Cryptanalysis on short messages encrypted with M-138 cipher machine


Tsonka Baicheva, Miroslav Dimitrov
Institute of Mathematics and Informatics, Bulgarian Academy of Sciences
10-14 July, 2017, Sofia

Introduction to M-138
Showcase:
- Aluminum board (1) with 25 channels.
- 25 strips of paper (2) bearing randomly mixed, repeated alphabets of 26 letters (52 letters in total).
- A vertical rule (3), called the reading guide, which can be slid to the right or left.

The M-138 key
Encryption key: the key consists of 25 strips out of 100 possible strips and an offset in the range [1, 25].
Example: 42, 19, 26, 28, 02, 17, 49, 38, 87, 08, 94, 64, 92, 88, 37, 63, 39, 35, 30, 31, 05, 27, 34, 78, 60
In this key the offset is 13. The strips with numbers 42, 19, ..., 60 are positioned in the aluminum frame from top to bottom.

The M-138 encryption procedure
Encryption procedure on message M:
1. The message is divided into blocks of 25 letters: $m_1, m_2, \ldots, m_{M/25}$.
2. We set up the strips (given in the first part of the encryption key) in the aluminum frame.
3. We slide each strip left or right. At the end we should be able to read the message along the reading guide (from top to bottom).
4. Then, using the second part of the encryption key, the offset, we move the reading guide as many positions to the right as the offset value specifies.
5. The final step is to read along the reading guide. The resulting string is the encrypted text.

Example
Encryption key: 36, 61, 94, 13, 25, 01,...
Plain message: SECRET...
Encrypted message with offset 4: WRJAZE...
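The procedure above as a small model, added here as an example and not taken from the slides. The 100 strip alphabets are constructed with a seeded shuffle because the real M-138 strips are not on the page, so the output will not reproduce the WRJAZE example; `STRIPS`, `check_key`, `encrypt` and `decrypt` are names chosen for this example, and the key is the one shown on the key slide.

```python
import random
import string

ALPHABET = string.ascii_uppercase
# Constructed strips: the 100 real M-138 strip alphabets are not on the page.
_rng = random.Random(138)
STRIPS = {n: "".join(_rng.sample(ALPHABET, 26)) for n in range(1, 101)}

def check_key(strip_ids, offset):
    """A key is 25 distinct strips out of 100 plus an offset in [1, 25]."""
    if len(strip_ids) != 25 or len(set(strip_ids)) != 25:
        raise ValueError("need 25 distinct strips")
    if any(s not in STRIPS for s in strip_ids) or not 1 <= offset <= 25:
        raise ValueError("strip number or offset out of range")

def _read(strip_ids, offset, text, forward):
    out = []
    for n, ch in enumerate(text):
        # Letter n of each 25-letter block sits on the strip in channel n % 25.
        doubled = STRIPS[strip_ids[n % 25]] * 2   # alphabet repeated: 52 letters
        if forward:   # plaintext under the guide, read `offset` columns to the right
            out.append(doubled[doubled.index(ch) + offset])
        else:         # ciphertext under the guide, read `offset` columns to the left
            out.append(doubled[doubled.index(ch, 26) - offset])
    return "".join(out)

def encrypt(strip_ids, offset, plaintext):
    check_key(strip_ids, offset)
    return _read(strip_ids, offset, plaintext, True)

def decrypt(strip_ids, offset, ciphertext):
    check_key(strip_ids, offset)
    return _read(strip_ids, offset, ciphertext, False)

# Key from the slides' key example (strips top to bottom), used with offset 13.
KEY = [42, 19, 26, 28, 2, 17, 49, 38, 87, 8, 94, 64, 92,
       88, 37, 63, 39, 35, 30, 31, 5, 27, 34, 78, 60]

if __name__ == "__main__":
    ct = encrypt(KEY, 13, "SECRETMESSAGE")
    print(ct, decrypt(KEY, 13, ct))
```

Because the offset lies in [1, 25] and each strip carries a 26-letter permutation, no letter ever encrypts to itself.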

M-138 Key Space I
In order to determine whether a brute-force attack is computationally feasible, we need to calculate the key space of the M-138. When an ordered subset of cardinality 25 from 100 strips is used, the key space is:
$\Omega = \binom{100}{25} \cdot 25! \cdot 25 \approx 2^{166}$
For example, the key space of 3DES, using three different keys, is $2^{168}$.

M-138 Key Space II
If we are able to process 300,000 keys/s, we will need approximately $2^{122.89}$ years to iterate through all possible elements of the key set (brute force). We need a different strategy...

M-138 Ciphertext-only attack I
To stimulate research on this topic, Klaus Schmeh created the M-138 challenge, introduced on the following web page (KK): http://scienceblogs.de/klausis-krypto-kolumne/m-138-challenge/
Some additional challenges are available here (MT): http://www.mysterytwisterc3.org/
- L3 on MT: message with length 100
- L4 on MT = L1 on KK: message with length 75
- L2 on KK: message with length 50
- L1 on KK: message with length 25

M-138 Ciphertext-only attack II
The best publicly available cryptanalysis strategy is for a message with length 100: Implementation and Cryptanalysis of the M-138 in CrypTool 2.0, N. Rehwald, Universität Kassel (2015).
We tried to attack the encrypted text with length 100 by using our implementation of the described method (inner and outer Hill Climbing algorithms combined with a weighted N-gram fitness function). We optimized the speed of the algorithm by using only 3-grams as a fitness measure, which reduced the overhead.

M-138 Ciphertext-only attack III
As the author of the M-138 cryptanalysis paper stated, he failed to recover the encrypted message with length 75. By testing the problem with our implementation we reached the same conclusion. We will describe a different strategy for cryptanalysis using deterministic algorithms.

M-138 COA - The problem
PTIJJHDJPKYTMTKUVEPDHYKLHDEYMGLIJLNWKXVGZILQNCJRHWJNBJFUAQHNBJGXWZBESXNXPZH

M-138 COA - Stage I Triplets Cut Attack I
Definition: A triplet is any three consecutive symbols positioned on the reading guide of an M-138 cipher machine. We denote a triplet by t(i, j), where i is the starting position of the triplet and j is the index of the block the triplet was taken from. For consistency, we should include the limitation i > 1 i < j 1.

M-138 COA - Stage I Triplets Cut Attack II
Definition: A rotor is the set of all triplets with a common starting position in a text generated by an M-138 cipher machine. We denote a rotor by ROT(i), where i is the starting position of the rotor. For consistency, we should include the limitation i > 1 i < j 1.


M-138 COA - Stage I Triplets Cut Attack IV
Analyzing various sources of parsed English texts, we estimated the expected logarithmic probability of chosen rotors on positions 0, 3, 6, 9, 12, 15, 18, 21 over specially chosen unencrypted texts (sentences or paragraphs), divided into blocks of length 25. A few things should be considered:
- The logarithmic probability of a rotor is the sum of the logarithmic probabilities of all the triplets it possesses.
- The unencrypted texts were chosen in such a way as to guarantee at least 1 rotor with exactly 3 triplets.
- When organizing the texts by rotors, all the rotors with fewer or more than 3 triplets were discarded.
- Following the previous consideration, we discarded sentences (or paragraphs) with parsed length less than 53 or more than 72.

M-138 COA - Stage I Triplets Cut Attack V
Triplets Cut Attack: When we split an English text encrypted with the M-138 cipher machine by rotors and use the generated logarithmic probabilities of the rotors, we expect logarithmic probabilities greater than -13.0. A rotor consists of 9 letters, but its construction depends on only 3 strips. For each rotor and a fixed offset value, we can try all possible strip configurations, cut the undesired values and sort the results. Our experiments revealed that, iterating through all 970200 possible combinations of strips for a given fixed offset value, roughly 97% of the rotors have a logarithmic probability less than -13.0.
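The cut for a single rotor and a fixed offset, as an added example that is not the authors' implementation. The strips and key are constructed with a seeded shuffle, and the trigram table is a toy one built from the known 75-letter plaintext, standing in for the corpus-derived table the slides describe; `UNSEEN` and `CUT` are toy values for that table, not the slides' -13.0.

```python
import itertools, math, random, string
from collections import Counter

rng = random.Random(138)
# Constructed stand-ins for the 100 strips; the real alphabets are not on the page.
STRIPS = ["".join(rng.sample(string.ascii_uppercase, 26)) for _ in range(100)]
KEY = rng.sample(range(100), 25)      # constructed key: strip index per channel
OFFSET = 4
PLAIN = ("CRYPTOGRAPHYPROVIDESMEANSFORSECURE"
         "COMMUNICATIONSINTHEPRESENCEOFTHIRDPARTIES")  # plaintext from the slides

def shift(strip, ch, k):
    """Letter k places to the right of ch on a strip (negative k: to the left)."""
    return strip[(strip.index(ch) + k) % 26]

def encrypt(text, key, offset):
    return "".join(shift(STRIPS[key[n % 25]], ch, offset)
                   for n, ch in enumerate(text))

# Toy trigram table (log10) built from PLAIN itself so the example runs offline.
_tri = Counter(PLAIN[n:n + 3] for n in range(len(PLAIN) - 2))
LOGP = {t: math.log10(c / sum(_tri.values())) for t, c in _tri.items()}
UNSEEN, CUT = -7.0, -6.5   # toy values; one unseen trigram already fails the cut

def triplets_cut(cipher, i, offset, cut=CUT):
    """Score ROT(i) under every ordered strip triple; return survivors, best first."""
    blocks = [cipher[b:b + 25] for b in range(0, len(cipher), 25)]
    trips = [blk[i:i + 3] for blk in blocks if len(blk) >= i + 3]  # t(i, j) per block j
    # dec[p][s]: plaintext letters strip s yields at rotor position p, one per block
    dec = [[[shift(s, t[p], -offset) for t in trips] for s in STRIPS]
           for p in range(3)]
    survivors, tried = [], 0
    for a, b, c in itertools.permutations(range(len(STRIPS)), 3):
        tried += 1
        score = sum(LOGP.get(x + y + z, UNSEEN)
                    for x, y, z in zip(dec[0][a], dec[1][b], dec[2][c]))
        if score > cut:
            survivors.append((score, (a, b, c)))
    return sorted(survivors, reverse=True), tried

if __name__ == "__main__":
    kept, tried = triplets_cut(encrypt(PLAIN, KEY, OFFSET), 0, OFFSET)
    print(tried, "triples tried,", len(kept), "kept; true:", tuple(KEY[:3]))
```

A real run repeats this for each of the eight rotor positions and each of the 25 offsets, with trigram statistics taken from English text.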

M-138 COA - Stage II DWS I
With the Triplets Cut Attack we have considerably shrunk the possible space of meaningful English texts. Then, we implemented a search strategy called Deterministic Wave Search (DWS). By deterministic we mean that two different instances of the same algorithm with equal starting states are guaranteed to yield equal final results. An instance of the algorithm will always lead to an ending state.

M-138 COA - Stage II DWS II
The strategy is the following:
1. The starting state is generated by a fixed position of ROT(0) and random positions of the remaining rotors. For simplicity, we will declare the final strip as the last rotor. ROT(0) is the current rotor.
2. We iterate through all possible indexes of the rotor right-adjacent to the current rotor. The optimal logarithmic probability defines our next current rotor. If the index of the current rotor is i, the index of the next current rotor is (i+3) mod 25 in the general case. If the current rotor is the eighth rotor, the next current rotor will be the last rotor (the strip). If the current rotor is the last rotor (the strip), the next current rotor will be ROT(0).

M-138 COA - Stage II DWS III
3. We observe the search results. If we make 8 consecutive hops (a cycle) without improving the optimal logarithmic probability, we announce the final result as a local optimum.
4. We iterate through all possible offsets, but not all possible indexes of ROT(0). To further optimize the speed of the algorithm, we limit the fixed starting position of ROT(0) to its top 150 optimal indexes. In case the desired configuration of plaintext ROT(0) is not among the top 150 results, there almost always exists some rotor J among the top 150 indexes that shares no fewer than 6 characters with the real ROT(0), which doesn't affect the attack.


The attack in practice (75)
Decrypted message: CRYPTOGRAPHYPROVIDESMEANSFORSECURECOMMUNICATIONSINTHEPRESENCEOFTHIRDPARTIES
Extracted key: 79 42 66 12 18 88 27 54 91 85 72 90 76 78 36 28 30 41 48 2 8 22 59 98 33
Used offset: +4