session 1 classical cryptography. basic concepts cryptology – kryptos=secret + logos=(word,...

Session 1

Classical Cryptography

Basic concepts

• Cryptology – kryptos=secret + logos=(word,

language, meaning, science)

• Cryptology = Cryptography + Cryptanalysis– Opposite and complementary at the

same time

2/71

Basic concepts

• Cryptography – develops methods of encipherment in

order to protect information.

• Cryptanalysis – breaks these methods in order to

reconstruct the original information.

3/71

The general cryptographic procedure

A

Plaintext

KEY

decipher

decrypt

Cryptanalysis

Ciphertextencipher

Plaintext

KEY

B

4/71

Classification of cryptosystems• Secret key cryptography (symmetric)

– Shared key (secret), delivered to both parties in advance via a secure channel.

– Classification of symmetric ciphers• Stream ciphers• Block ciphers

5/71

Classification of cryptosystems

• Public key cryptography (asymmetric)– The key is reconstructed from the secret

part and the public part. – The secure channel is not needed.

6/71

Symmetric cryptography

• Stream ciphers– The transformation is applied to every

symbol of the original message (e.g. to every bit of the message).

• Block ciphers– The transformation is applied to a group

of symbols of the original message (e.g. to groups of 128 bits).

7/71


• Stream ciphers– Can be very fast– Used mainly in government applications

(military, police etc.)– Civilian applications, too (e.g. in Web

browsers)– Export limitations often make good

stream ciphers unsuitable for public use.

8/71


• Block ciphers– Slower and less secure than stream

ciphers (in general)– No implementation and export

limitations– It is possible to build a stream cipher

starting from a block cipher– There exists a “standard” block cipher -

AES– Used a lot in practice.

9/71

Classical cipher systems

• Transposition– A fixed permutation of n letters of the

plaintext– The plaintext is divided into groups

(blocks!) of length n– The permutation is applied to each group– This is a primitive block cipher

• The permutation is fixed – the permutation is the key

• Statistics of the plaintext are preserved on output - bad!

10/71


• Transposition - example

Groups of 4 letters (n=4)

Transposition: ( )1 2 3 4

4 3 2 1

Plaintext: C L A S S I C A L S Y S T E M S

Ciphertext: S A L C A C I S S Y S L S M E T

11/71


• Substitution– Monoalphabetic

• Each occurrence of the same symbol of the plaintext is substituted with the same symbol.

– Polyalphabetic• Each occurrence of the same symbol of the

plaintext is substituted with a different symbol that depends on the key.

12/71


• Substitution – example

• This is a monoalphabetic substitution– Example: an “A” is always substituted with

a “P”.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

P L O K N M J U I B V G Y T F C X D R E S Z W A Q H

Plaintext: T H I S I S A N E X A M P L E

Ciphertext: E U I R I R P T N A P Y C G N

13/71


• Caesar’s cipher (monoalphabetic) (1st century B.C.)

– The substitution is obtained by a cyclic shift of the original Roman alphabet (23 letters) by 3 to the left.

A B C D E F G H I K L M N O P Q R S T V X Y Z

D E F G H I K L M N O P Q R S T V X Y Z A B C

Gaius Julius Caesar,

100-44 B.C.

14/71


• Caesar’s cipher– Mathematical representation:

– Example:

,2,1,3,1,0

23mod

izBA

zxy

i

iii

Plaintext X V I N I V I D I V I N C I

Key Z D D D D D D D D D D D D D

Ciphertext Y Z M Q M Z M G M Z M Q F M

15/71


• Vigenère’s cipher (polyalphabetic) (1586)– Mathematical representation (26 letters

alphabet):• Encipherment:• Decipherment:

– Example: key Z=(L,O,U,P)

26modiii zxy

26modiii zyx

,B,A 10

Plaintext X P A R I S V A U T B I E N U N E M E S S E

Key Z L O U P L O U P L O U P L O U P L O U P L

Ciphertext Y A O L X D J U J E P C T Y I H T X S M H P

16/71


• Vigenère’s cipher - manual enciphering– Letter encoding:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Ay

LzPx

i

ii

026mod1115:letterCiphertext

11:letterKey15:letterPlaintext

Px

LzAy

i

ii

1526mod1126mod110:letterPlaintext

11:letterKey0:letterCiphertext

Enciphering:

Deciphering:

Note that the modulus of a negative value is computed by repeatedly adding the base until a positive value is obtained.

17/71


• Vigenère’s cipher

Blaise de Vigenère (1523-1596)

18/71

Vigenère’s tableA B C D E F G H I J K L M N O P Q R S T U V W X Y Z

B C D E F G H I J K L M N O P Q R S T U V W X Y Z A

C D E F G H I J K L M N O P Q R S T U V W X Y Z A B

D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

E F G H I J K L M N O R Q R S T U V W X Y Z A B C D

F G H I J K L M N O P Q R S T U V W X Y Z A B C D E

G H I J K L M N O P Q R S T U V W X Y Z A B C D E F

H I J K L M N O P Q R S T U V W X Y Z A B C D E F G

I J K L M N O P Q R S T U V W X Y Z A B C D E F G H

J K L M N O P Q R S T U V W X Y Z A B C D E F G H I

K L M N O P Q R S T U V W X Y Z A B C D E F G H I J

L M N O P Q R S T U V W X Y Z A B C D E F G H I J K

M N O P Q R S T U V W X Y Z A B C D E F G H I J K L

N O P Q R S T U V W X Y Z A B C D E F G H I J K L M

O P Q R S T U V W X Y Z A B C D E F G H I J K L M N

P Q R S T U V W X Y Z A B C D E F G H I J K L M N O

Q R S T U V W X Y Z A B C D E F G H I J K L M N O P

R S T U V W X Y Z A B C D E F G H I J K L M N O P Q

S T U V W X Y Z A B C D E F G H I J K L M N O P Q R

T U V W X Y Z A B C D E F G H I J K L M N O P Q R S

U V W X Y Z A B C D E F G H I J K L M N O P Q R S T

V W X Y Z A B C D E F G H I J K L M N O P Q R S T U

W X Y Z A B C D E F G H I J K L M N O P Q R S T U V

X Y Z A B C D E F G H I J K L M N O P Q R S T U V W

Y Z A B C D E F G H I J K L M N O P Q R S T U V W X

Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

19/71


• Beaufort’s cipher (polyalphabetic) (1857)– Mathematical representation (26 letters

alphabet):• Encipherment:• Decipherment:

– Example: key Z=(W,I,N,D)

26modiii xzy

26modiii yzx ,B,A 10

Plaintext T H I S I S T H E S A M E O L D S T U F F

Key W I N D W I N D W I N D W I N D W I N D W

Ciphertext D B F L O Q U W S Q N R S U C A E P T Y R

Encipherment and decipherment are the same (involution)

Sir Francis Beaufort (1774-1857)

20/71


• Beaufort’s cipher - manual enciphering– Letter encoding:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Dy

WzTx

i

ii

326mod1922:letterCiphertext

22:letterKey19:letterPlaintext

Tx

WzDy

i

ii

1926mod322:letterPlaintext

22:letterKey3:letterCiphertext

Enciphering:

Deciphering:

21/71

Beaufort’s tableA B C D E F G H I J K L M N O P Q R S T U V W X Y Z

B C D E F G H I J K L M N O P Q R S T U V W X Y Z A

C D E F G H I J K L M N O P Q R S T U V W X Y Z A B

D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

E F G H I J K L M N O R Q R S T U V W X Y Z A B C D

F G H I J K L M N O P Q R S T U V W X Y Z A B C D E

G H I J K L M N O P Q R S T U V W X Y Z A B C D E F

H I J K L M N O P Q R S T U V W X Y Z A B C D E F G

I J K L M N O P Q R S T U V W X Y Z A B C D E F G H

J K L M N O P Q R S T U V W X Y Z A B C D E F G H I

K L M N O P Q R S T U V W X Y Z A B C D E F G H I J

L M N O P Q R S T U V W X Y Z A B C D E F G H I J K

M N O P Q R S T U V W X Y Z A B C D E F G H I J K L

N O P Q R S T U V W X Y Z A B C D E F G H I J K L M

O P Q R S T U V W X Y Z A B C D E F G H I J K L M N

P Q R S T U V W X Y Z A B C D E F G H I J K L M N O

Q R S T U V W X Y Z A B C D E F G H I J K L M N O P

R S T U V W X Y Z A B C D E F G H I J K L M N O P Q

S T U V W X Y Z A B C D E F G H I J K L M N O P Q R

T U V W X Y Z A B C D E F G H I J K L M N O P Q R S

U V W X Y Z A B C D E F G H I J K L M N O P Q R S T

V W X Y Z A B C D E F G H I J K L M N O P Q R S T U

W X Y Z A B C D E F G H I J K L M N O P Q R S T U V

X Y Z A B C D E F G H I J K L M N O P Q R S T U V W

Y Z A B C D E F G H I J K L M N O P Q R S T U V W X

Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

22/71


• Electromechanical devices– The principal drawback of the systems

that used tables was their inefficiency at enciphering/deciphering long texts.

– At the same time, the need to process long texts increased.

– In the beginning of the 20th century, technology advanced enough to enable design of electromechanical cryptographic devices.

23/71


• The ENIGMA machine– Patented in 1918 by Arthur Scherbius, a

German engineer.– Used extensively by the Germans in the

World War II.– Essentially, this was a multiple

substitution cipher that achieved a considerably higher number of possible combinations to search in the process of cryptanalysis than the older ciphers.

24/71


• The ENIGMA machine– All the machines of this kind consisted

of wheels.

M

Q

Rotor machines – principle of operation

25/71


• The ENIGMA machine– Some wheels were fixed (stators) and

some were mobile (rotors). – ENIGMA consisted of two fixed wheels

(the entry wheel and the reflector) and 3 or 4 rotors.

– Rotors could be selected out of a number of rotors (usually 3 out of 5).

26/71


• The ENIGMA machine– The choice of the rotors, as well as their

ordering constituted a part of the key. – All the rotors had contacts on both sides,

through which current was flowing. – Each contact corresponded to a letter of

the alphabet and the contacts on both sides of a rotor were connected by a special wiring – monoalphabetic substitution.

27/71


• The ENIGMA machine– Due to a special kind of stepping motion

of the wheels, not all the wheels rotated the same number of shifts at enciphering different letters.

– There was one wheel that moved with every single letter to be enciphered, and the other wheels moved more slowly and irregularly.

28/71


• The ENIGMA machine– Current positions of the contacts on the

wheels determined the substitution of the given (typed) letter – long period of the output sequence.

29/71


• The ENIGMA machine– Some variants of ENIGMA also included a

permutation (plugboard) that was realized through wiring, and that permutation occasionally changed.

– The role of the plugboard was to change the letter that was actually typed to some other letter (depending on the permutation) before and after the electric current entered the wheels.

30/71


• The ENIGMA machine– What distinguished the ENIGMA machine

from the other electromechanical cryptographic machines was the use of the reflector - a special stator that was redirecting the flow of the current back through the rotors by a different route.

– The reflector ensures that the ENIGMA machine is self-reciprocal, i.e. the enciphering and the deciphering transformations are the same.

31/71


• The ENIGMA machine– However, by introducing the reflector,

substituting the given letter with itself was disabled.

– That introduced a small bias in the statistics of the letter sequence produced by the machine that enabled the cryptanalysis.

32/71

The ENIGMA machine

Source: http://en.wikipedia.org/wiki/Enigma_machine

33/71


• The Vernam cipher (1917) (One-time pad)– Key: binary random sequence used only

once.– Mathematical representation:

• Encipherment:• Decipherment:

– Example - plaintext: come soon (Encoding ITA-2)

iii zxy

iii zyx

0 1

0 0 1

1 1 0

Plaintext 01110 11000 11100 00001 00100 00101 11000 11000 01100

Key 11011 00101 01011 00110 01111 10110 10101 01100 10010

Ciphertext 10101 11101 10111 00111 01011 10011 01101 10100 11110

34/71


• The Vernam cipher was a cipher intended to be used on teletype writers.

• Because of that, the key storage medium was a paper tape of the same type as the tape that was used for storing the messages.

35/71


• The message had to be encoded first, and the teletype writer itself performed this transformation.

• Every teletype writer implemented some encoding and the most widespread one was International Telegraph Alphabet No 2 (ITA-2).

36/71


• ITA-2Binary Decimal LETTERS NUMBERS Binary Decimal

LETTERS NUMBERS --------------------------------------------------------------------------------------------------------- 00000 0 BLANK BLANK 10000 16 T 5 00001 1 E 3 10001 17 Z " 00010 2 LF LF 10010 18 L ) 00011 3 A - 10011 19 W 2 00100 4 SP SP 10100 20 H # 00101 5 S BELL 10101 21 Y 6 00110 6 I 8 10110 22 P 0 00111 7 U 7 10111 23 Q 1 01000 8 CR CR 11000 24 O 9 01001 9 D $ 11001 25 B ? 01010 10 R 4 11010 26 G & 01011 11 J ‘ 11011 27 FIGS FIGS 01100 12 N , 11100 28 M . 01101 13 F ! 11101 29 X / 01110 14 C : 11110 30 V ; 01111 15 K ( 11111 31 LTRS LTRS 37/71

Cryptographic security

• How much security a cipher system offers?– This question implies that there is a

measure of security.– It is not easy to define such a measure.

• A desirable property of a cipher system would be that a cryptanalyst should not be able to decrypt the plaintext by trying all the possible keys.

• But this does not necessarily provide high level of security.

38/71


• Example: any monoalphabetic cipher– 26 letters alphabet– Each key (a permutation of the

alphabet) equally likely– Relatively long plaintext (>25 letters for

English)

39/71


• Example (cont.): – 1 ns (10-9s) to check one out of 26!

possible keys– Then we need 1.281010 years to try all

the keys.– Is the system secure? No!– We can break it by statistical means,

without trying any key.

40/71


• Suppose that the cryptanalyst does actually have resources (i.e. time) to try all the keys.

• Can he/she determine the plaintext?• Not necessarily!

– It is possible (this depends on the cipher system) that the cryptanalyst cannot decide which plaintext was sent even after trying all the possible keys.

41/71


• Theoretical security (perfect secrecy)– The system is secure against an attacker

with unlimited time and computational resources.

• Example: The Vernam cipher (One-time pad).

• Practical security– The system is secure against an attacker

with limited time and computational resources.

• Example: The RSA cryptosystem. 42/71


• Perfect secrecy (Shannon, 1949)– A cryptosystem is perfectly secret if:

• The plaintext X is statistically independent on the cryptogram Y for all the possible plaintexts and all the possible cryptograms, i.e.

P(X = x | Y = y) = P(X = x)

– This is achieved if:• There is exactly 1 key transforming each

plaintext to each cryptogram.• All the keys are equally likely.

43/71


• Is perfect secrecy practically achievable?– Example:

• A cipher with X, Y, Z{0,1,…,L-1}n

• All the keys are equally likely• The enciphering transformation:

• The number of keys/plaintexts/ciphertexts is Ln.

n,,i,Lzxy iii 1mod

44/71


• Example (cont.)– Then there is exactly one key

transforming each plaintext to each cryptogram.

– Even if the cryptanalyst can try all the possible keys, there is no way of telling whether the obtained plaintext is the right one or not, since all the plaintexts obtained by trying the keys will belong to the set X.

45/71


• Example: L=4, n=1• If we receive the cryptogram y1

and try all the possible keys, we get all the plaintexts (x1,…,x4).

• Then we still do not know which plaintext is the right one.

• The same happens if the other possible cryptograms (y2,…,y4) are received.

• Thus this cipher system is perfectly secret.

46/71


• What happens if n grows?– The number of keys/plaintexts/ciphertexts is Ln.– But meaningful texts usually represent only an

infinitesimal part of the set X with Ln elements.– This means that after trying all the possible

keys, the cryptanalyst will get a (relatively) small number of meaningful plaintexts.

– The longer the n, the smaller the number of meaningful plaintexts obtained in this process.

47/71


• What is the minimum length n0 of the cryptogram needed for the cryptanalyst to get only 1 meaningful plaintext after trying all the possible keys?

• n0 is called unicity distance.

• n0 depends on the properties of the language. To quantify them (and compute n0) we need the concept of entropy.

48/71


• Shannon’s entropy– The cryptanalyst has to make a decision

• He/she is faced with a set of possible events.• Each of these events has an associated

probability.• The only logical choice is to accept the event

with the highest probability.• If the event with the highest probability is not

unique, the choice is made at random among the events that have equal this highest probability.

49/71


• Shannon’s entropy– The confidence with which the

cryptanalyst makes the decision depends on how much the probability of the chosen event exceeds the probabilities of other events.

– A quantitative measure of this confidence is called entropy – the measure of uncertainty of the system – the higher the confidence, the less the uncertainty.

50/71


• Shannon’s entropy– Requirements for the entropy function H:

• If all the events are equally likely, then a purely random guess is made and there is no confidence in the decision whatsoever – the uncertainty (the entropy function) reaches its maximum.

• If one event has probability 1 and all the others have probability zero, then the confidence in the decision reaches its maximum – and the entropy function reaches its minimum (0).

51/71


• Shannon’s entropy– Definition of Shannon’s entropy (the

discrete case):• Given a discrete random variable T, where t T

is any of its possible outcomes

• This function clearly satisfies the requirements for the entropy function.

Tt

tptpTH 2log

52/71


• Shannon’s entropy– Example: binary variable T{0,1}

53/71


• Shannon’s entropy– In cryptography:

• Message entropy

• Key entropy

Xx

xpxpXH 2log

Zz

zpzpZH 2log

54/71


• Conditional entropy (equivocation)– The message entropy tells us about the

confidence with which we can predict that a particular message will be transmitted.

– Usually, we have some a priori information

• We have already intercepted some material.• We want to know, given this material, how

confidently we can predict that a given message was sent / given key was used.

55/71


• Conditional entropy (equivocation)– For any set of cryptograms Y and any

positive integer n, let Yn denote the set of cryptograms of length n in Y.

– Let p(x,y) be the joint probability that the plaintext x was sent and the cryptogram y was received.

– Let p(x|y) be the a posteriori probability that the plaintext x was sent if y was received.

56/71


• Conditional entropy (equivocation)– The conditional entropy of the plaintext

– With p(y,z) and py(z) defined analogously, we have for the conditional entropy of the key:

nYyXx

n y|xpy,xpY|XH 2log

nYyZz

n y|zpz,ypY|ZH 2log

57/71


• Let X, Y, Z{0,1,…,L-1}n

– The cardinality of X, Y, Z is Ln.– We can write, where .– plaintexts of length n can be divided

into 2 groups:• The meaningful plaintexts

– All the plaintexts in this group have approximately equal probabilities, which are much higher than the probabilities of the members of the other group.

• The meaningless plaintexts.

nrnL 02 Lr 20 lognr02

58/71


• The number of meaningful messages is where

• rn is the entropy of the plaintext source per letter – the rate of the language.

n

Y|XHr nn

nrn2

59/71


• The probability that a plaintext chosen at random is meaningful is

• Since all the keys are equally likely, decrypting a cryptogram y by trying all the possible keys leads to a random selection of plaintexts, i.e. the probability of obtaining a meaningful plaintext in this process is

nn rrnnrnr 00 22

nrrn 02

60/71


• In natural languages, like English or Norwegian, rn is very small compared to r0.

• The redundancy of the language

• A high redundancy of the language is not desirable for the cryptographer.

nn rrd 0

61/71


• In natural languages, n is not constant.

• But as n grows, rn tends to a constant r – the true rate of the language.

• The corresponding value for dn is

• Since all the keys are equally likely

rrd 0

ZHY|ZH n

62/71


• We can now compute the unicity distance

• The value of r needed for computing d is obtained in an experimental way.

• r1.5 for English (Hellman, 1974).

d

ZHn 0

63/71


• n0 is a good measure of security.

• In a completely secure system n.• How to achieve this?

– Remove the meaningless plaintexts – this means remove redundancy.

– This cannot be achieved completely in practice, but redundancy can be considerably reduced by source coding.

64/71


• Security of monoalphabetic ciphers.– The statistical properties of the plaintext

are reflected exactly in the ciphertext.– The statistical methods of cryptanalysis

use the statistical properties of the language in which the message has been written.

65/71


• Letter statistics – EnglishE 12.70%

T 9.06%

A 8.17%

O 7.51%

I 6.97%

N 6.75%

S 6.33%

H 6.09%

R 5.99%

D 4.25%

L 4.03%

C 2.78%

U 2.76%

M 2.41%

66/71


• Letter statistics – EnglishW 2.36%

F 2.23%

G 2.02%

Y 1.97%

P 1.93%

B 1.49%

V 0.98%

K 0.77%

J 0.15%

X 0.15%

Q 0.10%

Z 0.07%

Source: Cipher Systems – Henry Beker, Fred Piper, Northwood Books, 1982.

67/71


• Letter statistics – NorwegianE 17%

N, R 9%

T 8%

S 7%

I, L 6%

A, D, K 5%

G, O 4%

M 3%

F, P, U, V 2%

B, H, J, Y, Æ, Ø, Å 1%

C, Q, W, X, Z <1%

Source: Kryptografi – Ben Johnsen, Tapir Akademisk Forlag, Trondheim, 2005.

68/71


• Security of the Vigenère cipher– Kasiski (1863): Repetition of a certain group of

letters in the cryptogram originating from the same group of letters in the plaintext takes place at a distance equal to a multiple of the length of the key word – the incidence of the coincidences.

– By studying these repetitions, it is possible to determine the length K of the key word.

– Then the original cryptogram can be decomposed into simple monoalphabetic cryptograms.

69/71


• Example: K=5

– We try possible lengths of the key (K=1,2,3,…) and count the number of coincidences when we compare the cryptogram with the shifted version of it by K.

– If we guess K=5, we get the major number of coincidences.

PETER LEGRAND IS A GOOD FRIEND OF NAPOLEON LEGRAND

EDGAR EDGARED GA R EDGA REDGAR ED GAREDGAR EDGARED

THZEI PHMRRRG OS R KRUD WVLKNU SI TAGSOKOE PHMRRRG

70/71


• Example (cont.)– Then we use the statistical attack for

decrypting monoalphabetic ciphers, where the cryptogram is obtained by picking the letters at the 1st, 6th, 11th, etc. position in the original cryptogram, then from 2nd, 7th, 12th, etc.

– Thus the problem of cryptanalysis of the Vigenère cipher is reduced to K problems of monoalphabetic cipher cryptanalysis.

71/71

session 1 classical cryptography. basic concepts cryptology – kryptos=secret + logos=(word,...

Documents

classical cryptography

s s i c

plaintext key b

c i s sy s

standard block cipher

letters n

key statistics

good stream ciphers