sign in sign up
<<
Home , Babington plot, Enigma machine, Gilbert Vernam, Henryk Zygalski, Hill cipher, Index of coincidence

ECE 646 - Lecture 6 Required Reading

• W. Stallings, and Network Security,

Chapter 2, Classical Techniques Historical • A. Menezes et al., Handbook of Applied Cryptography,

Chapter 7.3 Classical ciphers and historical development

Why (not) to study historical ciphers? Secret Writing

AGAINST FOR Cryptography (hidden messages) (encrypted messages) Not similar to Basic components became modern ciphers a part of modern ciphers Under special circumstances modern ciphers can be Substitution Transposition Long abandoned Ciphers reduced to historical ciphers Transformations (change the order Influence on world events of letters) Codes Substitution The only ciphers you Ciphers can break! (replace words) (replace letters)

Selected world events affected by cryptology Mary, Queen of Scots

1586 - trial of Mary Queen of Scots - substitution • Scottish Queen, a cousin of Elisabeth I of England • Forced to flee Scotland by uprising against 1917 - Zimmermann telegram, America enters her and her husband • Treated as a candidate to the throne of England by many British Catholics unhappy about 1939-1945 Battle of England, Battle of Atlantic, D-day - a reign of Elisabeth I, a Protestant machine cipher • Imprisoned by Elisabeth for 19 years • Involved in several plots to assassinate Elisabeth 1944 – world’s first , Colossus - • Put on trial for treason by a court of about German Lorenz machine cipher 40 noblemen, including Catholics, after being implicated in the Babington Plot by her own 1950s – operation Venona – breaking ciphers of soviet spies letters sent from prison to her co-conspirators stealing secrets of the U.S. atomic bomb in the encrypted form – one-time pad

1 Mary, Queen of Scots – cont. Zimmermann Telegram • cipher used for encryption was broken by codebreakers of Elisabeth I • sent on January 16, 1917 from the Foreign Secretary • it was so called nomenclator – mixture of a and a substitution of the , Arthur Zimmermann, to the German cipher ambassador in Washington • Mary was sentenced to death for treachery and executed in 1587 • instructed the ambassador to approach the Mexican government at the age of 44 with a proposal for military alliance against the U.S. • offered Mexico generous material aid to be used to reclaim a part of territories lost during the Mexican-American War of 1846-1848, specifically Texas, New Mexico, and Arizona • sent using a telegram cable that touched British soil • encrypted with cipher 0075, which British codebreakers had partly broken • intercepted and decrypted

Zimmermann Telegram

• British foreign minister passed the , the message in German, and the English translation to the American Secretary of State, and he has shown it to the President Woodrow Wilson • A version released to the press was that the decrypted message was stolen from the German embassy in Mexico • After publishing in press, initially believed to be a forgery • On February 1, Germany had resumed "unrestricted" warfare, which caused many civilian deaths, including American passengers on British ships • On March 3, 1917 and later on March 29, 1917, Arthur Zimmermann was quoted saying "I cannot deny it. It is true. • On April 2, 1917, President Wilson asked Congress to declare war on Germany. On April 6, 1917, Congress complied, bringing the United States into World War I.

Ciphers used predominantly in the given period(1)

Cryptography

100 B.C. Shift ciphers

Frequency analysis al-Kindi, Baghdad IX c. Monoalphabetic

1586 Invention of the Vigenère Cipher chambers XVIII c. Homophonic ciphers

Vigenère cipher Kasiskis method 1863 (Simple polyalphabetic substitution ciphers) 1919 Invention of rotor machines 1918 William Friedman Electromechanical machine ciphers (Complex polyalphabetic substitution ciphers) 1926 Vernam cipher (one-time pad) 1996 (2nd ed) 1999

2 Ciphers used predominantly in the given period(2) Substitution Ciphers (1)

Cryptography Cryptanalysis 1. Monalphabetic (simple) substitution cipher

Reconstructing ENIGMA 1932 Rejewski, M = m1 m2 m3 m4 . . . . mN Polish cryptological bombs, and perforated sheets C = f(m1) f(m2) f(m3) f(m4) . . . . f(mN) 1949 Shennons theory 1939 of secret systems one-time pad British cryptological Stream Ciphers bombs, Park, UK 1945 S-P networks Breaking Japanese Generally f is a random , e.g., Purple cipher 1977 Publication of DES 1977 DES a b c d e f g h i j k l m n o p r s t u v w x y z f = Triple DES 1990 s l t a v m c e r u b q p d f k h w y g x z j n i o DES crackers 2001 2001 AES = f Number of keys = 26! » 4 × 1026

Monalphabetic substitution ciphers Coding characters into numbers Simplifications (1) A Û 0 N Û 13 A. B Û 1 O Û 14 C Û 2 P Û 15 c = f(m ) = m + 3 mod 26 i i i D Û 3 Q Û 16 -1 mi = f (ci) = ci - 3 mod 26 E Û 4 R Û 17 F Û 5 S Û 18 No key G Û 6 T Û 19 B. Shift Cipher H Û 7 U Û 20

ci = f(mi) = mi + k mod 26 I Û 8 V Û 21 J Û 9 W Û 22 m = f-1(c ) = c - k mod 26 i i i K Û 10 X Û 23 Key = k L Û 11 Y Û 24 Number of keys = 26 M Û 12 Z Û 25

Caesar Cipher: Example Monalphabetic substitution ciphers Simplifications (2)

C. : I C A M E I S A W I C O N Q U E R E D 8 2 0 12 4 8 18 0 22 8 2 14 13 16 20 4 17 4 3 ci = f(mi) = k1 × mi + k2 mod 26 11 5 3 15 7 11 21 3 25 11 5 17 16 19 23 7 20 7 6 gcd (k1, 26) = 1

Ciphertext: L F D P H L V D Z L F R Q T X H U H G -1 -1 mi = f (ci) = k1 × (ci - k2) mod 26

Key = (k1, k2) Number of keys = 12×26 = 312

3 Most frequent single letters Most frequent digrams, and trigrams Average frequency in a random string of letters: 1 Digrams: = 0.038 = 3.8% 26 TH, HE, IN, ER, RE, AN, ON, EN, AT Average frequency in a long English text: Trigrams: E — 13% THE, ING, AND, HER, ERE, ENT, THA, NTH, T, N, R, I, O, A, S — 6%-9% WAS, ETH, FOR, DTH D, H, L — 3.5%-4.5% C, F, P, U, M, Y, G, W, V — 1.5%-3% B, X, K, Q, J, Z — < 1%

Relative frequency of letters in a long English text 14 12 by Stallings 10 Character frequency 8 14 12.75 in a long English 6 plaintext 12 4 2 10 9.25 7.75 8.5 0 7.75 a b c d e f g h i j k l m n o p q r s t u v w x y z 7.25 7.5 8 14 6 6 12 4.25 3.75 10 Character frequency 3.5 3.5 4 3 2.75 2.75 3 8 in the corresponding 2 2.25 1.25 1.5 1.5 6 ciphertext 2 0.5 0.25 0.5 0.5 0.25 4 for a shift cipher 0 2 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 a b c d e f g h i j k l m n o p q r s t u v w x y z

14 attack: relevant frequencies 12 14 14 10 Character frequency 12 12 8 in a long English 10 10 6 8 8 plaintext 6 6 4 4 4 2 2 2 0 0 0 a b c d e f g h i j k l m n o p q r s t u v w x y z a b c d e f g h i j k l m n o p q r s t u v w x y z a b c d e f g h I j k l m n o p q r s t u v w x y z 14 Long English text T Short English message M 12 Character frequency 14 14 12 12 10 in the corresponding 10 10 8 ciphertext 8 8 6 for a general 6 6 4 4 4 monoalphabetic substitution cipher 2 2 0 0 2 a b c d e f g h i j k l m n o p q r s t u v w x y z a b c d e f g h I j k l m n o p q r s t u v w x y z 0 Ciphertext of the long English text T Ciphertext of the short English message M a b c d e f g h i j k l m n o p q r s t u v w x y z

4 Frequency analysis attack (1) Frequency analysis attack (2)

Step 1: Establishing the relative frequency of letters Step 2: Assuming the relative frequency of letters in the ciphertext in the corresponding message, and deriving the corresponding equations Ciphertext: Assumption: Most frequent letters in the message: E and T FMXVE DKAPH FERBN DKRXR SREFM ORUDS DKDVS HVUFE DKAPR KDLYE VLRHH RH Corresponding equations:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z E ® R f(E) = R T ® D f(T) = D

R - 8 4 ® 17 f(4) = 17 D - 7 19 ® 3 f(19) = 3 E, H, K - 5

Frequency analysis attack (3) Frequency analysis attack (4)

Step 3: Verifying the assumption for the case Step 4: Solving the equation of the form of affine cipher a × x º b mod n for x = k1 f(4) = 17 f(19) = 3 15 × k1 º 12 (mod 26) gcd(15, 26) = 1

4×k1 + k2 º 17 (mod 26) Thus, one solution 19×k1 + k2 º 3 (mod 26) -1 k1 = (15 ) × 12 mod 26 = 7 × 12 mod 26 = 6 15×k º -14 (mod 26) 1 However, gcd(k1, 26) = 2 ≠ 1 Thus, our initial assumption incorrect.

15×k1 º 12 (mod 26)

Frequency analysis attack (2-2) Frequency analysis attack (3) Step 2-2: Assuming the relative frequency of letters in the corresponding message, and deriving Step 3-2: Verifying the assumption for the case of affine cipher the corresponding equations Second Assumption: f(19) = 17 Most frequent letters in the message: T and E f(4) = 3

Corresponding equations: 19×k1 + k2 º 17 (mod 26) 4×k1 + k2 º 3 (mod 26) T ® R f(T) = R E ® D f(E) = D 15×k1 º 14 (mod 26) 19 ® 17 f(19) = 17 4 ® 3 f(4) = 3

5 Frequency analysis attack (4) Substitution Ciphers (2) Step 4: Solving the equation of the form 2. Polyalphabetic substitution cipher a × x º b mod n for x = k1 M = m1 m2 … md md+1 md+2 … m2d 15 × k1 º 12 (mod 26) m2d+1 m2d+2 … m3d ….. gcd(15, 26) = 1 C = f1(m1) f2(m2) … fd(md) Thus, one solution f1(md+1) f2(md+2) … fd(m2d ) f1(m2d+1 ) f2( m2d+2) … fd(m3d ) -1 k1 = (15 ) × 14 mod 26 = 7 × 14 mod 26 = 20 ….. d is a period of the cipher However, gcd(k1, 26) = 2 ≠ 1 Key = d, f , f , …, f Thus, our second assumption incorrect. 1 2 d Number of keys for a given period d = (26!)d » (4 × 1026)d

14 Polyalphabetic substitution ciphers 12 10 Character frequency Simplifications (1) in a long English 8 plaintext 6 A. Vigenère cipher: polyalphabetic shift cipher 4 Invented in 1568 2 0 a b c d e f g h i j k l m n o p q r s t u v w x y z ci = fi mod d(mi) = mi + ki mod d mod 26 Character frequency 14 in the corresponding -1 12 ciphertext mi = f i mod d(ci) = ci - ki mod d mod 26 10 for a polyalphabetic 8 substitution cipher 6 Key = k0, k1, … , kd-1 1 4 × 100% » 3.8 % 26 d 2 Number of keys for a given period d = (26) 0 a b c d e f g h i j k l m n o p q r s t u v w x y z

Vigenère Cipher - Example Vigenère plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z Plaintext: TO BE OR NOT TO BE 3 a b c d e f g h i j k l m n o p q r s t u v w x y z b c d e f g h i j k l m n o p q r s t u v w x y z a N S A c d e f g h i j k l m n o p q r s t u v w x y z a b Key: NSA d e f g h i j k l m n o p q r s t u v w x y z a b c T O B e f g h i j k l m n o p q r s t u v w x y z a b c d f g h i j k l m n o p q r s t u v w x y z a b c d e T O B E O R g h i j k l m n o p q r s t u v w x y z a b c d e f Encryption: N O T h i j k l m n o p q r s t u v w x y z a b c d e f g E O R i j k l m n o p q r s t u v w x y z a b c d e f g h T O B j k l m n o p q r s t u v w x y z a b c d e f g h i N O T k l m n o p q r s t u v w x y z a b c d e f g h i j E l m n o p q r s t u v w x y z a b c d e f g h i j k T O B m n o p q r s t u v w x y z a b c d e f g h i j k l 1 E G G B n o p q r s t u v w x y z a b c d e f g h i j k l m o p q r s t u v w x y z a b c d e f g h i j k l m n R G R p q r s t u v w x y z a b c d e f g h i j k l m n o q r s t u v w x y z a b c d e f g h i j k l m n o p A G T r s t u v w x y z a b c d e f g h i j k l m n o p q 2 G G B s t u v w x y z a b c d e f g h i j k l m n o p q r t u v w x y z a b c d e f g h i j k l m n o p q r s R u v w x y z a b c d e f g h i j k l m n o p q r s t v w x y z a b c d e f g h i j k l m n o p q r s t u w x y z a b c d e f g h i j k l m n o p q r s t u v x y z a b c d e f g h i j k l m n o p q r s t u v w y z a b c d e f g h i j k l m n o p q r s t u v w x z a b c d e f g h i j k l m n o p q r s t u v w x y

6 Vigenère Cipher - Example Determining the period of the Plaintext: TO BE OR NOT TO BE Kasiskis method Key: NSA N S A Ciphertext: G G B R G R A G T G G B R Encryption: T O B E O R N O T Distance = 9 T O B E Period d is a divisor of the distance between G G B identical blocks of the ciphertext R G R A G T G G B In our example: d = 3 or 9 R Ciphertext: GGBRGRAGTGGBR

Index of coincidence method (1) Index of coincidence method (2)

ni - number of occurances of the letter i in the ciphertext Measure of roughness: i = a .. z z 2 z æ 1 ö 2 1 N - length of the ciphertext M.R. = ç p - ÷ = p - åè i 26 ø å i 26 pi = probability that the letter of the ciphertext is equal to i i=a i=a

ni pi = lim M.R. 0.028 0.014 0.006 0.003 N® ¥ N z period 1 2 5 10 = 1 å pi i=a

Index of coincidence method (3) Index of coincidence method (4)

Index of coincidence Measure of roughness z z The approximation of 2 pi å (ni -1) × ni i=a å Definition: 1 i=a 1 M.R. = I.C. - = - Probability that two random elements of the ciphertext 26 (N -1) × N 26 are identical z n Formula: z i å (ni -1) × ni M.R. 0.028 0.014 0.006 0.003 2 I.C. = = i=a å N period 1 2 5 10 i=a (N -1) × N 2

7 Polyalphabetic substitution ciphers Military Enigma Simplifications (2)

B. Rotor machines used before and during the WWII

Country Machine Period

Germany: Enigma d=26×25×26 = 16,900 U.S.A.: M-325, Hagelin M-209 Japan: Purple UK: d=26×(26-k)×26, k=5, 7, 9 Poland: d=24×31×35 = 26,040

Functional diagram & dataflow

Enigma Daily Keys

8 Order of rotors (Walzenlage) Positions of rings (Ringstellung)

263 combinations 6 combinations

Plugboard Connections Initial Positions of Rotors (Steckerverbindung) (Grundstellung)

~ 0.5 · 1015 3 combinations 26 combinations

Total Number of Keys

3.6 · 1022 » 275 Number of possible internal 3 · 10114 connections of Enigma Larger number of keys than DES.

Estimated number of atoms 1080 in the universe

9 Broken by Polish Cryptologists Enigma Timetable: 1939 1932-1940

Jul 25-26, 1939: A secret meeting takes place in the Kabackie Woods near the town Pyry (South of ), where the hand over to the French and British Intelligence Service their complete solution to the German Enigma cipher, and two replicas of the .

Marian Rejewski Jerzy Różycki (born 1905) (born 1909) (born 1907)

Improvements and new methods developed by British cryptologists 1939-1945

Alan Turing (born 1912) (born 1906)

Enigma Timetable: 1939-1940 Original British cryptological “

1939-1940: develops an idea of the British cryptological Bombe based on the known-plaintext attack.

Gordon Welchman develops an improvement to the Turings idea called diagonal board.

Harold Doc Keen, engineer at British Tabulating Machines (BTM) becomes responsible for implementing British Bombe.

10 Reconstructed British cryptological “Bombe” May, 1940: First British cryptological bombe developed to reconstruct daily keys goes into operation.

Over 210 are used in England throughout the war. Each bombe weighed one ton, and was 6.5 feet high, 7 feet long, 2 feet wide.

Machines were operated by members of the Womens Royal Naval Service, Wrens.

Enigma Timetable: 1943 Substitution Ciphers (3) 3. Running-key cipher Apr, 1943: The production of the American Bombe starts in the National Cash Register Company (NCR) M = m1 m2 m3 m4 . . . . mN in Dayton, Ohio. The engineering design K = k1 k2 k3 k4 . . . . kN of the bombe comes from Joseph Desch. K is a fragment of a book

C = c1 c2 c3 c4 . . . . cN

ci = mi + ki mod 26

mi = ci - ki mod 26

Key: book (title, edition), position in the book (page, row)

14 Substitution Ciphers (4) 12 10 Character frequency 4. Polygram substitution cipher in a long English 8 plaintext M = m1 m2 … md - M1 6 md+1 md+2 … m2d - M2 4 m2d+1 m2d+2 … m3d - M3 2 ….. 0 C = c1 c2 … cd - C1 a b c d e f g h i j k l m n o p q r s t u v w x y z Character frequency 14 cd+1 cd+2 … c2d - C2 in the corresponding 12 c2d+1 c2d+2 … c3d - C3 ciphertext 10 for a running-key ….. 8 cipher d is the length of a message block 6 -1 1 Ci = f(Mi) Mi = f (Ci) × 100% » 3.8 % 4 26 2 Key = d, f 0 a b c d e f g h i j k l m n o p q r s t u v w x y z Number of keys for a given block length d = (26d)!

11 1854 1929 Key: PLAYFAIR IS A DIGRAM CIPHER Ciphering:

P L A Y F C = M · K Convention 1 (Stallings) [1xd] [1xd] [dxd] I R S D G message P O L A N D k11, k12, …, k1d M C H E B ciphertext A K A Y Q R (c1, c2, …, cd) = (m1, m2, …, md) K N O Q T Convention 2 (Handbook) k , k , …, k U V W X Z d1 d2 dd message P O L A N D ciphertext K A A Y R Q ciphertext block = message block · key

Hill Cipher Hill Cipher - Known Plaintext Attack (1) Deciphering: Known:

-1 M[1xd] = C[1xd] · K [dxd] C1 = (c11, c12, …, c1d) M1 = (m11, m12, …, m1d) C2 = (c21, c22, …, c2d) M2 = (m21, m22, …, m2d) message block = ciphertext block · inverse key matrix ………………………………………………….

Cd = (cd1, cd2, …, cdd) Md = (md1, md2, …, mdd) where 1, 0, …, 0, 0 0, 1, …, 0, 0 We know that: -1 K[dxd] · K [dxd] = …………… (c11, c12, …, c1d) = (m11, m12, …, m1d) · K[dxd]

0, 0, …, 1, 0 (c21, c22, …, c2d) = (m21, m22, …, m2d) · K[dxd] 0, 0, …, 0, 1 ………………………………………………… (c , c , …, c ) = (m , m , …, m ) · K key matrix · inverse key matrix = identity matrix d1 d2 dd d1 d2 dd [dxd]

Hill Cipher - Known Plaintext Attack (2) Substitution Ciphers (5) 4. Homophonic substitution cipher

k11, k12, …, k1d c11, c12, …, c1d m11, m12, …, m1d M = { A, B, C, …, Z } c21, c22, …, c2d = m21, m22, …, m2d k21, k22, …, k2d C = { 0, 1, 2, 3, …, 99 } ………………. ………………….. cd1, cd2, …, cdd md1, md2, …, mdd ci = f(mi, random number) kd1, kd2, …, kdd -1 mi = f (ci)

f: E ® 17, 19, 27, 48, 64 A ® 8, 20, 25, 49 C[dxd] = M[dxd] · K[dxd] U ® 45, 68, 91 K = M-1 · C …… [dxd] [dxd] [dxd] X ® 33

12 Transposition ciphers 14 12 10 Character frequency M = m1 m2 m3 m4 . . . . mN 8 in a long English C = mf(1) mf(2) mf(3) mf(4) . . . . mf(N) 6 plaintext 4 2 0 Letters of the plaintext are rearranged without a b c d e f g h i j k l m n o p q r s t u v w x y z changing them 14 12 10 Character frequency 8 in the corresponding 6 ciphertext 4 for a 2 0 a b c d e f g h i j k l m n o p q r s t u v w x y z

Transposition cipher One-time Pad Example Vernam Cipher Gilbert Vernam, AT&T 1926 Plaintext: CRYPTANALYST Major Joseph Mauborgne Key: KRIS ci = mi Å ki 2 3 1 4 Encryption: K R I S mi 01110110101001010110101 C R Y P ki 11011101110110101110110 T A N A ci 10101011011111111000011 L Y S T

Ciphertext: YNSCTLRAYPAT All of the key must be chosen at random and never reused

One-time Pad Perfect Cipher Equivalent version Communication Theory of Secrecy Systems, 1948

ci = mi + ki mod 26 " P(M=m | C=c) = P(M = m) m Î M c Î C mi TO BE OR NOT TO BE ki AX TC VI URD WM OF ci TL UG JZ HFW PK PJ The cryptanalyst can guess a message with the same probability without knowing a ciphertext as with the knowledge of the ciphertext All letters of the key must be chosen at random and never reused

13 Is substitution cipher a perfect cipher? Is one-time pad a perfect cipher?

C = XRZ C = XRZ P(M=ADD | C=XRZ) ¹ 0 P(M=ADD | C=XRZ) = 0 P(M=ADD) ¹ 0 P(M=ADD) ¹ 0

M might be equal to CAT, PET, SET, ADD, BBC, AAA, HOT, HIS, HER, BET, WAS, NOW, etc.

S-P Networks Basic operations of S-P networks

. S S . S Substitution Permutation . . 0 1 0 0 S S . S 0 1 0 1 . 0 0 0 1 P P . 1 1 1 0 1 1 1 0 . S S S 1 1 1 1 . 0 0 0 0 ...... S-box P-box S S . S

Avalanche effect Shannon Product Ciphers m1 ® m1 c1® c1 m2 . c2 ® c2 m3 S S S c3 • Computationally secure ciphers based on the m4 . c4 . idea of diffusion and confusion m5 . c5 ® c5 c6 m7 S S . S c7 ® c7 • Confusion c8 ® c8 . relationship between plaintext and ciphertext is P P . m9 c9 obscured, e.g. through the use of substitutions m10 . c10 m11 S S S c11 ® c11 m12 . c12 • Diffusion ...... spreading influence of one plaintext letter to many m61 . c61 ® c61 ciphertext letters, e.g. through the use of m62 c62 m63 S S . S c63 m64 c64 ® c64

14 Horst Feistel, Walt Tuchman IBM LUCIFER- external look

k1,1 k1,2 k1,16 m1 S0 c1 m2 S0 S0 . c2 m3 c3 plaintext block m4 S1 S1 . S1 c4

k2,1 k2,2 . K2,16 m5 . c5 128 bits m6 S0 S0 S0 c6 m7 . c7 m8 S1 S1 c8 S1 . k3,1 P K3,2 P k3,16 LUCIFER key m9 . c9 10 S0 m S0 . S0 c10 m11 c11 512 bits m12 S1 S1 . S1 c12 ...... 128 bits k32,1 k32,2 . k32,16 m125 S0 . c125 ciphertext block m126 S0 S0 c126 m127 . c127 m128 S1 S1 S1 c128

16 rounds

15