Shift cipherexample

1
Shift cipher--example

• Suppose a plaintext word cryptography
• Change each letter by shifting the letter three
  position rightward
• The cipherword is FUBSWRJUDSKB

Question if given the above cipherword, how to
get original word?
Change each letter by shifting the letter three
position leftward.
This kind of cryptosystem is called Caesar
Cipher
Convention plaintext by small letter but
ciphertext by CAPITAL LETTER. For encryption and
decryption change letters a z to number 0
25.
2
Shift cipherformal definition

• Let P C K, Z26 , for 0? K ? 25, define
• eK(x) x K mod 26
• and
• dK(y) y - K mod 26
• (x, y ? Z26 )

3
Shift cipher -- security
Two basic properties for a cryptosystem
1. Each encryption function eK and each
decryption dK should be efficiently
computable. 2. An opponent upon seeing
a ciphertext string y, should be unable to
determine the key K that was used, or the
plaintext string x.
Question is shift cipher secure?
Of course NOT, since there are only 26 possible
keys, it is easy to be broken by exhaustive key
search.
Example page 6 from handout (Dr. Stinson book)
JBCRCLQRWCRVNBJENBWRWN
Plaintext astitchintimesavesnine (K9)
On average, a plaintext will be computed after
trying 26/213 times.
4
Shift ciphergeneric form

• Let P C K, Zm , for 0? K ? m 1, define
• eK(x) x K mod m
• and
• dK(y) y - K mod m
• (x, y ? Zm and m is a positive integer)

Note plaintext is English text.
introduce math whenever needed.
5
Basic Mathnumber theory

• Integers Z ,-3,-2,-1,0,1,2,3,
• Zn0,1,,n-1
• Greatest common divisor dgcd(a,b)
• e.g., gcd(21,26)1, gcd(6,26)2.
• If gcd(a,b) 1, then a and b are co-prime, or a
  is relatively prime to b.
• Zn 0? b ? n gcd(b,n)1
• Fact (Zn,?) forms a group.

6
Basic Math--Modular arithmetic

• Suppose a, b integers, m positive integer.
• a ? b mod m if m divides a b. i.e., a mod m
  b mod m, or a b ? 0 mod m.
• It is called that a is congruent to b modulo m,
  and m is called the modulus.
• Using a mod m 0, e.g., 101 mod 73, -101 mod 74
  (not 3)
• Given any m, define Zm 0,1,,m-1, equipped
  with two operation and ? with modulo m,
• (Zm, ) is an abelian group. (Zm, , ?) is a
  ring.

7
Group (Abstract Algebra)

• Definition (G, )
• Closed
• Associative
• Identity element 1,
• Inverse element
• If commutative, called abelian group.
• Example
• (Z, ) infinite group,
• (Zn , ) group of order n (modulo n).
• (Zn, ?) is not a group
• (Zn, ?) is a group of order ?(n).

8
Ring (Abstract algebra)

• Definition (R, , ?)
• (R, ) abelian group with identity denoted 0.
• ? is associative
• Exist a multiplicative identity 1 ? 0
• ? is distributive over .
• If a ? b b ? a, then commutative ring.
• Example
• (Z, , ?) infinite commutative ring
• (Zn , , ?) commutative ring (modulo n)
• (Zn, , ?) is not a ring.
• An element a of a ring R is called a unit of an
  invertible element if a has an inverse.
• The set of units in a ring R forms a group under
  ?, called the group of unit of R.
• Example the group of units of Zn is Zn.

9
Abstract algebra--field

• Definition (F, , ?)
• A commutative ring in which all non-zero elements
  have multiplicative inverse.
• Example
• (Z, , ?) is not a field.
• (R, , ?) is a field.
• Fact
• (Zn, , ?) is a field iff n is a prime.

10
Substitution cipherformal definition

• Let P C Z26 , K, consists of all possible
  permutations of the 26 symbols 0,1, , 25 ( or
  a,b,,z). For each permutation ? ?K, , define
• e?(x) ?(x)
• and
• d?(y) ?-1(y)
• (?-1 is the inverse permutation of ? )

11
Substitution cipherexample

• Given following random permutation ?,
• a b c d e f g h i j k l m
  n o p q r s t u v w x y
  z
• X N Y A H P O G ZQ WB T S F L
  R C VMU E K J D I
• Thus e?(a) X, e?(b) N, etc. Correspondingly,
  d?(X) a, d?(N) b, d?(A) d, d?(B) l, etc.
• Given plaintext cryptography
• The ciphertext YCDLMFOCXLGD
• Given ciphertext MGZVYZLGHCMHJMYXSSFMNHAHYCDLMHA

t
h
i
s
ciphertextcannotbedecrypted
--The plaintext
12
Substitution cipher -- security
Question what is the key space?
A key is a permutation of 26 letters, so 26!
permutations, i.e., more than 4.0 ? 1026 . Thus
exhaustive key search is infeasible.
However, using frequency analysis, substitution
cipher is easily broken.
Question what is the relationship between shift
and substitution cipher?
Shift cipher is a special case of substitution
cipher which includes only 26 of 26! possible
permutations.
13
Affine cipher--introduction

• Also a special case of substitution cipher
• Encryption function e(x) axb mod 26
• where a, b ? Z26 and gcd(a, 26) 1.
• Why gcd(a, 26) 1? See Basic Math-number theory
• Therefore, when gcd(a, 26) 1, ax (y b) mod
  26 has a unique solution x, i.e., x a-1(y - b)
  mod 26. That is to say
• given ciphertext y, decrypt y to get
  plaintext x by computing a-1(y - b) mod 26.

14
Basic Math-number theory

• Theorem the congruence ax ? b mod m has a unique
  solution x ? Zm for each b ? Zm if and only if
  gcd(a, m) 1.
• Theorem suppose a ? Zm and gcd(a, m) 1. Then
  there exists a unique element ? Zm , denoted by
  a-1, such that aa-1 ? a-1a ? 1 mod m. a-1 is
  called the multiplicative inverse of a.

15
Affine ciphersecurity

• In Z26 , 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23
  and 25 are relatively prime to 26.
• 1-1 1, 3-1 9, 5-1 21, 7-1 15, ., 25-1
  25
• Therefore Affine cipher has 12 ? 26 312
  possible keys. (Of course this is much too small
  to be secure)

16
Basic Math-number theory

• Theorem suppose m ?i1n piei , where the pis
  are distinct primes and ei gt 0, then the number
  of integers in Zm that are relatively prime to
  m, denoted by ? (m), is ? (m) ?i1n (piei -
  piei-1 ). ? (m) is called Euler phi-function.
• 262?13 21?131,
• ? (26)(21 -20)(131- 130)1?1212
  
• 100 22?52 , ? (100)(22 -21)(52- 51)2 ?2040
• Zn ? (n)

17
Affine cipherformal definition

• Let P C Z26 and let
• K, (a,b) ? Z26 ? Z26
  gcd(a,26)1
• For K (a,b)? K, define
• eK(x)(axb) mod 26
• and
• dK(y)a-1(y-b) mod 26
• (x, y ? Z26 )

18
Affine cipherexample

• Example 1.3, page 11 (see handouts, Dr. Stinson
  book).
• Suppose K(7,3) then
• eK(x) (7x3) mod 26
• dK(y) 15y-19 mod 26 (i.e., 7-1(y-3) mod 26)
• Check dK(eK(x))x
• Given plaintext hot
• Get ciphertext AXG

19
Vigenere cipher--introduction

• In substitution ciphers, once a key is chosen,
  each character in the plaintext is constantly
  mapped into a unique character in ciphertext,
  called monoalphabetic cryptosystems.
• If the same character at different locations in
  plaintext is mapped into different characters in
  ciphertext, called polyalphabetic cryptosystems.
• Vigenere cipher is a kind of polyalphabetic
  cipher
• Each key consists of m characters, called
  keyword.
• Encrypt m characters at a time, i.e., each
  plaintext element is equivalent to m characters.
• Devised by Blaise de Vigenere in the sixteen
  century.

20
Vigenere cipherformal definition

• Let m be an positive integer.
• Define P C K, (Z26)m.
• For each K (k1,k2,,km), define
• eK(x1,x2,,xm) (x1 k1, x2 k2,,
  xm km)
• and
• dK(y1,y2,,ym) (y1- k1, y2- k2,, ym- km)
• Where all operations are performed in Z26, i.e,
  mod 26..

21
Vigenere cipherexample

• Example 1.4, page 12 from handouts (Dr. Stinson
  book).
• Suppose m6 and keyword CIPHER
• Given plaintext
• thiscryptosystemisnotsecure
• The ciphertext will be
• VPXZGIAXIVWPUBTTMJPWIZITWZT
• On the contrary, subtract the keyword from
  ciphertext to get the plaintext.

22
Vigenere ciphersecurity
Question what is the key space? Suppose the
keyword length is m.
There are total 26m possible keys.
Suppose m5, then 265 1.1 ? 107 , which is
large enough to preclude exhaustive key search by
hand.
However, we will see that there will be a
systemic method to break Vigenere cipher.
We see that one character could be mapped into m
different characters when the character is in m
different positions.
23
Hill cipher -- introduction

• Another polyalphabetic cipher.
• Invented in 1929 by Lester S. Hill.
• Let m be an positive integer, and let P C
  (Z26)m
• First divide the characters in plaintext into
  blocks of m characters, take m linear
  combinations of the m characters, thus producing
  the m characters in ciphertext.

24
Hill cipher -- example
Suppose m2, a plaintext element is written as
x(x1,x2) and a ciphertext element as y(y1,y2).
Here y1 would be a linear combination of x1 and
x2, as would y2.
Suppose we take y1(11x1 3x2) mod 26 y2(8x1
7x2) mod 26 then y1 and y2 can be computed
from x1 and x2
We can write the above computations in matrix
notation
11 8
(y1, y2) (x1, x2) ( )
3 7
11 8
or y xK where y(y1, y2) , x(x1, x2), and
K( )
3 7
Assume all operations are performed by modulo 26.
25
Hill cipher theoretical foundation

• Given plaintext x, we get ciphertext y xK
• If given ciphertext y, we should get plaintext x
  by yK-1

Thus, for Hill cipher to work, the matrix K must
have an inverse K-1.
From linear algebra, suppose Im is an identity
matrix, K is m?m matrix, Then KK-1Im. So,
yK-1xKK-1xImx.
26
Hill cipher example
Example 1.5, suppose key is
K-1( )
7 18 23 11
K( )

• 8
• 3 7

then
Given plaintext july , the ciphertext is
DELW
On the other hand, from DELW, we can get july.
27
Hill cipher algebra foundation

• Determinant of a matrix A, denoted by det A
• -- if A(aij) is 2?2, then det A a11a22 a12a21
• -- if A(aij) is 3?3, then det A a11a22a33
  a12a23a31 a13a21a32
• - a13a22a31 - a12a21a33 - a11a23a32

k11 k12 k21 k22
with kij ? Z26
K( )
2. Theorem suppose
Then K has an inverse if and only if det K is
invertible in Z26 if and only if
gcd(det K, 26)1 Moreover,
k22 -k12 -k21 k11
K-1(det K)-1( )
Where det K k11k22 k12k21
compute the inverse matrix of example 1.5.
28
Hill cipher formal definition

• Let m ? 2, be a positive integer. Let P C
  (Z26)m and let
• K, m?m invertible matrices over Z26
• For each key K, define
• eK(x) xK and dK(y) yK-1
• where all operations are performed in Z26.

29
Permutation cipher--introduction

• All previous ciphers include substitutions
  plaintext characters are replaced by different
  ciphertext characters.
• The permutation cipher will keep the plaintext
  characters unchanged, but alter their position by
  rearranging them using a permutation.
• Suppose X is a finite set,
• a permutation over X is a bijective function
  ? X?X. thus the inverse permutation ?-1 X?X is
  defined by the rule
• ?-1(x) x if and only if ?(x) x

30
Permutation cipherformal definition

• Let m be a positive integer, Let P C (Z26)m
  and let K consists of all permutations of
  1,2,, m. For a key (i.e., a permutation) ?
• Define
• e?(x1,,xm) (x?(1),, x?(m))
• and
• d?(y1,,ym) (y?-1(1),, y?-1(m))
• Where ?-1 is the inverse permutation of ?.

31
Permutation cipherexample

• Example 1.7, page 19. Suppose m6.
• x 1 2 3 4 5
  6
• ?(x) 3 5 1 6 4 2
  
• Then
• x 1 2 3 4 5
  6
• ?-1(x) 3 6 1 5 2
  4
• Given plaintext shesellsseashellsbytheseash
  ore
• first split by m6 shesel lsseas hellsb
  ythese ashore
• Get ciphertext by ? EESLSH SALSES LSHBLE HSYEET
  HRAEOS
• Comments the permutation cipher is a special
  case of Hill cipher. (See textbook for detail)

32
Stream cipher--introduction

• All previous ciphers encrypt plaintext elements
  using the same key, i.e., yy1y2eK(x1)eK(x2) .
• this type is called block cipher.
• On the contrary, stream cipher generate a
  keystream zz1z2 and use it to encryption
  i.e., yy1y2ez1(x1)ez2(x2)
• Synchronous stream cipher the keystream is
  constructed from the key, independent of
  plaintext text.
• Periodic stream cipher with period d if zid
  zi for i?1.
• Non-Synchronous stream cipher the keystream is
  constructed from plaintext text and/or
  ciphertext, as well as the key

33
Stream cipher-- comments

• Block cipher can be considered as a special case
  of stream cipher where the keystream is constant
  ziK for i?1
• Vigenere cipher is a periodic synchronous stream
  cipher with period m
• suppose K(k1, k2 ,,km) is the key in Vigenere
  cipher,
• Then the keystream is z k1k2km k1k2km k1k2

34
Synchronous Stream cipher binary format

• Stream cipher is more suitable for binary string.
• In this case, P C Z2 and
• ez(x)(xz) mod 2 and dz(y)(yz) mod 2, i.e.,
  ez(x) and dz(y) use same exclusive-or operation.
• Suppose Kz1,,zm c0,,cm-1, define
• zmi ?m-1j0cjzij mod 2 for all i?1
• i.e., a key element is the linear combination of
  its previous m key elements.
• (z1,,zm) called initialization vector, cannot
  be (0,,0) and (c0,,cm-1) called coefficients
  with c01. If (c0,,cm-1) is chosen
  appropriately, then any non-zero (z1,,zm) will
  generate a keystream of period of 2m-1.

35
Binary stream cipher--example

• Example 1.8, page 23
• suppose m4 and (z1, z2, z3 , z4)(1,0,0,0), (c0,
  c1,c2, c3)(1,1,0,0)
• So zi4(zizi1) mod 2.
• The keystream will be 100010011010111 1000, the
  period is 15.
• In fact, any other non-zero initialization vector
  will give period 15.
• Another appealing property of binary stream
  cipher is that it can be implemented by hardware
  LFSR (linear feedback shift register).

z1
z2
z3
z4
36
Non-synchronous stream cipherautokey cipher

• Let P C Z26 and let Kz1. Define zixi-1 for
  all i?2. (i.e, plaintext itself as key)
• For 0? z ? 25, define
• ez(x)(xz) mod 26
• and
• dz(y)(y-z) mod 26
• (x,y ? Z26 ).

37
Autokey cipher--example

• Example 1.9, page 24.
• Suppose the key is K8,
• the plaintext is rendezvous
• the ciphertext will be ZVRQHDUJIM