EE 418 Network Security and Cryptography
Lecture #5, October 13, 2016
Polyalphabetic Classical Cryptosystems. Introduction to Cryptanalysis.

Lecture notes prepared by Professor Radha Poovendran.
Tamara Bonaci
Department of Electrical Engineering
University of Washington, Seattle

Outline:
1. Review: The Vigenère Cipher
2. The Hill Cipher
3. The Permutation Cipher
4. Introduction to Cryptanalysis
5. Cryptanalysis of the Shift Cipher
6. Remarks on Letter Distribution of the English Language

1 Review: The Vigenère Cipher

Last time, we talked about the Vigenère cipher, and we said that it is the first polyalphabetic cryptosystem that we are encountering in this course. A polyalphabetic cryptosystem is a cryptosystem where multiple alphabetic characters are encrypted at a time. In other words, each plaintext element is equivalent to $m$ alphabetic characters.

The idea behind this cryptosystem is to use a vector of $m$ keys, i.e., $K = (K_1, K_2, \ldots, K_m)$. We have $\mathcal{P} = \mathcal{C} = \mathcal{K} = (\mathbb{Z}_{26})^m$, where each element of $(\mathbb{Z}_{26})^m$ is an $m$-tuple:

$$y = e_K(x_1, x_2, \ldots, x_m) = (x_1 + K_1, x_2 + K_2, \ldots, x_m + K_m) \bmod 26, \tag{1}$$

$$d_K(y_1, y_2, \ldots, y_m) = (y_1 - K_1, y_2 - K_2, \ldots, y_m - K_m) \bmod 26. \tag{2}$$

Note: The difference between the Vigenère cipher and the shift, substitution, and affine ciphers is that in the Vigenère cipher each alphabetic character is not uniquely mapped to another alphabetic character.

Example: Let the plaintext be the word vector, and let $m = 4$, $K = (2, 4, 6, 7)$. From the correspondence table we have $x = (21, 4, 2, 19, 14, 17)$, and the cipher is shown in Table 1.

PLAINTEXT:  21   4   2  19  14  17
KEY:         2   4   6   7   2   4
CIPHER:     23   8   8   0  16  21
             X   I   I   A   Q   V

To decrypt, we use the same keyword, but modulo subtraction is performed instead of modulo addition.

The number of possible keywords of length $m$ is $26^m$, so even for small $m$ an exhaustive search attack requires a long time.

Let's now consider two more polyalphabetic cryptosystems, the Hill cipher and the permutation cipher.
2 The Hill Cipher

Consider the affine cipher, where $e_{(a,b)}(x) = ax + b \bmod m$, and suppose that $b = 0$, so that encryption becomes $e_{(a,0)}(x) = ax \bmod m$, i.e. multiplication by the secret key $a$ modulo $m$. Decryption is then given by $d_K(y) = a^{-1} y \bmod m$, provided that $\gcd(a, m) = 1$.

Question: How can we generalize this from $x$ corresponding to a single letter to $x$ corresponding to a string of letters?

Answer: The idea is to choose an integer $m > 0$, and then to define an $m \times m$ key matrix $K$.

Example: Let us consider an example where $m = 2$. We can define $K$ as:

$$K = \begin{pmatrix} 2 & 3 \\ 5 & 7 \end{pmatrix}. \tag{3}$$

In this cryptosystem, a plaintext is written as row matrices. For example, if the plaintext is test, we write it as:

$$\begin{pmatrix} 19 & 4 \end{pmatrix}, \tag{4}$$

$$\begin{pmatrix} 18 & 19 \end{pmatrix}. \tag{5}$$

Encryption of te is:

$$\begin{pmatrix} 19 & 4 \end{pmatrix} \begin{pmatrix} 2 & 3 \\ 5 & 7 \end{pmatrix} = \begin{pmatrix} 38+20 & 57+28 \end{pmatrix} = \begin{pmatrix} 6 & 7 \end{pmatrix} \bmod 26. \tag{6}$$

Encryption of st is:

$$\begin{pmatrix} 18 & 19 \end{pmatrix} \begin{pmatrix} 2 & 3 \\ 5 & 7 \end{pmatrix} = \begin{pmatrix} 20 & 21 \end{pmatrix} \bmod 26. \tag{7}$$

Hence, the cipher is:

$$\begin{pmatrix} 6 & 7 & 20 & 21 \end{pmatrix}, \tag{8}$$

which is GHUV. To decrypt, we will use $K^{-1}$ as the decryption key. This raises the following question.

Question: What does it mean for a matrix to be invertible mod 26?

Answer: Much like with numbers, there is an identity matrix over integers mod $n$. The $m \times m$ identity matrix mod $n$ (denoted $I_m$) has 1's along the diagonal and 0's elsewhere. As with the reals, for any matrix $K$, we have $K I_m = I_m K = K$. A matrix $K$ is invertible mod $n$ when there exists a matrix $K^{-1}$ such that $K K^{-1} = K^{-1} K = I_m$.

Recall that a matrix $K$ is invertible over the real numbers when its determinant is non-zero (see Stinson, 3rd ed, pg 16 for a definition of the determinant). Analogously, $K$ is invertible over $\mathbb{Z}_n$ when $\det K$ is invertible mod $n$, i.e. when $\gcd(\det K, n) = 1$.

Question: How do we compute $K^{-1} \bmod 26$?

Theorem 1. Let $K$ be a matrix such that $\gcd(\det K, n) = 1$. Then

$$K^{-1} \bmod n \equiv (\det K)^{-1} K^{*} \bmod n, \tag{9}$$

where the $(i, j)$-th entry of $K^{*}$ is equal to $(-1)^{i+j} \det K_{ji}$ and $K_{ji}$ is obtained by deleting the $j$-th row and $i$-th column of $K$.
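Theorem 1 and the encryption rule y = xK, worked in Python as an added example that is not part of the original lecture notes. The function names are chosen here for illustration, and `BAD_KEY` is a constructed matrix whose determinant is not invertible mod 26, so it is rejected as a key.

```python
from math import gcd

def minor(M, r, c):
    """Return M with row r and column c deleted."""
    return [row[:c] + row[c + 1:] for i, row in enumerate(M) if i != r]

def det(M):
    """Integer determinant by cofactor expansion along the first row."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j)) for j in range(len(M)))

def inverse_mod(K, n=26):
    """K^{-1} mod n = (det K)^{-1} K* mod n, as in Theorem 1 (m >= 2)."""
    d = det(K) % n
    if gcd(d, n) != 1:
        raise ValueError(f"det K = {d} is not invertible mod {n}")
    d_inv = pow(d, -1, n)                  # modular inverse, Python 3.8+
    m = len(K)
    # (i, j) entry of K* is (-1)^(i+j) det K_ji: delete row j and column i.
    return [[d_inv * (-1) ** (i + j) * det(minor(K, j, i)) % n
             for j in range(m)] for i in range(m)]

def row_times_matrix(x, K, n=26):
    """Row vector times matrix, reduced mod n."""
    return [sum(x[i] * K[i][j] for i in range(len(x))) % n
            for j in range(len(K))]

def hill(text, K, n=26):
    """Apply y = xK to each block of m letters (a=0, ..., z=25)."""
    m = len(K)
    nums = [ord(ch) - ord("a") for ch in text.lower()]
    if len(nums) % m:
        raise ValueError("text length must be a multiple of m")
    out = []
    for k in range(0, len(nums), m):
        out += row_times_matrix(nums[k:k + m], K, n)
    return "".join(chr(v + ord("A")) for v in out)

K = [[2, 3], [5, 7]]           # key matrix from the lecture's example
K_INV = inverse_mod(K)         # decryption key K^{-1} mod 26
BAD_KEY = [[2, 4], [6, 8]]     # constructed: det = -8 = 18 mod 26, gcd(18, 26) = 2

if __name__ == "__main__":
    print(K_INV)
    c = hill("te", K)
    print(c, hill(c, K_INV))   # encrypt the block te, then decrypt with K^{-1}
```

Decryption is the same `hill` call with `K_INV` as the matrix, which is d_K(y) = yK^{-1}.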
Example: When $K$ is equal to the above encryption matrix, we have

$$K = \begin{pmatrix} 2 & 3 \\ 5 & 7 \end{pmatrix} \tag{10}$$

and

$$K^{*} = \begin{pmatrix} 7 & -3 \\ -5 & 2 \end{pmatrix} \equiv \begin{pmatrix} 7 & 23 \\ 21 & 2 \end{pmatrix} \bmod 26. \tag{11}$$

Furthermore, we have

$$(\det K)^{-1} \bmod 26 \equiv 25^{-1} \bmod 26 \equiv 25 \bmod 26. \tag{12}$$

Hence

$$K^{-1} \bmod 26 = (\det K)^{-1} K^{*} \bmod 26 = 25 \begin{pmatrix} 7 & 23 \\ 21 & 2 \end{pmatrix} \bmod 26 \tag{13}$$

$$= \begin{pmatrix} 175 & 575 \\ 525 & 50 \end{pmatrix} \bmod 26 = \begin{pmatrix} 19 & 3 \\ 5 & 24 \end{pmatrix} \bmod 26. \tag{14}$$

To decrypt with the Hill cipher, we multiply the ciphertext by $K^{-1}$. We leave it as an exercise to verify that $yK^{-1}$ is equal to the original plaintext in this case.

Stated formally, the Hill cipher has $\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$, where $m \geq 2$, and $\mathcal{K} = \{\text{set of all } m \times m \text{ invertible matrices over } \mathbb{Z}_{26}\}$. For $K \in \mathcal{K}$:

$$e_K(x) = xK, \tag{15}$$

$$d_K(y) = yK^{-1}. \tag{16}$$

2.1 The Permutation Cipher

The idea of the permutation cipher (also known as the transposition cipher) is to generate the ciphertext by altering the positions of the characters in the plaintext, i.e. to rearrange the letters using a permutation. In contrast to the substitution cipher, there is no replacement of characters (it is similar to just scrambling the letters of a word). Formally, we describe the permutation cipher cryptosystem as follows.

Let $\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$, where $m$ is a positive integer. $\mathcal{K}$ includes all permutations of $\{1, \ldots, m\}$. For each permutation $\pi \in \mathcal{K}$:

$$y = e_\pi(x_1, \ldots, x_m) = (x_{\pi(1)}, \ldots, x_{\pi(m)}), \tag{17}$$

$$x = d_\pi(y_1, \ldots, y_m) = (y_{\pi^{-1}(1)}, \ldots, y_{\pi^{-1}(m)}). \tag{18}$$

$\pi^{-1}$ denotes the inverse permutation to $\pi$.

Example: For illustration, let's consider $m = 6$, and let the permutation (the key) $\pi$ be as follows:

j       1   2   3   4   5   6
π(j)    3   5   1   6   4   2

To obtain $\pi^{-1}$, interchange the rows, and sort the columns such that the first row is in ascending order.

For encryption, if the plaintext is followashore, we first partition the plaintext into groups of six letters as: follow | ashore. Using the above key $\pi$, we re-arrange each group of six letters as: LOFWLO | HRAEOS. Similarly, the ciphertext can be decrypted using the inverse permutation $\pi^{-1}$.
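The permutation cipher with the key π above, as an added Python example that is not part of the original lecture notes; the function names are chosen here for illustration. It recomputes the inverse permutation, reproduces the ciphertext of followashore, and checks that ciphertext and plaintext have identical letter counts, since letters are only moved and never replaced.

```python
from collections import Counter

def check_key(pi):
    """A key is valid only if it is a permutation of 1..m (1-based)."""
    if sorted(pi) != list(range(1, len(pi) + 1)):
        raise ValueError("key must be a permutation of 1..m")

def inverse_permutation(pi):
    """pi[j-1] holds pi(j); the result holds pi^{-1} in the same form."""
    check_key(pi)
    inv = [0] * len(pi)
    for j, image in enumerate(pi, start=1):
        inv[image - 1] = j        # pi(j) = image  =>  pi^{-1}(image) = j
    return inv

def permute_blocks(text, pi):
    """Apply (x_pi(1), ..., x_pi(m)) to each block of m letters."""
    check_key(pi)
    m = len(pi)
    if len(text) % m:
        raise ValueError("text length must be a multiple of m")
    return "".join(text[k + p - 1]
                   for k in range(0, len(text), m) for p in pi)

def encrypt(plaintext, pi):
    return permute_blocks(plaintext.lower(), pi).upper()

def decrypt(ciphertext, pi):
    # Decryption is the same rearrangement with the inverse permutation.
    return permute_blocks(ciphertext.upper(), inverse_permutation(pi)).lower()

def letter_counts(text):
    """Letter frequencies, ignoring case."""
    return Counter(text.lower())

PI = [3, 5, 1, 6, 4, 2]           # the key pi from the lecture's example

if __name__ == "__main__":
    c = encrypt("followashore", PI)
    print(inverse_permutation(PI))
    print(c, decrypt(c, PI))
    print(letter_counts(c) == letter_counts("followashore"))
```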
For the key $\pi$ above, we obtain the inverse permutation $\pi^{-1}$:

j         1   2   3   4   5   6
π⁻¹(j)    3   6   1   5   2   4

Note: The permutation cipher is a special case of the Hill cipher. Consider the above encryption rule $\pi(x)$. It can be written as a Hill encryption matrix $K_\pi$ as follows:

$$K_\pi = \begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \end{pmatrix} \tag{19}$$

and the decryption matrix is:

$$K_\pi^{T} = \begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \end{pmatrix} \tag{20}$$

Note that the decryption matrix is the transpose of the encryption matrix, i.e. we obtain the decryption matrix by interchanging the rows and columns of the encryption matrix.

3 Introduction to Cryptanalysis

Now that we have defined some simple classical cryptosystems, we might be interested in how secure these cryptosystems are (or how one could go about breaking them). In doing so, we turn to cryptanalysis, and start by considering one of the most important assumptions in modern cryptography, namely Kerckhoffs's principle.

3.1 Kerckhoffs's Principle

Kerckhoffs's principle was introduced in 1883 by A. Kerckhoffs, and it states that in assessing the security of a cryptosystem, one should always assume that an attacker knows the details of the cryptosystem being used. In other words, an attacker knows the tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ defining the cryptosystem. Therefore, the security of the system should always be based on the key, and not on the obscurity of a cryptographic algorithm.

3.2 Attack models

An attacker can have different goals when attacking a channel between communicating parties. For example, an attacker may wish to:

1. Read one specific message.
2. Find the encryption/decryption key, and thus read all of the exchanged messages.
3. Corrupt Alice's message into another message in such a way that Bob thinks that Alice has sent the altered message.
4. Masquerade as Alice in order to communicate with Bob such that Bob believes he is communicating with Alice.
For each of these goals, there are four main types of attacks that an attacker can use, and those types differ in the amount of information an attacker has available when trying to determine the key. Those four attack types are as follows.

Type of attack             Description
Ciphertext only attack     Eve only observes the ciphertext y
Known plaintext attack     Eve knows the ciphertext y corresponding to plaintext x
Chosen plaintext attack    Eve has temporary access to an encryption box.