Data and information security: 2. Classical cryptography

Size: px

Start display at page:

Download "Data and information security: 2. Classical cryptography"

Myron Rose
5 years ago
Views:

1 ICS 423: s Data and information security: 2. Classical cryptography UHM ICS 423 Fall 2014

2 Outline ICS 423: s s and crypto systems ciphers ciphers Breaking ciphers What did we learn?

3 Outline ICS 423: s s and crypto systems Definitions Coding vs encryption ciphers Definitions Coding vs encryption ciphers Breaking ciphers What did we learn?

4 Simple crypto system ICS 423: s Definition Definitions Coding vs encryption Given the types M of plaintexts C of ciphertexts K of keys

5 Simple crypto system ICS 423: s Definition Definitions Coding vs encryption... a simple crypto-system is a triple of algorithms S = K, E, D where K :K is called the key generation, E :K M Cis the encryption, and D :K C Mis the decryption

6 Simple crypto system ICS 423: s Definition Definitions Coding vs encryption... that together provide unique decryption: D(K, E(K, m)) = m (where K is the public key of K, classically K = K ) trapdoor encryption: ( ) A :C M. m. A(E(K, m))= m = ( c. A(c) = D(K, c) )

7 Using a cryptosystem ICS 423: s Definitions Coding vs encryption

8 ICS 423: s Definition Definitions Coding vs encryption A ciphers K is a pair of easily computable functions: encryption E K :M C, and decryption D K :C M, obtained when the key generation K of a crypto system S = K, E, D generates the key K.

9 Where do the plaintexts come from? ICS 423: s Remarks The spacemmay be monoalphabetic: it consists of symbols M = Σ polyalphabetic: it consists of blocks of symbols Definitions Coding vs encryption M = Σ N

10 Where do the plaintexts come from? ICS 423: s Remarks The spacemmay be monoalphabetic: it consists of symbols M = Σ polyalphabetic: it consists of blocks of symbols Definitions Coding vs encryption M = Σ N A plaintext is a string fromm.

11 Where do the plaintexts come from? ICS 423: s Remarks The spacemmay be monoalphabetic: it consists of symbols M = Σ polyalphabetic: it consists of blocks of symbols Definitions Coding vs encryption M = Σ N A plaintext is a string fromm. A well-formed message is a meaningful plaintext: a word, a sentence, a paragraph.

12 Where do the plaintexts come from? ICS 423: s Remarks The spacemmay be monoalphabetic: it consists of symbols M = Σ polyalphabetic: it consists of blocks of symbols Definitions Coding vs encryption M = Σ N A plaintext is a string fromm. A well-formed message is a meaningful plaintext: a word, a sentence, a paragraph. Not every plaintext is a well-formed message.

13 Coding ICS 423: s Definitions Coding vs encryption Definition A coding scheme is an injective function f :X G, where X is a source, and G Σ is a language (or code).

14 Recall the examples of coding Morse code: source: characters code: strings of dots and dashes telegraphic codes: ICS 423: s Definitions Coding vs encryption source answer my question! are you trying to weasel out? you are a skunk! not clearly coded, please repeat CODE LYOUI BYOXO BMULD AYYLU English, Chinese... : source: meaningful phrases code: orthography

15 Coding vs encryption ICS 423: s Definitions Coding vs encryption Terminology The elementsγ G Σ are called codewords. Codewords are used as well-formed messages.

16 Coding vs encryption ICS 423: s Definitions Upshot The difference between decryptionc D M Coding vs encryption decodingm G plays an important role in cryptanalysis: plaintext must be recognizable as a well-formed message

17 Outline ICS 423: s s and crypto systems ciphers ciphers Breaking ciphers What did we learn?

18 Examples ICS 423: s Encode letters as numbers a b c c e f g h i j k l m n o p q r s t u v w x y z

19 Example 1.1: Shift cipher (monoalphabetic: Cæsar k = 3, ROT13 k = ) ICS 423: s M =C=Z 26 ={0, 1, 2, 3,..., 25} K =Z 26 K = k E(k, m) = m+k mod 26 D(k, c) = c k mod 26

20 Example 1.1: Shift cipher (monoalphabetic: Cæsar k = 3, ROT13 k = ) E.g., the key k = 5 gives tx: i t i s v e r y c o l d m k c CY: N Y N X A J W D H T Q I ICS 423: s where a b c d e f g h i j k l m n o p q r s t u v w x y z

21 Example 1.2: Shift cipher (polyalphabetic) ICS 423: s M =C=Z N 26 K =Z N 26 K = k = k 1, k 2,...,k N E( k, m) = m+ k mod 26 D( k, c) = c k mod 26

22 Example 1.2: Shift cipher (polyalphabetic) E.g., the block length N = 6 and the keyword kd="monkey" give ICS 423: s tx: i t i s v e r y c o l d m kd: m o n k e y m o n k e y k c CY: U H V C Z B C M P Y P B where a b c c e f g h i j k l m n o p q r s t u v w x y z

23 Example 1.2: Shift cipher (polyalphabetic) One-time pad A polyalphabetic shift cipher where each key K Z N is used to encrypt 26 ICS 423: s a single message m Z N 26 is called a one-time-pad. It is perfectly secure, but it reduces the task to transfer an N-character message to the task to transfer an N-character key.

24 Example 1.2: Shift cipher (polyalphabetic) One-time pad A polyalphabetic shift cipher where some key K Z N is used to encrypt 26 ICS 423: s two messages m 1, m 2 Z N 26 is insecure.

25 Example 1.2: Shift cipher (polyalphabetic) One-time pad A polyalphabetic shift cipher where some key K Z N is used to encrypt 26 ICS 423: s two messages m 1, m 2 Z N 26 is insecure. Exercise Try to figure this out.

26 Example 1.2: Shift cipher (polyalphabetic) One-time pad A polyalphabetic shift cipher where some key K Z N is used to encrypt 26 ICS 423: s two messages m 1, m 2 Z N 26 is insecure. Exercise Try to figure this out. (We ll prove it later.)

27 Example 1.2: Shift cipher (polyalphabetic) Historic remarks Polyalphabetic shift ciphers are often called Vigenère s ciphers. Vigenère had nothing to do with them. He designed the first auto-keying cipher in Shift ciphers were described by Belasso in ICS 423: s Binary one-time pad was patented by Gilbert Vernam in 1917.

28 Example 1.3: Affine cipher (polyalphabetic) M =C=Z N 26, K = ( Z 26) N Z N 26 K = a, k ICS 423: s E( a, k, m) = a m+ k mod 26 D( a, k, c) = 1 a ( c k) mod 26 where a m = a 1 m 1, a 2 m 2,...,a N m N =,,..., a a 1 a 2 a N

29 Example 1.4: Substitition cipher (monoalphabetic) ICS 423: s M =C=Σ={a, b, c,...,z}, K = S(Σ) = the permutations of Σ K =σ E(σ, m) =σ(m) D(σ, c) =σ 1 (c)

30 Example 1.5: Substitition cipher (polyalphabetic) ICS 423: s M =C=Σ N, K = S(Σ) N K =σ E(σ, m) = σ 1 (m 1 ),σ 2 (m 2 ),...σ N (m N ) D(σ, c) = σ 1 1 (c 1),σ 1 2 (c 2),...σ 1 N (c N)

31 Outline ICS 423: s s and crypto systems ciphers ciphers Breaking ciphers What did we learn?

32 Example 2: cipher ICS 423: s M =C=Σ N, K = S(N) = the permutations of the block positions K =σ E(σ, m) = m σ(1), m σ(2),...m σ(n) D(σ, c) = m σ 1 (1), m σ 1 (2),...m σ 1 (N)

33 Example 2.1: Columnar cipher ICS 423: s Plaintext

34 Example 2.1: Columnar cipher ICS 423: s Encryption

35 Example 2.1: Columnar cipher ICS 423: s text

36 Outline ICS 423: s s and crypto systems ciphers ciphers Breaking ciphers What did we learn?

37 Cryptanalytic attacks Symmetric key attacks When k = k = K, the attacks are ciphertext only (COA): E(K, m 1 ),...,E(K, m l ) K ICS 423: s known plaintext (KPA), chosen plaintext (CPA): m 1,...,m l, E(K, m 1 ),...,E(K, m l ) K chosen ciphertext (CCA): c 1,...,c l, D(K, c 1 ),...,D(K, c l ) K

38 Cryptanalytic attacks Asymmetric key attacks When k is publicly known ciphertext only (COA): k, E(k, m 1 ),...,E(k, m l ) k ICS 423: s known plaintext (KPA), chosen plaintext (CPA): k, m 1,...,m l, E(k, m 1 ),...,E(k, m l ) k chosen ciphertext (CCA): k, c 1,...,c l, D(k, c 1 ),...,D(k, c l ) k adaptive chosen ciphertext (CCA2):... (later!)

39 COA on monoalphabetic shift cipher ICS 423: s M =C=Z 26 K =Z 26 k = k = k E(k, m) = m+k mod 26 D(k, c) = c k mod 26

40 COA on monoalphabetic shift cipher ICS 423: s M =C=Z 26 K =Z 26 k = k = k E(k, m) = m+k mod 26 D(k, c) = c k mod 26 Idea Since there are just #K = 26 possible keys, simply try one after the other.

41 COA on monoalphabetic shift cipher ICS 423: s CY: N Y N X A J W D H T Q I c k m tx 1 : m x m w z i v c g s p h

42 COA on monoalphabetic shift cipher ICS 423: s CY: N Y N X A J W D H T Q I c k m tx 2 : l w l v y h u b f r o g

43 COA on monoalphabetic shift cipher ICS 423: s CY: N Y N X A J W D H T Q I c k m tx 5 : i t i s v e r y c o l d

44 COA on substitution cipher ICS 423: s M =C=Σ={a, b, c,...,z}, K = S(Σ) = the permutations of Σ k = k =σ E(σ, m) =σ(m) D(σ, c) =σ 1 (c)

45 COA on substitution cipher ICS 423: s M =C=Σ={a, b, c,...,z}, K = S(Σ) = the permutations of Σ k = k =σ E(σ, m) =σ(m) D(σ, c) =σ 1 (c) Fact Since #K = 26! , enumerating the keys and searching for a well-formed plaintext will not help.

46 COA on substitution cipher Idea Align the letter frequencies of plaintext (e.g. English)... ICS 423: s

47 COA on substitution cipher Idea Align the letter frequencies of plaintext (e.g. English)... ICS 423: s

48 COA on substitution cipher Idea... with the letter frequencies of the ciphertext ICS 423: s Q W D S E O G B K M A Z C P J L F U X R I Y V T H N

49 COA on substitution cipher ICS 423: s Result e t a o i n s h r d l c u Q W D S E O G B K M A Z C m w f g y p b v k j x q z P J L F U X R I Y V T H N

50 COA on substitution cipher ICS 423: s Result a b c d e f g h i j k l m D R Z M Q L F B E V Y A P n o p q r s t u v w x y z O S X H K G W C I J T U N

51 COA on substitution cipher overview ICS 423: s N plaintext m c ciphertext Σ M E =σ Σ C sampletext t µ t µ m µ c N [0, 1]

52 COA on substitution cipher overview ICS 423: s N plaintext m c ciphertext Σ M E =σ Σ C sampletext t D =σ µ t µ m µ c N [0, 1]

53 COA on substitution cipher overview ICS 423: s Summary The ciphertext c inducesµ c The sampletext t inducesµ t The plaintext m is assumed to haveµ m µ t The decryption D is induced by the lower triangle The upper triangle validates the correctness of D: Is D(c) a meaningful plaintext?

54 COA on transposition cipher ICS 423: s Plaintext all work and no play makes johnny a dull boy

55 COA on transposition cipher ICS 423: s Encryption a l l w o r k a n d n o p l a y m a k e s j o h n n y a d u l l b o y x

56 COA on transposition cipher ICS 423: s text AKPKNL LALENL LNASYB WDYJAO ONMODY ROAHUX

57 COA on transposition cipher ICS 423: s Anagramming

58 COA on transposition cipher ICS 423: s Anagramming

59 COA on transposition cipher overview ICS 423: s N C E =π N M ciphertext c m plaintext Σ sampletext t µ m =µ t N [0, 1]

60 COA on transposition cipher overview ICS 423: s N C E =π N M D =π ciphertext c m plaintext Σ sampletext t µ m =µ t N [0, 1]

61 COA on transposition cipher overview ICS 423: s Summary The sampletext t inducesµ t The plaintext m is assumed to haveµ m =µ t The decryptionπis built by maximizing iµ t c i π

62 COA depends on redundancy of language ICS 423: s The COA cryptanalysis is entirely based on the biases and the redundancy ofm: if all elements ofmare equally likely to occur, then substitution ciphers resist COA if all elements ofmare mutually independent (i.e. equally likely to occur with each other), then transposition ciphers resist COA

63 COA depends on redundancy of language ICS 423: s However, a uniformly distributedmis suboptimal for communication, and error prone without redundancy

64 COA depends on redundancy of language ICS 423: s However, a uniformly distributedmis suboptimal for communication, and error prone without redundancy there are KPAs.

65 KPA on the one-time-pad ICS 423: s M =C=K =Z N 26 E( k, m) = m+ k D( k, c) = c k

66 KPA on the one-time-pad ICS 423: s M =C=K =Z N 26 E( k, m) = m+ k D( k, c) = c k Attack Given m and E( k, m) = m+ k the cryptanalyst derives k = E( k, m) m

67 Can we prove that there are no attacks? ICS 423: s

68 Can we prove that there are no attacks? ICS 423: s Proposition If all keys are equally likely, then the one-time-pad is secure, in the sense that the ciphertext provides no information about the plaintext.

69 Can we prove that there are no attacks? ICS 423: s We need tools for such proofs!

70 Outline ICS 423: s s and crypto systems ciphers ciphers Breaking ciphers What did we learn?

71 What did we learn? ICS 423: s A cipher hides messages: S K = M E K C D K

72 What did we learn? A crypto system generates ciphers: ICS 423: s

73 What did we learn? ICS 423: s A substitution cipher permutes the text alphabet: M =C=Σ N, K = S(Σ) N K =σ E(σ, m) = σ 1 (m 1 ),σ 2 (m 2 ),...σ N (m N ) D(σ, c) = σ 1 1 (c 1),σ 1 2 (c 2),...σ 1 N (c N)

74 What did we learn? ICS 423: s A transposition cipher permutes the text positions: M =C=Σ N, K = S(N) = the permutations of the block positions K =σ E(σ, m) = m σ(1), m σ(2),...m σ(n) D(σ, c) = m σ 1 (1), m σ 1 (2),...m σ 1 (N)

75 What did we learn? A substitution cipher is cryptanalyzed by maximizing the frequency correlation between the plaintext and ciphtertext: ICS 423: s N plaintext m c ciphertext Σ M E =σ Σ C sampletext t D =σ µ t µ m µ c N [0, 1]

76 What did we learn? A transposition cipher is cryptanalyzing by maximizing the frequency correlations within the ciphertext: ICS 423: s N C E =π N M ciphertext c m plaintext Σ sampletext t µ m =µ t N [0, 1]

77 Way ahead ICS 423: s To count the frequencies and study the correlations, we need bits of probability and information theory.

CSCI3381-Cryptography

CSCI3381-Cryptography Lecture 2: Classical Cryptosystems September 3, 2014 This describes some cryptographic systems in use before the advent of computers. All of these methods are quite insecure, from