Block 2: Simple Ciphers and Classical Ciphers

and a Complexity Measure for Security

Objectives
After studying this material you should:
Understand the following concepts: additive cipher,
multiplicative cipher, modular arithmetic.
Understand how a key can set the parameters of a
mathematical transformation.
Understand in general terms how an adversary might
attack these ciphers.
Be able to define the terms one-way function, one way
hash function and one way trapdoor function and state
their relevance to cryptography.
Be able to outline how the complexity of a problem or
algorithm is measured.
Know what it means for a problem to be in complexity
class P.
Understand that in modern scalable cryptosystems
encryption and decryption are in P and cryptanalysis is
not.

Educational Software
The material in this block can seem a little abstract. To
visualise the concepts an educational program called
CrypTool about cryptography and cryptanalysis is
recommended.
You can download Cryptool from
http://www.cryptool.com/

A Cipher System
Key

Plaintext,
Message

Cipher

Ciphertext,
Cryptogram

Security does not depend on keeping the encoding algorithm

secret it depends on keeping the key secret.

Caesar Cipher
Plaintext: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext: DEFGHIJKLMNOPQRSTUVWXYZABC

Translation Ciphers
If the input and output alphabets are the same then an
encrypting transformation is just a permutation of the input
alphabet. If we compose permutations, that is apply them
successively, then the result is also a permutation.
compose permutations:
apply
write

then apply f :

f 2 for f f , f 3 for f f f ,

f g

superenciphering:
Caesar 3

JKLMNOPQRSTUVWXYZABCDEFGHI

Caesar 4

MNOPQRSTUVWXYZABCDEFGHIJKL

Caesar 17

: ZABCDEFGHIJKLMNOPQRSTUVWXY
Additive Ciphers

A translation cipher can be computed purely by arithmetic by

mapping each letter of the alphabet to a number in the range
0 to 25.
If we do the mapping as below, then the translation cipher
becomes an additive cipher.
A BC D E F G H I J K L M N O P Q R S T U V W X Y
Z
0 1 2 3 4 5 6 7 8 9 101112 13141516 1718 1920 2122 23 24 25

The encryption procedure can be reduced to modular

arithmetic
r x mod m

means that r is the remainder when x is divided by m.

Therefore, for some arbitrary k,
x km r

and

0 r m.

For a visualisation of the Caesar cipher in CrypTool from the

pull down menu choose:
Indiv. Procedures/Visualization of Algorithms/Caesar

The Caesar cipher is a mapping

a a 3 mod 26

sometimes written
a a 26 3

Decode by subtracting 3 modulo 26 or adding 3mod26

BUT

3 mod 26

is just

0 3 mod 26 26 3 mod 26 23 mod 26

Thus the decrypting transformation is

a a 26 23

Thus an additive cipher over an alphabet of size m has m

keys. The encrypting transformation is
a a m k

for 0 < k < m

and the decrypting transformation is

a am k

Modular arithmetic is used in RSA public key cryptography

which is used in WPA

Other Monoalphabetic Ciphers

Multiplicative ciphers
Encrypt:

a a m k

.
5

This is just multiplication modulo m.

Decrypt:

a a m k 1

k m k 1 k 1 m k 1

NOTE: Inverses mod m do not always exist.

Possible ambiguity:
Key k is 2 and 6 received
Two possible messages were sent (3 and 16), since
3 26 2 16 26 2 6

So this transformation is not invertible.

To avoid the problem choose key that does not share any
divisors with the modulus.
Keys are coprime or relatively prime to (have no common
factors with) the modulus.

Suitable Keys for a Multiplicative Cipher

Use a prime modulus, then any non-zero key can be used:
Calculation of the inverse of a key k where a

am k

Let m = number of positive integers < m that are coprime

with m; if m is prime m m 1 .
Then we use the fact that:

k m m 1. (FERMATS THEOREM)
kk m 1 m 1
k ( m ) 1 m k 1

If m is prime (m) = m -1 so
k 1 k m 2 mod m

For Example:
Suppose we want the multiplicative inverse of 3 mod 53.
Then we calculate

351 mod 53 3 3 312

3 3 10
3 35

2 2

3 6 18

3 18 54 1 mod 53

So

53

3 1 53 18

2 2

12

531441 10 mod 53

300 mod 53 35

35

1225 mod 53 6

as required.

Cryptanalysis of Multiplicative Ciphers

Suppose the plaintext is a and the ciphertext is b the
cryptanalyst must solve
a k m b

for some k. If m is prime

k ba 1 mod m

If the modulus is non-prime, then the plaintext may have a

common factor with m. The cryptanalyst must solve
( pq )k pr mod ps

which gives the equation

qk r mod ps

By calculating

k rq 1 mod ps

one possible value for the key is obtained. The others are
ks

, k 2s , k 3s , ...

10

Example
If we know that plaintext 15 produces ciphertext 12 mod 21
15k 12 mod 21
( pqk pr mod ps )
p 3, q 5, r 4
5k 4 mod 21 k 4 51 mod 21
4 17 mod 21 68 mod 21 5

Since s 7 the keys 12 and 19 are also possible so we need

some further plaintext - ciphertext pairs to determine a unique
value for the key.
Nevertheless, a multiplicative cipher is not significantly harder
to break than an additive cipher.

11

A Complexity Measure for Security

Technology is notoriously hard to predict:
Where a calculator on the ENIAC is equipped with 18,000
vacuum tubes and weighs 30 tons, computers in the future
may have only 1,000 vacuum tubes and weigh only 1 tons.
(Popular Mechanics, March 1949)
In this section we examine the theory that can give some
assurance that a cryptosystem will be secure in the future.
One-way Functions
The concept of a one-way function is fundamental to modern
cryptography.
Such a function, say f (x) , is a function that is easy to compute
but which is extremely difficult to invert.
Example 9.2-1 Factorisation
The question: What is the product of 2 3, 31, 52 and 111? has
easy answer, 6600

12

BUT the question: What are the prime factors of 6600? is

much harder.
OR
Factorise 1323

Variants on the Idea of One-Way Function

One-way Hash Functions
Hash function

y H (x )

is a many-to-one function.

Takes big number, or piece of text, or some other data and

computes from it a smaller number or bit vector.
The intention is that the probability of two distinct typical
arguments giving the same result is uniformly small.
Example
In CrypTool compute a hash of the starting example text using
the SHA-1 function.
From the pull down menu chose:

13

Indiv. Procedures/Hash/SHA-1
Write down the hash of startingexample-en
Now go to:
File/Open
and Open CrypTool-en and compute its hash using the SHA-1
function.
Write down the hash of CrypTool-en and compare it with that
of startingexample-en.
What do you observe?
One-way hash function is designed so that y H (x) is easy
to compute but given y finding any x such that y H (x) is
extremely hard and finding any x1 and x2 such that H ( x ) H ( x )
is extremely hard.
1

Hash functions are widely used in wireless systems to verify

the authenticity of messages
SHA-1 is a one-way hash function
Trapdoor One-way Functions
A trap door one-way function is a one-way function together
14

with a certain piece of additional information (the trapdoor)

that enables easy calculation of f-1.
For example: one of the factors of 1323 is 33

15

Cryptographic Applications of One-way Functions

Password Protection
Stream Cipher:
A one-way hash function could be used to create a secure
stream cipher as in the diagram below.

Counter

One Way
Hash Function

Output Stream

Since the input to the one-way function cannot be determined

from its output, the state of the counter cannot be determined.
Block Cipher (AES)
Public Key Cryptography (RSA)
Message Authentication in a Public Key System

16

Asymptotic Complexity
A problem with complexity n2 will be harder to solve than a
problem with complexity 10000n for all inputs of size greater
than 10,000.
Thus we choose to ignore constant factors to get a
degree of technology independence, since changes in
technology only affect constant factors.
The graph below shows how some functions vary with n.
A exp( Bn) Cn D log( En ) Fn 3G Hn 2 l

This is true regardless of the values of the constants A-I.

17

f(n)
400

Aexp(Bn)

350
300

Fn3G

Dlog(En)

Cn

250
200
150

Hn2I

100
50
0
0

10

15

20

25

30

n
Figure: Relative rate of Growth of common functions

18

Comparing the asymptotic magnitude of two

functions
Is

an b

for large enough n and for all values of a (>1) and b?

If we take logs of both sides we obtain the equivalent

condition
n log a n log b
n
log b

log a
n
log b

n
log a

So there will be a member of the set of natural numbers

n = {0, 1, 2, } to satisfy this condition for any a (>1) and b,
so a is always greater than b .
n

We ignore terms that are insignificant for very large n. Thus

for example we shall not distinguish between n4 and
n4+100n3+25n, since n4 becomes arbitrarily larger than
100n3+25n as n increases.

19

Notation for Asymptotic Complexity

Domain n = {0, 1, 2, }.
UPPER BOUND
f(n) grows no more quickly than g(n).

f (n) O ( g ( n))

LOWER BOUND
f(n) grows at least as quickly as g(n).

f (n) ( g ( n))

TIGHT BOUND
f (n) O ( g ( n)) and f ( n) ( g (n)) write f (n) ( g (n))
Example
Consider the function 10
This is

(1)

( n 5 )

(n log n )

(5 10

and

(10

n log n )

Recall for 5 10 we ignore constant factors like 5 and for

10 n
we ignore n because it grows more slowly than
10 .
n

log n

log n

It is also O(10 ) , O10 , O(5 10 ) and O(10 n

Note the 5 in 10 is not a constant factor.
Hence in addition (5 10 ) and (10 n ) .
n

log n

5 n

log n

20

Measuring the Complexity of a Problem

Primitive Operations
Problem solution time is measured by the number of steps, or
primitive operations that must be performed. Usually,
They can be computed in a time that is independent of their
arguments.
They have a finite domain - they accept as input only a
fixed number of distinct values.
They can be implemented by fixed size logic circuits.
More formally, the (time) complexity of a problem is generally
stated as the number of primitive steps required by some
model of computation.

21

Classifying Decision Problems P

Class P: functions whose complexity is no greater than
for some constant a.

o( n a )

Problems in P are regarded as easy or feasible, and

problems that are not are regarded as hard or infeasible or
intractable.
A problem has at least exponential time complexity if its
complexity is (a ) and such problems are provably intractable
for large n.
n

Example A polynomial function and an exponential

function
Compare operations required for n10 and 1.1n

n10

1.1n

210 1024

1.12 1.21

1000

100010 10 30

1.11000 2.47 10 41

22

Scalable cryptosystems
A cryptosystem is scalable if it allows us to set the
cryptanalyst a harder task whenever the time spent on
encryption and decryption is increased, by using a longer key.
To achieve scalability, it must be arranged that as the
cryptosystem is scaled up, the time required for cryptanalysis
increases much faster than the time spent on encryption and
decryption.
A modern scalable cryptosystem is designed so that
encryption and decryption are computationally feasible but
identification of the key by a cryptanalyst is infeasible.
A problem is considered feasible if it is in class P and
infeasible if it is not.
It follows that cryptosystems are designed so that
encryption and decryption are in P and cryptanalysis is
not.
By choosing a sufficiently large key the cryptographer can
ensure that the cryptanalyst cannot afford sufficient computer
power to attack it.
A user of AES can implement it as a scalable cryptosystem by
increasing its key length; AES supports key sizes of 128, 192,
and 256 bits. IEEE 802.11i recommends the use of AES.

23