

Affine cipher keys

Not all keys in $\mathbb{Z}_n \times \mathbb{Z}_n$ are usable: Must choose $k$ such that $E_k$ is injective (reversible).

Example: $\langle 2, 1 \rangle$ is not a good key in $\mathbb{Z}_{26}$:
• $(2 \cdot 13 + 1) \bmod 26 = 1$
• $(2 \cdot 0 + 1) \bmod 26 = 1$
Can’t decrypt the ciphertext 1!

So which keys work?


Modular arithmetic: repetition

$a \equiv b \bmod n$ if $a - b = k \cdot n$ for some $k$ (integers)
• e.g. $17 \equiv 7 \bmod 5$

Write $a \bmod n = r$ if $a = n \cdot k + r$ ($r$ is the (positive) residue of $a/n$)

$a \bmod n = r$ implies $a \equiv r \bmod n$

Let $\odot$ be an operation $+, -, \cdot$. Then
$(a \odot b) \bmod n = ((a \bmod n) \odot (b \bmod n)) \bmod n$
and thus $(\mathbb{Z}_n, \{+, -, \cdot\})$ is a commutative ring with the usual commutative, associative, distributive laws. (Note: no division.)

Modular arithmetic: repetition (cont)

$x$ is the multiplicative inverse of $a$ modulo $n$, written $a^{-1}$, if $a \cdot x \equiv 1 \bmod n$.
• e.g. $3 \cdot 5 \equiv 1 \bmod 14$, so $3^{-1}$ is $5 \bmod 14$.
• only exists if $\gcd(a, n) = 1$, and is then unique mod $n$.

The reduced set of residues modulo $n$, written $\mathbb{Z}_n^*$, is $\{x \in \mathbb{Z}_n - \{0\} : \gcd(x, n) = 1\}$, (i.e. the relatively prime numbers).

Euler’s totient function $\varphi(n)$ is the cardinality of $\mathbb{Z}_n^*$.
• e.g. $\mathbb{Z}_{24}^* = \{1, 5, 7, 11, 13, 17, 19, 23\}$ (note: not 3), and thus $\varphi(24) = 8$.

Back to Affine ciphers

To choose a key s.t. $E_k$ is injective, $am + b \equiv c \bmod n$, i.e. $am \equiv c - b \bmod n$ must have one solution for each $m$.
• if $\gcd(a, n) > 1$, then e.g. $am \equiv 0 \bmod n$ has two solutions $m = 0$ and $m = n / \gcd(a, n)$ (e.g. $\gcd(4, 26) = 2$, solution $m = 13$)
• if $\gcd(a, n) = 1$, then suppose there are two solutions $d$ and $d'$: then
  • $ad \equiv ad' \bmod n$, so $a(d - d') \equiv 0 \bmod n$ so $n \mid a(d - d')$,
  • since $\gcd(a, n) = 1$, then $n \mid (d - d')$ and $d \equiv d' \bmod n$,
  • thus the solution is unique! (modulo $n$)

Affine cipher keys

How many keys are usable for an affine cipher?
• As $x$ varies over $\mathbb{Z}_n$ and $\gcd(a, n) = 1$, $(ax + b) \bmod n$ will have $n$ different values, so $ax \equiv b \bmod n$ has a unique solution for every value of $b$
• The number of values of $a$ s.t. $\gcd(a, n) = 1$ is $\varphi(n)$ (by def)

So the number of keys $\langle a, b \rangle$ of an affine cipher is $n \cdot \varphi(n)$.

Example: an affine cipher on $\mathbb{Z}_{26}$ has $26 \cdot 12 = 312$ keys.

Note: one is not useful: $\langle 1, 0 \rangle$.


Affine cipher decryption

So which are the decryption keys?

Note that since $\gcd(a, n) = 1$, there is a multiplicative inverse $a^{-1}$ (mod $n$).

$c = am + b \bmod n$ (by def of encryption)
$am + b \equiv c \bmod n$, i.e.
$am \equiv c - b \bmod n$
$a^{-1}am \equiv a^{-1}(c - b) \bmod n$
$1m \equiv a^{-1}c - a^{-1}b \bmod n$

So given an encryption key $\langle a, b \rangle$ the decryption key is $\langle a^{-1}, -a^{-1}b \rangle$.

Example: In $\mathbb{Z}_{26}$, the encryption key $\langle 3, 11 \rangle$ has the decryption key $\langle 9, 5 \rangle$ since $3^{-1} = 9$ and $-(9 \cdot 11) = -99 \equiv 5 \bmod 26$.

Later: how to compute multiplicative inverses.

[…] of affine ciphers

How can we break affine ciphers?

Chosen plaintext: Find $a$ and $b$ easily by $E_k(0) = b$ and $E_k(1) = a + b \bmod n$.

Known plaintext: given plaintexts $x, y$ and corresponding ciphertexts, $E_k(x) - E_k(y) = (a \cdot (x - y)) \bmod n$; if $x - y$ has an inverse mod $n$, then
$a = (x - y)^{-1}(E_k(x) - E_k(y)) \bmod n$, and
$b = (E_k(x) - a \cdot x) \bmod n$.

Ciphertext only: frequency analysis.
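The key check, the decryption key ⟨a⁻¹, −a⁻¹b⟩ and the known-plaintext recovery of a and b described in these slides, as an added Python example that is not part of the original slides. The function names and the convention of lowercase a..z plaintext and uppercase ciphertext are assumptions of this example.

```python
from math import gcd

N = 26  # alphabet size: Z_26, as in the slides' examples

def inverse(a, n=N):
    """a^-1 mod n; exists only if gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no inverse mod {n}")
    return pow(a, -1, n)  # modular inverse, Python 3.8+

def encrypt(key, text, n=N):
    """E_k(m) = (a*m + b) mod n on lowercase a..z; output is uppercase."""
    a, b = key
    if gcd(a, n) != 1:  # E_k would not be injective, e.g. <2, 1>
        raise ValueError(f"unusable key <{a}, {b}>: gcd({a}, {n}) > 1")
    return "".join(chr((a * (ord(ch) - 97) + b) % n + 65) for ch in text)

def decryption_key(key, n=N):
    """<a, b> -> <a^-1, -a^-1 * b>."""
    a, b = key
    a_inv = inverse(a, n)
    return a_inv, (-a_inv * b) % n

def decrypt(dkey, cipher, n=N):
    """D_k(c) = (a'*c + b') mod n on uppercase A..Z; output is lowercase."""
    a2, b2 = dkey
    return "".join(chr((a2 * (ord(ch) - 65) + b2) % n + 97) for ch in cipher)

def recover_key(x, y, cx, cy, n=N):
    """Known plaintext: residues x, y with ciphertext residues cx, cy.
    Raises ValueError when x - y has no inverse mod n (pick another pair)."""
    a = inverse((x - y) % n, n) * (cx - cy) % n
    b = (cx - a * x) % n
    return a, b

def usable_keys(n=N):
    """All <a, b> with gcd(a, n) = 1: n * phi(n) of them."""
    return [(a, b) for a in range(n) if gcd(a, n) == 1 for b in range(n)]

if __name__ == "__main__":
    key = (3, 11)
    c = encrypt(key, "thisisnotarose")  # constructed sample plaintext
    print(c, decryption_key(key), decrypt(decryption_key(key), c))
    # "h" = 7 and "i" = 8 encrypt to c[1] and c[2]
    print(recover_key(7, 8, ord(c[1]) - 65, ord(c[2]) - 65))
    print(len(usable_keys()))
```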

Transposition ciphers

Railfence:

t       i       t       s
  h   s   s   o   a   o   e
    i       n       r

Cipher: TITSHSSOAOEINR

Columnar transposition:

Key:   3 1 4 2
Plain: t h i s
       i s n o
       t a r o
       s e f w

Cipher: HSAESOOWTITSINRF

Breaking: by digram/trigram analysis.

Strengthening ciphers

Try combining several keys: product ciphers
• $c = E_{k_n}(E_{k_{n-1}}(\cdots(E_{k_1}(m))\cdots)) = E'_k(m)$
• $m = D_{k_1}(D_{k_2}(\cdots(D_{k_n}(c))\cdots)) = D'_k(c)$

If $E'_k = E_{k'}$ for some single $k'$, the cipher is idempotent. Example: shift cipher.

Exercise: is an affine cipher also idempotent?
Yes: $E_{a,b} \circ E_{c,d} = E_{ac,\,ad+b}$

Two crypto systems $S_1$ and $S_2$ commute if $S_1 S_2 = S_2 S_1$, i.e. $E^2_{k_2}(E^1_{k_1}(m)) = E^1_{k_1}(E^2_{k_2}(m))$

A crypto system $S$ is idempotent if $S = SS$

A function $f$ is an involution if $f(f(x)) = x$.


Product ciphers

If $S_1$ and $S_2$ are idempotent and commute, then their product is also idempotent.
• i.e. no strength is won
• e.g. shift ciphers

So for a product cipher to increase cryptographic strength, its parts must not be idempotent. But if they are not, strength can be gained!

Note: while involution ciphers are very undesirable, the composition of two involutions is not necessarily an involution.

Uses: coming up next.
