Examples of CryptanalysisLet’s begin with the substitution ciphertext constructed previously:QWMMPQDVKUVFDTXJQVDBOPIDUHDQQUGDLAMWJGXBGURRBPBURMKULDVXOOKUJUOVDJQDGBWHLDJQQMUODQUBIMWBOVWUVXPBUBIOKUBGXBGURROKUJUOVDJQVPWMMDJOUQDVKDBVKDCDAQXEDFKXOKLPWBIQVKDQDOWJXVAPTVKDQAQVDHXQURMKULDVXOOKUJUOVDJQVKDJDTPJDVKDVPVURBWHLDJPTCDAQXQPTDBPJHPWQQXEDBDNDJVKDRDQQFDFXRRQDDVKUVQXHMRDQWLQVXVWVXPBXQNDJAQWQODMVXLRDVPOJAMVUBURAVXOUVVUOCQWe find the following character counts, scaled to that of a 1000 character input text.A 24.0964B 54.2169C 9.0361D 129.5181E 6.0241F 12.0482G 18.0723H 18.0723I 12.0482J 54.2169K 51.2048L 24.0964M 36.1446N 6.0241O 57.2289P 45.1807Q 96.3855R 39.1566S 0T 15.0602U 81.3253V 99.3976W 39.1566X 57.2289Y 0Z 0The distributions look like a frequency preserving substitution cipher. We guess thatthe enciphering takes E ↦→ D and T ↦→ V or T ↦→ Q. The most frequent characters are D, V,Q, V, U, O, J, K, B and E, N, S, Y, Z are of lowest frequency.andEquating high frequency and low frequency characters, we might first guess{E, I, O, A, T, N, R, S} ↦→ {D, V, Q, U, O, J, K, B}{J, K, Q, X, Z} ↦→ {E, N, S, Y, Z}How would you go about reconstructing the entire text?Index of CoincidenceIn the 1920’s William Friedman introduced the index of coincidence as a measure of thevariation of character frequencies in text from a uniform distribution. The index of coincidenceof a text space (e.g. that of all plaintext or ciphertext) is defined to be theprobability that two randomly chosen characters are equal. In a language over an alphabet3.2. Cryptanalysis by Frequency Analysis 21
of size n, suppose that p i is the probability of a random character is the i-th character ina string of length N. Then, in the limit as the string length N goes to infinity, the indexof coincidence in that language is:n∑p 2 i .Over an alphabet of 26 characters, the coincidence index of random text is∑26i=1i=1(1/26) 2 = 1/26 ∼ = 0.0385.For English text, the coincidence index is around 0.0661. For a finite string of length N,we the index of coincidence is defined to be:∑ ni=1 n i(n i − 1),N(N − 1)where n i is the number of occurrences of the i-th character in the string.Theorem 3.1 The expected index of coincidence of a ciphertext of length N, output froma period m cipher, which is defined by m independent substitutions ciphers at each positionin arithmetic progression the i + jm, is( )( )1 N − m (m − 1) Nim N − 1 X + i n ,m N − 1where i X is the index of coincidence of the space X, the size of the alphabet is n, and andi n = 1/n is the index of coincidence of random text in that space.Example 3.2 Consider the ciphertext enciphered with a Vigenère cipher:OOEXQGHXINMFRTRIFSSMZRWLYOWTTWTJIWMOBEDAXHVHSFTRIQKMENXZPNQWMCVEJTWJTOHTJXWYIFPSVIWEMNUVWHMCXZTCLFSCVNDLWTENUHSYKVCTGMGYXSYELVAVLTZRVHRUHAGICKIVAHORLWSUNLGZECLSSSWJLSKOGWVDXHDECLBBMYWXHFAOVUVHLWCSYEVVWCJGGQFFVEOAZTQHLONXGAHOGDTERUEQDIDLLWCMLGZJLOEJTVLZKZAWRIFISUEWWLIXKWNISKLQZHKHWHLIEIKZORSOLSUCHAZAIQACIEPIKIELPWHWEUQSKELCDDSKZRYVNDLWTMNKLWSIFMFVHAPAZLNSRVTEDEMYOTDLQUEIIMEWEBJWRXSYEVLTRVGJKHYISCYCPWTTOEWANHDPWHWEPIKKODLKIEYRPDKAIWSGINZKZASDSKTITZPDPSOILWIERRVUIQLLHFRZKZADKCKLLEEHJLAWWVDWHFALOEOQWThe coincidence index of this text is 0.0439. This would suggest a period of approximately5. We will see that this is a bad estimate. Note that this doesn’t disprove the theorem, itjust shows that the statistical errors are too great and that we would need a much largersample size to converge to this theoretical expectation, or that the substitutions employedwere not independent.22 Chapter 3. Elementary Cryptanalysis
- Page 1 and 2: Author (David R. Kohel) /Title (Cry
- Page 4 and 5: CONTENTS1 Introduction to Cryptogra
- Page 6: PrefaceWhen embarking on a project
- Page 10 and 11: information. We introduce here some
- Page 12 and 13: ut strings in A ∗ map injectively
- Page 14 and 15: CHAPTERTWOClassical Cryptography2.1
- Page 16 and 17: LV MJ CW XP QO IG EZ NB YH UA DS RK
- Page 18 and 19: As a special case, consider 2-chara
- Page 20 and 21: Note that if d k = 1, then we omit
- Page 22: ExercisesSubstitution ciphersExerci
- Page 25: Ciphertext-only AttackThe cryptanal
- Page 29 and 30: Note that ZKZ and KZA are substring
- Page 31: Checking possible keys, the partial
- Page 34 and 35: sage: X = pt.frequency_distribution
- Page 36 and 37: CHAPTERFOURInformation TheoryInform
- Page 38 and 39: For each of these we can extend our
- Page 40 and 41: in terms of the cryptosystem), then
- Page 42 and 43: CHAPTERFIVEBlock CiphersData Encryp
- Page 44 and 45: Deciphering. Suppose we begin with
- Page 46 and 47: The Advanced Encryption Standard al
- Page 48 and 49: 1. Malicious substitution of a ciph
- Page 50 and 51: locks M j−1 , . . . , M 1 as well
- Page 52: where X = K ⊕ M = (X 1 , X 2 , X
- Page 55 and 56: 6.2 Properties of Stream CiphersSyn
- Page 57 and 58: Exercise. Verify that the equality
- Page 59 and 60: n 2 n − 11 12 33 74 155 316 637 1
- Page 61 and 62: Exercise 6.6 In the previous exerci
- Page 63 and 64: Exercise 6.9 Compute the first 8 te
- Page 65 and 66: which holds since −4 = 17 + (−1
- Page 67 and 68: must therefore have a divisor of de
- Page 69 and 70: Shrinking Generator cryptosystemLet
- Page 72 and 73: CHAPTEREIGHTPublic Key Cryptography
- Page 74 and 75: Initial setup:1. Alice and Bob publ
- Page 76 and 77:
We apply this rule in the RSA algor
- Page 78 and 79:
the discrete logarithm problem (DLP
- Page 80 and 81:
Man in the Middle AttackThe man-in-
- Page 82:
Exercise 8.6 Fermat’s little theo
- Page 85 and 86:
k < p − 1 with GCD(k, p − 1) =
- Page 88 and 89:
CHAPTERTENSecret SharingA secret sh
- Page 90:
using any t shares (x 1 , y 1 ), .
- Page 93 and 94:
sage-------------------------------
- Page 95 and 96:
sage: x.is_unit?Type:builtin_functi
- Page 97 and 98:
Python (hence SAGE) has useful data
- Page 99 and 100:
sage: n = 12sage: for i in range(n)
- Page 101 and 102:
sage: I = [55+i for i in range(3)]
- Page 103 and 104:
sage: I = [7, 4, 11, 11, 14, 22, 14
- Page 105 and 106:
ExercisesRead over the above SAGE t
- Page 107 and 108:
102
- Page 109 and 110:
Solution. The block length is the n
- Page 111 and 112:
Solution.below.The coincidence inde
- Page 113 and 114:
analysis of the each of the decimat
- Page 115 and 116:
arbitrary permutation of the alphab
- Page 117 and 118:
In order to understand naturally oc
- Page 119 and 120:
We do this by first verifying the e
- Page 121 and 122:
Solution.None provided.Linear feedb
- Page 123 and 124:
Multiplying each through by the con
- Page 125 and 126:
Solution. The linear complexity of
- Page 127 and 128:
If a, b, and c are as above, then f
- Page 129 and 130:
Exercise 8.5 Use SAGE to find a lar
- Page 131 and 132:
Solution. Now we can verify that e
- Page 133 and 134:
which has no common factors with p
- Page 135 and 136:
sage: p = 2^32+61sage: m = (p-1).qu
- Page 137 and 138:
sage: a5 := a^n5sage: c5 := c^n5sag
- Page 139 and 140:
The application of this function E
- Page 141 and 142:
5. (∗) How many elements a of G h
- Page 143:
1. The value f(0) of the polynomial