1 classical cryptography prof. heejin park. 2 overview classical cryptosystems the shift cipher the...

1

Classical Cryptography

Prof. Heejin Park

2

Overview

Classical cryptosystems The Shift Cipher The Affine Cipher The Substitution Cipher The Vigenère Cipher The Hill Cipher The Permutation Cipher Stream Ciphers

Cryptanalysis of some classical cryptosystems

3

The Shift Cipher

Encryption of plaintext wewillmeet with K = 11

1. Convert each character to an integer

2. Add 11 mod 26 to each value.

3. Convert the value to its corresponding character.

w e w i l l m e e t

22

4 22

8 11

11

12

4 4 19

22

4 22

8 11

11

12

4 4 19

7 15

7 19

22

22

23

15

15

4

7 15

7 19

22

22

23

15

15

4

h p h t w w x p p e

4

The Shift Cipher

Decryption of ciphertext hphtwwxppe Inverse of encryption

Cryptanalysis of shift cipher Exhaustive key search

The key space is too small: only 26 possible keys

JBCRCLQRWCRVNBJENBWRWN

0 Jbcrclqrwcrvnbjenbwrwn

1 Iabqbkpqvbqumaidmavqvm

… …

9 astitchintimesavesnine

5

The Affine Cipher

Encryption

Encryption of hot using Since h, o, t are the 7th, 14th, and 19th characters, (7x7+3) mod 26 = 52 mod 26 = 0. (7x14+3) mod 26 = 101 mod 26 = 23. (7x19+3) mod 26 = 136 mod 26 = 6.

if a =1, it becomes a Shift Cipher.

26mod)()( baxxe 26, Zba

26mod37)( xxe

6

The Affine Cipher

Encryption

Decryption

a should be an integer such that a-1 exists. a-1 exists if and only if a and 26 are relatively prime. 12 integers: 1,3,5,7,9,11,15,17,19,21,23, 25

26mod)()( baxxe 26, Zba

26mod)()( 1 byayd

7

The Affine Cipher

Cryptanalysis The exhaustive key search: Count the number of keys

Number of a’s? 12: 1,3,5,7,9,11,15,17,19,21,23, 25

Number of b’s? 26: because b can be any integer among 0,1,…, 25.

We have 12 X 26 = 312 number of keys.

26mod)()( 1 byayd

26mod)()( baxxe

8

The Affine Cipher

Cryptanalysis

If the modulus is large, the exhaustive key search is infeasible.

However, the Affine Cipher can be easily cryptanalyzed by other methods.

9

The Substitution Cipher

Encryption Substitute each symbol in a plaintext using a

permutation.

a b c d e f g h i j k l m

X N Y A H P O G Z Q W B T

n o p q r s t u v w x y z

S F L R C V M U E K J D I

10

The Substitution Cipher

Decryption Substitute each symbol in a ciphertext using the

inverse permutation.

Quiz MGZVYZLGHCMHJMYXSSFMNHAHYCDLMHA ?

The Shift Cipher is a special case of the Substitution Cipher.

Is the Affine Cipher a special case of the Substitution Cipher?

11

The Substitution Cipher

Cryptanalysis

An exhaustive key search is infeasible. The number of possible permutation is 26! (> 4 x 1026).

However, the Substitution Cipher can be cryptanalyzed by other methods.

12

The Vigenère Cipher

Monoalphabetic cryptosystems The Shift Cipher and the Substitution Cipher. Each character is mapped to one character.

Polyalphabetic cryptosystems The Vigenère Cipher A character can be mapped to one of characters.

13

The Vigenère Cipher

Encryption m = 6, K = (2,8,15,7,4,7)

Decryption Inverse of encryption

19 7 8 18 2 17 24 15 19 14 18 24

2 8 15 7 4 17 2 8 15 7 4 17

21 15 23 25 6 8 0 23 8 21 22 15

plaintext

key

ciphertext

14

The Vigenère Cipher

Formal Definition Let m be a positive integer. Define P = C = K = (Z26)m. For

a key K = (k0, k1, … , km-1), we define

eK(x0, x1, … , xm-1) = ( x0 + k0 , x1 + k1, … , xm-1 + km-1)

dK(y0, y1, … , ym-1) = ( y0 - k0 , y1 - k1, … , ym-1 – km-1)

Where all operations are performed in Z26

15

The Vigenère Cipher

Cryptanalysis

The number of possible keys 26m

Exhaustive key search is infeasible if m is not too small.

However, the Vigenère cipher can be cryptanalyzed by other methods.

16

The Hill Cipher

Encryption key: m x m matrix

1,11,10,1

1,11.10,1

1,01,00,0

11,0110

...

.........

...

...

),...,(),...,,(

mmmm

m

m

mm

kkk

kkk

kkk

xxxyyy

1,11,10,1

1,11.10,1

1,01,00,0

...

.........

...

...

mmmm

m

m

kkk

kkk

kkk

17

The Hill Cipher

Encrypt the plaintext july with k =

We partition july into ju and ly. ju: (9, 20)

ly: (11, 24)

73

811

(3,4)(159,212)140)60,72(9973

811(9,20)

(11,22)(84,256)168)72,88(1273

811(11,24)

18

The Hill Cipher

Decryption Use the inverse of key matrix

),...,(

1

...

.........

...

...

),...,,( 11,0

1,11,10,1

1,11.10,1

1,01,00,0

110

m

mmmm

m

m

m xxx

kkk

kkk

kkk

yyy

19

The Permutation Cipher

Encryption key: a permutation of size m

a permutation where m = 6

shesellsseashellsbytheseashore

shesel lsseas hellsb ythese ashore

EESLSH SALSES LSHBLE HSYEET HRAEOS

2 4 0 5 3 1

012345

20

The Permutation Cipher

Decryption Use the inverse permutation of the key

The Permutation Cipher is a special case of the Hill Cipher.

2 4 0 5 3 1

001000

000010

010000

000001

100000

000100

),...,(),...,,( 51,0510 xxxyyy

20 xy 41 xy

21

Stream Ciphers

Block ciphers Each plaintext element is encrypted using the same key K.

Stream ciphers Plaintext elements are encrypted using key stream .

)()( 1010 xexeyyy KK

)()( 1010 21xexeyyy ZZ

10zz

22

Stream Ciphers

Key stream construction

Synchronous stream ciphers The key stream is constructed from the key.

Non-synchronous stream ciphers The key stream is constructed from the key, the plaintext, or the

ciphertext.

23

Synchronous Ciphers

The Vigenère Cipher is a kind of stream cipher. Encryption

The is a synchronous stream cipher whose keystream is z1z2… such that

mii kz mod

1110 mmm xxxxx

10110 kkkkk m

1110 mmm yyyyy

26 mod mod miii kxy

24

Synchronous Ciphers

A stream cipher is a periodic stream cipher with period d if for all i ≥ 0. The Vigenère Cipher is a periodic stream cipher with

period m.

Stream cipher are often described in terms of binary alphabets (P = C = K = Z2) The encryption/decryption operations are just exclusive-or.

idi zz

iii zxy 10xx10zz

10 yyiii zyx

25

Synchronous Ciphers

A method for generating binary key stream z0z1…

Initialize z0…zm-1 using a binary tuple (k0, …, km-1). z0 = k0 , z1 = k1,…, zm-1 = km-1

Generate zmzm+1… using a linear recurrence of degree m

for all i ≥ 0, where are specified constant

1

0

2modm

jjijmi zcz

210 ,..., Zcc m

26

Synchronous Ciphers

Example m = 4 and the keystream is generated using

If starting with (1, 0, 0, 0), the keystream is 10001001…

If starting with (0, 0, 0, 0), the keystream is 00000000… So, zero vector should be avoided for the key.

If is chosen carefully, the period of the key stream can be 2m-1.

2mod)( 14 iii zzz

10 ,..., mcc

27

Synchronous Ciphers

LFSR (Linear feedback shift register) Use a shift register with m stages The vector (k1, … , km) is used to initialize the shift

register At each time unit, the following operation is

performed. k1 becomes the next keystream bit k2, … , km are shifted to the left The “new” value of km becomes

1

01

m

jjjkc

K1 K2 K3 K4

2mod)( 14 iii zzz

28

Non-synchronous stream cipher

Autokey Cipher

z0 = K , z1 = x0, z2 = x1,… zi = xi-1… Encryption

Decryption

26mod)( iii zxy

26mod)( 1 iii xxy

26mod)( 1 iii xyx

29

Non-synchronous stream cipher

K = 8 and the plaintext is rendexvous

Convert the plaintext to integers

Keystream

Add corresponding elements modulo 26

Ciphertext is VRQHDUJIM

17 4 13 3 4 25 21 14 20 18

8 17 4 13 3 4 25 21 14 20

25 21 7 16 7 3 20 9 8 12

30

Non-synchronous stream cipher

Decryption

25 21 7 16 7 3 20 9 8 12

1726mod) 825(1 x

426mod)1721(2 x

31

Overview

Classical cryptosystems The Shift Cipher The Affine Cipher The Substitution Cipher The Vigenère Cipher The Hill Cipher The Permutation Cipher Stream Ciphers

Cryptanalysis of some classical cryptosystems The Affine Cipher The Substitution Cipher The Vigenère Cipher The Hill Cipher The LFSR Stream Ciphers

32

Cryptanalysis

In general, it is assumed that the opponent knows the cryptosystem being used.

Cryptanalysis Full cryptanalysis

Find the key, i.e., generate the ciphertext string for any plaintext string.

Partial cryptanalysis Generate the ciphertext strings for some plaintext

strings.

33

Attacks

Ciphertext only attack The opponent can see the ciphertext strings.

Known plaintext attack The opponent can see some plaintext strings and their

ciphertext strings.

Chosen plaintext attack The opponent can temporary access to the encryption

machinery. Hence he can choose some plaintext strings and construct their ciphertext strings.

Chosen ciphertext attack The opponent can temporary access to the decryption

machinery. Hence he can choose some ciphertext strings and construct their plaintext strings.

34

English Text

The frequency of each character

E: about 12%

T, A, O, I, N, S, H, R: 6-9%

D, L : about 4%

C, U, M, W, F, G, Y, P, B: 1.5%-2.8%

V, K, J, X, Q, Z:< 1%

letter probability letter probability

A .082 N .067

B .015 O .075

C .028 P .019

D .043 Q .001

E .127 R .060

F .022 S .063

G .020 T .091

H .061 U .028

I .070 V .010

J .002 W .023

K .008 X .001

L .040 Y .020

M .024 Z .001

35

English Text

It is also useful to consider sequences of two or three consecutive letters, called digrams and trigrams

The 30 most common digrams are

The twelve most common trigrams are

TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, OF

THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH

36

The Affine Cipher

Ciphertext only attack Suppose opponent has intercepted the following

ciphertext

Frequency of occurrence of the 26 ciphertext letters

FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHR

letterFrequenc

yLetter

Frequency

A 2 H 5

B 1 I 0

C 0 J 0

D 7 K 5

E 5 L 2

F 4 M 2

G 0

letterFrequenc

yLetter

Frequency

N 1 U 2

O 1 V 4

P 2 W 0

Q 0 X 2

R 8 Y 1

S 3 Z 0

T 0

37

The Affine Cipher

Suppose opponent has intercepted the following ciphertext

Frequency of occurrence of the 26 ciphertext letters

FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHR

letterFrequenc

yLetter

Frequency

A 2 H 5

B 1 I 0

C 0 J 0

D 7 K 5

E 5 L 2

F 4 M 2

G 0

letterFrequenc

yLetter

Frequency

N 1 U 2

O 1 V 4

P 2 W 0

Q 0 X 2

R 8 Y 1

S 3 Z 0

T 0

38

The Affine Cipher

The most frequent ciphertext characters are R (8 occurrences) D (7 occurrences) E, H, K (5 occurrences each) F, S, V (4 occurrences each)

First guess: eK(e)=R, eK(t)=D. We have eK(4)=17 and eK(19)=3. Recall that eK(x)=ax+b , where a and b are unknowns

This system has the unique solution a = 6, b = 19 (in Z26), but this is an illegal key, since gcd (a, 26) = 2 > 1

319

174

ba

ba

39

The Affine Cipher

Guess: eK(e)=R and eK(t)=E. Obtain a = 13, which is again illegal.

Guess: eK(e)=R and eK(t)=H. This yields a = 8, again impossible.

Guess: eK(e)=R and eK(t)=K. This produces a = 3, b = 5, which is at least a legal key. K = (3, 5)

Perform decryption The given ciphertext decrypts to yield

algorithmsarequitegeneraldefinitionsofarithmeticprocesses

40

The Substitution Cipher

Ciphertext only attackCiphertext obtained from a substitution cipher

The frequency analysis of this ciphertext

YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZNZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

letterFrequenc

yLetter

Frequency

A 0 H 4

B 1 I 5

C 15 J 11

D 13 K 1

E 7 L 0

F 11 M 16

G 1

letterFrequenc

yLetter

Frequency

N 9 U 5

O 0 V 5

P 1 W 8

Q 4 X 6

R 10 Y 10

S 3 Z 20

T 2

41

The Substitution Cipher

Z occurs significantly more often than others. We might conjecture that eK(e)=Z.

C, D, F, J, M, R, Y Occur at least ten times. We might expect that these letters are

encryptions of t, a, o, i, n, s, h, r. But, not vary enough what the correspondence

might be.

42

The Substitution Cipher

We might look at digrams, especially those of the form –Z or Z– The most common digrams of this type

DZ and ZW (four times each) NZ and ZU (three times each) RZ, HZ, XZ, FZ, ZR, ZV, ZC, ZD and ZJ (twice each)

ZW occurs four times and WZ not at all W occurs less often than many other characters, The Common digrams e– : ER, ED, ES, EN, EA, ET

expect letter {t, a, o, i, n, s, h, r} we might guess that dk(W) = d

DZ occurs four times and ZD occurs twice The common digram –e : HE(EH not exist), RE, SE, TE },,{)( tsrDDK

43

The Substitution Cipher

If we proceed on the assumption that dk(Z) = e and dk(W) = d. ZRW(e-d) and RZW(-ed) both occurring near the beginning of

the ciphertext and RW(-d) occurs again later on.

Since R occurs frequently in the ciphertext and nd is a common digram, we might try dk(R) = n as the most likely possibility.

------end---------e----ned---e------------YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ

--------e----e---------n—d---en----e----eNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ

-e---n------n------ed---e---e--ne-nd-e-e--NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ

-ed----- n ------------e----ed-------d---e--nXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

44

The Substitution Cipher

Next step might be to try dK(N) = h NZ(he) is a common digram and ZN(eh) is not A common digram –e : HE(EH not exist), RE, SE, TE So, dK(N) = h If this is correct, then the segment of plaintext ne – ndhe suggests

that dK(C) = a ZC(e-) is a common digram and CZ(-e) is not

------end-----a---e-a--nedh--e------a-----YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ

h-------ea---e-a---a---nhad-a-en--a-e-h--eNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ

he-a-n------n------ed---e---e--neandhe-e--NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ

-ed-a--- nh---ha---a-e----ed-----a-d--he--nXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

45

The Substitution Cipher

We might consider M, the second most common ciphertext character The ciphertext segment RNM, which we believe decrypts to nh- Suggest that h- begins a word, so M probably represent a vowel We have already accounted for a and e

expect letter {t, a, o, i, n, s, h, r} So, we expect that dK(M) = i or o Since ai is a much more likely digram than ao, so dK(M) = i first

-----iend-----a-i-e-a-inedhi-e------a---i-YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ

h-----i-ea-i-e-a---a-i-nhad-a-en--a-e-hi-eNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ

he-a-n-----in-i----ed---e---e-ineandhe-e--NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ

-ed-a---inhi--hai--a-e-i--ed-----a-d--he--nXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

46

The Substitution Cipher

Next, We might try to determine which letter is encrypted to o Since o is a common letter, we guess one of D, F, J, Y

At least ten times characters : C, D, F, J, M, R, Y Y seem to be the possibility

We would get long strings of vowels, namely aoi form CFM or CJM Hence, let’s suppose dK(Y) = o

The three most frequent remaining ciphertext letters are D, F, J, which we conjecture could decrypt to r, s, t in some order Two occurrences of the trigram NMD(hi-) suggest that dK(D) = s, giving the

trigram his in the plaintext

The segment HNCMF could be an encryption of chair, which would give dK(F) = r (and dK(H) = c) So we would then have dK(J) = t

Process of elimination

47

The Substitution Cipher

Now, we have

The complete decryption is

o-r-riend-ro--arise-a-inedhise--t---ass-itYIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ

hs-r-riseasi-e-a-orationhadta-en--ace-hi-eNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ

he-asnt-oo-in-i-o-redso-e-ore-ineandhesettNZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ

-ed-ac--inhischair-aceti-ted--to-ardsthes-nXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

Our friend from Paris examined his empty glass with surprise, asif evaporation had taken place while he wasn’t looking. I poured somemore wine and he settled back in his chair, face tilted up towards the sun

48

The Vigenère Cipher

Encryption m = 6, K = (2,8,15,7,4,7)

We first compute m and then compute K. Techniques used

Kasiski test The index of coincidence

19 7 8 18 2 17 24 15 19 14 18 24

2 8 15 7 4 17 2 8 15 7 4 17

21 15 23 25 6 8 0 23 8 21 22 15

plaintext

key

ciphertext

49

The Vigenère Cipher

Observation: Two identical segments of plaintext will be encrypted to the same ciphertext whenever their occurrence in the plaintext is δ positions apart, where .

Kasiski test

Search the ciphertext for pair of identical segments of length at least three.

Record the distance between the starting positions of the two segments If we obtain several such distances, sayδ1,δ2, … ,

Then we would conjecture that m divides all of the δi’s Hence m divides the greatest common divisor of theδi’s

)(mod 0 m

50

The Vigenère Cipher

The distances from the first occurrence to other four occurrences are 165, 235, 275, 285.

The greatest common divisor of these four integers is 5. (very likely keyword length)

CHREEVOAHMAERATBIAXXWTNXBEEOPHBSQMQEQERBWRVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAKLXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELXVRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHRZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJTAMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBIPEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHPWQAIIWXNRMGWOIIFKEE

51

The Vigenère Cipher

The index of coincidence

Observe that a completely random string will have

The two values 0.065 and 0.038 are quite apart.

letter probability letter probability

A .082 N .067

B .015 O .075

C .028 P .019

D .043 Q .001

E .127 R .060

F .022 S .063

G .020 T .091

H .061 U .028

I .070 V .010

J .002 W .023

K .008 X .001

L .040 Y .020

M .024 Z .001

065.0)(25

0

2 i

ic pI x

038.026

1)

26

1(26 2 cI

52

The Vigenère Cipher

Using index of coincidenceDefine m substring of y, denoted y1, y2, … , ym,

y1 = y1ym+1y2m+1 … y2 = y2ym+2y2m+2 …

…ym= ymy2my3m …

If m is indeed the keyword length Each value Ic(yi) ≈ 0.065.

If m is not the keyword length The substrings yi will look much more random. Each value Ic(yi) ≈ 0.038.

53

The Vigenère Cipher

Computation of indices of coincidence m = 1, index of coincidence is 0.045 m = 2, we get 0.046 and 0.041 m = 3, we get 0.043, 0.050, and 0.047 m = 4, we get 0.042. 0.039. 0.046, and 0.040 m = 5, we get 0.063, 0.068, 0.069, 0.061, and

0.072

54

The Vigenère Cipher

How to determine the key K = (k1, k2, … , km).

Let p’0, … , p’25 denote the probabilities of A, B, …, Z in the string yi.

Since substring yi is obtained by shift encryption of a subset of the plaintext using a shift ki ,

p0 ≈ p’0+k , p1 ≈ p’1+k , …

55

The Vigenère Cipher

Compute

for all 0 ≤ k ≤ 25.

If k = ki, I ≈ 0.065.

If k ≠ ki, I ≈ 0.038.

'25

0

I kii

i pp

56

The Vigenère Cipher

Y1

.035 .031 .036 .037 .035 .039 .028 .028 .048

.061 .039 .035 .040 .038 .038 .044 .036 .030

.042 .043 .036 .033 .049 .043 .041 .036 .000

Y2

.069 .044 .032 .035 .044 .034 .036 .033 .030

.031 .042 .045 .040 .045 .046 .042 .037 .032

.034 .037 .032 .034 .043 .032 .026 .047 .000

Y3

.048 .029 .042 .043 .044 .034 .038 .035 .032

.049 .035 .031 .035 .065 .035 .038 .036 .045

.027 .035 .034 .034 .037 .035 .046 .040 .000

Y4

.045 .032 .033 .038 .060 .034 .034 .034 .050

.033 .033 .043 .040 .033 .028 .036 .040 .044

.037 .050 .034 .034 .039 .044 .038 .035 .000

Y5

.034 .031 .035 .044 .047 .037 .043 .038 .042

.037 .033 .032 .035 .037 .036 .045 .032 .029

.044 .072 .036 .027 .030 .048 .036 .037 .000

57

The Vigenère Cipher

From the data in Table 1.4, the key is likely to be K = (9, 0, 13, 4, 19)

Decrytion of the ciphertext

The almond tree was in tentative blossom. The days were longer, often ending with magnificent evenings of corrugated pink skies. The hunting season was over, with hounds and guns put away for six months. The vineyards were busy again as the well-organized farm-ers treated their vines and the more lackadaisical neighbors hurried to do the pruning they should have done in November.

58

The Hill Cipher

Encryption key K: m x m matrix

The hill cipher can be difficult to break with a ciphertext-only attack, but it succumbs to a known plaintext attack. Assume that the opponent know the value of m.

Kxxx

kkk

kkk

kkk

xxxyyy m

mmmm

m

m

mm ),...,(

...

.........

...

...

),...,(),...,,( 11,0

1,11,10,1

1,11.10,1

1,01,00,0

11,0110

1,11,10,1

1,11.10,1

1,01,00,0

...

.........

...

...

mmmm

m

m

kkk

kkk

kkk

59

Suppose he has m distinct plaintext-ciphertext pairs

, for 0 ≤ j ≤ m-1.

The Hill Cipher

),...,,( ,1,1,0 jmjjj xxxx ),...,,( ,1,1,0 jmjjj yyyy

Kxxxyyy mm ),...,(),...,,( 0,10,1,0,00,10,10,0

Kxxxyyy mm ),...,(),...,,( 1,11,1,1,01,11,11,0

1,11,10,1

1,11.10,1

1,01,00,0

1,11,11,0

1,11,11,0

0,10,10,0

1,11,11,0

1,11,11,0

0,10,10,0

...

.........

...

...

...

.........

...

...

...

.........

...

...

mmmm

m

m

mmmm

m

m

mmmm

m

m

kkk

kkk

kkk

xxx

xxx

xxx

yyy

yyy

yyy

· ·

· ·

60

The Hill Cipher

1,11,10,1

1,11.10,1

1,01,00,0

1,11,10,1

1,11.10,1

1,01,00,0

1,11,10,1

1,11.10,1

1,01,00,0

...

.........

...

...

...

.........

...

...

...

.........

...

...

mmmm

m

m

mmmm

m

m

mmmm

m

m

kkk

kkk

kkk

xxx

xxx

xxx

yyy

yyy

yyy

1,11,10,1

1,11.10,1

1,01,00,0

1,11,10,1

1,11.10,1

1,01,00,0

1,11,10,1

1,11.10,1

1,01,00,0

...

.........

...

...

...

.........

...

...1

...

.........

...

...

mmmm

m

m

mmmm

m

m

mmmm

m

m

kkk

kkk

kkk

yyy

yyy

yyy

xxx

xxx

xxx

61

The Hill Cipher

Suppose the plaintext Friday is encrypted to the ciphertext PQCFKU using a Hill Cipher with m = 2. eK(5, 17) = (15, 16), eK(8, 3) = (2, 5), eK(0, 24) = (10,

20) We get the matrix equation

So

K

38

175

52

1615

152

19

38

173det)1(

38

1751,1

11

1

A

38

197

52

1615

152

19K

62

What would the opponent do if he does not know m?

Assuming that m is not too big, he could simply try m = 2, 3, …. , untill the key found.

The Hill Cipher

63

The LFSR Stream Cipher

Ciphertext is the exclusive-or of the plaintext and the keystream

The keystream is produced from an initial m-tuple, (z0, … , zm-1)=(k0, … , km-1), using the linear recurrence

for all i ≥ 0, where

iii zxy

1

0

2modm

jjijmi zcz

210 ,..., Zcc m

64

The LFSR Stream Cipher

Known plaintext attack From the given paintext string x1x2…xn and

the corresponding ciphertext string y1y2…yn, the keystream bits z1z2…zn .

Suppose that opponent knows the value of m

He needs only to compute c0, …, cm-1 .

iii yxz

65

The LFSR Stream Cipher

If n ≥ 2m, then there are m linear equations in m unknowns, which can subsequently be solved.

121

132

21

110221

...

.........

...

...

),...,,(),...,,(

mmm

m

m

mmmm

zzz

zzz

zzz

ccczzz

),...,,(

1

...

.........

...

...

),...,,( 110

121

132

21

221

m

mmm

m

m

mmm ccc

zzz

zzz

zzz

zzz

66

The LFSR Stream Cipher

Example Suppose the ciphertext string is

10110 10111 10011 and the plaintext string is

01100 11111 11000 Then the keystream bits are

11010 01000 01010

67

The LFSR Stream Cipher

If m = 5,

00100

01001

10010

00101

01011

),,,,()0,0,0,1,0( 43210 ccccc

11101

11010

10000

01001

10010

00100

01001

10010

00101

010111

)0,1,0,0,1(

11101

11010

10000

01001

10010

)0,0,0,1,0(),,,,( 43210

ccccc

Thus zi+5 = (zi+zi+3) mod 2