1 / 32

David Evans cs.virginia/~evans

Lecture 2: Breaking Unbreakable Ciphers. Confronted with the prospect of defeat, the Allied cryptanalysts had worked night and day to penetrate German ciphers. It would appear that fear was the main driving force, and that adversity is one of the foundations of successful codebreaking.

ceana
Download Presentation

David Evans cs.virginia/~evans

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 2: Breaking Unbreakable Ciphers Confronted with the prospect of defeat, the Allied cryptanalysts had worked night and day to penetrate German ciphers. It would appear that fear was the main driving force, and that adversity is one of the foundations of successful codebreaking. Simon Singh, The Code Book David Evans http://www.cs.virginia.edu/~evans CS551: Security and Privacy University of Virginia Computer Science

  2. Menu • Survey Results • Vigenère – “Le Chiffre Indéchiffrable” • Shannon Principles: Perfect Ciphers University of Virginia CS 551

  3. Survey Results • Forged email: 15 out of 41 • Broken into systems: 8 out of 41 • PGP: 1 regular, 3 occasional • Movies/Books: Sneakers (14), Hackers (4), Mission Impossible (2), Wargames (2), Cryptonomicon (2), Matrix, Takedown, Enemy of the State, Cuckoo’s Egg, Maximum Security, The Net University of Virginia CS 551

  4. Vigenère • Invented by Blaise de Vigenère, ~1550 • Considered unbreakable for 300 years • Broken by Charles Babbage but kept secret to help British in Crimean War • Attack discovered independently by Friedrich Kasiski, 1863. University of Virginia CS 551

  5. Vigenère Encryption Key is a N-letter string. EK (P) = C where Ci = (Pi + Ki mod N) mod Z (size of alphabet) E“KEY” (“test”) = DIQD C0 = (‘t’ + ‘K’) mod 26 = ‘D’ C1 = (‘e’ + ‘E’) mod 26 = ‘I’ C2 = (‘s’ + ‘Y’) mod 26 = ‘Q’ C3 = (‘t’ + ‘K’) mod 26 = ‘D’ University of Virginia CS 551

  6. Babbage’s Attack • Use repetition to guess key length: Sequence XFO appears at 65, 71, 122, 176. Spacings = (71 – 65) = 6 = 3 * 2 (122 – 65) = 57 = 3 * 19 (176 – 122) = 54 = 3 * 18 Key is probably 3 letters long. University of Virginia CS 551

  7. Key length - Frequency • Once you know key length, can slice ciphertext and use frequencies: L0: DLQLCNSOLSQRNKGBSEVYNDOIOXAXYRSOSGYKY VZXVOXCDNOOSOCOWDKOOYROEVSRBXENI Frequencies: O: 12, S: 7, Guess O = e Ci = (Pi + Ki mod N) mod Z ‘O’ = (‘e’ + K0) mod 26 14 = 5 + 9 => K0 = ‘K’ University of Virginia CS 551

  8. Sometimes, not so lucky... L1: LMISQITVYJSSSJAHYECYSXOXGWYGJMRRXEGWRPEJXSI SLIGHTVSXILWHXYXJPERISWTM S: 9, X: 7; I: 6 guess S = ‘e’ ‘S’ = (‘e’ + K1) mod 26 19 = 5 + 14 => K1 = ‘N’ ‘X’ = (‘e’ + K1) mod 26 24 = 5 + 19 => K1 = ‘M’ ‘I’ = (‘e’ + K1) mod 26 10 = 5 + 5 => K1 = ‘E’ University of Virginia CS 551

  9. University of Virginia CS 551

  10. Vigenère Simplification • Use binary alphabet: Ci = (Pi + Ki mod N) mod 2 Ci = Pi Ki mod N • Use a key as long as P: Ci = Pi Ki • One-time pad – perfect cipher! University of Virginia CS 551

  11. Ways to Convince • “I tried really hard to break my cipher, but couldn’t. I’m a genius, so I’m sure no one else can break it either.” • “Lots of really smart people tried to break it, and couldn’t.” • Mathematical arguments – key size (dangerous!), statistical properties of ciphertext, depends on some provably (or believed) hard problem • Invulnerability to known cryptanalysis techniques (but what about undiscovered techniques?) • Show that ciphertext could match multiple reasonable plaintexts without knowing key • Simple monoalphabetic secure for about 10 letters of English: XBCF CF FWPHGW • This is secure • Spat at troner University of Virginia CS 551

  12. Real World Standard • Attacker probably has details of algorithm • Attacker has a limited amount of ciphertext, often has known plaintext, occasionally has chosen plaintext • Breaking a cipher means the attacker can read a secret message University of Virginia CS 551

  13. “Academic” Standard • Assume attacker has full details of the algorithm • Assume attacker has an unlimited number of chosen plaintext/ciphertext pairs • Assume attacker can perform a very large number of computations, up to, but not including, 2n, where n is the key size in bits (i.e. assume that the attacker can’t mount a brute force attack, but can get close). University of Virginia CS 551

  14. Shannon’s Theory [1945] Message space: { M1, M2,..., Mn } Assume finite number of messages Each message has probability p(M1) + p(M2) + ... + p(Mn) = 1 Key space: { K1, K2,..., Kl } (Based on Eli Biham’s notes) University of Virginia CS 551

  15. Perfect Cipher: Definition Ka A perfect cipher: there is some key that maps any message to any ciphertext with equal probability. For any i, j: p (Mi|Cj) = p (Mi) C1 M1 Kb C2 M2 ... ... Mn Cn University of Virginia CS 551

  16. Perfect Cipher Definition:  i, j: p (Mi|Cj) = p (Mi) p(M) p(C | M) = p(C) p(M | C) So, a cipher is perfect iff:  M, C p(C) = p (C | M) =  p(K) EK(M) = C Sum over all keys such that EK(M) = C. K University of Virginia CS 551

  17. Perfect Cipher So, a cipher is perfect iff:  M, C p(C) =  p(K) EK(M) = C Or:  C  p(K) is independent of MEK(M) = C Without knowing anything about the key, any ciphertext is equally likely to match and plaintext. K K University of Virginia CS 551

  18. Example: Monoalphabetic • Random monoalphabetic substitution for one letter message:  C,M: p(C) = p(C | M) = 1/26. University of Virginia CS 551

  19. Example: One-Time Pad For each bit: p(Ci = 0) = p(Ci = 0 | Mi = 0) = p(Ci = 0 | Mi = 1) = ½ sinceCi = Ki Mi p (Ki Mi = 0) = p (Ki = 1) * p (Mi = 1) + p (Ki = 0) * p (Mi = 0) Truly random K meansp (Ki = 1) = p (Ki = 0) = ½ = ½ * p (Mi = 1) + ½ * p (Mi = 0) = ½ * (p (Mi = 1) + p (Mi = 0)) = ½ All key bits are independent, so: p(C) = p(C | M) QED. University of Virginia CS 551

  20. Perfect Cipher Keyspace Theorem Theorem: If a cipher is perfect, there must be at least as many keys (l) are there are possible messages (n). University of Virginia CS 551

  21. Proof by Contradiction Suppose there is a perfect cipher with l < n. (More messages than keys.) Let C0 be some ciphertext with p(C0) > 0. There exist mmessages M such that M = DK(C0 ) n - mmessagesM0 such that M0 DK(C0 ) We know 1  m  l< n so n - m > 0 and there is at least one message M0. University of Virginia CS 551

  22. Proof, cont. Consider the message M0 where M0 DK(C0 ) for any K. So, p (C0 |M0) = 0. In a perfect cipher, p (C0 |M0) = p (C0) > 0. Contradiction! It isn’t a perfect cipher. Hence, all perfect ciphers must have l  n. University of Virginia CS 551

  23. Example: Monoalphabetic Random monoalphabetic substitution is not a perfect cipher for messages of up to 20 letters: l = 26!n = 2620 l < n its not a perfect cipher. In previous proof, could choose C0 = “AB” and M0 = “ee” and p (C0 |M0) = 0. University of Virginia CS 551

  24. Example: Monoalphabetic Is random monoalphabetic substitution a perfect cipher for messages of up to 2 letters? l = 26!n = 262 l  n. No! Showing l  n does not prove its perfect. University of Virginia CS 551

  25. Information Theory • [Shannon 1948] • Entropy (H): • Amount of information in a message H(M) = log2n where n is the number of possible meanings H (month of year) • = log2 12  3.6 (need 4 bits to encode a year) University of Virginia CS 551

  26. Rate • Absolute rate: how much information can be encoded R = log2Z (Z=size of alphabet) REnglish = • Actual rate of a language: r = H(M) / N Mis an N-letter message. r of months spelled out using ASCII: log2 26  4.7 bits / letter = log2 12 / (8 letters * 8 bits/letter)  0.06 University of Virginia CS 551

  27. Rate of English • r(English) is about 1.3 bits/letter (.28 letters/letter). • How do we get this? • How many meaningful 20-letter messages in English? r = H(M) / N 1.3 = H(M)/20 H(M) = 26 = log2n n = 226 = 6.7 million (of 2*1028 possible) One out of 7 * 1020 randomly selected 20-letter groups University of Virginia CS 551

  28. Redundancy • Redundancy (D) is defined: D = R – r • Redundancy in English: D = 4.7 – 1.3 = 3.4 bits/letter Each letter is 1.3 bits of content, and 3.4 bits of redundancy. (~72%) • ASCII: 1 byte per letter D = 8 – 1.3 = 6.7 84% redundancy, 14% information University of Virginia CS 551

  29. Unicity Distance • Entropy of cryptosystem: (K = number of possible keys) H(K) = log2K H(64-bit key) = 64 • Unicity: U = H(K)/D Minimum amount of ciphertext needed for brute-force attack to succeed. University of Virginia CS 551

  30. Unicity Examples • One-Time Pad H(K) = infinite U = H(K)/D = infinite • Monoalphabetic Substitution H(K) = log2 26!87 D = 3.4 (redundancy in English) U = H(K)/D  25.5 Intuition: if you have 25 letters, probably only matches one possible plaintext. D = 0 (random bit stream) U = H(K)/D = infinite University of Virginia CS 551

  31. Unicity • Theoretical and probabilistic measure of how much ciphertext is needed to determine a unique plaintext • Does not indicate how much ciphertext is needed for cryptanalysis • If you have less than unicity distance ciphertext, can’t tell if guess is right. • As redundancy approaches 0, hard to cryptanalyze even simple cipher. University of Virginia CS 551

  32. Charge • Problem Set 1: due next Monday • Next time: • Project team assignments • If I don’t have your survey yet, make sure I get it today! • DES – most widely used modern cipher University of Virginia CS 551

More Related