
What is cryptology?

Two essential parts:
1 Cryptography:
  • encryption of plaintext to ciphertext
  • decryption of ciphertext to plaintext
2 Cryptanalysis:
  • breaking cryptography
  • necessary when developing and analysing cryptographic systems

How can crypto systems be constructed? How can they be broken?

Examples

Pigpen cipher (early 1700s):
Spartan cipher (ca 500 BC):

Crypto systems: definition

A crypto system S can be defined as a tuple S = ⟨M, C, K, E, D⟩

M – set of plaintexts (messages)
C – set of ciphertexts (cryptograms)
K – set of keys
E – set of encryption transforms E_k : M → C
D – set of decryption transforms D_k : C → M

• For every k ∈ K there are E_k ∈ E, D_k ∈ D such that for all m ∈ M, D_k(E_k(m)) = m. (Every m can be decrypted after being encrypted.)
• For every k ∈ K and c ∈ C there is only one m ∈ M such that E_k(m) = c. (Different m can not be encrypted to same c.)

Desired properties of crypto systems

1 The algorithms E and D must be efficient and easy to use.
2 The algorithms E and D should be assumed known.
3 Without knowing k, it should be computationally infeasible to deduce
  • m from c, where c = E_k(m)
  • D_k from c even if m is known, for m = D_k(c)
  • E_k from m even if c is known, for c = E_k(m)
  • c such that E_k(m) = c for any m, unless E_k and m are known

Classification of crypto systems

1 Type of operation used, e.g.:
  • substitution
  • transposition
2 Number of keys used
  • one: symmetric, shared-key, secret-key, conventional
  • two: asymmetric, two-key, public-key
3 How the plaintext is processed
  • block cipher: one “block” (e.g. 128 bits) at a time, typically using the same key
  • stream cipher: one element (e.g. 8 bits) at a time, using a sequence/stream of keys

Cryptanalysis attacks

1 Ciphertext only: c (and E) known
  • brute force (try all keys) – impractical with large K
  • heuristic search/dictionary attack – only for non-random keys
  • statistical analysis, given type of plaintext (e.g. English)
2 Known plaintext: one or more pairs ⟨m, c⟩ known
  • e.g. login: prompt, %PDF- header of PDF files
3 Chosen plaintext: can choose which plaintext to encrypt (and adapt it to results of analysis)
4 Chosen ciphertext: useful e.g. for asymmetric crypto systems

Crypto system strength

Not by secret algorithms (“security by obscurity”) but by strength of algorithm and key. Beware of “snake oil”!

• Unconditionally secure algorithm:
  • unbreakable regardless of amount of ciphertext, time and computational resources
  • but only if used correctly!
• Computationally secure algorithm:
  • cost of breaking exceeds value of information
  • time required to break cipher exceeds the useful lifetime of info
• Principle of Adequate Protection:
  Information must be protected only until it loses its value, and to a degree consistent with its value.

Crypto system strength (cont)

Computationally secure variants:

• Empirically secure
  • has withstood the test of time – no serious weaknesses found, but no proof that there aren’t any
  • e.g. DES
• Provably secure
  • proved that breaking it is at least as hard as solving some hard problem, e.g.
    • factorising large numbers,
    • computing discrete logarithm (find x s.t. y = a^x mod p given y, a, p)
    These have no known efficient algorithms, but no proof that there aren’t any. (Quantum computing?)
  • e.g. RSA

Computational security

Speed of computation increases rapidly (cf. “Moore’s law”)!

Example: brute force average time required

Key size    1 encr/µs            10M encr/µs
32 bits     36 min               2.15 ms
56 bits     1142 years           10 hrs
128 bits    5.4 · 10^24 years    6.4 · 10^18 years

The DES algorithm (56 bit keys, standardised 1977) was broken
• in 22 hrs 15 min in Jan 1999 (using $250 000 hardware + 100 000 PC/workstations).
• in 6.4 days in March 2007 (using $10 000 hardware, 120 FPGAs)

Classical crypto systems: shift cipher

Substitute each element (letter) with the one k positions later in the alphabet (modulo size of alphabet).

E_k(m) = (m + k) mod n,
D_k(c) = (c − k) mod n
where n is size of alphabet.

Typically, interpret letters a, b, c, ..., z as numbers 0, 1, 2, ..., 25 = Z_26.

• Example: classical Cæsar cipher, k = 3:
  meet me after the toga party
  PHHW PH DIWHU WKH WRJD SDUWB
• Example: rot13, k = 13, used on Internet for possibly offensive jokes.

Exercise:
1 check that this forms a crypto system
2 write a program for encryption/decryption

Breaking shift ciphers

How can we break a shift cipher?

Use brute force: try all keys.
Feasible for simple shift cipher:
• the algorithm is known
• there are few keys
• it is (often) easy to recognize the plaintext

General substitution cipher

Instead of just shifting the alphabet, mix it: the key is the substitution, e.g.
abcdefghijklmnopqrstuvwxyz
DXVRHQKLEWFJIATMZPYCGBNOSU
and encrypting “brutus” yields “XPGCGY”.

Now: 26! different keys (> 4 · 10^26)
• brute force not feasible (≈ 6 · 10^6 years at 10^6 tests/µs)

So how can we break it?

Breaking substitution ciphers

Easy if we know the language:
• analyse the relative frequencies of letters in the ciphertext
• compare and match with standard frequencies for the language

[Figure 2.6 Relative Frequency of Letters in English Text: bar chart over the letters A to Z]

More difficult for short ciphertexts
• use digram analysis: relative frequencies of pairs of letters
• or trigrams etc.

Statistical analysis: generally useful method for recognizing plaintext.

Improving substitution ciphers

Multiliteral ciphers
• Playfair cipher: encrypt digrams to digrams
  • considered “unbreakable”, used in WWI and WWII – easily broken with a few hundred letters of ciphertext
• Hill cipher: encrypt n letters to n letters
  • difficult with ciphertext-only attack, but easy with known plaintext

Polyalphabetical ciphers
• use several different monoalphabetical substitutions

Polyalphabetical ciphers

For m = m_1, ..., m_n and k = k_1, ..., k_d,
c = E_k1(m_1), ..., E_kd(m_d), E_k1(m_d+1), ..., E_kd(m_2d), ...

Example: Vigenère cipher (ca 1553, “unbreakable” until 1850/60s)
• combine d normal shift ciphers: E_ki(m) = (m + k_i) mod n
• e.g.
  m = renaissance
  k = BANDBANDBAN
  c = SEADJSFDOCR

Breaking Vigenère: principles

The cipher can be broken because of the periodicity of the key:
• if two identical strings happen to be at the same place relative to the key, they are encrypted the same
• the distance between repetitions in the ciphertext is a clue to the length of the key
• with the key length d, break d shift ciphers using frequency analysis

Lab 1: break it!
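
Added example (not part of the original slides): the attack outlined under "Breaking shift ciphers" and "Breaking Vigenère: principles", written in Python. The sample plaintext, the frequency table and all function names are assumptions made for this illustration; a shift cipher is the special case of a one-letter key.

```python
from collections import Counter

A = ord("A")
# Approximate relative frequencies (%) of A..Z in English (assumed standard values).
ENGLISH = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
           6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]
# Constructed sample plaintext, long enough for the statistics to work.
SAMPLE = (
    "the strength of a cipher must rest on the key and not on the secrecy of the "
    "method because the method is sooner or later known to the attacker when the "
    "same short key is used again and again over a long message the repeated words "
    "of the language line up with the repeated letters of the key and the pattern "
    "shows through the ciphertext then the attacker measures the distance between "
    "the repeated groups finds the length of the key and treats every column as a "
    "simple shift cipher that letter counts will break within seconds"
)

def vigenere(text, key, sign=1):
    """Encrypt (sign=1) or decrypt (sign=-1) with d interleaved shift ciphers."""
    letters = [ord(ch) - A for ch in text.upper() if ch.isalpha()]
    return "".join(chr((m + sign * (ord(key[i % len(key)]) - A)) % 26 + A)
                   for i, m in enumerate(letters))

def key_length(c, n=3, max_d=10):
    """Distances between repeated n-grams vote for the key length d."""
    seen, votes = {}, Counter()
    for i in range(len(c) - n + 1):
        for j in seen.setdefault(c[i:i + n], []):
            votes.update(d for d in range(2, max_d + 1) if (i - j) % d == 0)
        seen[c[i:i + n]].append(i)
    # A divisor of d never scores lower than d, so keep the largest strong candidate.
    return max(d for d, v in votes.items() if v >= 0.9 * max(votes.values()))

def break_shift(column):
    """Try all 26 keys; keep the one whose decryption best matches English."""
    counts = Counter(ord(ch) - A for ch in column)
    return max(range(26), key=lambda k: sum(counts[(i + k) % 26] * p
                                            for i, p in enumerate(ENGLISH)))

def break_vigenere(c):
    """Recover the key: find d, then break each of the d columns as a shift cipher."""
    d = key_length(c)
    return "".join(chr(break_shift(c[i::d]) + A) for i in range(d))

if __name__ == "__main__":
    c = vigenere(SAMPLE, "BAND")  # key taken from the slide's example
    key = break_vigenere(c)
    print(key, vigenere(c, key, -1)[:40])
```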

Strengthen polyalphabetical ciphers

Lengthen the key, e.g. book ciphers: use a predefined part of a book as key
• more difficult to break
• still possible: the key has language structure

Remove structure of key: one-time-pad
• use a random key as long as the message
• use each key only once
• unconditionally secure: unbreakable!

Exercise: why doesn’t even brute force work on one-time-pad?

Encrypting binary data

Vernam cipher:
c_i = E_k(m_i) = m_i ⊕ k
m_i = D_k(c_i) = c_i ⊕ k
where ⊕ is bitwise exclusive-or: 1 ⊕ 0 = 0 ⊕ 1 = 1, otherwise 0.

Check: m = D_k(E_k(m)) = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m ⊕ 0 = m

Very useful for stream ciphers and one-time-pad.

Very bad if you use same key twice
• e.g. known plaintext attack (both m_1 and c_1 known):
  c_1 ⊕ m_1 = (m_1 ⊕ k) ⊕ m_1 = (m_1 ⊕ m_1) ⊕ k = k
  and if k is reused, c_2 ⊕ k = m_2.
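
Added example (not from the original slides): key reuse with the Vernam cipher, and why trying every key tells nothing about a pad that was used once. The messages, the decoy text and the function names are constructed for this illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Element-wise XOR; Vernam encryption and decryption are the same operation."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def recover_key(m1: bytes, c1: bytes) -> bytes:
    """Known plaintext: c1 XOR m1 = (m1 XOR k) XOR m1 = k."""
    return xor(c1, m1)

def key_for(c: bytes, guess: bytes) -> bytes:
    """The key under which ciphertext c decrypts to any same-length guess."""
    return xor(c, guess)

def demo():
    # Constructed sample messages of equal length and a random pad.
    m1 = b"meet me at ten"
    m2 = b"the toga party"
    k = secrets.token_bytes(len(m1))
    c1, c2 = xor(m1, k), xor(m2, k)        # the mistake: k is used twice
    reused = xor(c2, recover_key(m1, c1))  # m2 is recovered from (m1, c1) and c2
    leak_ok = xor(c1, c2) == xor(m1, m2)   # k cancels even without known plaintext
    # With a pad used once, every plaintext of this length has a matching key,
    # so trying all keys yields all messages and no way to choose between them.
    decoy = b"nothing to see"
    alt = xor(c1, key_for(c1, decoy))
    return reused, leak_ok, alt

if __name__ == "__main__":
    print(demo())
```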

