ECE 646 - Lecture 6
Historical Ciphers
Required Reading
• W. Stallings, Cryptography and Network Security,
Chapter 2, Classical Encryption Techniques
• A. Menezes et al., Handbook of Applied Cryptography,
Chapter 7.3 Classical ciphers and historical development
1 Why (not) to study historical ciphers?
AGAINST FOR
Not similar to Basic components became modern ciphers a part of modern ciphers Under special circumstances Long abandoned modern ciphers can be reduced to historical ciphers Influence on world events The only ciphers you can break!
Secret Writing
Steganography Cryptography (hidden messages) (encrypted messages)
Substitution Transposition Transformations Ciphers (change the order of letters) Codes Substitution Ciphers (replace words) (replace letters)
2 Selected world events affected by cryptology
1586 - trial of Mary Queen of Scots - substitution cipher
1917 - Zimmermann telegram, America enters World War I
1939-1945 Battle of England, Battle of Atlantic, D-day - ENIGMA machine cipher
1944 – world’s first computer, Colossus - German Lorenz machine cipher
1950s – operation Venona – breaking ciphers of soviet spies stealing secrets of the U.S. atomic bomb – one-time pad
Mary, Queen of Scots
• Scottish Queen, a cousin of Elisabeth I of England • Forced to flee Scotland by uprising against her and her husband • Treated as a candidate to the throne of England by many British Catholics unhappy about a reign of Elisabeth I, a Protestant • Imprisoned by Elisabeth for 19 years • Involved in several plots to assassinate Elisabeth • Put on trial for treason by a court of about 40 noblemen, including Catholics, after being implicated in the Babington Plot by her own letters sent from prison to her co-conspirators in the encrypted form
3 Mary, Queen of Scots – cont.
• cipher used for encryption was broken by codebreakers of Elisabeth I • it was so called nomenclator – mixture of a code and a substitution cipher • Mary was sentenced to death for treachery and executed in 1587 at the age of 44
Zimmermann Telegram
• sent on January 16, 1917 from the Foreign Secretary of the German Empire, Arthur Zimmermann, to the German ambassador in Washington • instructed the ambassador to approach the Mexican government with a proposal for military alliance against the U.S. • offered Mexico generous material aid to be used to reclaim a part of territories lost during the Mexican-American War of 1846-1848, specifically Texas, New Mexico, and Arizona • sent using a telegram cable that touched British soil • encrypted with cipher 0075, which British codebreakers had partly broken • intercepted and decrypted
4 Zimmermann Telegram
• British foreign minister passed the ciphertext, the message in German, and the English translation to the American Secretary of State, and he has shown it to the President Woodrow Wilson • A version released to the press was that the decrypted message was stolen from the German embassy in Mexico • After publishing in press, initially believed to be a forgery • On February 1, Germany had resumed "unrestricted" submarine warfare, which caused many civilian deaths, including American passengers on British ships • On March 3, 1917 and later on March 29, 1917, Arthur Zimmermann was quoted saying "I cannot deny it. It is true.� • On April 2, 1917, President Wilson asked Congress to declare war on Germany. On April 6, 1917, Congress complied, bringing the United States into World War I.
5 1996 (2nd ed) 1999
Ciphers used predominantly in the given period(1)
Cryptography Cryptanalysis
100 B.C. Shift ciphers
Frequency analysis al-Kindi, Baghdad IX c. Monoalphabetic substitution cipher
1586 Invention of the Vigenère Cipher Black chambers XVIII c. Homophonic ciphers
Vigenère cipher Kasiski�s method 1863 (Simple polyalphabetic substitution ciphers) 1919 Invention of rotor machines Index of coincidence 1918 William Friedman Electromechanical machine ciphers (Complex polyalphabetic substitution ciphers) 1926 Vernam cipher (one-time pad)
6 Ciphers used predominantly in the given period(2)
Cryptography Cryptanalysis
Reconstructing ENIGMA 1932 Rejewski, Poland Polish cryptological bombs, and perforated sheets 1949 Shennon�s theory 1939 of secret systems one-time pad British cryptological Stream Ciphers bombs, Bletchley Park, UK 1945 S-P networks Breaking Japanese �Purple� cipher 1977 Publication of DES 1977 DES
Triple DES 1990 DES crackers 2001 2001 AES
Substitution Ciphers (1) 1. Monalphabetic (simple) substitution cipher
M = m1 m2 m3 m4 . . . . mN C = f(m1) f(m2) f(m3) f(m4) . . . . f(mN)
Generally f is a random permutation, e.g.,
a b c d e f g h i j k l m n o p q r s t u v w x y z f = s l t a v m c e r u b q p d f k h w y g x z j n i o
Key = f Number of keys = 26! » 4 × 1026
7 Monalphabetic substitution ciphers Simplifications (1) A. Caesar Cipher
ci = f(mi) = mi + 3 mod 26 -1 mi = f (ci) = ci - 3 mod 26 No key B. Shift Cipher
ci = f(mi) = mi + k mod 26 -1 mi = f (ci) = ci - k mod 26 Key = k Number of keys = 26
Coding characters into numbers A Û 0 N Û 13 B Û 1 O Û 14 C Û 2 P Û 15 D Û 3 Q Û 16 E Û 4 R Û 17 F Û 5 S Û 18 G Û 6 T Û 19 H Û 7 U Û 20 I Û 8 V Û 21 J Û 9 W Û 22 K Û 10 X Û 23 L Û 11 Y Û 24 M Û 12 Z Û 25
8 Caesar Cipher: Example
Plaintext: I C A M E I S A W I C O N Q U E R E D 8 2 0 12 4 8 18 0 22 8 2 14 13 16 20 4 17 4 3
11 5 3 15 7 11 21 3 25 11 5 17 16 19 23 7 20 7 6
Ciphertext: L F D P H L V D Z L F R Q T X H U H G
Monalphabetic substitution ciphers Simplifications (2)
C. Affine Cipher
ci = f(mi) = k1 × mi + k2 mod 26
gcd (k1, 26) = 1
-1 -1 mi = f (ci) = k1 × (ci - k2) mod 26
Key = (k1, k2) Number of keys = 12×26 = 312
9 Most frequent single letters
Average frequency in a random string of letters: 1 = 0.038 = 3.8% 26
Average frequency in a long English text: E — 13% T, N, R, I, O, A, S — 6%-9% D, H, L — 3.5%-4.5% C, F, P, U, M, Y, G, W, V — 1.5%-3% B, X, K, Q, J, Z — < 1%
Most frequent digrams, and trigrams
Digrams:
TH, HE, IN, ER, RE, AN, ON, EN, AT
Trigrams: THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH
10 Relative frequency of letters in a long English text by Stallings
14 12.75 12
10 9.25 7.75 8.5 7.75 8 7.25 7.5 6 6 4.25 3.75 3.5 3.5 4 3 2.75 2.75 3 2 2.25 1.25 1.5 1.5 2 0.5 0.25 0.5 0.5 0.25 0 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
14 12 10 Character frequency 8 in a long English 6 plaintext 4 2
0 a b c d e f g h i j k l m n o p q r s t u v w x y z
14 12 10 Character frequency 8 in the corresponding 6 ciphertext 4 for a shift cipher 2
0 a b c d e f g h i j k l m n o p q r s t u v w x y z
11 14 12 10 Character frequency 8 in a long English 6 plaintext 4 2
0 a b c d e f g h i j k l m n o p q r s t u v w x y z 14 12 Character frequency 10 in the corresponding 8 ciphertext 6 for a general 4 monoalphabetic substitution cipher 2
0 a b c d e f g h i j k l m n o p q r s t u v w x y z
Frequency analysis attack: relevant frequencies
14 14 12 12 10 10 8 8 6 6 4 4 2 2
0 a b c d e f g h i j k lm n o p q r s t u v w x y z 0 a b c d e f g h I j k lm n o p q r s t u v w x y z Long English text T Short English message M
14 14 12 12 10 10 8 8 6 6 4 4 2 2
0 a b c d e f g h i j k lm n o p q r s t u v w x y z 0 a b c d e f g h I j k lm n o p q r s t u v w x y z Ciphertext of the long English text T Ciphertext of the short English message M
12 Frequency analysis attack (1)
Step 1: Establishing the relative frequency of letters in the ciphertext Ciphertext:
FMXVE DKAPH FERBN DKRXR SREFM ORUDS DKDVS HVUFE DKAPR KDLYE VLRHH RH
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
R - 8 D - 7 E, H, K - 5
Frequency analysis attack (2)
Step 2: Assuming the relative frequency of letters in the corresponding message, and deriving the corresponding equations
Assumption: Most frequent letters in the message: E and T
Corresponding equations:
E ® R f(E) = R T ® D f(T) = D
4 ® 17 f(4) = 17 19 ® 3 f(19) = 3
13 Frequency analysis attack (3)
Step 3: Verifying the assumption for the case of affine cipher f(4) = 17 f(19) = 3
4×k1 + k2 º 17 (mod 26) 19×k1 + k2 º 3 (mod 26)
15×k1 º -14 (mod 26)
15×k1 º 12 (mod 26)
Frequency analysis attack (4)
Step 4: Solving the equation of the form
a × x º b mod n for x = k1
15 × k1 º 12 (mod 26) gcd(15, 26) = 1 Thus, one solution
-1 k1 = (15 ) × 12 mod 26 = 7 × 12 mod 26 = 6
However, gcd(k1, 26) = 2 ≠ 1 Thus, our initial assumption incorrect.
14 Frequency analysis attack (2-2) Step 2-2: Assuming the relative frequency of letters in the corresponding message, and deriving the corresponding equations Second Assumption: Most frequent letters in the message: T and E
Corresponding equations:
T ® R f(T) = R E ® D f(E) = D
19 ® 17 f(19) = 17 4 ® 3 f(4) = 3
Frequency analysis attack (3)
Step 3-2: Verifying the assumption for the case of affine cipher f(19) = 17 f(4) = 3
19×k1 + k2 º 17 (mod 26) 4×k1 + k2 º 3 (mod 26)
15×k1 º 14 (mod 26)
15 Frequency analysis attack (4)
Step 4: Solving the equation of the form
a × x º b mod n for x = k1
15 × k1 º 12 (mod 26) gcd(15, 26) = 1 Thus, one solution
-1 k1 = (15 ) × 14 mod 26 = 7 × 14 mod 26 = 20
However, gcd(k1, 26) = 2 ≠ 1 Thus, our second assumption incorrect.
Substitution Ciphers (2) 2. Polyalphabetic substitution cipher
M = m1 m2 … md md+1 md+2 … m2d m2d+1 m2d+2 … m3d …..
C = f1(m1) f2(m2) … fd(md)
f1(md+1) f2(md+2) … fd(m2d ) f1(m2d+1 ) f2( m2d+2) … fd(m3d ) ….. d is a period of the cipher
Key = d, f1, f2, …, fd Number of keys for a given period d = (26!)d » (4 × 1026)d
16 14 12 10 Character frequency in a long English 8 plaintext 6 4 2
0 a b c d e f g h i j k l m n o p q r s t u v w x y z Character frequency 14 in the corresponding 12 ciphertext 10 for a polyalphabetic 8 substitution cipher 6 1 4 × 100% » 3.8 % 26 2
0 a b c d e f g h i j k l m n o p q r s t u v w x y z
Polyalphabetic substitution ciphers Simplifications (1)
A. Vigenère cipher: polyalphabetic shift cipher Invented in 1568
ci = fi mod d(mi) = mi + ki mod d mod 26
-1 mi = f i mod d(ci) = ci - ki mod d mod 26
Key = k0, k1, … , kd-1
Number of keys for a given period d = (26)d
17 Vigenère Cipher - Example
Plaintext: TO BE OR NOT TO BE Key: NSA
Encryption: T O B E O R N O T T O B E
Vigenère Square plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z
3 a b c d e f g h i j k l m n o p q r s t u v w x y z b c d e f g h i j k l m n o p q r s t u v w x y z a N S A c d e f g h i j k l m n o p q r s t u v w x y z a b d e f g h i j k l m n o p q r s t u v w x y z a b c T O B e f g h i j k l m n o p q r s t u v w x y z a b c d f g h i j k l m n o p q r s t u v w x y z a b c d e E O R g h i j k l m n o p q r s t u v w x y z a b c d e f h i j k l m n o p q r s t u v w x y z a b c d e f g N O T i j k l m n o p q r s t u v w x y z a b c d e f g h T O B j k l m n o p q r s t u v w x y z a b c d e f g h i k l m n o p q r s t u v w x y z a b c d e f g h i j E l m n o p q r s t u v w x y z a b c d e f g h i j k m n o p q r s t u v w x y z a b c d e f g h i j k l G G B 1 n o p q r s t u v w x y z a b c d e f g h i j k l m o p q r s t u v w x y z a b c d e f g h i j k l m n R G R p q r s t u v w x y z a b c d e f g h i j k l m n o q r s t u v w x y z a b c d e f g h i j k l m n o p A G T r s t u v w x y z a b c d e f g h i j k l m n o p q 2 s t u v w x y z a b c d e f g h i j k l m n o p q r G G B t u v w x y z a b c d e f g h i j k l m n o p q r s R u v w x y z a b c d e f g h i j k l m n o p q r s t v w x y z a b c d e f g h i j k l m n o p q r s t u w x y z a b c d e f g h i j k l m n o p q r s t u v x y z a b c d e f g h i j k l m n o p q r s t u v w y z a b c d e f g h i j k l m n o p q r s t u v w x z a b c d e f g h i j k l m n o p q r s t u v w x y
18 Vigenère Cipher - Example
Plaintext: TO BE OR NOT TO BE Key: NSA N S A Encryption: T O B E O R N O T T O B E G G B R G R A G T G G B R Ciphertext: GGBRGRAGTGGBR
Determining the period of the polyalphabetic cipher Kasiski�s method
Ciphertext: G G B R G R A G T G G B R
Distance = 9
Period d is a divisor of the distance between identical blocks of the ciphertext
In our example: d = 3 or 9
19 Index of coincidence method (1)
ni - number of occurances of the letter i in the ciphertext i = a .. z
N - length of the ciphertext
pi = probability that the letter of the ciphertext is equal to i
n p = lim i i N N® ¥ z = 1 å pi i=a
Index of coincidence method (2)
Measure of roughness:
z 2 z æ 1 ö 2 1 M.R. = ç p - ÷ = p - åè i 26 ø å i 26 i=a i=a
M.R. 0.028 0.014 0.006 0.003
period 1 2 5 10
20 Index of coincidence method (3)
Index of coincidence z The approximation of p 2 å i Definition: i=a Probability that two random elements of the ciphertext are identical z
ni (n -1) n Formula: z å i × i 2 I.C. = = i=a å N i=a (N -1) × N 2
Index of coincidence method (4)
Measure of roughness z (n -1) n å i × i i=a 1 M.R. = I.C. - 1 = - 26 (N -1) × N 26
M.R. 0.028 0.014 0.006 0.003
period 1 2 5 10
21 Polyalphabetic substitution ciphers Simplifications (2)
B. Rotor machines used before and during the WWII
Country Machine Period
Germany: Enigma d=26×25×26 = 16,900 U.S.A.: M-325, Hagelin M-209 Japan: �Purple� UK: Typex d=26×(26-k)×26, k=5, 7, 9 Poland: Lacida d=24×31×35 = 26,040
Military Enigma
22 Functional diagram & dataflow
23 Enigma Daily Keys
24 Order of rotors (Walzenlage)
6 combinations
Positions of rings (Ringstellung)
263 combinations
25 Plugboard Connections (Steckerverbindung)
~ 0.5 · 1015 combinations
Initial Positions of Rotors (Grundstellung)
263 combinations
26 Number of possible internal 3 · 10114 connections of Enigma
Estimated number of atoms 1080 in the universe
Total Number of Keys
3.6 · 1022 » 275
Larger number of keys than DES.
27 Broken by Polish Cryptologists 1932-1940
Marian Rejewski Jerzy Różycki Henryk Zygalski (born 1905) (born 1909) (born 1907)
Enigma Timetable: 1939
Jul 25-26, 1939: A secret meeting takes place in the Kabackie Woods near the town Pyry (South of Warsaw), where the Poles hand over to the French and British Intelligence Service their complete solution to the German Enigma cipher, and two replicas of the Enigma machine.
28 Improvements and new methods developed by British cryptologists 1939-1945
Alan Turing Gordon Welchman (born 1912) (born 1906)
29 Enigma Timetable: 1939-1940
1939-1940: Alan Turing develops an idea of the British cryptological �Bombe� based on the known-plaintext attack.
Gordon Welchman develops an improvement to the Turing�s idea called �diagonal board�.
Harold �Doc� Keen, engineer at British Tabulating Machines (BTM) becomes responsible for implementing British �Bombe�.
Original British cryptological “Bombe”
30 Reconstructed British cryptological “Bombe”
May, 1940: First British cryptological bombe developed to reconstruct daily keys goes into operation.
Over 210 Bombes are used in England throughout the war. Each bombe weighed one ton, and was 6.5 feet high, 7 feet long, 2 feet wide.
Machines were operated by members of the Women�s Royal Naval Service, �Wrens�.
31 Enigma Timetable: 1943
Apr, 1943: The production of the American Bombe starts in the National Cash Register Company (NCR) in Dayton, Ohio. The engineering design of the bombe comes from Joseph Desch.
Substitution Ciphers (3) 3. Running-key cipher
M = m1 m2 m3 m4 . . . . mN K = k1 k2 k3 k4 . . . . kN K is a fragment of a book
C = c1 c2 c3 c4 . . . . cN
ci = mi + ki mod 26
mi = ci - ki mod 26
Key: book (title, edition), position in the book (page, row)
32 14 12 10 Character frequency in a long English 8 plaintext 6 4 2
0 a b c d e f g h i j k l m n o p q r s t u v w x y z Character frequency 14 in the corresponding 12 ciphertext 10 for a running-key 8 cipher 6 1 × 100% » 3.8 % 4 26 2
0 a b c d e f g h i j k l m n o p q r s t u v w x y z
Substitution Ciphers (4) 4. Polygram substitution cipher
M = m1 m2 … md - M1 md+1 md+2 … m2d - M2 m2d+1 m2d+2 … m3d - M3 ….. C = c1 c2 … cd - C1 cd+1 cd+2 … c2d - C2 c2d+1 c2d+2 … c3d - C3 ….. d is the length of a message block -1 Ci = f(Mi) Mi = f (Ci) Key = d, f Number of keys for a given block length d = (26d)!
33 Playfair Cipher 1854 Key: PLAYFAIR IS A DIGRAM CIPHER
P L A Y F Convention 1 (Stallings) I R S D G message P O L A N D M C H E B ciphertext A K A Y Q R
K N O Q T Convention 2 (Handbook) U V W X Z message P O L A N D ciphertext K A A Y R Q
Hill Cipher 1929
Ciphering:
C[1xd] = M[1xd] · K[dxd]
k11, k12, …, k1d
(c1, c2, …, cd) = (m1, m2, …, md)
kd1, kd2, …, kdd
ciphertext block = message block · key matrix
34 Hill Cipher Deciphering:
-1 M[1xd] = C[1xd] · K [dxd]
message block = ciphertext block · inverse key matrix
where 1, 0, …, 0, 0 0, 1, …, 0, 0 -1 K[dxd] · K [dxd] = …………… 0, 0, …, 1, 0 0, 0, …, 0, 1
key matrix · inverse key matrix = identity matrix
Hill Cipher - Known Plaintext Attack (1)
Known:
C1 = (c11, c12, …, c1d) M1 = (m11, m12, …, m1d) C2 = (c21, c22, …, c2d) M2 = (m21, m22, …, m2d) ………………………………………………….
Cd = (cd1, cd2, …, cdd) Md = (md1, md2, …, mdd)
We know that:
(c11, c12, …, c1d) = (m11, m12, …, m1d) · K[dxd]
(c21, c22, …, c2d) = (m21, m22, …, m2d) · K[dxd] …………………………………………………
(cd1, cd2, …, cdd) = (md1, md2, …, mdd) · K[dxd]
35 Hill Cipher - Known Plaintext Attack (2)
k11, k12, …, k1d c11, c12, …, c1d m11, m12, …, m1d k , k , …, k c21, c22, …, c2d = m21, m22, …, m2d 21 22 2d ………………. ………………….. c , c , …, c m , m , …, m d1 d2 dd d1 d2 dd kd1, kd2, …, kdd
C[dxd] = M[dxd] · K[dxd]
-1 K[dxd] = M [dxd] · C[dxd]
Substitution Ciphers (5) 4. Homophonic substitution cipher
M = { A, B, C, …, Z } C = { 0, 1, 2, 3, …, 99 }
ci = f(mi, random number) -1 mi = f (ci)
f: E ® 17, 19, 27, 48, 64 A ® 8, 20, 25, 49 U ® 45, 68, 91 …… X ® 33
36 Transposition ciphers
M = m1 m2 m3 m4 . . . . mN C = mf(1) mf(2) mf(3) mf(4) . . . . mf(N)
Letters of the plaintext are rearranged without changing them
14 12 10 Character frequency 8 in a long English 6 plaintext 4 2
0 a b c d e f g h i j k l m n o p q r s t u v w x y z 14 12 10 Character frequency 8 in the corresponding 6 ciphertext 4 for a transposition cipher 2
0 a b c d e f g h i j k l m n o p q r s t u v w x y z
37 Transposition cipher Example
Plaintext: CRYPTANALYST Key: KRIS 2 3 1 4 Encryption: K R I S C R Y P T A N A L Y S T
Ciphertext: YNSCTLRAYPAT
One-time Pad Vernam Cipher
Gilbert Vernam, AT&T 1926 Major Joseph Mauborgne
ci = mi Å ki
mi 01110110101001010110101 ki 11011101110110101110110 ci 10101011011111111000011
All bits of the key must be chosen at random and never reused
38 One-time Pad Equivalent version
ci = mi + ki mod 26
mi TO BE OR NOT TO BE ki AX TC VI URD WM OF ci TL UG JZ HFW PK PJ
All letters of the key must be chosen at random and never reused
Perfect Cipher Claude Shannon Communication Theory of Secrecy Systems, 1948
" P(M=m | C=c) = P(M = m) m Î M c Î C
The cryptanalyst can guess a message with the same probability without knowing a ciphertext as with the knowledge of the ciphertext
39 Is substitution cipher a perfect cipher?
C = XRZ
P(M=ADD | C=XRZ) = 0
P(M=ADD) ¹ 0
Is one-time pad a perfect cipher?
C = XRZ
P(M=ADD | C=XRZ) ¹ 0
P(M=ADD) ¹ 0
M might be equal to CAT, PET, SET, ADD, BBC, AAA, HOT, HIS, HER, BET, WAS, NOW, etc.
40 S-P Networks
. S S . S . . S S . S . P P . . S S . S ...... S S . S
Basic operations of S-P networks
Substitution Permutation
0 1 0 0 0 1 0 1 0 0 0 1 1 1 1 0 1 1 1 0 1 1 1 1 0 0 0 0
S-box P-box
41 Avalanche effect
m1 ® m1 c1® c1 m2 . c2 ® c2 m3 S S S c . 3 m4 c4 .
m5 . c5 ® c5 m6 c6 m7 S S . S c7 ® c7 m8 . c8 ® c8 P P . m9 c9 m10 . c10 m11 S S . S c11 ® c11 m12 c12 ......
m61 . c61 ® c61 m62 c62 m63 S S . S c63 m64 c64 ® c64
Shannon Product Ciphers
• Computationally secure ciphers based on the idea of diffusion and confusion
• Confusion relationship between plaintext and ciphertext is obscured, e.g. through the use of substitutions
• Diffusion spreading influence of one plaintext letter to many ciphertext letters, e.g. through the use of permutations
42 Horst Feistel, Walt Tuchman LUCIFER IBM
k1,1 k1,2 k1,16 m1 c1 m2 S0 S0 . S0 c2 m 3 . c3 m4 S1 S1 S1 c4 . k2,1 k2,2 K2,16 m 5 . c5 m6 S0 S0 S0 c6 m7 . c7 m8 S1 S1 . S1 c8 k3,1 P K3,2 P . k3,16 m9 c9 m10 S0 S0 . S0 c10 m 11 . c11 m12 S1 S1 S1 c12 ...... k32,1 k32,2 . k32,16 m125 . c125 m126 S0 S0 S0 c126 m127 . c127 m128 S1 S1 S1 c128
16 rounds
LUCIFER- external look
plaintext block 128 bits
LUCIFER key 512 bits 128 bits
ciphertext block
43