Classical cryptography1

CRYPTOSYSTEMS & CRYPTOSYSTEMS & AUTHENTICATIONAUTHENTICATION

Classical Cryptography-Substitution Ciphers-permutation Ciphers-Block Ciphers-DES Modes of Operation- AES-Linear Cryptanalysis, Differential Cryptanalysis- Hash Function -SHA 512- Message Authentication Codes-HMAC - Authentication Protocols

UNIT II

Objectives

0To introduce basic concepts & terminology of encryption

0To prepare us for studying modern cryptography

IFETCE/M.E CSE/NE7202-NIS/Unit 2

2

Overview

0Cryptography0Basic Terminology0Classical Cryptography

0 Substitution0 Transposition0 Product

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-3

What is Cryptography?

0 The idea of storing and transmitting data in a form that only the authorized parties can interpret.

0 Process of making and using codes to secure transmission of information


Cryptography

0 Can be characterized by:0 type of encryption operations used

0substitution / transposition / product

0 number of keys used0single-key or private / two-key or public

0 way in which plaintext is processed0block / stream


Basic terminology

0 Plaintext: original message to be encrypted

0 Ciphertext: the encrypted message

0 Enciphering or encryption: the process of converting plaintext into ciphertext

0 Encryption algorithm: performs encryption

0 Two inputs: a plaintext and a secret key


Basic terminology

0 Deciphering or decryption: recovering plaintext from ciphertext

0 Decryption algorithm: performs decryption0 Two inputs: ciphertext and secret key

0 Secret key: same key used for encryption and decryption0 Also referred to as a symmetric key





Cryptanalysis

0 Opponent whose goal is to break cryptosystem is the adversary

0 Objective: to recover the plaintext of a ciphertext or, more typically, to recover the secret key.

0 Kerkhoff’s principle: adversary knows algorithm used, but not key

0 Two general approaches:0 brute-force attack0 non-brute-force attack (cryptanalytic attack)


Brute-Force Attack0 Try every key to decipher the ciphertext.0 On average, need to try half of all possible keys 0 Time needed proportional to size of key space

Key Size (bits) Number of Alternative Keys

Time required at 1 decryption/µs

Time required at 106 decryptions/µs

32 232 = 4.3 109 231 µs = 35.8 minutes 2.15 milliseconds

56 256 = 7.2 1016 255 µs = 1142 years 10.01 hours

128 2128 = 3.4 1038 2127 µs = 5.4 1024 years 5.4 1018 years

168 2168 = 3.7 1050 2167 µs = 5.9 1036 years 5.9 1030 years

26 characters (permutation)

26! = 4 1026 2 1026 µs = 6.4 1012 years 6.4 106 years

Cryptanalytic Attacks

0 Classified by how much information needed by the attacker

0 Three types of attacks:0 Ciphertext only: adversary has only ciphertext; goal is to find

plaintext, possibly key. 0 Known plaintext: adversary has ciphertext, corresponding

plaintext; goal is to find key0 Chosen plaintext: adversary may supply plaintexts and obtain

corresponding ciphertext; goal is to find key0 Chosen-ciphertext attack: adversary may choose ciphertext

and corresponding decrypted plaintext ; goal is to find key


Ciphertext-only attack

0 Given: a ciphertext c 0 Q: what is the plaintext m?0 An encryption scheme is completely insecure if it

cannot resist ciphertext-only attacks.


Known-plaintext attack

0 Given: (m1,c1), (m2,c2), …, (mk,ck) and a new ciphertext c.

0 Q: what is the plaintext of c?0 Q: what is the secret key in use?


Chosen-plaintext attack

0 Given: (m1,c1), (m2,c2), …, (mk,ck), where m1, m2, …, mk are chosen by the adversary; and a new ciphertext c.

0 Q: what is the plaintext of c, or what is the secret key?


Chosen-Plaintext Attack

Crook #1 changeshis PIN to a numberof his choice

cipher(key,PIN)

PIN is encrypted andtransmitted to bank

Crook #2 eavesdropson the wire and learnsciphertext correspondingto chosen plaintext PIN

… repeat for any PIN value

Chosen-ciphertext attack

0 Given: (m1,c1), (m2,c2), …, (mk,ck), where c1, c2, …, ck are chosen by the adversary; and a new ciphertext c.

0 Q: what is the plaintext of c, or what is the secret key?


Basis for Attacks

0 Mathematical attacks0 Based on analysis of underlying mathematics

0 Statistical attacks0 Make assumptions about the distribution of letters,

pairs of letters (digrams), triplets of letters (trigrams), etc.0Called models of the language

0 Examine ciphertext, correlate properties with the assumptions.


Statistical Attack

0 Compute frequency of each letter in ciphertext:G 0.1 H 0.1 K 0.1 O 0.3

R 0.2 U 0.1 Z 0.1

0 Apply 1-gram model of English0 Frequency of characters (1-grams) in English is on next

slide


Cryptology

CRYPTOLOGY

CRYPTOGRAPHY CRYPTANALYSIS

Private Key(Secret Key)

Public Key

Block Cipher Stream Cipher Integer Factorization

Discrete Logarithm

More Definitions

0 Unconditional security 0 no matter how much computer power is available, the

cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext

0 Computational security 0 given limited computing resources (eg time needed for

calculations is greater than age of universe), the cipher cannot be broken

Cryptosystem

0 Quintuple (E, D, M, K, C)0 M set of plaintexts0 K set of keys0 C set of ciphertexts0 E set of encryption functions e: M K C0 D set of decryption functions d: C K M


Example

0Example: Cæsar cipher0M = { sequences of letters }0K = { i | i is an integer and 0 ≤ i ≤ 25 }

0E = { Ek | k K and for all letters m,

Ek(m) = (m + k) mod 26 }

0D = { Dk | k K and for all letters c,

Dk(c) = (26 + c – k) mod 26 }

0C = M


Ciphers0Symmetric cipher: same key used for

encryption and decryption

0Block cipher: encrypts a block of plaintext at a time

(typically 64 or 128 bits)

0Stream cipher: encrypts data one bit or one byte at

a time0Asymmetric cipher: different keys used for

encryption and decryptionIFETCE/M.E CSE/NE7202-NIS/Unit 2

25

Classical Cryptography

0Sender, receiver share common key0Keys may be the same, or trivial to derive

from one another0Sometimes called symmetric cryptography

0Two basic types0Transposition ciphers0Substitution ciphers0Combinations are called product ciphers



Classical Ciphers

0Plaintext is viewed as a sequence of elements (e.g., bits or characters)

0Substitution cipher: replacing each element of the plaintext with another element.

0Transposition (or permutation) cipher: rearranging the order of the elements of the plaintext.

0Product cipher: using multiple stages of substitutions and transpositions


28

Substitution Ciphers

0Change characters in plaintext to produce ciphertext

0Monoalphabetic Substitution0 Each plaintext character is mapped onto a unique

character of a ciphertext.

0Polyalphabetic Substitution0 Each plaintext character can be mapped onto m

alphabetic characters of a ciphertext.


Monoalphabetic Ciphers

0Shift Cipher(Ceaser)0Substitution Cipher0Playfair Cipher0Affine Cipher0Hill Cipher


1.Caesar Cipher

0 Earliest known substitution cipher0 Invented by Julius Caesar 0 Each letter is replaced by the letter three positions further

down the alphabet.Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z

Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C0 Example: ohio state RKLR VWDWH


Caesar Cipher

0Mathematically, map letters to numbers:a, b, c, ..., x, y, z

0, 1, 2, ..., 23, 24, 25

0Then the general Caesar cipher is:c = EK(p) = (p + k) mod 26

p = DK(c) = (c – k) mod 26

0Can be generalized with any alphabet.


Cryptanalysis of Caesar Cipher

0Only have 26 possible ciphers 0 A maps to A,B,..Z

0Could simply try each in turn 0A brute force search 0Given ciphertext, just try all shifts of letters0Do need to recognize when have plaintext0Eg. break ciphertext "GCUA VQ DTGCM"


2.Monoalphabetic Cipher

0Shuffle (jumble) the letters arbitrarily 0Each plaintext letter maps to a different

random ciphertext letter 0Hence key is 26 letters long

Plain letters: abcdefghijklmnopqrstuvwxyz

Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext: ifwewishtoreplaceletters

Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA


Monoalphabetic Cipher Security

0Now have a total of 26! = 4 x 1026 keys 0With so many keys, might think is secure

0But not secure against some cryptanalytic attacks.

0Problem is language characteristics


Language Statistics and Cryptanalysis

0Human languages are not random.

0Letters are not equally frequently used.

0In English, E is by far the most common letter, followed by T, R, N, I, O, A, S.

0Other letters like Z, J, K, Q, X are fairly rare.

0There are tables of single, double & triple letter frequencies for various languages


English Letter Frequencies


Statistics for double & triple letters

0 In decreasing order of frequency

0 Double letters:

th he an in er re es on, …

0 Triple letters:

the and ent ion tio for nde, …


Use in Cryptanalysis0 Key concept - monoalphabetic substitution ciphers do not

change relative letter frequencies 0 To attack, we

0 calculate letter frequencies for ciphertext0 compare this distribution against the known one

0 If caesar cipher look for common peaks/troughs 0 peaks at: A-E-I triple, NO pair, RST triple0 troughs at: JK, X-Z

0 For monoalphabetic must identify each letter0 tables of common double/triple letters help


Example Cryptanalysis

0Given ciphertext:UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

0Count relative letter frequencies 0Guess P & Z are e and t0Guess ZW is th and hence ZWP is the0Proceeding with trial and error finally get:

it was disclosed yesterday that several informal butdirect contacts have been made with politicalrepresentatives of the viet cong in moscow


3.Playfair Cipher

Not even the large number of keys in a monoalphabetic cipher provides security

One approach to improving security was to encrypt multiple letters

Playfair Cipher was invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair


Playfair Key Matrix

0A 5X5 matrix of letters based on a keyword 0Fill in letters of keyword 0Fill rest of matrix with other letters0Eg. using the keyword MONARCHY

MM OO NN AA RR

CC HH YY BB DD

EE FF GG I/JI/J KK

LL PP QQ SS TT

UU VV WW XX ZZIFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-42

Encrypting and Decrypting0Plaintext is encrypted two letters at a time

1. if a pair is a repeated letter, insert filler like 'X’

2. if both letters fall in the same row, replace each with letter to right (wrapping back to start from end)

3. if both letters fall in the same column, replace each with the letter below it (wrapping to top from bottom)

4. otherwise each letter is replaced by the letter in the same row and in the column of the other letter of the pair


Security of Playfair Cipher

0Equivalent to a monoalphabetic cipher with an alphabet of 26 x 26 = 676 characters.

0Security is much improved over the simple monoalphabetic cipher.

0Widely used for many yearseg. by US & British military in WW1 and WW2

0Once thought to be unbreakable.0Actually, it can be broken, because it still

leaves some structure of plaintext intact.


4.Affine Ciphers

}25,24,,2,1,0{26 Z1)26,gcd( a

)( baxy

The affine cipher uses a pair of keys in which the first key is from 26* and the second is from

26.The size of the key domain is 26 × 12 = 312.

Use an affine cipher to encrypt the message “hello” with the key pair (7, 2).

Example 3.10

Example

0 If Alice chooses m=26, (a,b)=(7,3) and encrypts the German word “bald” with the affine cipher, what is the ciphertext?

Excercise

5.Hill Cipher

0 Takes two or three or more letter combinations to the same size combinations, e.g. “the” “rqv”

0 Uses simple linear equations0 An example of a “block” cipher encrypting a block of

text at a time0 Numbered alphabet: a = 0, b = 1, c = 3, etc.


Letter to Number Substitution

A B C D E F G H I J K L M

0 1 2 3 4 5 6 7 8 9 10 11 12

N O P Q R S T U V W X Y Z

13 14 15 16 17 18 19 20 21 22 23 24 25

Modular Inverses of Mod 26

A 1 3 5 7 9 11 15 17 19 21 23 25

A-1 1 9 21 15 3 19 7 23 11 5 17 25

Example – Find the Modular Inverse of 9 for Mod 269 · 3 = 27

27 Mod 26 = 1

3 is the Modular Inverse of 9 Mod 26

Encryption

0 Assign each letter in alphabet a number between 0 and 25

0 Change message into 2 x 1 letter vectors0 Change each vector into 2 x 1 numeric vectors0 Multiply each numeric vector by encryption matrix0 Convert product vectors to letters

Change Message to Vectors

Message to encrypt = HELLO WORLD

Multiply Matrix by Vectors

Convert to Mod 26

Convert Numbers to Letters

“hello world” has been encrypted to SLHZY ATGZT

Decryption

0 Change message into 2 x 1 letter vectors0 Change each vector into 2 x 1 numeric vectors0 Multiply each numeric vector by decryption matrix0 Convert new vectors to letters

Change Message to Vectors

Ciphertext to decrypt = SLHZYATGZ

Multiply Matrix by Vectors

Convert to Mod 26

Convert Numbers to Letters

SLHZYATGZT has been decrypted to “hello world”

Exercise

C1 9 18 10 p1

C2 = 16 21 1 p2 (mod 26)

C3 5 12 23 p3

0Encrypt the plaintext “pay more money” with the given key

Polyalphabetic Substitution Ciphers

0A sequence of monoalphabetic ciphers (M1, M2, M3, ..., Mk) is used in turn to encrypt letters.

0A key determines which sequence of ciphers to use.

0Each plaintext letter has multiple corresponding ciphertext letters.

0This makes cryptanalysis harder since the letter frequency distribution will be flatter. vc


1.Vigenère Cipher

0Simplest polyalphabetic substitution cipher0Effectively multiple caesar ciphers

0Key is multiple letters long K = k1 k2 ... kd

0ith letter specifies ith alphabet to use 0Use each alphabet in turn 0Repeat from start after d letters in message0Decryption simply works in reverse



Example of Vigenère Cipher

0Keyword: deceptivekey: deceptivedeceptivedeceptive

plaintext: wearediscoveredsaveyourself

ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ


Security of Vigenère Ciphers0There are multiple ciphertext letters corresponding

to each plaintext letter.0So, letter frequencies are obscured but not totally

lost.0To break Vigenere cipher:

1. Try to guess the key length. How?

2. If key length is N, the cipher consists of N Caesar ciphers. Plaintext letters at positions k, N+k, 2N+k, 3N+k, etc., are encoded by the same cipher.

3. Attack each individual cipher as before.IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-66

Guessing the Key Length0Main idea: Plaintext words separated by multiples

of the key length are encoded in the same way. 0In our example, if plaintext = “…thexxxxxxthe…”

then “the” will be encrypted to the same ciphertext words.

0So look at the ciphertext for repeated patterns.0E.g. repeated “VTW” in the previous example

suggests a key length of 3 or 9: ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

0Of course, the repetition could be a random fluke.0Then attack each monoalphabetic cipher

individually using same techniques as before


2.Vernam Cipher/

0 Ultimate defense is to use a key as long as the plaintext with no statistical relationship to it

0 Invented by AT&T engineer Gilbert Vernam in 19180 Originally proposed using a very long but eventually

repeating key


Vernam cipher random key bits K1, K2,…, Kn

plaintext bits P1, P2,…, Pn

+P1 K1, P2 K2,…, Pn Kn

ciphertext bits

How do you decrypt using the Vernam cipher?

Vernam Cipher Example

3.One-Time Pad

0If a truly random key as long as the message is used, the cipher will be secure

0Called as One-Time pad0It is unbreakable since ciphertext bears no

statistical relationship to the plaintext0Since for any plaintext & any ciphertext there

exists a key mapping one to other0Can use the key only once though0Problems in generation & safe distribution of key


One-Time Pad

0 The message is represented as a binary string (a sequence of 0’s and 1’s using a coding mechanism such as ASCII coding.

0 The key is a truly random sequence of 0’s and 1’s of the same length as the message.

0 The encryption is done by adding the key to the message modulo 2, bit by bit. This process is often called exclusive or, and is denoted by XOR. The symbol is used


Example

0message =‘IF’ 0then its ASCII code =(1001001 1000110) 0key = (1010110 0110001)0Encryption:

0 1001001 1000110 plaintext0 1010110 0110001 key0 0011111 1110110 ciphertext

0Decryption:0 0011111 1110110 ciphertext0 1010110 0110001 key0 1001001 1000110 plaintext

4.Rotor Cipher 0 Before modern ciphers, rotor machines were most common

complex ciphers in use.

0 Widely used in WW2.

0 Used a series of rotating cylinders.

0 Implemented a polyalphabetic substitution cipher of period K.

0 With 3 cylinders, K = 263 =17,576.

0 With 5 cylinders, K = 265 =12 x 106.


Rotor Cipher

A three letter word such as “bee” is encrypted as

“BCA”.

Enigma Machine

Originally invented by Sherbius, but was modified by

the German army and extensively used during World

War II.

Enigma Rotor Machine


Transposition Ciphers

0Also called permutation ciphers.0A transposition cipher reorders symbols.0Can recognise these since have the same

frequency distribution as the original text


1.Rail Fence cipher

0Write message letters out diagonally over a number of rows

0Then read off cipher row by row0For example to send the message “Meet

me at the park” to Bob, Alice writes

0CiphertextMEMATEAKETETHPR


2.Row Transposition Ciphers

0Plaintext is written row by row in a rectangle.

0Ciphertext: write out the columns in an order specified by a key.

Key: 3 4 2 1 5 6 7

Plaintext:

Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ


a t t a c k po s t p o n e

d u n t i l tw o a m x y z

Slide #9-80

Example 2

• The ciphers are vulnerable to several kinds of ciphertext-only attacks.

• Statistical Attack:A transposition cipher does not change the

frequency of letters in ciphertext, but dose not preserve the frequency of digrams and trigrams.

• Brute-Force Attack: The number of keys can be huge (1! + 2! + … +

L!), where L is the length of the ciphertext.

A better approach is to guess the number of columns.

Transposition Cipher-Cryptanalysis

Product Ciphers0Ciphers using substitutions or transpositions are

not secure because of language characteristics0Consider using several ciphers in succession to

make harder, but: 0 two substitutions make a more complex substitution 0 two transpositions make more complex transposition

0Uses a sequence of substitutions and transpositions0 Harder to break than just substitutions or transpositions

0This is a bridge from classical to modern ciphers


Stream Ciphers

Call the plaintext stream P, the ciphertext stream C, and the key stream K.

Block Ciphers

• In a block cipher, a group of plaintext symbols of size m (m > 1) are encrypted together creating a group of ciphertext of the same size.

• A single key is used to encrypt the whole block even if the key is made of multiple values.

Playfair ciphers are block ciphers. The size of the block is m = 2. Two characters are encrypted together.

Example 1

Hill ciphers are block ciphers. A block of plaintext, of size 2 or more is encrypted together using a single key (a matrix). In these ciphers, the value of each character in the ciphertext depends on all the values of the characters in the plaintext.Although the key is made of m × m values,

it is considered as a single key.

Example 2

Block Ciphers

Classical to Modern Cryptography

0 Classical cryptography0 Encryption/decryption done by hand

0 Modern cryptography0 Computers to encrypt and decrypt0 Same principles, but automation allows ciphers to

become much more complex


Summary

0 Cryptography-Definitions0 Cryptanalysis0 Classical Cryptography

0 Substitution0 Transposition0 Product

0 Steam cipher0 Block Cipher


Education

Classical cryptography1