Cryptography Part 1: Classical Ciphers
Jerzy Wojdyło
May 4, 2001
Cryptography, Jerzy Wojdylo, 5/4/01
Overview
Classical Cryptography
– Simple Cryptosystems
– Cryptanalysis of Simple Cryptosystems
Shannon’s Theory of Secrecy
Modern Encryption Systems
– DES, Rijndael
– RSA
Signature Schemes
Cryptosystem
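A cryptosystem is a five-tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, where the following are satisfied:
1. $\mathcal{P}$ is a finite set of possible plaintexts
2. $\mathcal{C}$ is a finite set of possible ciphertexts
3. $\mathcal{K}$, the keyspace, is a finite set of possible keys
4. For every $K \in \mathcal{K}$ there is an $e_K \in \mathcal{E}$ (encryption rule) and a $d_K \in \mathcal{D}$ (decryption rule). Each $e_K: \mathcal{P} \to \mathcal{C}$ and $d_K: \mathcal{C} \to \mathcal{P}$ are functions such that for every $x \in \mathcal{P}$, $d_K(e_K(x)) = x$.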
Notation
English alphabet
Lower case: a, b, c, …, z for plaintext
Upper case: A, B, C, …, Z for ciphertext
For encryption and decryption algorithms, we will substitute letters a, b, c, …, z with numbers 0, 1, 2, …, 25.
Classical Cryptography
Monoalphabetic Ciphers
Once a key is chosen, each alphabetic character of a plaintext is mapped onto a unique alphabetic character of a ciphertext.
– The Shift Cipher (Caesar Cipher)
– The Substitution Cipher
– The Affine Cipher
Classical Cryptography
Polyalphabetic Ciphers
Each alphabetic character of a plaintext can be mapped onto m alphabetic characters of a ciphertext. Usually m is related to the encryption key.
– The Vigenère Cipher
– The Hill Cipher
– The Permutation Cipher
The Shift (Caesar) Cipher
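Let $\mathcal{P} = \mathcal{C} = \mathcal{K} = \mathbb{Z}_{26}$.
For $x \in \mathcal{P}$, $y \in \mathcal{C}$, $K \in \mathcal{K}$, define
$e_K(x) = x + K \pmod{26}$
and
$d_K(y) = y - K \pmod{26}$.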
Example on www.
The Substitution Cipher
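Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}$, let $\mathcal{K} = S_{26}$.
For $x \in \mathcal{P}$, $y \in \mathcal{C}$, $\pi \in \mathcal{K}$, define
$e_\pi(x) = \pi(x)$
and
$d_\pi(y) = \pi^{-1}(y)$.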
Example on www.
The Affine Cipher
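Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}$, let
$\mathcal{K} = \{(a, b) \in \mathbb{Z}_{26} \times \mathbb{Z}_{26} \mid \gcd(a, 26) = 1\}$.
For $x \in \mathcal{P}$, $y \in \mathcal{C}$, $K \in \mathcal{K}$, define
$e_K(x) = ax + b \pmod{26}$
and
$d_K(y) = a^{-1}(y - b) \pmod{26}$.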
Example on www.
The Vigenère Cipher
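Let $m \in \mathbb{Z}^+$, let $\mathcal{P} = \mathcal{C} = \mathcal{K} = (\mathbb{Z}_{26})^m$. For a key $K = (k_1, k_2, \ldots, k_m)$, we define
$e_K(x_1, x_2, \ldots, x_m) = (x_1 + k_1, x_2 + k_2, \ldots, x_m + k_m)$
and
$d_K(y_1, y_2, \ldots, y_m) = (y_1 - k_1, y_2 - k_2, \ldots, y_m - k_m)$
where all operations are modulo 26.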
This is an example (www) of a block cipher.
The Hill Cipher
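Let $m \in \mathbb{Z}^+$, let $\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$, let
$\mathcal{K} = \{m \times m \text{ invertible matrices over } \mathbb{Z}_{26}\}$.
For a key $K$, we define
$e_K(x) = Kx \pmod{26}$
and
$d_K(y) = K^{-1}y \pmod{26}$.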
Example MATLAB.
The Permutation Cipher
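Let $m \in \mathbb{Z}^+$, let $\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$, let $\mathcal{K} = S_m$.
For a key (i.e. a permutation) $\pi$ we define
$e_\pi(x_1, x_2, \ldots, x_m) = (x_{\pi(1)}, x_{\pi(2)}, \ldots, x_{\pi(m)})$
and
$d_\pi(y_1, y_2, \ldots, y_m) = (y_{\pi^{-1}(1)}, y_{\pi^{-1}(2)}, \ldots, y_{\pi^{-1}(m)})$
where $\pi^{-1}$ is the inverse permutation to $\pi$.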
(The Hill Cipher, where K = a permutation matrix.)
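The remark above, that the Permutation Cipher is the Hill Cipher with a permutation matrix as key, can be checked directly. The following is an added example, not part of the original slides; the key PI and the plaintext block "code" are constructed sample values.

```python
M = 26  # alphabet Z_26

def hill_encrypt(K, x):
    """e_K(x) = Kx (mod 26), with x taken as a column vector."""
    return [sum(k * xi for k, xi in zip(row, x)) % M for row in K]

def perm_encrypt(pi, x):
    """e_pi(x_1, ..., x_m) = (x_pi(1), ..., x_pi(m)); pi is 1-based."""
    return [x[p - 1] for p in pi]

def perm_decrypt(pi, y):
    """d_pi(y_1, ..., y_m) = (y_pi^-1(1), ..., y_pi^-1(m))."""
    inverse = [pi.index(i) + 1 for i in range(1, len(pi) + 1)]
    return [y[p - 1] for p in inverse]

def perm_matrix(pi):
    """Row i has its single 1 in column pi(i), so (Kx)_i = x_pi(i)."""
    return [[1 if j == p else 0 for j in range(1, len(pi) + 1)] for p in pi]

def transpose(K):
    """For a permutation matrix the transpose is the inverse."""
    return [list(column) for column in zip(*K)]

def to_numbers(text):
    """Plaintext letters a..z -> 0..25."""
    return [ord(c) - ord("a") for c in text.lower()]

def to_ciphertext(numbers):
    """Numbers 0..25 -> upper-case ciphertext letters."""
    return "".join(chr(n + ord("A")) for n in numbers)

# Constructed sample key and plaintext block (m = 4), not from the slides.
PI = [3, 1, 4, 2]
BLOCK = to_numbers("code")

if __name__ == "__main__":
    K = perm_matrix(PI)
    y = hill_encrypt(K, BLOCK)
    print(to_ciphertext(y), to_ciphertext(perm_encrypt(PI, BLOCK)))
    print(hill_encrypt(transpose(K), y) == perm_decrypt(PI, y) == BLOCK)
```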
Cryptanalysis
Kerckhoffs’s Principle: the cryptosystem (the algorithm) is NOT secret, the key is secret.
Common attacks to obtain the key
– Ciphertext-only
– Known plaintext
– Chosen plaintext
– Chosen ciphertext
Attack on a Shift Cipher
Ciphertext-only
Exhaustive search, 26 cases
Very insecure cipher
Cryptanalysis of a Monoalphabetic Cipher
Ciphertext-only attack
Letter frequencies of the English language

Letter  Frequency
E       0.127
T       0.091
A       0.082
O       0.075
I       0.070
N       0.067
S       0.063
H       0.061
R       0.060
D       0.043
L       0.040
C       0.028
U       0.028
M       0.024
W       0.023
F       0.022
G       0.020
Y       0.020
P       0.019
B       0.015
V       0.010
K       0.008
J       0.002
Q       0.001
X       0.001
Z       0.001
Attack on a Substitution Cipher
Insecure cipher, even though the number of possible keys is 26! = 403291461126605635584000000 (approximately $4.0329 \cdot 10^{26}$)
Letter frequencies calculator www
Attack on the Vigenère Cipher
Kasiski test (m, length of the key)
– Friedrich Wilhelm Kasiski (1863)
– Charles Babbage (1854, result remained secret)
Two identical segments of plaintext will be encrypted to the same ciphertext if their occurrences in the plaintext are x positions apart, where x is a multiple of m.
Attack on the Vigenère Cipher
CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBWRVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAKLXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELXVRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHRZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJTAMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBIPEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHPWQAIIWXNRMGWOIIFKEE
Attack on the Vigenère Cipher
Positions of CHR: 1, 166, 236, 276, 286.
Differences of positions:
166 – 1 = 165
236 – 1 = 235
276 – 1 = 275
286 – 1 = 285
The gcd of these differences is 5, so the key is most likely of length m = 5.
Attack on the Vigenère Cipher
Divide the ciphertext into 5 substrings (positions 5k, 5k+1, 5k+2, 5k+3, 5k+4)
Analyze each substring as a monoalphabetic cipher.
Continue on http://math.ucsd.edu/~crypto/java/EARLYCIPHERS/Vigenere.html
Also an insecure cipher
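The whole attack from the last three slides, carried through on the ciphertext shown above. This is an added example, not part of the original slides: it runs the Kasiski test on the segment CHR, then treats each of the m substrings as a shift cipher and picks the shift that best matches the English letter frequencies listed earlier. The function names are assumptions of this example.

```python
from functools import reduce
from math import gcd

# Ciphertext from the slide above (A=0 ... Z=25).
CIPHERTEXT = (
    "CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBWRVXUOAKXAOSXXWEAHB"
    "WGJMMQMNKGRFVGXWTRZXWIAKLXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSREL"
    "XNJELXVRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHRZBWELEKMSJIK"
    "NBHWRJGNMGJSGLXFEYPHAGNRBIEQJTAMRVLCRREMNDGLXRRIMGNSNRWCHRQH"
    "AEYEVTAQEBBIPEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHPWQAIIW"
    "XNRMGWOIIFKEE"
)
# English letter frequencies for a..z, taken from the frequency slide.
FREQ = [.082, .015, .028, .043, .127, .022, .020, .061, .070, .002, .008, .040, .024,
        .067, .075, .019, .001, .060, .063, .091, .028, .010, .023, .001, .020, .001]

def positions(text, segment):
    """1-based positions of every occurrence of segment, as on the slide."""
    return [i + 1 for i in range(len(text) - len(segment) + 1)
            if text.startswith(segment, i)]

def kasiski_length(text, segment):
    """gcd of the distances from the first occurrence to each later one."""
    pos = positions(text, segment)
    return reduce(gcd, (p - pos[0] for p in pos[1:]), 0)

def best_shift(column):
    """Shift g that best aligns the column's letter counts with English."""
    counts = [column.count(chr(65 + i)) for i in range(26)]
    return max(range(26),
               key=lambda g: sum(FREQ[i] * counts[(i + g) % 26] for i in range(26)))

def recover_key(text, m):
    """Treat each of the m interleaved substrings as a shift cipher."""
    return [best_shift(text[r::m]) for r in range(m)]

def decrypt(text, key):
    """Vigenère decryption; returns lower-case plaintext."""
    return "".join(chr((ord(c) - 65 - key[i % len(key)]) % 26 + 97)
                   for i, c in enumerate(text))

if __name__ == "__main__":
    m = kasiski_length(CIPHERTEXT, "CHR")
    key = recover_key(CIPHERTEXT, m)
    print(positions(CIPHERTEXT, "CHR"), m)
    print("".join(chr(65 + k) for k in key))
    print(decrypt(CIPHERTEXT, key))
```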
Cryptanalysis of the Hill Cipher
Number of keys k = number of invertible $m \times m$ matrices with coefficients from $\mathbb{Z}_{26}$.
Does anyone know the formula?
If p is prime, the alphabet is $\mathbb{Z}_p$ then
$k = \prod_{i=0}^{m-1} \left(p^m - p^i\right)$
If p = 29 and

m    3                      4                      5                      10
k    $1.4 \cdot 10^{13}$    $2.4 \cdot 10^{23}$    $3.5 \cdot 10^{36}$    $1.7 \cdot 10^{146}$
Cryptanalysis of the Hill Cipher
Easily broken with known plaintext attack.
Permutation Cipher = Hill Cipher, where the key is a permutation matrix.
Both ciphers are insecure.
Perfect Secrecy
A cryptosystem is computationally secure if the best algorithm for breaking it requires at least N operations, where N is some specified, very large number.
Problems…
A cryptosystem is unconditionally secure if it cannot be broken with infinite computational resources.
Perfect Secrecy
None of the classical cryptosystems is even computationally secure.
However, the Shift Cipher, the Substitution Cipher, and the Vigenère Cipher are unconditionally secure if only one element of plaintext is encrypted with a given key!
REALLY???
Perfect Secrecy
Claude Shannon, “Communication Theory of Secrecy Systems”, Bell System Technical Journal (1949).
A cryptosystem has perfect secrecy if $p_{\mathcal{P}}(x \mid y) = p_{\mathcal{P}}(x)$ for any $x \in \mathcal{P}$ and $y \in \mathcal{C}$. That is, the a posteriori probability that the plaintext is x, given that the ciphertext is y, is identical to the a priori probability that the plaintext is x.
Perfect Secrecy
Theorem (Shannon). Suppose the 26 keys in the Shift Cipher are used with equal probability 1/26. Then for any plaintext probability distribution, the Shift Cipher has perfect secrecy.
Consequences: One-time Pad Cryptosystem (Gilbert Vernam, 1917).
Key, plaintext, and ciphertext have the same length.
Problems with keys: very long, distribution.
Each key can be used only ONCE!
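Shannon's theorem and the "only ONCE" condition can be checked with exact arithmetic. The following is an added example, not part of the original slides: it computes p(x | y) for the Shift Cipher with a uniformly random key, first for a single letter and then for two letters encrypted under the same key. Both plaintext distributions are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

N = 26  # alphabet Z_26

def encrypt(x, k):
    """Shift every letter of the tuple x by the same key k."""
    return tuple((xi + k) % N for xi in x)

def posterior(prior, y):
    """p(x | y) when the key is uniform on Z_26; None if y never occurs."""
    joint = {x: px * Fraction(sum(encrypt(x, k) == y for k in range(N)), N)
             for x, px in prior.items()}
    p_y = sum(joint.values())
    return {x: j / p_y for x, j in joint.items()} if p_y else None

def has_perfect_secrecy(prior):
    """True if p(x | y) == p(x) for every x and every ciphertext y that can occur."""
    length = len(next(iter(prior)))
    for y in product(range(N), repeat=length):
        post = posterior(prior, y)
        if post is not None and post != prior:
            return False
    return True

# Constructed priors (assumptions of this example, not from the slides).
# One letter per key: plaintext is a, e or t with unequal probabilities.
ONE_LETTER = {(0,): Fraction(1, 2), (4,): Fraction(1, 3), (19,): Fraction(1, 6)}
# Two letters under the same key: plaintext is "at" or "it".
TWO_LETTERS = {(0, 19): Fraction(1, 2), (8, 19): Fraction(1, 2)}

if __name__ == "__main__":
    print(has_perfect_secrecy(ONE_LETTER))    # key used for one letter
    print(has_perfect_secrecy(TWO_LETTERS))   # key reused for a second letter
    print(posterior(TWO_LETTERS, encrypt((0, 19), 7)))
```

With the key reused, the difference between the two ciphertext letters equals the difference between the two plaintext letters, so the ciphertext identifies which of the candidate plaintexts was sent.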
The End
Cryptography, Part 1: Classical Ciphers
Cryptography
Part 2: Modern Cryptosystems
Stay Tuned…