1 / 32

Classical Cryptography

Classical Cryptography. 2. Cryptanalysis. Cryptanalysis. [2] Cryptanalysis Assumption:(Kerckhoffs’ principle) The opponent knows the cryptosystem being used Attack models: ciphertext only attack known plaintext attack chosen plaintext attack chosen ciphertext attack. Cryptanalysis.

acton-gates
Télécharger la présentation

Classical Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Classical Cryptography 2. Cryptanalysis

  2. Cryptanalysis • [2] Cryptanalysis • Assumption:(Kerckhoffs’ principle) The opponent knows the cryptosystem being used • Attack models: • ciphertext only attack • known plaintext attack • chosen plaintext attack • chosen ciphertext attack

  3. Cryptanalysis • Statistical properties of the English language: (see Table 1.1) • E: probability about 0.120 • T, A, O, I, N, S, H, R: between 0.06 and 0.09 • D, L: 0.04 • C, U, M, W, F, G, Y, P, B: between 0.015 and 0.028 • V, K, J, X, Q, Z: 0.01 • Most common digrams: • TH, HE, IN, ER, AN, ND, … • Most common trigrams: • THE, ING, AND, END, …

  4. Cryptanalysis Table 1.1

  5. Cryptanalysis • <1> Cryptanalysis of the Affine Cipher • Ciphertext obtained form an Affine Cipher: • FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH • Frequency analysis: Table 1.2 • Most frequent ciphertext characters: • R: 8 occurrences • D: 7 occurrences • E,H,K: 5 occurrences • We now guess the mapping and solve the equation eK(x)=ax+b mod 26

  6. Cryptanalysis Table 1.2

  7. Cryptanalysis • Guess e→R,t→D • eK(4)=17, eK(19)=3 • a=6, b=19 • ILLEGAL (gcd(a,26)>1) • Guess e→R,t→E • eK(4)=17, eK(19)=4 • a=13, b=17 • ILLEGAL (gcd(a,26)>1) • Guess e→R,t→H • eK(4)=17, eK(19)=7 • a=8, b=11 • ILLEGAL (gcd(a,26)>1)

  8. Cryptanalysis • Guess e→R,t→K • eK(4)=17, eK(19)=10 • a=3, b=5 • LEGAL • dK(y)=9y-19 • Plaintext: • algorithmsarequitegeneraldefinitionsofarithmeticprocesses

  9. Cryptanalysis • <2> Crytanalysis of the Substitution Cipher • Ciphertext obtained from a Substitution Cipher • YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJNDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZNZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJXZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR • Frequency analysis: Table 1.3 • Z occurs most: guess dK(Z)=e • occur at least 10 times: C,D,F,J,M,R,Y • These are encryptions of {t,a,o,i,n,s,h,r} • But the frequencies do not vary enough to guess

  10. Cryptanalysis Table 1.3

  11. Cryptanalysis • We now look at digrams: -Z or Z- • 4 times: DZ,ZW • Guess dK(W)=d: ed→ZW • 3 times: NZ,ZU • Guess dk(N)=h: he→NZ • We have ZRW: guess dk(R)=n, end→ZRW • We have CRW: guess dk(C)=a, and→CRW • We have RNM, which decrypts to nh- • Suggest h- begins a word: M should be a vowel • We have CM: guess dk(M)=i (ai is more likely than ao)

  12. Cryptanalysis • We have DZ(4 times) and ZD(2 times) • Guess dK(D)∈{r,s,t} • Since o is a common letter • Guess eK(o)∈{F,J,Y} • We have CFM and CJM: guess dK(Y)=o (aoi is impossible) • Guess NMD→his : dK(D)=s • Guess HNCMF→chair: dK(H)=c, dK(F)=r • dK(J)=t: the→JNZ

  13. Cryptanalysis • Now easy to determine the others

  14. Cryptanalysis • <3> Cryptanalysis of the Vigenère Cipher • Kasiski test (1863): • Search the ciphertext for pairs of identical segments (length at least 3) • Record the distance between the starting positions of the 2 segments • If we obtain several such distances d1,d2,…, we would conjecture that the key length m divides all of the di’s • m divides the gcd of the di’s

  15. Cryptanalysis • Friedman’s index of coincidence (1920) • Suppose X=x1x2…xn is a string of n alphabetic characters • Index of coincidenceof X, denoted IC(X): the probability that 2 random elements of X are identical • We denote the frequencies of A,B,..,Z in X by f0,f1,…,f25

  16. Cryptanalysis • Using the expected probabilities in Table 1.1 p0,…,p25: the expected probability of A,…,Z • Suppose a ciphertext Y=y1y2…yn • Define m substrings of Y1,…,Ym of Y • Each value IC(Yi) should be roughly equal to 0.065

  17. Cryptanalysis • If m is not the keyword length • Yi will look much more random • A completely random string will have

  18. Cryptanalysis • Ciphertext obtained from a Vigenere Cipher • CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBWRVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAKLXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELXVRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHRZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJTAMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBIPEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHPWQAIIWXNRMGWOIIFKEE • CHR occurs in 5 places: 1,166,236,276,286 • The distances from the 1st one: 165,235,275,285 • g.c.d. is 5: we guess m=5

  19. Cryptanalysis • We check the indices of coincidences: • m=1: IC(Y)=0.045 • m=2: IC(Y1)=0.046, IC(Y2)=0.041 • m=3: IC=0.043, 0.050, 0.047 • m=4: IC=0.042, 0.039, 0.046, 0.040 • m=5: IC=0.063, 0.068, 0.069, 0.061, 0.072 • We sure m=5

  20. Cryptanalysis • Now we want to determine the key K=(k1,k2,…,km) • f0,f1,…f25: the frequencies of A,B,…,Z • n’=n/m: the length of the string Yi • The probability distribution of the 26 letters in Yi: • Yi is obtained by shift encryption using a shift ki • We hope that the shifted probability distribution would be close to p0,…,p25

  21. Cryptanalysis • Define the quantity Mg: For each ki, i=1, …, m for 0 ≤ g ≤ 25 • If g=ki: • If g≠ki, Mg will smaller than 0.065 • Return to the previous example: • Computes the values Mg, for 1≤i≤5 (Table 1.4) • For each i, look for a value of Mg close to 0.065 • From Table 1.4: K=(9,0,13,4,19) • The keyword is JANET

  22. Table 1.4

  23. Cryptanalysis • <4> Cryptanalysis of the Hill Cipher • Hill Cipher is difficult to break with a ciphertext-only attack • We use a known plaintext attack • Suppose the unknown key is an m╳m matrix and we have at least m distinct plaintext-ciphertext pairs • xj=(x1,j,x2,j,…,xm,j) • yj=(y1,j,y2,j,…,ym,j) yj=eK(xj), for 1≤j≤m

  24. Cryptanalysis • We define 2 m╳m matrices X=(xi,j) and Y=(yi,j) • Y=XK • K=X-1Y • e.g.: m=2, plaintext: friday, ciphertext: PQCFKU • eK(5,17)=(15,16) • eK(8,3)=(2,5) • eK(0,24)=(10,20)

  25. Cryptanalysis • e.g. (cont.)

  26. Cryptanalysis • <5> Cryptanalysis of the LFSR Stream Cipher • Recall this system is mudulo 2 • yi=(xi+zi) mod 2 • (z1,…,zm)=(k1,…km) i≥1, c0,…,cm-1∈Z2

  27. Cryptanalysis • We use a known-plaintext attack here • If plaintext length ≥ 2m • We can solve the system of m linear equations:

  28. Cryptanalysis • e.g.: suppose the system uses a 5-stage LFSR • Plaintext: 101101011110010 • Ciphertext: 011001111111000 • Keystream bits: 110100100001010

  29. Cryptanalysis • e.g. (cont.) • zi+5=(zi+zi+3) mod 2

More Related