CRYPTOGRAPHY

Lecture 4

Classical
Cryptography
Previous lecture

RECAP
 Extended Euclidean
Algorithm
Given a,b, solve for a.x + b.y=d, to determine the values of x & y. Let a=12345, b=11111, be the two integers,
we have already calculated gcd(12345,11111)=1, so we can write:
gcd(12345, 11111)=1=n*12345 + s*11111,
The problem is to determine the values of n & s ???

From the last line that reveals GCD

From our previous example of
Euclidean algorithm
From d
1=5 – 4*1
a. 12345 = 1*11111 + 1234
Substitute value of the remainder 4 from (c)
b. 11111 = 9*1234 + 5
1=5 – (1234 – 246*5)*1
c. 1234 = 246*5 + 4
1=247*5 -1234
d. 5 = 1*4 + 1
Substitute value of the remainder 5 from (b)
e. 4 = 4*1 + 0
1=247*(11111- 9*1234) -1234
1=247*11111 - 2224*1234
Substitute value of the remainder 1234 from (a)
1=247*11111 - 2224*(12345 – 1*11111)
1=2471*11111 – 2224*12345
 Finding Multiplicative
Inverse (a-1)

How to find?

1. Use the Extended Euclidean Algorithm to find integers s and t, such that a*s +
n*t=1
2. a-1≡ s mod n
From last slide
1=(– 2224)*12345 + (2471)*11111
Verification:
S=-2224, t= 2471
a * a-1≡1 mod 11111
a-1 ≡ s mod n 12345 *8887≡1 mod 11111
-2224≡ (-1)(11111) + 8887
a-1=8887
 Cryptanalysis of the
Affine Cipher (1)
Consider the Cipher-text:

Frequency occurrences of each letter

R D E,H,K F,V P,S A,L,M,U,X B,N,O,Y C,G,I,J,Q,T,W,Z
8 6 5 4 3 2 1 0 57

Hypothesis 1
R is encryption of e eK(4) = 17
D is encryption of t eK(19) = 3
Recall that , ek(x)=a*x + b, thus
4a + b=17 a=6 in Z26
19a + b=3 B=19

gcd(a,m)=gcd(6,26)=2>1 iIlegal key Cont…….

 Cryptanalysis of the
Affine Cipher (2)
Consider the Cipher-text:

Frequency occurrence of each letter

R D E,H,K F,V P,S A,L,M,U,X B,N,O,Y C,G,I,J,Q,T,W,Z
8 6 5 4 3 2 1 0 57

Hypothesis 2
R is encryption of e eK(4) = 17
E is encryption of t eK(19) = 4
Recall that , ek(x)=a*x + b, thus
4a + b=17 a=13 in Z26
19a + b=4 b=17

gcd(a,m)=gcd(13,26)=13>1 iIlegal key

 Cryptanalysis of the
Affine Cipher (3)
Consider the Cipher-text:

Frequency occurrence of each letter

R D E,H,K F,V P,S A,L,M,U,X B,N,O,Y C,G,I,J,Q,T,W,Z
8 6 5 4 3 2 1 0 57

Hypothesis 3
R is encryption of e eK(4) = 17
H is encryption of t eK(19) = 7
Recall that , ek(x)=a*x + b, thus
4a + b=17 a=8 in Z26
19a + b=7 b=11

gcd(a,m)=gcd(8,26)=2>1 iIlegal key

 Cryptanalysis of the
Affine Cipher (4)
Consider the Cipher-text:

Frequency occurrence of each letter

R D E,H,K F,V P,S A,L,M,U,X B,N,O,Y C,G,I,J,Q,T,W,Z
8 6 5 4 3 2 1 0 57
Hypothesis 4
R is encryption of e eK(4) = 17 4a + b=17 a=3 in Z26
K is encryption of t eK(19) = 10 19a + b=10 b=5

gcd(a,m)=gcd(3,26)=1 Looks a legal key Key=K(3,5)

Verify 3-1 mod 26=9 The decryption function dk(y)=9*y - 9

The ciphertext is:
Algorithmsarequitegeneraldefinitionsofarithmeticprocesses
 Classical
Cryptosystems
(Polyalphabetic)
 Polyalphabetic Ciphers
• polyalphabetic substitution ciphers
• improve security using multiple cipher alphabets
• make cryptanalysis harder with more alphabets to
guess and flatter frequency distribution
• use a key to select which alphabet is used for each
letter of the message
• use each alphabet in turn
• repeat from start after end of key is reached
 1. The Vigenere Cipher

Suppose key length (m)=6

Possible
Key word (K) = C I P H E R = (2,8,15,7,4,17)
keys= 26m
Plaintext (P) = thiscryptosystemisnotsecure
P t h i s c r y p t o s y

19 7 8 18 2 17 24 15 19 14 18 24
K 2 8 15 7 4 17 2 8 15 7 4 17
21 15 23 25 6 8 0 23 8 21 22 15
C V P X Z G I A X I V W P
P s t e m i s n o t s e c u R e
18 19 4 12 8 18 13 14 19 18 4 2 20 17 4
K 2 8 15 7 4 17 2 8 15 7 4 17 2 8 15
20 1 19 19 12 9 15 22 8 25 8 19 22 25 19
C U B T T M J P W I Z I T W Z T

Ciphertext (C) = VPXZGIAXIVWPUBTTMJPWIZITWZI

 Vigenère Cipher
• simplest polyalphabetic substitution cipher
• effectively multiple caesar ciphers
• key is multiple letters long K = k1 k2 ... kd
• ith letter specifies ith alphabet to use
• use each alphabet in turn
• repeat from start after d letters in message
• decryption simply works in reverse
 Example of Vigenère Cipher
• write the plaintext out
• write the keyword repeated above it
• use each key letter as a caesar cipher key
• encrypt the corresponding plaintext letter
• eg using keyword deceptive
key: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ
 Implementing polyalphabetic
• Implementing polyalphabetic ciphers by hand can be very
tedious
• Various aids were devised to assist the process
• simple aids can assist with en/decryption
• The "Saint-Cyr Slide" was popularized and named by Jean
Kerckhoffs
• Saint-Cyr Slide is a simple manual aid
– a slide with repeated alphabet
– line up plaintext 'A' with key letter, eg 'C'
– then read off any mapping for key letter
• can bend round into a cipher disk
• or expand into a Vigenère Tableau
 Security of Vigenère Ciphers
• have multiple ciphertext letters for each
plaintext letter
• hence letter frequencies are obscured
• but not totally lost
• start with letter frequencies
– see if look monoalphabetic or not
• if not, then need to determine number of
alphabets, since then can attach each
 Autokey Cipher
• ideally want a key as long as the message
• Vigenère proposed the autokey cipher
• with keyword is prefixed to message as key
• knowing keyword can recover the first few letters
• use these in turn on the rest of the message
• but still have frequency characteristics to attack
• eg. given key deceptive
key: deceptivewearediscoveredsav
plaintext: wearediscoveredsaveyourself
ciphertext:ZICVTWQNGKZEIIGASXSTSLVVWLA
 One-Time Pad
• if a truly random key as long as the message is used,
the cipher will be secure
• called a One-Time pad
• is unbreakable since ciphertext bears no statistical
relationship to the plaintext
• since for any plaintext & any ciphertext there exists
a key mapping one to other
• can only use the key once though
• problems in generation & safe distribution of key
Cryptanalysis of the Vigenère Cipher
• The Vigenère Cipher makes use of a keyword of length m. The
number of possible key words of length m is 26m. e.g. Take
m=5, the key space has size 265=1.1 x 107, an exhaustive key
search would require long time

• So,
First step: determine the key length=m,
Second step: determine the key (word) itself
After that decryption of the message is easy.
 The Permutation Cipher

• This cryptosystem is really old.

• It was described in book by Giovanni Porta written in 1563.

• “Rail-fence” cipher is an example of permutation cipher.

 The Permutation Cipher
• In order to use the cipher a permutation has to be
defined. Let us use the following permutation as
example:

x 1 2 3 4 5 6 c 1 2 3 4 5 6
-1
π(x) 5 1 6 3 2 4 π (c) 2 5 4 6 1 3

• Since m = 6, the original message has to be broken on

n groups of six letters each. If last group is shorter,
necessary number of dummy letters can be appended
to the end.
• Each group is rearranged according to the permutation
defined previously.
• To decrypt a ciphertext message inverse permutation
should be applied in a similar way.
 The Permutation Cipher
Suppose m=6, and the key is the following permutation π:

x 1 2 3 4 5 6
π(x) 3 5 1 6 4 2

• Now suppose we are given the plaintext:

shesellsseashellsbytheseashore
• We first partition it into a group of 6:
shesel lsseas hellsb ythese ashore
• Now each group of 6 letters is rearranged according to the permutation table π:
EESLSH SALSES LSHBLE HSYEET HRAEOS
• This is ciphertext, which can be decrypted in a similar fashion using inversion
permutation π-1

x 1 2 3 4 5 6
Π-1(x) 3 6 1 5 2 4
 Rail Fence cipher
• write message letters out diagonally over a number
of rows
• then read off cipher row by row
• eg. write message out as:
m e m a t r h t g p r y
e t e f e t e o a a t
• giving ciphertext
MEMATRHTGPRYETEFETEOAAT
 Row Transposition Ciphers
• a more complex transposition
• write letters of message out in rows over a
specified number of columns
• then reorder the columns according to some
key before reading off the rows
Key: 4 3 1 2 5 6 7
Plaintext: a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
 Product Ciphers
• ciphers using substitutions or transpositions are not
secure because of language characteristics
• hence consider using several ciphers in succession to
make harder, but:
– two substitutions make a more complex substitution
– two transpositions make more complex transposition
– but a substitution followed by a transposition makes a new
much harder cipher
• this is bridge from classical to modern ciphers
 The Hill Cipher

• As well as Vigenère, this cipher is polyalphabetic.

• It was invented by Lester S. Hill in 1929.

 The Hill Cipher
• To encrypt a message using the Hill Cipher one should perform
the following sequence of steps:
– Using the Table (below), plaintext message has to be
expressed as sequence of integers in such a way that p = (p1,
…, pm)
– The key is an m×m matrix
– The resulting ciphertext c = ek(p) = p×k will be a string (c1, …,
cm) of length m
• To decrypt the ciphertext one should apply the inverse linear
transformation. In other words
-1 -1
p = c× k , where k k mod 26 = I.

A B C D E F G H I J K L M N 0 P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
 The Hill Cipher
Example:
• Encrypting a message using the Hill Cipher is very simple. Decryption however is
more challenging.
• Suppose the key (K) is
11 8 
k   
 3 7 
• We can compute K-1, which is,
 7 18 
k   
 23 11 

• We are given the following ciphertext “july”, we need to encrypt two pieces of
plaintext ju (9,20) and ly (11,24):
11 8
9 20   99  60, 72  40  3, 4
3 7
and
11 24
11 8
  121  72, 88  168  11 22
3 7 

• Hence the encryption of july is DELW

 The Hill Cipher
Example:
• To decrypt, we use K-1, following computation are made:

 7 18 
3 4   21  92, 54  44  9, 20
and  23 11
 7 18 
11 22   77  506, 198  242  11, 24
 23 11
• Hence the correct plaintext is obtained

• In order to decrypt, it is needed the determinant of K to satisfy:

gcd( det(K), 26) =1=(53, 26)

To calculate inverse, the usual formula is:

1
a b  1  d  b
    
c d  ad  bc   c a 
 Quiz 2
• Encrypt and decrypt “TANK” using Hill cipher, where
•
11 8 
k   
 3 7
 Solution Quiz 2
• Cipher Text is:
– DWRS
Cryptanalysis of the Vigenère Cipher

Determine Key length

• There are two techniques that can be employed to

determine key length.
– Kasiski test
– Index of coincidence.
 Kasiski Test
• The Kasiski test was introduced in 1863 by a Prussian
military officer Friedrich Kasiski

• The method is based on the observation that two identical

segments of plaintext will be encrypted to the same
ciphertext as long as they are δ positions apart (δ ≡ 0 (mod
m)).

• Our goal is to find several identical pieces of text, each of

length at least three, and record the distance between their
starting position. m divides all of the distances δ1, δ2, …, δn.
Hence m be the greatest common divisor of the δi’s.
 Kasiski Test
• In the ciphertext trigram TYX occurs 3 times. The starting positions are 25,
181, and 235. The distance between the first and the second is 156
symbols, between the first and the third 210. The gcd of these two numbers
is 6, so we can assume that the keyword length is also 6.

MRGFNIATXZQVFFNUXFFYBTCE25TYXIIXGZKACJLRGKQYEIX
OYYAUAPXYIJLHPRGVTSFPAYNNYURZOPHXWYXLFRNUTZBR
FKAHFWFZESYUWZMOLLBSBZBJHFPLXKHVIVMZTZHUIWAET
IUEDFGLXDIEXIYJIUXPNNEIXABVCINTVCIEZYYDAZGZIW
181TYXJIKTRZLMFFKALGZNVKZXIIMXUUNAPGVXFUSMISKHVY

VOCRVXRIW235TYXZOIRFNUXZNXLDUDPZGVHVOWMOYJERLAUG
LVTUXTHRBUQZTYTXORNKBASFFXGHQVDSHUYJSYHDYUWYX
YYKHVTUCDACAHXSEVGJIEFZGLXRSBXSYKOEPPNYAKTUAC
EFYILFWEAHCIAUALLZNXMVCKLRRHGFNXMOYUESKPM
 Index of Coincidence
• Now we will use the index of coincidence to see if it gives the same result.
• The index of coincidence is defined as follows:

Suppose x  x1x2 ...xn is a string of n alphabetic

characters. The index of coincedence of x,
denoted Ic ( x ), is defined to be the probability that
two random elements of x are identical.

• If we denote the frequencies of A, B, C, …, Z in x by f1, f2, f3, …, f25. We can

n
choose two elements of x in   ways. There are  fi  ways of choosing two same
 2  2
elements. Hence, we have the formula
25
 fi  25
    fi (fi  1)
Ic ( x )     i  0
i 0 2

n n(n  1)
 
2
 Index of Coincidence
• Index of coincidence of a string written in English is approximately
equal to 0.065. Table 1

25
Ic ( x )   pi2  0.065
i 0

• Every language has such an IC, for example:

– Russian: 0.0529
– German: 0.0762
– Spanish: 0.0775

• Index of coincidence of a random string in English is approximately

equal to 2
 1  1
Ic  26     0.038
 26  26
 Index of Coincidence
• Now we rewrite the ciphertext c in the following way
c1  c1cm 1c2m 1 ...
c2  c2cm  2cm 2 ...
...
cm  cmc2mc3 m ...
• If c1, c2, …, cm are constructed in such a way that m is the keyword
length, then each Ic(ci) should be approximately equal to 0.065

• Following table contains Ic for different values of m:

m Ic
1 0.043
2 0.052; 0.051
3 0.05; 0.059; 0.045 This method also
4 0.049; 0.053; 0.052; 0.051 shows that m = 6
5 0.034; 0.05; 0.048; 0.038; 0.045
6 0.063; 0.07; 0.083; 0.062; 0.071; 0.048
7 0.033; 0.041; 0.038; 0.046; 0.041; 0.04; 0.047
Cryptanalysis of the Vigenère Cipher
Determine the Key Word

• To determine the keyword itself we use a method similar to the

index of coincidence.
• Each substring ci was produced using a monoalphabetic cipher.
Thus defining a shift g we can use the following formula
25 p f
Mg   i i g For values of pi, consult Table 1
i 0 n
where f1, f2, …, fi denotes the frequencies of A, B, …, Z in the
substring ci, and n is the length of the substring.
• If g is the correct shift value, Mg would be roughly equal to
0.065
• Now we have to determine the most suitable value of Mg for
each of the substrings.
 Cryptanalysis of the Vigenère Cipher
i Mg
0.062; 0.042; 0.033; 0.035; 0.041; 0.039; 0.030; 0.040; 0.036; 0.039; 0.026; 0.040;
1 0.043; 0.046; 0.038; 0.046; 0.032; 0.033; 0.042; 0.043; 0.037; 0.029; 0.047; 0.035;
0.032; 0.036
0.033; 0.037; 0.035; 0.035; 0.046; 0.042; 0.048; 0.040; 0.032; 0.028; 0.043; 0.040;
2 0.038; 0.046; 0.037; 0.026; 0.042; 0.065; 0.037; 0.033; 0.041; 0.044; 0.029; 0.036;
0.038; 0.034
0.038; 0.030; 0.038; 0.029; 0.043; 0.041; 0.052; 0.034; 0.041; 0.041; 0.036; 0.033;
3 0.040; 0.040; 0.028; 0.050; 0.031; 0.025; 0.036; 0.073; 0.039; 0.035; 0.034; 0.044;
0.033; 0.038
0.040; 0.043; 0.034; 0.047; 0.038; 0.031; 0.042; 0.064; 0.037; 0.027; 0.030; 0.042;
4 0.036; 0.036; 0.038; 0.039; 0.043; 0.041; 0.040; 0.034; 0.044; 0.042; 0.040; 0.033;
0.027; 0.034
0.030; 0.037; 0.034; 0.030; 0.046; 0.047; 0.041; 0.036; 0.035; 0.043; 0.047; 0.035;
5 0.038; 0.035; 0.033; 0.036; 0.049; 0.034; 0.027; 0.044; 0.065; 0.037; 0.026; 0.044;
0.045; 0.028
0.031; 0.039; 0.041; 0.041; 0.038; 0.044; 0.044; 0.034; 0.030; 0.037; 0.039; 0.036;
6 0.035; 0.039; 0.034; 0.034; 0.042; 0.059; 0.043; 0.029; 0.036; 0.043; 0.037; 0.033;
0.039; 0.035

• We have found the keyword, which is ARTHUR.

 Cryptanalysis of the Vigenère Cipher
• The recovered plaintext message (with spaces added) is:

many traces we found of him in the boggirt island where he had

hid his savage ally a huge driving wheel and a shaft half filled with
rubbish showed the position of an abandoned mine beside it were
the crumbling remains of the cottages of the miners driven away
no doubt by the foul reek of the surrounding swamp in one of
these a staple and chain with a quantity of gnawed bones showed
where the animal had been confined a skeleton with a tangle of
brown hair adhering to it lay among the debris.

(Taken from Hound of the Baskervilles, by Arthur Conan Doyle)

Cryptanalysis of the Hill
Cipher
• The Hill Cipher is difficult to break using only ciphertex but it can
be easily broken using known plaintext attack

• Suppose we possess m distinct plaintext-ciphertext pairs pj = (p1,j

, p2,j , …, pm,j) and cj = (c1,j, c2,j, …, cm,j), where m is the key
dimension. Let us define two m×m matrices X = (ci,j) and Y = (pi,j).
Then Y = X k.

Now it is easy to find the key, k = X-1Y,

where X X-1 mod 26 = I.

Cryptanalysis of the Hill
Cipher
• Assume we have ciphertext “IKNQYB” and we know that the plaintext
is “cipher”.
• Assume m = 2. ek(2, 8) = (8, 10), ek(15, 7) = (13, 16), and ek (4, 17) =
(24, 1). Using the second and the third plaintext-ciphertext pairs, we
come up with the following equation in the form Y = X k
 13 16   15 7 
  k
 24 1   4 17 
• To find the key, we need inverse modulo of X
1
 15 7   5 1
   
 4 17   8 9 
• Now
 5 1  13 16   11 3 
k    
 8 9  24 1   8 7 
 Rotor Machines
• before modern ciphers, rotor machines were most
common complex ciphers in use
• widely used in WW2
– German Enigma, Allied Hagelin, Japanese Purple
• implemented a very complex, varying substitution
cipher
• used a series of cylinders, each giving one
substitution, which rotated and changed after each
letter was encrypted
• with 3 cylinders have 263=17576 alphabets
Hagelin Rotor Machine
 Steganography
• an alternative to encryption
• hides existence of message
– using only a subset of letters/words in a longer
message marked in some way
– using invisible ink
– hiding in LSB in graphic image or sound file
• has drawbacks
– high overhead to hide relatively few info bits
Example

(a) Secret Image SI (b) Innocent image 1 (c) Innocent image 2

(d) Share 1

(e) Share 2

4 3/14/2023
5 (f) Stacking 1 & 2