1 / 58

Classical Cryptography

Classical Cryptography. Outline. [1] Introduction: Some Simple Cryptosystems <1> The Shift Cipher <2> The Substitution Cipher <3> The Affine Cipher <4> The Vigen è re Cipher <5> The Hill Cipher <6> The Permutation Cipher <7> Stream Ciphers [2] Cryptanalysis

pstephanie
Download Presentation

Classical Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Classical Cryptography

  2. Outline • [1] Introduction: Some Simple Cryptosystems • <1> The Shift Cipher • <2> The Substitution Cipher • <3> The Affine Cipher • <4> The Vigenère Cipher • <5> The Hill Cipher • <6> The Permutation Cipher • <7> Stream Ciphers • [2] Cryptanalysis • <1> Cryptanalysis of the Affine Cipher • <2> Cryptanalysis of the Substitution Cipher • <3> Cryptanalysis of the Vigenère Cipher • <4> Cryptanalysis of the Hill Cipher • <5> Cryptanalysis of the LFSR Stream Cipher

  3. Oscar x y x Alice encrypter decrypter Bob secure channel K key source Classical Cryptography • [1] Introduction

  4. Classical Cryptography • Definition 1.1: A cryptosystem is a five-tuple (P,C,K,E,D) satisfies • P is a finite set of possible plaintexts • C is a finite set of possible ciphertexts • K, the keyspace, is a finite set of possible keys • For each K∈K, there is an encryption rule eK∈E and a corresponding decryption rule dK∈D • dK(eK(x))=x for every plaintext x∈P

  5. Classical Cryptography • Definition 1.2: a and b are integers, m is a positive integer • congruence: a≡b (mod m) if m divides b-a • Zm: the set {0,1,…,m-1} • with 2 operations + and ☓ • 10+20=4 in Z26 (10+20 mod 26=4) • 10☓20=18 in Z26 (10☓20 mod 26=18)

  6. Classical Cryptography • <1> Shift Cipher • Cryptosystem 1.1: Shift Cipher • P = C =K = Z26 • K, x, y ∈Z26 • eK(x)=(x+K) mod 26 • dK(y)=(y-K) mod 26

  7. Classical Cryptography • eg.: Suppose K=11 • Plaintext: student • Ciphertext: DEFOPZE

  8. Classical Cryptography • <2> Substitution Cipher • Cryptosystem 1.2: Substitution Cipher • P=C=Z26 • K: all possible permutations of the 26 symbols • For each p∈K • ep(x)=p(x) • dp(y)=p-1(y) where p-1 is the inverse permutation to p

  9. Classical Cryptography • eg.: • Plaintext: student • Ciphertext: VMUSHSM

  10. Classical Cryptography • <3> Affine Cipher • Theorem 1.1: ax≡b (mod m) has a unique solution x∈Zm for every b∈Zm iff gcd(a,m)=1 • Definition 1.3: Suppose a≥1 and m≥2 are integers • a and m are relatively prime if gcd(a,m)=1 • f(m): the number of integers in Zm that are relatively prime to m • Theorem 1.2: Suppose

  11. Classical Cryptography • Definition 1.4: Suppose a∈Zm • a-1 mod m: the multiplicative inverse of a modulo m • aa-1≡a-1a≡1 (mod m) • Cryptosystem 1.3: Affine Cipher • P = C = Z26 • K={(a,b) ∈Z26☓Z26 : gcd(a,26)=1} • For K=(a,b)∈K ; x, y∈Z26 • eK(x)=(ax+b) mod 26 • dK(y)=a-1(y-b) mod 26

  12. Classical Cryptography • e.g.: Suppose K=(7,3) • 7-1 mod 26 = 15 • Plaintext: student • Ciphertext: ZGNYFQG eK(x)=(7x+3) mod 26 dK(y)=15(y-3) mod 26

  13. Classical Cryptography • <4> Vigenère Cipher • Cryptosystem 1.4: Vigenère Cipher • m: a positive integer • P = C = K = (Z26)m • For a key K=(k1,k2,…,km) • eK(x1,x2,…,xm)=(x1+k1,x2+k2,…,xm+km) • dK(y1,y2,…,ym)=(y1-k1,y2-k2,…,ym-km)

  14. Classical Cryptography • e.g.: Suppose m=4 and K=(2,8,15,7) • Plaintext: student • Ciphertext: UBJKGVI

  15. Classical Cryptography • <5> Hill Cipher • Definition 1.5: Suppose A=(ai,j) is an m☓m matrix • Ai,j: the matrix obtained from A by deleting the ith row and the jth column • det A: the determinant of A • m=1: det A=a1,1 • m>1: for any fixed i • A*=(a*i,j): the adjoint matrix of A • a*i,j=(-1)i+jdet Aj,i

  16. Classical Cryptography • Theorem 1.3: Suppose K=(ki,j) is an m☓m invertible matrix over Zn • K-1=(det K)-1K* • e.g.: • det K=11☓7-8☓3 mod 26=1 • K-1=(det K)-1K*=

  17. Classical Cryptography • Cryptosystem 1.5: Hill Cipher • M ≥ 2 is an integer • P = C = (Z26)m • K = {m☓m invertible matrices over Z26} • For a key K • eK(x)=xK • dK(y)=yK-1 where K-1 is the inverse of K

  18. Classical Cryptography • e.g.: • Plaintext: GOD (6 14 3) • Ciphertext: WTJ (22 19 9)

  19. Classical Cryptography • <6> Permutation Cipher • Cryptosystem 1.6: Permutation Cipher • m is a positive integer • P = C = (Z26)m • K consist of all permutations of {1,…,m} • For a key(a permutation) p • ep(x1,…,xm)=(xp(1),…,xp(m)) where p-1 is the inverse permutation to p

  20. Classical Cryptography • e.g.: Suppose m=6 • Plaintext: CYBERFORMULA • Ciphertext: BRCFEYMLOAUR

  21. Classical Cryptography • <7> Stream Ciphers • Definition 1.6: A synchronous stream cipher is a tuple (P,C,K,L,E,D) with a function g • P: a finite set of possible plaintexts • C: a finite set of possible ciphertexts • K: a finite set of possible keys • L: a finite set called the keystream alphabet • g: the keystream generator • Input: K • g generates an infinite string z1z2…

  22. Classical Cryptography • Definition 1.6 (cont.) • For each z∈L, there is an encryption rule ez∈E and a corresponding decryption rule dZ∈D • dz(ez(x))=x for every plaintext x∈P

  23. Classical Cryptography • Vigenère Cipher can be defined as a synchronous stream cipher • K= (Z26)m • P = C = L = Z26 • ez(x)=(x+z) mod 26 • dz(y)=(y-z) mod 26

  24. Classical Cryptography • Keystream can be produced efficiently in hardware using a LFSR (Linear Feedback Shift Register) • k1 would be tapped as the next keystream bit • k2,…km would each be shifted 1 stage to the left • The new value of km would be this is “linear feedback“ (see Figure 1.2) • This system is mudulo 2

  25. + k1 k2 k3 k4 Classical Cryptography • e.g.: in Figure 1.2,suppose K=(1,0,0,0) • c0=1, c1=1, c2=0, c3=0 • The keystream is 100010011010111… Figure 1.2

  26. Classical Cryptography • Non-synchronous stream cipher: • Each keystream element zi depends on previous plaintext or ciphertext elements • Cryptosystem 1.7: Autokey Cipher • P = C = K = L = Z26 • z1=K, zi=xi-1 for all i>1 • For x, y, z ∈Z26 • ez(x)=(x+z) mod 26 • dz(y)=(y-z) mod 26

  27. Classical Cryptography • e.g.: Suppose K=8 • Plaintext: student • Ciphertext: ALNXHRG

  28. Classical Cryptography • [2] Cryptanalysis • Assumption:(Kerckhoffs’ principle) The opponent knows the cryptosystem being used • Attack models: • ciphertext only attack • known plaintext attack • chosen plaintext attack • chosen ciphertext attack

  29. Classical Cryptography • Statistical properties of the English language: (see Table 1.1) • E: probability about 0.120 • T, A, O, I, N, S, H, R: between 0.06 and 0.09 • D, L: 0.04 • C, U, M, W, F, G, Y, P, B: between 0.015 and 0.028 • V, K, J, X, Q, Z: 0.01 • Most common digrams: • TH, HE, IN, ER, AN, ND, … • Most common trigrams: • THE, ING, AND, END, …

  30. Classical Cryptography Table 1.1

  31. Classical Cryptography • <1> Cryptanalysis of the Affine Cipher • Ciphertext obtained form an Affine Cipher: • FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH • Frequency analysis: Table 1.2 • Most frequent ciphertext characters: • R: 8 occurrences • D: 7 occurrences • E,H,K: 5 occurrences • We now guess the mapping and solve the equation eK(x)=ax+b mod 26

  32. Classical Cryptography Table 1.2

  33. Classical Cryptography • Guess e→R,t→D • eK(4)=17, eK(19)=3 • a=6, b=19 • ILLEGAL (gcd(a,26)>1) • Guess e→R,t→E • eK(4)=17, eK(19)=4 • a=13, b=17 • ILLEGAL (gcd(a,26)>1) • Guess e→R,t→H • eK(4)=17, eK(19)=7 • a=8, b=11 • ILLEGAL (gcd(a,26)>1)

  34. Classical Cryptography • Guess e→R,t→K • eK(4)=17, eK(19)=10 • a=3, b=5 • LEGAL • dK(y)=9y-19 • Plaintext: • algorithmsarequitegeneraldefinitionsofarithmeticprocesses

  35. Classical Cryptography • <2> Crytanalysis of the Substitution Cipher • Ciphertext obtained from a Substitution Cipher • YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZNZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR • Frequency analysis: Table 1.3 • Z occurs most: guess dK(Z)=e • occur at least 10 times: C,D,F,J,M,R,Y • These are encryptions of {t,a,o,i,n,s,h,r} • But the frequencies do not vary enough to guess

  36. Classical Cryptography Table 1.3

  37. Classical Cryptography • We now look at digrams: -Z or Z- • 4 times: DZ,ZW • Guess dK(W)=d: ed→ZW • 3 times: NZ,ZU • Guess dk(N)=h: he→NZ • We have ZRW: guess dk(R)=n, end→ZRW • We have CRW: guess dk(C)=a, and→CRW • We have RNM, which decrypts to nh- • Suggest h- begins a word: M should be a vowel • We have CM: guess dK(M)=i (ai is more likely than ao)

  38. Classical Cryptography • We have DZ(4 times) and ZD(2 times) • Guess dK(D)∈{r,s,t} • Since o is a common letter • Guess eK(o)∈{F,J,Y} • We have CFM and CJM: guess dK(Y)=o (aoi is impossible) • Guess NMD→his : dK(D)=s • Guess HNCMF→chair: dK(H)=c, dK(F)=r • dK(J)=t: the→JNZ

  39. Classical Cryptography • Now easy to determine the others

  40. Classical Cryptography • <3> Cryptanalysis of the Vigenère Cipher • Kasaski test (1863) (Find m only): • Search the ciphertext for pairs of identical segments (length at least 3) • Record the distance between the starting positions of the 2 segments • If we obtain several such distances d1,d2,…, we would conjecture that the key length m divides all of the di’s • m divides the gcd of the di’s

  41. Classical Cryptography • Friedman test (1925) • Definition 1.7: • Suppose x=x1x2…xn is a string of n alphabetic characters • Index of coincidence of x, denoted IC(x): the probability that 2 random elements of X are identical • We denote the frequencies of A,B,..,Z in x by f0,f1,…,f25

  42. Classical Cryptography • Using the expected probabilities in Table 1.1 p0,…,p25: the expected probability of A,…,Z • Suppose a ciphertext Y=y1y2…yn • Define m substrings of Y1,…,Ym of Y • Each value IC(Yi) should be roughly equal to 0.065

  43. Classical Cryptography • If m is not the keyword length • Yi will look much more random • A completely random string will have

  44. Classical Cryptography • Ciphertext obtained from a Vigenere Cipher • CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBWRVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAKLXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELXVRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHRZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJTAMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBIPEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHPWQAIIWXNRMGWOIIFKEE • CHR occurs in 5 places: 1,166,236,276,286 • The distances from the 1st one: 165,235,275,285 • g.c.d. is 5: we guess m=5 (by Kasaski test)

  45. Classical Cryptography • We check the indices of coincidences: • m=1: IC(Y)=0.045 • m=2: IC(Y1)=0.046, IC(Y2)=0.041 • m=3: IC=0.043, 0.050, 0.047 • m=4: IC=0.042, 0.039, 0.046, 0.040 • m=5: IC=0.063, 0.068, 0.069, 0.061, 0.072 • By Friedman test, m=5

  46. Classical Cryptography • Now we want to determine the key K=(k1,k2,…,km) • f0,f1,…f25: the frequencies of A,B,…,Z • n’=n/m: the length of the string Yi • The probability distribution of the 26 letters in Yi: • Yi is obtained by shift encryption using a shift ki • We hope that the shifted probability distribution would be close to p0,…,p25

  47. Classical Cryptography • Define the quantity Mg: for 0 ≤ g ≤ 25 • If g=ki , • If g≠ki , Mg will smaller than 0.065 • Return to the previous example: • Computes the values Mg, for 1≤i≤5 (Table 1.4) • For each i, look for a value of Mg close to 0.065 • From Table 1.4: K=(9,0,13,4,19) • The keyword is JANET

More Related