The Web Cryptology Game CODEBREAKERS.EU edition 2015

Transcription

1 Lecture 5 in which we return to the dream about le chiffre indechiffrable. We will see this dream come true and next we will try, step by step, to break this unbreakable cipher. As you might remember, the method of breaking monoalphabetic ciphers was developed before IX century BC. Since that time cryptologists have been aware that vulnerability to character frequency analysis has been a weak point of this type of ciphers. We can only assume that to find a way of eliminating that vulnerability has been the objective of quite a number of cryptologists. Preserving the structure of the letter frequency has been the Achilles heel of the monoalphabetic cipher, so it seemed natural to ask - how could we mask the natural frequencies of characters? Finding the right answer to that question has taken a few centuries. EVERYTHING IS A CODE In 1586 a book, titled Traicté des Chiffres, by Blaise de Vigenère was published. The work contained, among others, the sentence everything in this world is a code, which is music to the ears of every cryptographer. In his book, Vigenère described the systems of encrypting information available and known in his times, and presented a few interesting new ideas. Quite paradoxically, nowadays cryptographers use the term Vigenère tableau (also called Vigenère table or Vigenère square ) in reference to something representing a simplification of his actual ideas. Since the Vigenère table is currently a standard example of using polyalphabetic ciphers, we need to familiarize ourselves with it. Let us construct a cipher alphabet table in which every successive line is shifted by one position in relation to the preceding line, as presented below. Traicté des Chiffres Blaise de Vigenère

2 Of course, the lines of Vigenère table might also be constructed by means of cipher alphabets in which particular characters are not arranged in alphabetical order. In particular, it is possible to construct a cipher alphabet table based on a keyword. It is important to shift the lines of the table by one position and as a result of the operation a different cipher alphabet is obtained. It is relatively easy to use the table. Let us assume that we are using the keyword VIGENR (formed out of the Renaissance cryptographer s surname) and the plaintext BLAISE (equivalent of the cryptographer s first name). Let us take the first character of the plaintext and the first character of the key: B and V. We choose the line starting with the letter V and find the cipher text counterpart of the letter B, its counterpart is the letter W. Then, we take the next character of the plaintext, the letter L, and another character of the key, the letter I. We find the counterpart of the letter L in the line of the table starting with the letter I, that is the letter T. We proceed in this manner until we run out of the keyword letters. Then, we return to the letter V and continue encrypting. As a result, we obtain the cryptogram WTGMFV. Blaise de Vigenère Traicté des Chiffres Blaise de Vigenère Using various cipher alphabets during the encryption process of the same plaintext must lead to obscuring the statistical properties of the plaintext and the code message and, among others, to making the structure of the frequency analysis diagram more even than in the monoalphabetic cipher. Let us check how these assumptions work in practice by encoding the following plaintext by means of the VIGENR keyword:

3 SAMPLE PLAINTEXT IN ENGLISH USED TO DEMONSTRATE THE CHARACTERISTIC FEATURES OF THE POLYALPHABETIC CIPHER ACCORDING TO THE VIGENER SYSTEM THE EXPECTED OUTCOME OF USING THE VIGENER CIPHER IS DISTORTING CHARACTER FREQUENCY IN RELATION TO THE MONOALPHABETIC SUBSTITUTION CIPHER We obtain the following ciphertext: NISTYVKTGMAKZFZMAVIORMFYPAKHGFYMSSAJOZGXRKCMILNIVKZIEZNBOGSVVBAVRJJNZ LRGJTEEYGCIHIGZXKOTUVMIIGBIYQTKGFOPKZVXZVKVFPNBKQGYZMDTRTOMJSHKXWSIBW PAORTKCMBMTVIMXGVGCMXMFUDAXYCKDVMGURMIIXRIAZKUHVIKEMAIZTGXVFIBUXUVHWT SNCKPGFRKDKYYOJOQZYGZJVIMCYZZ COULD IT BE INDECHIFFERREABLE? The statistical structure of the ciphertext has been considerably deformed in comparison to that of a monoalphabetic cipher. The frequency structure is more even and does not permit an easy identification of the characteristic peaks and valleys in the frequency chart. If we use a longer keyword, the frequency structure would be even more discouraging, reaching in the extreme cases almost uniform frequency distribution. The Vigenère cipher quite understandably gained the laurel of being dubbed le chiffre indechiffrable. His formula obviously resisted the attack based on the frequency analysis, and it was the only method of attack known at the time.and a following frequency diagram of the ciphertext. EARLY ATTACKS The Vigenère cipher remained secure for almost 300 years. The first scratch on its surface was made by a retired German officer, Friedrich Kasiski, born in Człuchów (nowadays located in Poland). Kasiski discovered the method of determining the key length. Knowing the key length the codebreaker could divide the cryptogram into groups of letters enciphered with the same cipher alphabet. Assuming, for instance, that the key was 5 letters long, the codebreaker took the first,

4 sixth, eleventh letter and so on to form the first group; then the second, seventh, twelveth letter and so on to form the second group, until he grouped all of the letters of the ciphertext into as many groups as the number of the letters in the keyword. Each group was transformed using a different cipher alphabet, but each and every character within the group was ciphered with exactly the same unknown cipher alphabet, which in turn allowed the codebreaker to apply the classic character frequency attack to each group individually. Kasiski s method was efficient only under specific circumstances, however, we will not discuss his method in detail here. In 1883, one of the most important works in the history of cryptology,a book written by a French scientist of Flemish origin, Auguste Kerckhoffs, titled La Criptographie Militaire, was published. In the book, Kerckhoffs Auguste Kerckhoffs presented two techniques of attacks on ciphers: the method of position symmetry and the method of superimposition. In this lecture we shall apply the position symmetry attack, accompanied by one of the most commonly used methods of attacking ciphers, the attack with a known or probable plaintext. BREAKING INTO THE POLYALPHABETIC CIPHER Before we start, it is worth recalling the initial fragment of the Vigenère table: The cipher alphabets in the successive lines of the table are created by shifting the characters by one position in relation to the previous line. Naturally, not all polyalphabetic systems were based on the Vigenère table consisting of regular alphabets. Alphabets with the distorted structure, e.g. generated on the basis of a keyword, were employed equally often. An example of such an alphabet has been provided below: A B C D E A B C D E F G H I J K L M N O P Q R S T U V W X Y Z B C D E F G H I J K L M N O P Q R S T U V W X Y Z A C D E F G H I J K L M N O P Q R S T U V W X Y Z A B D E F G H I J K L M N O P Q R S T U V W X Y Z A B C E F G H I J K L M N O P Q R S T U V W X Y Z A B C D Vigenère tableau The cipher alphabets in the successive lines of the table are created by shifting the characters by one position in relation to the previous line. Naturally, not all polyalphabetic systems were based on the Vigenère table consisting of regular alphabets. Alphabets with the distorted structure, e.g.

5 generated on the basis of a keyword, were employed equally often. An example of such an alphabet has been provided below: K E Y W O R D K E Y W O R D A B C F G H I J L M N P Q S T U V X Z E Y W O R D A B C F G H I J L M N P Q S T U V X Z K Y W O R D A B C F G H I J L M N P Q S T U V X Z K E W O R D A B C F G H I J L M N P Q S T U V X Z K E Y O R D A B C F G H I J L M N P Q S T U V X Z K E Y W R D A B C F G H I J L M N P Q S T U V X Z K E Y W O D A B C F G H I J L M N P Q S T U V X Z K E Y W O R Vigenère tableau Irrespective of whether the ciphering alphabets have regular or distorted structures, one can note a particular feature of the table created by shifting the ciphering alphabets: each diagonal from the top right to the bottom left corner is composed of the same letters. Kerckhoffs s position symmetry attack is based right on that observation. To illustrate principle of that attack let us look at the example Kerckhoffs provided in his book. Please ignore the fact that the plaintext of the analyzed message is in French - this is of no importance to the method itself. Kerckhoffs analysed the following cryptogram: RBNBJ JHGTS PTABG JXZBG JICEM QAMUW IVGAG NEIMW REZKZ SUABR RBPBJ CGYBG JJMHE NPMUZ CHGWO UDCKO JKKBC PVPMJ NPGKW PWADW CPBVM RBZBH JWZDN MEUAO JFBMN KEXHZ AWMWK AQMTG LVGHC QBMWE The ciphertext is divided into groups of 5 words. This allows us to conclude that Kerckhoffs either assumed or knew the length of the keyword: five characters (had he not known the length of the keyword, he could have determined it using Kasiski's method). Knowing the events that the ciphertext referred to Kerckhoffs assumed that the text of the initial phrase of the ciphertext was as follows: le general wolseley telegraphie (General Wolseley telegraphs). Let us enter the probable phrase under the corresponding letters of the ciphertext: RBNBJ JHGTS PTABG JXZBG JICEM QAM legen eralw olsel eytel egrap hie

6 Let us create a table in which the columns correspond to the successive characters of the plaintext, and whose lines contain the five ciphering alphabets corresponding to the five characters of the keyword. We will enter the ciphertext characters into the lines corresponding to the position where they occurred and into columns corresponding to their equivalents in the probable text. For example, the third character of the ciphertext is N, which corresponds to the letter g of the plaintext. Therefore, we enter the character N into the third line of the table, into the column marked with the letter g. Having analyzed the first five characters of the ciphertext, we then return to the first alphabet, and enter the letter J (of the ciphertext) into the first line under the letter e of the plaintext. We repeat the described process for all the characters of the probable plaintext. We need to remember that the ciphertext counterparts should be entered into the appropriate lines of the table (i.e. lines with numbers corresponding to the numbers of the characters of the currently analyzed five-letter word). 1 J Q R P 2 B I A T H X 3 G M N C A Z 4 E B T 5 Z G J M S Just one look at the obtained table allows us to conclude that its second and fourth line is identical (this means that the second and fourth letter in the keyword are the same). Let us also note that (this is exactly where the position symmetry principle comes into play) the letter J can be found both in the first and fifth line, shifted by nine positions this means that the whole fifth line was shifted by 9 positions in relation to the first line. In order to ensure that the line of reasoning is clear, let us, for now, complete the table only with the conclusions resulting from the observations above: 1 G J M Q R S P Z 2 E B I A T H X 3 G M N C A Z 4 E B I A T H X 5 Z G J M Q R S P

7 However, also the third and fifth line are connected (by the letter M, with a shift by 11 positions), similarly as the second and third line (by the letter A, also with a shift by 11 positions). By completing the table with the conclusions from the successive relations between the lines, we get the following results: 1 G H J M Q N X R E S P B I C A Z T 2 E S P B I C A Z T G H J M Q N X R 3 G H J M Q N X R E S P B I C A Z T 4 E S P B I C A Z T G H J M Q N X R 5 I C A Z T G H J M Q N X R E S P B Auguste Kerckhoffs, La Criptographie Militaire We have 17 out of 26 ciphering alphabet characters at our disposal, and we can partially decode the cipher text. As a result, we obtain the following text (the unknown letters have been marked with asterisks): legen eralw olsel eytel egrap hie** s*ail iaqu* latte n*seu lemen tq*el eserv ice*e tra** **r** e**ec ommun From here, we can go in one of the two directions. We recommend the first method to those who know French: try and complete the missing fragments of the plaintext. Even the elementary knowledge of French allows us to recognize the phrase attend seulement que (is only waiting for) in the second line. Having obtained new characters of the probable text, we then return to completing the table of the ciphering alphabets, and apply the position symmetry method again. If the result is not sufficient to enable us to read the whole ciphertext, we keep repeating both stages of the process until we succeed.

8 The other of the two possible directions is based on analysis of the table itself. Let us look at the fragments we have underlined once again. 1 G H J M Q N X R E S P B I C A Z T 2 E S P B I C A Z T G H J M Q N X R 3 G H J M Q N X R E S P B I C A Z T 4 E S P B I C A Z T G H J M Q N X R 5 I C A Z T G H J M Q N X R E S P B It seems obvious that the basic ciphering alphabet has been generated by the keyword RESPUBLICA. After making this observation, completing the table of the ciphering alphabets and the final decoding of the intercepted message seem trivial. BUT HOW TO GUESS THE PROBABLE TEXT? The position symmetry proves to be a highly efficient attack method provided that we know or can easily guess a substantial part of the plaintext. Normally the codebreaker starts with a less ambitious assumption than the one demonstrated by Kerckhoffs. In the example presented below he assumed initially that the probable phrase is Le general. The application of the position symmetry method revealed next two letters e : Being familiar with the surnames of the enemy s generals allowed Kerckhoffs to make an assumption that the name in question was Wolseley, and this (again through applying the position symmetry method) led to revealing further letters e, l, e and e:

9 The word telegraphie may not be as straightforward as the surname of one of the general, but the fact that we know we are dealing with transferring of secret information makes the word easy to decipher. The example above demonstrates how a cryptologist, with the help of his intuition, can break into a cipher of which he has little data. LENGTH OF THE KEYWORD Kerckhoffs could have determined the length of the keyword by means of Kasiski's method. Had he lived a couple of years longer, he could have used the so-called index of coincidence, which was invented in about 1920 by an American cryptologist, William Friedman. Attention! The calculator of this index can be found in the team panel, in the tools section, the highest calculation results indicate a probable number of keyword letters. GOOD LUCK! The Codebreakers.eu Team