
1. Classical

Some Simple • Shift Cipher, • , • , • Vigenere Cipher, • , • Permutation Cipher, • Modular Arithmetic

Classical Cryptography

Definition 1.1: A cryptosystem is a five-tuple (P, C, H, E, D), where the following conditions are satisfied:

1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. H, the keyspace, is a finite set of possible keys
4. For each K ∈ H, there is an encryption rule e_K ∈ E : P → C and a corresponding decryption rule d_K ∈ D : C → P such that ∀ x ∈ P, d_K(e_K(x)) = x

[Figure: communication channel. Labels: Alice, x, Encrypter, y, Oscar, Decrypter, x, Bob, secure channel, K, source.]

Modular Arithmetic

Definition 1.2: Suppose a and b are integers, and m is a positive integer. Then we write a ≡ b (mod m) if m divides b-a.

• a ≡ b mod m if and only if (a-b) = k×m for some k
• Z_m: the equivalence class under mod m
• Canonical form Z_m = {0, 1, 2, …, m-1}; we use the positive remainder as the standard representation.
• -1 ≡ m-1 mod m
• (Z_m, +, ×, 0, 1) is a ring
  - +, × are closed
  - Associative and commutative
  - Operation × distributes over +
  - 0 is the identity for + and 1 for ×
  - Additive inverse and multiplicative inverse

Shift Cipher

Cryptosystem 1.1: (Shift Cipher) Let P = C = H = Z_26. For 0 ≤ K ≤ 25, define

e_K(x) = (x + K) mod 26   (x ∈ Z_26)

and

d_K(y) = (y - K) mod 26   (y ∈ Z_26)

A  B  C  D  E  F  G  H  I  J  K  L  M  N
0  1  2  3  4  5  6  7  8  9  10 11 12 13

O  P  Q  R  S  T  U  V  W  X  Y  Z
14 15 16 17 18 19 20 21 22 23 24 25

Example 1.1: K = 11 and the plaintext is wewillmeetatmidnight. Then the ciphertext is HPHTWWXPPELEXTOYTRSE.

1. e_K and d_K should be efficiently computable
2. An opponent, upon seeing a ciphertext string y, should be unable to determine the key K that was used, or the plaintext string x.
3. The process of attempting to compute the key K is called cryptanalysis.

Substitution Cipher

Cryptosystem 1.2: (Substitution Cipher) Let P = C = Z_26 and H consist of all permutations on Z_26. For each permutation π ∈ H, define

e_π(x) = π(x)

and

d_π(y) = π^{-1}(y)

where π^{-1} is the inverse permutation to π and x, y ∈ Z_26.

A  B  C  D  E  F  G  H  I  J  K  L  M  N
0  1  2  3  4  5  6  7  8  9  10 11 12 13

O  P  Q  R  S  T  U  V  W  X  Y  Z
14 15 16 17 18 19 20 21 22 23 24 25

A permutation π can be:

x     a b c d e f g h i j k l m n o p q r s t u v w x y z
π(x)  X N Y A H P O G Z Q W B T S F L R C V M U E K J D I

Congruence Equations

• Consider the congruence equation ax = b (mod m), a, b ∈ Z_m
• 5x = 8 mod 12 → x = 4 → a unique solution in Z_12
• 3x = 8 mod 12 → no solution
• 3x = 9 mod 12 → x can be 3, 7, or 11 → multiple solutions in Z_12
• gcd(5,12) = 1
• gcd(3,12) = 3

Theorem 1.1: ax = b (mod m) has a unique solution in Z_m for every number b in Z_m iff gcd(a,m) = 1

Definition 1.3: Suppose a ≥ 1 and m ≥ 2 are integers. If gcd(a,m) = 1, then we say that a and m are relatively prime.

Multiplicative Inverses

Definition 1.4: Suppose a ∈ Z_m. The multiplicative inverse of a modulo m is an element b ∈ Z_m such that ab = ba = 1 mod m.

1. If the multiplicative inverse of a exists, it is unique. It is denoted by a^{-1}.
2. If b is the inverse of a, then a is the inverse of b.
3. a in Z_m has a multiplicative inverse in Z_m if and only if gcd(a, m) = 1

Multiplication Group: Z_m^* = {a ∈ Z_m : gcd(a, m) = 1}

Euler phi function: φ(m) = |Z_m^*|

Theorem 1.2: If $m = \prod_{i=1}^{n} p_i^{e_i}$, then $\varphi(m) = \prod_{i=1}^{n} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$.

Z_26^* = {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}
(Z_26^*)^{-1} = {1, 9, 21, 15, 3, 19, 7, 23, 11, 5, 17, 25}

If p is a prime, then Z_p^* = {1, 2, …, p-1}. Note: (Z_p, +, ×, 0, 1) is a field.

Affine Cipher

Cryptosystem 1.3: (Affine Cipher) Let P = C = Z_26 and H = Z_26^* × Z_26. For each K = (a, b) ∈ H, define

e_K(x) = (ax + b) mod 26   (x ∈ Z_26)

and

d_K(y) = a^{-1}(y - b) mod 26   (y ∈ Z_26).

Example 1.3: Suppose that K = (a, b) = (7, 3).

e_K(x) = ?   d_K(y) = ?   d_K(e_K(x)) = ?

Encrypt the plaintext hot.

Vigenère Cipher

Cryptosystem 1.4: (Vigenère Cipher) Let m be a positive integer. Let P = C = H = (Z_26)^m. For a key K = (k_1, k_2, …, k_m) ∈ H, define

e_K(x_1, x_2, …, x_m) = (x_1 + k_1, x_2 + k_2, …, x_m + k_m)

and

d_K(y_1, y_2, …, y_m) = (y_1 - k_1, y_2 - k_2, …, y_m - k_m)

where all operations are performed in Z_26.

Example 1.4: Suppose that m = 6 and the key is CIPHER, i.e., K = (2, 8, 15, 7, 4, 17). Encrypt the plaintext Thiscryptosystemisnotsecure.

Polyalphabetic cryptosystem : The key of the system contains multiple alphabetic characters

Linear Transformation and Matrix

$$y_1 = (11x_1 + 3x_2) \bmod 26, \qquad y_2 = (8x_1 + 7x_2) \bmod 26$$

$$(y_1, y_2) = (x_1, x_2) \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} \bmod 26$$

If A = (a_{i,j}) and B = (b_{i,j}) are two l×m matrices, then the sum A+B is defined as (a_{i,j} + b_{i,j}).

If A = (a_{i,j}) is an l×m matrix and B = (b_{i,j}) is an m×n matrix, then the product AB = (c_{i,j}) is an l×n matrix and is defined by the formula

$$c_{i,j} = \sum_{k=1}^{m} a_{i,k} b_{k,j}$$

(Z_26)^{n×n}: all n×n matrices over Z_26.
I_n: the n×n identity matrix. For any A ∈ (Z_26)^{n×n}, I_n A = A I_n = A.
0_n: the n×n zero matrix. For any A ∈ (Z_26)^{n×n}, 0_n + A = A + 0_n = A.
((Z_26)^{n×n}, 0_n, I_n, +, ×) is a ring.

The Inverse of a Matrix

Definition: Suppose A ∈ (Z_26)^{n×n}. The inverse of A over (Z_26)^{n×n} is a matrix B ∈ (Z_26)^{n×n} such that AB = BA = I_n.

1. If the inverse of A exists, it is unique. It is denoted by A^{-1}.
2. If B is the inverse of A, then A is the inverse of B.

Definition 1.5: Suppose A = (a_{i,j}) is an m×m matrix. For 1 ≤ i ≤ m, 1 ≤ j ≤ m, define A_{i,j} to be the matrix obtained from A by deleting the ith row and the jth column.

The determinant of A, denoted det A, is the value a_{1,1} if m = 1. If m > 1, then det A is computed recursively from the formula

$$\det A = \sum_{j=1}^{n} (-1)^{i+j} a_{i,j} \det A_{i,j}, \quad \text{where } i \text{ is fixed and } 1 \le i \le n$$

If m = 2: $\det A = a_{11} a_{22} - a_{12} a_{21}$

If m = 3: $\det A = a_{11} a_{22} a_{33} + a_{21} a_{32} a_{13} + a_{31} a_{12} a_{23} - a_{13} a_{22} a_{31} - a_{12} a_{21} a_{33} - a_{11} a_{23} a_{32}$

The Inverse of a Matrix

Properties:
1. det I_n = 1.
2. det(AB) = det A × det B

Theorem 1.3: Suppose A = (a_{i,j}) is an m×m matrix over Z_n such that det A is invertible in Z_n. Then $A^{-1} = (\det A)^{-1} A^*$, where A^* is the adjoint matrix of A. That is, $A^* = (a^*_{i,j})$, $a^*_{i,j} = (-1)^{i+j} \det A_{j,i}$.

$$A = \begin{pmatrix} a_{1,1} & a_{2,1} \\ a_{1,2} & a_{2,2} \end{pmatrix} \qquad A^{-1} = (\det A)^{-1} \begin{pmatrix} a_{2,2} & -a_{2,1} \\ -a_{1,2} & a_{1,1} \end{pmatrix}$$

Example 1.6:

$$A = \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix}, \quad A^{-1} = ? \qquad\qquad A = \begin{pmatrix} 10 & 5 & 12 \\ 3 & 14 & 21 \\ 8 & 9 & 11 \end{pmatrix}, \quad A^{-1} = ?$$

Hill Cipher

Cryptosystem 1.5: (Hill Cipher) Let m ≥ 2 be an integer. Let P = C = (Z_26)^m and H = GL(m, Z_26). For a key K, define

e_K(x) = xK

and

d_K(y) = yK^{-1}

where GL(m, Z_26) = {A ∈ (Z_26)^{m×m} : A is invertible} and all operations are performed in Z_26.

Example 1.5: Suppose the key is

$$K = \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix}, \qquad K^{-1} = \begin{pmatrix} 7 & 18 \\ 23 & 11 \end{pmatrix}$$

Want to encrypt the plaintext july. Since July = 9 20 11 24,

$$(9, 20)K = (9, 20)\begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} = (3, 4) = \text{DE}$$

$$(11, 24)K = (11, 24)\begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix} = (11, 22) = \text{LW}$$

The ciphertext is DELW.

Permutation Cipher

Cryptosystem 1.6: (Permutation Cipher) Let m be a positive integer. Let P = C = (Z_26)^m and H consist of all permutations of {1, …, m}. For a key π, define

$$e_\pi(x_1, x_2, \ldots, x_m) = (x_{\pi(1)}, x_{\pi(2)}, \ldots, x_{\pi(m)})$$

and

$$d_\pi(y_1, y_2, \ldots, y_m) = (y_{\pi^{-1}(1)}, y_{\pi^{-1}(2)}, \ldots, y_{\pi^{-1}(m)})$$

where π^{-1} is the inverse permutation to π.

Example 1.7: Suppose m = 6 and the key is the following permutation π:

x     1 2 3 4 5 6
π(x)  3 5 1 6 4 2

π^{-1} = ?

Encrypt the following plaintext: shesellsseashellsbytheseashore

Stream Cipher

Block cipher: x = x_1x_2… & a key K → y = y_1y_2… = e_K(x_1)e_K(x_2)…

Stream cipher: x = x_1x_2… & a key K, a key stream z = z_1z_2… → y = y_1y_2… = e_{z_1}(x_1)e_{z_2}(x_2)…

Definition 1.6: A synchronous stream cipher is a tuple (P, C, H, L, E, D), together with a function g, such that the following conditions are satisfied:

1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. H, the keyspace, is a finite set of possible keys
4. L is a finite set called the keystream alphabet
5. g is the keystream generator. g takes a key K as input, and generates an infinite string z_1z_2… called the keystream, where z_i ∈ L for all i ≥ 1.
6. For each z ∈ L, there is an encryption rule e_z ∈ E : P → C and a corresponding decryption rule d_z ∈ D : C → P such that ∀ x ∈ P, d_z(e_z(x)) = x

Stream Cipher (Cont.)

The Vigenère cipher defined as a synchronous stream cipher

• Let P = C = L = Z_26, H = (Z_26)^m.
• For K = (k_1, k_2, …, k_m), define

$$z_i = \begin{cases} k_{i \bmod m} & \text{if } i \bmod m \neq 0 \\ k_m & \text{if } i \bmod m = 0 \end{cases}$$

This generates the key stream k_1k_2…k_m k_1k_2…k_m k_1k_2…k_m…

• For z ∈ L define

e_z(x) = (x + z) mod 26 and d_z(y) = (y - z) mod 26

A stream cipher is a periodic stream cipher with period d if z_{i+d} = z_i

Stream Cipher (Cont.)

Generating the keystream using a linear recurrence of degree m:

$$(z_1, \ldots, z_m) = (k_1, \ldots, k_m) \quad \text{and} \quad z_{i+m} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2$$

for all i ≥ 1, where c_0, …, c_{m-1} ∈ Z_2 are constants and c_0 ≠ 0.

Encryption: y_i = (x_i + z_i) mod 2 and Decryption: y_i = (x_i - z_i) mod 2

Example 1.8: m = 4, z_{i+4} = (z_i + z_{i+1}) mod 2, K = (k_1, k_2, k_3, k_4) = (1, 0, 0, 0). The key stream z_1z_2z_3… = ? And period d = ?

[Figure: Linear Feed Back Register (LFBR) with stages k_1, k_2, k_3, k_4 and a + feedback.]

Non-Synchronous Stream Cipher

A non-synchronous stream cipher is a stream cipher in which each keystream element z_i depends on previous plaintext or ciphertext elements (x_1…x_{i-1} and/or y_1…y_{i-1}) as well as the key K.

Cryptosystem 1.7: () Let P = C = H = L = Z_26. Let z_1 = K, and define z_i = x_{i-1} for all i ≥ 2. For 0 ≤ z ≤ 25, define

e_z(x) = (x + z) mod 26

and

d_z(y) = (y - z) mod 26   (x, y ∈ Z_26)

Example 1.9: K = 8 and plaintext is rendezvous

The key stream z_1z_2z_3… = ? The ciphertext y_1y_2… = ?
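The two keystream constructions above, side by side, as an added Python example that is not part of the original slides: the linear recurrence of Example 1.8 (synchronous, keystream depends only on the key) and Cryptosystem 1.7, commonly called the autokey cipher (keystream depends on the previous plaintext letter). The function names are assumptions chosen here.

```python
def lfsr_step(state, taps):
    """Shift once: drop z_i, append z_{i+m} = sum_j c_j * z_{i+j} mod 2."""
    return state[1:] + [sum(c * z for c, z in zip(taps, state)) % 2]

def lfsr_keystream(key, taps, n):
    """First n keystream bits z_1..z_n for initial state (k_1, ..., k_m)."""
    if taps[0] == 0:
        raise ValueError("c_0 must be non-zero")
    state, out = list(key), []
    for _ in range(n):
        out.append(state[0])
        state = lfsr_step(state, taps)
    return out

def lfsr_period(key, taps):
    """Smallest d with z_{i+d} = z_i: steps until the state returns to the key."""
    if taps[0] == 0:
        raise ValueError("c_0 must be non-zero")  # else the state may never return
    state, d = lfsr_step(list(key), taps), 1
    while state != list(key):
        state, d = lfsr_step(state, taps), d + 1
    return d

def autokey(k, text, decrypt=False):
    """Cryptosystem 1.7: z_1 = K and z_i = x_{i-1}, letters mapped a..z -> 0..25."""
    z, out = k, []
    for ch in text.lower():
        v = ord(ch) - ord("a")
        if decrypt:
            x = (v - z) % 26          # recover x_i first ...
            out.append(chr(x + ord("a")))
        else:
            x = v
            out.append(chr((x + z) % 26 + ord("A")))
        z = x                         # ... because x_i is the next keystream element
    return "".join(out)

if __name__ == "__main__":
    # Example 1.8: taps (c_0..c_3) = (1, 1, 0, 0) encode z_{i+4} = z_i + z_{i+1}.
    bits = lfsr_keystream([1, 0, 0, 0], [1, 1, 0, 0], 20)
    print("".join(map(str, bits)), lfsr_period([1, 0, 0, 0], [1, 1, 0, 0]))
    # Example 1.9: K = 8, plaintext rendezvous.
    c = autokey(8, "rendezvous")
    print(c, autokey(8, c, decrypt=True))
```

Decryption in `autokey` has to recover each plaintext letter before it can form the next keystream element, which is exactly what makes the cipher non-synchronous.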

Cryptanalysis

Cryptanalysis: the process of attempting to compute the key K, given a string of ciphertext y

Kerckhoffs' principle: the opponent knows the cryptosystem being used.

Common types of attack models

• Ciphertext only attack: the opponent possesses a string of ciphertext, y
• Known plaintext attack: the opponent possesses a string of plaintext, x, and the corresponding ciphertext, y.
• Chosen plaintext attack: the opponent can use the encryption machine.
• Chosen ciphertext attack: the opponent can use the decryption machine.

Cryptanalysis of the Affine Cipher

Statistical properties of the English language

• Relative frequencies of the 26 letters
• Common sequences of two or three consecutive letters

Example 1.10: Ciphertext obtained from an Affine Cipher. R: 8 occurrences, D: 7 occurrences, E, H, K: 5 occurrences

(× marks a guess that is rejected because gcd(a, 26) > 1, so a is not a legal key.)

First guess: e → R, t → D
  e_K(4) = 17 → 4a + b = 17
  e_K(19) = 3 → 19a + b = 3
  → a = 6, b = 19 ×

Second guess: e → R, t → E
  e_K(4) = 17 → 4a + b = 17
  e_K(19) = 4 → 19a + b = 4
  → a = 13, b = 9 ×

Third guess: e → R, t → H
  e_K(4) = 17 → 4a + b = 17
  e_K(19) = 7 → 19a + b = 7
  → a = 8, b = ? ×

Fourth guess: e → R, t → K
  e_K(4) = 17 → 4a + b = 17
  e_K(19) = 10 → 19a + b = 10
  → a = 3, b = 5

Cryptanalysis of the Hill Cipher

Known plaintext attack on the Hill Cipher (m is known also)

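Plaintext blocks /x_1…x_m/x_{m+1}…x_{2m}/x_{2m+1}… (a_1, a_2, a_3, …) → e_K → ciphertext blocks /y_1…y_m/y_{m+1}…y_{2m}/y_{2m+1}… (b_1, b_2, b_3, …)

$$\begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix} = \begin{pmatrix} a_1 \\ \vdots \\ a_m \end{pmatrix} K \quad\Rightarrow\quad K = \begin{pmatrix} a_1 \\ \vdots \\ a_m \end{pmatrix}^{-1} \begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix} \quad \text{or} \quad K^{-1} = \begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix}^{-1} \begin{pmatrix} a_1 \\ \vdots \\ a_m \end{pmatrix}$$

Example 1.13: m = 2

plaintext: friday → 5 17 / 8 3 / 0 24
ciphertext: PQCFKU → 15 16 / 2 5 / 10 20

e_K(5, 17) = (15, 16)
e_K(8, 3) = (2, 5)
e_K(0, 24) = (10, 20)

$$\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix} K$$

$$K = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix}^{-1} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 9 & 1 \\ 2 & 15 \end{pmatrix} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 7 & 19 \\ 8 & 3 \end{pmatrix}$$

Cryptanalysis of the LFSR Cipher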

$$y_i = (x_i + z_i) \bmod 2 \;\Rightarrow\; z_i = (y_i - x_i) \bmod 2$$

$$z_{i+m} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2$$

$$(z_{m+1}, z_{m+2}, \ldots, z_{2m}) = (c_0, c_1, \ldots, c_{m-1}) \begin{pmatrix} z_1 & z_2 & \cdots & z_m \\ z_2 & z_3 & \cdots & z_{m+1} \\ \vdots & \vdots & & \vdots \\ z_m & z_{m+1} & \cdots & z_{2m-1} \end{pmatrix}$$

$$(c_0, c_1, \ldots, c_{m-1}) = (z_{m+1}, z_{m+2}, \ldots, z_{2m}) \begin{pmatrix} z_1 & z_2 & \cdots & z_m \\ z_2 & z_3 & \cdots & z_{m+1} \\ \vdots & \vdots & & \vdots \\ z_m & z_{m+1} & \cdots & z_{2m-1} \end{pmatrix}^{-1}$$

Example 1.14: m = 5

plaintext: 101101011110010
ciphertext: 011001111111000
The key stream: 110100100001010

$$(c_0, c_1, \ldots, c_4) = (0, 1, 0, 0, 0) \begin{pmatrix} 1 & 1 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 0 \end{pmatrix}^{-1} = (0, 1, 0, 0, 0) \begin{pmatrix} 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 \\ 1 & 0 & 1 & 1 & 0 \end{pmatrix} = (1, 0, 0, 1, 0)$$

$$z_{i+5} = (z_i + z_{i+3}) \bmod 2$$
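The key recoveries in Examples 1.10, 1.13 and 1.14 all reduce to inverting a small matrix over Z_26 or Z_2, which Theorem 1.3 does directly. The Python code below is an added example, not part of the original slides; the function names are assumptions chosen here, and writing the affine guesses as a 2×2 system is this example's own framing.

```python
from math import gcd

def minor(A, i, j):
    """A with row i and column j deleted (Definition 1.5)."""
    return [row[:j] + row[j + 1:] for k, row in enumerate(A) if k != i]

def det(A):
    """Determinant by cofactor expansion along the first row."""
    if not A:
        return 1  # empty minor of a 1x1 matrix
    return sum((-1) ** j * A[0][j] * det(minor(A, 0, j)) for j in range(len(A)))

def inv_mod(A, n):
    """Inverse over Z_n by Theorem 1.3: A^-1 = (det A)^-1 A*."""
    d = det(A) % n
    if gcd(d, n) != 1:
        raise ValueError(f"det A = {d} is not invertible mod {n}")
    d_inv, m = pow(d, -1, n), len(A)
    return [[d_inv * (-1) ** (i + j) * det(minor(A, j, i)) % n
             for j in range(m)] for i in range(m)]

def matmul(A, B, n):
    """Matrix product with entries reduced mod n."""
    return [[sum(a * b for a, b in zip(row, col)) % n for col in zip(*B)]
            for row in A]

def affine_key(p1, c1, p2, c2):
    """Solve p1*a + b = c1 and p2*a + b = c2 in Z_26; None if a is illegal."""
    (a,), (b,) = matmul(inv_mod([[p1, 1], [p2, 1]], 26), [[c1], [c2]], 26)
    return (a, b) if gcd(a, 26) == 1 else None

def hill_key(plain_rows, cipher_rows):
    """Known-plaintext attack: Y = XK, so K = X^-1 Y over Z_26."""
    return matmul(inv_mod(plain_rows, 26), cipher_rows, 26)

def lfsr_taps(z, m):
    """Recover (c_0, ..., c_{m-1}) from the keystream bits z_1 .. z_2m."""
    Z = [z[i:i + m] for i in range(m)]  # row i is (z_{i+1}, ..., z_{i+m})
    return matmul([z[m:2 * m]], inv_mod(Z, 2), 2)[0]

if __name__ == "__main__":
    # Inputs are the numbers from Examples 1.10, 1.13 and 1.14.
    print(affine_key(4, 17, 19, 3), affine_key(4, 17, 19, 10))
    print(hill_key([[5, 17], [8, 3]], [[15, 16], [2, 5]]))
    x = "101101011110010"
    y = "011001111111000"
    print(lfsr_taps([int(a) ^ int(b) for a, b in zip(x, y)], 5))
```

`inv_mod` raises `ValueError` when the chosen plaintext blocks do not form an invertible matrix, in which case a different set of known blocks is needed.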