l1.1. an introduction to classical cryptosystems

L1.1. An Introduction to Classical Cryptosystems

Rocky K. C. Chang, February 2013

2

This and the next set of slides

Secret keyfunctions

Public keyfunctions

Hashfunctions

Secrecyservice

Authenticationservice

Messageintegrity service

Nonrepudiationservice

3

Outline

Components of a cryptosystem Some modular arithmetic Some classical ciphers

Shift Cipher Substitution Cipher Affine Cipher Vigenère Cipher Permutation Cipher Stream Ciphers

Attack models and cryptanalysis

4

Elements of a secret-key cryptosystem

5

The Cryptosystem

Alice Encryptor decryptor Bob

Eve

Key source

m m c

K Secure channel

6

A cryptosystem consists of M: a finite set of possible plaintexts C: a finite set of possible ciphertexts K: the key space, a finite set of possible keys E: A set of encryption rules D: A set of decryption rules For each K K, there is an EK() E and a DK()

D, such that DK(EK(m)) = m for every m M.

7

Requirements for a practical cryptosystem

Note that EK() must be a 1-to-1 function. If M = C, then EK() is a permutation.

Practically, EK() and DK() should be efficiently computable. An attacker, upon seeing a ciphertext, should be

unable to determine the key or the plaintext. The attack models Cryptanalysis: attempt to compute K given some

ciphertexts.

8

Several classical ciphers

9

First, “recall” some modular arithmetic Suppose a and b are integers, and n is a

positive integer (modulus). a mod n = the remainder of a/n {0, 1, …, n –

1}. Congruence

a b (mod n) iff a mod n = b mod n, i.e., same remainders.

“a is congruent to b modulo n.” E.g.,

101 mod 7 = 714 + 3 = 3 -101 mod 7 = 7(-15) + 4 = 4

10

The Shift Cipher Let M = C = K = {0, 1, 2, …, 25} For 0 ≤ K ≤ 25, define

EK(m) = (m + K) mod 26 DK(c) = (c – K) mod 26

For example, K = 11 m: 22 4 22 8 11 11 12 4 4 19 c: 7 15 7 19 22 22 23 15 15 4

For K = 3, the Shift Cipher is often called the Caesar Cipher.

Show that DK(EK(m)) = m for every mM.

11

The Substitution Cipher Let M = C = {0, 1, 2, …, 25} K = {All possible permutations of the 26

numbers} For each permutation K K, define

EK(m) = K(m) = c DK(c) = K-1(c), the inverse permutation

For example, one possible K is a b c d e f g h i j k l m n o p q r s … X N Y A H P O G Z Q W B T S F L R C V … EK(a) = X and DK(X) = a

Is this cipher more secure?

12

Affine Cipher Let M = C = {0, 1, 2, …, 25} K = (a, b), where a, b {0, 1, 2, …, 25}. Encryption and decryption functions;

EK(m) = (am + b) mod 26 DK(c) = a-1(c - b) mod 26

EK(m) is not an one-to-one function for all a. When a = 1, Affine Cipher is the same as a Shift

Cipher. Affine Cipher is still a special case of the

Substitution Cipher.

13

The Vigenère (vee zhun AIR) Cipher Monoalphabetic (e.g., Shift and Substitution) vs

polyalphabetic (e.g., Vigenère) M = C = K = (Z26)n, where n is a positive integer.

For a key K (keyword) = (k1, k2, …, kn), define EK(m1, m2, …, mn) = (m1+k1, m2+k2, …, mn+kn)

DK(c1, c2, …, cn) = (c1 – k1, c2 – k2, …, cn – kn), where the additions and subtractions are done in mod 26.

For example, n= 6 and K = (2, 8, 15, 7, 4, 17), m: 19 7 8 18 2 17 24 15 19 14 18 24 K: 2 8 15 7 4 17 2 8 15 7 4 17 c: 21 15 23 25 6 8 0 23 8 21 22 15 …

14

The Permutation (or Transposition) Cipher

All the ciphers so far involve substitution: a plaintext symbol replaced by a different symbol.

A permutation cipher keeps the plaintext symbols unchanged but to alter their positions.

M = C = (Z26)n

K = {All permutations of 1, 2, …, n}. For a key K (a given permutation), define

EK(m1, m2, …, mn) = (mK(1), mK(2), …, mK(n)) DK(c1, c2, …, cn) = (cK

-1(1), cK

-1(2), …, cK

-1(n)).

15

The Permutation Cipher (cont’d) For example, n = 6

i: 1 2 3 4 5 6 K(i): 3 6 1 5 2 4 m : s h e s e l l s s e a s c : e e s l s h s a l s e s

16

The Stream Cipher The cryptosystems considered so far are known as

block ciphers. The plaintexts are encrypted using the same key.

An alternative is to generate a key stream y1y2y3, …. c = Ey1

(m1)Ey2(m2)Ey3

(m3) ….

M, C, and K are the same as before. g, the keystream generator, takes a key K to

generate y1y2y3, …, where yiL. For each y in the keystream, there is an

encryption rule Ey() and a corresponding decryption rule Dy(), such that Dy(Ey(m)) = m for every m M.

17

The Vigenère Cipher and the Stream Cipher Define Vigenère Cipher as a Stream Cipher:

M = C = L = Z26 (note the difference here) K = (Z26)n

For each y L, Ey(m) = (m + y) mod 26

Dy(m) = (c y) mod 26

The keystream: yi= ki if 1 ≤ i ≤ n; yi = ki-n, else.

18

Block cipher vs stream cipher Stream ciphers are typically faster than block. Block ciphers typically require more memory

as their operations are based on blocks. Stream ciphers are more difficult to

implement correctly. Block ciphers are more susceptible to noise in

transmission. Stream ciphers do not provide integrity

protection or authentication, whereas some block ciphers could provide them.

19

Attack models What kind of information available to the

attacker? Kerckhoff’s principle: a cryptosystem should be

secure even if everything about the system, except the key, is public knowledge. The attack’s objective is to determine the key in use.

Different attack models: Ciphertext-only attack: Eve possesses ciphertexts. Known-plaintext attack: Eve possesses plaintexts and the

corresponding ciphertexts. Chosen-plaintext attack: Eve can temporarily choose a

plaintext and construct the corresponding ciphertext. Chosen-ciphertext attack: Eve can temporarily choose a

ciphertext and construct the corresponding plaintext.

20

Cryptanalysis The Shift, Substitution, and Vigenère Ciphers are

vulnerable to ciphertext-only attacks. The Permutation and Stream Ciphers are

vulnerable to known-plaintext attacks. Most of the cryptanalysis are based on statistical

properties of the English language. E has the highest occurrence rate (0.12) T, A, O, I, N, S, H, R (0.06-0.09) … V, K, J, X, Q, Z (< 0.01) Popular digrams: TH, HE, IN, ER, … Popular trigrams: THE, ING, AND, HER, …

21

Cryptanalysis of the Vigenère Cipher The first step is to determine n, the keyword

length using Kasiski test. The method is based on

2 identical segments of plaintext will be encrypted to the same ciphertext if they are d positions apart, where d 0 (mod n).

If 2 identical segments of ciphertext found and each length ≥ 3, it is “likely” that they correspond to identical segments of plaintext.

The test: Search the ciphertext for pairs of identical segments of

length ≥ 3. If exists, record the distance between them, say d1, d2, …. n must divide the greatest common divisor of d1, d2, ….

22

Conclusions Classical ciphers can be classified as

Substitution vs permutation Monoalphabetic vs polyalphabetic Stream ciphers (e.g., JK Flip-Flop, A5, SEAL, RC4)

vs block ciphers (e.g., DES, IDEA, AES, RC2) Various stream ciphers:

http://en.wikipedia.org/wiki/Stream_cipher#Usage

Ciphers’ security The size of the key space Vulnerability under cryptanalysis

23

Acknowledgments This set of slides is prepared mainly based on

D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.

Some of the book’s materials can be found at http://www.maths.uwa.edu.au/~praeger/teaching/3CC/WWW/chapter2.html

The slide on block cipher vs stream cipher is based on http://security.stackexchange.com/questions/334/advantages-and-disadvantages-of-stream-versus-block-ciphers

Cryptool portal: http://www.cryptool.org/en/