Cryptoanalysis

Upload: janel-pope

Post on 26-Dec-2015


Page 1: Cryptoanalysis

• It is not very common to teach cryptoanalysis on a basic course on communications security. It is probably because cryptoanalysis is not very useful anymore.

• Cryptoanalysis has a role in checking weaknesses in new algorithms and giving the theory how to design cryptoalgorithms.

• It is only a myth that modern cryptoalgorithms are broken by top-bright mathematicians working with pen and paper (and some supercomputers, of course), provided that the algorithms are used as they should be.

• In the Second World War codes were indeed broken by mathematics, but now they are usually too good.

• In some years computers get faster and do the cracking with brute force, but before that time the analyst should hope for errors in usage leading to a compromise. Errors are common.

Page 2: Cryptoanalysis

• Known cryptoanalytic methods were usually developed a long time ago and are mostly of historical interest.

• Older cryptoalgorithms are made by substitution and transposition of letters (modern ones work with bits).

• Monoalphabetic substitution uses one list of characters and letters are substituted according to it. No monoalphabetic substitution algorithm is safe, as they can be easily cracked by statistical analysis of the probability of letters.

• Polyalphabetic substitution algorithms use several substitution lists.

• Permutation algorithms change the order of letters. Pure permutation algorithms are simple to crack.

• Basically, in order to crack these kinds of algorithms you need to guess a word or 3-4 letters, after which guessing gets easier.

Page 3: Cryptoanalysis

• Monoalphabetic:

• Replace the letter in the upper row with one in the lower row.

• a b c d e f g h i j k ...

• j m n g z y l t b u s ...

• Polyalphabetic: (example, VIGENERE)

• t h i s i s a c l e a r t e x t w h i c h i w r o t e

• k e y w o r d k e y w o r d k e y w o r d .....

• Use the key letter for encrypting the corresponding letter in the clear text, e.g. by

• cipher_letter = (clear_letter + key_letter) modulo 26

• Thus, every 7th letter is encrypted by the same key and the ciphertext is a composition of 7 monoalphabetic ciphers.

Page 4: Cryptoanalysis

• If there is enough cipher text, a monoalphabetic cipher is easy to break since letters have different frequencies.

• Most common letters: (every cryptoanalyst should memorize these, they are said to be easy to remember)

• English etaoinshrdlu

• French esarintulo

• German enirstaduhl

• Italian eiaorints

• If there is not enough text, for example when there is only one cipher message, we can still look for likely words or letter combinations. If anything is repeated, it is a common sequence. In English there is a common ending /ation, the common word "the" and so on.

• This statistical cryptoanalysis works also with polyalphabetic substitution ciphers: simply take every Kth letter, provided you get the key length K in some way.

Page 5: Cryptoanalysis

• A polyalphabetic substitution cipher can be much more difficult, like ENIGMA, but with a simple algorithm, like VIGENERE, we can use Kasiski’s attack:

• Look for repeated letter sequences in the cipher text and calculate their distance.

• Some repetitions are pure chance, but some are caused by the same letters both in the clear text and in the key. Then the distance is a multiple of the key length.

• Looking at all these repetitions we can deduce the likely key length.

• When the key length K is known, take every Kth letter from the cipher text and decrypt it as a monoalphabetic substitution cipher.
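
Kasiski's attack as described above, written out in Python as an added example that is not part of the original lecture. The clear text is constructed from the sentence on the Vigenère slide plus filler words, the key is that slide's "keyword", and all function names are illustrative.

```python
from collections import defaultdict
from itertools import combinations

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def vigenere(clear, key):
    """cipher_letter = (clear_letter + key_letter) modulo 26."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + ALPHABET.index(key[i % len(key)])) % 26]
        for i, c in enumerate(clear))

def repeat_distances(cipher, n=3):
    """Distances between all pairs of positions holding the same n-letter sequence."""
    positions = defaultdict(list)
    for i in range(len(cipher) - n + 1):
        positions[cipher[i:i + n]].append(i)
    return [b - a for pos in positions.values() for a, b in combinations(pos, 2)]

def kasiski_key_length(cipher, max_len=20):
    """Candidate K that divides the most repeat distances; the largest K wins a tie."""
    dists = repeat_distances(cipher)
    votes = {k: sum(d % k == 0 for d in dists) for k in range(2, max_len + 1)}
    best = max(votes.values())
    if best == 0:
        return None  # no usable repetitions: not enough cipher text for this attack
    return max(k for k, v in votes.items() if v == best)

def columns(cipher, k):
    """Every Kth letter; each column is one monoalphabetic cipher."""
    return [cipher[i::k] for i in range(k)]

# Constructed sample input: the clear text of the Vigenere slide, three times,
# separated by filler so that the copies start 28 and 35 letters apart.
SENTENCE = "thisisacleartextwhichiwrote"
CLEAR = SENTENCE + "a" + SENTENCE + "secretly" + SENTENCE
CIPHER = vigenere(CLEAR, "keyword")

if __name__ == "__main__":
    print(sorted(set(repeat_distances(CIPHER))))
    k = kasiski_key_length(CIPHER)
    print("likely key length:", k)
    for col in columns(CIPHER, k):
        print(col)
```

Each column printed at the end is the input for the letter-frequency analysis of the previous slide.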

Page 6: Cryptoanalysis

Statistical analysis can be made stronger by having all frequencies of two, three and four letter combinations in a language. A machine can be used to find the best match.

• Statistical analysis using simple letter or letter combination frequencies is too elementary.

• A more advanced method is to calculate some invariants.

• Let us look at this way to proceed: calculating invariants, such as Kappa, Chi and Phi.

• There are statistical tests, such as Friedman’s Kappa-test and Kullback’s Phi-test, based on these invariants.

• (These researchers helped Americans to break Japanese codes in the Second World War.)

• Usually you would have a computer to do the testing.

Page 7: Cryptoanalysis

• Kappa and Chi

• Let us consider two texts: $T = (t_1, t_2, \ldots, t_M)$ and $U = (u_1, u_2, \ldots, u_M)$.

• Kappa is the coincidence of letters: $\mathrm{Kappa}(T, U) = \sum_{i=1}^{M} \delta(t_i, u_i) / M$, where $\delta(t_i, u_i)$ is 1 if the two letters are the same and 0 otherwise.

• Different languages have different typical values for Kappa:

• Language   N    Kullback (1976)   Eyraud (1953)

• English    26   6.61%             6.75%

• German     26   7.62%             8.20%

• French     26   7.78%             8.00%

• Russian    32   5.29%             4.70%

• Spanish    26   7.76%             7.69%

• Kappa can thus identify the language for a substitution cipher.

Page 8: Cryptoanalysis

• Chi is defined as follows. Consider the texts $T = (t_1, t_2, \ldots, t_M)$ and $U = (u_1, u_2, \ldots, u_M)$.

• Let $m_i$ and $n_i$ be the numbers of times the letters $x_i$ and $y_i$ occur in $T$ and $U$.

• Definition: $\mathrm{Chi}(T, U) = \sum_{i=1}^{N} m_i n_i / M^2$

• where $N$ is the number of letters in the alphabet of the language.

• Let us also define $\mathrm{Psi}(T) = \mathrm{Chi}(T, T)$.

• Let $T^{(r)}$ designate a cyclic permutation of $T$ to the right (take the first letter and move it to be the last, repeat r times).

• The Kappa-Chi Theorem states that $\frac{1}{M} \sum_{r=0}^{M-1} \mathrm{Kappa}(T^{(r)}, U) = \mathrm{Chi}(T, U)$

Page 9: Cryptoanalysis

• Let us define $\mathrm{Phi}(T) = \sum_{i=1}^{N} m_i (m_i - 1) / (M (M - 1))$

• The Kappa-Phi Theorem states that $\frac{1}{M-1} \sum_{r=1}^{M-1} \mathrm{Kappa}(T^{(r)}, T) = \mathrm{Phi}(T)$

• One can show that:

• Phi will not change in transpositions.

• Phi will not change in monoalphabetic substitutions.

• Chi (and Psi) of two texts with the same length, created with the same cipher, will not change in monoalphabetic substitutions, nor in transpositions.
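
The invariants Kappa, Chi and Phi and the two theorems above, checked with exact fractions in Python. This is an added example, not part of the original lecture: the two sample texts and the substitution table are constructed, the key is the "keyword" of the Vigenère slide, and the function names are illustrative.

```python
from collections import Counter
from fractions import Fraction

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def kappa(t, u):
    """Share of positions where two texts of equal length M coincide."""
    return Fraction(sum(a == b for a, b in zip(t, u)), len(t))

def chi(t, u):
    """Sum over the alphabet of m_i * n_i, divided by M^2."""
    m, n = Counter(t), Counter(u)
    return Fraction(sum(m[x] * n[x] for x in m), len(t) ** 2)

def phi(t):
    """Sum over the alphabet of m_i * (m_i - 1), divided by M * (M - 1)."""
    counts = Counter(t).values()
    return Fraction(sum(c * (c - 1) for c in counts), len(t) * (len(t) - 1))

def rotate(t, r):
    """T^(r): take the first letter and move it to be the last, r times."""
    return t[r:] + t[:r]

def mean_kappa(t, u, shifts):
    """Average of Kappa(T^(r), U) over the shifts r."""
    shifts = list(shifts)
    return sum(kappa(rotate(t, r), u) for r in shifts) / len(shifts)

def vigenere(clear, key):
    """cipher_letter = (clear_letter + key_letter) modulo 26."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + ALPHABET.index(key[i % len(key)])) % 26]
        for i, c in enumerate(clear))

# Constructed sample texts of equal length M = 27 and a constructed substitution table
T = "thisisacleartextwhichiwrote"
U = "kappacanidentifythelanguage"
SUBST = str.maketrans(ALPHABET, ALPHABET[::-1])
M = len(T)

if __name__ == "__main__":
    print(mean_kappa(T, U, range(M)) == chi(T, U))            # Kappa-Chi theorem
    print(mean_kappa(T, T, range(1, M)) == phi(T))            # Kappa-Phi theorem
    print(phi(T.translate(SUBST)) == phi(T[::-1]) == phi(T))  # Phi is invariant
    C = vigenere(T, "keyword")
    print(float(phi(T)), float(phi(C)))      # Phi of the whole text drops
    print([phi(C[k::7]) == phi(T[k::7]) for k in range(7)])   # but not per column
```

Phi of the whole Vigenère cipher text falls towards the value for random letters, while every 7th-letter column keeps the Phi of its clear text, which is what the Phi-test uses to confirm a key length.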

Page 10: Cryptoanalysis

• Renyi’s entropy concept:

$$\mathrm{Psi}_\alpha(T) = \begin{cases} \left( \sum_{i=1}^{N} (m_i/M)^{\alpha} \right)^{1/(\alpha-1)} & \text{if } 1 < \alpha < \infty \\ \exp\left( \sum_{i=1}^{N} (m_i/M) \ln(m_i/M) \right) & \text{if } \alpha = 1 \\ \max_{i=1}^{N} (m_i/M) & \text{if } \alpha = \infty \end{cases}$$

• $-\log_2 \mathrm{Psi}_\alpha(T)$ is called Renyi’s $\alpha$-entropy

• Example, for a sample text of 280 characters in English one may measure e.g.

$-\log_2 \mathrm{Psi}_1(T) = 4.095$, $-\log_2 \mathrm{Psi}_2(T) = 3.850$, $-\log_2 \mathrm{Psi}_\infty(T) = 2.959$

These characteristic numbers are typically invariant and can find the language, maybe more, maybe even identify the text.

Page 11: Cryptoanalysis

• In the Second World War time...

• The Japanese embassy code was used in a way leading to a compromise using these kinds of invariants.

• Letters had a formal structure, so it was possible to guess many words, and formal beginnings or endings to letters.

• Furthermore, when a letter was addressed to the USA, it was handed out in clear text in exactly the same form it was received in cryptotext, thus Americans got clear text, cipher text pairs.

• Now it is rather easy to see that statistical invariants identifying a text may help a good way in deciphering.

Page 12: Cryptoanalysis

• A good attack against some polyalphabetic substitution algorithms is also the missing match attack. We first must guess that somewhere in the clear text there is some known, reasonably long word, like bombing.

• Polyalphabetic substitution ciphers never encrypt any letter to the same letter.

• We shift the known word to the right in the clear text and try to find a place where no letter matches with the known word and the cipher text.

• This may be the cipher text for the word. Then some letters are guessed and deciphering gets easier.

• If there are many matches, we need a computer to investigate all cases.

• Naturally, we do not need to know the known word, but may try to guess what there could be.

Page 13: Cryptoanalysis

• A pure transposition cipher simply changes the order of letters.

• Though there are not so many combinations (N!) in a cipher text of length N if N is small, there is one problem:

• We can go through all combinations, but there may be several possible clear texts that could be the answers.

• This is because a pure transposition is an anagram and anagrams do not have a unique answer.

• Example: Newton once wrote to Leibniz $a^{7} c^{2} d^{2} e^{14} f^{2} i^{7} l^{3} m^{1} n^{8} o^{4} q^{3} r^{2} s^{4} t^{8} v^{12} x^{1}$

• It may mean: "data aequatione quodcumque fluentes quantitates involvente, fluxiones invenire et vice versa"

• but who knows, and besides, who knows what Newton meant with the phrase in Latin anyway.

• Clearly, transposition may strengthen a cryptoalgorithm.

Page 14: Cryptoanalysis

• De Viaris’s attack against the encryption of Bazeries is yet another example of how some polyalphabetic substitution ciphers can be broken.

• The encryption is made using 20 tables (or wheels) and on each wheel there are 20 letters. A table may contain the same letter several times and thus cannot contain all letters.

• The tables are moved to some starting point determined by the key. Encryption starts at some table and moves to the next table for the next letter.

• In De Viaris’s attack you try to find such a starting place for the tables that all letters in the cipher text could have been produced by the encryption device. There will not be so many such places. This attack is simple, but illustrates how the encryption device’s specific structure influences cryptoanalysis.

Page 15: Cryptoanalysis

• Linear cryptoanalysis

• Uses densities of letter combinations and a linear transform in order to get the key.

• Example:

• FDYSW IJXNZ NSNRE NHUWA WMIEJ EXWASX

• ISIGO JNTBD BWDPU ....

• Convert letters to numbers and group them by three

• 5 2 24 18 22 8 9 23 13 25 13 18 13 17 4 13 7 20

• 22 0 22 12 8 4 8 4 23 4 18 8 13 19 1 3 1 22 3 15 20

• ...

Page 16: Cryptoanalysis

• Let us assume that we notice that some combinations appear often, like 13 17 4, 22 0 22 and 6 16 9. If this is English, German or French, the ending /ation is the most common. Thus we may suppose that these combinations are /ati, /tio and /ion.

• These combinations in numbers are 0 19 8, 19 8 14 and 8 14 13. Let us try to find a linear transform X so that:

$$\begin{pmatrix} 0 & 19 & 8 \\ 19 & 8 & 14 \\ 8 & 14 & 13 \end{pmatrix} X = \begin{pmatrix} 22 & 0 & 22 \\ 6 & 16 & 9 \\ 13 & 17 & 4 \end{pmatrix} \pmod{26}$$

• Thus we get

$$X = \begin{pmatrix} 12 & 8 & 17 \\ 8 & 18 & 24 \\ 13 & 19 & 14 \end{pmatrix} = \begin{pmatrix} M & I & R \\ I & S & Y \\ N & T & O \end{pmatrix}$$

Clearly, we found the key Ministry o(f).

In practice this is harder.

Page 17: Cryptoanalysis

• There are many more classical cryptoanalytic methods.

• Most of the classical methods do not work with modern ciphers.

• Two methods are currently used with symmetric algorithms: linear cryptoanalysis and differential cryptoanalysis.

• Linear cryptoanalysis is a variant of the method described before with letter-based ciphers.

• Differential cryptoanalysis studies the differences in cipher text if the clear text is changed very little, or vice versa.

• Both methods have been shown to work with DES, but they reduce attacks on DES from a brute force attack of $10^{56}$ trials only to $10^{47}$ and $10^{42}$ respectively.

• The way DES is broken in practice is by brute force.

Page 18: Cryptoanalysis

• Brute force is thus a way to crack symmetric cryptoalgorithms with too short keys, and it can be done e.g. with thousands of computers on the Internet.

• With public key cryptosystems the question is more involved. There is no known lower bound of complexity for breaking a public key cryptosystem.

• They are thought to be based on hard mathematical problems, but mathematicians solve hard, long-lasting problems every now and then.

• Cryptoanalysis is no longer very useful for cracking good cryptoalgorithms; fortunately, they are sometimes used incorrectly. An unlucky case of incorrect usage may cause the algorithm to be compromised.

Page 19: Cryptoanalysis

• One such case was with ENIGMA: the same text was encrypted twice and the double encipherment created flaws that cryptoanalysts could take advantage of.

• The present situation in cryptoanalysis, apart from some lucky errors leading to compromises, is that good algorithms cannot be cracked before the key sizes become too small.

• Key sizes are chosen small, maybe for better performance, but some claim the key size is chosen small enough so that the intelligence services of some countries can open them.

• According to one article in Signal magazine, Americans have not been able to decrypt Soviet ciphers after they were modernized.

• Secret information has been obtained all the time, but by theft, bribery or blackmail.

• This lecture was based on: Friedrich L. Bauer: Decrypted Secrets, 3rd edition, Springer, 2002.