

Plaintext - original message
Ciphertext - coded message
Enciphering, encryption - process of converting from plaintext to ciphertext
Deciphering, decryption - restoring the plaintext from the ciphertext
Cryptography - area of study of schemes for enciphering
Cryptographic system, cipher - scheme of enciphering
Cryptanalysis - techniques for deciphering a message without knowledge of the enciphering details
Cryptology - areas of cryptography and cryptanalysis

1. SYMMETRIC CIPHER MODEL
2. SUBSTITUTION TECHNIQUES
3. TRANSPOSITION TECHNIQUES
4. ROTOR MACHINES
5. STEGANOGRAPHY

Symmetric (conventional) encryption scheme has the following ingredients

There are 2 requirements for secure use of conventional encryption:
1. We need a strong encryption algorithm: the opponent should be unable to decrypt ciphertext or to discover the key even if s/he is in the possession of a number of ciphertexts together with the plaintext that produced each ciphertext
2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure. If someone can discover the key and knows the algorithm, all communication using this key is readable

We assume that it is impractical to decrypt a message on the basis of the ciphertext plus knowledge of the encryption/decryption algorithm, i.e. we do not need to keep the algorithm secret; we need to keep only the key secret. Let's consider essential elements of a symmetric encryption scheme:


We can write: Y=


$X = D_K(Y)$

Opponent knows Y, E, D. He may be interested to recover X or/and K. Knowledge of K gives him opportunity to read future messages.

Cryptographic systems are characterized by
1. The type of operations used for transforming plaintext to ciphertext (substitution, transposition). Fundamental requirement - no information be lost
2. The number of keys used (1 key - symmetric, single-key, secret-key; 2 keys - asymmetric, two-key, public-key)
3. The way in which the plaintext is processed (block cipher, stream cipher). Stream cipher may be viewed as a block cipher with block size equal to 1 element.

There are two general approaches to attacking a conventional encryption scheme:
1. Cryptanalysis: attempts to use characteristics of the plaintext or even some plaintext-ciphertext pairs to deduce a specific plaintext or key being used
2. Brute-force attack: every possible key is tried until an intelligible translation into plaintext is obtained. On average, half of all possible keys should be tried to achieve success.


Unconditionally secure encryption scheme - ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available. Excepting a scheme known as one-time pad, there is no encryption algorithm that is unconditionally secure. Therefore, an encryption algorithm should meet one or both of the following criteria:
- The cost of breaking the cipher exceeds the value of the encrypted information
- The time required to break the cipher exceeds the useful lifetime of the information

Such an algorithm is called computationally secure. Table below shows how much time is involved for various key sizes. The 56-bit key size is used with the DES (Data Encryption Standard), 168-bit for triple DES, 128-bit for AES (Advanced Encryption Standard). Results are also shown for substitution codes that use a 26-character key, in which all possible permutations of the 26 characters serve as keys. It is assumed that it takes 1 µs to perform a single decryption or encryption (in last column - 10^6 decryptions per 1 µs)



All forms of cryptanalysis for symmetric encryption try to exploit the fact that traces of structure or pattern in the plaintext may survive encryption and be discernible in the ciphertext. Cryptanalysis for public-key schemes tries to use mathematical properties of pair of keys to deduce one from the other.

A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns

It was used by Julius Caesar. The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet. For example

Plain: meet me after the toga party
Cipher: PHHW PH DIWHU WKH WRJD SDUWB

Transformation is made using the following mapping:

Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Let us assign a numerical equivalent to each letter from 0 to 25. Then the algorithm may be expressed as follows. For each plaintext letter p, substitute the ciphertext letter C:

$C = E(p) = (p + 3) \bmod 26$

A shift may be of any amount, so that general Caesar algorithm is



$C = E(p) = (p + k) \bmod 26$, where k takes on a value in the range 1 to 25.

The decryption algorithm is simply

$p = D(C) = (C - k) \bmod 26$

If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is easily performed: simply try all possible 25 keys. Three important characteristics of this problem enable us to use brute-force cryptanalysis:
1. The encryption and decryption algorithms are known
2. There are only 25 keys to try
3. The language of the plaintext is known and easily recognizable

In most networking situations algorithms are assumed to be known. Brute-force analysis is impractical when the algorithm employs a large number of keys. The 3rd characteristic is also significant. If the language of the plaintext is not known, then the plaintext output may not be recognizable.



Furthermore, if the input is compressed in some manner, again recognition is difficult. Below is example of compression by ZIP:

If this file is then encrypted with a simple substitution cipher (expanded to include more than just 26 characters), then the plaintext may not be recognized
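The brute-force search over the 25 Caesar keys described above, as an added example that is not part of the original notes. The function names and the small COMMON word list used to recognise English plaintext are assumptions made for this illustration.

```python
# Added example: Caesar shift cipher and brute-force search over its 25 keys.

def caesar(text, k):
    """C = E(p) = (p + k) mod 26; non-letters pass through, case is preserved."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def decrypt(text, k):
    """p = D(C) = (C - k) mod 26."""
    return caesar(text, -k)


# Assumption: a tiny list of common English words stands in for
# "the language of the plaintext is known and easily recognizable".
COMMON = {"the", "and", "of", "to", "in", "is", "it", "me", "that", "was"}


def brute_force(ciphertext):
    """Try every key 1..25 and rank candidates by recognised words."""
    candidates = []
    for k in range(1, 26):
        plain = decrypt(ciphertext, k).lower()
        score = sum(word in COMMON for word in plain.split())
        candidates.append((score, k, plain))
    # Highest score first; ties broken by the smaller key
    candidates.sort(key=lambda c: (-c[0], c[1]))
    return candidates


if __name__ == "__main__":
    # Ciphertext from the example in the text
    for score, k, plain in brute_force("PHHW PH DIWHU WKH WRJD SDUWB")[:3]:
        print(score, k, plain)
```

If the candidate plaintexts were compressed data or an unknown language, every key would score zero here, which is the third characteristic in the list above.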

With only 25 keys Caesar cipher is far from secure. A dramatic increase in the key space may be achieved by allowing an arbitrary substitution. If instead of

Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

the cipher line can be any permutation of the 26 alphabetic symbols, then there are 26! or greater than 4×10^26 possible keys. There is however another line of attack. If the cryptanalyst knows the nature of the plaintext (e.g., noncompressed English text), then the analyst can exploit the regularities of the language.


Let's consider example of ciphertext:

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

As a first step, relative frequency of the letters can be determined and compared to a standard frequency distribution for English:

The relative frequencies of the letters in the ciphertext (in percentages):


P 13.33, Z 11.67, S 8.33, U 8.33, O 7.50, M 6.67,
H 5.83, D 5.00, E 5.00, V 4.17, X 4.17,
F 3.33, W 3.33, Q 2.50, T 2.50, A 1.67,
B 1.67, G 1.67, Y 1.67, I 0.83, J 0.83,
C 0.00, K 0.00, L 0.00, N 0.00, R 0.00

Comparing this with Fig. 2.5, it seems likely that cipher letters P and Z are the equivalents of plain letters e and t, but it is not certain which is which. The letters S, U, O, M, and H are all of relatively high frequency and probably correspond to plain letters from the set {a, h, i, n, o, r, s}. The letters with the lowest frequencies (A, B, G, Y, I, J) are likely included in the set {b, j, k, q, v, x, z}. Now we could make some tentative assignments and start to fill plaintext to see if it looks like a reasonable "skeleton" of a message. Another way is to consider the frequency of two-letter combinations, known as digrams. The most common digram is th. In our ciphertext, the most common digram is ZW, which appears 3 times. So, we make correspondence: Z - t, W - h. Then, P is equated with e. Now notice that sequence ZWP appears in the ciphertext, and we can translate it as "the". Next, notice ZWSZ in the first line. If they form a complete word, it will be thSt. If so, S equates with a. So far, then, we have


(letters not yet assigned are shown as dots)

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
.t.a........e..e.te..a.that.e.e.a.......a...t
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
...e.t...ta.t.ha.e.ee..a.e..th....t..a.
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
.e..e.e.tat..e...the..et............

Continued analysis of frequencies plus trial and error may lead us to the solution:

it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in Moscow

Two principal methods are used in substitution ciphers to lessen the extent to which the structure of the plaintext survives in the ciphertext: One approach is to encrypt multiple letters of the plaintext (Playfair Cipher, Hill Cipher), and the other is to use multiple cipher alphabets (Polyalphabetic Ciphers)
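The first steps of the frequency analysis walked through above (letter percentages, digram counts and the partial "skeleton"), as an added example that is not part of the original notes. The ciphertext is embedded in the block; the function names and the GUESS dictionary are assumptions for this illustration.

```python
# Added example: letter and digram statistics for the monoalphabetic ciphertext.
from collections import Counter

# The 120-letter ciphertext discussed in the text, joined into one string
CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)


def letter_percentages(text):
    """Relative frequency of each letter, in percent, most frequent first."""
    counts = Counter(text)
    return {c: round(100 * n / len(text), 2) for c, n in counts.most_common()}


def digram_counts(text):
    """Count every overlapping two-letter combination."""
    return Counter(text[i:i + 2] for i in range(len(text) - 1))


def skeleton(text, mapping):
    """Apply a partial cipher-to-plain mapping; unknown letters become dots."""
    return "".join(mapping.get(c, ".") for c in text)


# Tentative assignments made in the text: Z - t, W - h, P - e, S - a
GUESS = {"Z": "t", "W": "h", "P": "e", "S": "a"}

if __name__ == "__main__":
    for letter, pct in letter_percentages(CIPHERTEXT).items():
        print(letter, pct)
    print(digram_counts(CIPHERTEXT).most_common(5))
    print(skeleton(CIPHERTEXT, GUESS))
```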

The best-known multiple-letter encryption cipher is the Playfair (invented in 1854 by Sir Charles Wheatstone, but it bears the name of his friend Baron Playfair of St. Andrews, who championed the cipher at the British foreign office), which treats digrams in the plaintext as single units and translates these units into ciphertext digrams.


The Playfair algorithm is based on the use of a 5x5 matrix of letters constructed using a keyword. In the case of keyword monarchy, matrix is as follows:

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to right and from top to bottom, and then filling in the remainder of the matrix with the remaining letters in alphabetic order. The letters I and J count as one letter. Plaintext is encrypted two letters at a time, according to the following rules:
1. Repeating plaintext letters that would fall in the same pair are separated with a filler letter, such as x, so that balloon will be treated as ba lx lo on
2. Plaintext letters that would fall in the same row of matrix are each replaced with the letter to the right, with the first element of the row circularly following the last. For example, ar is encrypted as RM.
3. Plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column circularly following the last. For example, mu is encrypted as CM.


4. Otherwise, each plaintext letter is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter. Thus, hs becomes BP, and ea becomes IM (or JM, as the encipherer wishes).

Since the number of digrams, 26x26=676, is significantly greater than the number of letters, frequency analysis becomes much more difficult. For these reasons, Playfair cipher was for a long time considered unbreakable. It was used as standard field system by the British Army in World War I and still enjoyed considerable use by U.S. Army and other Allied forces during World War II. Despite this level of confidence in its security, the Playfair cipher is relatively easy to break because it still leaves much of the structure of the plaintext language intact. A few hundred letters of ciphertext are generally sufficient.

It was developed by the mathematician Lester Hill in 1929. The encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters. The substitution is determined by m linear equations in which each character is assigned a numerical value:

a=0, b=1, c=2, d=3, e=4, f=5, g=6, h=7, i=8, j=9, k=10, l=11, m=12,
n=13, o=14, p=15, q=16, r=17, s=18, t=19, u=20, v=21, w=22, x=23, y=24, z=25

For m=3, the system can be described as follows:

$$C_1 = (k_{11}p_1 + k_{12}p_2 + k_{13}p_3) \bmod 26$$
$$C_2 = (k_{21}p_1 + k_{22}p_2 + k_{23}p_3) \bmod 26$$
$$C_3 = (k_{31}p_1 + k_{32}p_2 + k_{33}p_3) \bmod 26$$


This can be expressed in terms of column vectors and matrices: $C = KP \bmod 26$, where C and P are column vectors of length 3, representing the ciphertext and the plaintext, and K is a 3x3 matrix, representing the encryption key. Operations are performed mod 26. For example, consider the plaintext "payformoney", and use the encryption key

$$K = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix}$$

The first 3 letters of the plaintext are represented by the vector (15 0 24). Then K(15 0 24) = (375 819 486) mod 26 = (11 13 18) = LNS. Continuing in this fashion, the ciphertext for the entire plaintext is LNSHDLEWMTRW. Decryption requires using the inverse of the matrix K. The inverse $K^{-1}$ of a matrix K is defined by $K K^{-1} = K^{-1} K = I$, where I is the unit matrix (1-s on the diagonal, other elements zeroes). The inverse of the matrix does not always exist, but when it does, it satisfies the preceding equation. In this case, the inverse is

$$K^{-1} = \begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$$

This is demonstrated as follows:

$$K K^{-1} = \begin{pmatrix} 443 & 442 & 442 \\ 858 & 495 & 780 \\ 494 & 52 & 365 \end{pmatrix}$$

And after taking mod 26 of the elements above, unit matrix is obtained. In general terms, the Hill system can be expressed as follows:

$$C = E_K(P) = KP \bmod 26$$
$$P = D_K(C) = K^{-1}C \bmod 26 = K^{-1}KP = P$$

As with Playfair, the strength of the Hill cipher is that it completely hides single-letter frequencies. Although the Hill cipher is strong against a ciphertext-only attack (opponent has only ciphertext), it is easily broken with a known plaintext attack (opponent has pairs plaintext - ciphertext). For an m×m Hill cipher, suppose we have m plaintext-ciphertext pairs, each of length m. We label the pairs $P_j = (p_{1j}, p_{2j}, \ldots, p_{mj})$ and $C_j = (c_{1j}, c_{2j}, \ldots, c_{mj})$ such that $C_j = KP_j$ for $1 \le j \le m$ and for some unknown key matrix K. Now define two m×m matrices $X = (p_{ij})$ and $Y = (c_{ij})$.


Then we can form matrix equation $Y = KX$. If X has an inverse, then we can determine $K = YX^{-1}$. If X is not invertible, then a new version of X can be formed until an invertible X is obtained. Suppose that the plaintext "friday" is encrypted using a 2×2 Hill cipher to yield the ciphertext PQCFKU. Thus, we know that K(5 17) = (15 16); K(8 3) = (2 5); K(0 24) = (10 20). Using the first 2 plaintext-ciphertext pairs, we have

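$$\begin{pmatrix} 15 & 2 \\ 16 & 5 \end{pmatrix} = K \begin{pmatrix} 5 & 8 \\ 17 & 3 \end{pmatrix} \bmod 26$$

The inverse of X can be computed:

$$\begin{pmatrix} 5 & 8 \\ 17 & 3 \end{pmatrix}^{-1} = \begin{pmatrix} 9 & 2 \\ 1 & 15 \end{pmatrix}$$

$$K = \begin{pmatrix} 15 & 2 \\ 16 & 5 \end{pmatrix} \begin{pmatrix} 9 & 2 \\ 1 & 15 \end{pmatrix} = \begin{pmatrix} 137 & 60 \\ 149 & 107 \end{pmatrix} \bmod 26 = \begin{pmatrix} 7 & 8 \\ 19 & 3 \end{pmatrix}$$

Let's check now that this key matrix produces required transformation:

$$\begin{pmatrix} 7 & 8 \\ 19 & 3 \end{pmatrix} \begin{pmatrix} 5 \\ 17 \end{pmatrix} = \begin{pmatrix} 35 + 136 \\ 95 + 51 \end{pmatrix} = \begin{pmatrix} 171 \\ 146 \end{pmatrix} \bmod 26 = \begin{pmatrix} 15 \\ 16 \end{pmatrix}$$

$$\begin{pmatrix} 7 & 8 \\ 19 & 3 \end{pmatrix} \begin{pmatrix} 8 \\ 3 \end{pmatrix} = \begin{pmatrix} 56 + 24 \\ 152 + 9 \end{pmatrix} = \begin{pmatrix} 80 \\ 161 \end{pmatrix} \bmod 26 = \begin{pmatrix} 2 \\ 5 \end{pmatrix}$$

$$\begin{pmatrix} 7 & 8 \\ 19 & 3 \end{pmatrix} \begin{pmatrix} 0 \\ 24 \end{pmatrix} = \begin{pmatrix} 192 \\ 72 \end{pmatrix} \bmod 26 = \begin{pmatrix} 10 \\ 20 \end{pmatrix}$$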
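The known-plaintext recovery of a 2×2 Hill key worked through above, as an added example that is not part of the original notes. It also covers the case where the chosen X is not invertible by moving on to another pair of digrams; the function names are assumptions for this illustration, and `pow(det, -1, 26)` needs Python 3.8 or later.

```python
# Added example: recover a 2x2 Hill key from plaintext-ciphertext pairs.
from itertools import combinations

M = 26


def inv2x2(a, b, c, d):
    """Inverse of [[a, b], [c, d]] mod 26, or None if it does not exist."""
    det = (a * d - b * c) % M
    try:
        det_inv = pow(det, -1, M)
    except ValueError:      # det shares a factor with 26: not invertible
        return None
    return [[d * det_inv % M, -b * det_inv % M],
            [-c * det_inv % M, a * det_inv % M]]


def matmul(A, B):
    """2x2 matrix product mod 26."""
    return [[sum(A[i][k] * B[k][j] for k in range(2)) % M for j in range(2)]
            for i in range(2)]


def to_pairs(text):
    """Letters to numbers (a=0 ... z=25), grouped two at a time."""
    nums = [ord(ch) - ord("a") for ch in text.lower()]
    return [tuple(nums[i:i + 2]) for i in range(0, len(nums), 2)]


def recover_key(plaintext, ciphertext):
    """Solve Y = KX mod 26 for K, trying digram pairs until X is invertible."""
    P, C = to_pairs(plaintext), to_pairs(ciphertext)
    for i, j in combinations(range(len(P)), 2):
        X = [[P[i][0], P[j][0]], [P[i][1], P[j][1]]]   # pairs as columns
        Y = [[C[i][0], C[j][0]], [C[i][1], C[j][1]]]
        X_inv = inv2x2(X[0][0], X[0][1], X[1][0], X[1][1])
        if X_inv is not None:
            return matmul(Y, X_inv)                    # K = Y X^-1
    return None


def hill_encrypt(plaintext, K):
    out = []
    for p in to_pairs(plaintext):
        out += [(K[r][0] * p[0] + K[r][1] * p[1]) % M for r in range(2)]
    return "".join(chr(n + ord("A")) for n in out)


if __name__ == "__main__":
    key = recover_key("friday", "PQCFKU")
    print(key, hill_encrypt("friday", key))
```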