Cryptanalysis. A walk through time. Arka Rai Choudhuri

Similar documents
Efficient Cryptanalysis of Homophonic Substitution Ciphers

26 HIDDEN MARKOV MODELS

Cryptography: A Fairy Tale for Mathematicians and Starring Mathematicians!

CSCI3381-Cryptography

Classical Cryptography

CPSC 467b: Cryptography and Computer Security

Ciphers: Making and Breaking

monoalphabetic cryptanalysis Character Frequencies (English) Security in Computing Common English Digrams and Trigrams Chapter 2

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Lecture (04) Classical Encryption Techniques (III)

one approach to improve security was to encrypt multiple letters invented by Charles Wheatstone in 1854, but named after his

Historical cryptography

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

Introduction to Cryptology. Lecture 2

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Classical Cryptography

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Unveiling the Chaocipher. Born in Dublin, Ireland on February 11, 1880, John F. Byrne created a cipher called the

5. Classical Cryptographic Techniques from modular arithmetic perspective

Simple Codes MTH 440

1999 version 2001 simplified version

Week 7 An Application to Cryptography

Clock Arithmetic and Euclid s Algorithm

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Number Theory in Cryptography

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Introduction to Cryptography

Video intypedia001en EXERCISES

Chapter 2 Classical Cryptosystems

last name ID 1 c/cmaker/cbreaker 2012 exam version a 6 pages 3 hours 40 marks no electronic devices SHOW ALL WORK

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Data and information security: 2. Classical cryptography

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Innovation and Cryptoventures. Cryptology. Campbell R. Harvey. Duke University, NBER and Investment Strategy Advisor, Man Group, plc.

Cryptography. pieces from work by Gordon Royle

Jay Daigle Occidental College Math 401: Cryptology

What is Cryptography? by Amit Konar, Dept. of Math and CS, UMSL

Number theory (Chapter 4)

The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and )

THE ZODIAC KILLER CIPHERS. 1. Background

Akelarre. Akelarre 1

Dan Boneh. Introduction. Course Overview

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

History of Maths andx

COMM1003. Information Theory. Dr. Wassim Alexan Spring Lecture 5

Polyalphabetic Ciphers

Historical cryptography. cryptography encryption main applications: military and diplomacy

Lecture 4: DES and block ciphers

I.T.I.S. E. DIVINI SAN SEVERINO MARCHE. CRIPTOGRAPHY Monday 9th January 2006

Chapter 2. A Look Back. 2.1 Substitution ciphers

Historical Ciphers. Required Reading. W. Stallings, Cryptography and Network Security, Chapter 2, Classical Encryption Techniques

Specialized Cryptanalytic Machines: Two examples, 60 years apart. Patrick Schaumont ECE Department Virginia Tech

Historical Ciphers. ECE Lecture 6. Why (not) to study historical ciphers? Required Reading. Secret Writing. Mary, Queen of Scots

... Assignment 3 - Cryptography. Information & Communication Security (WS 2018/19) Abtin Shahkarami, M.Sc.

Classical. More Ciphers. By Richard Spillman. Based on slides from the book Classical & Contemporary Cryptology By. & ontempory ryptology

A Weak Cipher that Generates the Symmetric Group

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 4: Enigma.

Hidden Markov Models for Vigenère Cryptanalysis

STATISTICAL TOOLS USED IN CRYPTOGRAPHIC EVALUATION

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

Chapter 2 : Perfectly-Secret Encryption

Historical cryptography

Cryptography - Session 2

Computer Security. 07. Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Cryptography Lecture 4 Block ciphers, DES, breaking DES

How Fast can be Algebraic Attacks on Block Ciphers?

ISSN: Received: Year: 2016, Number: 14, Pages: Published: Original Article **

Polyalphabetic Substitutions

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad

CHAPTER 4 REDUCTION OF VARIABLE LENGTH KEY SEARCH TIME OF VIGENERE CIPHER USING FIREFLY ALGORITHM

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Sol: First, calculate the number of integers which are relative prime with = (1 1 7 ) (1 1 3 ) = = 2268

Block Ciphers and Feistel cipher

icsc March 2011, CERN Computer Security Theme Lecture 1

Lecture Notes. Advanced Discrete Structures COT S

Lecture 8 - Cryptography and Information Theory

Modern symmetric encryption

secretsaremadetobefoundoutwithtime UGETGVUCTGOCFGVQDGHQWPFQWVYKVJVKOG Breaking the Code

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Cryptography 2017 Lecture 2

UNIVERSITY OF CALIFORNIA Santa Barbara. Cryptanalysis of the SIGABA

Mono alphabetic substitution cipher

Cryptography and Number Theory

18733: Applied Cryptography Anupam Datta (CMU) Course Overview

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

19 Lorenz Cipher Machine

University of Regina Department of Mathematics & Statistics Final Examination (April 21, 2009)

Cook-Levin Theorem. SAT is NP-complete

Powers in Modular Arithmetic, and RSA Public Key Cryptography

Introduction to Cryptographic Engineering. Steven M. Bellovin

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Modern symmetric-key Encryption

Exercise Sheet Cryptography 1, 2011

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Transcription:

Cryptanalysis A walk through time Arka Rai Choudhuri arkarai.choudhuri@gmail.com

How many can you identify?

History (or how I will give you hope of becoming world famous and earning $70 million along the way)

Disclaimer Cryptography s butt http://explosm.net/comics/3557/

AOUSATUPRSVNEG SOURAV SEN GUPTA USVRAO ENS PUTGA Transposition Cipher

Caesar cipher Simple shifting of letters. Only 13 possible keys. Easy to break exhaustively.

Substitution Cipher Earliest mention in the Kama-sutra. 26! Number of keys. 88 bits of secrecy.

Arab Cryptanalysis Al-Kindi On Deciphering Cryptographic Messages 9 th century FREQUENY ANALYSIS

Structure of the English language Move to digrams and trigrams for better results.

Mary Queen of Scots (16 th Century) Assassinate

Solved by Elizabeth s cryptanalyst

Vigenère cipher (16 th century) Overcome the statistical weakness of ciphers? Polyalphabetic ciphers A letter in the cipher can represent multiple letters from the plain text Not broken till the 19 th century.

How do we figure out the length?

Use properties of the English language. 25 i=0 p i 2 0.065 If p i follow the letter frequencies. Else, 25 1 26 2 0.038 i=0

Increase the keyword length? Create a keyword that is as long as the message. Can t use the methods discussed previously. Are we done?

Failed because the key wasn t random enough?

What is random? https://xkcd.com/221/ http://dilbert.com/strip/2001-10-25

Why does it work? Generate all possible plaintexts from a given ciphertext. All the keys will look random.

Zodiac Late 60s in the US. Killer sent ciphers to solve.

I LIKE KILLING PEOPLE BECAUSE IT IS SO MUCH FUN IT IS MORE FUN THAN KILLING WILD GAME IN THE FORREST BECAUSE MAN IS THE MOST DANGEROUE ANAMAL OF ALL TO KILL SOMETHING GI..

But who is the zodiac? 340 character cipher. Unsolved to this day.

Beale cipher

3 cipher - Location - Contents - Names of treasure owners

3 cipher - Location - Contents - Names of treasure owners Buried treasure of gold, silver and jewels estimated to be worth over US$63 million as of September 2011

Was it an elaborate hoax? Why has it withstood cryptanalysis for centuries?

Enigma Marian Rejewski

Differential Cryptanalysis Where your disillusionment dies.

DES L R Linear Operations Subkey S-Box Linear Operations L R

S-Box Substitution boxes Non-Linear Can t represent output bits as linear operation of input bits.

S-Box Substitution boxes Non-Linear Implemented by a table look-up

S-Box S1(101011)

S-Box S1(101011)

S-Box S1(101011) = 7

How can we use an S-box? X Key S

X S K 00 01 10 11 0 10 01 11 00 1 00 10 01 11 Inputs are known X 1 = 110 and X 2 = 010 Outputs of S-box known S(X 1 K) = 10 and S(X 2 K ) = 01

X S K 00 01 10 11 0 10 01 11 00 1 00 10 01 11 Inputs are known X 1 = 110 and X 2 = 010 Outputs of S-box known S(X 1 K) = 10 and S(X 2 K ) = 01 X 1 K 000,101 K {110,011}

X S K 00 01 10 11 0 10 01 11 00 1 00 10 01 11 Inputs are known X 1 = 110 and X 2 = 010 Outputs of S-box known S(X 1 K) = 10 and S(X 2 K ) = 01 X 1 K 000,101 K {110,011} K=011 X 2 K 001,110 K {011,100}

Differences Focus on input and output differences. We know the inputs X 1 and X 2. But the input to the S-boxes are X 1 K and X 2 K. XOR of the input to the S-box (X 1 K) (X 2 K) = X 1 X 2 The difference is independent of the key.

TINY DES (TDES) L R 8 8 Expand 12 F R, K = S(expand R K) 6 6 SL SR 12 K i 4 4 8 8 L R

x 0 x 5 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 C 5 0 A E 7 2 8 D 4 3 9 6 F 1 B 1 1 C 9 6 3 E B 2 F 8 4 5 D A 0 7 2 F A E 6 D 8 2 4 1 7 9 0 3 5 B C 3 0 A 3 C 8 2 1 E 9 7 F 6 B 5 D 4 K 1 = k 2 k 4 k 5 k 6 k 7 k 1 k 10 k 11 k 12 k 14 k 15 k 8 K 2 = k 4 k 6 k 7 k 0 k 1 k 3 k 11 k 12 k 13 k 15 k 8 k 9 K 3 = k 6 k 0 k 1 k 2 k 3 k 5 k 12 k 13 k 14 k 8 k 9 k 10 K 4 = k 0 k 2 k 3 k 4 k 5 k 7 k 13 k 14 k 15 k 9 k 10 k 11

x 0 x 5 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 C 5 0 A E 7 2 8 D 4 3 9 6 F 1 B 1 1 C 9 6 3 E B 2 F 8 4 5 D A 0 7 2 F A E 6 D 8 2 4 1 7 9 0 3 5 B C 3 0 A 3 C 8 2 1 E 9 7 F 6 B 5 D 4 K 1 = k 2 k 4 k 5 k 6 k 7 k 1 k 10 k 11 k 12 k 14 k 15 k 8 K 2 = k 4 k 6 k 7 k 0 k 1 k 3 k 11 k 12 k 13 k 15 k 8 k 9 K 3 = k 6 k 0 k 1 k 2 k 3 k 5 k 12 k 13 k 14 k 8 k 9 k 10 K 4 = k 0 k 2 k 3 k 4 k 5 k 7 k 13 k 14 k 15 k 9 k 10 k 11 expand R = expand r 0 r 1 r 7 = (r 4 r 7 r 2 r 1 r 5 r 7 r 0 r 2 r 6 r 5 r 0 r 3 )

X 1 X 2 = 001000 SR X 1 SR X 2 = 0010 with probability ¾ If X 1 X 2 = 000000 SR X 1 SR X 2 = 0000 with probability 1 Chosen plaintext attack P = (L 0 R 0 and P = ( L 0 R 0 ) P P = (L 0 R 0 ( L 0 R 0 ) = 0000 0000 0000 0010 = 0x0002

Is the expand function linear? expand X 1 expand X 1 = expand(x 1 X 2 ) R 0 R 0 = 0000 0010 expand R 0 expand R 0 = expand R 0 R 0 = expand 0000 0010 = 000000 001000 F R 0, K F R 0, K = S e R 0 K S(e R 0 K) = 0000 0010 with probability ¾

With probability 3 4 3 4 R 2 R 2 = L 1 F R 1, K 2 ( L 1 F( R 1, K 2 )) = L 1 L 1 (F R 1, K 2 F( R 1, K 2 )) = R 0 R 0 (F R 1, K 2 F( R 1, K 2 )) = 0000 0010 0000 0010 = 0000 0000

Recovering the key What do we have? P P (L 0 L 0 ) (R 0 R 0 ) C C (L 4 L 4 ) (R 4 R 4 ) R 4 = L 3 F R 3, K 4 and R 4 = L 3 F R 3, K 4 R 4 = L 3 F L 4, K 4 and R 4 = L 3 F L 4, K 4 L 3 = R 4 F L 4, K 4 and L 3 = R 4 F L 4, K 4

If C C = 0x0202, with high probability, L 3 = L 3 R 4 F L 4, K 4 = R 4 F L 4, K 4 R 4 R 4 = F L 4, K 4 F L 4, K 4

If C C = 0x0202, with high probability, L 3 = L 3 R 4 F L 4, K 4 = R 4 F L 4, K 4 R 4 R 4 = F L 4, K 4 F L 4, K 4 Let, L 4 = l 0 l 1 l 2 l 3 l 4 l 5 l 6 l 7 and L 4 = l 0 l 1 l 2 l 3 l 4 l 5 l 6 l 7 Then 0000 0010 = SL(l 4 l 7 l 2 l 1 l 5 l 7 k 0 k 2 k 3 k 4 k 5 k 7 ) SR(l 0 l 2 l 6 l 5 l 0 l 3 k 13 k 14 k 15 k 9 k 10 k 11 ) (SL l 4 l 7 l 2 l 1 l 5 l 7 k 0 k 2 k 3 k 4 k 5 k 7 SR l 0 l 2 l 6 l 5 l 0 l 3 k 13 k 14 k 15 k 9 k 10 k 11 )

Algorithm 1. Pick plaintext pairs with the given difference. 2. Run the algorithm with the unknown key to get ciphertext pairs. 3. Discard ciphertext pairs that don t satisfy output difference. 4. For all possible values of the 6 key bits identified, check if the derived condition holds.

These key bits can be guessed separately from the others. The remaining keys bits can be guessed by exhaustive search with one cipher text. Thus an overall complexity of about 2 11 which is better than the exhaustive search over the entire keyspace.

Swept under the rug What is a good probability? How many plaintextpairs do we need? Are there assumptions that we ve taken for granted?

Thank you

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback