chapter1_l2

8/9/2019 chapter1_l2

1/17

1

Cryptanalysis

Four kinds of attacks (recall)The objective: determine the key ( Herckhoff principle )Assumption: English plaintext text

Basic techniques: frequency analysis based on: Probabilities of occurrences of 26 letters Common digrams and trigrams.


2/17

2

Cryptanalysis -- statistical analysis

Probabilities of occurrences of 26 letters E, having probability about 0.120 (12%) T,A,O,I,N,S,H,R, each between 0.06 and 0.09 D,L, each around 0.04

C,U,M,W,F,G,Y,P,B, each between 0.015 and 0.028 V,K,J,X,Q,Z, each less than 0.01 See table 1.1, page 26

30 common digrams (in decreasing order):

TH, HE, IN, ER, AN, RE,12 common trigrams (in decreasing order): THE, ING,AND,HER,ERE,


3/17

3

Cryptanalysis of Affine Cipher Suppose a attacker got the following Affine cipher FMXVEDKAPHFERBNDKRXRSREFNORUDSDKDVSHVUFEDKAPRKDLYEVLR

HHRH

Cryptanalysis steps: Compute the frequency of occurrences of letters

R: 8, D:7, E,H,K:5, F,S,V: 4 (see table 1.2, page 27) Guess the letters, solve the equations, decrypt the cipher, judge correct or not.

First guess: R e, D t, i.e., e K (4)=17, e K (19)=3 Thus, 4a+b=17 a=6, b=19, since gcd (6,26)=2, so incorrect.

19a+b=3N ext guess: R e, E t, the result will be a=13, not correct.G uess again: R e, H t, the result will be a=8, not correct again.G uess again: R e, K t, the result will be a=3, b=5.

K =(3,5), e K ( x)=3 x+5 mod 26, and d K ( y)=9 y-19 mod 26. Decrypt the cipher: algorithmsarequitegeneraldefinitionsofarithmeticprocesses

If the decrypted text is not meaningful, try another guess.N eed programming: compute frequency and solve equationsSince Affine cipher has 12*26=312 keys, can write a program to try all keys.


4/17

4

Cryptanalysis of substitution cipher

Final goal is to find the corresponding plaintextletter for each ciphertext letter.Ciphertext: example 1.11, page 28Steps:

Frequency computation, see table 1.3, page 29Guess Z e, quite sureC,D,F,J,M,R,Y are t,a,o,i,n,s,h,r, but not exact

Look at digrams, especially Z or Z-.Since ZW occurs 4 times, but no WZ, so guess W d (because

ed is a common digram, but not de)Continue to guess

Look at the trigrams, especially THE, ING, AND,


5/17

5

Cryptanalysis of Vigenere cipher

In some sense, the cryptanalysis of Vigenerecipher is a s y st ema tic method and can betot ally progr ammed .

Step 1: determine the length m of the keyword Ka sis ki test and index of coinci dence

Step 2: determine K =(k 1 ,k 2 ,,k m)

Determine each k i separately.


6/17

6

Ka sisk i testdetermine keyword length m

Observation: two identical plaintext segments will be encrypted to the same ciphertext whenever theyappear H positions apart in plaintext, where H| 0mod m. Vice Versa.

So search ciphertext for pairs of identicalsegments, record the distance between their starting positions, such as H1, H2,, then m shoulddivide all of His. i.e., m divides gcd of all His.


7/17

7

I ndex of coinci denceCan be used to determine m as well as to confirm

m, determined by Ka sisk i testDefinition: suppose x=x 1 x2 ,,x n is a string of length n. The index of coinci dence of x, denoted by I c( x), is defined to be the probability that two

random elements of x are identical. Denoted the frequencies of A,B,,Z in x by f 0, f 1,, f 25

-- I c( x)=i=0

25 ( ) f i2

( )n2= i=0

25

f i( f i-1)

n(n-1)( For mula IC )


8/17

8

Suppose x is a string of English text, denote the expected probability of occurrences of A,B,,Z by p0, p1,, p25 withvalues from table 1.1, then I c( x) } p i2 =0.082 2+0.015 2++0.001 2=0.065(since the probability that two random elements both are A is p02, both are B is p12,)

I ndex of coinci dence (cont .)

Question: if y is a ciph ert ext obt a ined b y shift cipher , what is th e I c( y)?

Answer: should be 0.065, because the individual probabilities will be permuted, but the p i2 will be unchanged.

Therefore, suppose y =y 1 y2y n is the ciphertext from Vigenere cipher.For any given m, divide y into m substrings:

y1= y1 ym+1 y2m+1 if m is indeed the keyword length, theny2= y2 ym+2 y2m+2 each y i is a shift cipher, I c(y i) is about 0.065.

ym= ym y2m y3m otherwise, I c(y i) } 26(1/26) 2 = 0.038.


9/17


10/17

10

Determine keyword K =(k 1,k 2,, k m)1. Determine each k i (from yi) independently.

2. Observation:2.1 let f 0, f 1,, f 25 denote the frequencies of A,B,,Z in y i and n = n/ m2.2 then probability distribution of 26 letters in y i is:

f 0 f 25n , , n

2.3 if the shift key is k i, then f 0+k i (i.e., A+ k i) is the frequency of a in the corresponding plaintext x i , , f 25+ k i (note the subscript

25+ k i should be computed by modulo 26) is the frequencyof z in x i . Since x i is normal English text, probability distribution

of f 0+ k i f 25+k in , , n should be close to ideal probabilitydistribution p0, p1,, p25.

p0, , p25So: f 0+ k i

n' p0 ++

f 25+ k in'

p25

p0

2++ p25

2 =0.065


11/17

11

Determine keyword K =(k 1,k 2,, k m) (cont.)

Therefore, define: f i+g

M g = i=025 p in

When g =k i, M g will generally be around 0.065 (i.e., i=025 p i2).

Otherwise M g will be quite smaller than 0.065.So let g from 0, until 25, compute M g , and for some g , if M g is around 0.065, then k i= g .

Note: the subscript i+ g should be seen as modulo 26.

f 0+g n'

p0 ++ f 25+g

n' p25

On the other hand, for any g != k i,

will not be close to 0.065.


12/17

12

Cryptanalysis of Vigenere cipher--exampleExample 1.12, page 33. Using Ka sis k i t e st to determine the keyword length

CHR appears five times at 1,166,236,276,286the distance is 165, 235,275,285, the gcd is 5, so m=5.

Using index of coinci dence to verify m=5.Divide ciphertext into y1, y2, y3, y 4 , y 5Compute f 0, f 1,, f 25 for each y i and then I c( y i), get 0.063,0.068,0.069,0.061,0.072, so m=5 is correct.

Determine k ifor i=1,,5.

Compute M g for g =0,1,,25 and if M g } 0.065, then letk i= g . where

M g = i=025 p in

f i+g

As a result, k 1=9, k 2=0, k 3=13, k 4=4,k 5=19, i.e., JANET


13/17

13

Cryptanalysis of Hill cipher

Difficult to break based on ciphertext onlyEasily to break based on both ciphertext and

plaintext.

Suppose given at least m distinct plaintext-ciphertext pairs: x j=( x1, j, x2, j,, xm, j)

y j=( y1, j, y2, j,, ym, j)

then define two matrices X =( xi ,j) and Y =( yi ,j)Let Y=XK, if X is invertible, then K=X -1Y .


14/17

14

Suppose plaintext is: fridayand ciphertext is: PQCFKUand the m=2. Then e K (f,r)=(P,Q), e K (i,d)=(C,F).

That is:

Cryptanalysis of Hill cipher--example

( ) = ( ) K 15 162 55 178 3

K =( ) -1( )=( )( )=( )5 178 315 162 5

9 12 15

15 162 5

7 198 3

Then using the third pair, i.e., (a,y) and (K,U) to verify K .

In case m is unknown, try m=2,3,


15/17

15

Cryptanalysis of LFSR stream cipher Vulnerable to known-plaintext attack.

Suppose m, plaintext binary string x1, x2,, xn andciphertext binary string y1, y2,, yn are known, aslong as n>2m, the key can be broken: Keystream is: zi=( xi+ yi) mod 2. (i=1,2,, n) Then the initialization vector of K is z1,, zm. Next is to determine coefficients ( c0,c1,, cm-1) of K

(recall that z i+ m = m-1 j=0c j zi+ j mod 2 for all iu 1)i.e,

( zm+1, zm+2,, z2m)=(c0,c1,, cm-1) z1 z2 zm z2 z3 zm+1 zm zm+1 z2m-1


16/17

16

Cryptanalysis of LFSR stream cipher (cont.)

(c0,c1,, cm-1)=( zm+1, zm+2,, z2m)

z1 z2 zm z2 z3 zm+1

zm zm+1 z2m-1

Therefore:

-1


17/17

17

Example 1.14, page 37. Suppose LFSR 5 with the following:

Cryptanalysis of LFSR stream cipher --example

Ciphertext string: 101101011110010Plaintext string: 011001111111000

Then keystream: 110100100001010Therefore initialization vector is: 11010.For next five key elements: 01000, set up equationfor coefficients ( c0,c1,c2,c3,c4) and solve it.

The result is: ( c0,c1,c2,c3,c4) =(1,0,0,1,0)i.e., zi+5=( zi+ zi+3) mod 2.

chapter1_l2

Documents