EE 418 Network Security and Cryptography
Lecture #3
October 6, 2016

Classical cryptosystems.

Lecture notes prepared by Professor Radha Poovendran.

Tamara Bonaci
Department of Electrical Engineering
University of Washington, Seattle

Outline:
1. The Shift Cipher
2. The Substitution Cipher
3. The Affine Cipher
4. The Euclidean Algorithm

Methods of making communicated messages unintelligible to attackers have been important throughout history. In today's lecture, we cover some classical (historical) cryptosystems that were primarily used before the advent of computers. In doing so, we will make use of number theory, especially the modular arithmetic we just reviewed. We start with the shift cipher.

1 The Shift Cipher

The shift cipher is one of the oldest known cryptosystems, often attributed to Julius Caesar. The idea used in this cryptosystem is to replace each letter in an alphabet by another letter at a distance $K$ from it. Formally, let's associate each letter A, B, ..., Z with an integer 0, ..., 25. If we allow the key $K$ to be any integer with $0 \le K \le 25$, the shift cipher can be defined as follows: $\mathcal{P} = \mathcal{C} = \mathcal{K} = \mathbb{Z}_{26}$. For $0 \le K \le 25$,

$$y = e_K(x) = (x + K) \bmod 26, \tag{1}$$
$$x = d_K(y) = (y - K) \bmod 26. \tag{2}$$

Example: Let $K = 3$ and let the plaintext be shift. Assume each letter is shifted right (or left) by 3 places. We then get VKLIW as the ciphertext for the right shift, or PEFCQ for the left shift.
Is the Shift Cipher Secure?

NO. Let's try a brute force attack: Assume Eve knows a shift cipher algorithm is used for encryption, and she observes the ciphertext VKLIW. Given the small cardinality of the key space, Eve can try all 26 possible shifts in the right direction. Upon shifting, candidate plaintexts are obtained as shown in Fig. 1: ujkhv, tijgu, shift, and so on. Since shift is the only dictionary word in the list of 26 possible words, Eve can assume that it is indeed the plaintext that was encrypted. Thus, Eve not only recovers the plaintext, but also infers the original key $K = 3$.

vkliw
  1st left shift: ujkhv
  2nd left shift: tijgu
  3rd left shift: shift

Fig. 1. Brute force attack on shift cipher.

2 The Substitution Cipher

In the shift cipher cryptosystem, each letter of the plaintext is replaced with a letter at a fixed distance determined by the key $K$. Given the keyspace $\mathcal{K} = \mathbb{Z}_{26}$, there are only 26 possible keys in this cipher. The substitution cipher overcomes this limitation and provides a much larger keyspace. The idea of the substitution cipher is to replace each letter of the plaintext with a letter at an arbitrary distance. Formally, we can describe this cryptosystem as follows. Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}$. The keyspace $\mathcal{K}$ includes all possible permutations of the 26 symbols $0, 1, \ldots, 25$. For each permutation $\pi \in \mathcal{K}$:

$$y = e_\pi(x) = \pi(x), \tag{3}$$
$$d_\pi(y) = \pi^{-1}(y). \tag{4}$$
$\pi^{-1}$ denotes the inverse permutation to $\pi$.

Is the Substitution Cipher Secure?

Brute force attack: Since a key consists of a permutation of the 26 letters, the keyspace is very large ($26! \approx 4.0 \times 10^{26}$). Hence, the key space in the substitution cipher is much larger than the key space of the shift cipher, and a brute force attack (exhaustive search) will take a long time. However, other attacks are feasible against the substitution cipher. For example, frequency analysis may allow us to break this cipher, as we will show next week.

3 The Affine Cipher

The idea of the affine cipher is to first scale and then shift, which is known as the affine transformation.

$$y = e_K(x) = (ax + b) \bmod 26, \tag{5}$$
$$d_K(y) = a^{-1}(y - b) \bmod 26. \tag{6}$$

In this scheme, the pair $(a, b)$ denotes the cryptographic key $K$ used for encryption/decryption. Here we need to know which pairs $(a, b)$ are valid keys that yield an injective encryption function, and we need to know $a^{-1}$ for decryption.

Note: if $a = 1$, the affine cipher becomes identical to the shift cipher.

[Figure: encryption multiplies $x$ by $a$ and then adds $b$ to give $y = ax + b$; decryption adds $-b$ to $y$ and then multiplies by $a^{-1}$ to recover $x$.]

Fig. 2. Schematic of the affine cipher cryptosystem

3.1 Modular Multiplicative Inverse

Many of the cryptosystems covered in this course involve finding the multiplicative inverse of an integer $a$ under modulo arithmetic with base integer $m$, and the affine cipher is the first such cryptosystem that we will consider. Therefore, let's start by defining/reviewing what the modular multiplicative inverse is.

Definition 1. The modular multiplicative inverse of an integer $a \in \mathbb{Z}_m$ modulo $m$, denoted as $a^{-1} \pmod{m}$, is an element $a' \in \mathbb{Z}_m$ such that:

$$a a' \equiv a' a \equiv 1 \pmod{m}. \tag{7}$$

The modular multiplicative inverse of an integer $a \in \mathbb{Z}_m$ can be found using either the Extended Euclidean Algorithm or the Direct Modular Exponentiation method.

3.2 Decryption with Affine Cipher

Given the modular multiplicative inverse, the congruence $y \equiv ax + b \pmod{26}$ can be solved for $x$ as follows:

$$ax \equiv y - b \pmod{26}, \tag{8}$$
$$a^{-1}(ax) \equiv a^{-1}(y - b) \pmod{26}, \tag{9}$$
$$a^{-1}(ax) \equiv (a^{-1}a)x \equiv 1x \equiv x \pmod{26}, \tag{10}$$
$$x = a^{-1}(y - b) \bmod 26. \tag{11}$$

Example: Let $a = 9$ and $b = 3$. Let the plaintext be d, which corresponds to the numerical value 3.

$$e_K(d) = (9 \cdot 3 + 3) \bmod 26 = 4. \tag{12}$$
For the decryption part,

$$d_K(4) = a^{-1}(4 - b) \bmod 26 = 9^{-1}(4 - 3) \bmod 26 = 9^{-1} \pmod{26} = 3, \tag{13}$$

which is the multiplicative inverse of 9 (mod 26), i.e. $9 \cdot 3 \equiv 1 \pmod{26}$.

3.3 Problem with the Choice of a

Not all choices of $a$ have a multiplicative inverse. As an example, consider the case where $a = 13$ and $b = 3$. Assume the plaintext is the word busted. Using the English letters conversion table, we can compute the ciphertext for busted as follows.

$$e_K(1) = (13 \cdot 1 + 3) \bmod 26 = 16 = \text{Q}. \tag{14}$$
$$e_K(20) = (13 \cdot 20 + 3) \bmod 26 = 3 = \text{D}. \tag{15}$$
$$e_K(18) = (13 \cdot 18 + 3) \bmod 26 = 3 = \text{D}. \tag{16}$$
$$e_K(19) = (13 \cdot 19 + 3) \bmod 26 = 16 = \text{Q}. \tag{17}$$
$$e_K(4) = (13 \cdot 4 + 3) \bmod 26 = 3 = \text{D}. \tag{18}$$
$$e_K(3) = (13 \cdot 3 + 3) \bmod 26 = 16 = \text{Q}. \tag{19}$$

i.e., busted $\to$ QDDQDQ.

Since multiple plaintexts will result in this ciphertext (for instance, the word dealer also encrypts to QDDQDQ), no unique decryption is possible here. This is due to the fact that $a = 13$ does not have a multiplicative inverse in $\mathbb{Z}_{26}$. For your interest, you can also work out the example for $a = 2$ and see that the affine cipher does not work.

It is thus important to characterize the integers that have multiplicative inverses mod 26, and in doing so, we have to review the concepts of prime number and greatest common divisor.

Definition 2. An integer $p > 1$ is a prime number if it has no positive divisors other than 1 and $p$.

If the size of our keyspace, $m$, is a prime number, then every non-zero element of $\mathbb{Z}_m$ has a multiplicative inverse.

Definition 3. Given two integers $a$ and $b$, the greatest common divisor of $a$ and $b$ (denoted $\gcd(a, b)$) is equal to the largest integer $c$ that divides both $a$ and $b$.

Theorem 1. An integer $a$ has an inverse (mod $m$) if and only if there exist numbers $p$ and $q$ such that

$$ap + qm = 1 \pmod{m}. \tag{20}$$

Proof. Let's rewrite equation (20) as:

$$1 = ap + qm \equiv ap \pmod{m}. \tag{21}$$

Equation (21) implies that $a$ has a modular multiplicative inverse $p$ (mod $m$).
Let's now recall that some number $r \equiv 1 \pmod{m}$ if and only if we can write:

$$r + bm = 1 \tag{22}$$

for some $b$, implying that $ap \equiv 1 \pmod{m}$ if and only if it holds that:

$$ap + mq = 1 \tag{23}$$

for some $q$. Equation (23) is, in turn, valid only if $\gcd(a, m) = 1$. To see why, let $c = \gcd(a, m)$ and suppose $c > 1$. Then there exist positive integers $\alpha, \beta$ satisfying $a = \alpha c$ and $m = \beta c$. If $ap + mq = 1$ for some $p, q$, then $pc\alpha + qc\beta = 1$, hence $c(p\alpha + q\beta) = 1$. This is a contradiction, since there are no positive integers that divide 1 (except 1 itself).

The other direction of the theorem is also true: if $\gcd(a, m) = 1$, then there exist integers $p, q$ satisfying equation (20). These integers can be computed using the extended Euclidean algorithm, and the integer $p$ is a modular multiplicative inverse of $a$ (mod $m$).
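One way to compute the integers $p, q$ of Theorem 1 and use $p$ as $a^{-1}$ in the affine cipher, as an added example that is not part of the original lecture notes. The function names and the `check_key` switch are this example's own, and the input is assumed to consist of the letters a-z only.

```python
# Added illustration: names below are this example's own, not from the lecture.
A = ord("a")  # letters a..z map to 0..25; input is assumed to be letters only

def egcd(a, m):
    """Extended Euclid: return (g, p, q) with a*p + m*q == g == gcd(a, m)."""
    r0, r1, p0, p1, q0, q1 = a, m, 1, 0, 0, 1
    while r1:
        k = r0 // r1
        r0, r1 = r1, r0 - k * r1
        p0, p1 = p1, p0 - k * p1
        q0, q1 = q1, q0 - k * q1
    return r0, p0, q0

def mod_inverse(a, m=26):
    """Inverse of a modulo m; ValueError when gcd(a, m) != 1 (Theorem 1)."""
    g, p, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"a={a} has no inverse mod {m}: gcd is {g}")
    return p % m

def encrypt(text, a, b, m=26, check_key=True):
    """e_K(x) = (a*x + b) mod m; ciphertext is returned in upper case."""
    if check_key:
        mod_inverse(a, m)  # reject keys for which e_K is not injective
    return "".join(chr((a * (ord(c) - A) + b) % m + A)
                   for c in text.lower()).upper()

def decrypt(cipher, a, b, m=26):
    """d_K(y) = a^{-1} * (y - b) mod m."""
    a_inv = mod_inverse(a, m)
    return "".join(chr(a_inv * (ord(c) - A - b) % m + A)
                   for c in cipher.lower())

if __name__ == "__main__":
    print(egcd(9, 26))                 # coefficients p, q for a = 9, m = 26
    c = encrypt("busted", 9, 3)        # valid key: gcd(9, 26) = 1
    print(c, decrypt(c, 9, 3))
    # a = 13 is not invertible: the two plaintexts from Section 3.3 collide.
    print(encrypt("busted", 13, 3, check_key=False),
          encrypt("dealer", 13, 3, check_key=False))
```

With `check_key` left at its default, `encrypt` refuses $a = 13$ before producing any ciphertext, which is the check a key-generation routine for this cipher needs.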
Theorem 2. If $\gcd(a, m) = 1$ then $ax \equiv y \pmod{m}$ has a unique solution.

Example: Given $m = 26$, for $a = 13$ we have $\gcd(13, 26) = 13 \neq 1$. Also, if $a = 2$ then $\gcd(2, 26) = 2$. But for $a = 9$, $\gcd(9, 26) = 1$ and hence the affine cipher works. Similarly, for $a = 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25$ we have $\gcd(a, 26) = 1$. Hence, $a$ can take a total of 12 values with unique inverses in $\mathbb{Z}_{26}$, and $b$ can take any of the 26 values in $\mathbb{Z}_{26}$. Therefore the key space is limited to $12 \times 26 = 312$ values for $K$, and a brute force attack (exhaustive search) is possible.

3.4 Computation of the Cardinality of the Key Space for the Affine Cipher

Theorem 3 (Unique Factorization). For any integer $m$, there exists an integer $n$, a set of distinct primes $p_1, \ldots, p_n$, and a set of integers $e_1, \ldots, e_n$ satisfying

$$m = p_1^{e_1} p_2^{e_2} \cdots p_n^{e_n}. \tag{24}$$

Furthermore, the sequences $p_1, \ldots, p_n$ and $e_1, \ldots, e_n$ are unique up to reordering of the $p_i$'s.

Example: For $x = 432$,

$$432 = 2^4 \cdot 3^3. \tag{25}$$

This factorization is unique up to a rearrangement of the terms on the right hand side (i.e., we can write $3^3 \cdot 2^4$ instead).

Definition 4. Two integers $a \ge 1$ and $m \ge 2$ are said to be relatively prime if $\gcd(a, m) = 1$. The number of integers in $\mathbb{Z}_m$ that are relatively prime to $m$ is known as the Euler-phi function, denoted by $\varphi(m)$.

Theorem 4. Let

$$m = \prod_{i=1}^{n} p_i^{e_i}, \tag{26}$$

where the $p_i$ are distinct primes and $e_i > 0$, $1 \le i \le n$. Then

$$\varphi(m) = \prod_{i=1}^{n} \left(p_i^{e_i} - p_i^{e_i - 1}\right). \tag{27}$$

Based on Theorem 2, the cardinality of the key space for the affine cipher is $m\varphi(m)$.

Example: For $m = 60$,

$$60 = 2^2 \cdot 3^1 \cdot 5^1, \tag{28}$$
$$\varphi(m) = (4 - 2)(3 - 1)(5 - 1) = 16. \tag{29}$$

The cardinality of the key space is $60 \times 16 = 960$ keys.

Sources for Today's Lecture:
1. Douglas R. Stinson, Cryptography, Theory and Practice, 3rd edition. CRC Press, 2005, p. 1-19.
2. Wade Trappe and Lawrence C. Washington, Introduction to Cryptography with Coding Theory. Prentice Hall, 2002, p. 1-26 and 59-74.
3. Neil Daswani, Christoph Kern, and Anita Kesavan, Foundations of Security, What Every Programmer Needs to Know. Apress, 2007, p. 203-221.
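Theorem 4 and the key-space count $m\varphi(m)$ from Section 3.4, checked against a direct enumeration of the valid multipliers $a$, as an added example that is not part of the original lecture notes. The function names are this example's own, and trial division is used for the factorization because the moduli here are small.

```python
# Added illustration: names below are this example's own, not from the lecture.
from math import gcd

def factorize(m):
    """Trial division: return {prime: exponent} for m >= 2 (Theorem 3)."""
    factors, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:  # whatever is left is a single prime factor
        factors[m] = factors.get(m, 0) + 1
    return factors

def phi_formula(m):
    """Equation (27): product of p^e - p^(e-1) over the prime powers of m."""
    result = 1
    for p, e in factorize(m).items():
        result *= p**e - p**(e - 1)
    return result

def valid_multipliers(m):
    """All a in Z_m with gcd(a, m) == 1, i.e. the usable values of a."""
    return [a for a in range(m) if gcd(a, m) == 1]

def affine_keyspace(m):
    """Valid (a, b) pairs: phi(m) choices of a times m choices of b."""
    return m * phi_formula(m)

if __name__ == "__main__":
    for m in (26, 60, 432):
        # The product formula must agree with the direct count.
        assert phi_formula(m) == len(valid_multipliers(m))
        print(m, factorize(m), phi_formula(m), affine_keyspace(m))
    print(valid_multipliers(26))
```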