Classic Crypto
Overview
We briefly consider the following classic
(pen and paper) ciphers
o Transposition ciphers
o Substitution ciphers
o One-time pad
o Codebook
These were all chosen for a reason
o We see same principles in modern ciphers
Transposition Ciphers
In transposition ciphers, we transpose
(scramble) the plaintext letters
o The scrambled text is the ciphertext
o The transposition is the key
Corresponds to Shannon's principle of
diffusion (more about this later)
o This idea is widely used in modern ciphers
Scytale
Spartans, circa 500 BC
Wind strip of leather around a rod
Write message across the rod
T H E T I M E H A
S C O M E T H E W
A L R U S S A I D
T O T A L K O F M
A N Y T H I N G S
When unwrapped, letters are scrambled
TSATAHCLONEORTYTMUATIESLHMTS
Scytale
Suppose Alice and Bob use Scytale to encrypt
a message
o What is the key?
o How hard is it for Trudy to break without key?
Suppose many different rod diameters are
available to Alice and Bob
o How hard is it for Trudy to break a message?
o Can Trudy attack messages automatically, without
manually examining each putative decrypt?
Columnar Transposition
Put plaintext into rows of matrix then read
ciphertext out of columns
For example, suppose matrix is 3 x 4
o Plaintext: SEETHELIGHT
o Ciphertext: SHGEEHELTTIX
Same effect as Scytale
o What is the key?
Keyword Columnar Transposition
For example
o Plaintext: CRYPTOISFUN
o Matrix 3 x 4 and keyword MATH
o Ciphertext: ROUPSXCTFYIN
What is the key?
How many keys are there?
Keyword Columnar Transposition
How can Trudy cryptanalyze this cipher?
Consider the ciphertext
VOESA IVENE MRTNL EANGE WTNIM HTMLL ADLTR NISHO DWOEH
Matrix is n x m for some n and m
Since 45 letters, nm = 45
How many cases to try?
How will Trudy know when she is correct?
Keyword Columnar Transposition
The ciphertext is
VOESA IVENE MRTNL EANGE WTNIM HTMLL ADLTR NISHO DWOEH
If encryption matrix was 9 x 5, then
Cryptanalysis: Lesson I
Exhaustive key search
o Always an option for Trudy
If keyspace is too large, such an attack will
not succeed in a reasonable time
o Or it will have a low probability of success
A large keyspace is necessary for security
But, large keyspace is not sufficient
Double Transposition
Plaintext: ATTACK AT DAWN
        columns  0 1 2
        row 0    A T T
        row 1    A C K
        row 2    X A T
        row 3    X D A
        row 4    W N X
Permute rows and columns
        columns  0 2 1
        row 2    X T A
        row 4    W X N
        row 0    A T T
        row 3    X A D
        row 1    A K C
Ciphertext: XTAWXNATTXADAKC
Key?
o 5 x 3 matrix, perms (2,4,0,3,1) and (0,2,1)
Double Transposition
How can Trudy attack double transposition?
Suppose Trudy sees 45-letter ciphertext
Then how many keys?
o Size of matrix: 3 x 15, 15 x 3, 5 x 9, or 9 x 5
o A lot of possible permutations!
$5! \cdot 9! > 2^{25}$ and $3! \cdot 15! > 2^{42}$
Size of keyspace is greater than $2^{43}$
Is there a shortcut attack?
Double Transposition
Shortcut attack on double transposition?
Suppose ciphertext is
ILILWEAHREOMEESANNDDVEGMIERWEHVEMTOSTTAONNTNH
Suppose Trudy guesses matrix is 9 x 5
Then Trudy has:
        column   0 1 2 3 4
        row 0    I L I L W
        row 1    E A H R E
        row 2    O M E E S
        row 3    A N N D D
        row 4    V E G M I
        row 5    E R W E H
        row 6    V E M T O
        row 7    S T T A O
        row 8    N N T N H
Now what?
Try all perms?
$5! \cdot 9! > 2^{25}$
Is there a better way?
Double Transposition
Shortcut attack on double transposition?
Trudy tries "columns first" strategy
        column   0 1 2 3 4
        row 0    I L I L W
        row 1    E A H R E
        row 2    O M E E S
        row 3    A N N D D
        row 4    V E G M I
        row 5    E R W E H
        row 6    V E M T O
        row 7    S T T A O
        row 8    N N T N H
Permute columns
        column   2 4 0 1 3
        row 0    I W I L L
        row 1    H E E A R
        row 2    E S O M E
        row 3    N D A N D
        row 4    G I V E M
        row 5    W H E R E
        row 6    M O V E T
        row 7    T O S T A
        row 8    T H N N N
Now what?
Cryptanalysis: Lesson II
Divide and conquer
o Trudy attacks part of the keyspace
o A great shortcut attack strategy
Requires careful analysis of algorithm
We will see this again and again in the
attacks discussed later
Of course, cryptographers try to prevent
divide and conquer attacks
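The "columns first" attack above can be run as code. This is an added example, not part of the original slides: it searches only the 5! = 120 column orders for the 9 x 5 guess, scoring each by words found inside rows. The word list and the final row order are assumptions of the example, standing in for the dictionary and the second search Trudy would use.

```python
from itertools import permutations

# Ciphertext and the 9 x 5 guess are from the slides. WORDS is a constructed
# stand-in for the dictionary or digram statistics Trudy would score with.
CIPHERTEXT = "ILILWEAHREOMEESANNDDVEGMIERWEHVEMTOSTTAONNTNH"
ROWS, COLS = 9, 5
WORDS = ("GIVE", "SOME", "WHERE", "WILL", "MOVE", "AND")


def as_rows(text, cols):
    """Write the ciphertext into the matrix row by row."""
    return [text[i:i + cols] for i in range(0, len(text), cols)]


def permute_columns(rows, order):
    """New column j is old column order[j], as in the 'Permute columns' table."""
    return ["".join(row[c] for c in order) for row in rows]


def score(rows):
    """Count (row, word) hits. Reordering rows never changes this number,
    which is why the column half of the key can be attacked on its own."""
    return sum(word in row for row in rows for word in WORDS)


def best_column_order(text, cols):
    """Stage 1: try the cols! column orders (120 here, not 5! * 9!)."""
    rows = as_rows(text, cols)
    return max(permutations(range(cols)),
               key=lambda order: score(permute_columns(rows, order)))


def apply_row_order(rows, order):
    """Stage 2 result: put the rows in the given order and read them off."""
    return "".join(rows[r] for r in order)


if __name__ == "__main__":
    cols_key = best_column_order(CIPHERTEXT, COLS)
    rows = permute_columns(as_rows(CIPHERTEXT, COLS), cols_key)
    print(cols_key, rows)
    # Row order read off by eye from the now-legible rows (an assumption of
    # this example). The automated version is a separate search over the 9!
    # row orders that scores words spanning row boundaries.
    print(apply_row_order(rows, (4, 2, 5, 7, 3, 0, 6, 1, 8)))
```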
Substitution Ciphers
In substitution ciphers, we replace the
plaintext letters with other letters
o The resulting text is the ciphertext
o The substitution rule is the key
Corresponds to Shannon's principle of
confusion (more on this later)
o This idea is used in modern ciphers
Caesar's Cipher
Plaintext:
FOURSCOREANDSEVENYEARSAGO
Key:
Plaintext  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Ciphertext:
IRXUVFRUHDAGVHYHABHDUVDIR
More succinctly, key is shift by 3
Caesar's Cipher
Trudy loves the Caesar's cipher
Suppose ciphertext is
VSRQJHEREVTXDUHSDQWV
Plaintext  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Then plaintext is
SPONGEBOBSQUAREPANTS
Simple Substitution
Caesar's cipher is trivial if we adhere
to Kerckhoffs' Principle
We want a substitution cipher with
lots of keys
What to do?
Generalization of Caesar's cipher
Simple Substitution
Key is some permutation of letters
Need not be a shift
For example
Plaintext  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext J I C A X S E Y V D K W B Q T Z R H F M P N U L G O
Then $26! > 2^{88}$ possible keys
That's lots of keys!
Cryptanalysis of Simple Substitution
Trudy knows a simple substitution is used
Can she find the key given ciphertext:
PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVW
LXTOXBTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQ
WAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFH
CVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAGF
OTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQP
BQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHP
BFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQ
JHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFL
QHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAI
TIXPFHXAFQHEFZQWGFLVWPTOFFA
Cryptanalysis of Simple Substitution
Trudy cannot try all $2^{88}$ possible keys
Can she be more clever?
Statistics!
English letter frequency counts:
[Bar chart: relative frequency of each letter A through Z in English, vertical axis 0.00 to 0.14]
Cryptanalysis of Simple Substitution
Ciphertext:
PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTF
XQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBF
XFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVP
PBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFT
DPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFH
PBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQV
AVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFH
ILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPT
OFFA
Ciphertext frequency counts:
 A  B  C  D  E  F  G  H  I  J  K  L  M
21 26  6 10 12 51 10 25 10  9  3 10  0
 N  O  P  Q  R  S  T  U  V  W  X  Y  Z
 1 15 28 42  0  0 27  4 24 22 28  6  8
Cryptanalysis: Lesson III
Statistical analysis
o Statistics might reveal info about key
Ciphertext should appear random
But randomness is not easy
o Difficult to define random (entropy)
Cryptographers work hard to prevent
statistical attacks
Poly-Alphabetic Substitution
Like a simple substitution, but
permutation (alphabet) changes
o Often, a new alphabet for each letter
Very common in classic ciphers
Used in WWII-era cipher machines
o Vigenere cipher is an example
o Discuss Vigenere later in this section
Affine Cipher
Number the letters 0 thru 25
o A is 0, B is 1, C is 2, etc.
Then affine cipher encryption is
defined by $c_i = a p_i + b \pmod{26}$
o Where $p_i$ is the ith plaintext letter
o And a and b are constants
o Require that gcd(a, 26) = 1 (why?)
Affine Cipher
Encryption: $c_i = a p_i + b \pmod{26}$
Decryption: $p_i = a^{-1}(c_i - b) \pmod{26}$
Keyspace size?
o Keyspace size is $26 \cdot \phi(26) = 312$
o Too small to be practical
Vigenere Cipher
Key is of the form $K = (k_0, k_1, \ldots, k_{n-1})$
o Where each $k_i \in \{0, 1, 2, \ldots, 25\}$
Encryption
$c_i = p_i + k_{i \bmod n} \pmod{26}$
Decryption
$p_i = c_i - k_{i \bmod n} \pmod{26}$
Nothing tricky here!
Just a repeating sequence of (shift by n)
simple substitutions
Vigenere Cipher
For example, suppose key is MATH
o That is, K = (12,0,19,7), since M is letter 12, and so on
Plaintext: SECRETMESSAGE
Ciphertext: EEVYQTFLESTNQ
Encrypt:
  S   E   C   R   E   T   M   E   S   S   A   G   E
 18   4   2  17   4  19  12   4  18  18   0   6   4
+12   0  19   7  12   0  19   7  12   0  19   7  12
  4   4  21  24  16  19   5  11   4  18  19  13  16  (mod 26)
  E   E   V   Y   Q   T   F   L   E   S   T   N   Q
Vigenere Cipher
Vigenere is just a series of k simple
substitution ciphers
Should be able to do k simple
substitution attacks
o Provided enough ciphertext
But how to determine k (key length)?
Index of coincidence
Index of Coincidence
Assume ciphertext is English letters
Let $n_0$ be number of As, $n_1$ number of
Bs, ..., $n_{25}$ number of Zs in ciphertext
Let $n = n_0 + n_1 + \cdots + n_{25}$
Define index of coincidence
What does this measure?
Index of Coincidence
Gives the probability that 2 randomly
selected letters are the same
For plain English, prob. 2 letters are same:
o $p_0^2 + p_1^2 + \cdots + p_{25}^2 \approx 0.065$, where $p_i$ is
probability of ith letter
Then for simple substitution, $I \approx 0.065$
For random letters, each $p_i = 1/26$
o Then $p_0^2 + p_1^2 + \cdots + p_{25}^2 \approx 0.03846$
Then $I \approx 0.03846$ for poly-alphabetic
substitution with a very long keyword
Index of Coincidence
How to use this to estimate length of
keyword in Vigenere cipher?
Suppose keyword is length k, message is
length n
o Ciphertext in matrix with k columns, n/k rows
Select 2 letters from same columns
o Like selecting from simple substitution
Select 2 letters from different columns
o Like selecting random letters
Index of Coincidence
Suppose k columns and n/k rows
Approximate number of matching pairs from
same column, but 2 different rows:
Approximate number of matching pairs from
2 different columns, and any two rows:
Index of Coincidence
Approximate index of coincidence by:
Solve for k to find:
Use n and I (known from ciphertext) to
approximate length of Vigenere keyword
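The index of coincidence and the key-length estimate, as an added example that is not part of the original slides. The slide formulas are missing from this page, so the code uses the standard definition I = sum n_i(n_i - 1) / (n(n - 1)) and the estimate obtained by solving the pair-counting approximation above for k. It is applied to the simple substitution ciphertext shown earlier, where the answer should be k = 1.

```python
from collections import Counter

# The simple substitution ciphertext from the slides.
CIPHERTEXT = (
    "PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTF"
    "XQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBF"
    "XFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVP"
    "PBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFT"
    "DPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFH"
    "PBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQV"
    "AVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFH"
    "ILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPT"
    "OFFA"
)

ENGLISH, RANDOM = 0.065, 1 / 26   # the two limiting values quoted above


def index_of_coincidence(text):
    """Probability that two letters drawn without replacement are equal."""
    counts = Counter(c for c in text.upper() if c.isalpha())
    n = sum(counts.values())
    return sum(v * (v - 1) for v in counts.values()) / (n * (n - 1))


def estimate_key_length(n, ic):
    """Keyword length k implied by message length n and measured I."""
    return (ENGLISH - RANDOM) * n / ((ENGLISH - ic) + n * (ic - RANDOM))


def vigenere(text, key, sign=1):
    """c_i = p_i + k_(i mod n) (mod 26); sign=-1 decrypts."""
    a = ord("A")
    return "".join(
        chr((ord(p) - a + sign * (ord(key[i % len(key)]) - a)) % 26 + a)
        for i, p in enumerate(text))


if __name__ == "__main__":
    ic = index_of_coincidence(CIPHERTEXT)
    print(f"I = {ic:.4f}, k is about {estimate_key_length(len(CIPHERTEXT), ic):.2f}")
    print(vigenere("SECRETMESSAGE", "MATH"))
```

The estimate is only meaningful when I lies between the two limiting values; for short ciphertexts the measured I is too noisy to trust.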
Index of Coincidence: Bottom Line
A crypto breakthrough when invented
o By William F. Friedman in 1920s
Useful against classical and WWII-era ciphers
Index of coincidence is a well-known statistical test
o Many other statistical tests exist
Hill Cipher
Hill cipher is not related to small mountains
Invented by Lester Hill in 1929
o A pre-modern block cipher
Idea is to create a substitution cipher with a
large alphabet
All else being equal (which it never is) cipher
should be stronger than simple substitution
Hill Cipher
Plaintext, $p_0, p_1, p_2, \ldots$
Each $p_i$ is block of n consecutive letters
o As a column vector
Let A be n x n invertible matrix, mod 26
Then ciphertext block $c_i$ is given by
o $c_i = A p_i \pmod{26}$
o Decryption: $p_i = A^{-1} c_i \pmod{26}$
The matrix A is the key
Hill Cipher Example
Let n = 2 and
Plaintext
MEETMEHERE = (12,4,4,19,12,4,7,4,17,4)
Then
And
Ciphertext:
(4,22,23,9,4,22,24,19,10,25) =
EWXJEWYTKZ
Hill Cipher Cryptanalysis
Trudy suspects Alice and Bob are using Hill
cipher, with n x n matrix A
Suppose Trudy knows n plaintext blocks
o Plaintext blocks $p_0, p_1, \ldots, p_{n-1}$
o Ciphertext blocks $c_0, c_1, \ldots, c_{n-1}$
Let P be matrix with columns $p_0, p_1, \ldots, p_{n-1}$
Let C be matrix with columns $c_0, c_1, \ldots, c_{n-1}$
Then $AP = C$ and $A = CP^{-1}$ if $P^{-1}$ exists
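The known-plaintext attack above, as an added example that is not part of the original slides. The key matrix from the example slide is not shown on this page, so the code recovers it from the MEETMEHERE / EWXJEWYTKZ pair for n = 2. It also handles the "if P^{-1} exists" caveat: the first pairs of blocks give a P that is not invertible mod 26, so it keeps trying pairs.

```python
from itertools import combinations
from math import gcd

A_ORD = ord("A")
# Known plaintext/ciphertext pair from the example slide (n = 2).
PLAINTEXT, CIPHERTEXT = "MEETMEHERE", "EWXJEWYTKZ"


def blocks(text, n=2):
    """Split text into length-n blocks of letter numbers (A=0 ... Z=25)."""
    nums = [ord(c) - A_ORD for c in text]
    return [tuple(nums[i:i + n]) for i in range(0, len(nums), n)]


def recover_key(plain, cipher):
    """Solve A P = C (mod 26) for a 2 x 2 key A from known blocks.

    P and C hold two blocks as columns. P must be invertible mod 26,
    i.e. gcd(det P, 26) = 1, so pairs are tried until one qualifies.
    Returns the key and the indices of the block pair that worked.
    """
    p, c = blocks(plain), blocks(cipher)
    for i, j in combinations(range(len(p)), 2):
        (a, b), (d, e) = p[i], p[j]            # P = [[a, d], [b, e]]
        det = (a * e - d * b) % 26
        if gcd(det, 26) != 1:
            continue
        inv = pow(det, -1, 26)
        # P^-1 = det^-1 * [[e, -d], [-b, a]] (mod 26)
        p_inv = [[inv * e % 26, -inv * d % 26], [-inv * b % 26, inv * a % 26]]
        C = [[c[i][0], c[j][0]], [c[i][1], c[j][1]]]
        key = [[sum(C[r][k] * p_inv[k][s] for k in range(2)) % 26
                for s in range(2)] for r in range(2)]
        return key, (i, j)
    raise ValueError("no pair of known blocks gives an invertible P")


def encrypt(key, text):
    """c_i = A p_i (mod 26), block by block."""
    out = []
    for x, y in blocks(text):
        out += [(key[0][0] * x + key[0][1] * y) % 26,
                (key[1][0] * x + key[1][1] * y) % 26]
    return "".join(chr(v + A_ORD) for v in out)


if __name__ == "__main__":
    key, pair = recover_key(PLAINTEXT, CIPHERTEXT)
    print("blocks used:", pair, "recovered A:", key)
    print(encrypt(key, PLAINTEXT) == CIPHERTEXT)
```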
Cryptanalysis: Lesson IV
Linear ciphers are weak
o Since linear equations are easy to solve
Strong cipher must have nonlinearity
o Linear components are useful
o But cipher cannot be entirely linear
Cryptanalysts try to approximate
nonlinear parts with linear equations
One-time Pad
A provably secure cipher
No other cipher we discuss is
provably secure
Why not use one-time pad for
everything?
o Impractical for most applications
o But it does have its uses
One-time Pad Encryption
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
Encryption: Plaintext ⊕ Key = Ciphertext
Plaintext:  001 000 010 100 001 010 111 100 000 101
Key:        111 101 110 101 111 100 000 101 110 000
Ciphertext: 110 101 100 001 110 110 111 001 110 101
             s   r   l   h   s   s   t   h   s   r
One-time Pad Decryption
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
Decryption: Ciphertext ⊕ Key = Plaintext
Ciphertext: 110 101 100 001 110 110 111 001 110 101
Key:        111 101 110 101 111 100 000 101 110 000
Plaintext:  001 000 010 100 001 010 111 100 000 101
             h   e   i   l   h   i   t   l   e   r
One-time Pad
Double agent claims sender used key:
             s   r   l   h   s   s   t   h   s   r
Ciphertext: 110 101 100 001 110 110 111 001 110 101
key:        101 111 000 101 111 100 000 101 110 000
Plaintext:  011 010 100 100 001 010 111 100 000 101
             k   i   l   l   h   i   t   l   e   r
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
One-time Pad
Sender is captured and claims the key is:
             s   r   l   h   s   s   t   h   s   r
Ciphertext: 110 101 100 001 110 110 111 001 110 101
Key:        111 101 000 011 101 110 001 011 101 101
Plaintext:  001 000 100 010 011 000 110 010 011 000
             h   e   l   i   k   e   s   i   k   e
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
One-time Pad Summary
Provably secure, when used correctly
o Ciphertext provides no info about plaintext
o All plaintexts are equally likely
o Pad must be random, used only once
o Pad is known only by sender and receiver
o Pad is same size as message
o No assurance of message integrity
Why not distribute message the same way
as the pad?
Real-world One-time Pad
Project VENONA
o Soviet spy messages from U.S. in 1940s
o Nuclear espionage, etc.
o Thousands of messages
Spy carried one-time pad into U.S.
Spy used pad to encrypt secret messages
Repeats within the one-time pads made
cryptanalysis possible
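Two properties of the one-time pad from the slides above, as an added example that is not part of the original slides. It uses the slides' 3-bit alphabet to show that a key exists for every claimed plaintext (the double agent and captured sender cases), and that reusing a pad cancels it out of the XOR of two ciphertexts (the VENONA weakness). The helper names are this example's own.

```python
# 3-bit alphabet from the slides.
CODE = {"e": 0b000, "h": 0b001, "i": 0b010, "k": 0b011,
        "l": 0b100, "r": 0b101, "s": 0b110, "t": 0b111}
LETTER = {v: k for k, v in CODE.items()}


def bits(text):
    """Letters to the slides' notation, e.g. 'he' becomes '001 000'."""
    return " ".join(format(CODE[c], "03b") for c in text)


def from_bits(groups):
    """Inverse of bits(): '001 000' becomes 'he'."""
    return "".join(LETTER[int(g, 2)] for g in groups.split())


def xor_text(text, pad):
    """Encrypt or decrypt: XOR each 3-bit letter with the matching pad symbol."""
    if len(pad) < len(text):
        raise ValueError("pad must be at least as long as the message")
    return "".join(LETTER[CODE[t] ^ CODE[p]] for t, p in zip(text, pad))


def key_explaining(ciphertext, claimed_plaintext):
    """The pad under which ciphertext decrypts to claimed_plaintext.

    One exists for every plaintext of the same length, so the ciphertext
    alone cannot tell Trudy which claimed key is the real one.
    """
    return xor_text(ciphertext, claimed_plaintext)


def reuse_leak(c1, c2):
    """If c1 and c2 used the same pad, this equals p1 XOR p2: the pad is gone."""
    return xor_text(c1, c2)


if __name__ == "__main__":
    pad = from_bits("111 101 110 101 111 100 000 101 110 000")
    c1 = xor_text("heilhitler", pad)
    print(c1, bits(c1))
    for claim in ("killhitler", "helikesike"):
        print(claim, bits(key_explaining(c1, claim)))
    # Constructed second message under the same pad, to show the leak.
    c2 = xor_text("killhitler", pad)
    print(reuse_leak(c1, c2) == xor_text("heilhitler", "killhitler"))
```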
VENONA Decrypt (1944)
[C% Ruth] learned that her husband [v] was called up by the army but
he was not sent to the front. He is a mechanical engineer and is now
working at the ENORMOUS [ENORMOZ] [vi] plant in SANTA FE, New
Mexico. [45 groups unrecoverable]
detain VOLOK [vii] who is working in a plant on ENORMOUS. He is a
FELLOWCOUNTRYMAN [ZEMLYaK] [viii]. Yesterday he learned that
they had dismissed him from his work. His active work in progressive
organizations in the past was cause of his dismissal. In the
FELLOWCOUNTRYMAN line LIBERAL is in touch with CHESTER [ix].
They meet once a month for the payment of dues. CHESTER is
interested in whether we are satisfied with the collaboration and whether
there are not any misunderstandings. He does not inquire about specific
items of work [KONKRETNAYa RABOTA]. In as much as CHESTER
knows about the role of LIBERAL's group we beg consent to ask C.
through LIBERAL about leads from among people who are working on
ENOURMOUS and in other technical fields.
Ruth == Ruth Greenglass
Liberal == Julius Rosenberg
Enormous == the atomic bomb
Codebook Cipher
Literally, a book filled with codes
o More precisely, 2 codebooks, 1 for
encryption and 1 for decryption
Key is the codebook itself
Security of cipher requires physical
security for codebook
Codebooks widely used thru WWII
Codebook Cipher
Literally, a book filled with codewords
Zimmerman Telegram encrypted via codebook
        Februar         13605
        fest            13732
        finanzielle     13850
        folgender       13918
        Frieden         17142
        Friedenschluss  17149
        :               :
Modern block ciphers are codebooks!
More on this later
Zimmerman Telegram
One of most famous codebook ciphers ever
Led to US entry in WWI
Ciphertext shown here
Zimmerman Telegram Decrypted
British had recovered partial codebook
Able to fill in missing parts
Codebook Cipher
Codebooks are susceptible to
statistical analysis
o Like simple substitution cipher, but lots
of data required to attack a codebook
Historically, codebooks very popular
To extend useful life of a codebook,
an additive was usually used
Codebook Additive
Codebook additive is another book
filled with random numbers
Sequence of additive numbers added to
codeword to yield ciphertext
plaintext -> lookup in codebook -> codeword -> add the additive -> ciphertext
Codebook Additive
Usually, starting position in additive
book selected at random by sender
Starting additive position usually sent
in the clear with the ciphertext
o Part of the Message Indicator (MI)
o Modern term: Initialization Vector (IV)
Why does this extend the useful life of
a codebook?
Cryptanalysis: Summary
Exhaustive key search
Divide and conquer
Statistical analysis
Exploit linearity
Or any combination thereof (or anything
else you can think of)
All's fair in love and war
o and cryptanalysis!