chapter1_l2
TRANSCRIPT
-
8/9/2019 chapter1_l2
1/17
1
Cryptanalysis
Four kinds of attacks (recall)The objective: determine the key ( Herckhoff principle )Assumption: English plaintext text
Basic techniques: frequency analysis based on: Probabilities of occurrences of 26 letters Common digrams and trigrams.
-
8/9/2019 chapter1_l2
2/17
2
Cryptanalysis -- statistical analysis
Probabilities of occurrences of 26 letters E, having probability about 0.120 (12%) T,A,O,I,N,S,H,R, each between 0.06 and 0.09 D,L, each around 0.04
C,U,M,W,F,G,Y,P,B, each between 0.015 and 0.028 V,K,J,X,Q,Z, each less than 0.01 See table 1.1, page 26
30 common digrams (in decreasing order):
TH, HE, IN, ER, AN, RE,12 common trigrams (in decreasing order): THE, ING,AND,HER,ERE,
-
8/9/2019 chapter1_l2
3/17
3
Cryptanalysis of Affine Cipher Suppose a attacker got the following Affine cipher FMXVEDKAPHFERBNDKRXRSREFNORUDSDKDVSHVUFEDKAPRKDLYEVLR
HHRH
Cryptanalysis steps: Compute the frequency of occurrences of letters
R: 8, D:7, E,H,K:5, F,S,V: 4 (see table 1.2, page 27) Guess the letters, solve the equations, decrypt the cipher, judge correct or not.
First guess: R e, D t, i.e., e K (4)=17, e K (19)=3 Thus, 4a+b=17 a=6, b=19, since gcd (6,26)=2, so incorrect.
19a+b=3N ext guess: R e, E t, the result will be a=13, not correct.G uess again: R e, H t, the result will be a=8, not correct again.G uess again: R e, K t, the result will be a=3, b=5.
K =(3,5), e K ( x)=3 x+5 mod 26, and d K ( y)=9 y-19 mod 26. Decrypt the cipher: algorithmsarequitegeneraldefinitionsofarithmeticprocesses
If the decrypted text is not meaningful, try another guess.N eed programming: compute frequency and solve equationsSince Affine cipher has 12*26=312 keys, can write a program to try all keys.
-
8/9/2019 chapter1_l2
4/17
4
Cryptanalysis of substitution cipher
Final goal is to find the corresponding plaintextletter for each ciphertext letter.Ciphertext: example 1.11, page 28Steps:
Frequency computation, see table 1.3, page 29Guess Z e, quite sureC,D,F,J,M,R,Y are t,a,o,i,n,s,h,r, but not exact
Look at digrams, especially Z or Z-.Since ZW occurs 4 times, but no WZ, so guess W d (because
ed is a common digram, but not de)Continue to guess
Look at the trigrams, especially THE, ING, AND,
-
8/9/2019 chapter1_l2
5/17
5
Cryptanalysis of Vigenere cipher
In some sense, the cryptanalysis of Vigenerecipher is a s y st ema tic method and can betot ally progr ammed .
Step 1: determine the length m of the keyword Ka sis ki test and index of coinci dence
Step 2: determine K =(k 1 ,k 2 ,,k m)
Determine each k i separately.
-
8/9/2019 chapter1_l2
6/17
6
Ka sisk i testdetermine keyword length m
Observation: two identical plaintext segments will be encrypted to the same ciphertext whenever theyappear H positions apart in plaintext, where H| 0mod m. Vice Versa.
So search ciphertext for pairs of identicalsegments, record the distance between their starting positions, such as H1, H2,, then m shoulddivide all of His. i.e., m divides gcd of all His.
-
8/9/2019 chapter1_l2
7/17
7
I ndex of coinci denceCan be used to determine m as well as to confirm
m, determined by Ka sisk i testDefinition: suppose x=x 1 x2 ,,x n is a string of length n. The index of coinci dence of x, denoted by I c( x), is defined to be the probability that two
random elements of x are identical. Denoted the frequencies of A,B,,Z in x by f 0, f 1,, f 25
-- I c( x)=i=0
25 ( ) f i2
( )n2= i=0
25
f i( f i-1)
n(n-1)( For mula IC )
-
8/9/2019 chapter1_l2
8/17
8
Suppose x is a string of English text, denote the expected probability of occurrences of A,B,,Z by p0, p1,, p25 withvalues from table 1.1, then I c( x) } p i2 =0.082 2+0.015 2++0.001 2=0.065(since the probability that two random elements both are A is p02, both are B is p12,)
I ndex of coinci dence (cont .)
Question: if y is a ciph ert ext obt a ined b y shift cipher , what is th e I c( y)?
Answer: should be 0.065, because the individual probabilities will be permuted, but the p i2 will be unchanged.
Therefore, suppose y =y 1 y2y n is the ciphertext from Vigenere cipher.For any given m, divide y into m substrings:
y1= y1 ym+1 y2m+1 if m is indeed the keyword length, theny2= y2 ym+2 y2m+2 each y i is a shift cipher, I c(y i) is about 0.065.
ym= ym y2m y3m otherwise, I c(y i) } 26(1/26) 2 = 0.038.
-
8/9/2019 chapter1_l2
9/17
-
8/9/2019 chapter1_l2
10/17
10
Determine keyword K =(k 1,k 2,, k m)1. Determine each k i (from yi) independently.
2. Observation:2.1 let f 0, f 1,, f 25 denote the frequencies of A,B,,Z in y i and n = n/ m2.2 then probability distribution of 26 letters in y i is:
f 0 f 25n , , n
2.3 if the shift key is k i, then f 0+k i (i.e., A+ k i) is the frequency of a in the corresponding plaintext x i , , f 25+ k i (note the subscript
25+ k i should be computed by modulo 26) is the frequencyof z in x i . Since x i is normal English text, probability distribution
of f 0+ k i f 25+k in , , n should be close to ideal probabilitydistribution p0, p1,, p25.
p0, , p25So: f 0+ k i
n' p0 ++
f 25+ k in'
p25
p0
2++ p25
2 =0.065
-
8/9/2019 chapter1_l2
11/17
11
Determine keyword K =(k 1,k 2,, k m) (cont.)
Therefore, define: f i+g
M g = i=025 p in
When g =k i, M g will generally be around 0.065 (i.e., i=025 p i2).
Otherwise M g will be quite smaller than 0.065.So let g from 0, until 25, compute M g , and for some g , if M g is around 0.065, then k i= g .
Note: the subscript i+ g should be seen as modulo 26.
f 0+g n'
p0 ++ f 25+g
n' p25
On the other hand, for any g != k i,
will not be close to 0.065.
-
8/9/2019 chapter1_l2
12/17
12
Cryptanalysis of Vigenere cipher--exampleExample 1.12, page 33. Using Ka sis k i t e st to determine the keyword length
CHR appears five times at 1,166,236,276,286the distance is 165, 235,275,285, the gcd is 5, so m=5.
Using index of coinci dence to verify m=5.Divide ciphertext into y1, y2, y3, y 4 , y 5Compute f 0, f 1,, f 25 for each y i and then I c( y i), get 0.063,0.068,0.069,0.061,0.072, so m=5 is correct.
Determine k ifor i=1,,5.
Compute M g for g =0,1,,25 and if M g } 0.065, then letk i= g . where
M g = i=025 p in
f i+g
As a result, k 1=9, k 2=0, k 3=13, k 4=4,k 5=19, i.e., JANET
-
8/9/2019 chapter1_l2
13/17
13
Cryptanalysis of Hill cipher
Difficult to break based on ciphertext onlyEasily to break based on both ciphertext and
plaintext.
Suppose given at least m distinct plaintext-ciphertext pairs: x j=( x1, j, x2, j,, xm, j)
y j=( y1, j, y2, j,, ym, j)
then define two matrices X =( xi ,j) and Y =( yi ,j)Let Y=XK, if X is invertible, then K=X -1Y .
-
8/9/2019 chapter1_l2
14/17
14
Suppose plaintext is: fridayand ciphertext is: PQCFKUand the m=2. Then e K (f,r)=(P,Q), e K (i,d)=(C,F).
That is:
Cryptanalysis of Hill cipher--example
( ) = ( ) K 15 162 55 178 3
K =( ) -1( )=( )( )=( )5 178 315 162 5
9 12 15
15 162 5
7 198 3
Then using the third pair, i.e., (a,y) and (K,U) to verify K .
In case m is unknown, try m=2,3,
-
8/9/2019 chapter1_l2
15/17
15
Cryptanalysis of LFSR stream cipher Vulnerable to known-plaintext attack.
Suppose m, plaintext binary string x1, x2,, xn andciphertext binary string y1, y2,, yn are known, aslong as n>2m, the key can be broken: Keystream is: zi=( xi+ yi) mod 2. (i=1,2,, n) Then the initialization vector of K is z1,, zm. Next is to determine coefficients ( c0,c1,, cm-1) of K
(recall that z i+ m = m-1 j=0c j zi+ j mod 2 for all iu 1)i.e,
( zm+1, zm+2,, z2m)=(c0,c1,, cm-1) z1 z2 zm z2 z3 zm+1 zm zm+1 z2m-1
-
8/9/2019 chapter1_l2
16/17
16
Cryptanalysis of LFSR stream cipher (cont.)
(c0,c1,, cm-1)=( zm+1, zm+2,, z2m)
z1 z2 zm z2 z3 zm+1
zm zm+1 z2m-1
Therefore:
-1
-
8/9/2019 chapter1_l2
17/17
17
Example 1.14, page 37. Suppose LFSR 5 with the following:
Cryptanalysis of LFSR stream cipher --example
Ciphertext string: 101101011110010Plaintext string: 011001111111000
Then keystream: 110100100001010Therefore initialization vector is: 11010.For next five key elements: 01000, set up equationfor coefficients ( c0,c1,c2,c3,c4) and solve it.
The result is: ( c0,c1,c2,c3,c4) =(1,0,0,1,0)i.e., zi+5=( zi+ zi+3) mod 2.