Cryptoanalysis

1
Cryptoanalysis

• It not very common to teach cryptoanalysis on a
  basic course on communications security. It is
  probably because cryptoanalysis is not very
  useful anymore.
• Cryptoanalysis has a role in checking weaknesses
  in new algorithms and giving the theory how to
  design cryptoalgorithms.
• It is only a myth that modern cryptoalgorithms
  are broken by top-bright mathematicians working
  with pen and paper and some supercomputers of
  course, provided that the algorithms are used as
  they should be.
• In the second world war codes were indeed broken
  by mathematics but now they are usually too good.
• In some years computers get faster and do the
  cracking with brute force but before that time
  the analysist should hope for errors in usage
  leading to a compromise. Errors are common.

2
Cryptoanalysis

• Known cryptoanalytic methods were usually
  developed long time ago and are mostly of
  historical interest.
• Older cryptoalgorithms are made by substitution
  and transposition of letters. (modern work with
  bits)
• Monoalphabetic substitution uses one list of
  characters and letters are substituted according
  to it. No monoalphabetic substitution algorithm
  is safe as they can be easily cracked by
  statistical analysis of probability of letters.
• Polyalphabetic substitution algorithms use
  several substitution lists.
• Permutation algorithms change the order of
  letters. Pure permutation algorithms are simple
  to crack.
• Basically, in order to crack these kind of
  algorithms you need to guess a word or 3-4
  letters, after which guessing gets easier.

3
Cryptoanalysis

• Monoalphabetic
• Replace the letter in the upper row with one in
  the lower row.
• a b c d e f g h i j k ...
• j m n g z y l t b u s ...
• Polyalphabetic (example, VIGENERE)
• t h i s i s a c l e a r t e x t w h i c h
  i w r o t e
• k e y w o r d k e y w o r d k e y w o r d .....
• Use the key letter for encrypting the letter in
  the clear text letter by e.g.
• cipher_letter (clear_letter key_letter)
  modulo 26
• Thus, every 7th letter is encypted by the same
  key and the ciphertext is a composition of 7
  monoalphabetic ciphers.

4
Cryptoanalysis

• If there is enough cipher text, monoalphabetic
  cipher is easy to break since letters have
  different frequences.
• Most common letters (every cryptoanalysis should
  memorize these, they are said to be easy to
  remember)
• English etaoinshrdlu
• French esarintulo
• German enirstaduhl
• Italian eiaorints
• If there is not enough text, like there is only
  one cipher message, we still can look for likely
  words or letter combinations. If anything is
  repeated, it is a common sequence. In English
  there is a common ending /ation, common word the
  and so on.
• This statistical cryptoanalysis works also with
  polyalphabetic substitution ciphers, simply take
  every Kth letter provided you get the key length
  K in some way.

5
Cryptoanalysis

• Polyalphabetic substitution cipher can be much
  more difficult, like ENIGMA, but with a simple
  algorithm, like VIGENERE, we can use Kasiskis
  attack
• look for repeated letter sequences in the cipher
  text and calculate their distance.
• Some repetitions are pure chance, but some are
  caused by the same letters both in the clear text
  and in the key. Then the distance is a multiple
  of the key length.
• Looking at all these repetitions we can deduce
  the likely key length.
• When the key length K is known, take every Kth
  letter from the cipher text and decrypt it as a
  monoalphabetic substitution cipher.

6
Cryptoanalysis

• Statistical analysis can be made stronger by
  having all frequences of two, three and four
  letter combinations in a language. A machine can
  be used to find the best match.
• Statistical analysis using simple letter or
  letter combination frequences is too elementary.
• A more advanced method is to calculate some
  invariants.
• Let us look this way to proceed calculating
  invariants, such as Kappa, Chi and Phi.
• There are statistical tests, such as Friedmans
  Kappa-test and Kullbacks Phi-test based on these
  invariants.
• (These researchers helped Americans to break
  Japanese codes in the Second World War. )
• Usually you would have a computer to do the
  testing.

7
Cryptoanalysis

• Kappa and Chi
• Let us consider two texts
• Kappa is the coincidence of letters
• Different languages have different typical values
  for Kappa
• N Kullback(1976)
  Eyraud(1953)
• English 26 6.61 6.75
• German 26 7.62 8.20
• French 26 7.78 8.00
• Russian 32 5.29 4.70
• Spanish 26 7.76 7.69
• Kappa can thus identify the language for
  substitution cipher.

8
Cryptoanalysis

• Chi is defined as follows. Consider the texts
• Let and be the numbers letters and
  occur in T and U
• Definition
• where is the number of letters in the
  alphabet of the language.
• Let us also define
• Let designate a cyclic permutation of to
  the right (take the first letter and move it to
  be the last, repeat r times).
• The Kappa-Chi Theorem states that

9
Cryptoanalysis

• Let us define
• Kappa-Phi Theorem states that
• One can show that
• Phi will not change in transpositions.
• Phi will not change in monoalphabetic
  substitutions.
• Chi (and Psi) of two texts with the same length
  created with the same cipher, will not change in
  monoalphabetic substitutions, nor in
  transpositions.

10
Cryptoanalysis

• Renyis entropy concept
• is called Renyis
  -entropy
• Example, for a sample text of 280 characters in
  English one may measure e.g.

These characteristic numbers are typically
invariant and can find the language, maybe more,
maybe even identify the text.
11
Cryptoanalysis

• In the Second World War time...
• Japanese ambassy code was used in a way leading
  to a compromise using these kind of invariants.
• Letters had formal structure so it was possible
  to guess many words, and formal beginnings or
  endings to letters.
• Furthermore, when a letter was addressed to the
  USA, it was handed out in clear text in exactly
  the same form it was received in cryptotext, thus
  Americans got clear text, cipher text pairs.
• Now it is rather easy to see that statistical
  invariants identifying a text may help a good way
  in deciphering.

12
Cryptoanalysis

• A good attack against some polyalphabetic
  substitution algorithms is also missing match
  attack. We first must guess that somewhere in the
  clear text there is some known reasonably long
  word, like bombing.
• Polyalphabetic substitution ciphers never encrypt
  any letter to the same letter.
• We shift the known word to the right in the clear
  text and try to find a place where no letter
  matches with the known word and the cipher text.
• This may be the cipher text for the word. Then
  some letters are quessed and deciphering gets
  easier.
• If there are many matches, we need a computer to
  investigate all cases.
• Naturally, we do not need to know the known word,
  but may try to guess what there could be.

13
Cryptoanalysis

• A pure transposition cipher simply changes the
  order of letters.
• Though there are not so many combinations (N!) in
  a cipher text of length N if N is small, there is
  one problem
• We can go through all combinations but there may
  be several possible clear texts that could be the
  answers.
• This is because a pure transposition is an
  anagram and anagrams do not have a unique answer.
  
• Example Newton once wrote to Leibniz
• It may mean data aequatione quodcumque fluentes
  quantitates involvente, fluxiones invenire et
  vice versa
• but who knows, and besides, who knows what Newton
  meant with the phrase in Latin anyway.
• Clearly, transposition may strengthen a
  cryptoalgorithm.

14
Cryptoanalysis

• Viasiras attack against encryption of Bazeries
  is yet another example how some polyalphabetic
  substitution ciphers can be broken.
• The encrytion is made using 20 tables (or wheels)
  and on each wheel there are 20 letters. A table
  may contain several times the same letter and
  thus cannot contain all letters.
• The tables are moved to some starting point
  determined by the key. Encyption starts at some
  table and moves to the next table for the next
  letter.
• In Viasiras attack you try to find such a
  starting place for the tables that all letters in
  the cipher text could have been produced the
  encyption devise. There will not be so many such
  places. This attack is simple, but illustrates
  how the encyption devises specific structure
  influences cryptoanalysis.

15
Cryptoanalysis

• Linear cryptoanalysis
• Uses densities of letter combinations and a
  linear transform in order to get the key.
• Example
• FDYSW IJXNZ NSNRE NHUWA WMIEJ EXWASX
• ISIGO JNTBD BWDPU ....
• Convert letters to numbers and group them by
  three
• 5 2 24 18 22 8 9 23 13 25 13 18 13 17 4
  13 7 20
• 22 0 22 12 8 4 8 4 23 4 18 8 13 19 1 3
  1 22 3 15 20
• ...

16
Cryptoanalysis

• Let us assume that we notice that some
  combinations appear often, like 13 17 4, 22 0 22
  and 6 16 9. If this is English,German or French,
  the ending /ation is the most common. Thus we may
  suppose that these combinations are /ati, /tio
  and /ion.
• These combinations in numbers are 0 19 8, 19 8 14
  and 8 14 13. Let us try to find a linear
  transform X so that
• Thus we get

Clearly, we found the key Ministry o(f). In
practice this is harder.
17
Cryptoanalysis

• There are much more classical cryptoanalytic
  methods.
• Most of the classical methods do not work with
  modern ciphers.
• Two methods are currently used with symmetric
  algorithms linear cryptoanalysis and
  differential cryptoanalysis.
• Linear cryptoanalysis is a variant of the method
  decribed before with letter-based ciphers.
• Differential cryptoanalysis studies the
  differences in cipher text if the clear text is
  changed very little, or vice versa.
• Both methods have been shown to work with DES,
  but they reduce attacks on DES from brute force
  attack of
• trials only to and respectively.
  
• The way DES is broken in practice is by brute
  force.

18
Cryptoanalysis

• Brute force is thus a way to crack symmetric
  cryptoalgorithms with too short keys, and it can
  be made e.g. with thousands of computers in the
  Internet.
• With public key cryptosystems the question is
  more involved. There is no known lower boundary
  of complexity for breaking a public key
  cryptosystem.
• They are though to be based on hard mathematical
  problems, but mathematicians solve hard long
  lasting problems every now and then.
• Cryptoanalysis is no longer very useful for
  cracking good cryptoalgorithms, fortunately they
  are sometimes used incorrectly. An unlucky case
  of incorrect usage may cause the algorithm to be
  compromised.

19
Cryptoanalysis

• One such case was with ENIGMA, the same text was
  encrypted twice and the double encipherment
  created flaws that cryptoanalysists could take
  advantage of.
• Present situation in cryptoanalysis, apart from
  some lucky errors leading into compromises, is
  that good algorithms cannot be cracked before the
  key sizes become too small.
• Key sizes are chosen small, maybe for better
  performance but some claim keysize is chosen
  small enough so that the intelligence of some
  countries can open them.
• Accoring to one article in Signal magazine,
  Americans have not been able to decrypt Soviet
  ciphers after they were modernized.
• Secret information has been obtained all the
  time, but by theft, bribery or blackmail.
• This lecture was based on Friedrich L. Bauer
  Decrypted Secrets, 3rd edition, Springer, 2002.