Computer and Data Security Class 4 ﺳﻜﻴﻨﺔ ﺣﺴﻦ هﺎﺷﻢ . د: أﺳﺘﺎذة اﻟﻤﺎدة

Home , Bifid cipher, Book cipher, Tap code, Trifid cipher

Save from: www.uotechnology.edu.iq/dep‐cs

Computer and Data security 4th Class أﺳﺘﺎذة اﻟﻤﺎدة: د. ﺳﻜﻴﻨﺔ ﺣﺴﻦ هﺎﺷﻢ

Introduction to Data Security

Basic Terminology

Suppose that someone wants to send a message to a receiver, and wants to be sure that no-one else can read the message. However, there is the possibility that someone else opens the letter or hears the electronic communication.

In cryptographic terminology, the message is called plaintext or cleartext. Encoding the contents of the message in such a way that hides its contents from outsiders is called encryption. The encrypted message is called the ciphertext. The process of retrieving the plaintext from the ciphertext is called decryption. Encryption and decryption usually make use of a key, and the coding method is such that decryption can be performed only by knowing the proper key.

Cryptography is the art or science of keeping messages secret. Cryptanalysis is the art of breaking ciphers, i.e. retrieving the plaintext without knowing the proper key. People who do cryptography are cryptographers, and practitioners of cryptanalysis are cryptanalysts.

Cryptography deals with all aspects of secure messaging, authentication, digital signatures, electronic money, and other applications. Cryptology is the branch of mathematics that studies the mathematical foundations of cryptographic methods.

Basic Cryptographic Algorithms

A method of encryption and decryption is called a cipher. Some cryptographic methods rely on the secrecy of the algorithms; such algorithms are only of historical interest and are not adequate for real-world needs. All modern algorithms

use a key to control encryption and decryption; a message can be decrypted only if the key matches the encryption key. The key used for decryption can be different from the encryption key, but for most algorithms they are the same.

There are two classes of key-based algorithms, symmetric (or secret-key) and asymmetric (or public-key) algorithms. The difference is that symmetric algorithms use the same key for encryption and decryption (or the decryption key is easily derived from the encryption key), whereas asymmetric algorithms use a different key for encryption and decryption, and the decryption key cannot be derived from the encryption key.

Symmetric algorithms can be divided into stream ciphers and block ciphers. Stream ciphers can encrypt a single bit of plaintext at a time, whereas block ciphers take a number of bits (typically 64 bits in modern ciphers), and encrypt them as a single unit.

Asymmetric ciphers (also called public-key algorithms or generally public-key cryptography) permit the encryption key to be public (it can even be published in a newspaper), allowing anyone to encrypt with the key, whereas only the proper recipient (who knows the decryption key) can decrypt the message. The encryption key is also called the public key and the decryption key the private key or secret key.

Modern cryptographic algorithms cannot really be executed by humans. Strong cryptographic algorithms are designed to be executed by computers or specialized hardware devices. In most applications, cryptography is done in computer software, and numerous cryptographic software packages are available.

Generally, symmetric algorithms are much faster to execute on a computer than asymmetric ones. In practice they are often used together, so that a public-key algorithm is used to encrypt a randomly generated encryption key, and the random key is used to encrypt the actual message using a symmetric algorithm.

Many good cryptographic algorithms are widely and publicly available in any major bookstore, scientific library, or patent office, and on the Internet. Well- known symmetric functions include DES and IDEA.RSA is probably the best known asymmetric algorithm. Thebooks page lists several good textbooks on cryptography and related topics.

Digital Signatures

Some public-key algorithms can be used to generate digital signatures. A digital signature is a block of data that was created using some secret key, and there is a public key that can be used to verify that the signature was really generated using the corresponding private key. The algorithm used to generate the signature must be such that without knowing the secret key it is not possible to create a signature that would verify as valid.

Digital signatures are used to verify that a message really comes from the claimed sender (assuming only the sender knows the secret key corresponding to his/her public key). They can also be used to timestamp documents: a trusted party signs the document and its timestamp with his/her secret key, thus testifying that the document existed at the stated time.

Digital signatures can also be used to testify (or certify) that a public key belongs to a particular person. This is done by signing the combination of the key and the information about its owner by a trusted key. The reason for trusting that key may again be that it was signed by another trusted key. Eventually some key must be a root of the trust hierarchy (that is, it is not trusted because it was signed by somebody, but because you believe a priori that the key can be trusted). In a centralized key infrastructure there are very few roots in the trust network (e.g., trusted government agencies; such roots are also called certification authorities). In a distributed infrastructure there need not be any universally accepted roots, and each party may have different trusted roots (such of the party's own key and any keys signed by it). This is the web of trust concept used e.g. in PGP.

A digital signature of an arbitrary document is typically created by computing a message digest from the document, and concatenating it with information about the signer, a timestamp, etc. The resulting string is then encrypted using the private key of the signer using a suitable algorithm. The resulting encrypted block of bits is the signature. It is often distributed together with information about the public key that was used to sign it. To verify a signature, the recipient first determines whether it trusts that the key belongs to the person it is supposed to belong to (using the web of trust or a priori knowledge), and then decrypts the signature using the public key of the person. If the signature decrypts properly and the information matches that of the message (proper message digest etc.), the signature is accepted as valid.

Several methods for making and verifying digital signatures are freely available. The most widely known algorithm is RSA.

Cryptographic Hash Functions

Cryptographic hash functions are typically used to compute the message digest when making a digital signature. A hash function compresses the bits of a message to a fixed-size hash value in a way that distributes the possible messages evenly among the possible hash values. A cryptographic hash function does this in a way that makes it extremely difficult to come up with a message that would hash to a particular hash value.

Cryptographic hash functions typically produce hash values of 128 or more bits. This number is vastly larger than the number of different messages likely to ever be exchanged in the world.

Many good cryptographic hash functions are freely available. Well-known ones include MD5 and SHA.

Cryptographic Random Number Generators

Cryptographic random number generators generate random numbers for use in cryptographic applications, such as for keys. Conventional random number generators available in most programming languages or programming environments are not suitable for use in cryptographic applications (they are designed for statistical randomness, not to resist prediction by cryptanalysts).

In the optimal case, random numbers are based on true physical sources of randomness that cannot be predicted. Such sources may include the noise from a semiconductor device, the least significant bits of an audio input, or the intervals

between device interrupts or user keystrokes. The noise obtained from a physical source is then "distilled" by a cryptographic hash function to make every bit depend on every other bit. Quite often a large pool (several thousand bits) is used to contain randomness, and every bit of the pool is made to depend on every bit of input noise and every other bit of the pool in a cryptographically strong way.

When true physical randomness is not available, pseudorandom numbers must be used. This situation is undesirable, but often arises on general purpose computers. It is always desirable to obtain some environmental noise - even from device latencies, resource utilization statistics, network statistics, keyboard interrupts, or whatever. The point is that the data must be unpredictable for any external observer; to achieve this, the random pool must contain at least 128 bits of true entropy.

Cryptographic pseudorandom generators typically have a large pool ("seed value") containing randomness. Bits are returned from this pool by taking data from the pool, optionally running the data through a cryptographic hash function to avoid revealing the contents of the pool. When more bits are needed, the pool is stirred by encrypting its contents by a suitable cipher with a random key (that may be taken from an unreturned part of the pool) in a mode which makes every bit of the pool depend on every other bit of the pool. New environmental noise should be mixed into the pool before stirring to make predicting previous or future values even more impossible.

Even though cryptographically strong random number generators are not very difficult to built if designed properly, they are often overlooked. The importance of

the random number generator must thus be emphasized - if done badly, it will easily become the weakest point of the system.

Strength of Cryptographic Algorithms

Good cryptographic systems should always be designed so that they are as difficult to break as possible. It is possible to build systems that cannot be broken in practice (though this cannot usually be proved). This does not significantly increase system implementation effort; however, some care and expertise is required. There is no excuse for a system designer to leave the system breakable. Any mechanisms that can be used to circumvent security must be made explicit, documented, and brought into the attention of the end users.

In theory, any cryptographic method with a key can be broken by trying all possible keys in sequence. If using brute force to try all keys is the only option, the required computing power increases exponentially with the length of the key. A 32 bit key takes 2^32 (about 10^9) steps. This is something any amateur can do on his/her home computer. A system with 40 bit keys (e.g. US-exportable version of RC4) takes 2^40 steps - this kind of computing power is available in most universities and even smallish companies. A system with 56 bit keys (such as DES) takes a substantial effort, but is quite easily breakable with special hardware. The cost of the special hardware is substantial but easily within reach of organized criminals, major companies, and governments. Keys with 64 bits are probably breakable now by major governments, and will be within reach of organized criminals, major companies, and lesser governments in a few years. Keys with 80 bits may become breakable in future. Keys with 128 bits will probably remain 7

unbreakable by brute force for the foreseeable future. Even larger keys are possible; in the end we will encounter a limit where the energy consumed by the computation, using the minimum energy of a quantum mechanic operation for the energy of one step, will exceed the energy of the mass of the sun or even of the universe.

However, key length is not the only relevant issue. Many ciphers can be broken without trying all possible keys. In general, it is very difficult to design ciphers that could not be broken more effectively using other methods. Designing your own ciphers may be fun, but it is not recommended in real applications unless you are a true expert and know exactly what you are doing.

One should generally be very wary of unpublished or secret algorithms. Quite often the designer is then not sure of the security of the algorithm, or its security depends on the secrecy of the algorithm. Generally, no algorithm that depends on the secrecy of the algorithm is secure. Particularly in software, anyone can hire someone to disassemble and reverse-engineer the algorithm. Experience has shown that a vast majority of secret algorithms that have become public knowledge later have been pitifully weak in reality.

The key lengths used in public-key cryptography are usually much longer than those used in symmetric ciphers. There the problem is not that of guessing the right key, but deriving the matching secret key from the public key. In the case of RSA, this is equivalent to factoring a large integer that has two large prime factors. In the case of some other cryptosystems it is equivalent to computing the discrete logarithm modulo a large integer (which is believed to be roughly comparable to factoring). Other cryptosystems are based on yet other problems.

To give some idea of the complexity, for the RSA cryptosystem, a 256 bit modulus is easily factored by ordinary people. 384 bit keys can be broken by university research groups or companies. 512 bits is within reach of major governments. Keys with 768 bits are probably not secure in the long term. Keys with 1024 bits and more should be safe for now unless major algorithmic advances are made in factoring; keys of 2048 bits are considered by many to be secure for decades. More information on RSA key length is in an article by Bruce Schneier.

It should be emphasized that the strength of a cryptographic system is usually equal to its weakest point. No aspect of the system design should be overlooked, from the choice algorithms to the key distribution and usage policies.

Cryptanalysis and Attacks on Cryptosystems

Cryptanalysis is the art of deciphering encrypted communications without knowing the proper keys. There are many cryptanalytic techniques. Some of the more important ones for a system implementor are described below.

• Ciphertext-only attack: This is the situation where the attacker does not know anything about the contents of the message, and must work from ciphertext only. In practice it is quite often possible to make guesses about the plaintext, as many types of messages have fixed format headers. Even ordinary letters and documents begin in a very predictable way. It may also be possible to guess that some ciphertext block contains a common word.

• Known-plaintext attack: The attacker knows or can guess the plaintext for some parts of the ciphertext. The task is to decrypt the rest of the ciphertext

blocks using this information. This may be done by determining the key used to encrypt the data, or via some shortcut.

• Chosen-plaintext attack: The attacker is able to have any text he likes encrypted with the unknown key. The task is to determine the key used for encryption. Some encryption methods, particularly RSA, are extremely vulnerable to chosen-plaintext attacks. When such algorithms are used, extreme care must be taken to design the entire system so that an attacker can never have chosen plaintext encrypted.

• Man-in-the-middle attack: This attack is relevant for cryptographic communication and key exchange protocols. The idea is that when two parties are exchanging keys for secure communications (e.g., using Diffie- Hellman), an adversary puts himhelf between the parties on the communication line. The adversary then performs a separate key exchange with each party. The parties will end up using a different key, each of which is known to the adversary. The adversary will then decrypt any communications with the proper key, and encrypt them with the other key for sending to the other party. The parties will think that they are communicating securely, but in fact the adversary is hearing everything.

One way to prevent man-in-the-middle attacks is that both sides compute a cryptographic hash function of the key exchange (or at least the encryption keys), sign it using a digital signature algorithm, and send the signature to the other side. The recipient then verifies that the signature came from the desired other party, and that the hash in the signature matches that computed locally. This method is used e.g. in Photuris.

• Timing Attack: This very recent attack is based on repeatedly measuring the exact execution times of modular exponentiation operations. It is relevant to at least RSA, Diffie-Hellman, and Elliptic Curve methods. More information is available in the original paper and various followup articles.

There are many other cryptographic attacks and cryptanalysis techniques. However, these are probably the most important ones for a practical system designer. Anyone contemplating to design a new encryption algorithm should have a much deeper understanding of these issues.

Disclaimer: Any opinions and evaluations presented here are speculative, and the author cannot be held responsible for their correctness.

U ﺍﻟﻔﺼﻞ ﺍﻟﺨﺎﻣﺲ

ﺃﻟﺨﻠﻔﻴﺔ ﺍﻟﺮﻳﺎﺿﻴﺔ Mathematical Background

:1-5 - ﺍﻟﻤﻘﺪﻣﺔ ﺃﺻﺒﺤﺖ ﺍﻟﻤﻮﺍﺿﻴﻊ ﺍﻟﺮﻳﺎﺿﻴﺔ ﻭﻣﻦ ﺿﻤﻨﻬﺎ ﺍﻟﺤﻘﻮﻝ ﺍﻟﻤﺤﺪﺩﺓ Finite Fields ﺗﻠﻌﺐ ﺩﻭﺭﺁ ﻛﺒﻴﺮﺁ ﻭﻣﻬﻤﺂ ﻓﻲ ﺍﻟﺘﺸﻔﻴﺮ. ﺗﻌﺘﻤﺪ ﺍﻟﻌﺪﻳﺪ ﻣﻦ ﺧﻮﺍﺭﺯﻣﻴﺎﺕ ﺍﻟﺘﺸﻔﻴﺮ ﺑﻘﻮﺓ ﻋﻠﻰ ﺧﺼﺎﺋﺺ ﺍﻟﺤﻘﻮﻝ ﺍﻟﻤﺤﺪﺩﺓ، ﻭﻣﻨﻬﺎ ﺍﻟﺘﺸﻔﻴﺮ ﺍﻟﻘﻴﺎﺳﻲ ﺍﻟﻤﺘﻘﺪﻡ AES )Advanced Encryption Standard ) ﻭﺗﺸﻔﻴﺮ ﺍﻟﻜﻴﺮﻑ ﺍﻟﺒﻴﻀﻮﻱ Curve Elliptic .

ﺃﻥ ﻣﻔﺎﻫﻴﻢ ﻭﺗﻘﻨﻴﺎﺕ ﻋﺪﺩ ﻣﻦ ﺍﻟﻨﻈﺮﻳﺎﺕ ﻫﻲ ﻣﺨﺘﺼﺮﺓ ﺗﻤﺎﻣﺂ، ﻭﻣﻦ ﺍﻟﺼﻌﺐ ﺩﺍﺋﻤﺂ ﻓﻬﻤﻬﺎ ﺑﺪﻭﻥ ﺃﻣﺜﻠﺔ. ﻟﺬﻟﻚ ﻳﺤﺘﻮﻱ ﻫﺬﺍ ﺍﻟﻔﺼﻞ ﻋﻠﻰ ﻛﺜﻴﺮ ﻣﻦ ﺍﻻﻣﺜﻠﺔ ﺍﻟﺘﻲ ﺗﻮﺿﺢ ﻫﺬﻩ ﺍﻟﻤﻔﺎﻫﻴﻢ.

ﺗﺴﺘﺨﺪﻡ ﺷﻔﺮﺓ ﺍﻟﻤﻔﺘﺎﺡ ﺍﻟﻌﺎﻡ ﺍﻟﻜﺜﻴﺮ ﻣﻦ ﺍﻟﻤﻔﺎﻫﻴﻢ ﺍﻟﺮﻳﺎﺿﻴﺔ ﻣﺜﻞ ﺍﻻﻋﺪﺍﺩ ﺍﻻﻭﻟﻴﺔ ﻓﻲ ﺗﻜﻮﻳﻦ ﺍﻟﻤﻔﺘﺎﺡ ﺍﻟﺨﺎﺹ ﻭﺍﻟﻤﻔﺘﺎﺡ ﺍﻟﻌﺎﻡ ﻭﺃﻣﻨﻴﺔ ﻫﺬﺍ ﺍﻟﻨﻮﻉ ﻣﻦ ﺍﻟﺘﺸﻔﻴﺮ ﺗﻌﺘﻤﺪ ﻋﻠﻰ ﺍﻻﻋﺪﺍﺩ ﺍﻻﻭﻟﻴﺔ ﻭﺑﺎﻗﻲ ﺍﻟﻘﺴﻤﺔ ﻭﺍﻟﻤﻌﻜﻮﺱ ﻭﻣﻌﺎﺩﻻﺕ ﺃﻭﻳﻠﺮ.

ﻟﻬﺬﺍ ﺃﺭﺗﺄﻳﻨﺎ ﺗﻘﺪﻳﻢ ﻫﺬﻩ ﺍﻟﻤﻔﺎﻫﻴﻢ ﺍﻟﺮﻳﺎﺿﻴﺔ ﻓﻲ ﻓﺼﻞ ﻣﻨﻔﺼﻞ ﻟﻴﻜﻮﻥ ﻣﻘﺪﻣﺔ ﻟﻠﻔﺼﻞ ﺍﻟﻼﺣﻖ ﺍﻟﺬﻱ ﻳﺸﺮﺡ ﺷﻔﺮﺓ ﺍﻟﻤﻔﺘﺎﺡ ﺍﻟﻌﺎﻡ.

5 2- - ﺃﻻﻋﺪﺍﺩ ﺃﻻﻭﻟﻴﺔ Prime Numbers:

ﺃﻟﻌﺪﺩ ﺍﻻﻭﻟﻲ ﻫﻮ ﺃﻱ ﻋﺪﺩ ﺃﻛﺒﺮ ﻣﻦ ﻭﺍﺣﺪ ﻭﺍﻟﺬﻱ ﻳﻘﺒﻞ ﺍﻟﻘﺴﻤﺔ ( ﺑﺤﻴﺚ ﻳﻜﻮﻥ ﺍﻟﺒﺎﻗﻲ ﺻﻔﺮ) ﻋﻠﻰ ﻧﻔﺴﻪ ﻭﻋﻠﻰ ﻭﺍﺣﺪ ﻓﻘﻂ. ﻣﺜﻶ ﺍﻻﻋﺪﺍﺩ 2،3،5،7،ﻭ 11 ﻫﻲ ﻛﻠﻬﺎ ﺃﻋﺪﺍﺩ ﺃﻭﻟﻴﺔ.

ﻧﻈﺮﻳﺔ ﺍﻟﻌﺪﺩ ﺍﻻﻭﻟﻲ، ﺃﻓﺮﺽ ﺃﻥ (x) ∏ ﻳﺤﺪﺩ ﻋﺪﺩ ﺍﻻﻋﺪﺍﺩ ﺍﻻﻭﻟﻴﺔ ﻭﺍﻟﺘﻲ ﻫﻲ x ≥ ﻟﺬﻟﻚ:

∏ (x) Lim x ------= 1 X ------ln (x)

ﻭﻫﺬﺍ ﻳﻌﻨﻲ ﺍﻟﻰ ﺍﻟﻘﻴﻢ ﺍﻟﻜﺒﻴﺮﺓ ﻝ X ، ﻓﺄﻥ ( x) ∏ ﻳﻘﺮﺏ ﺑﺼﻮﺭﺓ ﺗﻘﺮﻳﺒﻴﺔ ﻣﻦ ﺧﻼﻝ ﺍﻟﺘﻌﺒﻴﺮ ﺍﻟﺮﻳﺎﺿﻲ ﺍﻟﺘﺎﻟﻲ: X / ln (x)

ﻣﺜﺎﻝ: ﺃﺣﺴﺐ ﺍﻟﻌﺪﺩ M ﻭﺍﻟﺬﻱ ﻳﺘﻜﻮﻥ ﻣﻦ 200 ﺭﻗﻢ ﻋﺸﺮﻱ ﻣﻦ ﺍﻻﻋﺪﺍﺩ ﺍﻻﻭﻟﻴﺔ.

200 200 X 10 P P 10 P

200 197 N (10 P )P = ------= ------= ------= 2.17147* 10 P 200 Ln(x) ln(10 P )P 460.5 199 199 X 10 P P 10 P 199 196 N (10 P )P = ------= ------= ------= 2.1823*10 P 199 Ln (x) ln (10 P )P 458.214

200 199 197 M = N (10 P )P – N (10 P )P = 1.95 * 10 P

3-5 - ﺍﻟﻘﺎﺳﻢ ﺍﻟﻤﺸﺘﺮ ﻙ ﺍﻻﻛﺒﺮ (Greatest Common Divisor(GCD

ﺇﺫﺍ ﻛﺎﻥ ﻟﺪﻳﻨﺎ ﻋﺪﺩﻳﻦ (a, b ) ﻭﺍﻟﻘﺎﺳﻢ ﺍﻟﻤﺸﺘﺮﻙ D ﻓﺎﻥ ﺍﻟﻌﺪﺩﻳﻦ a, b ﺗﻘﺒﻞ ﺍﻟﻘﺴﻤﺔ ﻋﻠﻰ D ﺑﺪﻭﻥ ﺑﺎﻗﻲ ﺍﻱ a mod D =0 and b mod D = 0 ﻣﺜﺎﻝ ﺍﻟﻘﺎﺳﻢ ﺍﻟﻤﺸﺘﺮﻙ ﺍﻻﻛﺒﺮ ﻟﻠﻌﺪﺩﻳﻦ 10ﻭ15 ﻫﻮ ﺍﻟﻌﺪﺩ 5 5 GSD(10,15) = 5 ﺍﻟﻌﺪﺩ 10 ﻳﻘﺒﻞ ﺍﻟﻘﺴﻤﺔ ﻋﻠﻰ 5 ﺑﺪﻭﻥ ﺑﺎﻗﻲ ﺍﻟﻌﺪﺩ 15 ﻳﻘﺒﻞ ﺍﻟﻘﺴﻤﺔ ﻋﻠﻰ 5 ﺑﺪﻭﻥ ﺑﺎﻗﻲ ﻛﻤﺎ ﺍﻥ GCD(a, b) =GCD(b, a)

ﺍﺫﺍ ﻛﺎﻥ a, b ﻋﺪﻳﻦ ﺍﻭﻟﻴﻴﻦ ( prime number) ﻓﺎﻥ GCD( a, b) = 1

ﻭﺍﺫﺍ ﻛﺎﻥ a ﻋﺪﺩ ﺍﻭﻟﻲ ﻭﻟﻴﻜﻦ b ﻳﻤﺜﻞ ﻛﻞ ﺍﻻﻋﺪﺍﺩ ﺍﻟﺘﻲ ﺍﻗﻞ ﻣﻦ (a > b a ) ﻓﺎﻥ: GCD(a ,b) = 1

ﻃﺮﻕ ﺍﻻﺣﺘﺴﺎﺏ ﻻﺣﺘﺴﺎﺏ ﻗﻴﻤﺔ ﺍﻟﺮﻗﻤﻴﻦ ﻧﺴﺘﺨﺪﻡ ﺍﻟﻘﺎﻧﻮﻥ ﺍﻟﺘﺎﻟﻲ: GCD(a, b) = GCD(b, a mod b) ﻣﺜﺎﻝ: ﺃﻭﺟﺪ ﺍﻟﻘﺎﺳﻢ ﺍﻟﻤﺸﺘﺮﻙ ﺍﻻﻋﻈﻢ (GCD( 39,36

GCD(93,36) = GCD(36,93 mod 36 ) = GCD (36,21) GCD(36,21) = GCD(21,36 mod 21 ) = GCD (21,15) GCD(21,15) = GCD(15,21 mod 15 ) = GCD (15,6) GCD(15,6) = GCD(6,15 mod 6 ) = GCD (6,3) GCD(6,3) = GCD(3,6 mod 3 ) = GCD (3,0)

GCD(93,36) = 3

-1 ﻧﺴﺘﺨﺪﻡ ﺍﻟﻄﺮﻳﻘﺔ ﺍﻟﺘﺎﻟﻴﺔ : :

GCD (A1,B1)=

A1 = B1 * Q1 + R1

A2 = B2 * Q2 + R2

A3 = B3 * Q3 + R3

A4 = B4 * Q4 + R4

...... An = Bn * Qn + Rn ……………1

GCD (A1,B1) = Bn ﺣﻴﺚ ﺍﻥ A1 ﺍﻟﻤﻘﺴﻮﻡ ﻋﻠﻴﻪ B1 ﺍﻟﻘﺎﺳﻢ Q1 ﻧﺎﺗﺞ ﺍﻟﻘﺴﻤﺔ R1 ﺑﺎﻗﻲ ﺍﻟﻘﺴﻤﺔ

ﻣﺜﺎﻝ ﺍﻭﺟﺪ (GCD( 1970,1066

1970 = 1066 * 1 + 904 …………. GCD(1970,1066) 1066 = 904 * 1 + 162 ………….. GCD(1066,904) 904 = 162 * 5 + 94 …………… GCD(904,162) 162 = 94 * 1 + 68 GCD(94 , 68) 94 = 68 * 1 + 26 ……………….. GCD( 68 ,26) 86 = 26 * 2 + 16 ………………. GCD( 26,16) 16 = 10 * 1 + 6 ……………… GCD(16,10) 10 = 6 * 1 + 4 ……………… GCD(10,6) 6 = 4 * 1 + 2 ……………… GCD(6,4) 4 = 2* 2 + 0 ……………… GCD(4,2)

GCD(1970,1066) = 2 Bn

4-5 - ﺃﻟﻤﻀﺎﻋﻒ ﺍﻟﻤﺸﺘﺮﻙ ﺃﻻﺻﻐﺮ (Least Common Multiple (LCM 1- ﺃﻟﻤﻀﺎﻋﻒ ﺍﻟﻤﺸﺘﺮﻙ ﺍﻻﺻﻐﺮ ﻫﻮ ﺍﺻﻐﺮ ﻋﺪﺩ ﻣﻮﺟﺐ ﻳﻘﺒﻞ ﺍﻟﻘﺴﻤﺔ ﻋﻠﻰ ﻋﺪﺩﻳﻦ ﺑﺪﻭﻥ ﺑﺎﻗﻲ ﻭﻳﺘﻢ ﺍﺣﺘﺴﺎﺑﻪ ﺑﺎﻟﻤﻌﺎﺩﻟﺔ ﺍﻟﺘﺎﻟﻴﺔ: ﻣﺜﺎﻝ: ﺃﻭﺟﺪ (LCM(4864,3458

LCM(a, b) = |a * b | GCD(a, b)

GCD(4864,3458)

4864 = 3458 * 1 + 1406 3458= 1046 *2 + 646 1406 = 646 *2 + 114 646 = 114* 5 + 76 114 = 67 * 1 + 38 76 = 38 *2 + 0

GCD(4864,3458) = 38

LCM(3864,3458) = |3864 * 3458 | / GCD(4864,3458) = 16819712 / 38 = 442624

2- ﺍﻟﻄﺮﻳﻘﺔ ﺍﻻﻋﺘﻴﺎﺩﻳﺔ ﺗﻌﺘﻤﺪ ﻋﻠﻰ ﺗﺤﻠﻴﻞ ﻛﻞ ﺭﻗﻢ ﺍﻟﻰ ﻋﻮﺍﻣﻠﻪ ﺍﻻﻭﻟﻴﺔ ﻭﺧﺬ ﺣﺎﺻﻞ ﺿﺮﺏ ﺍﻋﻠﻰ ﻗﻮﺓ ﻣﺸﺘﺮﻙ ﻭﺍﻟﻌﻮﺍﻣﻞ ﻏﻴﺮ ﺍﻟﻤﺸﺘﺮﻛﺔ ﻣﺜﺎﻝ: ﺃﻭﺟﺪ (LCM(4864,3458

2 4864 2 3458 2 2432 7 1729 2 1216 13 247 2 608 19 19 2 304 1 2 152 2 76 2 38 2 19 19 1

8 4864 = 2P P * 19 3458 = 2 * 7 * 13 * 19 3459 8 LCM(4864,3458) = 2P P * 7 * 13 * 19 = 442624

ﻣﺜﺎﻝ: ﺍﻭﺟﺪ (LCM(93,36

LCM(93,36) = |93 * 36| / GCD(93,36) = 3348 / 3

= 1116

5-5 - ﺑﺎﻗﻲ ﺍﻟﻘﺴﻤﺔ Modular

ﻋﻨﺪ ﻗﺴﻤﺔ ﻋﺪﺩ ﻋﻠﻰ ﻋﺪﺩ ﺍﺧﺮ ﻓﺎﻥ ﺑﺎﻗﻲ ﺍﻟﻘﺴﻤﺔ ﻳﺪﻋﻰ Modular ﻭﻳﺘﻢ ﺍﺣﺘﺴﺎﺑﻪ ﺑﺎﻟﻤﻌﺎﺩﻟﺔ ﺍﻟﺘﺎﻟﻴﺔ C = a MOD b ﺣﻴﺚ ﺍﻥ:

a ﺍﻟﻘﺎﺳﻢ b ﺍﻟﻤﻘﺴﻮﻡ ﻋﻠﻴﻪ C ﺑﺎﻗﻲ ﺍﻟﻘﺴﻤﺔ ﻣﻦ ﺍﻟﻤﻌﺎﺩﻟﺔ ﺍﺫﺍ ﻛﺎﻥ ﻗﻴﻤﺔ ﻛﻼ ﻣﻦ a , n ﻣﻌﻠﻮﻣﺔ ﺍﻟﻘﻴﻢ ﻓﺎﻥ : : q = a / n a = q n + r 0 ≤ r < n r = a – q * n ﻣﺜﺎﻝ: ﺍﺫﺍ ﻛﺎﻧﺖ ﻗﻴﻤﺔ ﻛﻼ ﻣﻦ a = 11 , n = 7 ﺍﻭﺟﺪ ﻛﻼ ﻣﻦ q , r q = a / n = 11/ 7 = 1 r = 11 – 1 * 7 = 4 11 = 1 * 7 + 4

ﻣﺜﺎﻝ: ﺍﺫﺍ ﻛﺎﻧﺖ ﻗﻴﻤﺔ ﻛﻼ ﻣﻦ a = -11 , n = 7 ﺍﻭﺟﺪ ﻛﻼ ﻣﻦ q , r q = a / n = -11 / 7 = -1 r = a - q * n = -11 - (-1) * 7 = -4 -11 = -1 * 7 + (-4) = -11 6-5 - ﺭﻳﺎﺿﻴﺎﺕ ﺑﺎﻗﻲ ﺍﻟﻘﺴﻤﺔ:

C = a mod b C = Remainder of dividing a by b. C = 25 mod 6 C = 1 ﺍﺫﺍ ﻛﺎﻥ ﻟﺪﻳﻨﺎ ﻋﺪﺩ ﻣﻮﺟﺐ ﻫﻮ n ﻭﺍﻱ ﺭﻗﻢ ﺍﺧﺮ a، ﻓﺄﺫﺍ ﻗﺴﻤﻨﺎ a ﻋﻠﻰ n ، ﻓﺄﻧﻨﺎ ﻧﺤﺼﻞ ﻋﻠﻰ ﺭﻗﻢ ﻧﺎﺗﺞ ﺍﻟﻘﺴﻤﺔ ﻫﻮ q ﻭﺭﻗﻢ ﺑﺎﻗﻲ ﺍﻟﻘﺴﻤﺔ ﻫﻮ r ﻭﺍﻟﺬﻱ ﻳﺤﻘﻖ ﺍﻟﻌﻼﻗﺔ ﺍﻟﺘﺎﻟﻴﺔ:

A = qn + r 0 ≤ r < n ; q = ⌠ a/n ⌡

ﻣﺜﺎﻝ:

A = 11; n = 7; 11 = 1 * 7 + 4; r = 4

A = -11; n = 7; -11 = (-2) * 7 + 4; r = 3

11 mod 7 = 4; -11 mod 7 = 3;

ﻋﺪﺩﻳﻦ ﻫﻤﺎ a ﻭ b ﻳﻘﺎﻝ ﻟﻬﻤﺎ ﺑﺎﻗﻴﺎ ﺍﻟﻘﺴﻤﺔ ﺍﻟﻰ n ، ﻭﺍﺫﺍ ﻛﺎﻥ.(a mod n) = (b mode n) ﻓﺄﻧﻬﺎ ﺗﻜﺘﺐ ﻛﻤﺎ ﻳﻠﻲ .as a = b mod n

37 ≡ 4 mod 23; 21 ≡ -9 mod 10

ﺧﺼﺎﺋﺺ ﻣﻌﺎﻣﻞ ﺑﺎﻗﻲ ﺍﻟﻘﺴﻤﺔ: ﻟﻤﻌﺎﻣﻞ ﺑﺎﻗﻲ ﺍﻟﻘﺴﻤﺔ ﺍﻟﺨﺼﺎﺋﺺ ﺍﻟﺘﺎﻟﻴﺔ:

1- a ≡ b mod n if n ⌠ (a-b). 2- a ≡ b mod n implies b ≡ a mod n. 3- a ≡ b mod n and b ≡ c mod n imply a ≡ c mod n

U ﻣﺜﺎﻝ: 23 ≡ 8 (mod 5) because 23-8 = 15 = 5*3 -11≡ 5(mod 8) because -11-5=-16=8*(-2) 81 ≡ 0 (mod 27) because 81-0 = 81 = 27*3

ﺍﻟﻌﻤﻠﻴﺎﺕ ﺍﻟﺮﻳﺎﺿﻴﺔ ﻟﺒﺎﻗﻲ ﺍﻟﻘﺴﻤﺔ: ﺗﺘﻀﻤﻦ ﺭﻳﺎﺿﻴﺎﺕ ﺑﺎﻗﻲ ﺍﻟﻘﺴﻤﺔ ﺍﻟﺼﻔﺎﺕ ﺍﻟﺘﺎﻟﻴﺔ:

1- [(a mod n)]+(b mod n)] mod n =(a + b) mod n 2- [(a mod n)]-(b mod n)] mod n =(a - b) mod n 3- [(a mod n)]*(b mod n)] mod n =(a *b) mod n

U ﻣﺜﺎﻝ: 11 mod 8 =3; 15 mod 8 =7 [(11 mod 8 )+(15 mod 8)] mod 8 =10 mod 8 =2 (11+15) mod 8 = 26 mod 8 =2

[(11 mod 8 )-(15 mod 8)] mod 8 = -4 mod 8 =4 (11-15) mod 8 = -4 mod 8 =4

[(11 mod 8 )*(15 mod 8)] mod 8=21 mod 8 =5 (11*15) mod 8 = 165 mod 8 = 5

U ﻣﺜﺎﻝ:

To find 117 mod 13 , we can proceed as follows:

117 mod 13 112 = 121= 4 mod 13 114 = 42 = 3 mod 13 117=11*4*3 ≡ 132 ≡ 2 mod 13 = 2

7-5 - ﺩﺍﻟﺔ ﺍﺅﻳﻠﺮ Euler Function:

ﻫﻲ ﺍﻟﺪﺍﻟﺔ ﺍﻟﺘﻲ ﺗﻌﻄﻲ ﻋﺪﺩ ﺍﻟﻌﻨﺎﺻﺮ ﻓﻲ ﻣﺠﻤﻮﻋﺔ ﺍﻟﺒﻮﺍﻗﻲ ( reduce ) ﻭﺍﻟﺘﻲ ﺗﺤﺘﻮﻱ ﻫﺬﺓ ﺍﻟﻤﺼﻔﻮﻓﺔ ﻋﻠﻰ ﺍﻋﺪﺍﺩ ﺻﺤﻴﺤﺔ . ﻟﻴﻜﻦ m ﻋﺪﺩ ﺻﺤﻴﺢ ﻭﺍﻥ k ﺗﻤﺜﻞ ﻋﺪﺩ ﻋﻨﺎﺻﺮ ﻣﺠﻤﻮﻋﺔ ﺍﻟﺒﻮﺍﻗﻲ ﻓﺎﻥ m > k ﻭﺍﻥ gcd(k, m) = 1 ﻭﻳﺘﻢ ﺍﺣﺘﺴﺎﺏ ﺩﺍﻟﺔ ﺍﻭﻳﻠﺮ ﺑﺎﻟﻄﺮﻕ ﺍﻟﺘﺎﻟﻴﺔ:

-1 ﺍﺫﺍ ﻛﺎﻥ ﻋﺪﺩ ﺃﻭﻟﻰ ﻓﺎﻥ Ф(m) = m - 1 ﻣﺜﺎﻝ: ﺍﻭﺟﺪ (Ф(5 Ф(5) = m -1= 5 - 1 = 4 ﻣﺠﻤﻮﻋﺔ ﺍﻟﺒﻮﺍﻗﻲ = {4 ,3 ,2 ,1 }

Gcd(5,1) = 1 gcd(5,2) = 1 gcd(5,3) =1 gcd(5,4) =1

-2 ﺍﺫﺍ ﻛﺎﻥ m ﻋﺪﺩ ﻏﻴﺮ ﺃﻭﻟﻰ ﻓﺎﻥ

r r-1 Ф(mP )P = mP (mP -1) 3 ﻣﺜﺎﻝ: ﺍﻭﺟﺪ Ф(3 P ) P ( 3 2 Ф(3 P )=3P P P (3-1) =9*2 = 18 ﻣﺠﻤﻮﻋﺔ ﺍﻟﺒﻮﺍﻗﻲ =

{ 1,2,3,4,5,7,8,10,11,13,14,16,17,19,20,22,23,24,25,26}

3- ﺍﺫﺍ ﻛﺎﻥ m1 , m2 ﻋﺪﺩﺍﻥ ﺍﻭﻟﻴﺎﻥ ﻓﺎﻥ:

Ф(m1*m2) =(m1-1)(m2-1) ﻣﺜﺎﻝ : (Ф(10 Ф(10) = ( 2 * 5 ) = (2 -1) (5-1) = 1* 4 = 4 ﻣﺠﻤﻮﻋﺔ ﺍﻟﺒﻮﺍﻗﻲ = {1,3,7,9 } m 4- ﺇﺫﺍ ﻛﺎﻥ ﻋﺪﺩ ﺯﻭﺟﻲ ﻧﺠﺪ ﻋﻮﺍﻣﻠﻪ ﺍﻷﻭﻟﻴﺔ ﻭﻧﻄﺒﻖ ﻋﻠﻴﻪ ﺍﻟﻘﺎﻧﻮﻥ ﺍﻟﺘﺎﻟﻲ: t e−1 Ф(m) = ∏ i ∑ PP i −1 i=1

r r1 Ф(m) = Ф(pR1 RP ,pP R2RP )P r r1 = Ф(pR1RP )*P Ф(pR2RP )P r-1 r1-1 = Ф(pR1RP )(pP R1 R-1)* Ф(p R2RP )(pP R2R-1) ﻣﺜﺎﻝ (Ф(20 2 1 Ф(20)= Ф(2P P ) * Ф(5 P )P 2-1 1-1 =(2P )(2P -1)(5P )(5P -1) = (2)(1)(1)(4) = 2*4= 8 ﻣﺠﻤﻮﻋﺔ ﺍﻟﺒﻮﺍﻗﻲ ={1,3,9,11.13.17.19 }

5 8- - ﺧﻮﺍﺭﺯﻣﻴﺔ ﺍﻟﻤﻌﻜﻮﺱ (Inverse Algorithm (inv

ﻻﻳﺠﺎﺩ ﻗﻴﻤﺔ ﺍﻟﻤﻔﺘﺎﺡ X ﻣﻦ ﺍﻟﻤﻌﺎﺩﻟﺔ ﺍﻟﺘﺎﻟﻴﺔ ﻣﻊ ﺍﻟﻌﻠﻢ ﺍﻥ ﻗﻴﻤﺔ ﻛﻞ ﻣﻦ ﺍﻟﻤﺘﻐﻴﺮﺍﺕ ﺍﻟﺘﺎﻟﻴﺔ ﻣﻌﻠﻮﻣﺔ a , n ,b . . a X mod n = b , gcd (a, n) =1

X=[ b * inv(a , n ) ] mod n

ﺳﻨﺴﺘﺨﺪﻡ ﺍﻟﺪﺍﻟﺔ inv ﻻﻳﺠﺎﺩ ﻗﻴﻤﺔ X ﻣﻦ ﺍﻟﻤﻌﺎﺩﻟﺔ

Algorithm inv(a ,n); { ' Return x such that ax mod n = 1 where 0 < a < n '

gR0R = n ; g R1R = a ;

uR0R= 1 ; vR0R= 0;

uR1R = 0; vR1R = 1; i=1;

while gRiR <> 0 do "gRiR=uRiR *n + vRiR *a; {

y= gRi-1R div g RiR ;

gRi+1R = gRi-1R – y * g RiR ;

uR i+1R = uR i-1R – y * u RiR ;

vR i+1R = vR i-1R –y * v R iR; i = i + 1 } x= vi-1; if x >= 0 then inv = x else inv = x + n; }

ﻣﺜﺎﻝ: ﺍﻭﺟﺪ ﻗﻴﻤﺔ X ﻣﻦ ﺍﻟﻤﻌﺎﺩﻟﺔ ﺍﻟﺘﺎﻟﻴﺔ : X mod 26 = 6 3

ﺣﻴﺚ ﺍﻥ a= 3 n= 26 b = 6 Inv(3,26)

gR0R= 26 gR1R = 3

UR0R = 1 VR0R = 0

UR1R =0 vR1R =1 i=1 g1 <> 0 y =gR0 R div g R1R = 26 div 3 = 8 gR2R = gR0R – y * g R1R = 26 – 8*3 =26 -24 =2

uR2R = uR0R – y * u R1 R = 1 – 8 * 0 = 1- 0 =1 vR2R = vR0R - y * v R1R = 0 – 8 * 1 = 0 – 8 = - 8 i=i+1 = 1+1 = 2 y= g R1R div g R2R = 3 div 2 = 1 gR3R = gR1R – y * gR2R = 3 – 1 * 2 = 3 – 2 = 1 u R3R = uR1 R – y * u R2R = 0 – 1 * 1 = 0 – 1 = -1 vR3R = vR1R - y * v R2R = 1 – 1 * -8 = 1 + 8 = 9 i=i+1 = 1+2 = 3 y= g R2R div g R3R = 2 div 1 = 2 gR4R = gR2R – y * gR 3R = 3 – 1 * 2 = 3 – 2 = 1 u R4R = uR2 R – y * u R3R = 0 – 1 * 1 = 0 – 1 = -1 vR4R = vR2R - y * v R3R = 1 – 1 * -8 = 1 + 8 = 9 i=i+1 = 1+3 = 4 gR4R= 0 x = v Ri-1R = vR 3R = 9 if x >= 0 then inv = x=9

X=[ b * inv(a , n ) ] mod n = [ 6 * 9 ] mod 26 = 54 mod 26 = 2

ﻻﺛﺒﺎﺕ ﻧﺎﺗﺞ ﺻﺤﺔ ﺍﻟﻤﻌﺎﺩﻟﺔ ﺍﻟﺘﺎﻟﻴﺔ 3 X mod 26 = 6 3* 2 mod 26 = 6 5 9- -ﺧﻮﺍﺭﺯﻣﻴﺔﺍﻟﻘﻮﺓ ﺍﻟﺴﺮﻳﻌﺔ fast exponentiation algorithm

Algorithm fastexp(a,z,n) Begin "return x = az nod n " A1 = a ; z1 = z ; X = 1 ;

While z1 ≠ 0 { while z1 mod 2 = 0 { z1 = z1 div 2 a1 = (a1 * a1 ) mod n } z1 = z1 - 1 x = ( x * a1 ) mod n } fastexp = x end

ﻣﺜﺎﻝ: ﺍﻭﺟﺪ ﻗﻴﻤﺔ ﺍﻟﻤﻌﺎﺩﻟﺔ ﺍﻟﺘﺎﻟﻴﺔ ﺑﺎﺳﺘﺨﺪﺍﻡ ﺧﻮﺍﺭﺯﻣﻴﺔ ﺍﻻﺳﻴﺔ ﺍﻟﺴﺮﻳﻌﺔ 3 X mod 26 = 6 n= 26 n= 2 *13 (1-1) (1-1) Ф(n)= 2P P *(-2)*13 P P *(13-1) = 12 Ф(n)-1 = 12 - 1 = 11 fastexp(a, Ф(n)-1,n) fastexp(3,11,26) a1= 3 z1 = 11 n=26 first ilt x = 1 while z1 mod 2 = 0 false z1 = z1 v- 1 = 11-1 = 10 x = (x * a1 ) nod n = (1 * 2 ) nod 26 = 3 second while while z1 mod 2 = 0 true z1 = z1 div 2 = 10 div 2 = 5 a1 = ( a1 * a1 ) mod n = ( 3 * 3 ) mod 26 = 9 z1 = z1 -1 = 5 - 1 = 4 x = ( x * a1 ) mod n = ( 3 * 9 ) mod 26 = 1 third ilt while z1 mod 2 = 0 true z1 = z1 div 2 = 2

a1 = (a1 * a1 ) mod n = ( 9 * 9 ) mod 26 = 3 while z1 mod 2 = 0 true z1 = z1 div 2 = 2 div 2 = 1 a1 =( a1 * a1 ) mod n = ( 3 * 3 ) mod 26 = 9

z1 =z1-1 = 1- 1 = 0 final x = 9 x= b * fastexp(a, Ф(n) -1,n ) mod n = 6 * 9 mod 26 = 3 ﻣﺜﺎﻝ ﺍﺳﺘﺨﺪﻡ ﺧﻮﺍﺭﺯﻣﻴﺔ ﺍﻟﻘﻮﺓ ﺍﻟﺴﺮﻳﻊﺓ ﻻﺣﺘﺴﺎﺏ ﻗﻴﻤﺔ X ﻣﻦ ﺍﻟﻤﻌﺎﺩﻟﺔ ﺍﻟﺘﺎﻟﻴﺔ 3 X= 2P P mod 5 z1 X = a1P P mod n a1 = 2 z1 = 3 x = 1 n = 5 First ilt while z1 mod 2 = 0 false z1 = z1 – 1 = 3 – 1 = 2 x = ( x * a1 ) mod n = ( 1 * 2 ) mod 5 = 2 second ilt while z1 mod 2 = 0 true z1 = z1 div 2 = 2 div 2 = 1 a1 = ( a1 * a1 ) mod n = ( 2 * 2 ) mod 5 = 4 while z1 mod 2 = 0 false z1 = z1 -1 = 1 – 1 = 0 x = ( x * a1 ) mod n = ( 2 * 4 ) mod 5 = 3 3 fastexp = X= 2P P mod 5 = 3 modular Arithmetic Operations 1- [ ( a mod n] + ( b mod n ) ] mod n = (a + b ) mod n

11 mod 8 = 3 , 15 mod 8 = 7 [ ( 11mod 8] + ( 15 mod 8 ) ] mod 8 = ( 11 + 15 ) mod 8 = 26 mod 8 = 2 2- [ ( a mod n] - ( b mod n ) ] mod n = (a + b ) mod n [ ( 11mod 8] - ( 15 mod 8 ) ] mod 8 = ( 11 - 15 ) mod 8 = -4 mod 8 = 4 3- [ ( a mod n] * ( b mod n ) ] mod n = (a *b ) mod n [ ( 11mod 8] * ( 15 mod 8 ) ] mod 8 = ( 11 * 15 ) mod 8 = 165 mod 8 = 5

ﻳﻤﻜﻦ ﺍﺳﺘﺨﺪﺍﻡ ﺭﻳﺎﺿﻴﺎﺕ ﻳﺪﻭﻳﺔ ﺳﺮﻳﻌﺔ ﻻﺣﺘﺴﺎﺏ 7 P 4P P P mod 11 = ( 4 * 4 + 4*4 + 4*4 + 4 ) mod 11 4 * 4 mod 11 = 16 mod 11 = 5 5 * 5 mod 11 = 25 mod 11 = 3 3 * 5 mod 11 = 15 mod 11 = 4 4 * 4 mod 11 = 5 7 4P P mod 11 = 5

10-5 ﺍﻟـﻘـﻮﺍﻧﻴﻦ ﺍﻟـﻌـﺎﻣـﺔ ﻟـﺒـﺎﻗـﻲ ﺍﻟـﻘـﺴـﻤـﺔ

ﻗﺎﻧﻮﻥ ﺍﻟﺘﺒﺎﺩﻟﻲ w+x) mod n = ( x + w ) mod n) = ( x * w ) mod n Commutative ﺍﻟﻘﺎﻧﻮﻥ w + x) + y ] mod n = [ w + ( x + y ) ] mod n )] ﺍﻟﺘﺮﺍﺑﻄﻲ w * x) * y ] mod n = [ w * ( x * y ) ] mod n Associative )] ﺍﻟﻘﺎﻧﻮﻥ w * x( + y) ] mod n = [ (w * x) + ( w * y ) ] mod n ] ﺍﻟﺘﻮﺯﻳﻌﻲ w + x( * y) ] mod n = [ (w + x) * ( w + y ) ] mod n Distributive ] ﺍﻻﺣﺎﺩﻱ w ) mod n = w mod n Identities + 0 ) ( 1 * w ) mod n = w mod n

ﻭﻛﺬﺍﻟﻚ ﺗﺤﺘﻮﻱ ﻋﻠﻰ ﻣﺠﻤﻮﻋﺔ ﻣﻦ ﺍﻟﺼﻔﺎﺕ

X+Y MOD 7

+ 0 1 2 3 4 5 6 0 0 1 2 3 4 5 6

1 1 2 3 4 5 6 0

2 2 3 4 5 6 0 1 3 3 4 5 6 0 1 2 4 4 6 6 0 1 2 3 5 5 0 0 1 2 3 4

X*Y MOD 7

* 0 0 0 0 0 0 0 0 0 1 2 3 4 5 6

1 0 2 3 4 5 6 0

2 0 3 4 5 6 0 1 3 0 4 5 6 0 1 2 4 0 6 6 0 1 2 3 5 5 0 0 1 2 3 4

11-5 ﻣﻌﻜﻮﺱ ﺍﻟﻤﺼﻔﻮﻓﺔ

ﻹﻳﺠﺎﺩ ﻣﻌﻜﻮﺱ ﻣﺼﻔﻮﻓﺔ ﺑﺎﺳﺘﺨﺪﺍﻡ ﻧﺎﺗﺞ ﺍﻟﻘﺴﻤﺔ ( Mod ) ﺣﻴﺚ ﻳﺘﻢ ﺇﻳﺠﺎﺩ ﻣﻌﻜﻮﺱ ﻣﺼﻔﻮﻓﺔ ﺑﺎﻟﻄﺮﻕ ﺍﻟﺮﻳﺎﺿﻴﺔ ﺍﻻﻋﺘﻴﺎﺩﻳﺔ . ﻣﻦ ﺍﻟﻤﻌﻠﻮﻡ ﺭﻳﺎﺿﻴﺎ ﻹﻳﺠﺎﺩ ﻣﻌﻜﻮﺱ ﺍﻟﻤﺼﻔﻮﻓﺔ ﻳﺠﺐ ﺇﻥ ﺗﻜﻮﻥ ﺍﻟﻤﺼﻔﻮﻓﺔ ﻣﺮﻳﻌﺔ ﺃﻱ ﻋﺪﺩ ﺻﻔﻮﻓﻬﺎ ﻳﺴﺎﻭﻱ ﻋﺪﺩ ﺃﻋﻤﺪﺗﻬﺎ . ﺇﻥ ﻗﺎﻧﻮﻥ ﻣﻌﻜﻮﺱ ﻣﺼﻔﻮﻓﺔ ( 2x2 :( :( 2x2

-1 a b P P 1 d -b c d = -c a ad – bc ﻣﺜﺎﻝ : ﻟﻴﻜﻦ ﻟﺪﻳﻨﺎ ﺍﻟﻤﺼﻔﻮﻓﺔ ﺍﻟﺘﺎﻟﻴﺔ A= 1 2 3 4 det(A) = ad – bc = 1*4 – 3*2 = 4 – 6 = -2 1/det (A) mod 11 = 1/-2 mod 11 = ( 5*(-2)) mod 11 ≡ 1 mod 11

-1 1 2 P P 1 4 -2 4 -2 ≡ ---- ≡ 5 mod 11 3 4 2 -3 1 -3 1

5*4 mod 11 = 20 mod 11 = 9 5 * -2 mod 11 = -10 mod 11 =( z + 10 ) mod 11 = 1 5 * -3 mod 11 = -15 mod 11 = (z+15) mod 11 = 7 5 * 1 mod 11 = 5

-1 1 2 P P 9 1 ≡ 3 4 7 5

1 2 9 1 23 11 1 0 * = mod 11= 3 4 7 5 55 23 0 1

ﺇﻥ ﺍﻟﻄﺮﻳﻘﺔ ﺍﻟﻌﺎﻣﺔ ﻹﻳﺠﺎﺩ ﻣﻌﻜﻮﺱ ﻣﺼﻔﻮﻓﺔ ﻣﻜﻮﻧﺔ ﻣﻦ ( 3*3 ) ﻓﺄﻛﺜﺮ ﻫﻲ: 3*3 -1 i,j [AP ]P R i,j R = (-1 ) P P DR i,j R / det(A)

DR i,j R ﻳﺘﻢ ﺍﺣﺘﺴﺎﺏ ﺣﺬﻑ ﺻﻒ i ﻭﻋﻤﻮﺩ j ﻣﻦ ﺍﻟﻤﺼﻔﻮﻓﺔ ﻟﻨﺤﺼﻞ ﻋﻠﻰ ﻣﺼﻔﻮﻓﺔ ﻣﻜﻮﻧﺔ ﻣﻦ ﺻﻔﻴﻦ ﻭﻋﻤﻮﺩﻳﻦ (det(A ﻣﺤﺪﺩ ﺍﻟﻤﺼﻔﻮﻓﺔ -1 AP P ﻣﻌﻜﻮﺱ ﺍﻟﻤﺼﻔﻮﻓﺔ ﻟﻴﻜﻦ ﺍﻟﻤﺼﻔﻮﻓﺔ

KR11R kR12R kR13

A = kR21R kR22R kR23R

KR31R kR32R kR33R

Det(A) = (K R11R * kR22R *kR33R + k R21R * kR32R * R R kR13 R +R RKR31R* kR12 R* kR23R ) –

(KR31 * RkR22 * RkR13 R + kR21R *kR12R * kR33 R+ KR11R * kR32 * RkR23R)

1 1 1 M= 1 2 3 n= 11 1 7 9

det(A) = ( 1* 2 *9 + 1*4*1 + 1*1*3 ) –(1*2*1 + 1*1*9 + 1*4*3) = 25 – 23 = 2 -1 1/det(A ) mod n = 1/2 mod 11 = 2P P mod 11 (z * 2 ) mod 11 ≡ 1 mod 11 z = 6 1/ det(A) = 6

2 3

KR11R = (-1) 1+1 4 9

= abs( 18 – 12 ) = 6

KR11R mod n = 6 mod 11 = 6

1 3 kR12R = (-1) 1+2 1 9

= -1 abs (9-3 ) = -6 kR12R mod n = - 6 mod 11

1 2 kR13R = (-1) 1+3 1 3

= (3 -2 ) = 1

1 1 kR21R = (-1) 2+1 4 9

= - ( 9 - 4 ) = -5

1 1 kR22R = (-1) 2+2 1 9

= ( 9 - 1 ) = 8

1 1 kR23R = ( -1 ) 2+3 1 4

= -1 ( 4 -1 ) = -1 * 3 = -3

1 1

KR31R = (-1) 3+1 2 3

= ( 3 - 2 ) = 1

1 1 kR32R = ( -1 ) 3+2 1 3

= (-1) ( 3 – 1 ) = -2

1 1 kR33R =(-1) 3+3 1 2

= ( 2 - 1 ) = 1

6 -6 2 D = -5 8 -3 1 -8 -1

6 -5 1 D = -6 8 -2 2 -3 1

-1 aP PR11 R= 1/det (a) *K R11 Rmod 11 = (6 * 6 ) mod 11 = 36 mod 11 = 3

-1 aP PR12R = 1/det(A) * kR12 R mod 11 = (6 * (-5) ) mod 11 = - 30 mod 11 = 30 + z mod 11 ≡ 0 mod 11 = 3

-1 aP PR13R= 1/det(A) * kR13 Rmod 11 =( 6 * 1 ) mod 11 = 6 mod 11 =6

-1 aP PR21R = 1/det(A) * kR21R mod 11 =( 6 * -6 ) mod 11 = -36 mod 11 = z + 36 mod 11 = 8 -1 aP PR22R = 1/det(A) * kR22 Rmod 11 = (6 * 8 ) mod 11 = 48 mod 11 = 4 -1 aP P R23R = 1/det (A) * kR23R mod 11

= ( 6 * -2 ) mod 11 = -12 mod 11 = (z+ 12) mod 11 = 10 -1 aP PR31R = 1/ det (A) * KR31R mod 11 R

R R= ( 6 * 2 ) mod 11 = 1 -1 aP PR32R = 1/det(A) * kR23R mod 11 = (6 * -3 ) mod 11 = -18 mod 11 = (z+18) mod 11 = 4 -1 aP PR33R = 1/det(A) * kR33R mod 11 = ( 6* 1 ) mod 11 = 6 mod 11 = 6

Classical Encryption

Codes, Ciphers, Encryption and Cryptography

Cryptography is the discipline of using codes and ciphers to encrypt a message and make it unreadable unless the recipient knows the secret to decrypt it. Encryption has been used for many thousands of years. The following codes and ciphers can be learned and used to encrypt and decrypt messages by hand.

Monoalphabetic Ciphers

A monoalphabetic cipher uses the same substitution across the entire message. For example, if you know that the letter A is enciphered as the letter K, this will hold true for the entire message. These types of messages can be cracked by using frequency analysis, educated guesses or trial and error.

• Caesar Cipher

• Atbash Cipher

• Keyword Cipher

• Pigpen / Masonic Cipher

• Polybius Square

Polyalphabetic Ciphers

In a polyalphabetic cipher, the substitution may change throughout the message. In other words, the letter A may be encoded as the letter K for part of the message, but later on it might be encoded as the letter W.

• Vigenère Cipher

• Beaufort Cipher

• Autokey Cipher

• Running Key Cipher

Polygraphic Ciphers

Instead of substituting one letter for another letter, a polygraphic cipher performs substitutions with two or more groups of letters. This has the advantage of masking the frequency distribution of letters, which makes frequency analysis attackes much more difficult.

• Playfair Cipher

• Bifid Cipher

• Trifid Cipher

• Four-square cipher

Transposition Ciphers

Unlike substitution ciphers that replace letters with other letters, a transposition cipher keeps the letters the same, but rearranges their order according to a specific algorithm.

• Rail Fence

• Route Cipher

• Columnar Transposition

Other Ciphers and Codes

• Book Cipher

• Beale Cipher

• Morse Code

• Tap Code

• One-time Pad

• Scytale

• Semaphore

• ASCII

• Steganography

Transposition Ciphers

Rail Fence

In the rail fence cipher, the plaintext is written downwards on successive "rails" of an imaginary fence, starting a new column when the bottom is reached. The message is then read off in rows. For example, if we have 3 rails and a message of "This is a secret message", you would write out:

T S A C T S G H I S R M S E I S E E E A J

The last J is just a random letter to fill in the space. The secret message is then condensed and regrouped.

TSACT SGHIS RMSEI SEEEA JGURL

To decipher a message you must know the number of rails that were used to encipher it. You then break up the letters into equal groups for each rail. For example, if you are using 3 rails, you would break the secret message into 3 equal groups. Now you stack the groups on top of each other and read off the message vertically. If you get gibberish, then there are probably some extra letters tacked on the end of the message that are throwing off the grouping. Try removing one letter from the end and try again.

Rail Fence Encoder / Decoder

Number of rails: 3

Plaintext Ciphertext

This is a secret message TSACTSGHISRMSEISEEEAJ

Encipher Decipher

Route Cipher

A Route Cipher is very similar to a Rail Fence cipher with one exception. You still write the message vertically in columns, but instead of reading off the secret message horizontally, you read it off using a predetermined pattern. For example, lets use a spiral pattern for this one:

T S A C T S G H I S R M S E I S E E E A J

The last J is just a random letter to fill in the space. If we are using a clockwise spiral to read off the message, then it becomes:

TSACTSGEJAEEESIHISRMSE

A more complex pattern could be, "every other letter going backwards to the front and then every other letter going forwards to the end again", which would give you a secret message of:

JEEISRIGTATSCSHSMESEA

The complex pattern makes this algorithm difficult to decipher unless you know the key.

Columnar Transposition

In a columnar transposition, the message is written out in rows of a fixed length. The message is then read out by column by column, where the columns are chosen in some scrambled order. The number of columns and the order in which they are chosen is defined by a keyword. For example, the word ZEBRAS is 6 letters long. Therefore, there are 6 columns that will be read of in the following order: 6 3 2 4 1 5. The order is chosen by the alphabetical order of the letters in the keyword.

****************Regular Case

In a regular columnar transposition cipher, the empty spaces are filled with random letters. For example, suppose we use the keyword ZEBRAS and the message WE ARE DISCOVERED FLEE AT ONCE. Our grid would look like this:

Z E B R A S 6 3 2 4 1 5 ------W E A R E D I S C O V E R E D F L E E A T O N C E Q K J E U

The six columns are now written out in the scrambled order defined by the keyword:

EVLNE ACDTK ESEAQ ROFOJ DEECU WIREE **************************** Irregular Case

In the irregular case, the empty letters are not filled in with random letters:

Z E B R A S 6 3 2 4 1 5 ------W E A R E D I S C O V E R E D F L E E A T O N C E

This results in the following (shorter) ciphertext:

EVLNA CDTES EAROF ODEEC WIREE

To decipher it, the recipient has to work out the column lengths by dividing the message length by the key length. This step is slightly more difficult if the irregular case is used. After determining the number of columns, the message can be written in columns and rearranged back into the plaintext message.

Double Column Transposition

To make the message even more difficult to decipher, you can take the ciphertext produced by this algorithm and run it through the encryption again using a different keyword. This transposes the columns twice and makes the message extremely difficult to decipher.

Keyword Cipher Encoder

Keyword: Z EBRA S Use Irregular Case

Plaintext Ciphertext

WEA REDISCOV EREDFLEEA TONCE EV LNA A CDTJESEA IROFOFDEECBWIREE

Encipher Decipher

Monoalphabetic Ciphers

Caesar Cipher

A Caesar cipher is one of the simplest (and easiest cracked) encryption methods. It is a Substitution Cipher that involves replacing each letter of the secret message with a different letter of the alphabet which is a fixed number of positions further in t he a lphabet. B ecause each letter in t he message has a di rect t ranslation t o another l etter, frequency a nalysis can b e u sed to decipher t he message. F or example, the letter E is the most commonly used letter in t he E nglish language. Thus, i f t he most co mmon letter in a s ecret message i s K, i t is like ly t hat K represents E. Additionally, c ommon word endings s uch a s ING, LY, a nd ES a lso give clues. A brute-force a pproach of trying all 25 possible combinations would also work to decipher the message.

Example

In this example, each letter in the plaintext message has been shifted 3 letters down in the alphabet.

Plaintext: This is a secret message Ciphertext: wklv lv d vhfuhw phvvdjh

Caesar Encoder / Decoder

Number of letters to shift to the right: 3

Plaintext Ciphertext

This is a secret message w klv lv d vhfuhw phvvdjh

Encipher Decipher

Atbash Cipher

The Atbash cipher is a very specific case of a substitution cipher where the letters of the alphabet are reversed. In otherwords, all As are replaced with Zs, all Bs are replaced with Ys, and so on. Because reversing the alphabet twice will get you actual alphabet, you can encipher and decipher a message using the exact same algorithm.

Example Plaintext: This is a secret message Ciphertext: Gsrh rh z hvxivg nvhhztv

Atbash Encoder / Decoder

Plaintext Ciphertext

This is a secret message Gsrh rh z hvxivg nvhhztv

Encipher

Keyword Cipher

The Keyword cipher is identical to the Caesar Cipher with the exception that the substitution alphabet used can be represented with a keyword. To create a substitution alphabet from a keyword, you first write down the alphabet. Below this you write down the keyword (omitting duplicate letters) followed by the remaining unused letters of the alphabet.

ABCDEFGHIJKLMNOPQRSTUVWXYZ KEYWORDABCFGHIJLMNPQSTUVXZ

To encipher a plaintext message, you convert all letters from the top row to their correspondng letter on the bottom row (A to K, B to E, etc). These types of simple substitution ciphers can be easily cracked by using frequency analysis and some educated guessing.

Keyword Cipher Encoder

Keyword: keyw ord

Plaintext Ciphertext

this is a secret message qabp bp k poynoq hoppkdo

Encipher Decipher

Pigpen / Masonic Cipher

The p igpen c ipher ( sometimes ca lled t he masonic c ipher o r Freemason's c ipher) is a s imple s ubstitution c ipher e xchanging letters for symbols based on a grid. The scheme was developed and used by the Freemasons in t he ear ly 1700s f or r ecord-keeping a nd correspondence. T he ex ample ke y s hows on e w ay t he letters can be assigned to the grid.

Polybius Square

A Polybius Square is a table that allows someone to translate letters into numbers. To give a small level of encryption, this table can be randomized and shared with the recipient. In order to fit the 26 letters of the alphabet into the 25 spots created by the table, the letters i and j are usually combined.To encipher a message you replace each letter with the row and column in which it appears. For example, D would be replaced with 14. To decipher a message you find the letter that intersects the specified row and column.

1 2 3 4 5

1 A B C D E

2 F G H I K

3 L M N O P

4 Q R S T U

5 V W X Y Z

Example:

Plaintext: This is a secret message Ciphertext: 44232443 2443 11 431513421544 32154343112215

Polybius Square Encoder / Decoder

Plaintext Ciphertext

This is a secret message 44232443 2443 11 431513421544 321543

Encipher Decipher

Polyalphabetic Ciphers

Vigenère Cipher

In a Caesar Cipher, each letter of the alphabet is shifted along some number of places; for example, in a Caesar cipher of shift 3, A would become D, B would

12 become E and so on. The Vigenere cipher consists of using several Caesar ciphers in sequence with different shift values.

To encipher, a table of alphabets can be used, termed a tabula recta, Vigenère square, or Vigenère table. It consists of the alphabet written out 26 times in different rows, each alphabet shifted cyclically to the left compared to the previous alphabet, corresponding to the 26 possible Caesar ciphers. At different points in the encryption process, the cipher uses a different alphabet from one of the rows. The alphabet used at each point depends on a repeating keyword.

For example, suppose that the plaintext to be encrypted is:

ATTACKATDAWN

The person sending the message chooses a keyword and repeats it until it matches the length of the plaintext, for example, the keyword "LEMON":

LEMONLEMONLE

Each letter is encoded by finding the intersection in the grid between the plaintext letter and keyword letter. For example, the first letter of the plaintext, A, is enciphered using the alphabet in row L, which is the first letter of the key. This is done by looking at the letter in row L and column A of the Vigenere square, namely L. Similarly, for the second letter of the plaintext, the second letter of the key is used; the letter at row E and column T is X. The rest of the plaintext is enciphered in a similar fashion:

Plaintext: ATTACKATDAWN Key: LEMONLEMONLE Ciphertext: LXFOPVEFRNHR

Decryption is performed by finding the position of the ciphertext letter in a row of the table, and then taking the label of the column in which it appears as the plaintext. For example, in row L, the ciphertext L appears in column A, which taken as the first plaintext letter. The second letter is decrypted by looking up X in row E of the table; it appears in column T, which is taken as the plaintext letter.

A Gronsfeld cipher is identical to the Vigenere cipher with the exception that only 10 rows are used which allows the keyword to be a number instead of a word.

A Beaufort cipher uses the same alphabet table as the Vigenère cipher, but with a different algorithm. To encode a letter you find the letter in the top row. Then trace down until you find the keyletter. Then trace over to the left most column to find the enciphered letter. To decipher a letter, you find the letter in the left column, trace over to the keyletter and then trace up to find the deciphered letter.

An Autokey cipher is identical to the Vigenère cipher with the exception that instead of creating a keyword by repeating one word over and over, the keyword is constructed by appending the keyword to the begining of the actual plaintext message.

A Running Key cipher is identical to the Vigenère cipher with the exception that the keyword is chosen to be a book or long passage.

Beaufort Cipher

To encrypt a plaintext message using the Vigenère Cipher, one locates the row with the first letter to be encrypted, and the column with the first letter of the keyword. The ciphertext letter is located at the intersection of the row and column. This continues for the entire length of the message.

Autokey Cipher

To encrypt a plaintext message using the Vigenère Cipher, one locates the row with the first letter to be encrypted, and the column with the first letter of the keyword. The ciphertext letter is located at the intersection of the row and column. this continues for the entire length of the message.

For example, if your plain text message was:

This is a secret message

And your keyword was "zebra", then your actual keyword would be:

zebrathisisasecretmessage

Enciphering and deciphering the message is performed using the exact same method as the Vigenère Cipher

Running Key Cipher

In a Running Key cipher, the keyword is the text of a predetermined book or passage. For example, if the chossed book was "A Tale of Two Cities" by Charles Dickens, then the keyword would be It was the best of times, it was the worst of times...

Enciphering and deciphering the message is performed using the exact same method as the Vigenère Cipher. If the predetermined passage is a string of random letters that is only used once and then discarded, this is similar to a One-time Pad.

Polygraphic Ciphers

Playfair Cipher

The Playfair cipher encrypts pairs of letters (digraphs), instead of single letters. This is significantly harder to break since the frequency analysis used for simple substitution ciphers is considerably more difficult.

Memorization of the keyword and 4 simple rules is all that is required to create the 5 by 5 table and use the cipher.

K E Y W O R D A B C F G H I J L M N P S T U V X Z

The Playfair cipher uses a 5 by 5 table containing a key word or phrase. To generate the table, one would first fill in the spaces of the table with the letters of the keyword (dropping any duplicate letters), then fill the remaining spaces with the rest of the letters of the alphabet in order (to reduce the alphabet to fit you can either omit "Q" or replace "J" with "I"). In the example to the right, the keyword is "playfair example".

To encrypt a message, one would break the message into groups of 2 letters. If there is a dangling letter at the end, we add an X. For example. "Secret Message" becomes "SE CR ET ME SS AG EX". We now take each group and find them out on the table. Noticing the location of the two letters in the table, we apply the following rules, in order.

1. If both letters are the same, add an X between them. Encrypt the new pair, re-pair the remining letters and continue. 2. If the letters appear on the same row of your table, replace them with the letters to their immediate right respectively, wrapping around to the left side of the row if necessary. For example, using the table above, the letter pair GJ would be encoded as HF.

3. If the letters appear on the same column of your table, replace them with the letters immediately below, wrapping around to the top if necessary. For example, using the table above, the letter pair MD would be encoded as UG. 4. If the letters are on different rows and columns, replace them with the letters on the same row respectively but at the other pair of corners of the rectangle defined by the original pair. The order is important - the first letter of the pair should be replaced first. For example, using the table above, the letter pair EB would be encoded as WD.

To decipher, ignore rule 1. In rules 2 and 3 shift up and left instead of down and right. Rule 4 remains the same. Once you are done, drop any extra Xs that don't make sense in the final message and locate any missing Qs or any Is that should be Js.

Playfair Cipher Encoder / Decoder

Keyword: keyw ord Omit Q Replace J with I

Plaintext Ciphertext

thisisasecretmessage vf jp jp cn od dk ul om nc md

Encipher Decipher

Bifid Cipher

The Bifid Cipher uses a Polybius Square to encipher a message in a way that makes it fairly difficult to decipher without knowing the secret. This is because each letter in the ciphertext message is dependent upon two letters from the plaintext message. As a result, frequency analysis of letters becomes much more difficult.

1 2 3 4 5

1 A B C D E

2 F G H I K

3 L M N O P

4 Q R S T U

5 V W X Y Z

The first step is to use the Polybius Square to convert the letters into numbers. We will be writing the numbers vertically below the message.

secret message 411414 3144121 353254 2533125

The numbers are now read off horizontally and grouped into pairs.

41 14 14 31 44 12 13 53 25 42 53 31 25

The Polybius Square is used again to convert the numbers back into letters which gives us our ciphertext.

qddltbcxkrxlk

Since the first letter in the plaintext is encoded into the first and middle letters of the ciphertext, the recipient of the message must have the entire message before they can decode it. This means that if part of the ciphertext is discovered by a third party, it is unlikely that they will be able to crack it.

To decipher a Bifid encrypted message, you first convert each letter into its corresponding number via the Polybius Square. Now, divide the long string of numbers into two equal rows. The digit in the top row and the digit in the bottom row will together reference the decoded letter in the Polybius Square.

The Bifid Cipher can be taken into three dimensions to slightly increase the security of the message. This new cipher is called the Trifid Cipher.

Bifid Encoder / Decoder

Plaintext Ciphertext

secretmessage qddltbcxkrxlk

Encipher Decipher

Trifid Cipher

The Trifid Cipher is the Bifid Cipher taken to one more dimension. Instead of using a 5x5 Polybius Square, you use a 3x3x3 cube. Otherwise everything else remains the same. As with the Bifid Cipher, the cube can be mixed to add an extra layer of protection, but for these examples we not be using a mixed alphabet cube.

The first step is to use the cube to convert the letters into numbers. We will be writing the numbers vertically below the message in the order of Layer, Column, Row.

secret message 311213 2133111 123322 1211112 121321 2211132

The numbers are now read off horizontally and grouped into triplets.

311 213 213 311 112 332 212 111 121 213 212 211 132

The cube is used again to convert the numbers back into letters which gives us our ciphertext.

Sppsdxmabpmjf

To decipher a Trifid encrypted message, you first convert each letter into its corresponding number via the cube. Now, divide the long string of numbers into three equal rows. Now, read off each column and use the cube to convert the three numbers into the plaintext letter.

Layer 1 Layer 2 Layer 3

1 2 3 1 2 3 1 2 3

1 A B C 1 J K L 1 S T U

2 D E F 2 M N O 2 V W X

3 P Q R 3 Y Z . 3 G H I

Trifid Encoder / Decoder

Plaintext Ciphertext

secretmessage sppsdxmabpmjf

Encipher Decipher

Four-square cipher

The four-square cipher encrypts pairs of letters (digraphs) and is thus less susceptible to frequency analysis attacks.

The four-square cipher uses four 5 by 5 matrices arranged in a square. Each of the 5 by 5 matrices contains the letters of the alphabet (usually omitting "Q" or putting both "I" and "J" in the same location to reduce the alphabet to fit). In general, the upper-left and lower-right matrices are the "plaintext squares" and each contain a standard alphabet. The upper-right and lower-left squares are the "ciphertext squares" and contain a mixed alphabetic sequence. a b c d e E X A M P f g h i j L B C D F k l m n o G H I J K p r s t u N O R S T v w x y z U V W Y Z

K E Y W O a b c d e R D A B C f g h i j F G H I J k l m n o L M N P S p r s t u T U V X Z v w x y z

To generate the ciphertext squares, one would first fill in the spaces in the matrix with the letters of a keyword or phrase (dropping any duplicate letters), then fill the remaining spaces with the rest of the letters of the alphabet in order. The four- square algorithm allows for two separate keys, one for each of the two ciphertext

23 matrices. In the example to the right, "EXAMPLE" and "KEYWORD" have been used as keywords. To encrypt a message you would first split the message into digraphs. "This is a secret message" would become:

TH IS IS AS EC RE TM ES SA GE a b c d e E X A M P f g h i j L B C D F k l m n o G H I J K p r s t u N O R S T v w x y z U V W Y Z

K E Y W O a b c d e R D A B C f g h i j F G H I J k l m n o L M N P S p r s t u T U V X Z v w x y z

Once that was complete, you would take the first pair of letters and find the first letter in the upper left square and the second letter in the lower right square. In this example we are enciphering TH, so we locate T and H in the grid below (see blue characters). Now, we find the intersections of the rows and columns of the plain text letters. In this example, they have been highlighted in red (R and B). These new letters are the enciphered digraph (RB).

You continue enciphering digraphs in this way until you reach the end of the message. To continue our example, "This is a secret message" would be enciphered as:

RB CP CP AL AO TE RI AS NY FE

Other Ciphers and Codes

ASCII

ASCII is a code used by computers to represent characters as numbers. This allows computers to store a letter as one byte of information. One byte of information allows you to represent 256 different values, which is enough to encode all the letters (uppercase and lowercase) as well as the numbers 0-9 and other special characters such as the @ symbol.

ASCII Encoder / Decoder

Plaintext ASCII

This is a secret message 84 104 105 115 32 105 115 32 97 32 115

Convert to ASCII Convert from ASCII

Beale Cipher

A beale cipher is a modified Book Cipher. Instead of replacing each word in the secret message with a number, you replace each letter in the secret message with a number. The letter by letter method makes it easier to encode a message with unusual words that may not appear in the book. With this method, each letter in the

25 secret message is replaced with a number which represents the position of a word in the book which starts with this letter. For example, if we are enciphering the word "attack" we would start with the letter A. We would find a word in the book that started with A. Lets say that the 27th word was "and". The letter A is now translated to 27. An encoded message may look something like this.

713 23 245 45 124 1269 586 443 8 234

It should be noted that for enhanced security, the same number should not be used for the same letter throughout the secret message. Because you have a book, you can pick multiple numbers for each letter and use them interchangeably.

Beale Encoder

Plaintext Book

secret seven crazy termites eat rotten elderberrie

(To protect our server, these fields can hold a maximum of 5000 characters each)

Encipher

Beale Decoder

Ciphertext Book

1 4 2 5 6 3 seven crazy termites eat rotten elderberrie

(To protect our server, these fields can hold a maximum of 5000 characters each)

Decipher

Book Cipher

A book cipher uses a large piece of text to encode a secret message. Without the key (the piece of text) it is very difficult to decrypt the secret message. To implement a book cipher, each word in the secret message would be replaced with a number which represents the same word in the book. For example, if the word "attack" appeared in the book as word number 713, then "attack" would be replaced with this number. The result would be an encoded message that looked something like this.

713 23 245 45 124 1269 586 443 8 234

To decipher the message you simply count the number of words in the book and write down each one

Frequency Analysis

Frequency Analysis is a cryptanalysis technique of studying the frequency that letters occur in the encrypted ciphertext. In English, certain letters are more

27 commonly used than others. This fact can be used to take educated guesses at deciphering a Monoalphabetic Substitution Cipher.

Here is the alphabet in order of the frequency that each letter is used.

E, T, A, O, I, N, S, R, H, L, D, C, U, M, F, P, G, W, Y, B, V, K, X, J, Q, Z

Morse Code

Morse code is a method for transmitting information, using standardized sequences of short and long marks or pulses - commonly known as "dots" and "dashes" - for the letters, numerals, punctuation and special characters of a message.

Originally created for Samuel Morse's electric telegraph in the mid-1830s, it was also extensively used for early radio communication beginning in the 1890s. However, with the development of more advanced communications technologies, the widespread use of Morse code is now largely obsolete.

When using morse code, a dash is equal to three dots. A space between parts of the same letter is equal to one dot. A space between two letters is equal to three dots and a space between two words is equal to five dots.

Morse Code Encoder / Decoder

Please use a period (.) for a dot and a minus (-) for a dash. When typing morse code, use a space to separate letters and a double space to separate words.

Plaintext Morse Code

This is a message - ...... - -- ...... - --. .

Encode Decode

One-time Pad

The one-time pad is a long sequence of random letters. These letters are combined with the plaintext message to produce the ciphertext. To decipher the message, a person must have a copy of the one-time pad to reverse the process. A one-time pad should be used only once (hence the name) and then destroyed. This is the first and only encryption algorithm that has been proven to be unbreakable.

To encipher a message, you take the first letter in the plaintext message and add it to the first random letter from the one-time pad. For example, suppose you are enciphering the letter S (the 19th letter of the alphabet) and the one-time pad gives you C (3rd letter of the alphabet). You add the two letters and subtract 1. When you add S and C and subtract 1, you get 21 which is U. Each letter is enciphered in this method, with the alphabet wrapping around to the begining if the addition results in a number beyond 26 (Z).

To decipher a message, you take the first letter of the ciphertext and subtract the first random letter from the one-time pad. If the number is negative you wrap around to the end of the alphabet.

Example

29 plaintext : SECRETMESSAGE one-time pad: CIJTHUUHMLFRU ciphertext : UMLKLNGLEDFXY

One-time Pad Encoder / Decoder

Plaintext / Ciphertext One-time pad

SECRETMESSAGE CIJTHUUHMLFRU

Encipher Decipher

Enciphered Message: UMLKLNGLEDFXY

Semaphore

Sempahore is similar to Morse code in that each letter of a message is translated into another form to allow it to be more easily communicated. While Morse code is used to send messages electronically over a telegraph line, semaphore is used to visually communicate information over long distances.

To use semaphore, an operator holds a flag or lighted wand in each hand. The operator extends their arms to the correct position and pauses for each letter of the message. "Attention" is the only signal that involves movement and the "rest" position is the only time when the flags should cross.

Tap Code

The Tap Code is a code (similar to Morse Code), commonly used by prisoners in jail to communicate with one another. The method of communicating is usually by "tapping" either the metal bars or the walls inside the cell, hence its name. It is a very simple code, not meant to avoid interception, since the messages are sent in cleartext.

It was reportedly invented by four POWs imprisoned in 1 2 3 4 5 Vietnam and is sometimes called "Smitty Code" after Captain Carlyle ("Smitty") Harris. Harris remembered an Air Force 1 A B C D E instructor who had shown him a code based on a five-by-five alphabet matrix (a Polybius square), as shown on the graph. 2 F G H I J

Each letter was communicated by tapping two numbers. The 3 L M N O P first designated the horizontal row and the second designated the vertical row. The letter "X" was used to break up sentences 4 Q R S T U and the letter "C" replaced the letter "K". 5 V W X Y Z For example, to communicate the word "WATER" the code would be the following

......

Because of the difficulty and length of time required for specifying a single letter, most prisoners devised abbreviations and acronyms for common items or phrases.

Tap Code Encoder / Decoder

Please use a period (.) for a tap. When typing tap code, use a space to separate tap groups, a double space to separate letters and a / to separate words.

Plaintext Morse Code

This is a message ...... / ...... / . .

Encode Decode

Data Encryption Standard (DES)

Block Cipher Block Cipher - An encryption scheme that "the clear text is broken up into blocks of fixed length, and encrypted one block at a time". Usually, a block cipher encrypts a block of clear text into a block of cipher text of the same length. In this case, a block cipher can be viewed as a simple substitute cipher with character size equal to the block size. ECB Operation Mode - Blocks of clear text are encrypted independently. ECB stands for Electronic Code Book. Main properties of this mode:

• Identical clear text blocks are encrypted to identical cipher text blocks. • Re-ordering clear text blocks results in re-ordering cipher text blocks. • An encryption error affects only the block where it occurs.

CBC Operation Mode - The previous cipher text block is XORed with the clear text block before applying the encryption mapping. Main properties of this mode:

• An encryption error affects only the block where is occurs and one next block.

Product Cipher - An encryption scheme that "uses multiple ciphers in which the cipher text of one cipher is used as the clear text of the next cipher". Usually, substitution ciphers and transposition ciphers are used alternatively to construct a product cipher. Iterated Block Cipher - A block cipher that "iterates a fixed number of times of another block cipher, called round function, with a different key, called round key, for each iteration". Feistel Cipher - An iterate block cipher that uses the following algorithm: Input: T: 2t bits of clear text k1, k2, ..., kr: r round keys f: a block cipher with bock size of t

Output: C: 2t bits of cipher text

Algorithm: (L0, R0) = T, dividing T in two t-bit parts (L1, R1) = (R0, L0 ^ f(R0, k1)) (L2, R2) = (R1, L1 ^ f(R1, k2)) ...... C = (Rr, Lr), swapping the two parts ^ is the XOR operation.

DES Cipher - A 16-round Feistel cipher with block size of 64 bits. DES stands for Data Encryption Standard.

Data Encryption Standard (DES) The Data Encryption Standard (DES), known as the Data Encryption Algorithm (DEA) by ANSI and the DEA-1 by the ISO, has been most widely used block cipher in world, especially in financial industry. It encrypts 64-bit data, and uses 56-bit key with 16 48-bit sub-keys.

6.1 DES (Data Encryption Standard) history In the early 1970s, there are no cryptagraphic equipment available on the market. Although several small companies made and sold cryptographic equipment. The equipment was all different and couldn't interoperate. No one really knew if any of it was secure; there was no independent body to certify the security. In 1972, the National Bureau of Standards (NBS), now the National Institute of Standards and Technology (NIST), initiated a program to protect computer and communications data. As part of that program, they wanted to develop a single, standard cryptographic algorithm. A single algorithm could be tested and certified, and different cryptographic equipment using it could interoperate. It would also be cheaper to implement and readily available. In the May, 1973 and again in August, 1974, the NBS issued a public request for proposals for a standard cryptographic algorithm. They specified a series of design criteria: The algorithm must be:

• security

• completely specified

• easy to understand

• public

• available to all users

• efficient to use

• able to be validated

• exportable

Public response indicated that there was considerable interest in a cryptographic standard, but little public expertise in the field. Most of the submissions are reworked classical or machine cipher; none of the submissions came close to meeting the requirements. However, IBM submitted an algorithm based on one developed by IBM during the early 1970s, called Lucifer. The algorithm, although complicated, was straightforward. It used only simple logical operations on small groups of bits and could be implemented fairly efficiently in hardware. The proposed standard was adopted as a federal standard in November, 1976 and authorized for use on all unclassified government communications. ANSI approved DES as a private- sector standard in 1980.

6.2 Description of DES

DES is a block cipher; it encrypts data in 64-bit blocks. A 64-bit block of plaintext goes in one end of the algorithm and a 64-bit block of ciphertext comes out the other end. DES is a symmetric algorithm: The same algorithm and key are used for both encryption and decryption (except for minor differences in the key schedule). The key length is 56 bits. (The key is usually expressed as a 64-bit number, but

every eighth bit is used for parity checking and is ignored. These parity bits are the least- significant bits of the key bytes.) The key can be any 56-bit number and can be changed at any time. All security rests within the key. At its simplest level, the algorithm is nothing more than a combination of the two basic techniques of encryption: confusion and diffusion. The fundamental building block of DES is a single combination of these techniques (a substitution followed by a permutation) on the text, based on the key. This is known as a round. DES has 16 rounds; it applies the same combination of techniques on the plaintext block 16 times (see Figure 6.1).

Figure 6.1 DES

Outline of the Algorithm The basic process in enciphering a 64-bit data block using the DES consists of:

• an initial permutation (IP)

• 16 rounds of a complex key dependent calculation f

• final permutation, being the inverse of IP

In each round (see Figure 6.2), the key bits are shifted, and then 48 bits are selected from the 56 bits of the key. The right half of the data is expanded to 48 bits via an expansion permutation, combined with 48 bits of a shifted and permuted key via an XOR, sent through 8 S-boxes producing 32 new bits, and permuted again. These four operations make up Function f. The output of Function f is then combined with the left half via another XOR. The result of these operations becomes the new right half; the old right half becomes the new left half. If Bi is the result of the ith iteration, Li and Ri are the left and right halves of Bi, Ki is the 48-bit key for round i, and f is the function that does all the substituting and permuting and XORing with the key, then a round looks like:

Li = R j-1

Ri = L i-1 Xor f (Ri-1, Ki)

Figure 6.2 One round of DES

The Initial Permutation The initial permutation occurs before round 1; it transposes the input block as described in Table 6.1. This table, like all the other tables in this lecture, should be read left to right, top to bottom. For example, the initial permutation moves bit 58 of the plaintext to bit position 1, bit 50 to bit position 2, bit 42 to bit position 3, and so forth. The initial permutation and the corresponding final permutation do not improve DES's security, just make DES more complex.

Example:

IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)

Note that all numbers are written in hexadecimal as a "short-form" version of the binary actually used, since 1 Hex digit = 4 Binary bits. The digit mapping is: 0=0000 1=0001 2=0010 3=0011 4=0100 5=0101 6=0110 7=0111 8=1000 9=1001 a=1010 b=1011 c=1100 d=1101 e=1110 f=1111

The Key Transformation Initially, the 64-bit DES key is reduced to a 56-bit key by ignoring every eighth bit. Let us call this operation PC1. This is described in Table 6.2.

PC2 is the operation which reduces the 56-bits key to a 48-bits subkey for each of the 16 rounds of DES. These subkeys, Ki, are determined in the following manner. PC1 splits the key bits into 2 halves (C and D), each 28-bits. The halves C and D are circularly shifted left by either one or two bits, depending on the round. This shift is given in Table 6.3.

After being shifted, 48 out of the 56 bits are selected. This is done by an operation called compression permutation, it permutes the order of the bits as well as selects a subsets of bits. Table 6.4 defines the compression permutation.

Example: keyinit(5b5a5767, 6a56676e) PC1(Key) C=00ffd820, D=ffec9370

KeyRnd01 C1=01ffb040, D1=ffd926f0, PC2(C,D)=(38 09 1b 26 2f 3a 27 0f) KeyRnd02 C2=03ff6080, D2=ffb24df0, PC2(C,D)=(28 09 19 32 1d 32 1f 2f) KeyRnd03 C3=0ffd8200, D3=fec937f0, PC2(C,D)=(39 05 29 32 3f 2b 27 0b) KeyRnd04 C4=3ff60800, D4=fb24dff0, PC2(C,D)=(29 2f 0d 10 19 2f 1d 3f) KeyRnd05 C5=ffd82000, D5=ec937ff0, PC2(C,D)=(03 25 1d 13 1f 3b 37 2a) KeyRnd06 C6=ff608030, D6=b24dfff0, PC2(C,D)=(1b 35 05 19 3b 0d 35 3b) KeyRnd07 C7=fd8200f0, D7=c937ffe0, PC2(C,D)=(03 3c 07 09 13 3f 39 3e) KeyRnd08 C8=f60803f0, D8=24dfffb0, PC2(C,D)=(06 34 26 1b 3f 1d 37 38) KeyRnd09 C9=ec1007f0, D9=49bfff60, PC2(C,D)=(07 34 2a 09 37 3f 38 3c) KeyRnd10 C10=b0401ff0, D10=26fffd90, PC2(C,D)=(06 33 26 0c 3e 15 3f 38) KeyRnd11 C11=c1007fe0, D11=9bfff640, PC2(C,D)=(06 02 33 0d 26 1f 28 3f) KeyRnd12 C12=0401ffb0, D12=6fffd920, PC2(C,D)=(14 16 30 2c 3d 37 3a 34) KeyRnd13 C13=1007fec0, D13=bfff6490, PC2(C,D)=(30 0a 36 24 2e 12 2f 3f) KeyRnd14 C14=401ffb00, D14=fffd9260, PC2(C,D)=(34 0a 38 27 2d 3f 2a 17) KeyRnd15 C15=007fec10, D15=fff649b0, PC2(C,D)=(38 1b 18 22 1d 32 1f 37) KeyRnd16 C16=00ffd820, D16=ffec9370, PC2(C,D)=(38 0b 08 2e 3d 2f 0e 17)

Table 6.1 Initial Permutation 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7.

Table 6.2 Key Permutation 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4.

Table 6.3 Number of Key Bits Shifted per Round Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Number 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

Table 6.4 Compression Permutation 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32.

The Expansion Permutation

This operation expands the right half of the data, Ri, from 32 bits to 48 bits. Because this operation changes the order of the bits as well as repeating certain bits, it is known as an expansion permutation. This operation has two purposes: It makes the right half the same size as the key for the XOR operation and it provides a longer result that can be compressed during the substitution operation. However, neither of those is its main cryptographic purpose. For each 4-bit input block, the first and fourth bits each represent two bits of the output block, while the second and third bits each represent one bit of the output block. Table 6.5 shows which output positions correspond to which input positions. For example, the bit in position 3 of the input block moves to position 4 of the lutput block, and the bit in position 21 of the input block moves to positions 30 and 32 of the output block.

Table 6.5 Expansion Permutation 32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8. 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1

The S-Box Substitution After the compressed key is XORed with the expanded block, the 48-bit result moves to a substitution operation. The substitutions are performed by eight substitution boxes, or S-

boxes. Each S-box has a 6-bit input and a 4-bit output, and there are eight different S-boxes. The 48 bits are divided into eight 6-bit sub-blocks. Each separate block is operated on by a separate S-box: The first block is operated on by S-box 1, the second block is operated on by S-box 2, and so on. Each S-box is a table of 4 rows and 16 columns. Each entry in the box is a 4-bit number. The 6 input bits of the S-box specify under which row and column number to look for the output. Table 6.6 shows all eight S-boxes. The input bits specify an entry in the S-box in a very particular manner. Consider an S-box input of 6 bits, labeled bi, b2, b3, b, b, and b6. Bits b, and b6are combined to form a 2-bit number, from 0 to 3, which corresponds to a row in the table. The middle 4 bits, b2 through b5, are combined to form a 4-bit number, from 0 to 15, which corresponds to a column in the table. For example, assume that the input to the sixth S-box (i.e., bits 31 through 36 of the XOR function) is 110011. The first and last bits combine to form 11, which corrspends to row 3 of the sixth S-box. The middle 4 bits combine to form 1001, which corresponds to the column 9 of the same S-box. The entry under row 3, column 9 of S-box 6 is 14. (Remember to count rows and columns from 0 and not from 1.) The value 1110 is substituted for 110011. The S-box substitution is the critical step in DES. The algorithm's other operanons are linear and easy to analyze. The S-boxes are nonlinear and, more than any.hing else, give DES its security. The result of this substitution phase is eight 4-bit blocks which are recombined into a single 32-bit block. This block moves to the next step: the P-box permutation.

Table 6.6 S-Boxes

S-box 1: 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13,

S-box 2: 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9,

S-box 3: 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12,

S-box 4: 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,

3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14,

S-box 5: 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 41, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3,

S-box 6: 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13,

S-box 7: 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12,

S-box 8: 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, -2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11

Example: S(18 09 12 3d 11 17 38 39) = 5fd25e03

The P-Box Permutation The 32-bit output of the S-box substitution is permuted according to a P-box. This permutation maps each input bit to an output position; no bits are used twice and no bits are ignored. Table 12.7 shows the position to which each bit moves. For example, bit 21 moves to bit 4. while bit 4 moves to bit 3 1.

Table 6.7 P-Box Permutation 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25

Finally, the result of the P-box permutation is XORed with the left half of the initial 64-bit block. Then the left and right halves are switched and another round begins.

The Final Permutation The final permutation is the inverse of the initial permutation and is described in Table 6.8. Note that the left and right halves are not exchanged after the last round of DES; instead the concatenated block R16L16 is used as the input to the final permutation. There's nothing going on here; exchanging the halves and shifting around the permutation would yield exactly the same result. This is so that the algorithm can be used to both encrypt and decrypt.

Table 6.8 Final Permutation 40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31, 38, 6, 46, 14, 54, 22, 62 30, 37, 5, 45, 13, 53, 21, 61, 29, 36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27, 34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25.

Decrypting DES After all the substitutions, permutations, XORs, and shifting around, you might think that the decryption algorithm is completely different and just as confusing as the encryption algorithm. On the contrary, the various operations were chosen to produce a very useful property: The same algorithm works for both encryption and decryption.

With DES it is possible to use the same function to encrypt or decrypt a block. The only difference is that the keys must be used in the reverse order. That is, if the encryption keys for each round are K1, K2, K3, . . . , K16, then the decryption keys are K16, K15, K14, . . . , K1,. The algorithm that generates the key used for each round is circular as well. The key shift is a right shift and the number of positions shifted is 0, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1.

Summary DES is a widely used symmetric block cipher. It encrypts 64-bit data, and uses 56-bit key

with 16 48-bit sub-keys. The basic process in enciphering a 64-bit data block using the DES consists of:

• an initial permutation (IP).

• 16 rounds of a complex key dependent calculation f

• a final permutation, being the inverse of IP.

Review Questions

1. How many bit of data does DES encrypt?

2. What is the length of the key of DES?

3. How many rounds of key dependent calculation does DES need to encrypt data?

4. Which step in DES algorithm gives DES security?

5. If K1, K2, ..., K16 are encryption key, What is the decryption key?

Answers: 1. 64 bits.

2. 56 bits.

3. 16 rounds of calculation.

4. S-box substitution.

5. The decryption key is K16, K15, K14, K13,..., K2, K1.

Practice Test

1. True or false: DES is a block symmetric cipher which encrypt 64 bits data using same length key.

2. True or false: The same algorithm works for both encryption and decryption.

3. Which step in the algorithm gives DES security.

A)P-box permuation B)S-box substitution C) Initial permuation

4. How many boxes in the S-box substitution step?

5. In decryption, the order of key is A) same as in encryption B) the reverse order

Answers: 1. F

2. T

3. B

4. Eight

5. B

Exponential Cipher

Introduction

 traditional private/secret/single key cryptography uses one key  shared by both sender and receiver  if this key is disclosed communications are compromised  also is symmetric, parties are equal  hence does not protect sender from receiver forging a message & claiming is sent by sender

Public-Key Cryptography

 probably most significant advance in the 3000 year history of cryptography  uses two keys – a public & a private key  asymmetric since parties are not equal  uses clever application of number theoretic concepts to function  complements rather than replaces private key crypto

Why Public-Key Cryptography?

 developed to address two key issues:  key d istribution – how t o have secure communications i n g eneral without having to trust a KDC with your key  digital s ignatures – how t o verify a message co mes intact from t he claimed sender  public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976  known earlier in classified community 1

Public-Key Cryptography

 public-key/two-key/asymmetric cryptography involves the use of two keys:  a public-key, w hich may be known by a nybody, a nd can be used to encrypt messages, and verify signatures  a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures  is asymmetric because  those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Public-Key Characteristics

 Public-Key algorithms rely on two keys where:  it is computationally infeasible to find decryption ke y knowing only algorithm & encryption key 2

 it is co mputationally easy t o en/decrypt messages when the relevant (en/decrypt) key is known  either o f t he t wo related keys c an be us ed for e ncryption, w ith t he other used for decryption (for some algorithms)

Public-Key Applications

 can classify uses into 3 categories:  encryption/decryption (provide secrecy)  digital signatures (provide authentication)  key exchange (of session keys)  some algorithms are suitable for all uses, others are specific to one

Security of Public Key Schemes

 like pr ivate ke y s chemes br ute force e xhaustive s earch at tack is a lways theoretically possible 3

 but keys used are too large (>512bits)  security relies o n a large e nough d ifference in d ifficulty be tween eas y (en/decrypt) and hard (cryptanalyse) problems  more generally the hard problem is known, but is made hard enough to be impractical to break  requires the use of very large numbers  hence is slow compared to private key schemes

Exponentiation Ciphers

 We w ill c onsider two kinds of e xponentiation c iphers de veloped by the following people:

Pohlig and Hellman Rivest, Shamir, and Adleman (RSA)  Both schemes encipher a message block M ∈ [0, n – 1] b y c omputing the exponential C = M e mod n,

 where e and n are the key to the enciphering transformation.  M is restored by the same operation, but using a different exponent d for the key: M = C d mod n.

 Enciphering a nd deciphering can be i mplemented using t he fast exponentiation algorithm:

C = fast_exp(M, e, n)

M = fast_exp(C, d, n) 4

 Thm: Given e, d, M such that ed mod φ(n)

= 1,M ∈ [0, n -1] ,gcd(M, n) = 1,

Then (M e mod n) d mod n = M.

 Proof:

(M e mod n) d mod n = M ed mod n

ed mod φ(n) = 1 ⇒ ed = t φ(n) + 1

M ed mod n

= M tφ(n)+1 mod n

= M M tφ(n) mod n

= M (M tφ(n) mod n) mod n = M where

= M tφ(n) mod n

= (M φ(n) mod n) t mod n

= 1t mod n = 1 .

 Note t hat b y s ymmetry, e nciphering a nd deciphering a re c ommutative a nd mutual inverses; thus,

(M d mod n) e mod n = M de mod n = M 5

 Given φ(n), it is easy to generate a pair (e, d) such that ed mod φ(n) = 1. This is done by first choosing d relatively prime to φ(n), and then computing e as  e = inv(d, φ(n))  Because e and d are symmetric, we could also pick e and compute d = inv(e, φ(n)).  Given e, it is easy to compute d (or vice versa) if φ(n) is known. But if e and n can be r eleased without giving aw ay φ(n) o r d, t hen t he de ciphering transformation can be kept secret, while t he enciphering transformation is made public.

 It is the ability to hide φ(n) that distinguishes the two schemes.

Pohlig-Hellman Scheme

 The modulus is chosen to be a large prime p.

To encipher:

C = M e mod p

To decipher:

M = C d mod p

 Because p is prime, φ(p) = p – 1.  Thus the scheme can only be used for conventional encryption, where e and d are both kept secret.

 Ex. Le t p = 11, φ(p) = 10. C hoose d = 7 a nd compute e = inv(7, 10) = 3. Suppose M = 5. Then M is enciphered as:

C = M e mod p = 53 mod 11 = 4.

Similarly, C is deciphered as:

C d mod p = 47 mod 11 = 5 = M .

Security Concern

 The s ecurity o f t he s cheme r ests on t he complexity o f c omputing discrete logarithms.  A c ryptanalyst may deduce p by obs erving t he s izes o f p laintext a nd ciphertext blocks.  Under a known-plaintext attack, a cr yptanalyst can compute e (and thereby d) given a pair (M, C):  e = log M C  Pohlig and Hellman show that if (p – 1) has only small prime factors, it is possible to compute the logarithm in O(log2p) time, which is unsatisfactory even for large values of p.  They recommend picking p = 2p′ + 1, where p′ is also a large prime.

Discrete Logarithm

 The fastest kn own al gorithm for co mputing t he d iscrete l ogarithm takes about 3/1 3/2 e((ln ) ln(ln pp )) 7

steps.

If p is a few hundred decimal digits long, it will take several billion years to compute.

RSA description and algorithm

RSA stands for Rivest, Shamir, and Adleman, they are the inventors of the RSA c ryptosystem. R SA is o ne o f t he a lgorithms used in P KI ( Public Key Infrastructure), as ymmetric ke y e ncryption s cheme. R SA is a b lock chiper, it encrypt message in blocks (block by block).

RSA c an be used for s ecurity (encryption), c onfidentiality ( signature), a nd ke y exchange p urposes. Nowadays, it is o ften used for s ignature a nd key e xchange only, this is because the encryption and decryption are slow, it consumes times.

RSA s ecurity is s o much depends o n t he d ifficulty o f factoring large pr ime number. At this time (writing time, 2001) the calculation required to find the factor the value to break the key is slow, many cryptanalysts consider that linear attack and differential at tack are d ifficult to applied in R SA, onl y mathematical a ttack (eg: number field sieve factoring algorithm by John M. Pollard) and brute force are feasible, but the time needed to use these attacks are quite long, therefore they are considered as impractical. May be later in the future as computer speed increased, this encryption algorithm may consider i nsecure and unused, b ut do nt forget we can just s imply increase t he s ize o f t he ke y t o prevent it from at tacker. T he common size for the key length now is 1024 bits for P and Q, therefore N is 2048

bits, if the implementation (the library) of RSA is fast enough, we can double the key size.

Below is the algorithms for creating key, encryption, decryption, the signing is the same like decryption and verification is the same like encryption. These three main functions are very simple.

1. Creating keys: 1. Generate (find) two large prime numbers (P and Q) 2. Calculate N = PQ 3. Calculate M = phi(N) = (P - 1)(Q - 1) = (Euler totient function) 4. Select any integer E, the rules to select E are:

a. E is positive integer b. 0 < E < M

c. GCD (M, E) = 1 ... (GCD = Greater Common Divisor) NOTE: It is recommended to use E = 65537 (17 bits).

2. 5. Calculate D a use Extended Euclid Theorem (mod inverse)

(E * D) = 1 (mod M)

(E * D) mod M = 1

3. Public key: E, N Private key:

Normal (slow): D and N

P, Q, dP, dQ, invQ Chinese Remainder dP = E * dP mod (P-1) = 1 Theorem dQ = E * dQ mod (Q-1) = 1 (faster): invQ = Q * invQ mod P = 1

4. Encryption / Verification: Original plain text (a block value) = X ... X < N Chipertext = C ... C = (X^E) mod N 5. Decryption / Signing: Chipertext = C Dechiper text = Y

Normal (slow way): Y = (C^D) mod N

M1 = (C^dP) mod P M2 = (C^dQ) mod Q CRT (faster way): H = (M1 - M2) invQ mod P Y = M2 + (Q * H)

If everything goes fine, the value of Y a nd X should be equal (Y = X), ot herwise there is must be something wrong with the program (implementation).

Note t hat bo th e ncryption a nd decryption in R SA involve raising a large integer power followed b y mod ope ration. I f the e xponential is first do ne o ver t he t wo values and then reduced by the modulo, this operation requires very big space and many computing po wer, but we can reduce (divide) the e xponent value by 2 then continue with mod operation, repeating this simple operation is faster and use less 10

space a nd l ess c omputing p ower. A SIMPLE ps eudo c ode f or t his a lgorithm is below:

E = exponential value, M = message to encrypt, N = modulo value C = chipertext value

C = 1 ... set it as default value While E

If E is odd

C = C * M

C = C % N

E = E / 2

M = M * M

M = M % N

While Loop

Security Concern

 Because φ(n) cannot be determined without knowing the prime factors p and q, it is possible to keep d secret even if e and n are made public.

 Thus t he R SA s cheme c an be used for public-key e ncryption, w here t he enciphering t ransformation is made pu blic and the de ciphering transformation is kept secret.

 The security of the system depends on the difficulty of factoring n into p and q. T he fastest k nown factoring algorithm takes a bout the s ame number of steps required for solving the discrete logarithm problem.

More About Euler's Theorem

 Recall that for Pohlig-Hellman and RSA schemes to work, we must have M < n and gcd(M, n) = 1.

 For Pohlig-Hallman scheme, this is for sure since n is prime. But how about RSA? Since n equals p×q, it is possible t hat M is a mul tiple o f p or a multiple of q (but not both, of course).

 We want to show that even if M is a multiple of p or q, the RSA scheme still works.

What Happens When gcd(M, n) ≠ 1

 Suppose M is a multiple of p, so that M = cp for some c and gcd(M, q) = 1.

Mφ(q) mod q = 1

⇒ (Mφ(q)) φ(p) mod q = 1

⇒ Mφ(n) mod q = 1

 Therefore, there is some k such that 12

Mφ(n) = kq + 1

Multiply each side by M = cp,

Mφ(n)+1 = M + kqcp = M + ckn

Thus

Mφ(n)+1 mod n = M .

The case when M is a multiple of q is similar.

Public-Key Systems

 In a public-key system, each user has both a public and private key, and two users can communicate knowing only each other's public keys.

 User A has a public enciphering transformation EA, which may be registered

with a public directory, and a private deciphering transformation DA, which is known only to user A.

 The pr ivate transformation DA is described by a private key, and the public

transformation EA by a public key derived from the private key by a one-way transformation.

 It must be computationally infeasible to determine DA from EA.

Secrecy And Authenticity

 In a public-key system, secrecy and authenticity are both provided.

 Secrecy Suppose user A wishes to send a message M to another user B. If A

knows B's public transformation EB, A can transmit M to B in secrecy by

sending the ciphertext C = EB(M).

 On receipt, B deciphers C using B's private transformation DB, getting

 DB(C) = DB(EB(M)) = M

protected

M EK C DK M

disallowed M

public private

M EB DB M A B  The s cheme does not provide a uthenticity because a ny user w ith access to B's p ublic t ransformation c ould substitute a nother message M' for M by replacing C with C' = EB(M' ).

 AuthenticityFor authenticity, M must be transformed by A's own private

transformation DA. A sends C = DA(M) to B.

 On receipt, B uses A's public transformation EA to compute

 EA(C) = EA(DA(M)) = M .

protected

M EK C DK M C′ disallowed M′

private public

M DA EA M A B

 Authenticity is provided because only A can apply the transformation DA.

 Secrecy is n ot pr ovided because any user w ith acces s t o A's pub lic transformation can recover M.

Both Secrecy And Authenticity

 To use a public-key system for both secrecy and authenticity:

 the ciphertext space must be equivalent to the plaintext space so that

EA and DA can operate on both plaintext and ciphertext messages.

 Both EA and DA must be m utual i nverses so that EA(DA(M)) =

DA(EA(M)) = M.

 Suppose A wishes to send a message M to B. A sends to B the ciphertext

C = EB(DA(M)) .

 On receipt, B deciphers C by

EA(DB(C))

= EA(DB(EB(DA(M))))

= EA(DA(M))

= M .

private private public public

M DA EB DB EA M A B secrecy

authenticity

 RSA scheme can be used for both secrecy and authenticity.

Merkle-Hellman Knapsacks

Knapsack problem: How to find the optimal way to pack a knapsack enclosing the maximum number of objects.

Numerically:

target sum: 17

set S {4, 7, 1,12,10}

one solution set: {4, 1,12 }=17

V {1, 0, 1, 1, 0 }

N-P Complete

• basically: a n N P c omplete p roblem has a de terministic e xponential time solution. For example, 2n

• This allows us to control the brute force attack. Ie, make time to break very large!

Merkle-Hellman Knapsacks

MH Knapsack

• Each element is larger than the previous

• Example a 1, a2, a3, a4, a5, … ak-1, ak

• sums between ak and ak+1 must contain ak

– superincreasing knapsack-each integer is > ∑ ak

– also called simple knapsack

• S=[1,4,11,17,38,73] is a superincreasing knapsack

Diffie-Hellman

Diffie-Hellman found a way to break the superincreasing sequence of integers. w * x mod n. If w and n are relatively prime, w will have a multiplicitive inverse. w * w-1 = 1 mod n. (w*q) w-1 = q

Why so important?

• This allows us to create a p ublic knapsack (Hard) which can be based on a secret simple knapsack and a secret w, and n.

Example

Create a Superincreasing (or simple) knapsack

S=[1,2,4,9,19] m=5

Example

S=[1,2,4,9,19] m=5

Choose a multiplier w, and modulus n n should be larger than the largest integer in your knapsack

Hint: Choose modulus (n) to be a prime number.

Generate the Hard knapsack by hi=w * si mod n

H=[h1, h2, h3, .. Hm]

S=[1,2,4,9] 19

Example (decipher)

MH Practical Implementations

• Choose value of n to be large, 100 to 200 binary digits.

• Each element in the knapsack is 2200 apart

• 200 terms in the knapsack

• large S and H make it infeasible to use brute force. 2200 for each element in S, 1047 years to crack.

Cryptanalysis Reality!

• Merkle-Hellman was cracked in 1980 by Shamir and Zipple

• interceptor does not have to solve the basic knapsack problem to break the encryption.

• Shamir points out another flaw. 21

One-Time Pad or Vernam Cipher • The one-time pad, which is a provably secure cryptosystem, was developed by Gilbert Vernam in 1918. • The message is represented as a binary string (a sequence of 0’s and 1’s using a coding mechanism such as ASCII coding. • The key is a truly random sequence of 0’s and 1’s of the same length as the message. • The encryption is done by adding the key to the message modulo 2, bit by bit. This process is often called exclusive or, and is denoted by XOR. The symbol ⊕ is used.

a b c = a ⊕ b

0 0 0 0 1 1 1 0 1 1 1 0 One-Time Pad & Stream Ciphers 1 One-Time Pad or Vernam Cipher Example: Let the message be IF then its ASCII code be (1001001 1000110) and the key be (1010110 0110001). The ciphertext can be found exoring message and key bits Encryption: 1001001 1000110 plaintext 1010110 0110001 key 0011111 1110110 ciphertext = (v)

Decryption: 0011111 1110110 ciphertext 1010110 0110001 key 1001001 1000110 plaintext

One-Time Pad & Stream Ciphers 2 Why One-Time Pad is provably secure? Or how can we prove it is unbreakable?

• The security depends on the randomness of the key. • It is hard to define randomness. • In cryptographic context, we seek two fundamental properties in a binary random key sequence: 1. Unpredictability: Independent of the number of the bits of a sequence observed, the probability of guessing the next bit is not better than ½. Therefore, the probability of a certain bit being 1 or 0 is exactly equal to ½. 2. Balanced (Equal Distribution): The number of 1’s and 0’s should be equal.

One-Time Pad & Stream Ciphers 3 Mathematical Proof • the probability of a key bit being 1 or 0 is exactly equal to ½. • The plaintext bits are not balanced. Let the probability of 0 be x and then the probability of 1 turns out to be 1-x. • Let us calculate the probability of ciphertext bits.

mi prob. ki prob. ci prob. 0 x 0 ½ 0 ½ x 0 x 1 ½ 1 ½ x 1 1-x 0 ½ 1 ½ (1-x) 1 1-x 1 ½ 0 ½ (1-x)

• We find out the probability of a ciphertext bit being 1 or 0 is equal to (½)x + (½)(1-x) = ½. Ciphertext looks like a random sequence. One-Time Pad & Stream Ciphers 4 A Practical One-Time Pad • A satellite produces and broadcasts several random sequences of bit at a rate fast enough such that no computer can store more than a very small fraction of them. • Alice & Bob use a PKC to agree on a method of sampling bits from these random sequences. • They use these bits to form a key for one-time pad. • Eve, in theory, can break the PKC they used even though doing so is difficult. • But by the time she breaks it, random bits Alice & Bob collected disappeared and Eve can not decrypt the message since she hasn’t got the resources to store all the random bits that have been broadcast.

One-Time Pad & Stream Ciphers 5 • Symmetric-key ciphers • Encrypt individual characters at a time, • Faster and less complex in hardware, • They are desirable in some applications in which • buffering is limited • bits must be individually processed as they are received. • Transmission errors are highly probable. • Vast amount of theoretical knowledge. • Various design principles. • Widely being used at present, will probably be used in the future.

One-Time Pad & Stream Ciphers 6 Basic Idea comes from One-Time-Pad cipher,

Encryption : iii ikmc =⊕= ,...3,2,1 mi : plain-text bits. ki : key (key-stream ) bits ci : cipher-text bits.

Decryption : iii ikcm =⊕= ,...3,2,1 • Provably Secure. Drawback : Key-stream should be as long as plain-text. Key distribution & Management difficult. Solution : Stream Ciphers (in which key-stream is generated in pseudo-random fashion from relatively short secret key.

One-Time Pad & Stream Ciphers 7 Randomness : Closely related to unpredictability. Pseudo-randomness :PR sequences appears random to a computationally bounded adversary. • Stream Ciphers can be modeled as Finite-state machine.

S i+1 Si : state of the cipher Si at time t = i. F : state function. G : output function. F

Initial state, output and state G functions are controlled by the ki secret key. mi ci

One-Time Pad & Stream Ciphers 8 1.Synchronous Stream Ciphers • Key-stream is independent of plain and cipher-text. • Both sender &receiver must be synchronized. • Resynchronization can be needed. • No error propagation. • Active attacks can easily be detected. 2. Self-Synchronizing Stream Ciphers • Key-stream is a function of fixed number t of cipher-text bits. • Limited error propagation (up to t bits). • Active attacks cannot be detected. • At most t bits later, it resynchronizes itself when synchronization is lost. • It helps to diffuse plain-text statistics.

One-Time Pad & Stream Ciphers 9 Analysis • Efforts to evaluate the security of stream ciphers. 1. Mathematical Analysis • Period and Linear Complexity, • Security against Correlation Attacks. 2. Pseudo-randomness Testing • Statistical Tests, • Linear Complexity, • Ziv-Lempel Complexity • Maximum Order Complexity, • Maurer’s Universal Test. • In testing, all the tests are applied to as many key-streams of different lengths as possible. One-Time Pad & Stream Ciphers 10 Linear Feedback Shift Register - LFSR

Output sequence

ci= 0 or 1 c1 c2 cL

2 L 1)( 21 ++++= L xcxcxcxC : Connection Polynomial • If C(x) is primitive, LFSR is called maximum-length, and the output sequence is called m-sequence and its period is T = 2L-1. • m-sequences have good statistical properties. • However, they are predictable. One-Time Pad & Stream Ciphers 11 • If 2L successive bits of an m-sequence are known, the shortest LFSR which produces the rest of the sequence can be found using Berlekamp-Massey (BM) algorithm. • Generally, the length of the shortest LFSR which generates a sequence is called linear complexity.

Stream Cipher Designs Based on LFSRs

• LFSRs generate m-sequence. • However, “ Linearity is the curse of cryptographer.” • The methods of utilizing LFSRs as building blocks in the stream cipher design. • The design principle : Use other blocks which introduce non-linearity while preserving the statistical properties of m-sequences. One-Time Pad & Stream Ciphers 12 Nonlinear combination Generators

LFSR-L1

LFSR-L2 Nonlinear Combiner output Function F

LFSR-Ln

The Combiner Function should be, 1. Balanced, 2. Highly nonlinear, 3. Correlation Immune.

One-Time Pad & Stream Ciphers 13 • Utilizing the algebraic normal form of the combiner function we can compute the linear complexity of the output sequence.

Example (Geffe Generator ) :

),,( ⊕⊕= xxxxxxxxF 33221321 If the lengths of the LFSRs are relatively prime and all connection polynomials are primitive, then

LL LLL ++= L33221 T L1 L2 L3 −⋅−⋅−= )12()12()12(

When we inspect the truth table of the combiner function we gain more insight about the security of Geffe generator.

One-Time Pad & Stream Ciphers 14 x1 x2 x3 z = F(x1,x2,x3) 0 0 0 0 0 0 1 1 0 1 0 0 0 1 1 0 1 0 0 0 1 0 1 1 1 1 0 1 1 1 1 1

• The combiner function is balanced. • However, the correlation probability,

xzP 1 == .4/3)( • Geffe generator is not secure.

One-Time Pad & Stream Ciphers 15 Nonlinear Filter Generator

LFSR

Filter output Function

• Upper bound for linear complexity, m  L Lm = ∑  m : nonlinear order of the filter function. i=1  i  • When L and m are big enough, the linear complexity will become large. One-Time Pad & Stream Ciphers 16 Clock-controlled Generators

• An LFSR can be clocked by the output of another LFSR. • This introduces an irregularity in clocking of the first LFSR, hence increase the linear complexity of its output.

Example : Shrinking Generator

LFSR -S si

LFSR -A ai si = 1 output ai

si = 0 discard ai

One-Time Pad & Stream Ciphers 17 • Relatively new design. • However, it is analyzed and it seems secure under certain circumstances.

()LLif As 1,gcd ⇒= − T LA ⋅−= 2)12( LS 1

LS −2 LS −1 LA 2 LL A ⋅<<⋅ 2

One-Time Pad & Stream Ciphers 18 Different Designs

• SEAL, RC4.

• They use expanded key tables, • Fast in software, • Look secure, • They have not been fully analyzed yet, • Efficient analysis tools are not developed.

One-Time Pad & Stream Ciphers 19