Cryptanalysis on short messages encrypted with M-138 cipher machine

Transcription

1 Cryptanalysis on short messages encrypted with M-138 cipher machine Tsonka Baicheva Miroslav Dimitrov Institute of Mathematics and Informatics Bulgarian Academy of Sciences July, 2017 Sofia

2 Introduction to M-138 I Showcase Aluminum board (1) with 25 channels.

3 Introduction to M-138 II 25 strips of paper bearing random-mixed repeated alphabets (2) of 26 letters (total of 52 letters).

4 Introduction to M-138 III A vertical rule (3) called the reading guide, which can be slid to the right or left.

5 The M-138 key I Encryption key The key consists of 25 strips out of 100 possible strips and an offset in the range [1, 25].

6 The M-138 key II Encryption key The key consists of 25 strips out of 100 possible strips and an offset in the range [1, 25]. Example: 42, 19, 26, 28, 02, 17, 49, 38, 87, 08, 94, 64, 92, 88, 37, 63, 39, 35, 30, 31, 05, 27, 34, 78, 60

7 The M-138 key III Encryption key The key consists of 25 strips out of 100 possible strips and an offset in the range [1, 25]. Example: 42, 19, 26, 28, 02, 17, 49, 38, 87, 08, 94, 64, 92, 88, 37, 63, 39, 35, 30, 31, 05, 27, 34, 78, 60 In the current key the offset is 13. The strips with numbers 42, 19,..., 60 are positioned in the aluminum frame from top to bottom.

8 The M-138 encryption procedure I Encryption procedure on message M The message is divided on blocks of 25 letters - m 1, m 2,..., m M 25

9 The M-138 encryption procedure II Encryption procedure on message M The message is divided on blocks of 25 letters - m 1, m 2,..., m M 25 We setup the strips (provided in the first part of the encryption key) in the aluminum frame.

10 The M-138 encryption procedure III Encryption procedure on message M The message is divided on blocks of 25 letters - m 1, m 2,..., m M 25 We setup the strips (provided in the first part of the encryption key) in the aluminum frame. We slide each strip left or right. At the end we should be able to read the message following the reading guide (from top to bottom).

11 The M-138 encryption procedure IV Encryption procedure on message M The message is divided on blocks of 25 letters - m 1, m 2,..., m M 25 We setup the strips (provided in the first part of the encryption key) in the aluminum frame. We slide each strip left or right. At the end we should be able to read the message following the reading guide (from top to bottom). Then, using the second part of the encryption key - the offset, we move the reading guide as many positions to the right, as specified in the offset value.

12 The M-138 encryption procedure V Encryption procedure on message M The message is divided on blocks of 25 letters - m 1, m 2,..., m M 25 We setup the strips (provided in the first part of the encryption key) in the aluminum frame. We slide each strip left or right. At the end we should be able to read the message following the reading guide (from top to bottom). Then, using the second part of the encryption key - the offset, we move the reading guide as many positions to the right, as specified in the offset value. The final step is to follow the reading guide. The resulting string is the encrypted text.

13 Example I Encryption key: 36, 61, 94, 13, 25, 01,... Plain message: SECRET...

14 Example II Encryption key: 36, 61, 94, 13, 25, 01,... Plain message: SECRET...

15 Example III Encryption key: 36, 61, 94, 13, 25, 01,... Plain message: SECRET... Encrypted message with offset 4: WRJAZE...

16 M-138 Key Space I In order to determine whether the brute-force attack is computationally feasible or not, we need to calculate the key space of the M-138. When an ordered subset from 100 strips with cardinality 25 is used, the key space is: Ω = ( ) 25! As example, the key space of 3DES, using three different keys, is

17 M-138 Key Space II If we are able to process 300, 000 keys/s, we will need approximately years to iterate through all possible elements of the key set (brute force). We need different strategy...

18 M-138 Ciphertext-only attack I To stimulate research on this topic Klaus Schmeh created the M-138 challenge introduced on the following web page(kk): m-138-challenge/, as well as some additional challenges here(mt): L3 on MT: message with length 100 L4 on MT = L1 on KK: message with length 75 L2 on KK: message with length 50 L1 on KK: message with length 25

19 M-138 Ciphertext-only attack II The best cryptanalysis strategy publicly available is on message with length 100: Implementation and Cryptanalysis of the M-138 in CrypTool 2.0, N. Rehwald. Universitat Kassel, (2015) We tried to attack the encrypted text with length 100, by using our implementation of the described method (inner and outer Hill Climbing algorithms combined with weighted N-gram fitness function). We optimized the speed of the algorithm by using only 3-grams as a fitness measure, which reduced the overheat.

20 M-138 Ciphertext-only attack III As the author of the M-138 cryptanalysis paper stated, he fails to recover the encrypted message with length 75. By testing the problem with our implementation we reached the same conclusion. We will describe a different strategy for cryptanalysis using deterministic algorithms.

21 M-138 COA - The problem PTIJJHDJPKYTMTKUVEPDHYKLHDEYMGLIJLNWKX VGZILQNCJRHWJNBJFUAQHNBJGXWZBESXNXPZH

22 M-138 COA - Stage I Triplets Cut Attack I Definition By triplet we define any three consecutive symbols positioned on the reading guide of a M-138 cipher machine. We define them as t(i, j), where i defines the starting position of the triplet, while j defines the block index we got the triplet from. For consistency, we should include the limitation i > 1 i < j 1.

23 M-138 COA - Stage I Triplets Cut Attack II Definition By rotor we define all triplets in a text, generated by M-138 cipher machine, with a common starting position. We define them as ROT (i), where i defines the starting position of the rotor. For consistency, we should include the limitation i > 1 i < j 1.

24 M-138 COA - Stage I Triplets Cut Attack III

25 M-138 COA - Stage I Triplets Cut Attack IV Analyzing various sources of parsed English texts, we estimated the expected logarithmic probability of chosen rotors on positions 0, 3, 6, 9, 12, 15, 18, 21 over specially chosen unencrypted texts (sentences or paragraphs), but divided by blocks of length 25. Few things should be considered: The logarithmic probability of a rotor is the sum of all the logarithmic probability of triplets it posses. The unencrypted texts were chosen in such a way, to guarantee at least 1 rotor with exactly 3 triplets. When organizing the texts by rotors, all the rotors with few or more than 3 triplets were discarded. Following the previous consideration, we discarded sentences (or paragraphs) with parsed length less than 53 or more than 72.

26 M-138 COA - Stage I Triplets Cut Attack V Triplets Cut Attack When we split an encrypted with M-138 cipher machine English text by rotors, and using the generated logarithmic probabilities of the rotors, we expect a logarithmic probabilities greater than The rotor consist of 9 letters, but its construction depends only on 3 strips. For each rotor and a fixed offset value, we can try all possible strip configurations, cut the undesired values and sort the results. Our experiments revealed, that iterating through all possible combinations of strips , for a given fixed offset value, roughly 97% of the rotors have a logarithmic probability less than

27 M-138 COA - Stage II DWS I By the Triplets Cut Attack we have considerably shrank the possible space of meaningful English texts. Then, we have implemented a search strategy called Deterministic Wave Search - DWS. By deterministic we mean that given two different instances of the same algorithm having equal starting states, will assure yielding of equal final results. An instance of the algorithm will always lead to an ending state.

28 M-138 COA - Stage II DWS II The strategy is the following: 1 The starting state is generated by a fixed position of ROT (0), and random positions of remaining rotors. For simplicity, we will declare the final strip as the last rotor. ROT (0) is the current rotor. 2 We iterate through all possible indexes of the right-adjacent rotor to the current rotor. The optimal logarithmic probability defines our next current rotor. If the index of the current rotor is i, the index of the next current rotor is (i+3) mod 25 - in the general case. If the current rotor is the eight rotor, the next current rotor will be the last rotor (the strip). If the current rotor is the last rotor (the strip), the next current rotor will be ROT (0).

29 M-138 COA - Stage II DWS III 3 We observe the searching results. If we make 8 consecutive hops (a cycle), without improving the optimal logarithmic probability, we announce the final result as a local optimum. 4 We iterate through all possible offsets, but not all possible indexes of ROT (0). To further optimize the speed of the algorithm, we limit the fixed starting position of ROT (0) to the top 150 optimal indexes of it. In case the desired configuration of plaintext ROT (0) is not among the top 150 results, almost always exists some rotor J in top 150 indexes, for which the common characters between the real ROT (0) and itself is no less than 6, which doesn t affect the attack.

30 M-138 COA - Stage II DWS IV

31 The attack in practice (75) Decrypted message: CRYPTOGRAPHYPROVIDESMEANSFORSECURE COMMUNICATIONSINTHEPRESENCEOFTHIRDPARTIES Extracted key: Used offset: +4