Upload
abhijeet
View
219
Download
0
Embed Size (px)
Citation preview
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 138
March 23 2006 1
Cryptography and Network Security
Lecture 2 Classical encryption
Ion PetreIon PetreAcademy of Finland andAcademy of Finland andDepartment of IT Aringbo Akademi UniversityDepartment of IT Aringbo Akademi University
Spring 2006httpwwwabofi~ipetrecrypto
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 238
March 23 2006 2
Part I Cryptography
Will cover more than half of this course
I1 Secret-key cryptography
Also called symmetric or conventional cryptography Five ingredients
Plaintext Encryption algorithm runs on the plaintext and the encryption key to yield the ciphertext Secret key an input to the encryption algorithm value independent of the plaintext
different keys will yield different outputs Ciphertext the scrambled text produced as an output by the encryption algorithm Decryption algorithm runs on the ciphertext and the key to produce the plaintext
Requirements for secure conventional encryption Strong encryption algorithm
An opponent who knows one or more ciphertexts would not be able to find the plaintexts or the key Ideally even if he knows one or more pairs plaintext-ciphertext he would not be able to find the key
Sender and receiver must share the same key Once the key is compromised allcommunications using that key are readable
It is impractical to decrypt the message on the basis of the ciphertext plus the knowledgeof the encryption algorithm encryption algorithm is not a secret
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 338
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 438
March 23 2006 4
Caesar Cipher
It is a typical substitution cipher and the oldest known ndash attributed to JuliusCaesar
Simple rule replace each letter of the alphabet with the letter standing 3places further down the alphabet Example
MEET ME AFTER THE TOGA PARTY
PHHW PH DIWHU WKH WRJD SDUWB Here the key is 3 ndash choose another key to get a different substitution The alphabet is wrapped around so that after Z follows A
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 538
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 638
March 23 2006 6
Attacking Caesar
Caesar can be broken if we only know one pair (plain letterencrypted letter) The difference between them is the key
Caesar can be broken even if we only have the encrypted text andno knowledge of the plaintext Brute-force attack is easy there are only 25 keys possible Try all 25 keys and check to see which key gives an intelligible message
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 738
March 23 2006 7
From Stallings ndash ldquoCryptography andNetwork Securityrdquo
Why is Caesar easy to break
Only 25 keys to try The language of the
plaintext is known and easilyrecognizable What if the language is
unknown What if the plaintext is a
binary file of an unknownformat
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 838
March 23 2006 8
Strengthening Caesar monoalphabetic ciphers
Caesar only has 25 possible keys ndash far from secure Idea instead of shifting the letters with a fixed amount how about allowing
any permutation of the alphabetPlain abcdefghijklmnopqrstuvwxyz
Cipher DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext if we wish to replace letters
Ciphertext WI RF RWAJ UH YFTSDVF SFUUFYA
This is called monoalphabetic susbstitution cipher ndash a single alphabet isused
The increase in the number of keys is dramatic 26 ie more than 4x1026possible keys
Compare DES only has an order of 1016 possible keys
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 938
March 23 2006 9
How large is large
Adapted from Handbook of Applied Cryptography (AMenezes Pvan Oorschot SVanstone) 1996
Reference Order of magnitude
Seconds in a year asymp 3 x 107
Age of our solar system (years) asymp 6 x 109
Seconds since creation of solar system asymp 2 x 1017
Clock cycles per year 3 GHz computer asymp 96 x 1016
Binary strings of length 64 264asymp 18 x 1019
Binary strings of length 128 2128asymp 34 x 1038
Binary strings of length 256 2256asymp 12 x 1077
Number of 75-digit prime numbers asymp 52 x 1072
Electrons in the universe asymp 837 x 1077
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1038
March 23 2006 10
Monoalphabetic ciphers
Having 1016 possible keys appears to make the system challengingdifficult to perform brute-force attacks
There is however another line of attack that easily defeats thesystem even when a relatively small ciphertext is known If the cryptanalyst knows the nature of the text eg noncompressed
English text then he can exploit the regularities of the language
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1138
March 23 2006 11
Language redundancy and cryptanalysis
Human languages are redundant
Letters are not equally commonly used In English E is by far the most common letter Follows TRNIOAS Other letters are fairly rare
See ZJKQX
Tables of single double amp triple letter frequencies exist Most common digram in English is TH
Most common trigram in English in THE
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 238
March 23 2006 2
Part I Cryptography
Will cover more than half of this course
I1 Secret-key cryptography
Also called symmetric or conventional cryptography Five ingredients
Plaintext Encryption algorithm runs on the plaintext and the encryption key to yield the ciphertext Secret key an input to the encryption algorithm value independent of the plaintext
different keys will yield different outputs Ciphertext the scrambled text produced as an output by the encryption algorithm Decryption algorithm runs on the ciphertext and the key to produce the plaintext
Requirements for secure conventional encryption Strong encryption algorithm
An opponent who knows one or more ciphertexts would not be able to find the plaintexts or the key Ideally even if he knows one or more pairs plaintext-ciphertext he would not be able to find the key
Sender and receiver must share the same key Once the key is compromised allcommunications using that key are readable
It is impractical to decrypt the message on the basis of the ciphertext plus the knowledgeof the encryption algorithm encryption algorithm is not a secret
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 338
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 438
March 23 2006 4
Caesar Cipher
It is a typical substitution cipher and the oldest known ndash attributed to JuliusCaesar
Simple rule replace each letter of the alphabet with the letter standing 3places further down the alphabet Example
MEET ME AFTER THE TOGA PARTY
PHHW PH DIWHU WKH WRJD SDUWB Here the key is 3 ndash choose another key to get a different substitution The alphabet is wrapped around so that after Z follows A
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 538
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 638
March 23 2006 6
Attacking Caesar
Caesar can be broken if we only know one pair (plain letterencrypted letter) The difference between them is the key
Caesar can be broken even if we only have the encrypted text andno knowledge of the plaintext Brute-force attack is easy there are only 25 keys possible Try all 25 keys and check to see which key gives an intelligible message
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 738
March 23 2006 7
From Stallings ndash ldquoCryptography andNetwork Securityrdquo
Why is Caesar easy to break
Only 25 keys to try The language of the
plaintext is known and easilyrecognizable What if the language is
unknown What if the plaintext is a
binary file of an unknownformat
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 838
March 23 2006 8
Strengthening Caesar monoalphabetic ciphers
Caesar only has 25 possible keys ndash far from secure Idea instead of shifting the letters with a fixed amount how about allowing
any permutation of the alphabetPlain abcdefghijklmnopqrstuvwxyz
Cipher DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext if we wish to replace letters
Ciphertext WI RF RWAJ UH YFTSDVF SFUUFYA
This is called monoalphabetic susbstitution cipher ndash a single alphabet isused
The increase in the number of keys is dramatic 26 ie more than 4x1026possible keys
Compare DES only has an order of 1016 possible keys
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 938
March 23 2006 9
How large is large
Adapted from Handbook of Applied Cryptography (AMenezes Pvan Oorschot SVanstone) 1996
Reference Order of magnitude
Seconds in a year asymp 3 x 107
Age of our solar system (years) asymp 6 x 109
Seconds since creation of solar system asymp 2 x 1017
Clock cycles per year 3 GHz computer asymp 96 x 1016
Binary strings of length 64 264asymp 18 x 1019
Binary strings of length 128 2128asymp 34 x 1038
Binary strings of length 256 2256asymp 12 x 1077
Number of 75-digit prime numbers asymp 52 x 1072
Electrons in the universe asymp 837 x 1077
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1038
March 23 2006 10
Monoalphabetic ciphers
Having 1016 possible keys appears to make the system challengingdifficult to perform brute-force attacks
There is however another line of attack that easily defeats thesystem even when a relatively small ciphertext is known If the cryptanalyst knows the nature of the text eg noncompressed
English text then he can exploit the regularities of the language
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1138
March 23 2006 11
Language redundancy and cryptanalysis
Human languages are redundant
Letters are not equally commonly used In English E is by far the most common letter Follows TRNIOAS Other letters are fairly rare
See ZJKQX
Tables of single double amp triple letter frequencies exist Most common digram in English is TH
Most common trigram in English in THE
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 338
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 438
March 23 2006 4
Caesar Cipher
It is a typical substitution cipher and the oldest known ndash attributed to JuliusCaesar
Simple rule replace each letter of the alphabet with the letter standing 3places further down the alphabet Example
MEET ME AFTER THE TOGA PARTY
PHHW PH DIWHU WKH WRJD SDUWB Here the key is 3 ndash choose another key to get a different substitution The alphabet is wrapped around so that after Z follows A
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 538
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 638
March 23 2006 6
Attacking Caesar
Caesar can be broken if we only know one pair (plain letterencrypted letter) The difference between them is the key
Caesar can be broken even if we only have the encrypted text andno knowledge of the plaintext Brute-force attack is easy there are only 25 keys possible Try all 25 keys and check to see which key gives an intelligible message
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 738
March 23 2006 7
From Stallings ndash ldquoCryptography andNetwork Securityrdquo
Why is Caesar easy to break
Only 25 keys to try The language of the
plaintext is known and easilyrecognizable What if the language is
unknown What if the plaintext is a
binary file of an unknownformat
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 838
March 23 2006 8
Strengthening Caesar monoalphabetic ciphers
Caesar only has 25 possible keys ndash far from secure Idea instead of shifting the letters with a fixed amount how about allowing
any permutation of the alphabetPlain abcdefghijklmnopqrstuvwxyz
Cipher DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext if we wish to replace letters
Ciphertext WI RF RWAJ UH YFTSDVF SFUUFYA
This is called monoalphabetic susbstitution cipher ndash a single alphabet isused
The increase in the number of keys is dramatic 26 ie more than 4x1026possible keys
Compare DES only has an order of 1016 possible keys
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 938
March 23 2006 9
How large is large
Adapted from Handbook of Applied Cryptography (AMenezes Pvan Oorschot SVanstone) 1996
Reference Order of magnitude
Seconds in a year asymp 3 x 107
Age of our solar system (years) asymp 6 x 109
Seconds since creation of solar system asymp 2 x 1017
Clock cycles per year 3 GHz computer asymp 96 x 1016
Binary strings of length 64 264asymp 18 x 1019
Binary strings of length 128 2128asymp 34 x 1038
Binary strings of length 256 2256asymp 12 x 1077
Number of 75-digit prime numbers asymp 52 x 1072
Electrons in the universe asymp 837 x 1077
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1038
March 23 2006 10
Monoalphabetic ciphers
Having 1016 possible keys appears to make the system challengingdifficult to perform brute-force attacks
There is however another line of attack that easily defeats thesystem even when a relatively small ciphertext is known If the cryptanalyst knows the nature of the text eg noncompressed
English text then he can exploit the regularities of the language
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1138
March 23 2006 11
Language redundancy and cryptanalysis
Human languages are redundant
Letters are not equally commonly used In English E is by far the most common letter Follows TRNIOAS Other letters are fairly rare
See ZJKQX
Tables of single double amp triple letter frequencies exist Most common digram in English is TH
Most common trigram in English in THE
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 438
March 23 2006 4
Caesar Cipher
It is a typical substitution cipher and the oldest known ndash attributed to JuliusCaesar
Simple rule replace each letter of the alphabet with the letter standing 3places further down the alphabet Example
MEET ME AFTER THE TOGA PARTY
PHHW PH DIWHU WKH WRJD SDUWB Here the key is 3 ndash choose another key to get a different substitution The alphabet is wrapped around so that after Z follows A
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 538
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 638
March 23 2006 6
Attacking Caesar
Caesar can be broken if we only know one pair (plain letterencrypted letter) The difference between them is the key
Caesar can be broken even if we only have the encrypted text andno knowledge of the plaintext Brute-force attack is easy there are only 25 keys possible Try all 25 keys and check to see which key gives an intelligible message
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 738
March 23 2006 7
From Stallings ndash ldquoCryptography andNetwork Securityrdquo
Why is Caesar easy to break
Only 25 keys to try The language of the
plaintext is known and easilyrecognizable What if the language is
unknown What if the plaintext is a
binary file of an unknownformat
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 838
March 23 2006 8
Strengthening Caesar monoalphabetic ciphers
Caesar only has 25 possible keys ndash far from secure Idea instead of shifting the letters with a fixed amount how about allowing
any permutation of the alphabetPlain abcdefghijklmnopqrstuvwxyz
Cipher DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext if we wish to replace letters
Ciphertext WI RF RWAJ UH YFTSDVF SFUUFYA
This is called monoalphabetic susbstitution cipher ndash a single alphabet isused
The increase in the number of keys is dramatic 26 ie more than 4x1026possible keys
Compare DES only has an order of 1016 possible keys
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 938
March 23 2006 9
How large is large
Adapted from Handbook of Applied Cryptography (AMenezes Pvan Oorschot SVanstone) 1996
Reference Order of magnitude
Seconds in a year asymp 3 x 107
Age of our solar system (years) asymp 6 x 109
Seconds since creation of solar system asymp 2 x 1017
Clock cycles per year 3 GHz computer asymp 96 x 1016
Binary strings of length 64 264asymp 18 x 1019
Binary strings of length 128 2128asymp 34 x 1038
Binary strings of length 256 2256asymp 12 x 1077
Number of 75-digit prime numbers asymp 52 x 1072
Electrons in the universe asymp 837 x 1077
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1038
March 23 2006 10
Monoalphabetic ciphers
Having 1016 possible keys appears to make the system challengingdifficult to perform brute-force attacks
There is however another line of attack that easily defeats thesystem even when a relatively small ciphertext is known If the cryptanalyst knows the nature of the text eg noncompressed
English text then he can exploit the regularities of the language
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1138
March 23 2006 11
Language redundancy and cryptanalysis
Human languages are redundant
Letters are not equally commonly used In English E is by far the most common letter Follows TRNIOAS Other letters are fairly rare
See ZJKQX
Tables of single double amp triple letter frequencies exist Most common digram in English is TH
Most common trigram in English in THE
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 538
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 638
March 23 2006 6
Attacking Caesar
Caesar can be broken if we only know one pair (plain letterencrypted letter) The difference between them is the key
Caesar can be broken even if we only have the encrypted text andno knowledge of the plaintext Brute-force attack is easy there are only 25 keys possible Try all 25 keys and check to see which key gives an intelligible message
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 738
March 23 2006 7
From Stallings ndash ldquoCryptography andNetwork Securityrdquo
Why is Caesar easy to break
Only 25 keys to try The language of the
plaintext is known and easilyrecognizable What if the language is
unknown What if the plaintext is a
binary file of an unknownformat
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 838
March 23 2006 8
Strengthening Caesar monoalphabetic ciphers
Caesar only has 25 possible keys ndash far from secure Idea instead of shifting the letters with a fixed amount how about allowing
any permutation of the alphabetPlain abcdefghijklmnopqrstuvwxyz
Cipher DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext if we wish to replace letters
Ciphertext WI RF RWAJ UH YFTSDVF SFUUFYA
This is called monoalphabetic susbstitution cipher ndash a single alphabet isused
The increase in the number of keys is dramatic 26 ie more than 4x1026possible keys
Compare DES only has an order of 1016 possible keys
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 938
March 23 2006 9
How large is large
Adapted from Handbook of Applied Cryptography (AMenezes Pvan Oorschot SVanstone) 1996
Reference Order of magnitude
Seconds in a year asymp 3 x 107
Age of our solar system (years) asymp 6 x 109
Seconds since creation of solar system asymp 2 x 1017
Clock cycles per year 3 GHz computer asymp 96 x 1016
Binary strings of length 64 264asymp 18 x 1019
Binary strings of length 128 2128asymp 34 x 1038
Binary strings of length 256 2256asymp 12 x 1077
Number of 75-digit prime numbers asymp 52 x 1072
Electrons in the universe asymp 837 x 1077
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1038
March 23 2006 10
Monoalphabetic ciphers
Having 1016 possible keys appears to make the system challengingdifficult to perform brute-force attacks
There is however another line of attack that easily defeats thesystem even when a relatively small ciphertext is known If the cryptanalyst knows the nature of the text eg noncompressed
English text then he can exploit the regularities of the language
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1138
March 23 2006 11
Language redundancy and cryptanalysis
Human languages are redundant
Letters are not equally commonly used In English E is by far the most common letter Follows TRNIOAS Other letters are fairly rare
See ZJKQX
Tables of single double amp triple letter frequencies exist Most common digram in English is TH
Most common trigram in English in THE
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 638
March 23 2006 6
Attacking Caesar
Caesar can be broken if we only know one pair (plain letterencrypted letter) The difference between them is the key
Caesar can be broken even if we only have the encrypted text andno knowledge of the plaintext Brute-force attack is easy there are only 25 keys possible Try all 25 keys and check to see which key gives an intelligible message
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 738
March 23 2006 7
From Stallings ndash ldquoCryptography andNetwork Securityrdquo
Why is Caesar easy to break
Only 25 keys to try The language of the
plaintext is known and easilyrecognizable What if the language is
unknown What if the plaintext is a
binary file of an unknownformat
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 838
March 23 2006 8
Strengthening Caesar monoalphabetic ciphers
Caesar only has 25 possible keys ndash far from secure Idea instead of shifting the letters with a fixed amount how about allowing
any permutation of the alphabetPlain abcdefghijklmnopqrstuvwxyz
Cipher DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext if we wish to replace letters
Ciphertext WI RF RWAJ UH YFTSDVF SFUUFYA
This is called monoalphabetic susbstitution cipher ndash a single alphabet isused
The increase in the number of keys is dramatic 26 ie more than 4x1026possible keys
Compare DES only has an order of 1016 possible keys
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 938
March 23 2006 9
How large is large
Adapted from Handbook of Applied Cryptography (AMenezes Pvan Oorschot SVanstone) 1996
Reference Order of magnitude
Seconds in a year asymp 3 x 107
Age of our solar system (years) asymp 6 x 109
Seconds since creation of solar system asymp 2 x 1017
Clock cycles per year 3 GHz computer asymp 96 x 1016
Binary strings of length 64 264asymp 18 x 1019
Binary strings of length 128 2128asymp 34 x 1038
Binary strings of length 256 2256asymp 12 x 1077
Number of 75-digit prime numbers asymp 52 x 1072
Electrons in the universe asymp 837 x 1077
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1038
March 23 2006 10
Monoalphabetic ciphers
Having 1016 possible keys appears to make the system challengingdifficult to perform brute-force attacks
There is however another line of attack that easily defeats thesystem even when a relatively small ciphertext is known If the cryptanalyst knows the nature of the text eg noncompressed
English text then he can exploit the regularities of the language
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1138
March 23 2006 11
Language redundancy and cryptanalysis
Human languages are redundant
Letters are not equally commonly used In English E is by far the most common letter Follows TRNIOAS Other letters are fairly rare
See ZJKQX
Tables of single double amp triple letter frequencies exist Most common digram in English is TH
Most common trigram in English in THE
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 738
March 23 2006 7
From Stallings ndash ldquoCryptography andNetwork Securityrdquo
Why is Caesar easy to break
Only 25 keys to try The language of the
plaintext is known and easilyrecognizable What if the language is
unknown What if the plaintext is a
binary file of an unknownformat
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 838
March 23 2006 8
Strengthening Caesar monoalphabetic ciphers
Caesar only has 25 possible keys ndash far from secure Idea instead of shifting the letters with a fixed amount how about allowing
any permutation of the alphabetPlain abcdefghijklmnopqrstuvwxyz
Cipher DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext if we wish to replace letters
Ciphertext WI RF RWAJ UH YFTSDVF SFUUFYA
This is called monoalphabetic susbstitution cipher ndash a single alphabet isused
The increase in the number of keys is dramatic 26 ie more than 4x1026possible keys
Compare DES only has an order of 1016 possible keys
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 938
March 23 2006 9
How large is large
Adapted from Handbook of Applied Cryptography (AMenezes Pvan Oorschot SVanstone) 1996
Reference Order of magnitude
Seconds in a year asymp 3 x 107
Age of our solar system (years) asymp 6 x 109
Seconds since creation of solar system asymp 2 x 1017
Clock cycles per year 3 GHz computer asymp 96 x 1016
Binary strings of length 64 264asymp 18 x 1019
Binary strings of length 128 2128asymp 34 x 1038
Binary strings of length 256 2256asymp 12 x 1077
Number of 75-digit prime numbers asymp 52 x 1072
Electrons in the universe asymp 837 x 1077
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1038
March 23 2006 10
Monoalphabetic ciphers
Having 1016 possible keys appears to make the system challengingdifficult to perform brute-force attacks
There is however another line of attack that easily defeats thesystem even when a relatively small ciphertext is known If the cryptanalyst knows the nature of the text eg noncompressed
English text then he can exploit the regularities of the language
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1138
March 23 2006 11
Language redundancy and cryptanalysis
Human languages are redundant
Letters are not equally commonly used In English E is by far the most common letter Follows TRNIOAS Other letters are fairly rare
See ZJKQX
Tables of single double amp triple letter frequencies exist Most common digram in English is TH
Most common trigram in English in THE
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 838
March 23 2006 8
Strengthening Caesar monoalphabetic ciphers
Caesar only has 25 possible keys ndash far from secure Idea instead of shifting the letters with a fixed amount how about allowing
any permutation of the alphabetPlain abcdefghijklmnopqrstuvwxyz
Cipher DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext if we wish to replace letters
Ciphertext WI RF RWAJ UH YFTSDVF SFUUFYA
This is called monoalphabetic susbstitution cipher ndash a single alphabet isused
The increase in the number of keys is dramatic 26 ie more than 4x1026possible keys
Compare DES only has an order of 1016 possible keys
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 938
March 23 2006 9
How large is large
Adapted from Handbook of Applied Cryptography (AMenezes Pvan Oorschot SVanstone) 1996
Reference Order of magnitude
Seconds in a year asymp 3 x 107
Age of our solar system (years) asymp 6 x 109
Seconds since creation of solar system asymp 2 x 1017
Clock cycles per year 3 GHz computer asymp 96 x 1016
Binary strings of length 64 264asymp 18 x 1019
Binary strings of length 128 2128asymp 34 x 1038
Binary strings of length 256 2256asymp 12 x 1077
Number of 75-digit prime numbers asymp 52 x 1072
Electrons in the universe asymp 837 x 1077
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1038
March 23 2006 10
Monoalphabetic ciphers
Having 1016 possible keys appears to make the system challengingdifficult to perform brute-force attacks
There is however another line of attack that easily defeats thesystem even when a relatively small ciphertext is known If the cryptanalyst knows the nature of the text eg noncompressed
English text then he can exploit the regularities of the language
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1138
March 23 2006 11
Language redundancy and cryptanalysis
Human languages are redundant
Letters are not equally commonly used In English E is by far the most common letter Follows TRNIOAS Other letters are fairly rare
See ZJKQX
Tables of single double amp triple letter frequencies exist Most common digram in English is TH
Most common trigram in English in THE
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 938
March 23 2006 9
How large is large
Adapted from Handbook of Applied Cryptography (AMenezes Pvan Oorschot SVanstone) 1996
Reference Order of magnitude
Seconds in a year asymp 3 x 107
Age of our solar system (years) asymp 6 x 109
Seconds since creation of solar system asymp 2 x 1017
Clock cycles per year 3 GHz computer asymp 96 x 1016
Binary strings of length 64 264asymp 18 x 1019
Binary strings of length 128 2128asymp 34 x 1038
Binary strings of length 256 2256asymp 12 x 1077
Number of 75-digit prime numbers asymp 52 x 1072
Electrons in the universe asymp 837 x 1077
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1038
March 23 2006 10
Monoalphabetic ciphers
Having 1016 possible keys appears to make the system challengingdifficult to perform brute-force attacks
There is however another line of attack that easily defeats thesystem even when a relatively small ciphertext is known If the cryptanalyst knows the nature of the text eg noncompressed
English text then he can exploit the regularities of the language
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1138
March 23 2006 11
Language redundancy and cryptanalysis
Human languages are redundant
Letters are not equally commonly used In English E is by far the most common letter Follows TRNIOAS Other letters are fairly rare
See ZJKQX
Tables of single double amp triple letter frequencies exist Most common digram in English is TH
Most common trigram in English in THE
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1038
March 23 2006 10
Monoalphabetic ciphers
Having 1016 possible keys appears to make the system challengingdifficult to perform brute-force attacks
There is however another line of attack that easily defeats thesystem even when a relatively small ciphertext is known If the cryptanalyst knows the nature of the text eg noncompressed
English text then he can exploit the regularities of the language
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1138
March 23 2006 11
Language redundancy and cryptanalysis
Human languages are redundant
Letters are not equally commonly used In English E is by far the most common letter Follows TRNIOAS Other letters are fairly rare
See ZJKQX
Tables of single double amp triple letter frequencies exist Most common digram in English is TH
Most common trigram in English in THE
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1138
March 23 2006 11
Language redundancy and cryptanalysis
Human languages are redundant
Letters are not equally commonly used In English E is by far the most common letter Follows TRNIOAS Other letters are fairly rare
See ZJKQX
Tables of single double amp triple letter frequencies exist Most common digram in English is TH
Most common trigram in English in THE
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1238
March 23 2006 12
English Letter Frequencies
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1338
March 23 2006 13
Cryptanalysis of monoalphabetic ciphers
Key concept - monoalphabetic substitution ciphers do not change relativeletter frequencies
Discovered by Arabs in the 9th
century Calculate letter frequencies for ciphertext Compare countsplots against known values
Most frequent letter in the ciphertext may well encrypt E
The next one could encrypt T or A After relatively few tries the system is broken If the ciphertext is relatively short (and so the frequencies are not fully relevant)
then more guesses may be needed
Powerful tool look at the frequency of two-letter combinations (digrams)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1438
March 23 2006 14
Example of cryptanalysis
Ciphertext
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies P is the most frequent (1333) followed byZ (1167) S (833) U (833) O (75) M (667) H (583) etc Guess P and Z stand for E and T but the order is not clear because of small
difference in the frequency The next set of letters SU O M H may stand for A H I N O R S but again it
is not completely clear which is which One may try to guess and see how the text translates Also a good guess is that ZW the most common digram in the ciphertext is TH the
most common digram in English thus ZWP is THE Proceed with trial and error and finally get after inserting the proper blanks
it was disclosed yesterday that several informal but direct contacts havebeen made with political representatives of the viet cong in moscow
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1538
March 23 2006 15
Some conclusions after this cryptanalysis
Monoalphabetic ciphers are easy to break because they reflect thefrequency of the original alphabet Essential to know the original alphabet
Countermeasure provide multiple substitutes for a given letter Highly frequent letters such as E could be encrypted using a larger number of
letters than less frequent letters such as Z to encrypt E one could choose eitherone of say 15 fixed letters and to encrypt Z one could choose either one of say2 fixed letters
The number of encryptions for a letter may be proportional with the frequencyrate in the original language (English)
This should (intuitively) hide the frequency information Wrong Multiple-letter patterns (digrams trigrams etc) survive in the text
providing a tool for cryptanalysis Each element of the plaintext only affects one element in the ciphertext Longer text needed for breaking the system
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1638
March 23 2006 16
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once
2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
Consider both these approaches in the following
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1738
March 23 2006 17
Playfair Cipher
The Playfair Cipher is an example of multiple-letter encryption Invented by Sir Charles Wheatstone in 1854 but named after his
friend Baron Playfair who championed the cipher at the Britishforeign office
Based on the use of a 5x5 matrix in which the letters of the alphabetare written (I is considered the same as J) This is called key matrix
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1838
March 23 2006 18
Playfair key matrix
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (no duplicates)
Left to right top to bottom Fill the rest of matrix with the other letters in alphabetic order
Eg using the keyword MONARCHY we obtain the following matrixM O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 1938
March 23 2006 19
Encrypting and decrypting with Playfair
The plaintext is encrypted two letters at a time
1 Break the plaintext into pairs of two consecutive letters2 If a pair is a repeated letter insert a filler like Xlsquo in the plaintext eg balloon is
treated as ba lx lo on3 If both letters fall in the same row of the key matrix replace each with the letter
to its right (wrapping back to start from end) eg ldquoAR encrypts as RM4 If both letters fall in the same column replace each with the letter below it (again
wrapping to top from bottom) eg ldquoMU encrypts to CM
5 Otherwise each letter is replaced by the one in its row in the column of the otherletter of the pair eg ldquoHS encrypts to BP and ldquoEA to IM or JM (as desired)
Decryption works in the reverse direction The examples above are based on this key matrix
M O N A R M O N A R
C H Y B D C H Y B D
E F G I K E F G I K
L P Q S T L P Q S T
U V W X Z U V W X Z
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2038
March 23 2006 20
Security of Playfair
Security much improved over monoalphabetic There are 26 x 26 = 676 digrams
Needs a 676 entry digram frequency table to analyse (vs 26 for amonoalphabetic) and correspondingly more ciphertext
Widely used for many years (eg US amp British military in WW I otherallied forces in WW II)
Can be broken given a few hundred letters Still has much of plaintext structure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2138
March 23 2006 21
Measures to hide the structure of the plaintext
1 Encrypt multiple letters of the plaintext at once2 Use more than one substitution in encryption and decryption
(polyalphabetic ciphers )
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2238
March 23 2006 22
Polyalphabetic substitution ciphers
Idea use different monoalphabetic substitutions as one proceedsthrough the plaintext
Makes cryptanalysis harder with more alphabets (substitutions) toguess and flattens frequency distribution
A key determines which particular substitution is used in each step Example the Vigenegravere cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2338
March 23 2006 23
Vigenegravere Cipher
Proposed by Giovan Batista Belaso (1553) and reinvented by Blaisede Vigenegravere (1586) called ldquole chiffre indeacutechiffrablerdquo for 300 years
Effectively multiple Caesar ciphers Key is a word K = k1 k2 kd Encryption
Read one letter t from the plaintext and one letter k from the key
t is encrypted according to the Caesar cipher with key k When the key word is finished start the reading of the key from the beginning
Decryption works in reverse Example key is ldquobcderdquo ldquotestingrdquo is encrypted as ldquougvxjpjrdquo
Note that the two lsquotrsquo are encrypted by different letters lsquoursquo and lsquoxrsquo The two lsquo jrsquo in the cryptotext come from different plain letters lsquoirsquo and lsquo jrsquo
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2438
March 23 2006 24
Plaintext letters here
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2538
March 23 2006 25
Vigenere tableauA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Example
bull write the plaintext out
bull write the keyword repeated above it
bull use each key letter as a Caesar cipher key
bull encrypt the corresponding plaintext letter
bull eg using keyword deceptive
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZICVTWQNGRZGVTWAVZHCQYGLMGJ
K
e y l e t t e r s h e
r e
f h
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2638
March 23 2006 26
Security of Vigenegravere Ciphers
Its strength lays in the fact that each plaintext letter has multipleciphertext letters
Letter frequencies are obscured (but not totally lost) Breaking Vigenegravere
If we need to decide if the text was encrypted with a monoalphabeticcipher or with Vigenegravere Start with letter frequencies See if it ldquolooksrdquo monoalphabetic or not the frequencies should be those of
letters in English texts If not then it is Vigenegravere
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2738
March 23 2006 27
Breaking Vigenegravere the Kasiski Method (cryptotext only)
Method developed by Babbage (1854) Kasiski (1863) Famous incident with breaking the Zimmerman telegram (Jan 16 1917)
We need to find the key word and for this we first find its length Idea if the length is N then the letters on positions 1 N+1 2N+1 3N+1 etc are encrypted with
Caesar same for letters on positions i N+i 2N+i 3N+i etc where i runs from 1 to N Clearly if we deduce the length of the key word then breaking the system is easy break N
Caesar systems
Finding the length of the key word If plaintext starts with ldquotherdquo (encrypted say by ldquoXYZrdquo) and ldquotherdquo also occurs starting from
position N+1 then 2nd occurrence of ldquotherdquo will also be encrypted by ldquoXYZrdquo Idea repetitions in ciphertext give clues to period Approach find a piece of ciphertext that is repeated several times (say at distance 6 9 18 9
from each other) If they really come from the same piece of plaintext then the length of the key word will be a
divisor of all those distances (in our example the length of the key word must be 3)
Example
plain wearediscoveredsaveyourself
key deceptivedeceptivedeceptive
cipher ZIC VTWQNGRZG VTW AVZHCQYGLMGJ
I Vi egrave k
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2838
March 23 2006 28
Improvement on Vigenegravere autokey system
If the key were as long as the message then the system would bedefended against the previous attack
Vigenegravere proposed the autokey cipher the keyword is followed by the message itself (see example bellow) Decryption
Knowing the keyword can recover the first few letters Use these in turn on the rest of the message
Note the system still has frequency characteristics to attack and can berather easily defeated
Example the key is deceptive
Weakness plaintext and key share the same statistical distribution of
letters
plaintext wearediscoveredsaveyourself
key deceptivewearediscoveredsav
ciphertext ZICVTWQNGKZEIIGASXSTSLVVWLA
O Ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 2938
March 23 2006 29
One-Time pad
The idea of the autokey system can be extended to create an
unbreakable system one-time pad Idea use a (truly) random key as long as the plaintext It is unbreakable since the ciphertext bears no statistical
relationship to the plaintext Moreover for any plaintext amp any ciphertext there exists a key
mapping one to the other Thus a ciphertext can be decrypted to any plaintext of the same length
The cryptanalyst is in an impossible situation
S it f th ti d
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3038
March 23 2006 30
Security of the one-time pad
The security is entirely given by the randomness of the key If the key is truly random then the ciphertext is random A key can only be used once if the cryptanalyst is to be kept in the
ldquo darkrdquo
Problems with this ldquoperfectrdquo cryptosystem Making large quantities of truly random characters is a significant
task Key distribution is enormously difficult for any message to be sent a
key of equal length must be available to both parties
Oth r t h i f r pti tr p iti
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3138
March 23 2006 31
Other technique of encryption transpositions
We have considered so far substitutions to hide the plaintext eachletter is mapped into a letter according to some substitution
Different idea perform some sort of permutation on the plaintextletters Hide the message by rearranging the letter order without altering the
actual letters used
The simplest such technique rail fence technique
Rail Fence cipher
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3238
March 23 2006 32
Rail Fence cipher
Idea write plaintext letters diagonally over a number of rows thenread off cipher row by row
Eg with a rail fence of depth 2 to encrypt the text ldquomeet me afterthe toga partyrdquo write message out asm e m a t r h t g p r y
e t e f e t e o a a t
Ciphertext is read from the above row-by-rowMEMATRHTGPRYETEFETEOAAT
Attack this is easily recognized because it has the same frequencydistribution as the original text
Row transposition ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3338
March 23 2006 33
Row transposition ciphers
More complex scheme row transposition Write letters of message out in rows over a specified number of columns Reading the cryptotext column-by-column with the columns permuted
according to some key
Example ldquoattack postponed until two amrdquo with key 4312567 first readthe column marked by 1 then the one marked by 2 etc
Key 4 3 1 2 5 6 7
Plaintext a t t a c k p
o s t p o n ed u n t i l t
w o a m x y z
If we number the letters in the plaintext from 1 to 28 then the result ofthe first encryption is the following permutation of letters from plaintext03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 Note the regularity of that sequence Easily recognized
Ciphertext TTNAAPTMTSUOAODWCOIXKNLYPETZ
Iterating the encryption makes it more secure
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3438
March 23 2006 34
Iterating the encryption makes it more secure
Idea use the same scheme once more to increase security
Key 4 3 1 2 5 6 7
Input T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
After the second transposition we get the following sequence of letters
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04 23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze
Output NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Product Ciphers
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3538
March 23 2006 35
Product Ciphers
Ciphers using substitutions or transpositions are not secure becauseof language characteristics
Idea using several ciphers in succession increases security However
two substitutions only make another (more complex) substitution two transpositions make another (more complex) transposition a substitution followed by a transposition makes a new much harder
cipher
This is the bridge from classical to modern ciphers
Rotor Machines
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3638
March 23 2006 36
Rotor Machines
Before modern ciphers rotor machines were most common product cipher Widely used in WW2
German Enigma Allied Hagelin Japanese Purple
Implemented a very complex varying substitution cipher Principle the machine has a set of independently rotating cylinders through whichelectrical impulses flow Each cylinder has 26 input pins and 26 output pins with internal wiring that connects each input
pin to a unique fixed output pin (one cylinder thus defines a monoalphabetic substitutioncipher)
The output pins of one cylinder are connected to the input pins of the next cylinder After each keystroke the last cylinder rotates one position and the others remain still After a complete rotation of the last cylinder (26 keystrokes) the cylinder before it rotates one
position etc 3 cylinders have a period of 263=17576 4 cylinders have a period of 456 976 5 cylinders have a period of 11 881 376
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3738
March 23 2006 37
The Enigma machine (pictures from Wikipedia)
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38
872019 Cryptography - lecture2
httpslidepdfcomreaderfullcryptography-lecture2 3838
March 23 2006 38