1 classical cryptography prof. heejin park. 2 overview classical cryptosystems the shift cipher the...
TRANSCRIPT
1
Classical Cryptography
Prof. Heejin Park
2
Overview
Classical cryptosystems The Shift Cipher The Affine Cipher The Substitution Cipher The Vigenère Cipher The Hill Cipher The Permutation Cipher Stream Ciphers
Cryptanalysis of some classical cryptosystems
3
The Shift Cipher
Encryption of plaintext wewillmeet with K = 11
1. Convert each character to an integer
2. Add 11 mod 26 to each value.
3. Convert the value to its corresponding character.
w e w i l l m e e t
22
4 22
8 11
11
12
4 4 19
22
4 22
8 11
11
12
4 4 19
7 15
7 19
22
22
23
15
15
4
7 15
7 19
22
22
23
15
15
4
h p h t w w x p p e
4
The Shift Cipher
Decryption of ciphertext hphtwwxppe Inverse of encryption
Cryptanalysis of shift cipher Exhaustive key search
The key space is too small: only 26 possible keys
JBCRCLQRWCRVNBJENBWRWN
0 Jbcrclqrwcrvnbjenbwrwn
1 Iabqbkpqvbqumaidmavqvm
… …
9 astitchintimesavesnine
5
The Affine Cipher
Encryption
Encryption of hot using Since h, o, t are the 7th, 14th, and 19th characters, (7x7+3) mod 26 = 52 mod 26 = 0. (7x14+3) mod 26 = 101 mod 26 = 23. (7x19+3) mod 26 = 136 mod 26 = 6.
if a =1, it becomes a Shift Cipher.
26mod)()( baxxe 26, Zba
26mod37)( xxe
6
The Affine Cipher
Encryption
Decryption
a should be an integer such that a-1 exists. a-1 exists if and only if a and 26 are relatively prime. 12 integers: 1,3,5,7,9,11,15,17,19,21,23, 25
26mod)()( baxxe 26, Zba
26mod)()( 1 byayd
7
The Affine Cipher
Cryptanalysis The exhaustive key search: Count the number of keys
Number of a’s? 12: 1,3,5,7,9,11,15,17,19,21,23, 25
Number of b’s? 26: because b can be any integer among 0,1,…, 25.
We have 12 X 26 = 312 number of keys.
26mod)()( 1 byayd
26mod)()( baxxe
8
The Affine Cipher
Cryptanalysis
If the modulus is large, the exhaustive key search is infeasible.
However, the Affine Cipher can be easily cryptanalyzed by other methods.
9
The Substitution Cipher
Encryption Substitute each symbol in a plaintext using a
permutation.
a b c d e f g h i j k l m
X N Y A H P O G Z Q W B T
n o p q r s t u v w x y z
S F L R C V M U E K J D I
10
The Substitution Cipher
Decryption Substitute each symbol in a ciphertext using the
inverse permutation.
Quiz MGZVYZLGHCMHJMYXSSFMNHAHYCDLMHA ?
The Shift Cipher is a special case of the Substitution Cipher.
Is the Affine Cipher a special case of the Substitution Cipher?
11
The Substitution Cipher
Cryptanalysis
An exhaustive key search is infeasible. The number of possible permutation is 26! (> 4 x 1026).
However, the Substitution Cipher can be cryptanalyzed by other methods.
12
The Vigenère Cipher
Monoalphabetic cryptosystems The Shift Cipher and the Substitution Cipher. Each character is mapped to one character.
Polyalphabetic cryptosystems The Vigenère Cipher A character can be mapped to one of characters.
13
The Vigenère Cipher
Encryption m = 6, K = (2,8,15,7,4,7)
Decryption Inverse of encryption
19 7 8 18 2 17 24 15 19 14 18 24
2 8 15 7 4 17 2 8 15 7 4 17
21 15 23 25 6 8 0 23 8 21 22 15
plaintext
key
ciphertext
14
The Vigenère Cipher
Formal Definition Let m be a positive integer. Define P = C = K = (Z26)m. For
a key K = (k0, k1, … , km-1), we define
eK(x0, x1, … , xm-1) = ( x0 + k0 , x1 + k1, … , xm-1 + km-1)
dK(y0, y1, … , ym-1) = ( y0 - k0 , y1 - k1, … , ym-1 – km-1)
Where all operations are performed in Z26
15
The Vigenère Cipher
Cryptanalysis
The number of possible keys 26m
Exhaustive key search is infeasible if m is not too small.
However, the Vigenère cipher can be cryptanalyzed by other methods.
16
The Hill Cipher
Encryption key: m x m matrix
1,11,10,1
1,11.10,1
1,01,00,0
11,0110
...
.........
...
...
),...,(),...,,(
mmmm
m
m
mm
kkk
kkk
kkk
xxxyyy
1,11,10,1
1,11.10,1
1,01,00,0
...
.........
...
...
mmmm
m
m
kkk
kkk
kkk
17
The Hill Cipher
Encrypt the plaintext july with k =
We partition july into ju and ly. ju: (9, 20)
ly: (11, 24)
73
811
(3,4)(159,212)140)60,72(9973
811(9,20)
(11,22)(84,256)168)72,88(1273
811(11,24)
18
The Hill Cipher
Decryption Use the inverse of key matrix
),...,(
1
...
.........
...
...
),...,,( 11,0
1,11,10,1
1,11.10,1
1,01,00,0
110
m
mmmm
m
m
m xxx
kkk
kkk
kkk
yyy
19
The Permutation Cipher
Encryption key: a permutation of size m
a permutation where m = 6
shesellsseashellsbytheseashore
shesel lsseas hellsb ythese ashore
EESLSH SALSES LSHBLE HSYEET HRAEOS
2 4 0 5 3 1
012345
20
The Permutation Cipher
Decryption Use the inverse permutation of the key
The Permutation Cipher is a special case of the Hill Cipher.
2 4 0 5 3 1
001000
000010
010000
000001
100000
000100
),...,(),...,,( 51,0510 xxxyyy
20 xy 41 xy
21
Stream Ciphers
Block ciphers Each plaintext element is encrypted using the same key K.
Stream ciphers Plaintext elements are encrypted using key stream .
)()( 1010 xexeyyy KK
)()( 1010 21xexeyyy ZZ
10zz
22
Stream Ciphers
Key stream construction
Synchronous stream ciphers The key stream is constructed from the key.
Non-synchronous stream ciphers The key stream is constructed from the key, the plaintext, or the
ciphertext.
23
Synchronous Ciphers
The Vigenère Cipher is a kind of stream cipher. Encryption
The is a synchronous stream cipher whose keystream is z1z2… such that
mii kz mod
1110 mmm xxxxx
10110 kkkkk m
1110 mmm yyyyy
26 mod mod miii kxy
24
Synchronous Ciphers
A stream cipher is a periodic stream cipher with period d if for all i ≥ 0. The Vigenère Cipher is a periodic stream cipher with
period m.
Stream cipher are often described in terms of binary alphabets (P = C = K = Z2) The encryption/decryption operations are just exclusive-or.
idi zz
iii zxy 10xx10zz
10 yyiii zyx
25
Synchronous Ciphers
A method for generating binary key stream z0z1…
Initialize z0…zm-1 using a binary tuple (k0, …, km-1). z0 = k0 , z1 = k1,…, zm-1 = km-1
Generate zmzm+1… using a linear recurrence of degree m
for all i ≥ 0, where are specified constant
1
0
2modm
jjijmi zcz
210 ,..., Zcc m
26
Synchronous Ciphers
Example m = 4 and the keystream is generated using
If starting with (1, 0, 0, 0), the keystream is 10001001…
If starting with (0, 0, 0, 0), the keystream is 00000000… So, zero vector should be avoided for the key.
If is chosen carefully, the period of the key stream can be 2m-1.
2mod)( 14 iii zzz
10 ,..., mcc
27
Synchronous Ciphers
LFSR (Linear feedback shift register) Use a shift register with m stages The vector (k1, … , km) is used to initialize the shift
register At each time unit, the following operation is
performed. k1 becomes the next keystream bit k2, … , km are shifted to the left The “new” value of km becomes
1
01
m
jjjkc
K1 K2 K3 K4
2mod)( 14 iii zzz
28
Non-synchronous stream cipher
Autokey Cipher
z0 = K , z1 = x0, z2 = x1,… zi = xi-1… Encryption
Decryption
26mod)( iii zxy
26mod)( 1 iii xxy
26mod)( 1 iii xyx
29
Non-synchronous stream cipher
K = 8 and the plaintext is rendexvous
Convert the plaintext to integers
Keystream
Add corresponding elements modulo 26
Ciphertext is VRQHDUJIM
17 4 13 3 4 25 21 14 20 18
8 17 4 13 3 4 25 21 14 20
25 21 7 16 7 3 20 9 8 12
30
Non-synchronous stream cipher
Decryption
25 21 7 16 7 3 20 9 8 12
1726mod) 825(1 x
426mod)1721(2 x
31
Overview
Classical cryptosystems The Shift Cipher The Affine Cipher The Substitution Cipher The Vigenère Cipher The Hill Cipher The Permutation Cipher Stream Ciphers
Cryptanalysis of some classical cryptosystems The Affine Cipher The Substitution Cipher The Vigenère Cipher The Hill Cipher The LFSR Stream Ciphers
32
Cryptanalysis
In general, it is assumed that the opponent knows the cryptosystem being used.
Cryptanalysis Full cryptanalysis
Find the key, i.e., generate the ciphertext string for any plaintext string.
Partial cryptanalysis Generate the ciphertext strings for some plaintext
strings.
33
Attacks
Ciphertext only attack The opponent can see the ciphertext strings.
Known plaintext attack The opponent can see some plaintext strings and their
ciphertext strings.
Chosen plaintext attack The opponent can temporary access to the encryption
machinery. Hence he can choose some plaintext strings and construct their ciphertext strings.
Chosen ciphertext attack The opponent can temporary access to the decryption
machinery. Hence he can choose some ciphertext strings and construct their plaintext strings.
34
English Text
The frequency of each character
E: about 12%
T, A, O, I, N, S, H, R: 6-9%
D, L : about 4%
C, U, M, W, F, G, Y, P, B: 1.5%-2.8%
V, K, J, X, Q, Z:< 1%
letter probability letter probability
A .082 N .067
B .015 O .075
C .028 P .019
D .043 Q .001
E .127 R .060
F .022 S .063
G .020 T .091
H .061 U .028
I .070 V .010
J .002 W .023
K .008 X .001
L .040 Y .020
M .024 Z .001
35
English Text
It is also useful to consider sequences of two or three consecutive letters, called digrams and trigrams
The 30 most common digrams are
The twelve most common trigrams are
TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, OF
THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH
36
The Affine Cipher
Ciphertext only attack Suppose opponent has intercepted the following
ciphertext
Frequency of occurrence of the 26 ciphertext letters
FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHR
letterFrequenc
yLetter
Frequency
A 2 H 5
B 1 I 0
C 0 J 0
D 7 K 5
E 5 L 2
F 4 M 2
G 0
letterFrequenc
yLetter
Frequency
N 1 U 2
O 1 V 4
P 2 W 0
Q 0 X 2
R 8 Y 1
S 3 Z 0
T 0
37
The Affine Cipher
Suppose opponent has intercepted the following ciphertext
Frequency of occurrence of the 26 ciphertext letters
FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHR
letterFrequenc
yLetter
Frequency
A 2 H 5
B 1 I 0
C 0 J 0
D 7 K 5
E 5 L 2
F 4 M 2
G 0
letterFrequenc
yLetter
Frequency
N 1 U 2
O 1 V 4
P 2 W 0
Q 0 X 2
R 8 Y 1
S 3 Z 0
T 0
38
The Affine Cipher
The most frequent ciphertext characters are R (8 occurrences) D (7 occurrences) E, H, K (5 occurrences each) F, S, V (4 occurrences each)
First guess: eK(e)=R, eK(t)=D. We have eK(4)=17 and eK(19)=3. Recall that eK(x)=ax+b , where a and b are unknowns
This system has the unique solution a = 6, b = 19 (in Z26), but this is an illegal key, since gcd (a, 26) = 2 > 1
319
174
ba
ba
39
The Affine Cipher
Guess: eK(e)=R and eK(t)=E. Obtain a = 13, which is again illegal.
Guess: eK(e)=R and eK(t)=H. This yields a = 8, again impossible.
Guess: eK(e)=R and eK(t)=K. This produces a = 3, b = 5, which is at least a legal key. K = (3, 5)
Perform decryption The given ciphertext decrypts to yield
algorithmsarequitegeneraldefinitionsofarithmeticprocesses
40
The Substitution Cipher
Ciphertext only attackCiphertext obtained from a substitution cipher
The frequency analysis of this ciphertext
YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZNZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR
letterFrequenc
yLetter
Frequency
A 0 H 4
B 1 I 5
C 15 J 11
D 13 K 1
E 7 L 0
F 11 M 16
G 1
letterFrequenc
yLetter
Frequency
N 9 U 5
O 0 V 5
P 1 W 8
Q 4 X 6
R 10 Y 10
S 3 Z 20
T 2
41
The Substitution Cipher
Z occurs significantly more often than others. We might conjecture that eK(e)=Z.
C, D, F, J, M, R, Y Occur at least ten times. We might expect that these letters are
encryptions of t, a, o, i, n, s, h, r. But, not vary enough what the correspondence
might be.
42
The Substitution Cipher
We might look at digrams, especially those of the form –Z or Z– The most common digrams of this type
DZ and ZW (four times each) NZ and ZU (three times each) RZ, HZ, XZ, FZ, ZR, ZV, ZC, ZD and ZJ (twice each)
ZW occurs four times and WZ not at all W occurs less often than many other characters, The Common digrams e– : ER, ED, ES, EN, EA, ET
expect letter {t, a, o, i, n, s, h, r} we might guess that dk(W) = d
DZ occurs four times and ZD occurs twice The common digram –e : HE(EH not exist), RE, SE, TE },,{)( tsrDDK
43
The Substitution Cipher
If we proceed on the assumption that dk(Z) = e and dk(W) = d. ZRW(e-d) and RZW(-ed) both occurring near the beginning of
the ciphertext and RW(-d) occurs again later on.
Since R occurs frequently in the ciphertext and nd is a common digram, we might try dk(R) = n as the most likely possibility.
------end---------e----ned---e------------YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
--------e----e---------n—d---en----e----eNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
-e---n------n------ed---e---e--ne-nd-e-e--NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed----- n ------------e----ed-------d---e--nXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR
44
The Substitution Cipher
Next step might be to try dK(N) = h NZ(he) is a common digram and ZN(eh) is not A common digram –e : HE(EH not exist), RE, SE, TE So, dK(N) = h If this is correct, then the segment of plaintext ne – ndhe suggests
that dK(C) = a ZC(e-) is a common digram and CZ(-e) is not
------end-----a---e-a--nedh--e------a-----YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
h-------ea---e-a---a---nhad-a-en--a-e-h--eNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
he-a-n------n------ed---e---e--neandhe-e--NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed-a--- nh---ha---a-e----ed-----a-d--he--nXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR
45
The Substitution Cipher
We might consider M, the second most common ciphertext character The ciphertext segment RNM, which we believe decrypts to nh- Suggest that h- begins a word, so M probably represent a vowel We have already accounted for a and e
expect letter {t, a, o, i, n, s, h, r} So, we expect that dK(M) = i or o Since ai is a much more likely digram than ao, so dK(M) = i first
-----iend-----a-i-e-a-inedhi-e------a---i-YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
h-----i-ea-i-e-a---a-i-nhad-a-en--a-e-hi-eNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
he-a-n-----in-i----ed---e---e-ineandhe-e--NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed-a---inhi--hai--a-e-i--ed-----a-d--he--nXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR
46
The Substitution Cipher
Next, We might try to determine which letter is encrypted to o Since o is a common letter, we guess one of D, F, J, Y
At least ten times characters : C, D, F, J, M, R, Y Y seem to be the possibility
We would get long strings of vowels, namely aoi form CFM or CJM Hence, let’s suppose dK(Y) = o
The three most frequent remaining ciphertext letters are D, F, J, which we conjecture could decrypt to r, s, t in some order Two occurrences of the trigram NMD(hi-) suggest that dK(D) = s, giving the
trigram his in the plaintext
The segment HNCMF could be an encryption of chair, which would give dK(F) = r (and dK(H) = c) So we would then have dK(J) = t
Process of elimination
47
The Substitution Cipher
Now, we have
The complete decryption is
o-r-riend-ro--arise-a-inedhise--t---ass-itYIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ
hs-r-riseasi-e-a-orationhadta-en--ace-hi-eNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ
he-asnt-oo-in-i-o-redso-e-ore-ineandhesettNZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ
-ed-ac--inhischair-aceti-ted--to-ardsthes-nXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR
Our friend from Paris examined his empty glass with surprise, asif evaporation had taken place while he wasn’t looking. I poured somemore wine and he settled back in his chair, face tilted up towards the sun
48
The Vigenère Cipher
Encryption m = 6, K = (2,8,15,7,4,7)
We first compute m and then compute K. Techniques used
Kasiski test The index of coincidence
19 7 8 18 2 17 24 15 19 14 18 24
2 8 15 7 4 17 2 8 15 7 4 17
21 15 23 25 6 8 0 23 8 21 22 15
plaintext
key
ciphertext
49
The Vigenère Cipher
Observation: Two identical segments of plaintext will be encrypted to the same ciphertext whenever their occurrence in the plaintext is δ positions apart, where .
Kasiski test
Search the ciphertext for pair of identical segments of length at least three.
Record the distance between the starting positions of the two segments If we obtain several such distances, sayδ1,δ2, … ,
Then we would conjecture that m divides all of the δi’s Hence m divides the greatest common divisor of theδi’s
)(mod 0 m
50
The Vigenère Cipher
The distances from the first occurrence to other four occurrences are 165, 235, 275, 285.
The greatest common divisor of these four integers is 5. (very likely keyword length)
CHREEVOAHMAERATBIAXXWTNXBEEOPHBSQMQEQERBWRVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAKLXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELXVRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHRZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJTAMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBIPEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHPWQAIIWXNRMGWOIIFKEE
51
The Vigenère Cipher
The index of coincidence
Observe that a completely random string will have
The two values 0.065 and 0.038 are quite apart.
letter probability letter probability
A .082 N .067
B .015 O .075
C .028 P .019
D .043 Q .001
E .127 R .060
F .022 S .063
G .020 T .091
H .061 U .028
I .070 V .010
J .002 W .023
K .008 X .001
L .040 Y .020
M .024 Z .001
065.0)(25
0
2 i
ic pI x
038.026
1)
26
1(26 2 cI
52
The Vigenère Cipher
Using index of coincidenceDefine m substring of y, denoted y1, y2, … , ym,
y1 = y1ym+1y2m+1 … y2 = y2ym+2y2m+2 …
…ym= ymy2my3m …
If m is indeed the keyword length Each value Ic(yi) ≈ 0.065.
If m is not the keyword length The substrings yi will look much more random. Each value Ic(yi) ≈ 0.038.
53
The Vigenère Cipher
Computation of indices of coincidence m = 1, index of coincidence is 0.045 m = 2, we get 0.046 and 0.041 m = 3, we get 0.043, 0.050, and 0.047 m = 4, we get 0.042. 0.039. 0.046, and 0.040 m = 5, we get 0.063, 0.068, 0.069, 0.061, and
0.072
54
The Vigenère Cipher
How to determine the key K = (k1, k2, … , km).
Let p’0, … , p’25 denote the probabilities of A, B, …, Z in the string yi.
Since substring yi is obtained by shift encryption of a subset of the plaintext using a shift ki ,
p0 ≈ p’0+k , p1 ≈ p’1+k , …
55
The Vigenère Cipher
Compute
for all 0 ≤ k ≤ 25.
If k = ki, I ≈ 0.065.
If k ≠ ki, I ≈ 0.038.
'25
0
I kii
i pp
56
The Vigenère Cipher
Y1
.035 .031 .036 .037 .035 .039 .028 .028 .048
.061 .039 .035 .040 .038 .038 .044 .036 .030
.042 .043 .036 .033 .049 .043 .041 .036 .000
Y2
.069 .044 .032 .035 .044 .034 .036 .033 .030
.031 .042 .045 .040 .045 .046 .042 .037 .032
.034 .037 .032 .034 .043 .032 .026 .047 .000
Y3
.048 .029 .042 .043 .044 .034 .038 .035 .032
.049 .035 .031 .035 .065 .035 .038 .036 .045
.027 .035 .034 .034 .037 .035 .046 .040 .000
Y4
.045 .032 .033 .038 .060 .034 .034 .034 .050
.033 .033 .043 .040 .033 .028 .036 .040 .044
.037 .050 .034 .034 .039 .044 .038 .035 .000
Y5
.034 .031 .035 .044 .047 .037 .043 .038 .042
.037 .033 .032 .035 .037 .036 .045 .032 .029
.044 .072 .036 .027 .030 .048 .036 .037 .000
57
The Vigenère Cipher
From the data in Table 1.4, the key is likely to be K = (9, 0, 13, 4, 19)
Decrytion of the ciphertext
The almond tree was in tentative blossom. The days were longer, often ending with magnificent evenings of corrugated pink skies. The hunting season was over, with hounds and guns put away for six months. The vineyards were busy again as the well-organized farm-ers treated their vines and the more lackadaisical neighbors hurried to do the pruning they should have done in November.
58
The Hill Cipher
Encryption key K: m x m matrix
The hill cipher can be difficult to break with a ciphertext-only attack, but it succumbs to a known plaintext attack. Assume that the opponent know the value of m.
Kxxx
kkk
kkk
kkk
xxxyyy m
mmmm
m
m
mm ),...,(
...
.........
...
...
),...,(),...,,( 11,0
1,11,10,1
1,11.10,1
1,01,00,0
11,0110
1,11,10,1
1,11.10,1
1,01,00,0
...
.........
...
...
mmmm
m
m
kkk
kkk
kkk
59
Suppose he has m distinct plaintext-ciphertext pairs
, for 0 ≤ j ≤ m-1.
The Hill Cipher
),...,,( ,1,1,0 jmjjj xxxx ),...,,( ,1,1,0 jmjjj yyyy
Kxxxyyy mm ),...,(),...,,( 0,10,1,0,00,10,10,0
Kxxxyyy mm ),...,(),...,,( 1,11,1,1,01,11,11,0
1,11,10,1
1,11.10,1
1,01,00,0
1,11,11,0
1,11,11,0
0,10,10,0
1,11,11,0
1,11,11,0
0,10,10,0
...
.........
...
...
...
.........
...
...
...
.........
...
...
mmmm
m
m
mmmm
m
m
mmmm
m
m
kkk
kkk
kkk
xxx
xxx
xxx
yyy
yyy
yyy
· ·
· ·
60
The Hill Cipher
1,11,10,1
1,11.10,1
1,01,00,0
1,11,10,1
1,11.10,1
1,01,00,0
1,11,10,1
1,11.10,1
1,01,00,0
...
.........
...
...
...
.........
...
...
...
.........
...
...
mmmm
m
m
mmmm
m
m
mmmm
m
m
kkk
kkk
kkk
xxx
xxx
xxx
yyy
yyy
yyy
1,11,10,1
1,11.10,1
1,01,00,0
1,11,10,1
1,11.10,1
1,01,00,0
1,11,10,1
1,11.10,1
1,01,00,0
...
.........
...
...
...
.........
...
...1
...
.........
...
...
mmmm
m
m
mmmm
m
m
mmmm
m
m
kkk
kkk
kkk
yyy
yyy
yyy
xxx
xxx
xxx
61
The Hill Cipher
Suppose the plaintext Friday is encrypted to the ciphertext PQCFKU using a Hill Cipher with m = 2. eK(5, 17) = (15, 16), eK(8, 3) = (2, 5), eK(0, 24) = (10,
20) We get the matrix equation
So
K
38
175
52
1615
152
19
38
173det)1(
38
1751,1
11
1
A
38
197
52
1615
152
19K
62
What would the opponent do if he does not know m?
Assuming that m is not too big, he could simply try m = 2, 3, …. , untill the key found.
The Hill Cipher
63
The LFSR Stream Cipher
Ciphertext is the exclusive-or of the plaintext and the keystream
The keystream is produced from an initial m-tuple, (z0, … , zm-1)=(k0, … , km-1), using the linear recurrence
for all i ≥ 0, where
iii zxy
1
0
2modm
jjijmi zcz
210 ,..., Zcc m
64
The LFSR Stream Cipher
Known plaintext attack From the given paintext string x1x2…xn and
the corresponding ciphertext string y1y2…yn, the keystream bits z1z2…zn .
Suppose that opponent knows the value of m
He needs only to compute c0, …, cm-1 .
iii yxz
65
The LFSR Stream Cipher
If n ≥ 2m, then there are m linear equations in m unknowns, which can subsequently be solved.
121
132
21
110221
...
.........
...
...
),...,,(),...,,(
mmm
m
m
mmmm
zzz
zzz
zzz
ccczzz
),...,,(
1
...
.........
...
...
),...,,( 110
121
132
21
221
m
mmm
m
m
mmm ccc
zzz
zzz
zzz
zzz
66
The LFSR Stream Cipher
Example Suppose the ciphertext string is
10110 10111 10011 and the plaintext string is
01100 11111 11000 Then the keystream bits are
11010 01000 01010
67
The LFSR Stream Cipher
If m = 5,
00100
01001
10010
00101
01011
),,,,()0,0,0,1,0( 43210 ccccc
11101
11010
10000
01001
10010
00100
01001
10010
00101
010111
)0,1,0,0,1(
11101
11010
10000
01001
10010
)0,0,0,1,0(),,,,( 43210
ccccc
Thus zi+5 = (zi+zi+3) mod 2