chapter 2, classical encryption techniques historical...

1

Historical Ciphers

ECE 646 - Lecture 6

Required Reading

•  W. Stallings, Cryptography and Network Security, Chapter 2, Classical Encryption Techniques

•  A. Menezes et al., Handbook of Applied Cryptography, Chapter 7.3 Classical ciphers and historical development

Why (not) to study historical ciphers?

AGAINST FOR

Not similar to modern ciphers

Long abandoned

Basic components became a part of modern ciphers Under special circumstances modern ciphers can be reduced to historical ciphers

Influence on world events

The only ciphers you can break!

Secret Writing

Steganography (hidden messages)

Cryptography (encrypted messages)

Substitution Transformations

Transposition Ciphers (change the order of letters)

Codes Substitution Ciphers (replace

words) (replace letters)

Selected world events affected by cryptology

1586  - trial of Mary Queen of Scots - substitution cipher

1917  - Zimmermann telegram, America enters World War I

1939-1945 Battle of England, Battle of Atlantic, D-day - ENIGMA machine cipher

1944 – world’s first computer, Colossus - German Lorenz machine cipher

1950s – operation Venona – breaking ciphers of soviet spies stealing secrets of the U.S. atomic bomb – one-time pad

Mary, Queen of Scots

•  Scottish Queen, a cousin of Elisabeth I of England •  Forced to flee Scotland by uprising against her and her husband •  Treated as a candidate to the throne of England by many British Catholics unhappy about a reign of Elisabeth I, a Protestant •  Imprisoned by Elisabeth for 19 years •  Involved in several plots to assassinate Elisabeth •  Put on trial for treason by a court of about 40 noblemen, including Catholics, after being implicated in the Babington Plot by her own letters sent from prison to her co-conspirators in the encrypted form

2

Mary, Queen of Scots – cont. •  cipher used for encryption was broken by codebreakers of Elisabeth I •  it was so called nomenclator – mixture of a code and a substitution cipher •  Mary was sentenced to death for treachery and executed in 1587 at the age of 44

Zimmermann Telegram •  sent on January 16, 1917 from the Foreign Secretary of the German Empire, Arthur Zimmermann, to the German ambassador in Washington •  instructed the ambassador to approach the Mexican government with a proposal for military alliance against the U.S. •  offered Mexico generous material aid to be used to reclaim a part of territories lost during the Mexican-American War of 1846-1848, specifically Texas, New Mexico, and Arizona •  sent using a telegram cable that touched British soil •  encrypted with cipher 0075, which British codebreakers had partly broken •  intercepted and decrypted

Zimmermann Telegram

•  British foreign minister passed the ciphertext, the message in German, and the English translation to the American Secretary of State, and he has shown it to the President Woodrow Wilson •  A version released to the press was that the decrypted message was stolen from the German embassy in Mexico •  After publishing in press, initially believed to be a forgery •  On February 1, Germany had resumed "unrestricted" submarine warfare, which caused many civilian deaths, including American passengers on British ships •  On March 3, 1917 and later on March 29, 1917, Arthur Zimmermann was quoted saying "I cannot deny it. It is true.” •  On April 2, 1917, President Wilson asked Congress to declare war on Germany. On April 6, 1917, Congress complied, bringing the United States into World War I.

1996 (2nd ed) 1999

Ciphers used predominantly in the given period(1)

Electromechanical machine ciphers (Complex polyalphabetic substitution ciphers)

1919

Vigenère cipher (Simple polyalphabetic substitution ciphers)

Cryptography Cryptanalysis

1586 Invention of the Vigenère Cipher

Monoalphabetic substitution cipher

Homophonic ciphers

Invention of rotor machines

XVIII c. Black chambers

1863 Kasiski’s method

1918 Index of coincidence William Friedman

Shift ciphers 100 B.C.

IX c. Frequency analysis al-Kindi, Baghdad

1926 Vernam cipher (one-time pad)

3

Ciphers used predominantly in the given period(2)

Cryptography Cryptanalysis

DES 1977

2001 AES

Triple DES

1932

1977

2001

Rejewski, Poland Reconstructing ENIGMA

1939 1949 Shennon’s theory of secret systems

Polish cryptological bombs, and perforated sheets

Publication of DES

1945 British cryptological

bombs, Bletchley Park, UK Breaking Japanese “Purple” cipher

1990 DES crackers

one-time pad Stream Ciphers

S-P networks

Substitution Ciphers (1) 1. Monalphabetic (simple) substitution cipher

M = m1 m2 m3 m4 . . . . mN C = f(m1) f(m2) f(m3) f(m4) . . . . f(mN)

Generally f is a random permutation, e.g.,

f = a b c d e f g h i j k l m n o p q r s t u v w x y z s l t a v m c e r u b q p d f k h w y g x z j n i o

Key = f

Number of keys = 26! ≈ 4 ⋅ 1026

Monalphabetic substitution ciphers Simplifications (1)

A. Caesar Cipher

ci = f(mi) = mi + 3 mod 26

No key B. Shift Cipher

ci = f(mi) = mi + k mod 26

Key = k Number of keys = 26

mi = f-1(ci) = ci - 3 mod 26

mi = f-1(ci) = ci - k mod 26

Coding characters into numbers

A ⇔ 0 B ⇔ 1 C ⇔ 2 D ⇔ 3 E ⇔ 4 F ⇔ 5 G ⇔ 6 H ⇔ 7 I ⇔ 8 J ⇔ 9 K ⇔ 10 L ⇔ 11 M ⇔ 12

N ⇔ 13 O ⇔ 14 P ⇔ 15 Q ⇔ 16 R ⇔ 17 S ⇔ 18 T ⇔ 19 U ⇔ 20 V ⇔ 21 W ⇔ 22 X ⇔ 23 Y ⇔ 24 Z ⇔ 25

Caesar Cipher: Example

Plaintext:

Ciphertext:

I C A M E I S A W I C O N Q U E R E D

8 2 0 12 4 8 18 0 22 8 2 14 13 16 20 4 17 4 3

11 5 3 15 7 11 21 3 25 11 5 17 16 19 23 7 20 7 6

L F D P H L V D Z L F R Q T X H U H G

Monalphabetic substitution ciphers Simplifications (2)

C. Affine Cipher

ci = f(mi) = k1 ⋅ mi + k2 mod 26

Key = (k1, k2) Number of keys = 12⋅26 = 312

gcd (k1, 26) = 1

mi = f-1(ci) = k1-1 ⋅ (ci - k2) mod 26

4

Most frequent single letters

Average frequency in a long English text: E — 13% T, N, R, I, O, A, S — 6%-9% D, H, L — 3.5%-4.5% C, F, P, U, M, Y, G, W, V — 1.5%-3% B, X, K, Q, J, Z — < 1%

= 0.038 = 3.8%

Average frequency in a random string of letters: 1 26

Digrams:

TH, HE, IN, ER, RE, AN, ON, EN, AT

Trigrams: THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH

Most frequent digrams, and trigrams

0

2

4

6

8

10

12

14

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Relative frequency of letters in a long English text by Stallings

7.25

1.25

3.5 4.25

12.75

3 2

3.5

7.75

0.25 0.5

3.75 2.75

7.75 7.5

2.75

0.5

8.5

6

9.25

3

1.5 1.5 0.5

2.25

0.25

0

2

4

6

8

10

12

14

a b c d e f g h i j k l m n o p q r s t u v w x y z

0

2

4

6

8

10

12

14


Character frequency in a long English plaintext

Character frequency in the corresponding ciphertext for a shift cipher

0

2

4

6

8

10

12

14



Character frequency in the corresponding ciphertext for a general monoalphabetic substitution cipher

0

2

4

6

8

10

12

14


0

2

4

6

8

10

12

14


0

2

4

6

8

10

12

14


0

2

4

6

8

10

12

14

a b c d e f g h I j k l m n o p q r s t u v w x y z

0

2

4

6

8

10

12

14

a b c d e f g h I j k l m n o p q r s t u v w x y z

Long English text T

Ciphertext of the long English text T

Short English message M

Ciphertext of the short English message M

Frequency analysis attack: relevant frequencies

5

Ciphertext: FMXVE DKAPH FERBN DKRXR SREFM ORUDS DKDVS HVUFE DKAPR KDLYE VLRHH RH

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

R - 8 D - 7 E, H, K - 5

Frequency analysis attack (1)

Step 1: Establishing the relative frequency of letters in the ciphertext

f(E) = R f(T) = D f(4) = 17 f(19) = 3


Step 2: Assuming the relative frequency of letters in the corresponding message, and deriving the corresponding equations

Assumption: Most frequent letters in the message: E and T

Corresponding equations:

E → R T → D

4 → 17 19 → 3

f(4) = 17 f(19) = 3


Step 3: Verifying the assumption for the case of affine cipher

4⋅k1 + k2 ≡ 17 (mod 26) 19⋅k1 + k2 ≡ 3 (mod 26)

15⋅k1 ≡ -14 (mod 26)

15⋅k1 ≡ 12 (mod 26)

Substitution Ciphers (2) 2. Polyalphabetic substitution cipher

M = m1 m2 … md

Key = d, f1, f2, …, fd Number of keys for a given period d = (26!)d ≈ (4 ⋅ 1026)d

md+1 md+2 … m2d m2d+1 m2d+2 … m3d

….. C = f1(m1) f2(m2) … fd(md)

f1(md+1) f2(md+2) … fd(m2d ) f1(m2d+1 ) f2( m2d+2) … fd(m3d )

….. d is a period of the cipher

0

2

4

6

8

10

12

14



Character frequency in the corresponding ciphertext for a polyalphabetic substitution cipher

0

2

4

6

8

10

12

14


1 26

⋅ 100% ≈ 3.8 %

Polyalphabetic substitution ciphers Simplifications (1)

A. Vigenère cipher: polyalphabetic shift cipher Invented in 1568

ci = fi mod d(mi) = mi + ki mod d mod 26

Key = k0, k1, … , kd-1

mi = f-1i mod d(mi) = mi - ki mod d mod 26

Number of keys for a given period d = (26)d

6

Vigenère Square

a b c d e f g h i j k l m n o p q r s t u v w x y z b c d e f g h i j k l m n o p q r s t u v w x y z a c d e f g h i j k l m n o p q r s t u v w x y z a b d e f g h i j k l m n o p q r s t u v w x y z a b c e f g h i j k l m n o p q r s t u v w x y z a b c d f g h i j k l m n o p q r s t u v w x y z a b c d e g h i j k l m n o p q r s t u v w x y z a b c d e f h i j k l m n o p q r s t u v w x y z a b c d e f g i j k l m n o p q r s t u v w x y z a b c d e f g h j k l m n o p q r s t u v w x y z a b c d e f g h i k l m n o p q r s t u v w x y z a b c d e f g h i j l m n o p q r s t u v w x y z a b c d e f g h i j k m n o p q r s t u v w x y z a b c d e f g h i j k l n o p q r s t u v w x y z a b c d e f g h i j k l m o p q r s t u v w x y z a b c d e f g h i j k l m n p q r s t u v w x y z a b c d e f g h i j k l m n o q r s t u v w x y z a b c d e f g h i j k l m n o p r s t u v w x y z a b c d e f g h i j k l m n o p q s t u v w x y z a b c d e f g h i j k l m n o p q r t u v w x y z a b c d e f g h i j k l m n o p q r s u v w x y z a b c d e f g h i j k l m n o p q r s t v w x y z a b c d e f g h i j k l m n o p q r s t u w x y z a b c d e f g h i j k l m n o p q r s t u v x y z a b c d e f g h i j k l m n o p q r s t u v w y z a b c d e f g h i j k l m n o p q r s t u v w x z a b c d e f g h i j k l m n o p q r s t u v w x y

plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z

1

2

3

Key = “nsa”

Plaintext: TO BE OR NOT TO BE

Encryption: T O B E O R N O T T O B E

Vigenère Cipher - Example

Key: NSA

G G B R G R A G T G G B R

Ciphertext: GGBRGRAGTGGBR

Determining the period of the polyalphabetic cipher Kasiski’s method

Ciphertext: G G B R G R A G T G G B R

Distance = 9

Period d is a divisor of the distance between identical blocks of the ciphertext

In our example: d = 3 or 9

Index of coincidence method (1)

ni - number of occurances of the letter i in the ciphertext

N - length of the ciphertext

pi = frequency of the letter i for a long ciphertext

i = a .. z

pi = lim ni N N→ ∞

1=∑=

z

aiip

Measure of roughness:


261

261.. 2

2

−=⎟⎠⎞

⎜⎝⎛ −= ∑∑

==

z

ai

z

ai

ppRM ii

M.R. 0.028 0.014 0.006 0.003 period 1 2 5 10


Index of coincidence

The approximation of

Definition: Probability that two random elements of the ciphertext are identical

Formula:

∑=

z

ai

pi2

∑=

=

z

ai

CI ..

ni 2

N 2

=

z

∑ i=a

(ni -1) ⋅ ni

(N -1) ⋅ N

7


Measure of roughness

M.R. = I.C. - = 1 26

z

∑ i=a

(ni -1) ⋅ ni

(N -1) ⋅ N - 1

26

M.R. 0.028 0.014 0.006 0.003 period 1 2 5 10

Polyalphabetic substitution ciphers Simplifications (2)

B. Rotor machines used before and during the WWII

Germany: Enigma d=26⋅25⋅26 = 16,900 U.S.A.: M-325, Hagelin M-209 Japan: “Purple” UK: Typex d=26⋅(26-k)⋅26, k=5, 7, 9 Poland: Lacida d=24⋅31⋅35 = 26,040

Period Country Machine

Military Enigma Functional diagram & dataflow

Enigma Daily Keys Order of rotors (Walzenlage)

6 combinations

8

Positions of rings (Ringstellung)

263 combinations

Plugboard Connections (Steckerverbindung)

~ 0.5 · 1015 combinations

Initial Positions of Rotors (Grundstellung)

263 combinations

Number of possible internal connections of Enigma

Estimated number of atoms in the universe

3 · 10114

1080

Total Number of Keys

3.6 · 1022 ≈ 275

Larger number of keys than DES.

Broken by Polish Cryptologists 1932-1940

Marian Rejewski (born 1905)

Jerzy Różycki (born 1909)

Henryk Zygalski (born 1907)

9

Jul 25-26, 1939: A secret meeting takes place in the Kabackie Woods near the town Pyry (South of Warsaw), where the Poles hand over to the French and British Intelligence Service their complete solution to the German Enigma cipher, and two replicas of the Enigma machine.

Enigma Timetable: 1939 Improvements and new methods developed by British cryptologists

1939-1945

Alan Turing (born 1912)

Gordon Welchman (born 1906)

1939-1940: Alan Turing develops an idea of the British cryptological “Bombe” based on the known-plaintext attack. Gordon Welchman develops an improvement to the Turing’s idea called “diagonal board”. Harold “Doc” Keen, engineer at British Tabulating Machines (BTM) becomes responsible for implementing British “Bombe”.

Enigma Timetable: 1939-1940

May, 1940: First British cryptological bombe developed to reconstruct daily keys goes into operation. Over 210 Bombes are used in England throughout the war. Each bombe weighed one ton, and was 6.5 feet high, 7 feet long, 2 feet wide. Machines were operated by members of the Women’s Royal Naval Service, “Wrens”.

10

Enigma Timetable: 1943

Apr, 1943: The production of the American Bombe starts in the National Cash Register Company (NCR) in Dayton, Ohio. The engineering design of the bombe comes from Joseph Desch.

Substitution Ciphers (3)

3. Running-key cipher

M = m1 m2 m3 m4 . . . . mN K = k1 k2 k3 k4 . . . . kN

C = c1 c2 c3 c4 . . . . cN

K is a fragment of a book

ci = mi + ki mod 26

mi = ci - ki mod 26

Key: book (title, edition), position in the book (page, row)

0

2

4

6

8

10

12

14



Character frequency in the corresponding ciphertext for a running-key cipher

1 26

⋅ 100% ≈ 3.8 %

0 2 4 6 8 10 12 14


Substitution Ciphers (4) 4. Polygram substitution cipher

M = m1 m2 … md - M1

Key = d, f Number of keys for a given block length d = (26d)!

md+1 md+2 … m2d - M2 m2d+1 m2d+2 … m3d - M3

….. C = c1 c2 … cd - C1

d is the length of a message block

cd+1 cd+2 … c2d - C2 c2d+1 c2d+2 … c3d - C3

…..

Ci = f(Mi) Mi = f-1(Ci)

Playfair Cipher

Key: PLAYFAIR IS A DIGRAM CIPHER

P L A Y F

I R S D G

M C H E B

K N O Q T

U V W X Z

P O L A N D A K A Y Q R

message ciphertext

1854

Convention 1 (Stallings)

Convention 2 (Handbook)

P O L A N D K A A Y R Q

message ciphertext

Hill Cipher

C[1xd] = M[1xd] · K[dxd]

(c1, c2, …, cd) = (m1, m2, …, md)

k11, k12, …, k1d kd1, kd2, …, kdd

Ciphering:

ciphertext block = message block · key matrix

1929

11

Hill Cipher

M[1xd] = C[1xd] · K-1[dxd]

K[dxd] · K-1[dxd] =

1, 0, …, 0, 0 0, 1, …, 0, 0 …………… 0, 0, …, 1, 0 0, 0, …, 0, 1

Deciphering:

where

identity matrix inverse key matrix key matrix · =

message block = ciphertext block · inverse key matrix

Hill Cipher - Known Plaintext Attack (1)

Known: C1 = (c11, c12, …, c1d) M1 = (m11, m12, …, m1d) C2 = (c21, c22, …, c2d) M2 = (m21, m22, …, m2d) …………………………………………………. Cd = (cd1, cd2, …, cdd) Md = (md1, md2, …, mdd)

We know that:

(c11, c12, …, c1d) = (m11, m12, …, m1d) · K[dxd]

(c21, c22, …, c2d) = (m21, m22, …, m2d) · K[dxd] ………………………………………………… (cd1, cd2, …, cdd) = (md1, md2, …, mdd) · K[dxd]

Hill Cipher - Known Plaintext Attack (2)

c11, c12, …, c1d m11, m12, …, m1d

c21, c22, …, c2d m21, m22, …, m2d ………………. ………………….. cd1, cd2, …, cdd md1, md2, …, mdd

k11, k12, …, k1d k21, k22, …, k2d kd1, kd2, …, kdd

=

C[dxd] = M[dxd] · K[dxd]

K[dxd] = M-1[dxd] · C[dxd]

Substitution Ciphers (5) 4. Homophonic substitution cipher

M = { A, B, C, …, Z } C = { 0, 1, 2, 3, …, 99 }

f: E → 17, 19, 27, 48, 64 A → 8, 20, 25, 49 U → 45, 68, 91 …… X → 33

ci = f(mi, random number) mi = f-1(ci)

Transposition ciphers

M = m1 m2 m3 m4 . . . . mN C = mf(1) mf(2) mf(3) mf(4) . . . . mf(N)

Letters of the plaintext are rearranged without changing them

0

2

4

6

8

10

12

14



Character frequency in the corresponding ciphertext for a transposition cipher

0

2

4

6

8

10

12

14


12

Transposition cipher Example

Plaintext: CRYPTANALYST

Key: KRIS

Encryption: K R I S C R Y P T A N A L Y S T

2 3 1 4

Ciphertext: YNSCTLRAYPAT

One-time Pad Vernam Cipher

Gilbert Vernam, AT&T Major Joseph Mauborgne

1926

ci = mi ⊕ ki

mi ki ci

01110110101001010110101 11011101110110101110110 10101011011111111000011

All bits of the key must be chosen at random and never reused

One-time Pad Equivalent version

ci = mi + ki mod 26

mi ki ci

TO BE OR NOT TO BE AX TC VI URD WM OF TL UG JZ HFW PK PJ

All letters of the key must be chosen at random and never reused

Perfect Cipher Claude Shannon

Communication Theory of Secrecy Systems, 1948

∀ m ∈ M c ∈ C

P(M=m | C=c) = P(M = m)

The cryptanalyst can guess a message with the same probability without knowing a ciphertext

as with the knowledge of the ciphertext

Is substitution cipher a perfect cipher?

C = XRZ

P(M=ADD | C=XRZ) = 0

P(M=ADD) ≠ 0

Is one-time pad a perfect cipher?

C = XRZ

P(M=ADD | C=XRZ) ≠ 0

P(M=ADD) ≠ 0

M might be equal to CAT, PET, SET, ADD, BBC, AAA, HOT, HIS, HER, BET, WAS, NOW, etc.

13

S-P Networks

S

S

S

S

. . . .

P

S

S

S

S

. . . .

P

S

S

S

S

. . . .

.

.

.

.

.

.

.

.

.

.

.

.

.

Basic operations of S-P networks

Permutation

P-box S-box

Substitution

0 0 0 1 1 1 0

0 1 1 0 0 1 0

0 0 0 1 1 1 0

1 1 0 1 1 1 0

Avalanche effect

S

S

S

S

. . . .

P

S

S

S

S

. . . .

P

S

S

S

S

. . . .

.

.

.

.

.

.

.

.

.

.

.

.

.

m1 m2 m3 m4

m5 m6 m7 m8

m9 m10 m11 m12

m61 m62 m63 m64

m1 → c1→ c1 c2 → c2 c3 c4

c5 → c5 c6 c7 → c7 c8 → c8

c9 c10 c11 → c11 c12

c61 → c61 c62 c63 c64 → c64

Shannon Product Ciphers

•  Computationally secure ciphers based on the idea of diffusion and confusion •  Confusion

relationship between plaintext and ciphertext is obscured, e.g. through the use of substitutions

•  Diffusion spreading influence of one plaintext letter to many ciphertext letters, e.g. through the use of permutations

LUCIFER

. . . .

P

. . . .

P

. . . .

.

.

.

.

.

.

.

.

.

.

.

.

.

Horst Feistel, Walt Tuchman IBM

S0 S1

k1,1

S0 S1

k2,1

S0 S1

k3,1

S0 S1

k32,1 S0

S1

k32,2 S0

S1

k32,16

S0 S1

k2,2

S0 S1

k1,2 S0

S1

k1,16

S0 S1

K2,16

S0 S1

K3,2 S0

S1

k3,16

16 rounds

m1 m2 m3 m4

m5 m6 m7 m8

m9 m10 m11 m12

m125 m126 m127 m128

c1 c2 c3 c4

c5 c6 c7 c8

c9 c10 c11 c12

c125 c126 c127 c128

LUCIFER- external look

LUCIFER

128 bits

plaintext block

128 bits

ciphertext block

key

512 bits

chapter 2, classical encryption techniques historical...

Documents