L. Brankovic, based on the text Data Security by D. Denning and lecture notes by M. Miller
These lecture notes (based on Cryptography and Data Security by D. Denning [1])
Note that in-text references and quotes are omitted for clarity of the slides. When you write an essay or report it is very important that you use both in-text references and quotes where appropriate.
MOILVGOFXTMXZFLZAEQ
Friedman (1918) observed that a large proportion of letters in the ciphertext comes from the encipherment where both key and plaintext letters fall in the high frequency category.
6 of the remaining 7 pairs have either the plaintext or the key letter belonging to the high frequency category.
To break the cipher we start with the assumption that all ciphertext letters correspond to high frequency pairs. In this way we reduce the number of initial possibilities for each pair, and then we use digram and trigram distributions to verify the initial guesses and determine the actual pairs.
Example: We consider the first three ciphertext letters in the previous example (MOI), and we examine the possible pairs for each of the three letters. For M we get:
plaintext letter:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
key letter:        M L K J I H G F E D C B A Z Y X W V U T S R Q P O N
ciphertext letter: M M M M M M M M M M M M M M M M M M M M M M M M M M
The high frequency pairs (plaintext-key) for all three letters are:
M: E-I, I-E, T-T
O: A-O, O-A, H-H
I: A-I, I-A, E-E, R-R
There are 3*3*4 = 36 possible combinations of pairs. Many of them produce highly unlikely trigrams. Some of the trigrams are shown below. The trigram THE occurring in both plaintext and key is the most likely.
plaintext:  EAA EAI ... THE THR
key:        IOI IOA ... THE THR
ciphertext: MOI MOI ... MOI MOI
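The reduction described above, as an added Python example (this is not code from the notes): it lists every plaintext/key pair that produces a given ciphertext letter, keeps only the pairs where both letters are high frequency, and then ranks the 36 candidate (plaintext trigram, key trigram) combinations for MOI. The high-frequency letter set ETAOINSHR and the trigram weight table are assumptions chosen for the illustration; the letter set reproduces the pairs the notes list for M, O and I.

```python
from itertools import product

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Assumed high-frequency letter set (the notes do not list it); it reproduces
# the pairs the notes give for M, O and I.
HIGH_FREQ = set("ETAOINSHR")

# Constructed trigram weights used only to rank candidates; not a real table.
TRIGRAM_WEIGHT = {"THE": 100, "AND": 50, "ING": 40, "HER": 35, "ERE": 30,
                  "ENT": 30, "THA": 25, "NTH": 20, "WAS": 20, "ETH": 18,
                  "FOR": 18, "DTH": 15}


def idx(ch):
    return ALPHABET.index(ch)


def letter(i):
    return ALPHABET[i % 26]


def all_pairs(c):
    """All 26 (plaintext, key) pairs with plaintext + key = c (mod 26); this is
    the three-row table in the notes for one ciphertext letter."""
    return [(p, letter(idx(c) - idx(p))) for p in ALPHABET]


def high_freq_pairs(c):
    """Friedman's reduction: keep only pairs where both letters are high frequency."""
    return [(p, k) for p, k in all_pairs(c) if p in HIGH_FREQ and k in HIGH_FREQ]


def rank_trigram_candidates(cipher_trigram):
    """Enumerate every combination of high-frequency pairs for three consecutive
    ciphertext letters and rank (plaintext trigram, key trigram) by weight."""
    per_letter = [high_freq_pairs(c) for c in cipher_trigram]
    scored = []
    for combo in product(*per_letter):
        plain = "".join(p for p, _ in combo)
        key = "".join(k for _, k in combo)
        score = TRIGRAM_WEIGHT.get(plain, 0) + TRIGRAM_WEIGHT.get(key, 0)
        scored.append((score, plain, key))
    scored.sort(key=lambda t: (-t[0], t[1], t[2]))
    return scored


if __name__ == "__main__":
    for c in "MOI":
        print(c, high_freq_pairs(c))
    for score, plain, key in rank_trigram_candidates("MOI")[:4]:
        print(score, plain, key)
```

With the assumed letter set, M yields 3 pairs, O yields 3 and I yields 4, so 36 combinations are enumerated, and THE/THE comes out on top because it scores on both the plaintext and the key side.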
Rotor machines are used to implement polyalphabetic ciphers with a long period. A rotor machine consists of a collection of cylinders that can rotate independently of each other. Each cylinder has:
- 26 input pins on its front face, one for each letter in the alphabet
- 26 output pins on its rear face.
Each input pin is wired to a unique output pin. Thus each cylinder encodes a fixed permutation of the alphabet. After encoding a character in the plaintext, a cylinder is rotated; this changes the relative position of the cylinder and its neighbours.
Rotor Machines
[Figure: a rotor machine with four cylinders C1, C2, C3, C4; input letters a b c d e f g enter the first cylinder.]
The rotor machine encryption depends on:
- the fixed permutations inside each cylinder
- the initial position of each cylinder
- the rule by which the cylinders are rotated.
Formally, if a rotor machine consists of $k$ cylinders, the fixed permutation (mapping) inside cylinder $i$ is defined by $f_i(a)$, and $j_i$ denotes the position of cylinder $i$, then the mapping of cylinder $i$ is defined by:
$F_i(a) = (f_i((a - j_i) \bmod 26) + j_i) \bmod 26$
The mapping (encipherment) of the whole rotor machine is:
After each of the plaintext characters is enciphered, one or more of the cylinders move to a new position, changing the encipherment of the Rotor machine.
A rotor machine with $k$ cylinders is capable of providing $26^k$ different encipherments; for example, if there are 4 cylinders, there are $26^4 = 456{,}976$ different encipherments.
The rotor machine Enigma, used by the Germans in World War II, was quite complex: it included a plugboard that permuted the plaintext, and a reflecting rotor that caused each rotor to encrypt each plaintext letter twice. Enigma rotated its cylinders according to the following rule:
After each plaintext character is enciphered, the first cylinder advances to the next position; after the first cylinder has reached a certain position, the second cylinder advances to its next position; after the second cylinder has made the complete rotation, the third cylinder advances to its next position, and so on.
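A Python model of a $k$-cylinder rotor machine, added here as an example (it is not code from the notes): each cylinder implements the per-cylinder mapping $F_i$ given above, and the machine steps its cylinders in the odometer style just described. Assumptions: the cylinders are applied in order 1 to $k$ and undone in reverse order for deciphering (the notes do not give the whole-machine formula); a cylinder advances its neighbour when it wraps from position 25 back to 0, which is how the "certain position" is modelled here; the wirings are constructed from a seeded random permutation; Enigma's plugboard and reflector are not modelled.

```python
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


class Cylinder:
    """One cylinder: a fixed permutation f_i of 0..25 and a current position j_i."""

    def __init__(self, wiring, position=0):
        if sorted(wiring) != list(range(26)):
            raise ValueError("wiring must be a permutation of 0..25")
        self.f = list(wiring)
        self.f_inv = [0] * 26
        for a, b in enumerate(wiring):
            self.f_inv[b] = a
        self.j = position % 26

    def forward(self, a):
        # F_i(a) = (f_i((a - j_i) mod 26) + j_i) mod 26, the mapping from the notes
        return (self.f[(a - self.j) % 26] + self.j) % 26

    def backward(self, b):
        # inverse of F_i, needed to decipher
        return (self.f_inv[(b - self.j) % 26] + self.j) % 26


class RotorMachine:
    def __init__(self, cylinders):
        self.cylinders = list(cylinders)

    def positions(self):
        return tuple(c.j for c in self.cylinders)

    def step(self):
        # Odometer stepping (assumption: a cylinder advances its neighbour when
        # it wraps from 25 back to 0). Cylinder 1 moves on every character.
        for c in self.cylinders:
            c.j = (c.j + 1) % 26
            if c.j != 0:
                break

    def map_letter(self, a, decrypt=False):
        # Assumption: the whole-machine mapping is F_k(...F_2(F_1(a))) and
        # deciphering applies the inverses in reverse order.
        if decrypt:
            for c in reversed(self.cylinders):
                a = c.backward(a)
        else:
            for c in self.cylinders:
                a = c.forward(a)
        return a

    def process(self, text, decrypt=False):
        out = []
        for ch in text:
            out.append(ALPHABET[self.map_letter(ALPHABET.index(ch), decrypt)])
            self.step()  # cylinders move after each character is processed
        return "".join(out)


def make_machine(seed=1, positions=(0, 0, 0, 0)):
    """Constructed wirings: a seeded random permutation per cylinder."""
    rng = random.Random(seed)
    cylinders = []
    for j in positions:
        wiring = list(range(26))
        rng.shuffle(wiring)
        cylinders.append(Cylinder(wiring, j))
    return RotorMachine(cylinders)


def encipher(text, seed=1, positions=(0, 0, 0, 0)):
    return make_machine(seed, positions).process(text)


def decipher(text, seed=1, positions=(0, 0, 0, 0)):
    return make_machine(seed, positions).process(text, decrypt=True)


if __name__ == "__main__":
    c = encipher("ATTACKATDAWN")   # constructed plaintext
    print(c, decipher(c))
```

Deciphering needs the same wirings and the same initial positions; with four cylinders the stepping rule walks through all $26^4$ position tuples before the encipherment repeats.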
Enigma was broken during World War II by the Allies, first by Polish cryptographers. The Germans kept modifying Enigma as the war progressed, and the British kept breaking the new versions. A contributing factor to this successful cryptanalysis was the fact that the Germans reused the code-books (keys) and had very stereotyped military messages, often starting with the same phrase.
One-Time Pads
Consider a substitution cipher whose key is a random sequence of characters as long as the message. Such a cipher is called a one-time pad, and it achieves perfect secrecy (recall that perfect secrecy is achieved when the ciphertext provides no information about the plaintext: any ciphertext can be obtained from any plaintext using some key). The computer implementation of the one-time pad is based on a cryptographic device for telegraphic communications; the device was designed in 1917 by Gilbert Vernam, an employee of the American Telephone and Telegraph Company (A.T. & T.).
The code used was the Baudot code with 32 characters, where each character was represented as a combination of 5 marks and spaces, corresponding to bits 1 and 0. A key was a nonrepeating random sequence of characters, also represented as marks and spaces (1s and 0s); the key was punched on a paper tape, and each key-tape was meant to be used more than once. This cipher is known as the Vernam cipher, and it generates a ciphertext bit stream $C = E_K(M) = c_1 c_2 \ldots$ where $c_i = (m_i + k_i) \bmod 2$, $i = 1, 2, \ldots$
The Vernam cipher is efficiently implemented on modern computers by taking the exclusive-or of each plaintext/key bit pair: $c_i = m_i \oplus k_i$. Deciphering is performed with the same operation: $m_i = c_i \oplus k_i$. (To verify this, recall that $x \oplus x = 0$ and $x \oplus 0 = x$ for $x = 0$ or $1$; thus $c_i \oplus k_i = m_i \oplus k_i \oplus k_i = m_i \oplus 0 = m_i$.)
If a key-tape is used more than once, the cipher is breakable, as it is equivalent to a running-key cipher. To see why, suppose that two plaintext streams $M$ and $M'$ are enciphered with the same key stream $K$, giving ciphertext streams $C$ and $C'$. Then $c_i = m_i \oplus k_i$ and $c'_i = m'_i \oplus k_i$, for $i = 1, 2, \ldots$
Let $C''$ be the stream obtained by taking the exclusive-or of $C$ and $C'$; then $c''_i = c_i \oplus c'_i = m_i \oplus k_i \oplus m'_i \oplus k_i = m_i \oplus m'_i$. Thus $C''$ corresponds to the encipherment of $M$ under key $M'$, which is equivalent to a running-key cipher.
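The Vernam operation and the key-reuse argument above, as an added Python example (not code from the notes): encryption and decryption are the same XOR, and XORing two ciphertexts produced under the same key stream leaves $M \oplus M'$ with the key cancelled out. The two messages are constructed and of equal length; the key stream is drawn fresh from `os.urandom`.

```python
import os


def xor_bytes(a, b):
    """Vernam operation applied bytewise: c_i = m_i XOR k_i for every bit."""
    if len(a) != len(b):
        raise ValueError("key stream must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def vernam_bits(m_bits, k_bits):
    """Bit-level form from the notes: c_i = (m_i + k_i) mod 2, identical to XOR."""
    return [(m + k) % 2 for m, k in zip(m_bits, k_bits)]


def vernam_encrypt(message, key):
    return xor_bytes(message, key)


def vernam_decrypt(ciphertext, key):
    return xor_bytes(ciphertext, key)  # same operation, since k XOR k = 0


def key_reuse_residue(c1, c2):
    """C'' = C XOR C' = M XOR M': the shared key stream cancels out entirely."""
    return xor_bytes(c1, c2)


def demo(key=None):
    # Constructed messages of equal length; the key is a fresh random key stream.
    m1 = b"ATTACK AT DAWN"
    m2 = b"RETREAT NOW!!!"
    key = key or os.urandom(len(m1))
    c1 = vernam_encrypt(m1, key)
    c2 = vernam_encrypt(m2, key)  # the key-tape used a second time
    return {
        "roundtrip_ok": vernam_decrypt(c1, key) == m1,
        "key_cancels": key_reuse_residue(c1, c2) == xor_bytes(m1, m2),
    }


if __name__ == "__main__":
    print(demo())
```

Whatever random key is drawn, `key_cancels` is true: the residue $C \oplus C'$ depends only on the two plaintexts, which is exactly why the key stream must never be reused.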
Army cryptologist Major Joseph Mauborgne suggested that each key-tape be used only once, and the one-time pad was born.
Playfair Ciphers
The key for the Playfair cipher is given by a $5 \times 5$ matrix of 25 letters (J is not used). For example,
H I E M V
A C F N W
R O G Q X
P D K T Y
S B L U Z
- If m1 and m2 are in the same row, then c1 and c2 are the two characters to the right of m1 and m2, respectively (the first column is considered to be to the right of the last column).
- If m1 and m2 are in the same column, then c1 and c2 are the two characters below m1 and m2, respectively (the first row is considered to be below the last row).
- If m1 and m2 are in different rows and columns, then c1 and c2 are the other two corners of the rectangle having m1 and m2 as corners, where c1 is in m1's row and c2 is in m2's row.
- If m1 = m2, a null letter (for example, X) is inserted into the plaintext between m1 and m2 to eliminate the double.
- If the plaintext has an odd number of characters, a null letter is appended to the end of the plaintext.
Example: Let the key be
H I E M V
A C F N W
R O G Q X
P D K T Y
S B L U Z
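Playfair encryption and decryption with the key square above, as an added Python example that is not part of the notes. It applies the five rules from the previous slide: J is merged into I, X is the null letter, and decryption shifts left/up instead of right/down. The plaintexts used to exercise it are constructed.

```python
KEY_SQUARE = ["HIEMV", "ACFNW", "ROGQX", "PDKTY", "SBLUZ"]  # the key from the notes

# letter -> (row, column) lookup for the key square
POS = {ch: (r, c) for r, row in enumerate(KEY_SQUARE) for c, ch in enumerate(row)}


def _prepare(plaintext, null="X"):
    """Split the plaintext into digraphs, inserting the null letter between
    doubles and appending it when the length is odd."""
    letters = [ch for ch in plaintext.upper().replace("J", "I") if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None:            # odd length: pad with the null letter
            pairs.append((a, null))
            i += 1
        elif a == b:             # double: put the null letter between them
            pairs.append((a, null))
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs


def _transform(pair, shift):
    """shift=+1 encrypts (right/below), shift=-1 decrypts (left/above)."""
    (r1, c1), (r2, c2) = POS[pair[0]], POS[pair[1]]
    if r1 == r2:                 # same row: move along the row, wrapping around
        return KEY_SQUARE[r1][(c1 + shift) % 5] + KEY_SQUARE[r2][(c2 + shift) % 5]
    if c1 == c2:                 # same column: move along the column, wrapping around
        return KEY_SQUARE[(r1 + shift) % 5][c1] + KEY_SQUARE[(r2 + shift) % 5][c2]
    # rectangle rule: other two corners, each staying in its own row
    return KEY_SQUARE[r1][c2] + KEY_SQUARE[r2][c1]


def playfair_encrypt(plaintext):
    return "".join(_transform(p, +1) for p in _prepare(plaintext))


def playfair_decrypt(ciphertext):
    pairs = [(ciphertext[i], ciphertext[i + 1]) for i in range(0, len(ciphertext), 2)]
    return "".join(_transform(p, -1) for p in pairs)


if __name__ == "__main__":
    c = playfair_encrypt("HELLO")   # constructed plaintext
    print(c, playfair_decrypt(c))
```

Decryption returns the padded plaintext (HELXLO for HELLO); removing the null letters is left to the reader, since the cipher itself cannot tell a padding X from a genuine one.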
Stream ciphers convert plaintext into ciphertext one bit (or one byte) at a time; within the same plaintext message, the same plaintext bit (or byte) is encrypted with a different key every time it appears (in periodic ciphers the key eventually repeats). Examples: Vigenere, Vernam, rotor machine.
Block ciphers convert plaintext into ciphertext one block (typically 64 or 128 bits) at a time; within the same plaintext message, the same block is encrypted with the same key every time it appears (and thus to the same ciphertext). Examples: Playfair, transposition with period d, monoalphabetic substitution (block size 1).
Advantage: block ciphers can reuse keys, and provide both confusion and diffusion.
Stream Ciphers
In a typical stream cipher, a stream of plaintext bits is XORed with a stream of key bits to produce the stream of ciphertext bits: $c_i = p_i \oplus k_i$
To decrypt, the ciphertext bits are XORed with the identical stream of key bits to produce the plaintext: $c_i \oplus k_i = p_i \oplus k_i \oplus k_i = p_i$
[Figure: stream cipher encryption and decryption. Encryption: plaintext $P_i$ XORed with key stream $K_i$ gives ciphertext $C_i$; decryption: $C_i$ XORed with the same key stream $K_i$ gives back $P_i$.]
If the key stream is non-repeating and random, this is a one-time pad and it is perfectly secure. In practice, the one-time pad is rarely used because of the need for secure exchange of long keys. Keys used in practice look random, but are deterministically generated and can be reproduced at the decryption end. Stream ciphers differ in the way the key stream is generated and fall into 2 categories: self-synchronizing and synchronous.
[Figure: encryption of plaintext $P_i$ into ciphertext $C_i$ and decryption back to $P_i$.]
The output function takes as its input the internal state, and generates the key as its output.
The output function must be cryptographically strong; otherwise Bad Barry can intercept the ciphertext stream, generate the key stream and obtain the plaintext.
Requirements on the key stream:
1. Approximately equal numbers of 0s and 1s for a bit stream; approximately equal numbers of all 256 possible byte values for a byte stream.
2. The period of the key stream should be as long as possible.
3. The input key passed to the Pseudo Random Number Generator (PRNG) should be sufficiently long, at least 128 bits.
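A toy synchronous stream cipher, added here as a Python example (not from the notes), to make the internal state / output function split and requirements 1 and 2 concrete. The internal state is a 16-bit register, the next-state function is a Fibonacci LFSR with taps 16, 14, 13 and 11 (a maximal-length feedback polynomial, so every non-zero seed gives period 65535), and the output function emits the low bit of the state. Two helpers measure the key-stream period and the 0/1 balance. The seed 0xACE1 and the message are constructed. Caveat: this generator meets the statistical requirements but not the strength requirement from the previous slide: a bare LFSR's output function is linear, and the entire state of a linear generator can be reconstructed from a short run of key stream (the Berlekamp-Massey algorithm needs only 2n output bits), so a real design places a non-linear output function between the state and the key stream.

```python
class ToyStreamCipher:
    """Synchronous stream cipher: 16-bit internal state, LFSR next-state
    function (taps 16,14,13,11), output function = low bit of the state."""

    def __init__(self, seed):
        if not 0 < seed < 1 << 16:
            raise ValueError("seed must be a non-zero 16-bit value")
        self.state = seed

    def next_bit(self):
        s = self.state
        out = s & 1                                        # output function
        feedback = ((s >> 0) ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
        self.state = (s >> 1) | (feedback << 15)           # next-state function
        return out

    def key_byte(self):
        b = 0
        for _ in range(8):
            b = (b << 1) | self.next_bit()
        return b

    def crypt(self, data):
        """Same operation encrypts and decrypts: c_i = p_i XOR k_i."""
        return bytes(x ^ self.key_byte() for x in data)


def keystream_period(seed):
    """Requirement 2: count steps until the internal state returns to the seed."""
    g = ToyStreamCipher(seed)
    n = 0
    while True:
        g.next_bit()
        n += 1
        if g.state == seed:
            return n


def bit_balance(seed, n):
    """Requirement 1: (ones, zeros) over the first n key-stream bits."""
    g = ToyStreamCipher(seed)
    ones = sum(g.next_bit() for _ in range(n))
    return ones, n - ones


if __name__ == "__main__":
    seed = 0xACE1                               # constructed seed
    msg = b"constructed message"
    c = ToyStreamCipher(seed).crypt(msg)
    print(c.hex(), ToyStreamCipher(seed).crypt(c))
    print(keystream_period(seed), bit_balance(seed, 65535))
```

Over one full period the register visits every non-zero 16-bit state exactly once, so the key stream contains 32768 ones and 32767 zeros: balanced, with the longest period a 16-bit linear state allows, and still not cryptographically strong.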
Block Ciphers
Recall that a block cipher takes as input an n-bit block of plaintext and produces an n-bit block of ciphertext.
In order to enable decryption, for a given key each plaintext block must encrypt into a unique ciphertext block. Such a mapping is called reversible (one-to-one).
Be careful not to confuse this with the discussions about perfect secrecy where any ciphertext can come from any plaintext, but for different keys.
Block Cipher
Example:
Reversible mapping:
Plaintext  Ciphertext
00         11
01         10
10         00
11         01

Irreversible mapping:
Plaintext  Ciphertext
00         11
01         10
10         01
11         01
The mapping between plaintext and ciphertext blocks should be arbitrary (equivalent to a general monoalphabetic cipher). Note that here the statistical properties of the plaintext are not preserved in the ciphertext, provided that the block size is large enough.
How about the block size? If it is small, this reduces to a monoalphabetic substitution cipher, which is not secure.
If it is very large, and mapping is arbitrary, the system is very secure, but implementation is not feasible.
If, on the other hand, mapping is not arbitrary but given with a system of equations, the implementation is easy but the system is not secure.
Roughly speaking, confusion obscures the local structure of the plaintext, while the diffusion obscures the global structure.
Each round has the same structure but uses a different subkey; the subkeys K1, K2, K3, ..., Kn are derived from K and are different from each other. Each round first applies a round function F to the right half of the data and takes the XOR of the result and the left half of the data. Then the two halves are interchanged.
Feistel Cipher
The parameters of the Feistel cipher:
- Block size: the larger the block size, the greater the security but the slower the encryption/decryption; the typical block size is 64 bits (the new encryption standard AES uses 128-bit blocks).
- Key size: the larger the key size, the greater the security but the slower the encryption/decryption; 64 bits is now considered insufficient, and 128 bits is a common key size.
- Number of rounds: typically 16.
- Subkey generation algorithm: the more complex the algorithm, the harder the cipher is to break, but also the harder it is to analyse and discover weaknesses.
- Round function: the more complex the function, the harder the cipher is to break, but also the harder it is to analyse and discover weaknesses.
Feistel Decryption
Feistel decryption is essentially the same as encryption, the only difference being that the subkeys are used in reverse order.
We shall illustrate this by showing that $LD_1 = RE_{15}$ and $RD_1 = LE_{15}$. At the end of the encryption we have:
$LE_{16} = RE_{15}$
$RE_{16} = LE_{15} \oplus F(RE_{15}, K_{16})$
At the beginning of decryption we have:
$LD_1 = RD_0 = LE_{16} = RE_{15}$
$RD_1 = LD_0 \oplus F(RD_0, K_{16}) = RE_{16} \oplus F(RE_{15}, K_{16}) = (LE_{15} \oplus F(RE_{15}, K_{16})) \oplus F(RE_{15}, K_{16}) = LE_{15}$
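A generic Feistel network, added here as a Python example (not code from the notes), serving two earlier points: the reversibility requirement for block mappings, and the claim that decryption is encryption with the subkeys reversed. The round function and the subkey schedule are toys built from SHA-256 (an assumption; they are not any real cipher's F or key schedule), and the round function is deliberately not invertible to show that a Feistel structure is a reversible mapping regardless of F. The ciphertext is the halves after round n with the final swap applied, matching the notes' convention that decryption starts from $LD_0 = RE_{16}$, $RD_0 = LE_{16}$; an optional trace records $(L_i, R_i)$ per round so the identities $LD_1 = RE_{15}$ and $RD_1 = LE_{15}$ can be checked. The key and plaintext block are constructed.

```python
import hashlib


def round_function(right, subkey, half_bits):
    """Toy round function F(R, K): keyed hash truncated to the half-block width.
    Deliberately not invertible; Feistel decryption never needs F^{-1}."""
    data = right.to_bytes((half_bits + 7) // 8, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << half_bits) - 1)


def subkeys(key, rounds=16):
    """Toy subkey schedule (assumption): K_i = first 32 bits of SHA-256(K || i)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, rounds + 1)]


def feistel_rounds(left, right, ks, half_bits, trace=None):
    """L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)  for each subkey K_i."""
    for i, k in enumerate(ks, 1):
        left, right = right, left ^ round_function(right, k, half_bits)
        if trace is not None:
            trace.append((i, left, right))      # (round, L_i, R_i)
    return left, right


def feistel_block(block, ks, half_bits=32, trace=None):
    """Run the rounds over a 2*half_bits block, then the final swap (R_n || L_n)."""
    mask = (1 << half_bits) - 1
    left, right = block >> half_bits, block & mask
    left, right = feistel_rounds(left, right, ks, half_bits, trace)
    return (right << half_bits) | left


def encrypt(block, key, half_bits=32, rounds=16, trace=None):
    return feistel_block(block, subkeys(key, rounds), half_bits, trace)


def decrypt(block, key, half_bits=32, rounds=16, trace=None):
    # Same routine, subkeys in reverse order: K_n first, K_1 last.
    return feistel_block(block, subkeys(key, rounds)[::-1], half_bits, trace)


def is_reversible(mapping, block_bits):
    """Exhaustively check that a block mapping is one-to-one (small blocks only)."""
    return len({mapping(x) for x in range(1 << block_bits)}) == 1 << block_bits


if __name__ == "__main__":
    key = b"constructed key"
    m = 0x0123456789ABCDEF                       # constructed 64-bit block
    enc_trace, dec_trace = [], []
    c = encrypt(m, key, trace=enc_trace)
    print(hex(c), hex(decrypt(c, key, trace=dec_trace)))
    print("LD1 == RE15:", dec_trace[0][1] == enc_trace[14][2])
    print("RD1 == LE15:", dec_trace[0][2] == enc_trace[14][1])
```

With an 8-bit block (two 4-bit halves) all 256 inputs can be enumerated, which confirms the Feistel mapping is one-to-one even though F itself throws information away; the two 2-bit tables from the earlier slide can be fed to the same check.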
References
1. D. Denning. Cryptography and Data Security, Addison Wesley, 1982.
2. W. Stallings. Cryptography and Network Security, 6th Edition, Pearson Education, 2014.