06-20008 Cryptography
The University of Birmingham, School of Computer Science
Autumn Semester 2012
Eike Ritter
24 September, 2012

Handout 1

Summary of this handout: Overview of historical cryptographic techniques — Definition of some important cryptographic concepts — Math: Permutations and Residue Classes

I. Historical Overview

1. Secret Writing

Communicating secretly in writing is probably as old as writing itself. Already the Egyptians are known to have included secret hieroglyphs in their writing. In ancient times secret writing was mainly used for religious purposes and mysticism. The first accounts of secret writing being used for military purposes, by the ancient Greeks, date from classical antiquity. From then on the ability to pass messages secretly was a major factor in military and diplomatic communication. It is therefore hardly surprising that many of the techniques for secret communication known today were developed by government agencies and often only made known to the public long after their invention.

Since the ancient Greeks many methods of exchanging secret messages have been developed (and successfully broken). This handout gives an overview of some of the historical techniques and also introduces some basic and simple mathematical concepts used. The science of secret writing can be roughly divided into the following branches:

Secret Writing
    Steganography
    Cryptography
        Substitution
        Transposition

2. Hiding Messages

The best form of sending a secret message is by concealing that a message has been sent. The study of how to effectively hide messages such that only the intended receiver can find them is called Steganography. Traditionally secret messages used to be hidden physically, for instance by using invisible ink, or within unobtrusive communications. Nowadays there are many more ways of sending concealed messages, for instance by hiding them in unsuspicious file formats, such as pictures or sound files, or in propaganda videos. In this course we will not be concerned with techniques to hide messages but only with hiding the information contained in a message.

3. Scrambling Messages

In many situations it is obvious that messages are sent. For instance, it is clear that during a phone conversation some information is communicated, thus "hiding the message" is essentially impossible. To guard against interception or eavesdropping, messages can be scrambled in a way that they only make sense to the receiver but not to an uninitiated eavesdropper. The scientific study of scrambling messages is the mathematical discipline of Cryptography. In this handout I will give a short overview of some historical cryptographic techniques and their underlying mathematics.

4. Cryptography can be divided into two main branches:

Transposition techniques encrypt messages by permuting the components of a message within itself.

Substitution techniques encrypt messages by replacing the components of a message. There are two main branches for substitution techniques:

Codes are algorithms that substitute entire words or phrases of a message, i.e. they work on a level of meaning.

Ciphers are algorithms that substitute the single letters or characters of a message, i.e. they work on a level of individual letters, small groups of letters, or individual bits.

5. Some basic definitions

Let's first define some more concepts that will be useful throughout the lecture.

Encrypt The process of scrambling a message.

Decrypt The process of unscrambling a message.

Encode The process of encrypting a message with respect to some code.

Decode The process of decrypting a message with respect to some code.

Encipher The process of encrypting a message with respect to some cipher.

Decipher The process of decrypting a message with respect to some cipher.

Plaintext A message before it is encrypted.

Codetext An encoded message. Since we will concentrate on ciphers in this lecture we will rarely use this term.

Ciphertext An enciphered message.

Cryptography The science of keeping messages secure.

Cryptographer A practitioner of cryptography.

Cryptanalysis The science of breaking ciphertexts. While we will mainly concentrate on cryptography in this course I will also discuss some cryptanalytic techniques.

Cryptanalyst A practitioner of cryptanalysis.

Cryptology The branch of mathematics encompassing both cryptography and cryptanalysis.

Cryptologist A practitioner of cryptology.

6. Sending Secret Messages

We can describe the process of sending encrypted messages with the following schematic view:

Plaintext → Encryption → Cipher-/Codetext → Decryption → Orig. Plaintext

From a practical point of view, codes are relatively useless as they require far too much overhead to be effective. In theory, one would have to design an entire dictionary of code words before commencing communication. Obviously, this makes a code not only difficult to work with but also insecure, as a code book cannot easily be hidden or memorised, and very costly to change. While codes have a certain usefulness for ad hoc communication, they are not relevant for the type of efficient cryptography we are interested in.

With ciphers, on the other hand, one only has to know how to encipher and decipher the basic set of symbols, for example the 26 letters of the alphabet. Therefore, ciphers are far easier to apply, to keep secret and to change in order to guarantee prolonged secure communication. In this lecture we will therefore discuss cryptographic methods based on ciphers and will start with a look at some of the classical ciphers.

I.1 Transposition Ciphers

The basic idea of a transposition cipher is to scramble a message by transposing the single letters of a message in a particular order that is only known to the sender and receiver. Transposition ciphers are the oldest form of enciphering messages. They can be traced back to the ancient Egyptians, where they were mainly used for religious purposes. The order of the hieroglyphs of single words would be changed, probably for mystical purposes. Similarly the Jewish mystics used temurah to rearrange words and sentences to find hidden meanings in the Bible.

7. The first known military use of a transposition cipher was by the Spartans. They invented the rail fence cipher to send messages between troops. We write the plaintext message in columns of a particular height and then compose the ciphertext from the resulting rows. To decipher we divide the length of the overall message by the height of the columns and break the ciphertext into rows whose length corresponds to the quotient. Writing the rows again one upon the other, we can read off the original plaintext.

Example: We take the plaintext:

When shall we three meet again in thunder lightning or in rain

We then write it as a rail fence of height 5:

WHEEAINIIIN
HATMGNDGNNE
ELHEATEHGRU
NLREIHRTOAK
SWETNULNRIE

Observe that the original message had 51 characters. In order to complete the rail fence I added four nonsense characters. These characters are meaningless and can be discarded after deciphering. We call meaningless characters added to the ciphertext nulls. Reading off row by row gives the following ciphertext:

WHEEAINIIINHATMGNDGNNEELHEATEHGRUNLREIHRTOAKSWETNULNRIE

In order to decrypt the message the receiver, who knows the height of the rail fence, divides the length of the message by the height and thus gets the length of the single rows. In our case we get 55/5 = 11:

WHEEAINIIIN HATMGNDGNNE ELHEATEHGRU NLREIHRTOAK SWETNULNRIE

Adding nulls is not strictly necessary; we could have just combined the rows of different lengths and nevertheless could have decrypted the message without problems. In fact, not adding nulls can make the work for a cryptanalyst more difficult. But in either case the rail fence cipher is very easy to break as we only have to test all possible divisors up to half the length of the text.

8. Permutation Cipher

We can obtain a more elaborate cipher by transposing the characters in the plaintext in a less regular fashion using permutations. Suppose we take a permutation $s \in S_n$. We then divide the plaintext into chunks of length $n$ and permute the letters in each chunk according to our chosen $s$, which results in the ciphertext. To decipher the text we simply take the inverse of $s$, $s^{-1} \in S_n$, and apply it to the ciphertext divided into chunks of length $n$.

Example: We take $s = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 \\ 2 & 3 & 1 & 4 & 6 & 5 \end{pmatrix} = (1\ 2\ 3)(5\ 6) \in S_6$ as permutation. We divide our plaintext from above into chunks of length 6.

WHENSH ALLWET HREEME ETAGAI NINTHU NDERLI GHTNIN GORINR AINEUK

Applying the permutation yields

EWHNHS LALWTE EHREEM AETGIA NNITUH ENDRIL TGHNNI RGOIRN NAIEKU

and thus the ciphertext

EWHNHSLALWTEEHREEMAETGIANNITUHENDRILTGHNNIRGOIRNNAIEKU

In order to decrypt the message we use the inverse of $s$, which is (1 3 2)(5 6).
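The rail fence of paragraph 7 as an added example (not part of the original handout): it reproduces the handout's ciphertext and lists the readings an analyst has to inspect, with and without nulls. The function names are this example's own; the plaintext, the height and the four nulls are those of the handout's example.

```python
def normalise(text):
    """Keep the letters only, in upper case, as the handout does."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def encipher(plain, height, nulls=""):
    """Write the text in columns of `height` letters and read it off row by row.

    `nulls` are meaningless letters appended to complete the last column.
    """
    text = normalise(plain) + nulls
    return "".join(text[row::height] for row in range(height))


def decipher(cipher, height):
    """Break the ciphertext into `height` rows and read them column by column.

    Works with or without nulls: when the length is not a multiple of the
    height, the first `extra` rows are one letter longer than the others.
    """
    full, extra = divmod(len(cipher), height)
    rows, pos = [], 0
    for row in range(height):
        length = full + (1 if row < extra else 0)
        rows.append(cipher[pos:pos + length])
        pos += length
    columns = full + (1 if extra else 0)
    return "".join(r[col] for col in range(columns) for r in rows if col < len(r))


def candidate_plaintexts(cipher, divisors_only=True):
    """One reading per plausible height, up to half the length of the text.

    With nulls the height must divide the length, so only divisors are
    tried; without nulls every height has to be considered.
    """
    n = len(cipher)
    heights = [h for h in range(2, n // 2 + 1) if not divisors_only or n % h == 0]
    return {h: decipher(cipher, h) for h in heights}


# Plaintext, height and nulls as in the handout's example.
PLAIN = "When shall we three meet again in thunder lightning or in rain"
PADDED = encipher(PLAIN, 5, nulls="EUKE")
UNPADDED = encipher(PLAIN, 5)

if __name__ == "__main__":
    print(PADDED)
    for height, text in candidate_plaintexts(PADDED).items():
        print(height, text)
    print(len(candidate_plaintexts(UNPADDED, divisors_only=False)),
          "heights to try when no nulls were added")
```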

I.2 Substitution Ciphers

A substitution cipher is a method to replace units of the plaintext with parts of the ciphertext. Substitution ciphers are nearly as old as transposition ciphers. One of the earliest examples is the , used in Jewish mysticism, a cipher that substitutes the first letter of the alphabet with the last, the second letter with the one before last, and so on. For simplicity, we will for now assume that the units of our plaintext are always the 26 letters of the alphabet only, without spaces, punctuation, etc.

9. Shift Cipher and Caesar's Cipher

The oldest form of substitution ciphers is the shift cipher. Its idea is to shift every letter in the message by a set number of places in the alphabet. For example a shift cipher with a shift of 1 simply replaces every letter by its successor and Z by A. More mathematically, if we enumerate all letters of the alphabet from 0 to 25 then we can express the shift cipher as an operation in modular arithmetic as $c \equiv p + s \pmod{26}$, where $p$ is the plaintext letter, $s$ is the shift, and $c$ is the enciphered letter. Decryption can be performed similarly with the reverse operation: $p \equiv c - s \pmod{26}$. Julius Caesar used this cipher with a fixed shift of $s = 3$, which is nowadays known as Caesar's cipher. Since there are only 26 possible shift ciphers they make for very weak security.

10. Using Keys

Obviously all the ciphers we have encountered so far are relatively easy to break. In fact their security hinges on the fact that a potential cryptanalyst does not know the method of encryption, i.e. the particular rail fence or shift, etc. Once broken, the encryption method has to be changed. An invention that avoided having to come up constantly with new encryption techniques was the introduction of keys into cryptography. A key is some auxiliary information that is used to vary the encryption procedure and its knowledge is crucial to successfully decrypt a message.
The advantage of using a key is that even if the algorithm for encryption is known, a cryptanalyst can nevertheless not decrypt the message without knowing the key. One additional complication is that sender and intended receiver have to agree on a common, secret key and have to exchange this key at some point before the actual communication. The secret communication would then look something like this.

Plaintext → Encryption (Key) → Ciphertext → Decryption (Key) → Plaintext

11. Monoalphabetic Substitution Ciphers

Instead of just shifting the letters of the alphabet we can define a substitution by explicitly assigning each plaintext letter a corresponding cipher letter. In other words we define a substitution by giving a mapping from a plaintext-alphabet (i.e., the normal 26 letters) to a cipher-alphabet. This mapping could be arbitrary, giving us $26! \approx 2^{86}$ different ways of encrypting a message. However, in order to make it easier to memorise the cipher-alphabet one generally constructs it by:

1. choosing a keyword,

2. removing all duplicate letters from the keyword,

3. starting the cipher-alphabet with the letters of the duplicate-free keyword,

4. continuing, at the end of the keyword, with the next unused letter of the alphabet that follows the last letter of the keyword,

5. continuing to fill in letters, leaving out those already used; if necessary, starting from the beginning of the alphabet again, similar to a shift cipher.
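Steps 1 to 5 as an added example, not code from the handout. The keyword KEYWORD is constructed for illustration; HANDOUT_ALPHABET is the cipher-alphabet printed in the handout's own example, used here to check the enciphering and to list the letters that are enciphered as themselves.

```python
from string import ascii_uppercase as PLAIN_ALPHABET


def cipher_alphabet(keyword):
    """Build the cipher-alphabet from a keyword, following steps 1 to 5."""
    key = []
    for ch in keyword.upper():
        if ch in PLAIN_ALPHABET and ch not in key:      # step 2: drop duplicates
            key.append(ch)
    if not key:
        raise ValueError("the keyword must contain at least one letter")
    # Step 4: carry on with the letter that follows the last keyword letter.
    start = PLAIN_ALPHABET.index(key[-1]) + 1
    # Step 5: run through the alphabet once, wrapping around after Z.
    rest = (PLAIN_ALPHABET[(start + i) % 26] for i in range(26))
    return "".join(key) + "".join(ch for ch in rest if ch not in key)


def encipher(text, alphabet):
    """Replace every plaintext letter by the cipher letter in the same position."""
    letters = "".join(ch for ch in text.upper() if ch in PLAIN_ALPHABET)
    return letters.translate(str.maketrans(PLAIN_ALPHABET, alphabet))


def decipher(text, alphabet):
    """Apply the inverse mapping, from cipher-alphabet back to plaintext-alphabet."""
    return text.upper().translate(str.maketrans(alphabet, PLAIN_ALPHABET))


def fixed_letters(alphabet):
    """Letters that are enciphered as themselves and so leak plaintext directly."""
    return [p for p, c in zip(PLAIN_ALPHABET, alphabet) if p == c]


# Cipher-alphabet as printed in the handout's example.
HANDOUT_ALPHABET = "VOLKERSGHIJMNPQTUWXYZABCDF"

if __name__ == "__main__":
    constructed = cipher_alphabet("keyword")             # constructed keyword
    print(constructed, fixed_letters(constructed))
    print(encipher("Attack at dawn", HANDOUT_ALPHABET))
    print(decipher("BENEEYVYYGWEE", HANDOUT_ALPHABET), fixed_letters(HANDOUT_ALPHABET))
```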

Example: Taking my own name as keyword, I can construct the following substitution cipher:

Plaintext-alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher-alphabet:    VOLKERSGHIJMNPQTUWXYZABCDF

A monoalphabetic substitution cipher can be expressed as a single permutation on the letters of the alphabet or the first 26 integers, i.e. the cipher is essentially equivalent to some permutation $s \in S_{26}$. In our example we get:

$$\left(\begin{array}{*{26}{c}} 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & 16 & 17 & 18 & 19 & 20 & 21 & 22 & 23 & 24 & 25 & 26 \\ 22 & 23 & 24 & 25 & 5 & 26 & 8 & 9 & 10 & 11 & 4 & 3 & 12 & 13 & 2 & 14 & 15 & 6 & 7 & 16 & 17 & 1 & 18 & 19 & 20 & 21 \end{array}\right)$$

$$= (1\ 22)(2\ 23\ 18\ 6\ 26\ 21\ 17\ 15)(3\ 24\ 19\ 7\ 8\ 9\ 10\ 11\ 4\ 25\ 20\ 16\ 14\ 13\ 12)(5) \in S_{26}$$

We now want to encrypt the message Attack at dawn.

Plaintext:  ATTACKATDAWN
Ciphertext: VYYVLJVYKVBP

One weakness of the chosen key is that the letter E is enciphered as itself. While this does not have much effect in the message above, if we consider the

Ciphertext: BENEEYVYYGWEE

it is quite obvious that the plaintext means We meet at three.

12. Breaking Monoalphabetic Substitution Ciphers

Apart from the obvious weakness when letters are replaced by themselves, monoalphabetic ciphers suffer from the problem that the encryption does not disguise the structure of the text or words. This fact was first exploited by the Arab theologian al-Kindī in the ninth century. He discovered a technique known as frequency analysis, a statistical method to analyse texts with respect to the frequency of occurrences of the different letters of the alphabet. Each language has a characteristic distribution of occurrences of the letters. For instance, for English an approximate table is:

Letter  Percentage    Letter  Percentage    Letter  Percentage    Letter  Percentage    Letter  Percentage
a        8.2          f        2.2          k        0.8          p        1.9          u        2.8
b        1.5          g        2.0          l        4.0          q        0.1          v        1.0
c        2.8          h        6.1          m        2.4          r        6.0          w        2.4
d        4.3          i        7.0          n        6.7          s        6.3          x        0.2
e       12.7          j        0.2          o        7.5          t        9.1          y        2.0
                                                                                        z        0.1

Cryptanalysis can exploit this fact by compiling the occurrence percentages of the letters in the ciphertext and then comparing them with the frequency table. One then starts to guess the decryption of the letters, first by inserting those with the most frequent occurrence, i.e., e, a, t, and so on.

13. Homophonic Substitution Ciphers

One way of tricking frequency analysis was by introducing nulls or null ciphers and giving frequently occurring letters more than one possible encryption. I.e. we can give each letter in the alphabet a number of different symbols it can be encoded with that would balance its actual frequency of occurrence; for instance we give E seven counterparts in the cipher-alphabet, but Z only one. This means, of course, that the cipher-alphabet now has to contain more symbols than the plaintext-alphabet. While this makes frequency analysis more difficult, it does not make it impossible.

14. Vigenère Cipher

An answer to attacks by frequency analysis was the use of several cipher-alphabets, so called polyalphabetic substitution ciphers. The idea is that during the encryption one changes cipher-alphabets in a certain order, thereby encoding the same letter according to different ciphers and thus hiding its frequency. One that was considered unbreakable for a very long time is the Vigenère Cipher (which was already invented in the 16th century by the Italian Bellaso but later reinvented and attributed to Vigenère). Its idea is based on 26 cipher-alphabets that represent all possible shift ciphers. They are compiled in a square (see below). A keyword is then used to decide which particular alphabet is used to encipher a particular letter. Each letter in the keyword defines a different cipher-alphabet, depending on its place in the alphabet, e.g. the letter A defines the first cipher-alphabet, B the second and so on. We can easily read off the cipher-alphabet determined by the letters of the keyword by looking at the first letter of the cipher-alphabet in the Vigenère square.

Example: If we use the keyword MACBETH then M determines the 13th alphabet. Using the keyword we encipher our message by writing the keyword over the message as often as necessary and then for each letter reading off the corresponding cipher in the square. Thus W is enciphered with row 13 into I, H with row 1 into H, etc.

Key:    MACBETHMACBETHMACBETHMACBETHMACBETHMACBETHMACBETHMA
Plain:  WHENSHALLWETHREEMEETAGAININTHUNDERLIGHTNINGORINRAIN
Cipher: IHGOWAHXLYFXAYQEOFIMHSAKOMGATUPEIKSUGJURBUSOTJRKHUN

Plain  ABCDEFGHIJKLMNOPQRSTUVWXYZ  Shift
 1     ABCDEFGHIJKLMNOPQRSTUVWXYZ   0
 2     BCDEFGHIJKLMNOPQRSTUVWXYZA   1
 3     CDEFGHIJKLMNOPQRSTUVWXYZAB   2
 4     DEFGHIJKLMNOPQRSTUVWXYZABC   3
 5     EFGHIJKLMNOPQRSTUVWXYZABCD   4
 6     FGHIJKLMNOPQRSTUVWXYZABCDE   5
 7     GHIJKLMNOPQRSTUVWXYZABCDEF   6
 8     HIJKLMNOPQRSTUVWXYZABCDEFG   7
 9     IJKLMNOPQRSTUVWXYZABCDEFGH   8
10     JKLMNOPQRSTUVWXYZABCDEFGHI   9
11     KLMNOPQRSTUVWXYZABCDEFGHIJ  10
12     LMNOPQRSTUVWXYZABCDEFGHIJK  11
13     MNOPQRSTUVWXYZABCDEFGHIJKL  12
14     NOPQRSTUVWXYZABCDEFGHIJKLM  13
15     OPQRSTUVWXYZABCDEFGHIJKLMN  14
16     PQRSTUVWXYZABCDEFGHIJKLMNO  15
17     QRSTUVWXYZABCDEFGHIJKLMNOP  16
18     RSTUVWXYZABCDEFGHIJKLMNOPQ  17
19     STUVWXYZABCDEFGHIJKLMNOPQR  18
20     TUVWXYZABCDEFGHIJKLMNOPQRS  19
21     UVWXYZABCDEFGHIJKLMNOPQRST  20
22     VWXYZABCDEFGHIJKLMNOPQRSTU  21
23     WXYZABCDEFGHIJKLMNOPQRSTUV  22
24     XYZABCDEFGHIJKLMNOPQRSTUVW  23
25     YZABCDEFGHIJKLMNOPQRSTUVWX  24
26     ZABCDEFGHIJKLMNOPQRSTUVWXY  25

We can regard the Vigenère cipher also algebraically in modular arithmetic. If we again enumerate the letters A–Z with the numbers 0–25, we can directly compute the numerical value of the letter in the ciphertext from the value of the plaintext letter plus the shift determined by the numerical value of the respective letter in the keyword. The right-most column of the above Vigenère square gives all the shift values explicitly. Formally we can compute the $i$-th letter of the ciphertext $c_i$ as

$$c_i \equiv p_i + s_i \pmod{26},$$

where $p_i$ represents the $i$-th plaintext letter and $s_i$ the $i$-th letter in the repeated key. Similarly we can express decryption as $p_i \equiv c_i - s_i \pmod{26}$.

Example: When enciphering W (which corresponds to letter number 22) with respect to the key M (number 12), we get $22 + 12 \equiv 8 \pmod{26}$, which corresponds to I. For an abbreviated version of our example text (When shall we three meet again) we get the following equations in $\mathbb{Z}_{26}$:

Key:    12  0  2  1  4 19  7 12  0  2  1  4 19  7 12  0  2  1  4 19  7 12  0  2  1
Plain:  22  7  4 13 18  7  0 11 11 22  4 19  7 17  4  4 12  4  4 19  0  6  0  8 13
Cipher:  8  7  6 14 22  0  7 23 11 24  5 23  0 24 16  4 14  5  8 12  7 18  0 10 14

15. Breaking Vigenère

The Vigenère cipher is similar to the homophonic substitution ciphers in that both can encipher the same letter in different ways. The advantage of the Vigenère cipher is, however, that it can also encipher different letters into the same letter and therefore does not need a larger cipher-alphabet. This fact also makes it invulnerable to straightforward frequency analysis. The Vigenère cipher was nevertheless broken by in 1863 (but very likely already by Charles Babbage in 1854).

The idea is to first find out the length of the keyword. This is done by determining all repeated sequences of letters of length at least four in the ciphertext. Then we count for each such sequence after how many letters it is repeated. Comparing these numbers we usually narrow down the possible key length to only one or two candidates. Once the (likely) length of the key is determined we can use ordinary frequency analysis separately on all the letters of the message encrypted with the same cipher-alphabet.

16. Rotor Machines

At the beginning of the twentieth century encryption was mechanised. Particularly successful were so called rotor machines, of which Enigma and Lorenz, two machines used by the Germans during WWII, are examples. The Enigma was originally a commercial encryption machine that was later adopted by the military. The basic machine comprises the following main elements: a keyboard with letters from A to Z, a plug board, three rotors and a reflector.

In a first step, the letters from the keyboard are substituted using the plug board with a substitution cipher. In the next step, the electric signal passes the three rotors, each of which applies a fixed substitution to the letters. If these rotors were static, this step would yield nothing more than a substitution cipher again. However, after encrypting one letter, the rightmost rotor advances one step. After one full turn the middle rotor advances as well, and after one full turn of the middle rotor the leftmost rotor advances as well. Thus each letter is treated with a different substitution. After passing the three rotors the signal enters the reflector. It reflects the signal, applying one more permutation; the signal then passes all three rotors in the opposite direction, passes the plug board one more time, and then reaches the lamps. The reflector was invented to simplify decryption: the same setting can be used to decrypt the message. Thus the key for the Enigma consisted of the order and setting of the three rotors and the plug board configuration.

The Enigma was successfully broken during the Second World War at Bletchley Park by exploiting weaknesses such as the fact that, with the reflector, a letter is never encrypted to the same letter: the three rotors perform a substitution and the reflector cannot "reflect" the signal back along the same path through the rotors, as no electric circuit would then be established. Breaking the Enigma and Lorenz ciphers also initiated the development of modern day computers.

17. One Time Pad

One of the weaknesses that allowed Enigma to be successfully broken was that keys were reused. For example, the day key had to be used in all communications of a particular day in order to establish the message key, and therefore the first six letters of all intercepted messages were encrypted with the same key. However, already during the First World War an absolutely secure way of encrypting messages was developed. It depends on three factors: Firstly, the key has to be as long as the message to encrypt. Secondly, there should be no repetition or obvious pattern in the key, i.e., it should be a random combination of letters. And thirdly, the key should never be reused.

The cipher is called the One Time Pad and while this guarantees security it is impractical in most situations. Not only are the key size and distribution a major problem; it is also very difficult to produce proper random keys in the necessary quantity. This is a problem we will get back to later in this term. Nevertheless, One Time Pads have been employed, for instance, to encrypt the telephone line between Washington and Moscow during the Cold War.
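The formula of paragraph 14 and the key-length search of paragraph 15 as an added example that is not part of the original handout. The sample plaintext is constructed so that one phrase repeats 21 letters apart; the key MACBETH is the handout's, and the function names are this example's own.

```python
from collections import Counter

A = ord("A")


def vigenere(text, key, decrypt=False):
    """c_i = p_i + s_i (mod 26), or p_i = c_i - s_i (mod 26) when decrypting."""
    sign = -1 if decrypt else 1
    shifts = [ord(k) - A for k in key.upper()]
    letters = [ch for ch in text.upper() if ch.isalpha()]
    return "".join(chr((ord(ch) - A + sign * shifts[i % len(shifts)]) % 26 + A)
                   for i, ch in enumerate(letters))


def repeated_sequences(cipher, length=4):
    """Map every repeated sequence of `length` letters to the distances
    between its consecutive occurrences."""
    positions = {}
    for i in range(len(cipher) - length + 1):
        positions.setdefault(cipher[i:i + length], []).append(i)
    return {seq: [b - a for a, b in zip(pos, pos[1:])]
            for seq, pos in positions.items() if len(pos) > 1}


def likely_key_lengths(cipher, length=4, max_key=20):
    """Count, for each possible key length, how many repeat distances it divides.

    A repeat caused by the same plaintext under the same key letters lies a
    multiple of the key length apart, so the true length collects the votes.
    """
    votes = Counter()
    for distances in repeated_sequences(cipher, length).values():
        for d in distances:
            votes.update(k for k in range(2, max_key + 1) if d % k == 0)
    return votes.most_common()


def split_by_key_position(cipher, key_length):
    """Letters enciphered with the same cipher-alphabet; each group is a plain
    shift cipher and can be attacked with ordinary frequency analysis."""
    return [cipher[i::key_length] for i in range(key_length)]


KEY = "MACBETH"                                          # key from the handout
SAMPLE_PLAIN = "THUNDERANDLIGHTNINGINTHUNDERANDRAIN"     # constructed sample
SAMPLE_CIPHER = vigenere(SAMPLE_PLAIN, KEY)

if __name__ == "__main__":
    print(vigenere("When shall we three meet again", KEY))
    print(SAMPLE_CIPHER)
    print(repeated_sequences(SAMPLE_CIPHER))
    print(likely_key_lengths(SAMPLE_CIPHER))
```

For this short sample the repeats leave the two candidates 3 and 7, in line with the remark that one usually narrows the key length down to one or two candidates.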


Mathematics 1 – Permutations

The concept of a permutation expresses the idea that discrete, distinguishable objects may be arranged in various different orders. Consider, for instance, the integers from one to three, and all possible lists of the numbers without repetition. There are altogether six: (1, 2, 3) (1, 3, 2) (2, 1, 3) (2, 3, 1) (3, 1, 2) (3, 2, 1).

A permutation describes the rearrangement of the elements of an ordered list into a one-to-one correspondence with itself. For example, we can describe how we get (3, 1, 2) from (1, 2, 3) by a permutation $s = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}$, which essentially describes that 1 moves to the place where 2 was, 2 to the place of 3, and 3 back to the place of 1. As abbreviation we use a linear notation, so called cycles. For example we can write $s$ as (1 2 3), which expresses 1 → 2, 2 → 3, 3 → 1. The notation is cyclic in the sense that (1 2 3) = (2 3 1) = (3 1 2). We normally start with the smallest element of the list.

As another example consider $t = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 \\ 2 & 3 & 1 & 4 & 6 & 5 \end{pmatrix} = (1\ 2\ 3)(5\ 6)$. Observe that we omit the elements of the permutation that are not changed, e.g. 4, when denoting the cycles. Observe also that the cycles of a permutation are always disjoint and duplicate free. We denote the identity permutation, i.e. the permutation that does not change the order of the list at all, by (1).

The set of all possible permutations of a list of size $n$ is denoted by $S_n$ and is of size $n!$. We call $S_n$ the symmetric group of order $n$. In our above examples we had $s \in S_3$ and $t \in S_6$; $S_3$ contains 6 elements and $S_6$ has 720 elements.

Applying Permutations

We can use permutations to express rearranging lists of other discrete objects. We simply enumerate the positions of the list and rearrange the objects according to their positions. For instance we can permute the list of letters A B C D according to $s = (1\ 2\ 4) \in S_4$ to get D A C B, i.e., the letter at position 1 is moved to position 2, which in turn is moved to position 4, etc.

Conversely we can express the rearranging of any list of discrete objects as a permutation. If we have three mugs, a blue, a yellow, and a white one, that have originally the order B Y W and are rearranged to Y W B, then we first enumerate the single positions in the list. That is, B is at position 1, Y at 2, and W at 3. Then the rearrangement corresponds to B being moved from position 1 to position 3, W from 3 to 2, and Y from 2 to 1. This can be easily expressed as the cycle (1 3 2).

Multiplying Permutations

Permutations are one-to-one mappings between lists of objects. We can therefore define an operation between two permutations by composing the mappings. We will call the operation multiplication between permutations, but observe that it has nothing to do with multiplication on numbers (or vectors or matrices)! Instead the result of multiplying two permutations $s \ast t$ is determined by the result of applying first $s$ and then $t$.

For example, take $s, t \in S_3$ with $s = (1\ 2\ 3)$, $t = (1\ 2)$. $s \ast t$ is then determined by 1 → 2 → 1, 2 → 3 → 3 (as there is no mapping specified for 3 in $t$ and therefore it remains identical), 3 → 1 → 2. In other words 1 is mapped onto itself, 2 onto 3, and 3 onto 2, which results in the cycle (2 3).

We can also determine this again by the more extensive matrix notation from above. Starting with the two separate permutations we can combine them into one matrix with three rows where the second row corresponds to the application of $s$ and the third row to the application of $t$. I have shaded the columns below that represent the mapping for 1 by $s$ and $t$. Obviously we can again collapse the three row form into the first and last row only and read off the result of multiplying $s$ with $t$.

$$s \ast t = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix} \ast \begin{pmatrix} 1 & 2 & 3 \\ 2 & 1 & 3 \end{pmatrix} = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \\ 1 & 3 & 2 \end{pmatrix} = \begin{pmatrix} 1 & 2 & 3 \\ 1 & 3 & 2 \end{pmatrix} = (2\ 3) \in S_3$$

Let's have another look at an example from $S_6$:

$$s \ast t = (1\ 2\ 3)(5\ 6) \ast (1\ 4)(3\ 5) = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 \\ 2 & 3 & 1 & 4 & 6 & 5 \\ 2 & 5 & 4 & 1 & 6 & 3 \end{pmatrix} = (1\ 2\ 5\ 6\ 3\ 4) \in S_6$$

Observe that, in this example, permutation $t$ leaves 2 and 6 unchanged. Note that multiplication on permutations is generally not commutative, i.e. the order does matter! For example, $(1\ 4)(3\ 5) \ast (1\ 2\ 3)(5\ 6) = (1\ 4\ 2\ 3\ 6\ 5)$.

Inverses

The inverse of a permutation $s$ is that permutation that undoes the operation of $s$ and results in the original ordered list. That is, applying first $s$ and then its inverse to a list returns the original list, or, in other words, multiplying $s$ and its inverse gives the identity permutation. We denote the inverse of $s$ by $s^{-1}$, and say that $s \ast s^{-1} = (1)$. For instance the inverse of $s = (1\ 2\ 3)$ is $s^{-1} = (1\ 3\ 2)$. We can verify this by multiplying the two together:

$$s \ast s^{-1} = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix} \ast \begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix} = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \\ 1 & 2 & 3 \end{pmatrix} = \begin{pmatrix} 1 & 2 & 3 \\ 1 & 2 & 3 \end{pmatrix} = (1) \in S_3.$$

For the example from $S_6$, $s = (1\ 2\ 3)(5\ 6)$, the inverse is $s^{-1} = (1\ 3\ 2)(5\ 6)$. Observe that a permutation that only transposes two numbers, e.g. (1 2), is its own inverse. The same holds for a permutation that only consists of cycles of length 2. While multiplication of permutations is generally not commutative, it is easy to see that

$$s \ast s^{-1} = s^{-1} \ast s = (1).$$
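Cycle notation, multiplication, inverses and the permutation cipher of paragraph 8 as an added example (not from the handout), checked against the worked examples above. Storing a permutation as a dictionary from position to position is a choice of this example, as are the function names.

```python
import re


def from_cycles(cycles, n):
    """Parse cycle notation such as "(1 2 3)(5 6)" into a mapping on 1..n."""
    perm = {i: i for i in range(1, n + 1)}
    for cycle in re.findall(r"\(([^)]*)\)", cycles):
        items = [int(x) for x in cycle.split()]
        for a, b in zip(items, items[1:] + items[:1]):
            perm[a] = b                      # a moves to the place of b
    return perm


def to_cycles(perm):
    """Write a mapping as disjoint cycles, smallest element first, omitting
    unchanged elements; the identity is written (1)."""
    seen, out = set(), []
    for start in sorted(perm):
        if start in seen or perm[start] == start:
            continue
        cycle, x = [], start
        while x not in seen:
            seen.add(x)
            cycle.append(x)
            x = perm[x]
        out.append("(" + " ".join(map(str, cycle)) + ")")
    return "".join(out) or "(1)"


def multiply(s, t):
    """s * t in the handout's convention: apply first s and then t."""
    return {i: t[s[i]] for i in s}


def inverse(s):
    """The permutation that undoes s."""
    return {target: source for source, target in s.items()}


def apply(s, items):
    """Move the object at position i to position s(i)."""
    if len(items) != len(s):
        raise ValueError("list length must equal the size of the permutation")
    out = [None] * len(items)
    for i, item in enumerate(items, start=1):
        out[s[i] - 1] = item
    return out


def permutation_cipher(text, s):
    """Permute each chunk of len(s) letters; decipher by passing inverse(s)."""
    n = len(s)
    if len(text) % n:
        raise ValueError("pad the text with nulls to a multiple of the chunk length")
    return "".join("".join(apply(s, text[i:i + n])) for i in range(0, len(text), n))


if __name__ == "__main__":
    s = from_cycles("(1 2 3)(5 6)", 6)
    t = from_cycles("(1 4)(3 5)", 6)
    print(to_cycles(multiply(s, t)), to_cycles(multiply(t, s)))
    print(to_cycles(inverse(s)), to_cycles(multiply(s, inverse(s))))
    cipher = permutation_cipher("WHENSHALLWET", s)
    print(cipher, permutation_cipher(cipher, inverse(s)))
```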

Mathematics 2 – Modular Arithmetic and Residue Classes

Modulo Operation

Modular arithmetic defines standard arithmetic operations, i.e. $+$, $-$, $\ast$, on finite sets of integers. We first define a modulo operation mod on the set of integers $\mathbb{Z}$ as follows: we say that two numbers $a, b \in \mathbb{Z}$ are congruent modulo some $n \in \mathbb{Z}$ if $a - b$ is divisible by $n$. For example, if we have $n = 5$, $a = 6$, and $b = 1$ then 5 divides $6 - 1$ and we say 6 is congruent to 1 modulo 5 and write $6 \equiv 1 \pmod 5$. We call 1 the remainder or residue.

Observe that the modulo operation is related to division with remainder but not the same! Indeed for positive integers it is very similar: For example, if we divide 6 by 5 we have a remainder of 1. Likewise if we divide 17 by 6 we have a remainder of 5, or $17 \equiv 5 \pmod 6$. More systematically we can then write down for the modulo 5 operation:

$$\begin{array}{ll} 0 \equiv 0 \pmod 5 & 5 \equiv 0 \pmod 5 \\ 1 \equiv 1 \pmod 5 & 6 \equiv 1 \pmod 5 \\ 2 \equiv 2 \pmod 5 & 7 \equiv 2 \pmod 5 \\ 3 \equiv 3 \pmod 5 & 8 \equiv 3 \pmod 5 \\ 4 \equiv 4 \pmod 5 & 9 \equiv 4 \pmod 5 \\ & 10 \equiv 0 \pmod 5 \quad \text{etc.} \end{array}$$

However, while we can say that $11 \equiv 6 \pmod 5$, the remainder of 11 divided by 5 is still 1. The difference becomes even more apparent when we move to negative integers. While −6 divided by 5 has −1 as remainder, with respect to the modulo operation we can also express $-6 \equiv 4 \pmod 5$. Thus we can write a prequel to the above table:

$$\begin{array}{ll} -10 \equiv 0 \pmod 5 & -5 \equiv 0 \pmod 5 \\ -9 \equiv 1 \pmod 5 & -4 \equiv 1 \pmod 5 \\ -8 \equiv 2 \pmod 5 & -3 \equiv 2 \pmod 5 \\ -7 \equiv 3 \pmod 5 & -2 \equiv 3 \pmod 5 \\ -6 \equiv 4 \pmod 5 & -1 \equiv 4 \pmod 5 \\ & 0 \equiv 0 \pmod 5 \quad \text{see above} \end{array}$$

Residue Classes

Suppose that we now want to solve congruence equations, i.e. we are interested in the question for which $x$ the congruence $x \equiv 1 \pmod 5$ holds. Then obviously there is more than one correct answer and we can obtain them by repeatedly adding 5 to or subtracting 5 from 1. Thus $x$ can be equal to ..., −9, −4, 1, 6, 11, .... All these values are equally valid and we can thus say they are equivalent with respect to the (mod 5) operation. It is easy to see that the (mod 5) operation partitions the integers into exactly 5 sets of numbers, or five different equivalence classes. (One can easily show that every modulo operation forms an equivalence relation, i.e., is reflexive, symmetric, and transitive.)

We call these equivalence classes residue classes modulo 5 and introduce a shorthand notation by denoting a residue class by its smallest positive integer representant and the modulo factor as subscript. For example we write $[0]_5$ for the residue class 0 modulo 5, which is the set of all integers that are congruent to 0 under the modulo 5 operation.

We can now write down the set of all residue classes modulo 5 as $\mathbb{Z}_5 = \{[0]_5, [1]_5, [2]_5, [3]_5, [4]_5\}$. Similarly we can denote the residue classes for the modulo 6 operation $\mathbb{Z}_6 = \{[0]_6, [1]_6, [2]_6, [3]_6, [4]_6, [5]_6\}$. Observe that $[1]_5$ and $[1]_6$ are different objects, since the sets they represent are not equal, i.e. $[1]_5 = \{\ldots, -9, -4, 1, 6, 11, \ldots\} \neq \{\ldots, -11, -5, 1, 7, 13, \ldots\} = [1]_6$!

In general we will denote the set of all residue classes modulo some $n$ by $\mathbb{Z}_n = \{[0]_n, [1]_n, \ldots, [n-1]_n\}$. In case it is clear from the context we will sometimes write only the integer representant for a residue class in question, i.e. we write 0 instead of $[0]_n$.

Arithmetic on Residue Classes

We can now define arithmetic operations on residue classes via the underlying modulo operation. For example when we want to add $[3]_5$ and $[4]_5$ we compute $(3 + 4) = 7 \equiv 2 \pmod 5$ and thus get $[3]_5 + [4]_5 = [2]_5$. Similarly we can define multiplication $[3]_5 \ast [4]_5 = [2]_5$ as $(3 \ast 4) = 12 \equiv 2 \pmod 5$. Generally we define addition (subtraction) and multiplication for residue classes as

$$[a]_n + [b]_n = [c]_n \quad \text{if } (a + b) \equiv c \pmod n$$

$$[a]_n \ast [b]_n = [c]_n \quad \text{if } (a \ast b) \equiv c \pmod n$$

Observe that these operations are only defined with respect to residue classes modulo the same factor $n$. Never mix residue classes of unequal modulo operator!
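Residue classes and the shift cipher of paragraph 9 as an added example, not code from the handout. The class name Residue and the helper truncated_remainder are this example's own; the helper imitates the division with remainder that the text distinguishes from the modulo operation, and the message ATTACKATDAWN with shift 3 is a constructed sample.

```python
import math


class Residue:
    """The residue class [a]_n, stored by its representative in 0 .. n-1."""

    def __init__(self, a, n):
        if n < 1:
            raise ValueError("the modulus must be a positive integer")
        self.n = n
        self.a = a % n          # Python's % yields the representative in 0 .. n-1

    def _same_modulus(self, other):
        if self.n != other.n:
            raise ValueError(f"cannot mix residue classes modulo {self.n} and {other.n}")

    def __add__(self, other):
        self._same_modulus(other)
        return Residue(self.a + other.a, self.n)

    def __sub__(self, other):
        self._same_modulus(other)
        return Residue(self.a - other.a, self.n)

    def __mul__(self, other):
        self._same_modulus(other)
        return Residue(self.a * other.a, self.n)

    def __eq__(self, other):
        return isinstance(other, Residue) and (self.a, self.n) == (other.a, other.n)

    def __repr__(self):
        return f"[{self.a}]_{self.n}"

    def members(self, low, high):
        """All integers of the class between low and high (inclusive)."""
        first = low + (self.a - low) % self.n
        return list(range(first, high + 1, self.n))


def truncated_remainder(a, n):
    """Remainder of a division that rounds towards zero; its sign follows a."""
    return int(math.fmod(a, n))


def shift(text, s):
    """Shift cipher c = p + s (mod 26) on upper-case letters; use -s to decipher."""
    return "".join(chr((Residue(ord(ch) - 65, 26) + Residue(s, 26)).a + 65)
                   for ch in text)


if __name__ == "__main__":
    print(Residue(3, 5) + Residue(4, 5), Residue(3, 5) * Residue(4, 5))
    print(Residue(-6, 5), truncated_remainder(-6, 5))
    print(Residue(1, 5).members(-9, 11), Residue(1, 6).members(-11, 13))
    print(shift("ATTACKATDAWN", 3), shift("ABC", -3))
```

Deciphering A with shift 3 gives the intermediate value −3: the residue class is [23]_26, the letter X, whereas the truncated remainder −3 is not a letter number at all.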


Exercise Sheet 1

Submit via the correct pigeon hole before 5 October, 2pm.

1. Decipher the following ciphertext that has been doubly enciphered with a rail fence of height 5 and a monoalphabetic substitution cipher with keyword CRYPTOGRAPHY: WUNCAVNMRWTWRNTHSHTWWVXNNWAWTM 10

2. Carry out the following computations on residue classes:

(a) $[8]_{11} + [10]_{11}$
(b) $[5]_{12} - [7]_{12}$
(c) $[6]_{11} \ast [7]_{11}$
(d) $[5]_{12} \ast [11]_{12}$

1+1+1+1

3. (a) Carry out the following multiplication on permutations: (1 2)(3 5 6) ∗ (2 4)(5 6)
(b) Compute the inverse of the following permutation: (1 2 6 4 5 8)
(c) Apply the permutation (1 3 5)(2 4 6) to the list of letters ABCDEFG.

1+1+2

4. a−1(mod n) is defined as the integer b such that 0 ≤ b 1. (m is called a common divisor of a and n if there exist k and l such that m ∗ k = a and m ∗ l = n). 10

Cryptography Glossary 1

Caesar Cipher: Shift cipher with fixed shift of 3.
Cipher: Substitution at the level of letters/characters/symbols.
Cipher-alphabet: The alphabet used for encryption.
Ciphertext: An enciphered message.
Code: Substitution at the level of words.
Codetext: An encoded message.
Cryptanalysis: The science of breaking ciphertexts.
Cryptanalyst: A practitioner of cryptanalysis.
Cryptographer: A practitioner of cryptography.
Cryptography: The science of scrambling messages.
Cryptologist: A practitioner of cryptology.
Cryptology: The branch of mathematics encompassing both cryptography and cryptanalysis.

Decipher: The process of decrypting a message with respect to some cipher.
Decode: The process of decrypting a message with respect to some code.
Decrypt: The process of unscrambling a message.

Encipher: The process of encrypting a message with respect to some cipher.
Encode: The process of encrypting a message with respect to some code.
Encrypt: The process of scrambling a message.

Frequency Analysis: A statistical method to decipher messages based on the frequency of occurrences of letters in particular languages.

Key: Auxiliary information that is used to vary the encryption procedure.

Monoalphabetic Substitution Cipher: Using a single cipher-alphabet for encryption.

Nulls: Empty or meaningless words or letters in a cipher or code.

One Time Pad: A secure but impractical cipher that is unbreakable.

Permutation Cipher: A more elaborate transposition cipher.
Plaintext: A message before it is encrypted.
Plaintext-alphabet: The regular alphabet which is in our case 26 letters but could also contain numbers etc.
Polyalphabetic Substitution Cipher: Using several cipher-alphabets for encryption.

Rail Fence Cipher: A simple transposition cipher.

Shift Cipher: Substitution cipher that shifts every letter in the message by a set number of places in the alphabet.
Steganography: The science of hiding messages.
Substitution Cipher: Encrypting texts by replacing characters in the plaintext with characters from a cipher-alphabet.
Symmetric Group: The set of all permutations on n numbers.

Transposition Cipher: Encrypting texts by transposing characters with one another.

Vigenère Cipher: A polyalphabetic substitution cipher.