Historical Ciphers. ECE Lecture 6. Why (not) to study historical ciphers? Required Reading. Secret Writing. Mary, Queen of Scots

Transcription

1 ECE - Lecture Required Reading W tallings, Cryptography and Network ecurity, Historical Ciphers Chapter, Classical Encryption Techniques A Menezes et al, Handbook of Applied Cryptography, Chapter 73 Classical ciphers and historical development Why (not) to study historical ciphers? ecret Writing AGAINT Not similar to modern ciphers Long abandoned FOR Basic components became a part of modern ciphers Under special circumstances modern ciphers can be reduced to historical ciphers Influence on world events The only ciphers you can break! teganography (hidden messages) Codes (replace words) ubstitution Transformations ubstitution Ciphers (replace letters) Cryptography (encrypted messages) Transposition Ciphers (change the order of letters) elected world events affected by cryptology 5 - trial of Mary Queen of cots - substitution cipher 97 - Zimmermann telegram, America enters World War I Battle of England, Battle of Atlantic, D-day - ENIGMA machine cipher 9 world s first computer, Colossus - German Lorenz machine cipher 95s operation Venona breaking ciphers of soviet spies stealing secrets of the U atomic bomb one-time pad Mary, Queen of cots cottish Queen, a cousin of Elisabeth I of England Forced to flee cotland by uprising against her and her husband Treated as a candidate to the throne of England by many British Catholics unhappy about a reign of Elisabeth I, a Protestant Imprisoned by Elisabeth for 9 years Involved in several plots to assassinate Elisabeth Put on trial for treason by a court of about noblemen, including Catholics, after being implicated in the Babington Plot by her own letters sent from prison to her co-conspirators in the encrypted form

2 Mary, Queen of cots cont cipher used for encryption was broken by codebreakers of Elisabeth I it was so called nomenclator mixture of a code and a substitution cipher Mary was sentenced to death for treachery and executed in 57 at the age of Zimmermann Telegram sent on January, 97 from the Foreign ecretary of the German Empire, Arthur Zimmermann, to the German ambassador in Washington instructed the ambassador to approach the Mexican government with a proposal for military alliance against the U offered Mexico generous material aid to be used to reclaim a part of territories lost during the Mexican-American War of -, specifically Texas, New Mexico, and Arizona sent using a telegram cable that touched British soil encrypted with cipher 75, which British codebreakers had partly broken intercepted and decrypted Zimmermann Telegram British foreign minister passed the ciphertext, the message in German, and the English translation to the American ecretary of tate, and he has shown it to the President Woodrow Wilson A version released to the press was that the decrypted message was stolen from the German embassy in Mexico After publishing in press, initially believed to be a forgery On February, Germany had resumed "unrestricted" submarine warfare, which caused many civilian deaths, including American passengers on British ships On March 3, 97 and later on March 9, 97, Arthur Zimmermann was quoted saying "I cannot deny it It is true On April, 97, President Wilson asked Congress to declare war on Germany On April, 97, Congress complied, bringing the United tates into World War I Ciphers used predominantly in the given period() Cryptography Cryptanalysis BC hift ciphers Monoalphabetic substitution cipher Frequency analysis al-kindi, Baghdad IX c 5 Invention of the Vigenère Cipher Homophonic ciphers Black chambers XVIII c 99 ( nd ed) 999 Vigenère cipher Kasiski s method (imple polyalphabetic substitution ciphers) 99 Invention of rotor machines Index of coincidence William Friedman Electromechanical machine ciphers (Complex polyalphabetic substitution ciphers) 9 Vernam cipher (one-time pad) 3 9

3 Ciphers used predominantly in the given period() Cryptography Cryptanalysis ubstitution Ciphers () Monalphabetic (simple) substitution cipher 99 hennon s theory of secret systems one-time pad tream Ciphers -P networks 977 Publication of DE DE Triple DE AE Reconstructing ENIGMA Rejewski, Poland Polish cryptological bombs, and perforated sheets British cryptological bombs, Bletchley Park, UK Breaking Japanese Purple cipher DE crackers M = m m m 3 m m N C = f(m ) f(m ) f(m 3 ) f(m ) f(m N ) Generally f is a random permutation, eg, f = a b c d e f g h i j k l m n o p q r s t u v w x y z s l t a v m c e r u b q p d f k h w y g x z j n i o Key = f Number of keys =!» Monalphabetic substitution ciphers implifications () A Caesar Cipher B hift Cipher c i = f(m i ) = m i + 3 mod m i = f - (c i ) = c i - 3 mod No key c i = f(m i ) = m i + k mod m i = f - (c i ) = c i - k mod Key = k Number of keys = Coding characters into numbers A Û B Û C Û D Û 3 E Û F Û 5 G Û H Û 7 I Û J Û 9 K Û L Û M Û N Û 3 O Û P Û 5 Q Û R Û 7 Û T Û 9 U Û V Û W Û X Û 3 Y Û Z Û 5 Caesar Cipher: Example Monalphabetic substitution ciphers implifications () Plaintext: Ciphertext: I C A M E I A W I C O N Q U E R E D L F D P H L V D Z L F R Q T X H U H G C Affine Cipher c i = f(m i ) = k m i + k mod gcd (k, ) = m i = f - (c i ) = k - (c i - k ) mod Key = (k, k ) Number of keys = = 3 3

4 Most frequent single letters Average frequency in a random string of letters: = 3 = 3% Average frequency in a long English text: E 3% T, N, R, I, O, A, %-9% D, H, L 35%-5% C, F, P, U, M, Y, G, W, V 5%-3% B, X, K, Q, J, Z < % Most frequent digrams, and trigrams Digrams: TH, HE, IN, ER, RE, AN, ON, EN, AT Trigrams: THE, ING, AND, HER, ERE, ENT, THA, NTH, WA, ETH, FOR, DTH Relative frequency of letters in a long English text by tallings A B C D E F G H I J K L M N O P Q R T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z a b c d e f g h i j k l m n o p q r s t u v w x y z in a long English plaintext in the corresponding ciphertext for a shift cipher a b c d e f g h i j k l m n o p q r s t u v w x y z a b c d e f g h i j k l m n o p q r s t u v w x y z in a long English plaintext in the corresponding ciphertext for a general monoalphabetic substitution cipher Frequency analysis attack: relevant frequencies a b c d e f g h i j k lm n o p q r s t u v w x y z Long English text T a b c d e f g h i j k lm n o p q r s t u v w x y z Ciphertext of the long English text T a b c d e f g h I j k l m n o p q r s t u v w x y z hort English message M a b c d e f g h I j k lm n o p q r s t u v w x y z Ciphertext of the short English message M

5 Ciphertext: Frequency analysis attack () tep : Establishing the relative frequency of letters in the ciphertext FMXVE DKAPH FERBN DKRXR REFM ORUD DKDV HVUFE DKAPR KDLYE VLRHH RH Frequency analysis attack () tep : Assuming the relative frequency of letters in the corresponding message, and deriving the corresponding equations Assumption: Most frequent letters in the message: E and T Corresponding equations: A B C D E F G H I J K L M N O P Q R T U V W X Y Z R - D - 7 E, H, K - 5 E R T D f(e) = R f(t) = D f() = 7 f(9) = 3 Frequency analysis attack (3) tep 3: Verifying the assumption for the case of affine cipher f() = 7 f(9) = 3 k + k º 7 (mod ) 9 k + k º 3 (mod ) 5 k º - (mod ) 5 k º (mod ) Breaking the affine cipher () tep : olving the equation of the form a x º b mod n for x = k gcd(5, ) = Thus, one solution 5 k º (mod ) k = (5 - ) mod = 7 mod = However, gcd(k, ) = Thus, our initial assumption incorrect ubstitution Ciphers () Polyalphabetic substitution cipher M = m m m d m d+ m d+ m d m d+ m d+ m 3d C = f (m ) f (m ) f d (m d ) f (m d+ ) f (m d+ ) f d (m d ) f (m d+ ) f ( m d+ ) f d (m 3d ) d is a period of the cipher Key = d, f, f,, f d Number of keys for a given period d = (!) d» ( ) d a b c d e f g h i j k l m n o p q r s t u v w x y z a b c d e f g h i j k l m n o p q r s t u v w x y z in a long English plaintext in the corresponding ciphertext for a polyalphabetic substitution cipher %» 3 % 5

6 Polyalphabetic substitution ciphers implifications () A Vigenère cipher: polyalphabetic shift cipher Invented in 5 c i = f i mod d (m i ) = m i + k i mod d mod m i = f - i mod d(c i ) = c i - k i mod d mod Key = k, k,, k d- Number of keys for a given period d = () d plaintext: Key = nsa 3 Vigenère quare a b c d e f g h i j k l m n o p q r s t u v w x y z a b c d e f g h i j k l m n o p q r s t u v w x y z b c d e f g h i j k l m n o p q r s t u v w x y z a c d e f g h i j k l m n o p q r s t u v w x y z a b d e f g h i j k l m n o p q r s t u v w x y z a b c e f g h i j k l m n o p q r s t u v w x y z a b c d f g h i j k l m n o p q r s t u v w x y z a b c d e g h i j k l m n o p q r s t u v w x y z a b c d e f h i j k l m n o p q r s t u v w x y z a b c d e f g i j k l m n o p q r s t u v w x y z a b c d e f g h j k l m n o p q r s t u v w x y z a b c d e f g h i k l m n o p q r s t u v w x y z a b c d e f g h i j l m n o p q r s t u v w x y z a b c d e f g h i j k m n o p q r s t u v w x y z a b c d e f g h i j k l n o p q r s t u v w x y z a b c d e f g h i j k l m o p q r s t u v w x y z a b c d e f g h i j k l m n p q r s t u v w x y z a b c d e f g h i j k l m n o q r s t u v w x y z a b c d e f g h i j k l m n o p r s t u v w x y z a b c d e f g h i j k l m n o p q s t u v w x y z a b c d e f g h i j k l m n o p q r t u v w x y z a b c d e f g h i j k l m n o p q r s u v w x y z a b c d e f g h i j k l m n o p q r s t v w x y z a b c d e f g h i j k l m n o p q r s t u w x y z a b c d e f g h i j k l m n o p q r s t u v x y z a b c d e f g h i j k l m n o p q r s t u v w y z a b c d e f g h i j k l m n o p q r s t u v w x z a b c d e f g h i j k l m n o p q r s t u v w x y Plaintext: Key: Encryption: Ciphertext: Vigenère Cipher - Example TO BE OR NOT TO BE NA T O B E O R N O T T O B E G G B R G R A G T G G B R GGBRGRAGTGGBR Determining the period of the polyalphabetic cipher Kasiski s method Ciphertext: G G B R G R A G T G G B R Distance = 9 Period d is a divisor of the distance between identical blocks of the ciphertext In our example: d = 3 or 9 Index of coincidence method () n i - number of occurances of the letter i in the ciphertext i = a z N - length of the ciphertext p i = probability that the letter of the ciphertext is equal to i Index of coincidence method () Measure of roughness: z z M R = æ ö ç p - = - å i p è ø å i i= a i= a p i = lim N z å p i i= a n i N = MR 3 period 5

7 Index of coincidence method (3) Index of coincidence method () Measure of roughness Index of coincidence z The approximation of å z pi i =a Definition: Probability that two random elements of the ciphertext are identical z ni (ni -) ni z Formula: i=a I C = å i =a å N å (n -) n = (N -) N Polyalphabetic substitution ciphers implifications () i MR = IC - = MR period i i=a - (N -) N 3 5 Military Enigma B Rotor machines used before and during the WWII Country Germany: UA: Japan: UK: Poland: Machine Period Enigma d= 5 =,9 M-35, Hagelin M-9 Purple Typex d= (-k), k=5, 7, 9 Lacida d= 3 35 =, Functional diagram & dataflow Enigma Daily Keys 7

8 Order of rotors (Walzenlage) Positions of rings (Ringstellung) combinations 3 combinations Plugboard Connections (teckerverbindung) Initial Positions of Rotors (Grundstellung) ~ 5 5 combinations 3 combinations Number of possible internal connections of Enigma 3 Total Number of Keys 3» 75 Larger number of keys than DE Estimated number of atoms in the universe

9 Broken by Polish Cryptologists 93-9 Enigma Timetable: 939 Jul 5-, 939: A secret meeting takes place in the Kabackie Woods near the town Pyry (outh of Warsaw), where the Poles hand over to the French and British Intelligence ervice their complete solution to the German Enigma cipher, and two replicas of the Enigma machine Marian Rejewski (born 95) Jerzy Różycki (born 99) Henryk Zygalski (born 97) Improvements and new methods developed by British cryptologists Alan Turing (born 9) Gordon Welchman (born 9) Enigma Timetable: : Alan Turing develops an idea of the British cryptological Bombe based on the known-plaintext attack Gordon Welchman develops an improvement to the Turing s idea called diagonal board Harold Doc Keen, engineer at British Tabulating Machines (BTM) becomes responsible for implementing British Bombe 9

10 May, 9: First British cryptological bombe developed to reconstruct daily keys goes into operation Over Bombes are used in England throughout the war Each bombe weighed one ton, and was 5 feet high, 7 feet long, feet wide Enigma Timetable: 93 Apr, 93: The production of the American Bombe starts in the National Cash Register Company (NCR) in Dayton, Ohio The engineering design of the bombe comes from Joseph Desch Machines were operated by members of the Women s Royal Naval ervice, Wrens ubstitution Ciphers (3) 3 Running-key cipher M = m m m 3 m m N K = k k k 3 k k N K is a fragment of a book C = c c c 3 c c N c i = m i + k i mod m i = c i - k i mod Key: book (title, edition), position in the book (page, row) a b c d e f g h i j k l m n o p q r s t u v w x y z a b c d e f g h i j k l m n o p q r s t u v w x y z in a long English plaintext in the corresponding ciphertext for a running-key cipher %» 3 % ubstitution Ciphers () Polygram substitution cipher M = m m m d - M m d+ m d+ m d - M m d+ m d+ m 3d - M 3 C = c c c d - C c d+ c d+ c d - C c d+ c d+ c 3d - C 3 d is the length of a message block C i = f(m i ) M i = f - (C i ) Key = d, f Number of keys for a given block length d = ( d )! Key: P L A Y F Playfair Cipher PLAYFAIR I A DIGRAM CIPHER I R D G M C H E B K N O Q T U V W X Z Convention (tallings) message ciphertext 5 P O L A N D A K A Y Q R Convention (Handbook) message ciphertext P O L A N D K A A Y R Q

11 Ciphering: Hill Cipher 99 Hill Cipher Deciphering: M [xd] = C [xd] K - [dxd] C [xd] = M [xd] K [dxd] message block = ciphertext block inverse key matrix k, k,, k d (c, c,, c d ) = (m, m,, m d ) k d, k d,, k dd ciphertext block = message block key matrix where K [dxd] K - [dxd] = key matrix inverse key matrix =,,,,,,,,,,,,,,,, identity matrix Hill Cipher - Known Plaintext Attack () Hill Cipher - Known Plaintext Attack () Known: C = (c, c,, c d ) M = (m, m,, m d ) C = (c, c,, c d ) M = (m, m,, m d ) C d = (c d, c d,, c dd ) M d = (m d, m d,, m dd ) c, c,, c d c, c,, c d c d, c d,, c dd = m, m,, m d m, m,, m d m d, m d,, m dd k, k,, k d k, k,, k d k d, k d,, k dd We know that: (c, c,, c d ) = (m, m,, m d ) K [dxd] (c, c,, c d ) = (m, m,, m d ) K [dxd] (c d, c d,, c dd ) = (m d, m d,, m dd ) K [dxd] C [dxd] = M [dxd] K [dxd] K [dxd] = M - [dxd] C [dxd] ubstitution Ciphers (5) Homophonic substitution cipher M = { A, B, C,, Z } C = {,,, 3,, 99 } c i = f(m i, random number) m i = f - (c i ) Transposition ciphers M = m m m 3 m m N C = m f() m f() m f(3) m f() m f(n) Letters of the plaintext are rearranged without changing them f: E 7, 9, 7,, A,, 5, 9 U 5,, 9 X 33

12 a b c d e f g h i j k l m n o p q r s t u v w x y z a b c d e f g h i j k l m n o p q r s t u v w x y z in a long English plaintext in the corresponding ciphertext for a transposition cipher Transposition cipher Example Plaintext: CRYPTANALYT Key: Encryption: Ciphertext: KRI 3 K R I C R Y P T A N A L Y T YNCTLRAYPAT Gilbert Vernam, AT&T Major Joseph Mauborgne One-time Pad Vernam Cipher c i = m i Å k i 9 One-time Pad Equivalent version c i = m i + k i mod m i k i c i m i k i c i TO BE OR NOT TO BE AX TC VI URD WM OF TL UG JZ HFW PK PJ All bits of the key must be chosen at random and never reused All letters of the key must be chosen at random and never reused Perfect Cipher Claude hannon Communication Theory of ecrecy ystems, 9 " m Î M c Î C P(M=m C=c) = P(M = m) The cryptanalyst can guess a message with the same probability without knowing a ciphertext as with the knowledge of the ciphertext Is substitution cipher a perfect cipher? C = XRZ P(M=ADD C=XRZ) = P(M=ADD) ¹

13 Is one-time pad a perfect cipher? -P Networks C = XRZ P(M=ADD C=XRZ) ¹ P(M=ADD) ¹ M might be equal to CAT, PET, ET, ADD, BBC, AAA, HOT, HI, HER, BET, WA, NOW, etc P P Basic operations of -P networks Avalanche effect ubstitution -box Permutation P-box m m m m3 m m5 m m7 m m9 m m m m m m3 m P P c c c c c3 c c5 c5 c c7 c7 c c c9 c c c c c c c c3 c c hannon Product Ciphers LUCIFER Horst Feistel, Walt Tuchman IBM Computationally secure ciphers based on the idea of diffusion and confusion Confusion relationship between plaintext and ciphertext is obscured, eg through the use of substitutions Diffusion spreading influence of one plaintext letter to many ciphertext letters, eg through the use of permutations m m m3 m m5 m m7 m m9 m m m m5 m m7 m k, k, k 3, k 3, P k, k, K 3, k 3, P k, K, k 3, k 3, c c c3 c c5 c c7 c c9 c c c c5 c c7 c rounds 3

14 LUCIFER- external look plaintext block bits LUCIFER key 5 bits bits ciphertext block