Cryptanalysis - Lecture Slides - Cryptography and Data Security | COMP 7120

Cryptanalysis
- Assumption: (Kerckhoffs' principle) the cryptosystem used is known to the opponent.
- designer should not assume what system used can remain secret.
- attack models: kind of information available to the adversary.

Attack models
- x = plaintext, y = ciphertext.
1. ciphertext only attack: only y is known. (weakest type of attack models)
2. known plaintext attack: some (x, y) where x → y is known.
3. chosen plaintext attack: temporary access to $e_k(x)$ [encryption machine]
4. chosen ciphertext attack: temporary access to $d_k(y)$ [decryption machine]

Table 1.1. Letter Frequency
[Frequency values not preserved. The slide lists the letters A to Z alphabetically and again in descending order of frequency: E T A O I N S H R D L C U M W F G Y P B V K J Q X Z]

Common Digram and Trigram
- Common Digrams:
  - TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI, OF
- Common Trigram:
  - THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH

Table 1.1 vs. Table 1.
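[Frequency values not preserved. Letter order in the first table (Table 1.1, English text): E T A O I N S H R D L C U M W F G Y P B V K J Q X Z. Letter order in the second table (ciphertext): R D E H K F V S A L M P U X B N O Y C G I J Q T W Z]
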
Cryptanalysis: affine cipher
- Encryption $e_k(x) = ax + b \bmod 26$.
- "a" and "b" are unknown.
- Matching Table 1.1 and Table 1.2 can reduce the number of ways to solve "a" and "b". (read e.g. 1.10, page 28-29).
- NOTE: since the key space is small (how many?), we can easily solve by an exhaustive search program.

Cryptanalysis: Vigenere cipher
- keyword of length m: $k = (k_1, k_2, \ldots, k_m)$
- m = keyword length.
- $y = (y_1, y_2, \ldots, y_n)$ is observed
- n = (large) ciphertext length. assume m|n.
- $e_k(x_i) = x_i + k_i \pmod{26}$, i = 1, .., m is the "position" in each block of size m.
- Cryptanalysis: need to find m and k.

Cryptanalysis: Vigenere cipher
- e.g. 1.12 (page 34) ciphertext:
  - CHREEVOAHMAERATBIAXXWTNXBE…
- Q: how to find m and keyword k?
- A: Kasiski test.
- NOTE: CHR appeared five times at position 1, 166, 236, 276, and 286.
- "distances" are multiple of 5. Hence m = 5.
- Other systematic method?

Using $I_c(x)$ to find m
- $y = (y_1, y_2, \ldots, y_n)$ be the ciphertext.
- Divide y into m (guess) sub-strings as
  - $\mathbf{y}_1 = y_1, y_{m+1}, y_{2m+1}, \ldots$
  - $\mathbf{y}_2 = y_2, y_{m+2}, y_{2m+2}, \ldots$
  - …
  - $\mathbf{y}_m = y_m, y_{2m}, y_{3m}, \ldots$
- Compute $I_c(\mathbf{y}_i)$, i = 1, 2, .., m.
- for correct m, the values of $I_c(\mathbf{y}_i)$ ≈
- for incorrect m, the values of $I_c(\mathbf{y}_i)$ ≈

Block length m determination
- Recall $I_c(x) = \sum_i [f_i (f_i - 1)] / [n(n-1)]$
- If x is a regular English text, $I_c(x) \approx \sum_i p_i^2$
- $p_i$ = the relative frequency in Table 1.1. (i = 0, 1, …, 25)
- Note: $I_c(x)$ remains unchanged with permutation.
- If x is a random text, $I_c(x)$
- For m indices $I_c(\mathbf{y}_i)$, i = 1, 2, .., m.
  - if m is correct, $\mathbf{y}_i$ is a sub-string of regular English text, and the values of $I_c(\mathbf{y}_i)$ ≈
  - if m is incorrect, $\mathbf{y}_i$ is a sub-string of random text, and values of $I_c(\mathbf{y}_i)$ ≈

Find key k
- Divide y into m sub-strings as
  - $\mathbf{y}_1 = y_1, y_{m+1}, y_{2m+1}, \ldots$
  - $\mathbf{y}_2 = y_2, y_{m+2}, y_{2m+2}, \ldots$
  - …
  - $\mathbf{y}_m = y_m, y_{2m}, y_{3m}, \ldots$
- Note: Each letter in $\mathbf{y}_i$ has been shifted by the same amount $g = k_i$. We search for g such that
  $M_g = \sum_j p_j Q_{j+g} \approx \sum_j p_j^2 \approx 0.065$. [why?]
- $Q_{j+g}$ is the relative letter frequency in $\mathbf{y}_i$.

Example 1.12. Find key k
- e.g. 1.12 (page 34) ciphertext:
  - CHREEVOAHMAERATBIAXXWTNXBE…
- m = 5. Divide the ciphertext into 5 substrings $\mathbf{y}_1, \ldots, \mathbf{y}_5$.
- For each g = 0, 1, 2, …, 25 compute $M_g(\mathbf{y}_i)$ as shown in Table 1.4 (page 35)
- The correct key index g are boxed.
- k = (9, 0, 13, 4, 19) = JANET. (show!)

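The two steps above (finding m from $I_c$, then each key letter from $M_g$) as an added example that is not part of the original slides. The plaintext is a constructed sample rather than the ciphertext of Example 1.12, the probabilities in `P` are assumed standard English values standing in for Table 1.1, and the function names and the 0.055 threshold are choices made for this sketch.

```python
from collections import Counter
from string import ascii_uppercase as AZ

# Assumed English letter probabilities p_0..p_25 (A..Z), standing in for Table 1.1.
P = [.082, .015, .028, .043, .127, .022, .020, .061, .070, .002, .008, .040, .024,
     .067, .075, .019, .001, .060, .063, .091, .028, .010, .023, .001, .020, .001]

def vigenere(text, key, sign=1):
    """Shift letter i of text by sign * key[i mod m] (mod 26); sign=-1 decrypts."""
    return "".join(AZ[(ord(c) - 65 + sign * (ord(key[i % len(key)]) - 65)) % 26]
                   for i, c in enumerate(text))

def index_of_coincidence(s):
    """I_c(s) = sum_i f_i (f_i - 1) / (n (n - 1))."""
    n = len(s)
    return sum(f * (f - 1) for f in Counter(s).values()) / (n * (n - 1))

def guess_key_length(y, max_m=10, threshold=0.055):
    """Smallest m whose substrings y_1..y_m have an English-like mean I_c."""
    for m in range(1, max_m + 1):
        if sum(index_of_coincidence(y[i::m]) for i in range(m)) / m > threshold:
            return m
    return None

def best_shift(sub):
    """Shift g that maximizes M_g = sum_j p_j * Q_{j+g} for one substring."""
    f, n = Counter(sub), len(sub)
    return max(range(26),
               key=lambda g: sum(P[j] * f[AZ[(j + g) % 26]] / n for j in range(26)))

def recover_key(y):
    """Find m from I_c, then one key letter per substring from M_g."""
    m = guess_key_length(y)
    return "".join(AZ[best_shift(y[i::m])] for i in range(m))

# Constructed sample plaintext (not the lecture's Example 1.12), letters only.
SAMPLE = "".join(c for c in """
The security of a cipher should never depend on keeping the algorithm secret because
the opponent is assumed to know the system in use. What must stay hidden is the key
alone. When the same short keyword is repeated over a long message, every letter in a
given position of the block is shifted by the same amount, and the statistics of
ordinary English text begin to show through the ciphertext. An analyst who counts how
often each letter occurs in those positions can compare the counts with the expected
frequencies of the language and then recover the keyword one letter at a time.
""".upper() if c.isalpha())
CIPHERTEXT = vigenere(SAMPLE, "JANET")  # keyword borrowed from the slide's example

if __name__ == "__main__":
    key = recover_key(CIPHERTEXT)
    print(key, vigenere(CIPHERTEXT, key, -1)[:48])
```
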
Hill cipher
- $P = C = (\mathbb{Z}_{26})^m$
- $K = (\mathbb{Z}_{26})^{m \times m}$, key K is a m×m matrix.
- plaintext: $x = (x_1, x_2, \ldots, x_m)$
- ciphertext: $y = (y_1, y_2, \ldots, y_m)$
- $e_k(x) = xK \pmod{26}$,
- $d_k(y) = yK^{-1} \pmod{26}$.

Cryptanalysis: Hill cipher
- Can be hard to break with ciphertext only.
  - statistical frequency analysis is not useful. why not?
- However, it is quite simple to break under known plaintext attack.
  - collect at least m pairs of $(x_i, y_i)$ and solve a m×m matrix equation. (how?)