EE 418 Network Security and Cryptography
Lecture #5
October 13, 2016

Polyalphabetic Classical Cryptosystems. Introduction to Cryptanalysis.

Lecture notes prepared by Professor Radha Poovendran.

Tamara Bonaci
Department of Electrical Engineering
University of Washington, Seattle

Outline:

1. Review: The Vigenère Cipher
2. The Hill Cipher
3. The Permutation Cipher
4. Introduction to Cryptanalysis
5. Cryptanalysis of the Shift Cipher
6. Remarks on Letter Distribution of the English Language

1 Review: The Vigenère Cipher

Last time, we talked about the Vigenère cipher, and we said that it is the first polyalphabetic cryptosystem that we are encountering in this course. A polyalphabetic cryptosystem is a cryptosystem where multiple alphabetic characters are encrypted at a time. In other words, each plaintext element is equivalent to m alphabetic characters.

The idea behind this cryptosystem is to use a vector of m keys, i.e., $K = (K_1, K_2, \ldots, K_m)$. We have $\mathcal{P} = \mathcal{C} = \mathcal{K} = (\mathbb{Z}_{26})^m$, where $(\mathbb{Z}_{26})^m$ is an m-tuple:

$$y = e_K(x_1, x_2, \ldots, x_m) = (x_1 + K_1, x_2 + K_2, \ldots, x_m + K_m) \bmod 26, \tag{1}$$

$$d_K(y_1, y_2, \ldots, y_m) = (y_1 - K_1, y_2 - K_2, \ldots, y_m - K_m) \bmod 26. \tag{2}$$

Note: The difference between the Vigenère cipher and the shift, substitution, and affine ciphers is that in the Vigenère cipher each alphabetic character is not uniquely mapped to another alphabetic character.

Example: Let the plaintext be vector, and let m = 4, K = (2, 4, 6, 7). From the correspondence table we have x = (21, 4, 2, 19, 14, 17), and the cipher is shown in the table below.

| PLAINTEXT | 21 | 4 | 2 | 19 | 14 | 17 |
|---|---|---|---|---|---|---|
| KEY | 2 | 4 | 6 | 7 | 2 | 4 |
| CIPHER | 23 | 8 | 8 | 0 | 16 | 21 |
| | X | I | I | A | Q | V |

To decrypt, we use the same keyword, but modulo subtraction is performed instead of modulo addition. The number of possible keywords of length m is $26^m$, so even for small m an exhaustive search attack requires a long time. Let's now consider two more polyalphabetic cryptosystems, the Hill cipher and the permutation cipher.

2 The Hill Cipher

Consider the affine cipher, where $e_{(a,b)}(x) = ax + b \bmod m$, and suppose that b = 0, so that encryption becomes equal to $e_{(a,0)}(x) = ax \bmod m$, i.e. multiplication by the secret key a modulo m. Decryption is then given by $d_K(y) = a^{-1} y \bmod m$, provided that gcd(a, m) = 1.

Question: How can we generalize this from x corresponding to a single letter to x corresponding to a string of letters?

Answer: The idea is to choose an integer m > 0, and then to define an m × m key matrix K.

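Example: Let us consider an example where m = 2. We can define K as:

$$K = \begin{pmatrix} 2 & 3 \\ 5 & 7 \end{pmatrix}. \tag{3}$$

In this cryptosystem, a plaintext is written as row matrices. For example, if the plaintext is test, we write it as:

$$\begin{pmatrix} 19 & 4 \end{pmatrix}, \tag{4}$$

$$\begin{pmatrix} 18 & 19 \end{pmatrix}. \tag{5}$$

Encryption of te is:

$$\begin{pmatrix} 19 & 4 \end{pmatrix} \begin{pmatrix} 2 & 3 \\ 5 & 7 \end{pmatrix} = \begin{pmatrix} 38+20 & 57+28 \end{pmatrix} = \begin{pmatrix} 6 & 7 \end{pmatrix} \bmod 26. \tag{6}$$

Encryption of st is:

$$\begin{pmatrix} 18 & 19 \end{pmatrix} \begin{pmatrix} 2 & 3 \\ 5 & 7 \end{pmatrix} = \begin{pmatrix} 20 & 21 \end{pmatrix} \bmod 26. \tag{7}$$

Hence, the cipher is:

$$\begin{pmatrix} 6 & 7 & 20 & 21 \end{pmatrix}, \tag{8}$$

which is GHUV. To decrypt, we will use $K^{-1}$ as the decryption key. This begs the following question.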

Question: What does it mean for a matrix to be invertible mod 26?

Answer: Much like with numbers, there is an identity matrix over integers mod n. The m × m identity matrix mod n (denoted $I_m$) has 1's along the diagonal and 0's elsewhere. As with the reals, for any matrix K, we have $K I_m = I_m K = K$. A matrix K is invertible mod n when there exists a matrix $K^{-1}$ such that $K K^{-1} = K^{-1} K = I_m$.

Recall that a matrix K is invertible over the real numbers when its determinant is non-zero (see Stinson, 3rd ed, pg 16 for a definition of the determinant). Analogously, K is invertible over $\mathbb{Z}_n$ when det K is invertible mod n, i.e. when gcd(det K, n) = 1.

Question: How do we compute $K^{-1} \bmod 26$?

Theorem 1. Let K be a matrix such that gcd(det K, n) = 1. Then

$$K^{-1} \bmod n \equiv (\det K)^{-1} K^{*} \bmod n \tag{9}$$

where the (i, j)-th entry of $K^{*}$ is equal to $(-1)^{i+j} \det K_{ji}$ and $K_{ji}$ is obtained by deleting the j-th row and i-th column of K.

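Example: When K is equal to the above encryption matrix, we have

$$K = \begin{pmatrix} 2 & 3 \\ 5 & 7 \end{pmatrix} \tag{10}$$

and

$$K^{*} = \begin{pmatrix} 7 & -3 \\ -5 & 2 \end{pmatrix} \equiv \begin{pmatrix} 7 & 23 \\ 21 & 2 \end{pmatrix} \bmod 26. \tag{11}$$

Furthermore, we have

$$(\det K)^{-1} \bmod 26 \equiv 25^{-1} \bmod 26 \equiv 25 \bmod 26. \tag{12}$$

Hence

$$K^{-1} \bmod 26 = (\det K)^{-1} K^{*} \bmod 26 = 25 \begin{pmatrix} 7 & 23 \\ 21 & 2 \end{pmatrix} \bmod 26 \tag{13}$$

$$= \begin{pmatrix} 175 & 575 \\ 525 & 50 \end{pmatrix} \bmod 26 = \begin{pmatrix} 19 & 3 \\ 5 & 24 \end{pmatrix} \bmod 26. \tag{14}$$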

To decrypt with the Hill cipher, we multiply the ciphertext by $K^{-1}$. We leave it as an exercise to verify that $yK^{-1}$ is equal to the original plaintext in this case.

Stated formally, the Hill cipher has $\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$, where m ≥ 2. $\mathcal{K}$ = {set of all m × m invertible matrices over $\mathbb{Z}_{26}$}. For $K \in \mathcal{K}$:

$$e_K(x) = xK, \tag{15}$$

$$d_K(y) = yK^{-1}. \tag{16}$$
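The following Python code is an added example, not part of the original lecture notes. It implements Theorem 1 for any m × m key (the notes work only the 2 × 2 case) and applies it to the key matrix from equation (3); the function names are illustrative.

```python
from math import gcd

def minor(M, r, c):
    """M with row r and column c deleted (0-based indices)."""
    return [row[:c] + row[c + 1:] for i, row in enumerate(M) if i != r]

def det(M):
    """Integer determinant by cofactor expansion along the first row."""
    if not M:
        return 1
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j)) for j in range(len(M)))

def inverse_mod(K, n=26):
    """K^-1 mod n = (det K)^-1 K* mod n, as in Theorem 1."""
    d = det(K) % n
    if gcd(d, n) != 1:
        raise ValueError(f"det K = {d} is not invertible mod {n}")
    d_inv = pow(d, -1, n)  # modular inverse of the determinant (Python 3.8+)
    m = len(K)
    # Entry (i, j) of K* is (-1)^(i+j) det K_ji: delete row j and column i.
    return [[d_inv * (-1) ** (i + j) * det(minor(K, j, i)) % n
             for j in range(m)] for i in range(m)]

def hill(text, K, n=26):
    """Multiply each block of m letters, as a row vector, by K mod n."""
    m = len(K)
    x = [ord(c) - 65 for c in text.upper()]
    if len(x) % m:
        raise ValueError("text length must be a multiple of m")
    y = [sum(x[b + i] * K[i][j] for i in range(m)) % n
         for b in range(0, len(x), m) for j in range(m)]
    return "".join(chr(v + 65) for v in y)

K = [[2, 3], [5, 7]]        # key matrix from equation (3)
K_INV = inverse_mod(K)      # decryption key, to compare with equation (14)

if __name__ == "__main__":
    c = hill("TE", K)
    print(c, hill(c, K_INV), K_INV)
```

A key whose determinant shares a factor with 26 is rejected with a `ValueError`, which is the gcd(det K, n) = 1 condition from the text.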

2.1 The Permutation Cipher

The idea of the permutation cipher (also known as the transposition cipher) cryptosystem is to generate the ciphertext by altering the positions of the characters in the plaintext, i.e. to rearrange the letters using a permutation. In contrast to the substitution cipher, there is no replacement of characters (it is similar to just scrambling the letters of a word). Formally, we describe the permutation cipher cryptosystem as follows.

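Let $\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$, where m is a positive integer. $\mathcal{K}$ includes all permutations of {1, ..., m}. For each permutation $\pi \in \mathcal{K}$:

$$y = e_\pi(x_1, \ldots, x_m) = (x_{\pi(1)}, \ldots, x_{\pi(m)}) \tag{17}$$

$$x = d_\pi(y_1, \ldots, y_m) = (y_{\pi^{-1}(1)}, \ldots, y_{\pi^{-1}(m)}). \tag{18}$$

$\pi^{-1}$ denotes the inverse permutation to $\pi$.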

Example: For illustration, let's consider m = 6, and permutation (the key) π is as follows:

| j | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|
| π(j) | 3 | 5 | 1 | 6 | 4 | 2 |

To obtain $\pi^{-1}$, interchange the rows, and sort the columns such that the first row is in ascending order. We obtain:

| j | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|
| $\pi^{-1}(j)$ | 3 | 6 | 1 | 5 | 2 | 4 |

For encryption, if the plaintext is followashore, we first partition the plaintext into groups of six letters as: follow | ashore. Using the above key π, we re-arrange each group of six letters as: LOFWLO | HRAEOS. Similarly, the ciphertext can be decrypted using the inverse permutation $\pi^{-1}$.

Note: The permutation cipher is a special case of the Hill Cipher. Consider the above encryption rule π(x). It can be written as a Hill encryption matrix $K_\pi$ as follows:

$$K_\pi = \begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \end{pmatrix} \tag{19}$$

and the decryption matrix is:

$$K_\pi^{T} = \begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \end{pmatrix} \tag{20}$$

Note that the decryption matrix is the transpose of the encryption matrix, i.e. we obtain the decryption matrix by interchanging the rows and columns of the encryption matrix.

3 Introduction to Cryptanalysis

Now that we have defined some simple classical cryptosystems, we might be interested in how secure these cryptosystems are (or how one could go about breaking them). In doing so, we turn to cryptanalysis, and start by considering one of the most important assumptions in modern cryptography, namely Kerckhoffs's principle.

3.1 Kerckhoffs's Principle:

Kerckhoffs's principle was introduced in 1883 by A. Kerckhoffs, and it states that in assessing the security of a cryptosystem, one should always assume that an attacker knows the details of the cryptosystem being used. In other words, an attacker knows the tuple (P, C, K, E, D) defining the cryptosystem. Therefore, the security of the system should always be based on the key, and not on the obscurity of a cryptographic algorithm.

3.2 Attack models

An attacker can have different goals when attacking a channel between communicating parties. For example, an attacker may wish to:

1. Read one specific message.
2. Find the encryption/decryption key, and thus read all of the exchanged messages.
3. Corrupt Alice's message into another message in such a way that Bob thinks that Alice has sent the altered message.
4. Masquerade as Alice in order to communicate with Bob such that Bob believes he is communicating with Alice.

For each of these goals, there are four main types of attacks that an attacker can use, and those types differ in the amount of information an attacker has available when trying to determine the key. Those four attack types are as follows.

| Type of attack | Description |
|---|---|
| Ciphertext only attack | Eve only observes the ciphertext y |
| Known plaintext attack | Eve knows the ciphertext y corresponding to plaintext x |
| Chosen plaintext attack | Eve has temporary access to an encryption box. The encryption box takes as input any chosen plaintext x and outputs the ciphertext y |
| Chosen ciphertext attack | Eve has temporary access to a decryption box. The decryption box takes as input any chosen ciphertext y and outputs the plaintext x |

Based on these models, we can analyze the security of every cryptosystem.

4 Cryptanalysis of the Shift Cipher

– Ciphertext only: Let K = 3 and the plaintext be shift. We then get VKLIW as the cipher (for a right shift). Assume Eve knows only the ciphertext VKLIW. Eve also knows that a shift cipher algorithm is used for encryption. Given the small cardinality of the key space, Eve can try all the possible 26 shifts in right direction. Upon shifting, the following plaintexts are obtained:

$$\text{vkliw} \xrightarrow{\text{1st left shift}} \text{ujkhv} \xrightarrow{\text{2nd left shift}} \text{tijgu} \xrightarrow{\text{3rd left shift}} \text{shift},$$

and so on. Since "shift" is the only dictionary word in the list of 26 possible words, Eve assumes that it is indeed the plaintext that was encrypted. Therefore, Eve can also infer the original key K = 3.

– Known plaintext: If Eve knows a (plaintext, ciphertext) pair, then Eve can find the key by subtracting the plaintext from the ciphertext mod 26. For instance, if Eve knows that plaintext b corresponds to ciphertext E, then Eve can determine that K = 3.

– Chosen plaintext: Choose letter a as plaintext; the resulting ciphertext will be the key. For example, if the ciphertext is P then K = 15.

– Chosen ciphertext: Choose A as the ciphertext. The plaintext is then the negative of the key K.
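The four attacks above, written out in Python as an added example that is not part of the original lecture notes. The encryption and decryption "boxes" are modelled as callables, the word list is a small constructed stand-in for a dictionary, and all function names are illustrative.

```python
def shift_encrypt(plaintext, k):
    """Lowercase plaintext -> uppercase ciphertext, as in the notes."""
    return "".join(chr((ord(c) - 97 + k) % 26 + 65) for c in plaintext.lower())

def shift_decrypt(ciphertext, k):
    return "".join(chr((ord(c) - 65 - k) % 26 + 97) for c in ciphertext.upper())

# Constructed stand-in for a dictionary of English words.
WORDS = {"shift", "cipher", "key", "alice", "bob"}

def ciphertext_only(ciphertext, words=WORDS):
    """Try all 26 keys and keep the decryptions that are known words."""
    return [(k, shift_decrypt(ciphertext, k)) for k in range(26)
            if shift_decrypt(ciphertext, k) in words]

def known_plaintext(plaintext, ciphertext):
    """K = y - x mod 26; every position of the pair must agree."""
    keys = {(ord(y) - 65 - (ord(x) - 97)) % 26
            for x, y in zip(plaintext.lower(), ciphertext.upper())}
    if len(keys) != 1:
        raise ValueError("pair is not consistent with a single shift")
    return keys.pop()

def chosen_plaintext(encrypt_box):
    """Submit 'a' (= 0): the returned ciphertext letter is the key."""
    return ord(encrypt_box("a")) - 65

def chosen_ciphertext(decrypt_box):
    """Submit 'A' (= 0): the returned plaintext letter is -K mod 26."""
    return -(ord(decrypt_box("A")) - 97) % 26

if __name__ == "__main__":
    print(ciphertext_only("VKLIW"))
    print(known_plaintext("b", "E"))
    print(chosen_plaintext(lambda x: shift_encrypt(x, 15)))
    print(chosen_ciphertext(lambda y: shift_decrypt(y, 15)))
```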

5 Remarks on Letter Distribution of the English Language

English language text has different frequencies for different letters. An estimate of the relative frequencies (probabilities) of the 26 letters is given in Table 1. Note that the letter e has the maximum relative frequency of 0.127.

Table 1. Probabilities of occurrence of the 26 letters of the English language alphabet.

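| A | B | C | D | E | F | G | H | I | J | K | L | M |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0.082 | 0.015 | 0.028 | 0.043 | 0.127 | 0.022 | 0.020 | 0.061 | 0.070 | 0.002 | 0.008 | 0.040 | 0.024 |

| N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0.067 | 0.075 | 0.019 | 0.001 | 0.060 | 0.063 | 0.091 | 0.028 | 0.010 | 0.023 | 0.001 | 0.020 | 0.001 |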

Similarly we can define frequencies of digrams, trigrams, initial letters, final letters, etc. More generally, we can then use the statistical properties of the English language to perform cryptanalysis. A key observation here is that the vowels "a, e, i, o" and the letters "t, s, b, h, d" have relatively high probability of appearance in the English language. Table 2 indicates the rank order of vowels based on their frequencies, and Table 3 the rank order of consonants "t, s, d, n, h" based on their frequencies.

Table 2. Rank order of the probabilities of occurrence of the vowels.

| E | A | I | O | U |
|---|---|---|---|---|
| 0.127 | 0.082 | 0.075 | 0.070 | 0.028 |

Table 3. Probabilities of most frequently occurring consonants.

| T | S | N | H | D |
|---|---|---|---|---|
| 0.091 | 0.063 | 0.067 | 0.061 | 0.043 |
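As an added example (not part of the original lecture notes), the Python code below uses the Table 1 probabilities for a ciphertext-only attack on the shift cipher: each of the 26 candidate decryptions is scored with a chi-squared distance to the English letter distribution. The sample plaintext is constructed for the demonstration, and the function names are illustrative.

```python
from collections import Counter

# Relative letter frequencies A..Z, copied from Table 1.
FREQ = [0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070,
        0.002, 0.008, 0.040, 0.024, 0.067, 0.075, 0.019, 0.001, 0.060,
        0.063, 0.091, 0.028, 0.010, 0.023, 0.001, 0.020, 0.001]

def shift(text, k):
    """Shift every letter of an A-Z string by k positions mod 26."""
    return "".join(chr((ord(c) - 65 + k) % 26 + 65) for c in text.upper())

def chi_squared(text):
    """Distance between the letter counts of text and the Table 1 model."""
    counts, n = Counter(text), len(text)
    return sum((counts[chr(65 + i)] - n * p) ** 2 / (n * p)
               for i, p in enumerate(FREQ))

def rank_keys(ciphertext):
    """All 26 candidate keys, most English-like decryption first."""
    scored = [(chi_squared(shift(ciphertext, -k)), k) for k in range(26)]
    return [k for _, k in sorted(scored)]

def most_frequent_letter_guess(ciphertext):
    """Cheaper heuristic: assume the most common ciphertext letter is E."""
    top = Counter(ciphertext).most_common(1)[0][0]
    return (ord(top) - ord("E")) % 26

# Constructed sample: plaintext chosen for this demo, encrypted with K = 3.
SAMPLE = shift("MEETMEHEREBEFORESEVEN", 3)

if __name__ == "__main__":
    best = rank_keys(SAMPLE)[0]
    print(SAMPLE, "-> key", best, "->", shift(SAMPLE, -best))
    print("most-frequent-letter guess:", most_frequent_letter_guess(SAMPLE))
```

Statistical scoring needs enough ciphertext to be reliable; for a single short word, the dictionary check described in Section 4 is the more dependable test.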

Sources for Today’s Lecture:

1. Douglas R. Stinson, Cryptography, Theory and Practice, 3rd edition. CRC Press, 2005, p. 1–39.
2. Wade Trappe and Lawrence C. Washington, Introduction to Cryptography with Coding Theory. Prentice Hall, 2002, p. 1–26 and 59–74.
3. Neil Daswani, Christoph Kern, and Anita Kesavan, Foundations of Security, What Every Programmer Needs to Know. Apress, 2007, p. 203–221.
