# Cryptography/Print version

Cryptography

The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/Cryptography

Permission is granted to copy, distribute, and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 3.0 License.

# Introduction

Cryptography is the study of information hiding and verification. It includes the protocols, algorithms and strategies to securely and consistently prevent or delay unauthorized access to sensitive information and enable verifiability of every component in a communication.

Cryptography is derived from the Greek words: kryptós, "hidden", and gráphein, "to write" - or "hidden writing". People who study and develop cryptography are called cryptographers. The study of how to circumvent the use of cryptography for unintended recipients is called cryptanalysis, or codebreaking. Cryptography and cryptanalysis are sometimes grouped together under the umbrella term cryptology, encompassing the entire subject. In practice, "cryptography" is also often used to refer to the field as a whole, especially as an applied science. At the dawn of the 21 century in an ever more interconnected and technological world cryptography started to be ubiquitous as well as the reliance on the benefits it brings, especially the increased security and verifiability.

Cryptography is an interdisciplinary subject, drawing from several fields. Before the time of computers, it was closely related to linguistics. Nowadays the emphasis has shifted, and cryptography makes extensive use of technical areas of mathematics, especially those areas collectively known as discrete mathematics. This includes topics from number theory, information theory, computational complexity, statistics and combinatorics. It is also a branch of engineering, but an unusual one as it must deal with active, intelligent and malevolent opposition.

An example of the sub-fields of cryptography is steganography — the study of hiding the very existence of a message, and not necessarily the contents of the message itself (for example, microdots, or invisible ink) — and traffic analysis, which is the analysis of patterns of communication in order to learn secret information.

When information is transformed from a useful form of understanding to an opaque form of understanding, this is called encryption. When the information is reverted back into a useful form, it is called decryption. Intended recipients or authorized use of the information is determined by whether the user has a certain piece of secret knowledge. Only users with the secret knowledge can transform the opaque information back into its useful form. The secret knowledge is commonly called the key, though the secret knowledge may include the entire process or algorithm that is used in the encryption/decryption. The information in its useful form is called plaintext (or cleartext); in its encrypted form it is called ciphertext. The algorithm used for encryption and decryption is called a cipher (or cypher).

## Common goals in cryptography

In essence, cryptography concerns four main goals. They are:

1. message confidentiality (or privacy): Only an authorized recipient should be able to extract the contents of the message from its encrypted form. Resulting from steps to hide, stop or delay free access to the encrypted information.
2. message integrity: The recipient should be able to determine if the message has been altered.
3. sender authentication: The recipient should be able to verify from the message, the identity of the sender, the origin or the path it traveled (or combinations) so to validate claims from emitter or to validated the recipient expectations.
4. sender non-repudiation: The remitter should not be able to deny sending the message.

Not all cryptographic systems achieve all of the above goals. Some applications of cryptography have different goals; for example some situations require repudiation where a participant can plausibly deny that they are a sender or receiver of a message, or extend this goals to include variations like:

1. message access control: Who are the valid recipients of the message.
2. message availability: By providing means to limit the validity of the message, channel, emitter or recipient in time or space.

## Common forms of cryptography

Cryptography involves all legitimate users of information having the keys required to access that information.

• If the sender and recipient must have the same key in order to encode or decode the protected information, then the cipher is a symmetric key cipher since everyone uses the same key for the same message. The main problem is that the secret key must somehow be given to both the sender and recipient privately. For this reason, symmetric key ciphers are also called private key (or secret key) ciphers.
• If the sender and recipient have different keys respective to the communication roles they play, then the cipher is an asymmetric key cipher as different keys exist for encoding and decoding the same message. It is also called public key encryption as the user publicly distributes one of the keys without a care for secrecy. In the case of confidential messages to the user, they distribute the encryption key. Asymmetric encryption relies on the fact that possession of the encryption key will not reveal the decryption key.
• Digital Signatures are a form of authentication with some parallels to public-key encryption. The two keys are the public verification key and the secret signature key. As in public-key encryption, the verification key can be distributed to other people, with the same caveat that the distribution process should in some way authenticate the owner of the secret key. Security relies on the fact that possession of the verification key will not reveal the signature key.
• Hash Functions are unkeyed message digests with special properties.

Other:

Poorly designed, or poorly implemented, crypto systems achieve them only by accident or bluff or lack of interest on the part of the opposition. Users can, and regularly do, find weaknesses in even well-designed cryptographic schemes from those of high reputation.

Even with well designed, well implemented, and properly used crypto systems, some goals aren't practical (or desirable) in some contexts. For example, the sender of the message may wish to be anonymous, and would therefore deliberately choose not to bother with non-repudiation. Alternatively, the system may be intended for an environment with limited computing resources, or message confidentiality might not be an issue.

In classical cryptography, messages are typically enciphered and transmitted from one person or group to some other person or group. In modern cryptography, there are many possible options for "sender" or "recipient". Some examples, for real crypto systems in the modern world, include:

1. a computer program running on a local computer,
2. a computer program running on a 'nearby' computer which 'provides security services' for users on other nearby systems,
3. a human being (usually understood as 'at the keyboard'). However, even in this example, the presumed human is not generally taken to actually encrypt or sign or decrypt or authenticate anything. Rather, he or she instructs a computer program to perform these actions. This 'blurred separation' of human action from actions which are presumed (without much consideration) to have 'been done by a human' is a source of problems in crypto system design, implementation, and use. Such problems are often quite subtle and correspondingly obscure; indeed, generally so, even to practicing cryptographers with knowledge, skill, and good engineering sense.

When confusion on these points is present (e.g., at the design stage, during implementation, by a user after installation, or ...), failures in reaching each of the stated goals can occur quite easily—often without notice to any human involved, and even given a perfect cryptosystem. Such failures are most often due to extra-cryptographic issues; each such failure demonstrates that good algorithms, good protocols, good system design, and good implementation do not alone, nor even in combination, provide 'security'. Instead, careful thought is required regarding the entire crypto system design and its use in actual production by real people on actual equipment running 'production' system software (e.g., operating systems) -- too often, this is absent or insufficient in practice with real-world crypto systems.

Although cryptography has a long and complex history, it wasn't until the 19th century that it developed anything more than ad hoc approaches to either encryption or cryptanalysis (the science of finding weaknesses in crypto systems). Examples of the latter include Charles Babbage's Crimean War era work on mathematical cryptanalysis of polyalphabetic ciphers, repeated publicly rather later by the Prussian Kasiski. During this time, there was little theoretical foundation for cryptography; rather, understanding of cryptography generally consisted of hard-won fragments of knowledge and rules of thumb; see, for example, Auguste Kerckhoffs' crypto writings in the latter 19th century. An increasingly mathematical trend accelerated up to World War II (notably in William F. Friedman's application of statistical techniques to cryptography and in Marian Rejewski's initial break into the German Army's version of the Enigma system). Both cryptography and cryptanalysis have become far more mathematical since WWII. Even then, it has taken the wide availability of computers, and the Internet as a communications medium, to bring effective cryptography into common use by anyone other than national governments or similarly large enterprise.

# History

## Classical Cryptography

The earliest known use of cryptography is found in non-standard hieroglyphs carved into monuments from Egypt's Old Kingdom (ca 4500 years ago). These are not thought to be serious attempts at secret communications, however, but rather to have been attempts at mystery, intrigue, or even amusement for literate onlookers. These are examples of still another use of cryptography, or of something that looks (impressively if misleadingly) like it. Later, Hebrew scholars made use of simple Substitution ciphers (such as the Atbash cipher) beginning perhaps around 500 to 600 BCE. Cryptography has a long tradition in religious writing likely to offend the dominant culture or political authorities.

The Greeks of Classical times are said to have known of ciphers (e.g., the scytale transposition cypher claimed to have been used by the Spartan military). Herodutus tells us of secret messages physically concealed beneath wax on wooden tablets or as a tattoo on a slave's head concealed by regrown hair (these are not properly examples of cryptography per se; see secret writing). The Romans certainly did (e.g., the Caesar cipher and its variations). There is ancient mention of a book about Roman military cryptography (especially Julius Caesar's); it has been, unfortunately, lost.

In India, cryptography was apparently well known. It is recommended in the Kama Sutra as a technique by which lovers can communicate without being discovered. This may imply that cryptanalytic techniques were less than well developed in India ca 500 CE.

Cryptography became (secretly) important still later as a consequence of political competition and religious analysis. For instance, in Europe during and after the Renaissance, citizens of the various Italian states, including the Papacy, were responsible for substantial improvements in cryptographic practice (e.g., polyalphabetic ciphers invented by Leon Alberti ca 1465). And in the Arab world, religiously motivated textual analysis of the Koran led to the invention of the frequency analysis technique for breaking monoalphabetic substitution cyphers sometime around 1000 CE.

Cryptography, cryptanalysis, and secret agent betrayal featured in the Babington plot during the reign of Queen Elizabeth I which led to the execution of Mary, Queen of Scots. And an encrypted message from the time of the Man in the Iron Mask (decrypted around 1900 by Étienne Bazeries) has shed some, regrettably non-definitive, light on the identity of that legendary, and unfortunate, prisoner. Cryptography, and its misuse, was involved in the plotting which led to the execution of Mata Hari and even more reprehensibly, if possible, in the travesty which led to Dreyfus' conviction and imprisonment, both in the early 20th century. Fortunately, cryptographers were also involved in setting Dreyfus free; Mata Hari, in contrast, was shot.

Mathematical cryptography leapt ahead (also secretly) after World War I. Marian Rejewski, in Poland, attacked and 'broke' the early German Army Enigma system (an electromechanical rotor cypher machine) using theoretical mathematics in 1932. The break continued up to '39, when changes in the way the German Army's Enigma machines were used required more resources than the Poles could deploy. His work was extended by Alan Turing, Gordon Welchman, and others at Bletchley Park beginning in 1939, leading to sustained breaks into several other of the Enigma variants and the assorted networks for which they were used. US Navy cryptographers (with cooperation from British and Dutch cryptographers after 1940) broke into several Japanese Navy crypto systems. The break into one of them famously led to the US victory in the Battle of Midway. A US Army group, the SIS, managed to break the highest security Japanese diplomatic cipher system (an electromechanical 'stepping switch' machine called Purple by the Americans) even before WWII began. The Americans referred to the intelligence resulting from cryptanalysis, perhaps especially that from the Purple machine, as 'Magic'. The British eventually settled on 'Ultra' for intelligence resulting from cryptanalysis, particularly that from message traffic enciphered by the various Enigmas. An earlier British term for Ultra had been 'Boniface'.

## World War II Cryptography

By World War II mechanical and electromechanical cryptographic cipher machines were in wide use, but they were impractical manual systems. Great advances were made in both practical and mathematical cryptography in this period, all in secrecy. Information about this period has begun to be declassified in recent years as the official 50-year (British) secrecy period has come to an end, as the relevant US archives have slowly opened, and as assorted memoirs and articles have been published.

The Germans made heavy use (in several variants) of an electromechanical rotor based cypher system known as Enigma. The German military also deployed several mechanical attempts at a one-time pad. Bletchley Park called them the Fish cyphers, and Max Newman and colleagues designed and deployed the world's first programmable digital electronic computer, the Colossus, to help with their cryptanalysis. The German Foreign Office began to use the one-time pad in 1919; some of this traffic was read in WWII partly as the result of recovery of some key material in South America that was insufficiently carefully discarded by a German courier.

The Japanese Foreign Office used a locally developed electrical stepping switch based system (called Purple by the US), and also used several similar machines for attaches in some Japanese embassies. One of these was called the 'M-machine' by the US, another was referred to as 'Red'. All were broken, to one degree or another by the Allies.

Other cipher machines used in WWII included the British Typex and the American SIGABA; both were electromechanical rotor designs similar in spirit to the Enigma.

## Modern Cryptography

The era of modern cryptography really begins with Claude Shannon, arguably the father of mathematical cryptography. In 1949 he published the paper Communication Theory of Secrecy Systems in the Bell System Technical Journal, and a little later the book Mathematical Theory of Communication with Warren Weaver. These, in addition to his other works on information and communication theory established a solid theoretical basis for cryptography and for cryptanalysis. And with that, cryptography more or less disappeared into secret government communications organizations such as the NSA. Very little work was again made public until the mid '70s, when everything changed.

Second was the publication of the paper New Directions in Cryptography by Whitfield Diffie and Martin Hellman. This paper introduced a radically new method of distributing cryptographic keys, which went far toward solving one of the fundamental problems of cryptography, key distribution. It has become known as Diffie-Hellman key exchange. The article also stimulated the almost immediate public development of a new class of enciphering algorithms, the asymmetric key algorithms.

Prior to that time, all useful modern encryption algorithms had been symmetric key algorithms, in which the same cryptographic key is used with the underlying algorithm by both the sender and the recipient who must both keep it secret. All of the electromechanical machines used in WWII were of this logical class, as were the Caesar and Atbash cyphers and essentially all cypher and code systems throughout history. The 'key' for a code is, of course, the codebook, which must likewise be distributed and kept secret.

Of necessity, the key in every such system had to be exchanged between the communicating parties in some secure way prior to any use of the system (the term usually used is 'via a secure channel') such as a trustworthy courier with a briefcase handcuffed to a wrist, or face-to-face contact, or a loyal carrier pigeon. This requirement rapidly becomes unmanageable when the number of participants increases beyond some (very!) small number, or when (really) secure channels aren't available for key exchange, or when, as is sensible crypto practice keys are changed frequently. In particular, a separate key is required for each communicating pair if no third party is to be able to decrypt their messages. A system of this kind is also known as a private key, secret key, or conventional key cryptosystem. D-H key exchange (and succeeding improvements) made operation of these systems much easier, and more secure, than had ever been possible before.

In contrast, with asymmetric key encryption, there is a pair of mathematically related keys for the algorithm, one of which is used for encryption and the other for decryption. Some, but not all, of these algorithms have the additional property that one of the keys may be made public since the other cannot be (by any currently known method) deduced from the 'public' key. The other key in these systems is kept secret and is usually called, somewhat confusingly, the 'private' key. An algorithm of this kind is known as a public key / private key algorithm, although the term asymmetric key cryptography is preferred by those who wish to avoid the ambiguity of using that term for all such algorithms, and to stress that there are two distinct keys with different secrecy requirements.

As a result, for those using such algorithms, only one key pair is now needed per recipient (regardless of the number of senders) as possession of a recipient's public key (by anyone whomsoever) does not compromise the 'security' of messages so long as the corresponding private key is not known to any attacker (effectively, this means not known to anyone except the recipient). This unanticipated, and quite surprising, property of some of these algorithms made possible, and made practical, widespread deployment of high quality crypto systems which could be used by anyone at all. Which in turn gave government crypto organizations worldwide a severe case of heartburn; for the first time ever, those outside that fraternity had access to cryptography that wasn't readily breakable by the 'snooper' side of those organizations. Considerable controversy, and conflict, began immediately. It has not yet subsided. In the US, for example, exporting strong cryptography remains illegal; cryptographic methods and techniques are classified as munitions. Until 2001 'strong' crypto was defined as anything using keys longer than 40 bits—the definition was relaxed thereafter. (See S Levy's Crypto for a journalistic account of the policy controversy in the US).

Note, however, that it has NOT been proven impossible, for any of the good public/private asymmetric key algorithms, that a private key (regardless of length) can be deduced from a public key (or vice versa). Informed observers believe it to be currently impossible (and perhaps forever impossible) for the 'good' asymmetric algorithms; no workable 'companion key deduction' techniques have been publicly shown for any of them. Note also that some asymmetric key algorithms have been quite thoroughly broken, just as many symmetric key algorithms have. There is no special magic attached to using algorithms which require two keys.

In fact, some of the well respected, and most widely used, public key / private key algorithms can be broken by one or another cryptanalytic attack and so, like other encryption algorithms, the protocols within which they are used must be chosen and implemented carefully to block such attacks. Indeed, all can be broken if the key length used is short enough to permit practical brute force key search; this is inherently true of all encryption algorithms using keys, including both symmetric and asymmetric algorithms.

This is an example of the most fundamental problem for those who wish to keep their communications secure; they must choose a crypto system (algorithms + protocols + operation) that resists all attack from any attacker. There being no way to know who those attackers might be, nor what resources they might be able to deploy, nor what advances in cryptanalysis (or its associated mathematics) might in future occur, users may ONLY do the best they know how, and then hope. In practice, for well designed / implemented / used crypto systems, this is believed by informed observers to be enough, and possibly even enough for all(?) future attackers. Distinguishing between well designed / implemented / used crypto systems and crypto trash is another, quite difficult, problem for those who are not themselves expert cryptographers. It is even quite difficult for those who are.

### Revision of modern history

In recent years public disclosure of secret documents held by the UK government has shown that asymmetric key cryptography, D-H key exchange, and the best known of the public key / private key algorithms (i.e., what is usually called the RSA algorithm), all seem to have been developed at a UK intelligence agency before the public announcement by Diffie and Hellman in '76. GCHQ has released documents claiming that they had developed public key cryptography before the publication of Diffie and Hellman's paper. Various classified papers were written at GCHQ during the 1960s and 1970s which eventually led to schemes essentially identical to RSA encryption and to Diffie-Hellman key exchange in 1973 and 1974. Some of these have now been published, and the inventors (James Ellis, Clifford Cocks, and Malcolm Williamson) have made public (some of) their work.

# Classical Cryptography

Cryptography has a long and colorful history from Caesar's encryption in first century BC to the 20th century.

There are two major principles in classical cryptography: transposition and substitution.

## Transposition ciphers

Lets look first at transposition, which is the changing in the position of the letters in the message such as a simple writing backwards

    Plaintext: THE PANEL IN THE WALL MOVES
Encrypted: EHT LENAP NI EHT LLAW SEVOM


or as in a more complex transposition such as:

    THEPAN
ELINTH
EWALLM
OVESAA


then take the columns:

    TEEO HLWV EIAE PNLS ATLA NHMA


(the extra letters are called space fillers) The idea in transposition is NOT to randomize it but to transform it to something that is not recognizable with a reversible algorithm (an algorithm is just a procedure, reversible so your correspondent can read the message).

We discuss transposition ciphers in much more detail in a later chapter, Cryptography/Transposition ciphers.

## Substitution ciphers

The second most important principle is substitution. That is, substituting a Symbol for a letter of your plaintext (or word or even sentence). Slang even can sometimes be a form of cipher (the symbols replacing your plaintext), ever wonder why your parents never understood you? Slang, though, is not something you would want to store a secret in for a long time. In WWII, there were Navajo CodeTalkers who passed along info from unit to unit. From what I hear (someone verify this) the Navajo language was a very exclusive almost unknown and unwritten language. So the Japanese were not able to decipher it.

Even though this is a very loose example of substitution, whatever works works.

## Caesar Cipher

One of the most basic methods of encryption is the use of Caesar Ciphers. It simply consist in shifting the alphabet over a few characters and matching up the letters.

The classical example of a substitution cipher is a shifted alphabet cipher

   Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher: BCDEFGHIJKLMNOPQRSTUVWXYZA
Cipher2: CDEFGHIJKLMNOPQRSTUVWXYZAB
etc...


Example:(using cipher 2)

          Plaintext: THE PANEL IN THE WALL MOVES
Encrypted: VJG RCPGN KP VJG YCNN OQXGU


If this is the first time you've seen this it may seem like a rather secure cipher, but it's not. In fact this by itself is very insecure. For a time in the 1500-1600s this was the most secure (mainly because there were many people who were illiterate) but a man (old what's his name) in the 18th century discovered a way to crack (find the hidden message) of every cipher of this type he discovered frequency analysis.

We discuss substitution ciphers in much more detail in a later chapter, Cryptography/Substitution ciphers.

## Frequency Analysis

In the shifted alphabet cipher or any simple randomized cipher, the same letter in the cipher replaces each of the same ones in your message (e.g. 'A' replaces all 'D's in the plaintext, etc.). The weakness is that English uses certain letters more than any other letter in the alphabet. 'E' is the most common, etc. Here's an exercise count all of each letter in this article. You'll find that in the previous sentence there are 2 'H's,7 'E's, 3 'R's, 3 'S's, etc. By far 'E' is the most common letter; here are the other frequencies [Frequency tables|http://rinkworks.com/words/letterfreq.shtml]. Basically you experiment with replacing different symbols with letters (the most common with 'E', etc.).

      Encrypted: VJG TCKP KP URCKP


First look for short words with limited choices of words, such as 'KP' this may be at, in, to, or, by, etc. Let us select in. Replace 'K' with 'I' and 'P' with 'N'.

      Encrypted: VJG TCIN IN URCIN


Next select VJG this is most likely the (since the huge frequency of 'the' in a normal sentence, check a couple of the preceding sentences).

      Encrypted: THE TCIN IN URCIN


generally this in much easier in long messages the plaintext is 'THE RAIN IN SPAIN'

We discuss many different ways to "attack", "break", and "solve" encrypted messages in a later section of this book, "Part III: Cryptanalysis", which includes a much more detailed section on Cryptography/Frequency analysis.

## Combining transposition and substitution

A more secure encryption is a transposed substitution cipher.

Take the above message in encrypted form

      Encrypted:VJG RCPGN KP VJG YCNN OQXGU


now spiral transpose it

          VJGRC
NNOQP
CAAXG
YUNGN
GJVPK


The message starts in the upper right corner and spirals to the center (again the AA is a filler) Now take the columns:

       VNCYG JNAUJ GOANV RQXGP CPGNK


Now this is more resistant to Frequency analysis, see what we did before that started recognizable patterns results in:

       TNCYE HNAUH EOANT RQXEN CNENK


A problem for people who crack codes.

## Multiliteral systems

The vast majority of classical ciphers are "uniliteral" -- they encrypt a plaintext 1 letter at a time, and each plaintext letter is encrypted to a single corresponding ciphertext letter.

A multiliteral system is one where the ciphertext unit is more than one character in length. The major types of multiliteral systems are:[1]

• biliteral systems: 2 letters of ciphertext per letter of plaintext
• dinomic systems: 2 digits of ciphertext per letter of plaintext
• Triliteral systems: 3 letters of ciphertext per letter of plaintext
• trinomic systems: 3 digits of ciphertext per letter of plaintext
• monome-dinome systems, also called straddling checkerboard systems: 1 digit of ciphertext for some plaintext letters, 2 digits of ciphertext for the remaining plaintext letters.
• biliteral with variants and dinomic with variants systems: several ciphertext values decode to the same plaintext letter (homophonic substitution cipher)
• Syllabary square systems: 2 letters or 2 digits of ciphertext decode to an entire syllable or a single character of plaintext.[2]

# Cryptography in Popular Culture

## Books

Digital Fortress, by Dan Brown

## Television series

BBC series Spooks, about MI5, with references to GCHQ

# Timeline of Notable Events

The desire to keep stored or send information secret dates back into antiquity. As society developed so did the application of cryptography. Below is a timeline of notable events related to cryptography.

## BCE

• 3500s - The Sumerians develop cuneiform writing and the Egyptians develop hieroglyphic writing.
• 1500s - The Phoenicians develop an alphabet
• 600-500 - Hebrew scholars make use of simple monoalphabetic substitution ciphers (such as the Atbash cipher)
• c. 400 - Spartan use of scytale (alleged)
• c. 400BCE - Herodotus reports use of steganography in reports to Greece from Persia (tatoo on shaved head)
• 100-0 - Notable Roman ciphers such as the Caeser cipher.

## 1 - 1799 CE

• ca 1000 - Frequency analysis leading to techniques for breaking monoalphabetic substitution ciphers. It was probably developed among the Arabs, and was likely motivated by textual analysis of the Koran.
• 1450 - The Chinese develop wooden block movable type printing
• 1450-1520 - The Voynich manuscript, an example of a possibly encrypted illustrated book, is written.
• 1466 - Leone Battista Alberti invents polyalphabetic cipher, also the first known mechanical cipher machine
• 1518 - Johannes Trithemius' book on cryptology
• 1553 - Belaso invents the (misnamed) Vigenère cipher
• 1585 - Vigenère's book on ciphers
• 1641 - Wilkins' Mercury (English book on cryptography)
• 1586 - Cryptanalysis used by spy master Sir Francis Walsingham to implicate Mary Queen of Scots in the Babington Plot to murder Queen Elizabeth I of England. Queen Mary was eventually executed.
• 1614 - Scotsman John Napier (1550-1617) published a paper outlining his discovery of the logarithm. Napier also invented an ingenious system of moveable rods (referred to as Napier's Rods or Napier's bones) which were a precursor of the slide rule. These were based on logarithms and allowed the operator to multiply, divide and calculate square and cube roots by moving the rods around and placing them in specially constructed boards.
• 1793 - Claude Chappe establishes the first long-distance semaphore "telegraph" line
• 1795 - Thomas Jefferson invents the Jefferson disk cipher, reinvented over 100 years later by Etienne Bazeries and widely used a a tactical cypher by the US Army.

## 1800-1899

• 1809-14 George Scovell's work on Napoleonic ciphers during the Peninsular War
• 1831 - Joseph Henry proposes and builds an electric telegraph
• 1835 - Samuel Morse develops the Morse code.
• c. 1854 - Babbage's method for breaking polyalphabetic cyphers (pub 1863 by Kasiski); the first known break of a polyaphabetic cypher. Done for the English during the Crimean War, a general attack on Vigenère's autokey cipher (the 'unbreakable cypher' of its time) as well as the much weaker cypher that is today termed "the Vigenère cypher". The advance was kept secret and was, in essence, reinvented somewhat later by the Prussian Friedrich Kasiski, after whom it is named.
• 1854 - Wheatstone invents Playfair cipher
• 1883 - Auguste Kerckhoffs publishes La Cryptographie militare, containing his celebrated "laws" of cryptography
• 1885 - Beale ciphers published
• 1894 - The Dreyfus Affair in France involves the use of cryptography, and its misuse, re: false documents.

## 1900 - 1949

• c 1915 - William Friedman applies statistics to cryptanalysis ( coincidence counting, etc.)
• 1917 - Gilbert Vernam develops first practical implementation of a teletype cipher, now known as a stream cipher and, later, with Mauborgne the one-time pad
• 1917 - Zimmermann telegram intercepted and decrypted, advancing U.S. entry into World War I
• 1919 - Weimar Germany Foreign Office adopts (a manual) one-time pad for some traffic
• 1919 - Hebern invents/patents first rotor machine design -- Damm, Scherbius and Koch follow with patents the same year
• 1921 - Washington Naval Conference - U.S. negotiating team aided by decryption of Japanese diplomatic telegrams
• c. 1924 - MI8 (Yardley, et al.) provide breaks of assorted traffic in support of US position at Washington Naval Conference
• c. 1932 - first break of German Army Enigma machine by Rejewski in Poland
• 1929 - U.S. Secretary of State Henry L. Stimson shuts down State Department cryptanalysis "Black Chamber", saying "Gentlemen do not read each other's mail."
• 1931 - The American Black Chamber by Herbert O. Yardley is published, revealing much about American cryptography
• 1940 - break of Japan's Purple machine cipher by SIS team
• December 7, 1941 - U.S. Naval base at Pearl Harbor surprised by Japanese attack, despite U.S. breaks into several Japanese cyphers. U.S. enters World War II
• June 1942 - Battle of Midway. Partial break into Dec 41 edition of JN-25 leads to successful ambush of Japanese carriers and to the momentum killing victory.
• April 1943 - Admiral Yamamoto, architect of Pearl Harbor attack, is assassinated by U.S. forces who know his itinerary from decrypted messages
• April 1943 - Max Newman, Wynn-Williams, and their team (including Alan Turing) at the secret Government Code and Cypher School ('Station X'), Bletchley Park, Bletchley, England, complete the "Heath Robinson". This is a specialized machine for cypher-breaking, not a general-purpose calculator or computer.
• December 1943 - The Colossus was built, by Dr Thomas Flowers at The Post Office Research Laboratories in London, to crack the German Lorenz cipher (SZ42). Colossus was used at Bletchley Park during WW II - as a successor to April's 'Robinson's. Although 10 were eventually built, unfortunately they were destroyed immediately after they had finished their work - it was so advanced that there was to be no possibility of its design falling into the wrong hands. The Colossus design was the first electronic digital computer and was somewhat programmable. A epoch in machine capability.
• 1944 - patent application filed on SIGABA code machine used by U.S. in WW II. Kept secret, finally issued in 2001
• 1946 - VENONA's first break into Soviet espionage traffic from early 1940s
• 1948 - Claude Shannon writes a paper that establishes the mathematical basis of information theory
• 1949 - Shannon's Communication Theory of Secrecy Systems pub in Bell Labs Technical Journal, based on work done during WWII.

## 1950 - 1999

• 1951 - U.S. National Security Agency founded, subsuming the US Army and US Navy 'girls school' departments
• 1968 - John Anthony Walker walks into the Soviet Union's embassy in Washington and sells information on KL-7 cipher machine. The Walker spy ring operates until 1985
• 1964 - David Kahn's The Codebreakers is published
• June 8, 1967 - USS Liberty incident in which a U.S. SIGINT ship is attacked by Israel, apparently by mistake, though some continue to dispute this
• January 23, 1968 - USS Pueblo, another SIGINT ship, is captured by North Korea
• 1969 - The first hosts of ARPANET, Internet's ancestor, are connected
• 1974? - Horst Feistel develops the Feistel network block cipher design at IBM
• 1976 - the Data Encryption Standard was published as an official Federal Information Processing Standard (FIPS) for the US
• 1976 - Diffie and Hellman publish New Directions in Cryptography article
• 1977- RSA public key encryption invented at MIT
• 1981 - Richard Feynman proposes quantum computers. The main application he had in mind was the simulation of quantum systems, but he also mentioned the possibility of solving other problems.
• 1986 In the wake of an increasing number of break-ins to government and corporate computers, the US Congress passes the Computer Fraud and Abuse Act, which makes it a crime to break into computer systems. The law, however, does not cover juveniles.
• 1988 - First optical chip developed, it uses light instead of electricity to increase processing speed.
• 1989 - Tim Berners-Lee and Robert Cailliau built the prototype system which became the World Wide Web at CERN
• 1991 - Phil Zimmermann releases the public key encryption program PGP along with its source code, which quickly appears on the Internet.
• 1992 - Release of the movie Sneakers (film)|Sneakers, in which security experts are blackmailed into stealing a universal decoder for encryption systems (no such decoder is known, likely because it is impossible).
• 1994 - 1st ed of Bruce Schneier's Applied Cryptography is published
• 1994 - Secure Sockets Layer (SSL) encryption protocol released by Netscape
• 1994 - Peter Shor devises an algorithm which lets quantum computers determine the factorization of large integers quickly. This is the first interesting problem for which quantum computers promise a significant speed-up, and it therefore generates a lot of interest in quantum computers.
• 1994 - DNA computing proof of concept on toy traveling salesman problem; a method for input/output still to be determined.
• 1994 - Russian crackers siphon $10 million from Citibank and transfer the money to bank accounts around the world. Vladimir Levin, the 30-year-old ringleader, uses his work laptop after hours to transfer the funds to accounts in Finland and Israel. Levin stands trial in the United States and is sentenced to three years in prison. Authorities recover all but$400,000 of the stolen money.
• 1994 - Formerly proprietary trade secret, but not patented, RC4 cipher algorithm is published on the Internet
• 1994 - first RSA Factoring Challenge from 1977 is decrypted as The Magic Words are Squeamish Ossifrage
• 1995 - NSA publishes the SHA1 hash algorithm as part of its Digital Signature Standard; SHA0 had a flaw corrected by SHA1
• 1997 - Ciphersaber, an encryption system based on RC4 that is simple enough to be reconstructed from memory, is published on Usenet
• 1998 - RIPE project releases final report
• October 1998 - Digital Millennium Copyright Act (DMCA) becomes law in U.S., criminalizing production and dissemination of technology that can circumvent measures taken to protect copyright
• October 1999 - DeCSS, a computer program capable of decrypting content on a DVD, is published on the Internet
• 1999: Bruce Schneier develops the Solitaire cipher, a way to allow field agents to communicate securely without having to rely on electronics or having to carry incriminating tools like a one-time pad. Unlike all previous manual encryption techniques -- except the one-time pad -- this one is resistant to automated cryptanalysis. It is published in Neal Stephenson's Cryptonomicon (2000).

## 2000 and beyond

• January 14, 2000 - U.S. Government announce restrictions on export of cryptography are relaxed (although not removed). This allows many US companies to stop the long running, and rather ridiculous process of having to create US and international copies of their software.
• March 2000 - President Clinton says he doesn't use e-mail to communicate with his daughter, Chelsea Clinton, at college because he doesn't think the medium is secure.
• September 6, 2000 - RSA Security Inc. released their RSA algorithm into the public domain, a few days in advance of their US patent 4405829 expiring. Following the relaxation of the U.S. government export restrictions, this removed one of the last barriers to the world-wide distribution of much software based on cryptographic systems. It should be noted that the IDEA algorithm is still under patent and also that government restrictions still apply in some places.
• 2000 - U.K. Regulation of Investigatory Powers Act 2000|Regulation of Investigatory Powers Act requires anyone to supply their cryptographic key to a duly authorized person on request
• 2001 - Belgian Rijndael algorithm selected as the U.S. Advanced Encryption Standard after a 5 year public search process by National Institute for Standards and Technology (NIST)
• September 11, 2001 - U.S. response to terrorist attacks hampered by Communication during the September 11, 2001 attacks|lack of secure communications
• November 2001 - Microsoft and its allies vow to end "full disclosure" of security vulnerabilities by replacing it with "responsible" disclosure guidelines.
• 2002 - NESSIE project releases final report / selections
• 2003 - CRYPTREC project releases 2003 report / recommendations
• 2004 - the hash MD5 is shown to be vulnerable to practical collision attack
• 2005 - potential for attacks on SHA1 demonstrated
• 2005 - agents from the U.S. FBI demonstrate their ability to crack WEP using publicly available tools
• 2007 - NIST announces w:NIST hash function competition
• 2012 - proclamation of a winner of the w:NIST hash function competition is scheduled
• 2015 - year by which NIST suggests that 80-bit keys for symmetric key cyphers be phased out. Asymmetric key cyphers require longer keys which have different vulnerability parameters.

# Goals of Cryptography

Crytography is the science of secure communication in the presence of third parties (sometimes called "adversaries").

Modern cryptographers and cryptanalysts work in many areas including

• data confidentiality
• data integrity
• authentication
• forward secrecy
• end-to-end auditable voting systems
• digital currency

Classical cryptography focused on "data confidentiality"—keeping pieces of information secret, i.e. of designing technical systems such that an observer can infer as few as possible - optimally none - information from observing the system. The motivation for this is that the owner of the system wants to prevent the observer from taking advantage (e.g. monetary, influential, emotional) of the possible intelligence.

This secrecy or hiding is achieved by removing contextual information from the system's observable state and/or behaviour, without which the observer cannot gain intelligence about the system.

## Examples

The term is very often used in conjunction in the context of message exchange between two entities, but of course not restricted to this case.

### Hiding System State Alone

It may be advantageous for an ATM machine to hide the information as to how much cash is still available in the machine. It may e.g. only disclose the information that no more bank notes are available from it to the holder of a valid debit card.

### Hiding Communication Content

Two companies doing business with each other may not wish to disclose the information on pricing of their products to third parties tapping into their communications.

### Hiding the Fact of Communicating

Well known entities with well known fields of activity may wish to hide the fact that they are communicating at all since an observer aware of their fields of activity may already from the fact of some communication happening, be able to infer information.

# Symmetric Ciphers

A symmetric key cipher (also called a secret-key cipher, or a one-key cipher, or a private-key cipher, or a shared-key cipher) Shared_secretis one that uses the same (necessarily secret) key to encrypt messages as it does to decrypt messages.

Until the invention of asymmetric key cryptography (commonly termed "public key / private key" crypto) in the 1970s, all ciphers were symmetric. Each party to the communication needed a key to encrypt a message; and a recipient needed a copy of the same key to decrypt the message. This presented a significant problem, as it required all parties to have a secure communication system (e.g. face-to-face meeting or secure courier) in order to distribute the required keys. The number of secure transfers required rises impossibly, and wholly impractically, quickly with the number of participants.

### Formal Definition

Any cryptosystem based on a symmetric key cipher conforms to the following definition:

• M : message to be enciphered
• K : a secret key
• E : enciphering function
• D : deciphering function
• C : enciphered message. C := E(M, K)
• For all M, C, and K, M = D(C,K) = D(E(M,K),K)

### Reciprocal Ciphers

Some shared-key ciphers are also "reciprocal ciphers." A reciprocal cipher applies the same transformation to decrypt a message as the one used to encrypt it. In the language of the formal definition above, E = D for a reciprocal cipher.

An example of a reciprocal cipher is Rot 13, in which the same alphabetic shift is used in both cases.

The xor-cipher (often used with one-time-pads) is another reciprocal cipher.[3]

Reciprocal ciphers have the advantage that the decoding machine can be set up exactly the same as the encoding machine -- reciprocal ciphers do not require the operator to remember to switch between "decoding" and "encoding".[4]

Symmetric key ciphers are typically much less computational overhead Overhead_(computing) than Asymmetric ciphers, sometimes this difference in computing overhead per character can be several orders of magnitude[5]. As such they are still used for bulk encryption of files and data streams for online applications.

### Use

To set up a secure communication session Session_key between two parties the following actions take place Transport_Layer_Security:

1. Alice tells Bob (in cleartext) that she wants a secure connection.
2. Bob generates a single use (session), public/private (asymmetric) key pair (Kpb Kpr).
3. Alice generates a single use (session) symmetric key. This will be the shared secret (Ks).
4. Bob sends Alice the public key (Kpb).
5. Alice encrypts her shared session key Ks with the Public key Kpb Ck := E(Ks, Kpb) and sends it to Bob
6. Bob decrypts the message with his private key to obtains the shared session key Ks := D(Ck, Kpr)
7. Now Alice and Bob have a shares secret (symmetric key) to secure communication on this connection for this session
8. Either party can encrypt a message simply by C := E(M, Ks) and decrypt is by M = D(C,K) = D(E(M,Ks),Ks)

This is the Basis for Diffie–Hellman Diffie_Hellman_key_exchange key exchange Key exchange and its more advanced successors Transport_Layer_Security.

## Examples

This page or section of the Cryptography book is a stub. You can help Wikibooks by expanding it.

# Asymmetric Ciphers

In cryptography, an asymmetric key algorithm uses a pair of different, though related, cryptographic keys to encrypt and decrypt. The two keys are related mathematically; a message encrypted by the algorithm using one key can be decrypted by the same algorithm using the other. In a sense, one key "locks" a lock (encrypts); but a different key is required to unlock it (decrypt).

Some, but not all, asymmetric key cyphers have the "public key" property, which means that there is no known effective method of finding the other key in a key pair, given knowledge of one of them. This group of algorithms is very useful, as it entirely evades the key distribution problem inherent in all symmetric key cyphers and some of the asymmetric key cyphers. One may simply publish one key while keeping the other secret. They form the basis of much of modern cryptographic practice.

## A Postal Analogy

An analogy which can be used to understand the advantages of an asymmetric system is to imagine two people, Alice and Bob, sending a secret message through the public mail. In this example, Alice has the secret message and wants to send it to Bob, after which Bob sends a secret reply.

With a symmetric key system, Alice first puts the secret message in a box, and then locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alice's key (which he has somehow obtained previously) to open the box, and reads the message. Bob can then use the same padlock to send his secret reply.

In an asymmetric key system, Bob and Alice have separate padlocks. Firstly, Alice asks Bob to send his open padlock to her through regular mail, keeping his key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alice's open padlock to lock the box before sending it back to her. The critical advantage in an asymmetric key system is that Bob and Alice never need send a copy of their keys to each other. This substantially reduces the chance that a third party (perhaps, in the example, a corrupt postal worker) will copy a key while it is in transit, allowing said third party to spy on all future messages sent between Alice and Bob. In addition, if Bob were to be careless and allow someone else to copy his key, Alice's messages to Bob will be compromised, but Alice's messages to other people would remain secret, since the other people would be providing different padlocks for Alice to use...

## Actual Algorithms - Two Linked Keys

Fortunately cryptography is not concerned with actual padlocks, but with encryption algorithms which aren't vulnerable to hacksaws, bolt cutters, or liquid nitrogen attacks.

Not all asymmetric key algorithms operate in precisely this fashion. The most common have the property that Alice and Bob own two keys; neither of which is (so far as is known) deducible from the other. This is known as public-key cryptography, since one key of the pair can be published without affecting message security. In the analogy above, Bob might publish instructions on how to make a lock ("public key"), but the lock is such that it is impossible (so far as is known) to deduce from these instructions how to make a key which will open that lock ("private key"). Those wishing to send messages to Bob use the public key to encrypt the message; Bob uses his private key to decrypt it.

## Weaknesses

Of course, there is the possibility that someone could "pick" Bob's or Alice's lock. Unlike the case of the one-time pad or its equivalents, there is no currently known asymmetric key algorithm which has been proven to be secure against a mathematical attack. That is, it is not known to be impossible that some relation between the keys in a key pair, or a weakness in an algorithm's operation, might be found which would allow decryption without either key, or using only the encryption key. The security of asymmetric key algorithms is based on estimates of how difficult the underlying mathematical problem is to solve. Such estimates have changed both with the decreasing cost of computer power, and with new mathematical discoveries.

Weaknesses have been found in promising asymmetric key algorithms in the past. The 'knapsack packing' algorithm was found to be insecure when an unsuspected attack came to light. Recently, some attacks based on careful measurements of the exact amount of time it takes known hardware to encrypt plain text have been used to simplify the search for likely decryption keys. Thus, use of asymmetric key algorithms does not ensure security; it is an area of active research to discover and protect against new and unexpected attacks.

Another potential weakness in the process of using asymmetric keys is the possibility of a 'Man in the Middle' attack, whereby the communication of public keys is intercepted by a third party and modified to provide the third party's own public keys instead. The encrypted response also must be intercepted, decrypted and re-encrypted using the correct public key in all instances however to avoid suspicion, making this attack difficult to implement in practice.

## A Brief History

The first known asymmetric key algorithm was invented by Clifford Cocks of GCHQ in the UK. It was not made public at the time, and was reinvented by Rivest, Shamir, and Adleman at MIT in 1976. It is usually referred to as RSA as a result. RSA relies for its security on the difficulty of factoring very large integers. A breakthrough in that field would cause considerable problems for RSA's security. Currently, RSA is vulnerable to an attack by factoring the 'modulus' part of the public key, even when keys are properly chosen, for keys shorter than perhaps 700 bits. Most authorities suggest that 1024 bit keys will be secure for some time, barring a fundamental breakthrough in factoring practice or practical quantum computers, but others favor longer keys.

At least two other asymmetric algorithms were invented after the GCHQ work, but before the RSA publication. These were the Ralph Merkle puzzle cryptographic system and the Diffie-Hellman system. Well after RSA's publication, Taher Elgamal invented the Elgamal discrete log cryptosystem which relies on the difficulty of inverting logs in a finite field. It is used in the SSL, TLS, and DSA protocols.

A relatively new addition to the class of asymmetric key algorithms is elliptic curve cryptography. While it is more complex computationally, many believe it to represent a more difficult mathematical problem than either the factorisation or discrete logarithm problems.

## Practical limitations and hybrid cryptosystems

One drawback of asymmetric key algorithms is that they are much slower (factors of 1000+ are typical) than 'comparably' secure symmetric key algorithms. In many quality crypto systems, both algorithm types are used; they are termed 'hybrid systems'. PGP is an early and well-known hybrid system. The receiver's public key encrypts a symmetric algorithm key which is used to encrypt the main message. This combines the virtues of both algorithm types when properly done.

We discuss asymmetric ciphers in much more detail later in the Public Key Overview and following sections of this book.

# Random number generation

The generation of random numbers is essential to cryptography. One of the most difficult aspect of cryptographic algorithms is in depending on or generating, true random information. This is problematic, since there is no known way to produce true random data, and most especially no way to do so on a finite state machine such as a computer.

There are generally two kinds of random number generators: non-deterministic random number generators, sometimes called "true random number generators" (TRNG), and deterministic random number generators, also called pseudorandom number generators (PRNG).[10]

Many high-quality cryptosystems use both -- a hardware random-number generator to periodically re-seed a deterministic random number generator.

Quantum mechanical theory suggests that some physical processes are inherently random (though collecting and using such data presents problems), but deterministic mechanisms, such as computers, cannot be. Any stochastic process (generation of random numbers) simulated on a computer, however, is not truly random, but only pseudorandom.

Within the limitations of pseudorandom generators, any quality pseudorandom number generator must:

• have a uniform distribution of values, in all dimensions
• have no detectable pattern, ie generate numbers with no correlations between successive numbers
• have a very long cycle length
• have no, or easily avoidable, weak initial conditions which produce patterns or short cycles

## Methods of Pseudorandom Number Generation

Keeping in mind that we are dealing with pseudorandom number generation (i.e. numbers generated from a finite state machine, as a computer), there are various ways to randomly generate numbers.

In C and C++ the function rand() returns a pseudo-random integer between zero and RAND_MAX (internally defined constant), defined with the srand() function; otherwise it will use the default seed and consistently return the same numbers when the program is restarted. Most such libraries have short cycle lengths and are not usable for cryptographic purposes.

"Numerical Recipes in C" reviews several random number generators and recommends a modified version of the DES cypher as their highest quality recommended random number generator. "Practical Cryptography" (Ferguson and Schneier) recommend a design they have named Fortuna; it supersedes their earlier design called Yarrow.

## Methods of nondeterministic number generation

As of 2004, the best random number generators have 3 parts: an unpredictable nondeterministic mechanism, entropy assessment, and conditioner. The nondeterministic mechanism (also called the entropy source) generates blocks of raw biased bits. The entropy assessment part produces a conservative estimate of the min-entropy of some block of raw biased bits. The conditioner (also called a whitener, an unbiasing algorithm, or a randomness extractor) distills the block of raw bits into a much smaller block of conditioned output bits -- an output block of bits half the size of the estimated entropy (in bits) of the raw biased bits -- eliminating any systematic bias. If the estimate is good, the conditioned output bits are unbiased full-entropy bits even if the nondeterministic mechanism degrades over time. In practice, the entropy assessment is the difficult part.[11]

# Hashes

A digest, sometimes simply called a hash, is the result of a hash function, a specific mathematical function or algorithm, that can be described as ${\displaystyle f(message)=hash}$. "Hashing" is required to be a deterministic process, and so, every time the input block is "hashed" by the application of the same hash function, the resulting digest or hash is constant, maintaining a verifiable relation with the input data. Thus making this type of algorithms useful for information security.

Other processes called cryptographic hashes, function similarly to hashing, but require added security, in the form or a level of guarantee that the input data can not feasibly be reversed from the generated hash value. I.e. That there is no useful inverse hash function ${\displaystyle f'(hash)=message}$

This property can be formally expanded to provide the following properties of a secure hash:

• Preimage resistant : Given H it should be hard to find M such that H = hash(M).
• Second preimage resistant: Given an input m1, it should be hard to find another input, m2 (not equal to m1) such that hash(m1) = hash(m2).
• Collision-resistant: it should be hard to find two different messages m1 and m2 such that hash(m1) = hash(m2). Because of the birthday paradox this means the hash function must have a larger image than is required for preimage-resistance.

A hash function is the implementation of an algorithm that, given some data as input, will generate a short result called a digest. A useful hash function generates a fixed length of hashed value.

For Ex: If our hash function is 'X' and we have 'wiki' as our input... then X('wiki')= a5g78 i.e. some hash value.

## Applications of hash functions

Non-cryptographic hash functions have many applications,[1] but in this section we focus on applications that specifically require cryptographic hash functions:

A typical use of a cryptographic hash would be as follows: Alice poses to Bob a tough math problem and claims she has solved it. Bob would like to try it himself, but would yet like to be sure that Alice is not bluffing. Therefore, Alice writes down her solution, appends a random nonce, computes its hash and tells Bob the hash value (whilst keeping the solution secret). This way, when Bob comes up with the solution himself a few days later, Alice can verify his solution but still be able to prove that she had the solution earlier.

In actual practice, Alice and Bob will often be computer programs, and the secret would be something less easily spoofed than a claimed puzzle solution. The above application is called a commitment scheme. Another important application of secure hashes is verification of message integrity. Determination of whether or not any changes have been made to a message (or a file), for example, can be accomplished by comparing message digests calculated before, and after, transmission (or any other event) (see Tripwire, a system using this property as a defense against malware and malfeasance). A message digest can also serve as a means of reliably identifying a file.

A related application is password verification. Passwords should not be stored in clear text, for obvious reasons, but instead in digest form. In a later chapter, Password handling will be discussed in more detail—in particular, why hashing the password once is inadequate.

A hash function is a key part of message authentication (HMAC).

Most distributed version control systems (DVCSs) use cryptographic hashes.[2]

For both security and performance reasons, most digital signature algorithms specify that only the digest of the message be "signed", not the entire message. The Hash functions can also be used in the generation of pseudo-random bits.

SHA-1, MD5, and RIPEMD-160 are among the most commonly-used message digest algorithms as of 2004. In August 2004, researchers found weaknesses in a number of hash functions, including MD5, SHA-0 and RIPEMD. This has called into question the long-term security of later algorithms which are derived from these hash functions. In particular, SHA-1 (a strengthened version of SHA-0), RIPEMD-128 and RIPEMD-160 (strengthened versions of RIPEMD). Neither SHA-0 nor RIPEMD are widely used since they were replaced by their strengthened versions.

Other common cryptographic hashes include SHA-2 and Tiger.

Later we will discuss the "birthday attack" and other techniques people use for Breaking Hash Algorithms.

## Hash speed

When using hashes for file verification, people prefer hash functions that run very fast. They want a corrupted file can be detected as soon as possible (and queued for retransmission, quarantined, or etc.). Some popular hash functions in this category are:

• BLAKE2b
• SHA-3

In addition, both SHA-256 (SHA-2) and SHA-1 have seen hardware support in some CPU instruction sets.

When using hashes for password verification, people prefer hash functions that take a long time to run. If/when a password verification database (the /etc/passwd file, the /etc/shadow file, etc.) is accidentally leaked, they want to force a brute-force attacker to take a long time to test each guess.[3] Some popular hash functions in this category are:

• Argon2
• scrypt
• bcrypt
• PBKDF2

1. applications of non-cryptographic hash functions are described in Data Structures/Hash Tables and Algorithm Implementation/Hashing.
2. Eric Sink. "Version Control by Example". Chapter 12: "Git: Cryptographic Hashes".
3. "Speed Hashing"

# Common flaws and weaknesses

Cryptography relies on puzzles. A puzzle that can not be solved without more information than the cryptanalyst has or can feasibly acquire is an unsolvable puzzle for the attacker. If the puzzle can be understood in a way that circumvents the secret information the cryptanalyst doesn't have then the puzzle is breakable. Obviously cryptography relies on an implicit form of security through obscurity where there currently exists no likely ways to understand the puzzle that will break it. The increasing complexity and subtlety of the mathematical puzzles used in cryptography creates a situation where neither cryptographers or cryptanalysts can be sure of all facets of the puzzle and security.

Like any puzzle, cryptography algorithms are based on assumptions - if these assumptions are flawed then the underlying puzzle may be flawed.

Secret knowledge assumption - Certain secret knowledge is not available to unauthorised people. Attacks such as packet sniffing, keylogging and meet in the middle attacks try to breach this assumption.

Secret knowledge masks plaintext - The secret knowledge is applied to the plaintext so that the nature of the message is no longer obvious. In general the secret knowledge hides the message in way so that the secret knowledge is required in order rediscover the message. Attacks such as chosen plaintext, brute force and frequency analysis try to breach this assumption

### Security

But passwords must protect access and messages against more than just human attackers. There are many machine-based ways of attacking cryptographic algorithms and cryptosystems, so passwords should also be hard to attack automatically. To prevent one important class of automatic attack, the brute force search, passwords must be difficult for the bad guys to guess. be both long (single character passwords are easily guessed, obviously) and, ideally, random—that is, without pattern of any kind. A long enough password will require so much machine time as to be impractical for an attacker. A password without pattern will offer no shortcut to brute force search. These considerations suggest several properties passwords should possess:

• sufficient length to preclude brute force search (common recommendations as of 2010 are at least 8 characters, and more when any class of character is not allowed (e.g. if lower case is not permitted, or non alphanumeric characters are not permitted, ..., a longer password is required); more length is required if the password should remain unbreakable into the future (when computers will be faster and brute force searches more effective)
• no names (pets, friends, relatives, ...), no words findable in any dictionary, no phrases found in any quotation book
• no personally connected numbers or information (telephone numbers, addresses, birthdays)

Password handling is simultaneously one of the few Solved Problems of Cryptography, *and* one of the most misunderstood.

Any web server that stores user passwords in plain text in some file or database somewhere, is doing it wrong.[2][3][4][5][6]

Passwords are usually not stored in cleartext, for obvious reasons, but instead in digest form. To authenticate a user, the password presented by the user is salted, hashed, and compared with the stored hash.[7]

PBKDF2 was originally designed to "generating a cryptographic key from a password", but it turns out to be good for generating password digests for safe storage for authentication purposes.[8][9]

In 2013, because only 3 algorithms are available for generating password digests for safe storage for authentication purposes—PBKDF2, bcrypt, and scrypt[6]—In 2013, the Password Hashing Competition (PHC) was announced. [10][11][12][13]

### passphrase hashing algorithm

 To do: mention some historic password hashing algorithms, such as the Purdy polynomial by Wikipedia: George B. Purdy; the traditional DES-based scheme that truncates the user's password to eight characters; and also say a few words about how the Modular Crypt Format Wikipedia: Crypt (C) makes it easier to transition to a new password hashing algorithm.

The main difference between a password hashing algorithm and other cryptographic hash algorithms is that a password hashing algorithm should make it difficult for attackers who have massively parallel GPUs and FPGAs to recover a passphrase—even if the passphrase is relatively weak—from the stored password digest. The most common way of doing this is to design the algorithm so the amount of time it takes for such an attacker to recover a weak passphrase should be much longer than the amount of time it takes for an authorized server, when given the correct passphrase, to verify that it is in fact correct.

The password verification utility passwd uses a secret password and non-secret salt to generate password hash digests using the crypt (C) library, which in turn uses many password hashing algorithms.

Often a single shadow password file stores password hash digests generated by several different hash algorithms. The particular hash algorithm used can be identified by a unique code prefix in the resulting hashtext, following a pseudo-standard called Modular Crypt Format.[14][15][16]

Any available hash algorithm is vastly superior to the shameful[17] practice of simply storing passwords in plain text; or storing "encrypting" passwords that can be quickly decrypted to recover the original password.

Unfortunately, practically all available hash algorithms were not originally designed for password hashing.

While one iterations of SHA-2 and SHA-3 are more than adequate for calculating a file verification digest, a message authentication code, or a digital signature when applied to long files, they are too easy to crack when applied to short passwords even when iterated a dozen times. Practically all available hash algorithms as of 2013 are either

(a) already known to be relatively easy to crack (recover a weak password) using GPU-based brute-force password cracking tools, or (b) are too new or haven't been studied enough to know whether it's easy to crack or not.[18]

For example, systems have been built that can recover a valid password from any Windows XP LM hash or 6-printable-character password in at most 6 minutes,[19][20] and can recover any 8-printable-character password from a NTLM hash in at most 5.5 hours.[19]

For example, systems have been built that can run through a dictionary of possible words and common "leet speak" substitutions[20] in order to recover the password that produced some given MD5 hash at a rate of 180 Ghashes/second,[21] or produced some given DEC crypt() digest at a rate of 73 Mhashes/second.[22]

A technique called "key stretching" makes key search attacks more expensive.[23]

1. Burr, Dodson, Polk. "Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology" section A.2.2 "Min Entropy Estimates": "Experience suggests that a significant share of users will choose passwords that are very easily guessed ("password" may be the most commonly selected password, where it is allowed)." [1]
2. a b
3. "Increase the security of an already stored password hash". quote: "a new open competition for password hashing algorithms has been launched, using the model of the previous AES, eSTREAM and SHA-3 competitions. Submissions are due for the end of January 2014."
4. Simson Garfinkel, Alan Schwartz, Gene Spafford. "Practical Unix & Internet Security". 2003. section "4.3.2.3 crypt16( ), DES Extended, and Modular Crypt Format". "The Modular Crypt Format (MCF) specifies an extensible scheme for formatting encrypted passwords. MCF is one of the most popular formats for encrypted passwords"
5. Dennis Fisher. "Cryptographers aim to find new password hashing algorithm". 2013.
6. a b Paul Roberts. "Update: New 25 GPU Monster Devours Passwords In Seconds". 2012.
7. a b
8. Jeremi M. Gosney. "Password Cracking HPC". 2012.
9. Arnold Reinhold. "HEKS: A Family of Key Stretching Algorithms". 1999.

# S-box

In cryptography, an S-Box (Substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext — Claude Shannon's property of confusion.[1] In many cases, the S-Boxes are carefully chosen to resist cryptanalysis.

In general, an S-Box takes some number of input bits, m, and transforms them into some number of output bits, n: an m×n S-Box can be implemented as a lookup table with ${\displaystyle 2^{m}}$ words of n bits each. Fixed tables are normally used, as in the Data Encryption Standard (DES), but in some ciphers the tables are generated dynamically from the key; e.g. the Blowfish and the Twofish encryption algorithms. Bruce Schneier describes IDEA's modular multiplication step as a key-dependent S-Box.

Given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits (the first and last bits), and the column using the inner four bits. For example, an input "011011" has outer bits "01" and inner bits "1101"; the corresponding output would be "1001".

The 8 S-Boxes of DES were the subject of intense study for many years out of a concern that a backdoor — a vulnerability known only to its designers — might have been planted in the cipher. The S-Box design criteria were eventually published[2] after the public rediscovery of differential cryptanalysis, showing that they had been carefully tuned to increase resistance against this specific attack. Other research had already indicated that even small modifications to an S-Box could significantly weaken DES.

There has been a great deal of research into the design of good S-Boxes, and much more is understood about their use in block ciphers than when DES was released.

## References

1. Chandrasekaran, J. et al. (2011). "A Chaos Based Approach for Improving Non Linearity in the S-Box Design of Symmetric Key Cryptosystems". in Meghanathan, N. et al.. Advances in Networks and Communications: First International Conference on Computer Science and Information Technology, CCSIT 2011, Bangalore, India, January 2-4, 2011. Proceedings, Part 2. Springer. p. 516. ISBN 978-3-642-17877-1.
2. Coppersmith, Don (1994). "The Data Encryption Standard (DES) and its strength against attacks" (PDF). IBM Journal of Research and Development 38 (3): 243–250. doi:10.1147/rd.383.0243. Retrieved 2007-02-20.

# Basic Design Principles

Good ciphers often attempt to have the following traits.

## Kerckhoffs's principle

Kerckhoffs's principle, also called Kerckhoffs's law:

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

In the words of Claude Shannon, "The enemy knows the system." (Shannon's maxim).

 To do: Say something about "security through obscurity" here. Perhaps also something about Kerckhoff's other 5 principles.

## Diffusion

Having good diffusion means that making a small change in the plain text should ideally cause as much as possible of cipher text to have a fifty percent possibility of change.

For example a Caesar cipher has almost no diffusion while a block cypher may contain lots of it.

## Confusion

For good confusion the relationship between the cypher text and the plain text should be as complex as possible.

# Open Algorithms

Creating a good cryptographic algorithm that will stand against all that the best cryptanalysis can throw at it, is hard. Very hard. So, this is why most people design algorithms by first designing the basic system, then refining it, and finally letting it lose for all to see.

Why, do this? Surely, if you let everyone see your code that turns a plain bit of text into garbled rubbish, then they will be able to reverse it! This assumption is unfortunately wrong. Now the algorithms that have been/ are being made are so strong, that just reversing the algorithm is not effective when trying to crack it. And when you let people look at your algorithm, they may spot a security flaw that nobody else could see. We talk more about this counter-intuitive idea in another chapter, Basic Design Principles#Kerckhoffs's principle.

AES, one of the newest and strongest (2010) algorithms in the world, was created by a team of two people, and was put forward into a sort of competition, where only the best algorithm would be examined and put forward to be selected for the title of the Advanced Encryption Standard. There were about 35 entrants, and although all of them appeared strong at first, it soon became clear that some of these apparently strong algorithms were in fact, very weak!

AES is a good example of open algorithms.

# Mathematical Background

See Talk page for other suggestions.

## Introduction

Modern public-key (asymmetric) cryptography is based upon a branch of mathematics known as number theory, which is concerned solely with the solution of equations that yield only integer results. These type of equations are known as diophantine equations, named after the Greek mathematician Diophantos of Alexandria (ca. 200 CE) from his book Arithmetica that addresses problems requiring such integral solutions.

One of the oldest diophantine problems is known as the Pythagorean problem, which gives the length of one side of a right triangle when supplied with the lengths of the other two side, according to the equation

${\displaystyle a^{2}+b^{2}=c^{2}\ }$

where ${\displaystyle c\ }$ is the length of the hypotenuse. While two sides may be known to be integral values, the resultant third side may well be irrational. The solution to the Pythagorean problem is not beyond the scope, but is beyond the purpose of this chapter. Therefore, example integral solutions (known as Pythagorean triplets) will simply be presented here. It is left as an exercise for the reader to find additional solutions, either by brute-force or derivation.

Pythagorean Triplets
${\displaystyle a\ }$ ${\displaystyle b\ }$ ${\displaystyle c\ }$
3 4 5
5 12 13
7 24 25
8 15 17

## Prime Numbers

### Description

Asymmetric key algorithms rely heavily on the use of prime numbers, usually exceedingly long primes, for their operation. By definition, prime numbers are divisible only by themselves and 1. In other words, letting the symbol | denote divisibility (i.e. - ${\displaystyle a|b}$ means "${\displaystyle b}$ divides into ${\displaystyle a}$"), a prime number strictly adheres to the following mathematical definition

${\displaystyle p\ }$ | ${\displaystyle b\ }$ Where ${\displaystyle b=1\ }$ or ${\displaystyle p\ }$ only

The Fundamental Theorem of Arithmetic states that all integers can be decomposed into a unique prime factorization. Any integer greater than 1 is considered either prime or composite. A composite number is composed of more than one prime factor

${\displaystyle c\ }$ | ${\displaystyle b\ }$ where ultimately ${\displaystyle b=p_{0}^{e_{0}}p_{1}^{e_{1}}\cdot \cdot \cdot p_{n}^{e_{n}}\ }$

in which ${\displaystyle p_{n}\ }$ is a unique prime number and ${\displaystyle e_{n}\ }$ is the exponent.

#### Numerical Examples

543,312 = 24 ${\displaystyle \cdot }$ 32 ${\displaystyle \cdot }$ 50 ${\displaystyle \cdot }$ 73 ${\displaystyle \cdot }$ 111
553,696 = 25 ${\displaystyle \cdot }$ 30 ${\displaystyle \cdot }$ 50 ${\displaystyle \cdot }$ 70 ${\displaystyle \cdot }$ 113 ${\displaystyle \cdot }$ 131


As can be seen, according to this systematic decomposition, each factorization is unique.

In order to deterministically verify whether an integer ${\displaystyle a\ }$ is prime or composite, only the primes ${\displaystyle p\leq {\sqrt {c}}\ }$ need be examined. This type of systematic, thorough examination is known as a brute-force approach. Primes and composites are noteworthy in the study of cryptography since, in general, a public key is a composite number which is the product of two or more primes. One (or more) of these primes may constitute the private key.

There are several types and categories of prime numbers, three of which are of importance to cryptography and will be discussed here briefly.

### Fermat Primes

Fermat numbers take the following form

${\displaystyle F_{n}=2^{2^{n}}+1\ }$

If Fn is prime, then it is called a Fermat prime.

#### Numerical Examples

${\displaystyle F_{0}=2^{2^{0}}+1=3\ }$
${\displaystyle F_{1}=2^{2^{1}}+1=5\ }$
${\displaystyle F_{2}=2^{2^{2}}+1=17\ }$
${\displaystyle F_{3}=2^{2^{3}}+1=257\ }$
${\displaystyle F_{4}=2^{2^{4}}+1=65,537\ }$
${\displaystyle F_{5}=2^{2^{5}}+1=4,294,967,297\ }$


The only Fermat numbers known to be prime are ${\displaystyle F_{0}-F_{4}\ }$. Moreover, the primality of all Fermat numbers was disproven by Euler, who showed that ${\displaystyle F_{5}=641\cdot 6,700,417}$.

### Mersenne Primes

Mersenne primes - another type of formulaic prime generation - follow the form

${\displaystyle M_{p}=2^{p}-1\ }$

where ${\displaystyle p\ }$ is a prime number. The [8] Wolfram Alpha engine reports Mersenne Primes, an example input request being "4th Mersenne Prime".

#### Numerical Examples

The first four Mersenne primes are as follows

${\displaystyle M_{2}=2^{2}-1=3\ }$
${\displaystyle M_{3}=2^{3}-1=7\ }$
${\displaystyle M_{5}=2^{5}-1=31\ }$
${\displaystyle M_{7}=2^{7}-1=127\ }$


Numbers of the form Mp = 2p without the primality requirement are called Mersenne numbers. Not all Mersenne numbers are prime, e.g. M11 = 211−1 = 2047 = 23 · 89.

### Coprimes (Relatively Prime Numbers)

Two numbers are said to be coprime if the largest integer that divides evenly into both of them is 1. Mathematically, this is written

${\displaystyle \gcd(a,b)=1\ }$

where ${\displaystyle \gcd \ }$ is the greatest common divisor. Two rules can be derived from the above definition

If ${\displaystyle ab\ }$ | ${\displaystyle c\ }$ and ${\displaystyle \gcd(b,c)=1\ }$, then ${\displaystyle a\ }$ | ${\displaystyle c\ }$
If ${\displaystyle ab=c^{2}\ }$ with ${\displaystyle \gcd(a,b)=1\ }$, then both ${\displaystyle a\ }$ and ${\displaystyle b\ }$ are squares, i.e. - ${\displaystyle a=a_{0}^{2}\ }$, ${\displaystyle b=b_{0}^{2}\ }$

### The Prime Number Theorem

The Prime Number Theorem estimates the probability that any integer, chosen randomly will be prime. The estimate is given below, with ${\displaystyle \pi (x)\ }$ defined as the number of primes ${\displaystyle \leq x\ }$

${\displaystyle \pi (x)\approx {\frac {x}{\ln x}}\ }$

${\displaystyle \pi (x)\ }$ is asymptotic to ${\displaystyle {\frac {x}{\ln x}}\ }$, that is to say ${\displaystyle \quad \lim _{x\to \infty }{\frac {\pi (x)}{\ln x}}=1\ }$. What this means is that generally, a randomly chosen number is prime with the approximate probability ${\displaystyle {\tfrac {1}{x}}\ }$.

## The Euclidean Algorithm

### Introduction

The Euclidean Algorithm is used to discover the greatest common divisor of two integers. In cryptography, it is most often used to determine if two integers are coprime, i.e. - ${\displaystyle \gcd(a,b)=1\ }$.

In order to find ${\displaystyle \gcd(a,b)\ }$ where ${\displaystyle a>b\ }$ efficiently when working with very large numbers, as with cryptosystems, a method exists to do so. The Euclidean algorithm operates as follows - First, divide ${\displaystyle a\ }$ by ${\displaystyle b\ }$, writing the quotient ${\displaystyle q_{1}\ }$, and the remainder ${\displaystyle r_{1}\ }$. Note this can be written in equation form as ${\displaystyle a=q_{1}b+r_{1}\ }$. Next perform the same operation using ${\displaystyle b\ }$ in ${\displaystyle a\ }$'s place: ${\displaystyle b=q_{2}r_{1}+r_{2}\ }$. Continue with this pattern until the final remainder is zero. Numerical examples and a formal algorithm follow which should make this inherent pattern clear.

### Mathematical Description

${\displaystyle a=q_{1}b+r_{1}\ }$
${\displaystyle b=q_{2}r_{1}+r_{2}\ }$
${\displaystyle r_{1}=q_{3}r_{2}+r_{3}\ }$
${\displaystyle r_{2}=q_{4}r_{3}+r_{4}\ }$
${\displaystyle \cdot \ }$
${\displaystyle \cdot \ }$
${\displaystyle \cdot \ }$
${\displaystyle r_{n-2}=q_{n}r_{n-1}+r_{n}\ }$


When ${\displaystyle r_{n}=0\ }$, stop with ${\displaystyle \gcd(a,b)=r_{n-1}\ }$.

### Numerical Examples

Example 1 - To find gcd(17,043,12,660)

17,043 = 1 ${\displaystyle \cdot }$ 12,660 + 4383
12,660 = 2 ${\displaystyle \cdot }$ 4,383 + 3894
4,383 = 1 ${\displaystyle \cdot }$ 3,894 + 489
3,894 = 7 ${\displaystyle \cdot }$ 489 + 471
489 = 1 ${\displaystyle \cdot }$ 471 + 18
471 = 26 ${\displaystyle \cdot }$ 18 + 3
18 = 6 ${\displaystyle \cdot }$ 3 + 0


gcd (17,043,12,660) = 3 \ [/itex]

Example 2 - To find gcd(2,008,1,963)

2,008 = 1 ${\displaystyle \cdot }$ 1,963 + 45
1,963 = 43 ${\displaystyle \cdot }$ 45 + 28
45 = 1 ${\displaystyle \cdot }$ 28 + 17
28 = 1 ${\displaystyle \cdot }$ 17 + 11
17 = 1 ${\displaystyle \cdot }$ 11 + 6
11 = 1 ${\displaystyle \cdot }$ 6 + 5
6 = 1 ${\displaystyle \cdot }$ 5 + 1
5 = 5 ${\displaystyle \cdot }$ 1 + 0


gcd (2,008,1963) = 1 Note: the two number are coprime.

### Algorithmic Representation

Euclidean Algorithm(a,b)
Input:     Two integers a and b such that a > b
Output:    An integer r = gcd(a,b)
1.   Set a0 = a, r1 = r
2.   r = a0 mod r1
3.   While(r1 mod r ${\displaystyle \neq }$ 0) do:
4.      a0 = r1
5.      r1 = r
6.      r = a0 mod r1
7.   Output r and halt


## The Extended Euclidean Algorithm

In order to solve the type of equations represented by Bézout's identity, as shown below

${\displaystyle au+bv=\gcd(a,b)\ }$

where ${\displaystyle a\ }$, ${\displaystyle b\ }$, ${\displaystyle u\ }$, and ${\displaystyle v\ }$ are integers, it is often useful to use the extended Euclidean algorithm. Equations of the form above occur in public key encryption algorithms such as RSA (Rivest-Shamir-Adleman) in the form ${\displaystyle ed+w(p-1)(q-1)=1\ }$ where ${\displaystyle \gcd(e,(p-1)(q-1))=1\ }$. There are two methods in which to implement the extended Euclidean algorithm; the iterative method and the recursive method.

As an example, we shall solve an RSA key generation problem with e = 216 + 1, p = 3,217, q = 1,279. Thus, 62,537d + 51,456w = 1.

### Methods

#### The Iterative Method

This method computes expressions of the form ${\displaystyle r_{i}=ax_{i}+by_{i}}$ for the remainder in each step ${\displaystyle i}$ of the Euclidean algorithm. Each modulus can be written in terms of the previous two remainders and their whole quotient as follows:

${\displaystyle r_{i}=r_{i-2}-\left\lfloor {\frac {r_{i-2}}{r_{i-1}}}\right\rfloor \cdot r_{i-1}}$

By substitution, this gives:

${\displaystyle r_{i}=(ax_{i-2}+by_{i-2})-\left\lfloor {\frac {r_{i-2}}{r_{i-1}}}\right\rfloor \cdot (ax_{i-1}+by_{i-1})}$
${\displaystyle r_{i}=a(x_{i-2}-\left\lfloor {\frac {r_{i-2}}{r_{i-1}}}\right\rfloor \cdot x_{i-1})+b(y_{i-2}-\left\lfloor {\frac {r_{i-2}}{r_{i-1}}}\right\rfloor \cdot y_{i-1})}$

The first two values are the initial arguments to the algorithm:

${\displaystyle r_{1}=a=a(1)+b(0)\ }$
${\displaystyle r_{2}=b=a(0)+b(1)\ }$

The expression for the last non-zero remainder gives the desired results since this method computes every remainder in terms of a and b, as desired.

##### Example
Step Quotient Remainder Substitute Combine terms
1 4,110,048 = a 4,110,048 = 1a + 0b
2 65,537 = b 65,537 = 0a + 1b
3 62 46,754 = 4,110,048 - 65,537 ${\displaystyle \cdot }$ 62 46,754 = (1a + 0b) - (0a + 1b) ${\displaystyle \cdot }$ 62 46,754 = 1a - 62b
4 1 18,783 = 65,537 - 46,754 ${\displaystyle \cdot }$ 1 18,783 = (0a + 1b) - (1a - 62b) ${\displaystyle \cdot }$ 1 18,783 = -1a + 63b
5 2 9,188 = 46,754 - 18,783 ${\displaystyle \cdot }$ 2 9,188 = (1a - 62b) - (-1a + 62b) ${\displaystyle \cdot }$ 2 9,188 = 3a - 188b
6 2 407 = 18,783 - 9,188 ${\displaystyle \cdot }$ 2 407 = (-1a + 63b) - (3a - 188b) ${\displaystyle \cdot }$ 2 407 = -7a + 439b
7 22 234 = 9,188 - 407 ${\displaystyle \cdot }$ 22 234 = (3a - 188b) - (-7a + 439b) ${\displaystyle \cdot }$ 22 234 = 157a - 9,846b
8 1 173 = 407 - 234 ${\displaystyle \cdot }$ 1 173 = (-7a + 439b) - (157a - 9,846b) ${\displaystyle \cdot }$ 1 173 = -164a + 10,285b
9 1 61 = 234 - 173 ${\displaystyle \cdot }$ 1 61 = (157a - 9,846b) - (-164a + 10,285b) ${\displaystyle \cdot }$ 1 61 = 321a + 20,131b
10 2 51 = 173 - 61 ${\displaystyle \cdot }$ 2 51 = (-164a + 10,285b) - (321a +20,131b) ${\displaystyle \cdot }$ 2 51 = -806a + 50,547b
11 1 10 = 61 - 51 ${\displaystyle \cdot }$ 1 61 = (321a +20,131b) - (-806a + 50,547b) ${\displaystyle \cdot }$ 1 10 = 1,127a - 70,678b
12 5 1 = 51 -10 ${\displaystyle \cdot }$ 5 1 = (-806a + 50,547b) - (1,127a - 70,678b) ${\displaystyle \cdot }$ 5 1 = -6,441a + 403,937b
13 10 0 End of algorithm

Putting the equation in its original form ${\displaystyle ed+w(p-1)(q-1)=1\ }$ yields ${\displaystyle (65,537)(403,937)+(-6,441)(3,217-1)(1,279-1)=1\ }$, it is shown that ${\displaystyle d=403,937\ }$ and ${\displaystyle w=-6,441\ }$. During the process of key generation for RSA encryption, the value for w is discarded, and d is retained as the value of the private key In this case

d = 0x629e1 = 01100010100111100001


#### The Recursive Method

This is a direct method for solving Diophantine equations of the form ${\displaystyle au+bv=\gcd(a,b)\ }$. Using this method, the dividend and the divisor are reduced over a series of steps. At the last step, a trivial value is substituted into the equation, and is then worked backward until the solution is obtained.

##### Example

Using the previous RSA vales of ${\displaystyle (p-1)(p-1)=4,110,048\ }$ and ${\displaystyle e=2^{16}+1=65,537\ }$

Euclidean Expansion Collect Terms Substitute Retrograde Substitution Solve For dx
4,110,048 w0 + 65,537d0 = 1
(62 ${\displaystyle \cdot }$ 65,537 + 46,754) w0 + 65,537d0 = 1
65,537 (62w0 + d0) + 46,754w0 = 1 w1 = 62w0 + d0 4,595 = (62)(-6441) + d0 d0 = 403,937
65,537 w1 + 46,754d1 = 1 d1 = w0 w1 = -6,441
(1 ${\displaystyle \cdot }$ 46,754 + 18,783) w1 + 46,754d1 = 1
46,754 (w1 + d1) + 18,783w1 = 1 w2 = w1 + d1 -1,846 = 4,595 + d1 d1 = -6,441
46,754 w2 + 18,783d2 = 1 d2 = w1
(2 ${\displaystyle \cdot }$ 18,783 + 9,188) w2 + 18,783d2 = 1
18,783 (2w2 + d2) + 9,188w2 = 1 w3 = 2w2 + d2 903 = (2)(-1,846) + d2 d2 = 4,595
18,783 w3 + 9,188d3 = 1 d3 = w2
(2 ${\displaystyle \cdot }$ 9,188 + 407) w3 + 9,188d3 = 1
9,188 (2w3 + d3) + 407w3 = 1 w4 = 2w3 + d3 -40 = (2)(903) + d3 d3 = -1846
9,188 w4 + 407d4 = 1 d4 = w3
(22 ${\displaystyle \cdot }$ 407 + 234) w4 + 407d4 = 1
407 (22w4 + d4) + 234w4 = 1 w5 = 22w4 +d4 23 = (22)(-40) + d4 d4 = 903
407 w5 + 234d5 = 1 d5 = w4
(1 ${\displaystyle \cdot }$ 234 + 173) w5 + 234d5 = 1
234 (w5 + d5) + 173w5 = 1 w6 = w5 +d5 -17 = 23 + d5 d5 = -40
234 w6 + 173d6 = 1 d6 = w5
(1 ${\displaystyle \cdot }$ 173 + 61) w6 + 173d6 = 1
173 (w6 + d6) + 61w6 = 1 w7 = w6 +d6 6 = -17 + d6 d6 = 23
173 w7 + 61d7 = 1 d7 = w6
(2 ${\displaystyle \cdot }$ 61 + 51) w7 + 61d7 = 1
61 (2w7 + d7) + 51w7 = 1 w8 = 2w7 +d7 -5 = (2)(6) + d7 d7 = -17
61 w8 + 51d8 = 1 d8 = w7
(1 ${\displaystyle \cdot }$ 51 + 10) w8 + 51d8 = 1
51 (w8 + d8) + 10w8 = 1 w9 = w8 +d8 1 = -5 + d8 d8 = 6
51 w9 + 10d9 = 1 d9 = w8
(5 ${\displaystyle \cdot }$ 10 + 1) w9 + 10d9 = 1
10 (5w9 + d9) + 1w9 = 1 w10 = 5w9 +d9 0 = (5)(1) + d9 d9 = -5
10 w10 + 1d10 = 1 d10 = w9
(1 ${\displaystyle \cdot }$ 10 + 0) w10 + 1d10 = 1
1 (10w10 + d10) + 0w10 = 1 w11 = 10w10 +d10 1 = (10)(0) + d10 d10 = 1
1 w11 + 0d11 = 1 d11 = w10 w11 = 1, d11 = 0

## Euler's Totient Function

Significant in cryptography, the totient function (sometimes known as the phi function) is defined as the number of nonnegative integers ${\displaystyle a\ }$ less than ${\displaystyle n\ }$ that are coprime to ${\displaystyle n\ }$. Mathematically, this is represented as

${\displaystyle \phi (n)=\left|{\bigg \{}0\leq a\leq n|\gcd(a,n)=1{\bigg \}}\right|}$

Which immediately suggests that for any prime ${\displaystyle p\ }$

${\displaystyle \phi (p)=p-1\ }$

The totient function for any exponentiated prime is calculated as follows

${\displaystyle \phi (p^{\alpha })\ }$
${\displaystyle =p^{\alpha }-p^{\alpha -1}\ }$
${\displaystyle =p^{\alpha }\left(1-{\tfrac {1}{p}}\right)\ }$

The Euler totient function is also multiplicative

${\displaystyle \phi (ab)=\phi (a)\phi (b)\ }$

where ${\displaystyle \gcd(a,b)=1\ }$

## Finite Fields and Generators

A field is simply a set ${\displaystyle \mathbb {F} }$ which contains numerical elements that are subject to the familiar addition and multiplication operations. Several different types of fields exist; for example, ${\displaystyle \mathbb {R} }$, the field of real numbers, and ${\displaystyle \mathbb {Q} }$, the field of rational numbers, or ${\displaystyle \mathbb {C} }$, the field of complex numbers. A generic field is usually denoted ${\displaystyle \mathbb {F} }$.

### Finite Fields

Cryptography utilizes primarily finite fields, nearly exclusively composed of integers. The most notable exception to this are the Gaussian numbers of the form ${\displaystyle a+bi\ }$ which are complex numbers with integer real and imaginary parts. Finite fields are defined as follows

${\displaystyle \left(\mathbb {Z} /n\mathbb {Z} \right)=\mathbb {Z} _{n}\ }$ The set of integers modulo ${\displaystyle n\ }$
${\displaystyle \left(\mathbb {Z} /p\mathbb {Z} \right)=\mathbb {Z} _{p}\ }$ The set of integers modulo a prime ${\displaystyle p\ }$

Since cryptography is concerned with the solution of diophantine equations, the finite fields utilized are primarily integer based, and are denoted by the symbol for the field of integers, ${\displaystyle \mathbb {Z} }$.

A finite field ${\displaystyle \mathbb {F} _{n}\ }$ contains exactly ${\displaystyle n\ }$ elements, of which there are ${\displaystyle n-1\ }$ nonzero elements. An extension of ${\displaystyle \mathbb {Z} _{n}\ }$ is the multiplicative group of ${\displaystyle \mathbb {Z} _{n}\ }$, written ${\displaystyle \left(\mathbb {Z} /n\mathbb {Z} \right)^{*}=\mathbb {Z} _{n}^{*}\ }$, and consisting of the following elements

${\displaystyle a\in \mathbb {Z} _{n}^{*}\ }$ such that ${\displaystyle \gcd(a,n)=1\ }$

in other words, ${\displaystyle \mathbb {Z} _{n}^{*}\ }$ contains the elements coprime to ${\displaystyle n\ }$

Finite fields form an abelian group with respect to multiplication, defined by the following properties

${\displaystyle \centerdot }$ The product of two nonzero elements is nonzero ${\displaystyle \left(ab=c|c\neq 0\right)\ }$
${\displaystyle \centerdot }$ The associative law holds ${\displaystyle \left(\left(ab\right)c=a\left(bc\right)\right)\ }$
${\displaystyle \centerdot }$ The commutative law holds ${\displaystyle \left(ab=ba\right)\ }$
${\displaystyle \centerdot }$ There is an identity element ${\displaystyle \left(I\cdot a=a\right)\ }$
${\displaystyle \centerdot }$ Any nonzero element has an inverse ${\displaystyle \left(a\cdot a^{-1}=1\right)\ }$


A subscript following the symbol for the field represents the set of integers modulo ${\displaystyle n\ }$, and these integers run from ${\displaystyle 0\ }$ to ${\displaystyle n-1\ }$ as represented by the example below

${\displaystyle \mathbb {Z} _{12}=\{0,1,2,3,4,5,6,7,8,9,10,11\}\ }$

The multiplicative order of ${\displaystyle \mathbb {Z} _{n}}$ is represented ${\displaystyle \mathbb {Z} _{n}^{*}}$ and consists of all elements ${\displaystyle a\in \mathbb {Z} _{n}}$ such that ${\displaystyle \gcd(a,n)=1\ }$. An example for ${\displaystyle \mathbb {Z} _{12}}$ is given below

${\displaystyle \mathbb {Z} _{12}^{*}=\{1,5,7,11\}\ }$

If ${\displaystyle p\ }$ is prime, the set ${\displaystyle \mathbb {Z} _{p}^{*}}$ consists of all integers ${\displaystyle a\ }$ such that ${\displaystyle 1\leq a\leq p\ }$. For example

Composite n Prime p
${\displaystyle \mathbb {Z} _{9}=\{0,1,2,3,4,5,6,7,8\}}$ ${\displaystyle \mathbb {Z} _{11}=\{0,1,2,3,4,5,6,7,8,9,10\}}$
${\displaystyle \mathbb {Z} _{9}^{*}=\{1,2,4,5,7,8\}}$ ${\displaystyle \mathbb {Z} _{11}^{*}=\{1,2,3,4,5,6,7,8,9,10\}}$

### Generators

Every finite field has a generator. A generator ${\displaystyle g\ }$ is capable of generating all of the elements in the set ${\displaystyle \mathbb {Z} _{n}}$ by exponentiating the generator ${\displaystyle g\,{\bmod {\,}}n\ }$. Assuming ${\displaystyle g\ }$ is a generator of ${\displaystyle \mathbb {Z} _{n}^{*}}$, then ${\displaystyle \mathbb {Z} _{n}^{*}}$ contains the elements ${\displaystyle g^{i}\,{\bmod {\,}}n\ }$ for the range ${\displaystyle 0\leq i\leq \phi (n)-1}$. If ${\displaystyle \mathbb {Z} _{n}^{*}}$ has a generator, then ${\displaystyle \mathbb {Z} _{n}}$ is said to be cyclic.

The total number of generators is given by

${\displaystyle \phi \left(\phi \left(n\right)\right)}$

#### Examples

For ${\displaystyle n=p=13\ }$ (Prime)

${\displaystyle \mathbb {Z} _{13}=\{0,1,2,3,4,5,6,7,8,9,10,11,12\}}$
${\displaystyle \mathbb {Z} _{13}^{*}=\{1,2,3,4,5,6,7,8,9,10,11,12\}}$

Total number of generators ${\displaystyle \phi \left(\phi \left(13\right)\right)=\phi \left(12\right)=4}$ generators

Let ${\displaystyle g=2\ }$, then ${\displaystyle g=\{2,4,8,3,6,12,11,9,5,10,7,1\}\ }$, ${\displaystyle g=2\ }$ is a generator

Since ${\displaystyle 2\ }$ is a generator, check if ${\displaystyle \gcd(i,p-1)=1\ }$
${\displaystyle 2^{2}=4\ }$, and ${\displaystyle i=2\ }$, ${\displaystyle \gcd \left(2,12\right)=2\neq 1\ }$, therefore, ${\displaystyle 4\ }$ is not a generator
${\displaystyle 2^{3}=8\ }$, and ${\displaystyle i=3\ }$, ${\displaystyle \gcd \left(3,12\right)=3\neq 1\ }$, therefore, ${\displaystyle 4\ }$ is not a generator

Let ${\displaystyle g=6\ }$, then ${\displaystyle g=\{6,10,8,9,2,12,7,3,5,4,11,1\}\ }$, ${\displaystyle g=6\ }$ is a generator
Let ${\displaystyle g=7\ }$, then ${\displaystyle g=\{7,10,5,9,11,12,6,3,8,4,2,1\}\ }$, ${\displaystyle g=7\ }$ is a generator
Let ${\displaystyle g=11\ }$, then ${\displaystyle g=\{11,4,5,3,7,12,2,9,8,10,6,1\}\ }$, ${\displaystyle g=11\ }$ is a generator

There are a total of ${\displaystyle 4\ }$ generators, ${\displaystyle \left(2,6,7,11\right)}$ as predicted by the formula ${\displaystyle \phi \left(\phi \left(n\right)\right).}$

For ${\displaystyle n=10\ }$ (Composite)

${\displaystyle \mathbb {Z} _{9}=\{0,1,2,3,4,5,6,7,8,9\}\ }$
${\displaystyle \mathbb {Z} _{9}^{*}=\{1,3,7,9\}\ }$

Total number of generators ${\displaystyle \phi \left(\phi \left(10\right)\right)=\phi \left(4\right)=2\ }$ generators

Let ${\displaystyle g=3\ }$, then ${\displaystyle g=\{3,9,7,1,3,9,7,1,3\}\ }$, ${\displaystyle g=3\ }$ is a generator
Let ${\displaystyle g=7\ }$, then ${\displaystyle g=\{7,9,3,1,7,9,3,1,7\}\ }$, ${\displaystyle g=7\ }$ is a generator

There are a total of ${\displaystyle 2\ }$ generators ${\displaystyle \left(3,7,\right)\ }$ as predicted by the formula ${\displaystyle \phi \left(\phi \left(n\right)\right).}$


## Congruences

### Description

Number theory contains an algebraic system of its own called the theory of congruences. The mathematical notion of congruences was introduced by Karl Friedrich Gauss in Disquisitiones (1801).

### Definition

If ${\displaystyle a\ }$ and ${\displaystyle b\ }$ are two integers, and their difference is evenly divisible by ${\displaystyle m\ }$, this can be written with the notation

${\displaystyle \left(a-b\right)|m\ }$

This is expressed by the notation for a congruence

${\displaystyle a\equiv b\,{\bmod {\,}}m}$

where the divisor ${\displaystyle m\ }$ is called the modulus of congruence. ${\displaystyle a\equiv b\,{\bmod {\,}}m}$ can equivalently be written as

${\displaystyle a-b=mk\ }$

where ${\displaystyle k\ }$ is an integer.

Note in the examples that for all cases in which ${\displaystyle a\equiv 0\,{\bmod {\,}}m}$, it is shown that ${\displaystyle a|m\ }$. with this in mind, note that

${\displaystyle a\equiv 0\,{\bmod {\,}}2}$ Represents that ${\displaystyle a\ }$ is an even number.

${\displaystyle a\equiv 1\,{\bmod {\,}}2}$ Represents that ${\displaystyle a\ }$ is an odd number.

#### Examples

${\displaystyle a\equiv b\,{\bmod {\,}}m}$ ${\displaystyle a-b=mk\ }$
${\displaystyle 14\equiv 5\,{\bmod {\,}}3}$ ${\displaystyle 14-5=3\cdot 3\ }$
${\displaystyle -13\equiv 7\,{\bmod {\,}}4}$ ${\displaystyle (-13)-7=4\cdot (-5)\ }$
${\displaystyle 90\equiv 0\,{\bmod {\,}}18}$ ${\displaystyle 90-0=18\cdot 5\ }$

### Properties of Congruences

All congruences (with fixed ${\displaystyle m\ }$) have the following properties in common

${\displaystyle a\equiv a\,{\bmod {\,}}m}$
${\displaystyle a\equiv b\,{\bmod {\,}}m}$ if and only if ${\displaystyle b\equiv a\,{\bmod {\,}}m}$
If ${\displaystyle a\equiv b\,{\bmod {\,}}m}$ and ${\displaystyle b\equiv c\,{\bmod {\,}}m}$ then ${\displaystyle a\equiv c\,{\bmod {\,}}m}$
${\displaystyle a\equiv b\,{\bmod {\,}}1}$ implies that ${\displaystyle a=b\ }$
Given ${\displaystyle a\equiv a\,{\bmod {\,}}m}$ there exists a unique ${\displaystyle b\ }$ such that ${\displaystyle 0\leq b\leq m-1\ }$

These properties represent an equivalence class, meaning that any integer is congruent modulo ${\displaystyle m\ }$ to one specific integer in the finite field ${\displaystyle \mathbb {Z} _{m}}$.

### Congruences as Remainders

If the modulus of an integer ${\displaystyle m>2\ }$, then for every integer ${\displaystyle a\ }$

${\displaystyle a=mk+r\,\left(r\in \mathbb {Z} _{m}\right)}$

which can be understood to mean ${\displaystyle r\ }$ is the remainder of ${\displaystyle a\ }$ divided by ${\displaystyle m\ }$, or as a congruence

${\displaystyle a\equiv r\,{\bmod {\,}}m}$

Two numbers that are incongruent modulo ${\displaystyle m\ }$ must have different remainders. Therefore, it can be seen that any congruence ${\displaystyle a\equiv b\,{\bmod {\,}}m}$ holds if and only if ${\displaystyle a\ }$ and ${\displaystyle b\ }$ are integers which have the same remainder when divided by ${\displaystyle m\ }$.

#### Example

${\displaystyle 10\equiv 3\,{\bmod {\,}}7}$ is equivalent to
${\displaystyle 10=\left(7\cdot 1\right)+3\ }$ implies
${\displaystyle 3\ }$ is the remainder of ${\displaystyle 10\ }$ divided by ${\displaystyle 7\ }$


### The Algebra of Congruences

Suppose for this section we have two congruences, ${\displaystyle a\equiv b\,{\bmod {\,}}m}$ and ${\displaystyle c\equiv d\,{\bmod {\,}}m}$. These congruences can be added or subtracted in the following manner

${\displaystyle a+c\equiv b+d\,{\bmod {\,}}m}$
${\displaystyle a-c\equiv b-d\,{\bmod {\,}}m}$

If these two congruences are multiplied together, the following congruence is obtained

${\displaystyle ac\equiv bd\,{\bmod {\,}}m}$

or the special case where ${\displaystyle c=d\ }$

${\displaystyle ac\equiv bc\,{\bmod {\,}}m}$

Note: The above does not mean that there exists a division operation for congruences. The only possibility for simplifying the above is if and only if ${\displaystyle c\ }$ and ${\displaystyle m\ }$ are coprime. Mathematically, this is represented as

${\displaystyle ac\equiv bc\,{\bmod {\,}}m}$ implies that ${\displaystyle a\equiv b\,{\bmod {\,}}m}$ if and only if ${\displaystyle \gcd \left(c,m\right)=1}$

The set of equivalence classes defined above form a commutative ring, meaning the residue classes can be added, subtracted and multiplied, and that the operations are associative, commutative and have additive inverses.

### Reducing Modulo m

Often, it is necessary to perform an operation on a congruence ${\displaystyle a\equiv b\,{\bmod {\,}}m}$ where ${\displaystyle b>m\ }$, when what is desired is a new integer ${\displaystyle d\ }$ such that ${\displaystyle 0\leq d\leq m-1\ }$ with the resultant ${\displaystyle d\ }$ being the least nonnegative residue modulo m of the congruence. Reducing a congruence modulo ${\displaystyle m\ }$ is based on the properties of congruences and is often required during exponentiation of a congruence.

#### Algorithm

Input: Integers ${\displaystyle b\ }$ and ${\displaystyle m\ }$ from ${\displaystyle a\equiv b\,{\bmod {\,}}m}$ with ${\displaystyle b>m\ }$
Output: Integer ${\displaystyle d\ }$ such that ${\displaystyle 0\leq d\leq m-1\ }$

1. Let ${\displaystyle q=\left\lfloor {\tfrac {b}{m}}\right\rfloor }$
2.     ${\displaystyle c=qm\ }$
3.     ${\displaystyle d=b-c\ }$
4. Output ${\displaystyle d\ }$


#### Example

Given ${\displaystyle 289\equiv 49\,{\bmod {\,}}5}$

${\displaystyle 9=\left\lfloor {\tfrac {49}{5}}\right\rfloor }$
${\displaystyle 45=9\cdot 5\ }$
${\displaystyle 4=49-45\ }$

∴ ${\displaystyle 289\equiv 49\equiv 4\,{\bmod {\,}}5}$


Note that ${\displaystyle 4\ }$ is the least nonnegative residue modulo ${\displaystyle 5\ }$

### Exponentiation

Assume you begin with ${\displaystyle a\equiv b\,{\bmod {\,}}m}$. Upon multiplying this congruence by itself the result is ${\displaystyle a^{2}\equiv b^{2}\,{\bmod {\,}}m}$. Generalizing this result and assuming ${\displaystyle n\ }$ is a positive integer

${\displaystyle a^{n}\equiv b^{n}\,{\bmod {\,}}m}$

#### Example

${\displaystyle 9\equiv 4\,{\bmod {\,}}13}$
${\displaystyle 81\equiv 16\,{\bmod {\,}}13}$
${\displaystyle 729\equiv 64\,{\bmod {\,}}13}$

This simplifies to

${\displaystyle 81\equiv 16\,{\bmod {\,}}13}$ implies ${\displaystyle 16\equiv 3\,{\bmod {\,}}13}$
${\displaystyle 729\equiv 64\,{\bmod {\,}}13}$ implies ${\displaystyle 256\equiv 9\,{\bmod {\,}}13}$


### Repeated Squaring Method

Sometimes it is useful to know the least nonnegative residue modulo ${\displaystyle m\ }$ of a number which has been exponentiated as ${\displaystyle a^{2}\equiv \,{\bmod {\,}}m}$. In order to find this number, we may use the repeated squaring method which works as follows:

1. Begin with ${\displaystyle a\equiv \,{\bmod {\,}}m}$
2. Square ${\displaystyle a\ }$ and ${\displaystyle b\ }$ so that ${\displaystyle a^{2}\equiv b^{2}\,{\bmod {\,}}m}$
3. Reduce ${\displaystyle b\ }$ modulo ${\displaystyle m\ }$ to obtain ${\displaystyle a^{\equiv }b_{1}\,{\bmod {\,}}m}$
4. Continue with steps 2 and 3 until ${\displaystyle a^{2^{n}}\equiv b_{n}\,{\bmod {\,}}m}$ is obtained.
Note that ${\displaystyle n\ }$ is the integer where ${\displaystyle 2^{n+1}\ }$ would be just larger than the exponent desired
5. Add the successive exponents until you arrive at the desired exponent
6. Multiply all ${\displaystyle b_{i}\ }$'s associated with the ${\displaystyle a\ }$'s of the selected powers
7. Reduce the resulting ${\displaystyle b\,{\bmod {\,}}m}$ for the desired result


#### Example

To find ${\displaystyle 6^{149}{\bmod {\,}}11}$:

${\displaystyle 6\equiv 6\,{\bmod {\,}}11}$
${\displaystyle 6^{2}=36\equiv 3\,{\bmod {\,}}11}$
${\displaystyle 6^{4}\equiv 9\,{\bmod {\,}}11}$
${\displaystyle 6^{8}\equiv 81\equiv 4\,{\bmod {\,}}11}$
${\displaystyle 6^{16}\equiv 16\equiv 5\,{\bmod {\,}}11}$
${\displaystyle 6^{32}\equiv 25\equiv 3\,{\bmod {\,}}11}$
${\displaystyle 6^{64}\equiv 9\,{\bmod {\,}}11}$
${\displaystyle 6^{128}\equiv 81\equiv 4\,{\bmod {\,}}11}$

${\displaystyle 128+16+4+1\ }$

Multiplying least nonnegative residues associated with these exponents:

${\displaystyle 4\cdot 5\cdot 9\cdot 6=1080\ }$
${\displaystyle 1080\,{\bmod {\,}}11=2}$

Therefore:

${\displaystyle 6^{149}\equiv 2\,{\bmod {\,}}11}$


### Inverse of a Congruence

#### Description

While finding the correct symmetric or asymmetric keys is required to encrypt a plaintext message, calculating the inverse of these keys is essential to successfully decrypt the resultant ciphertext. This can be seen in cryptosystems Ranging from a simple affine transformation

${\displaystyle C\equiv aP+b\,{\bmod {\,}}N}$

Where

${\displaystyle P\equiv a^{-1}C+b^{-1}\,{\bmod {\,}}N}$

To RSA public key encryption, where one of the deciphering (private) keys is

${\displaystyle d_{A}=e_{A}^{-1}\,{\bmod {\,}}\phi \left(n_{A}\right)}$

#### Definition

For the elements ${\displaystyle a\in \mathbb {Z} _{m}}$ where ${\displaystyle \gcd \left(a,m\right)=1}$, there exists ${\displaystyle b\in \mathbb {Z} _{m}}$ such that ${\displaystyle ab\equiv 1\,{\bmod {\,}}m}$. Thus, ${\displaystyle b\ }$ is said to be the inverse of ${\displaystyle a\ }$, denoted ${\displaystyle a^{-n}\,{\bmod {\,}}m}$ where ${\displaystyle n\ }$ is the ${\displaystyle n^{th}\ }$ power of the integer ${\displaystyle b\ }$ for which ${\displaystyle ab\equiv 1\,{\bmod {\,}}m}$.

##### Example
Find ${\displaystyle 633^{-1}\,{\bmod {\,}}2801}$

This is equivalent to saying ${\displaystyle 633b\equiv 1\,{\bmod {\,}}2801}$

First use the Euclidean algorithm to verify ${\displaystyle \gcd \left(633,2801\right)=1\ }$.
Next use the Extended Euclidean algorithm to discover the value of ${\displaystyle b\ }$.
In this case, the value is ${\displaystyle 177\ }$.

Therefore, ${\displaystyle 633^{-1}\,{\bmod {\,}}2801=177}$

It is easily verified that ${\displaystyle \left(633\right)\left(177\right)\equiv 1\,{\bmod {\,}}2801}$


### Fermat's Little Theorem

#### Definition

Where ${\displaystyle p\ }$ is defined as prime, any integer will satisfy the following relation:

${\displaystyle a^{p}\equiv a\,{\bmod {\,}}p}$

#### Example

When ${\displaystyle a=2\ }$ and ${\displaystyle p=19\ }$

${\displaystyle 2^{2}\equiv 23\,{\bmod {\,}}19}$
${\displaystyle 2^{4}\equiv 529\equiv 16\,{\bmod {\,}}19}$
${\displaystyle 2^{8}\equiv 256\equiv 9\,{\bmod {\,}}19}$
${\displaystyle 2^{16}\equiv 81\equiv 5\,{\bmod {\,}}19}$
${\displaystyle 16+2+1=19\ }$ implies that ${\displaystyle 5\cdot 23\cdot 2=230\equiv 2\,{\bmod {\,}}19}$

#### Conditions and Corollaries

An additional condition states that if ${\displaystyle a\ }$ is not divisible by ${\displaystyle p\ }$, the following equation holds

${\displaystyle a^{p-1}\equiv 1\,{\bmod {\,}}p}$

Fermat's Little Theorem also has a corollary, which states that if ${\displaystyle a\ }$ is not divisible by ${\displaystyle p\ }$ and ${\displaystyle n\equiv m\,{\bmod {\,}}\left(p-1\right)}$ then

${\displaystyle a^{n}\equiv a^{m}\,{\bmod {\,}}p}$

#### Euler's Generalization

If ${\displaystyle \gcd \left(a,m\right)=1\ }$, then ${\displaystyle a^{\phi \left(m\right)}\equiv 1\,{\bmod {\,}}m}$

### Chinese Remainder Theorem

If one wants to solve a system of congruences with different moduli, it is possible to do so as follows:

${\displaystyle x\equiv a_{1}\,{\bmod {\,}}m_{1}}$
${\displaystyle x\equiv a_{2}\,{\bmod {\,}}m_{2}}$
${\displaystyle \cdots }$
${\displaystyle x\equiv a_{k}\,{\bmod {\,}}m_{k}}$

A simultaneous solution ${\displaystyle x\ }$ exists if and only if ${\displaystyle \gcd \left(m_{i},m_{j}\right)=1}$ with ${\displaystyle \left(i\neq j\right)\ }$, and any two solutions are congruent to one another modulo ${\displaystyle M=m_{1}m_{2}\ldots m_{k}\ }$.

The steps for finding the simultaneous solution using the Chinese Remainder theorem are as follows:

1. Compute ${\displaystyle M\ }$
2. Compute ${\displaystyle M_{i}=M/m_{i}\ }$ for each of the different ${\displaystyle i\ }$'s
3. Find the inverse ${\displaystyle N\ }$ of ${\displaystyle M_{i}\,{\bmod {\,}}m_{i}}$ for each ${\displaystyle i\ }$ using the Extended Euclidean algorithm
4. Multiply out ${\displaystyle a_{i}M_{i}N_{i}\ }$ for each ${\displaystyle i\ }$
5. Sum all ${\displaystyle a_{i}M_{i}N_{i}\ }$
6. Compute ${\displaystyle \sum _{i=1}^{k}a_{i}M_{i}N_{i}\,{\bmod {\,}}M}$ to obtain the least nonnegative residue

#### Example

Given:

${\displaystyle x\equiv 1\,{\bmod {\,}}11}$
${\displaystyle x\equiv 2\,{\bmod {\,}}7}$
${\displaystyle x\equiv 3\,{\bmod {\,}}5}$
${\displaystyle x\equiv 4\,{\bmod {\,}}9}$

${\displaystyle M=3465\ }$

${\displaystyle M_{11}=315\ }$
${\displaystyle M_{7}=495\ }$
${\displaystyle M_{5}=693\ }$
${\displaystyle M_{9}=385\ }$

Using the Extended Euclidean algorithm:

${\displaystyle 315N\equiv 1\,{\bmod {\,}}11\,\,\,N=-3}$
${\displaystyle 315N\equiv 1\,{\bmod {\,}}7\,\,\,N=3}$
${\displaystyle 315N\equiv 1\,{\bmod {\,}}5\,\,\,N=2}$
${\displaystyle 315N\equiv 1\,{\bmod {\,}}9\,\,\,N=4}$

${\displaystyle \sum _{i=1}^{4}={\begin{cases}1\cdot 315\cdot \left(-3\right)=-945\\2\cdot 495\cdot 3=2970\\3\cdot 639\cdot 2=4158\\4\cdot 385\cdot 4=6160\end{cases}}}$

${\displaystyle \sum =12343}$

${\displaystyle x=12343\,{\bmod {\,}}3465=1948}$


If ${\displaystyle p\ }$ is prime and ${\displaystyle >2\ }$, examining the nonzero elements of ${\displaystyle \mathbb {Z} _{p}=\{1,2,\ldots ,p-1\}}$, it is sometimes important to know which of these are squares. If for some ${\displaystyle a\in \mathbb {Z} _{p}^{*}}$, there exists a square such that ${\displaystyle b^{2}=a\ }$. Then all squares for ${\displaystyle \mathbb {Z} _{p}^{*}}$ can be calculated by ${\displaystyle b^{2}\,{\bmod {\,}}p}$ where ${\displaystyle b=1,2,\ldots ,\left(p-1\right)/2\ }$. ${\displaystyle a\in \mathbb {Z} _{n}^{*}}$ is a quadratic residue modulo ${\displaystyle n\ }$ if there exists an ${\displaystyle x\in \mathbb {Z} _{n}^{*}}$ such that ${\displaystyle a\equiv x^{2}\,{\bmod {\,}}n}$. If no such ${\displaystyle x\ }$ exists, then ${\displaystyle a\ }$ is a quadratic non-residue modulo ${\displaystyle n\ }$. ${\displaystyle a\ }$is a quadratic residue modulo a prime ${\displaystyle p\ }$ if and only if ${\displaystyle a^{\tfrac {p-1}{2}}\,\mod \,p=1}$.

### Example

For the finite field ${\displaystyle \mathbb {Z} _{19}}$, to find the squares ${\displaystyle \mathbb {Z} _{19}=\{1,2,\ldots ,9\},}$, proceed as follows:

${\displaystyle {\begin{matrix}1^{2}=1&2^{2}=4&3^{2}=9\\4^{2}=16&5^{2}=6&6^{2}=2\\7^{2}=11&8^{2}=7&9^{2}=5\end{matrix}}}$



The values above are quadratic residues. The remaining (in this example) 9 values are known as quadratic nonresidues. the complete listing is given below.

${\displaystyle p=19\ }$
Quadratic residues: ${\displaystyle 1,2,4,5,6,7,9,11,16\ }$
Quadratic nonresidues: ${\displaystyle 3,8,10,12,13,14,15,17,18\ }$


### Legendre Symbol

The Legendre symbol denotes whether or not ${\displaystyle a\ }$ is a quadratic residue modulo the prime ${\displaystyle p\ }$ and is only defined for primes ${\displaystyle p\ }$ and integers ${\displaystyle a\ }$. The Legendre of ${\displaystyle a\ }$ with respect to ${\displaystyle p\ }$ is represented by the symbol ${\displaystyle L\left({\tfrac {a}{p}}\right)}$. Note that this does not mean ${\displaystyle a\ }$ divided by ${\displaystyle p\ }$. ${\displaystyle L\left({\tfrac {a}{p}}\right)}$ has one of three values: ${\displaystyle 0,1,-1\ }$.

${\displaystyle L\left({\tfrac {a}{p}}\right){\begin{cases}0,&{\mbox{if }}p{\mbox{ divides }}a{\mbox{ evenly}}\\1,&{\mbox{if }}a{\mbox{ is a quadratic residue modulo }}p\\-1,&{\mbox{if }}a{\mbox{ is a quadratic nonresidue modulo }}p\end{cases}}}$

### Jacobi Symbol

The Jacobi symbol applies to all odd numbers ${\displaystyle n>3\ }$ where ${\displaystyle n=p_{1}^{e_{1}}p_{2}^{e_{2}}\ldots p_{m}^{e_{m}}\ }$, then:

${\displaystyle J\left({\tfrac {a}{n}}\right)=L\left({\tfrac {a}{p_{1}}}\right)^{e_{1}}L\left({\tfrac {a}{p_{2}}}\right)^{e_{2}}\ldots L\left({\tfrac {a}{p_{m}}}\right)^{e_{m}}}$

If ${\displaystyle n\ }$ is prime, then the Jacobi symbol equals the Legendre symbol (which is the basis for the Solovay-Strassen primality test).

## Primality Testing

### Description

In cryptography, using an algorithm to quickly and efficiently test whether a given number is prime is extremely important to the success of the cryptosystem. Several methods of primality testing exist (Fermat or Solovay-Strassen methods, for example), but the algorithm to be used for discussion in this section will be the Miller-Rabin (or Rabin-Miller) primality test. In its current form, the Miller-Rabin test is an unconditional probabilistic (Monte Carlo) algorithm. It will be shown how to convert Miller-Rabin into a deterministic (Las Vegas) algorithm.

### Pseudoprimes

Remember that if ${\displaystyle p\ }$ is prime and ${\displaystyle gcd\left(b,m\right)=1}$, Fermat's Little Theorem states:

${\displaystyle a^{p-1}\equiv 1\,{\bmod {\,}}p}$

However, there are cases where ${\displaystyle p\ }$ can meet the above conditions and be nonprime. These classes of numbers are known as pseudoprimes.

${\displaystyle m\ }$ is a pseudoprime to the base ${\displaystyle a\ }$, with ${\displaystyle gcd\left(a,m\right)=1}$ if and only if the least positive power of ${\displaystyle a\ }$ that is congruent to ${\displaystyle 1{\bmod {\,}}p}$ evenly divides ${\displaystyle p-1\ }$.

If Fermat's Little Theorem holds for any ${\displaystyle p\ }$ that is an odd composite integer, then ${\displaystyle p\ }$ is referred to as a pseudoprime. This forms the basis of primality testing. By testing different ${\displaystyle a\ }$'s, we can probabilistically become more certain of the primality of the number in question.

The following three conditions apply to odd composite integers:

I. If the least positive power of ${\displaystyle a\ }$ which is congruent to ${\displaystyle 1\,{\bmod {\,}}n}$ and divides ${\displaystyle n-1\ }$ which is the order of ${\displaystyle a\ }$ in ${\displaystyle \mathbb {Z} _{n}^{*}}$, then ${\displaystyle n\ }$ is a pseudoprime.
II. If ${\displaystyle n\ }$ is a pseudoprime to base ${\displaystyle a_{1}\ }$ and ${\displaystyle a_{2}\ }$, then ${\displaystyle n\ }$ is also a pseudoprime to ${\displaystyle a_{1}a_{2}\,{\bmod {\,}}n}$ and ${\displaystyle a_{1}a_{2}^{-1}\,{\bmod {\,}}n}$.
III. If ${\displaystyle n\ }$ fails ${\displaystyle a^{p-1}\equiv 1\,{\bmod {\,}}p}$, for any single base ${\displaystyle a\in \mathbb {Z} _{p}^{*}}$, then ${\displaystyle n\ }$ fails ${\displaystyle a^{p-1}\equiv 1\,{\bmod {\,}}p}$ for at least half the bases ${\displaystyle a\in \mathbb {Z} _{p}^{*}}$.

An odd composite integer for which ${\displaystyle a^{p-1}\equiv 1\,{\bmod {\,}}p}$ holds for every ${\displaystyle a\in \mathbb {Z} _{p}^{*}}$ is known as a Carmichael Number.

## Elliptic Curves

### Description

As I Have Gone Alone in the, and with my treasures Bold, i can keep my secrets where and hint of riches new and old, Begin it where warm waters halt, and take it in the canyon down, not too far, but too far to walk, put in below the home of brown, from there it's no place for the meek, the end is ever drawing neigh, there'll be no paddle up your creek, just heavy loads and water high,

# Computer Security is More Than Encryption

Computer security has three main elements that can easily be remembered using the acronym CIA: Confidentiality, Integrity, Availability.

• Confidentiality is the task of ensuring that only those entities (persons or systems) cleared for access can read information. Cryptography is a key element in ensuring confidentiality.
• Integrity is the task of ensuring that information is correct, and stays that way.
• Availability is the task of ensuring that systems responsible for delivering, storing and processing information are accessible when needed, by those who need them. This includes, for example, protection against denial of service (DoS) attacks.

# Unbroken is Not Necessarily Unbreakable

In cryptography, an unbroken algorithm is not necessarily an unbreakable one. There have been many cryptographic algorithms made and deployed in various situations throughout the world, some dating back from the time of Julius Caesar! More recent algorithms, AES Rijndael for example, are very strong, and have survived close scrutiny for many years and have remained secure. But, many other algorithms such as the Vigniere cipher were once believed to be totally unbreakable, but then all of a sudden, they may as well be written in plaintext. It was once thought that the simple XOR cipher could be the answer to an unbreakable algorithm, but new methods of cryptanalysis were born, and now, it can be cracked within moments.

Today's 'secure' ciphers such as AES and Twofish may be secure now, but in the future, with the advent of faster computers, better techniques and even quantum computing, these ciphers will only last so long.

# Basic Code-Breaking Principles

The study of code-breaking is known as Cryptanalysis. This, along with cryptography, constitutes Cryptology.

This page or section of the Cryptography book is a stub. You can help Wikibooks by expanding it.

# Proportionality of Secrecy

"The more secret information you know, the more successful the concealment of the plaintext."

It is important to realize that any crypto system in its design is an exercise in resource allocation and optimization.

If we were to return to the postal analogy used in the discussion of Asymmetric Ciphers. Suppose Alice has a secret message to send to Bob in the mail. Alice could put the message in her lock box and use Bob's padlock to lock it allowing Bob to open it with his key, as describe earlier. But if it were a really important message or Alice and Bob had a higher expectation of the opponent they wished to thwart (Bob's girlfriend knows where Bob keeps his keys) Alice and Bob might want to resort to a more complicated crypto system. For example Bob could have multiple keys, one he keeps on his key chain, one he keeps in a rented Post Office box and one that is in a box in a Swiss bank vault. Bob might welcome this sort of security for really serious messages but for day to day messages between Bob and Alice Bob will no doubt find a daily flight to Switzerland rather expensive inconvenient. All crypto systems must face a resource trade-off between convenience and security.

This page or section of the Cryptography book is a stub. You can help Wikibooks by expanding it.

# Key Lengths

## Key Length

Key length is directly proportional to security. In modern cryptosystems, key length is measured in bits (i.e., AES uses 256 bit keys), and each bit of a key increases the difficulty of a brute-force attack exponentially. It is important to note that in addition to adding more security, each bit slows down the cryptosystem as well. Because of this, key length -- like all things security -- is a tradeoff. In this case between practicality and security.

Furthermore, different types of cryptosystems require vastly different key lengths to maintain security. For instance, modulo-based public key systems such as Diffie-Hellman and RSA require rather long keys (generally around 1,024 bits), whereas symmetric systems, both block and stream, are able to use shorter keys (generally around 256 bits). Furthermore, elliptic curve public key systems are capable of maintaining security at key lengths similar to those of symmetric systems. While most block ciphers will only use one key length, most public key systems can use any number of key lengths.

As an illustration of relying on different key lengths for the same level of security, modern implementations of public key systems (see GPG and PGP) give the user a choice of keylengths. Usually ranging between 768 and 4,096 bits. These implementations use the public key system (generally either RSA or ElGamal) to encrypt a randomly generated block-cipher key (128 to 256 bits) which was used to encrypt the actual message.

## Entropy

Equal to the importance of key length, is information entropy. Entropy, defined generally as "a measure of the disorder of a system" has a similar meaning in this sense: if all of the bits of a key are not securely generated and equally random (whether truly random or the result of a cryptographically secure PRNG operation), then the system is much more vulnerable to attack. For example, if a 128 bit key only has 64 bits of entropy, then the effective length of the key is 64 bits. This can be seen in the DES algorithm. DES actually has a key length of 64 bits, however 8 bits are used for parity, therefore the effective key length is 56 bits.

## Common Mistakes

The fundamental deficiency in advantages of long block cipher keys when compare it to short cipher keys could be in difficulties to screening physical random entropy in short digits. Perhaps we can't store screening mechanism of randomness in secret, so we can't get randomness of entropy 2^256 without energy, which will be liner to appropriate entropy. For example, typical mistake of random generator implementation is simple addiction of individual digits with probability 0.5. This generator could be easy broken by bruteforce by neighbor bits wave functions. In this point of view, using block ciphers with large amount of digits, for ex. 10^1024 and more have a practical sense. [citation needed]

Other typical mistake is using public key infrastructure to encrypt session keys, because in this key more preferable to use Diffie-Hellman algorithm. Using the Diffie-Hellman algorithm to create session keys gives "forward secrecy".

# Random Quality

"The higher the entropy of a random source, the better the quality of the random data it generates."

Many cryptographic algorithms call for a random source, either in key-generation, or some other primitive. Implementors must be extremely cautious in selecting that random source, or they will open themselves up to attack. For example, the only formally proven encryption technique, the one time pad, requires a completely random and unbiased key-stream that is at least as long as the message itself, and is never reused. There are many implicit complications presented in this requirement, as the only sources of "true randomness" are in the physical world (silicon decay is an example), and are impossible to implement in software. Thus, it is often only feasible to obtain pseudo-randomness. Pseudo-Random Number Generators, or PRNGs, use multiple sources that are thought to be difficult to predict (mouse movement, least significant digits of the computer clock, network statistics, etc.) in order to generate an entropy pool, which is passed through assorted algorithms which attempt to remove any biases, and then used as a seed for a pre-determined static set of numbers. Even with all of the sources of entropy, a determined attacker can usually reduce the effective strength of an implementation by cutting out some of the factors—for instance making educated guesses on the time. PRNGs that are thought to be acceptable for cryptographic purposes are called Cryptographically-Secure Pseudo-Random Number Generators, or CSPRNGs.

## Entropy

In terms of information theory, entropy is defined as the measure of the amount of information expressed in a string of bits. For example a traditional gender classification contains 1-bit of entropy as it can be represented using a 1 for males and a 0 for females. The quality of a random source is determined by just how much entropy it generates, if the entropy is less than the actual number of bits then there is some repetition of information. The more information that is repeated, or the shorter the period of some PRNG, the lower the entropy and the weaker and more predictable the source of randomness. Therefore in cryptography one seeks to get as close to perfect randomness as possible with the resources available - where a perfect random number generator creates a sequence of bits which are unpredictable no matter how large a sample of previously generated bits is obtained.

# Statistical Weaknesses

## Letter Frequency

Whenever you consider any available language, it gives information about the frequency of letters that occur most frequently in it. The same matter is more enough for cryptanalysis (process of discovering ciphertexts) which is more beneficial when encryption is performed using the Conventional Classical Encryption Techniques.

This gives statistical information of data that cryptanalysts can use in order to decrypt the encrypted data, provided the language in which data is present is known.

# Faults

The strength of your encryption method is based not only on your encryption method, but also on your ability to use it effectively. A perfect encryption method which is finicky to use and hard to get right is not likely to be useful in building a high quality security system.

For example, the One-Time Pad cypher is the only known provably unbreakable algorithm (in the very strong sense of a more effective than brute force search attack being impossible), but this proof applies ONLY if the key used is completely randomly chosen (there is currently no known method for making such a choice[citation needed] nor is there any known method for demonstrating that any particular choice is random), if the key is a long as the plaintext, if the key is never reused, and if the key never becomes known to the enemy. These conditions are so difficult to ensure that the One-Time Pad is almost never used in actual practice, whatever its theoretical advantages.

Any use of the One-Time Pad violating those assumed requirements is insecure, sometimes trivially so. For instance, statistical analysis techniques may be immediately applicable, under certain kinds of misuse.

This page or section of the Cryptography book is a stub. You can help Wikibooks by expanding it.

# No Peer Reviews

"The more people who can examine a cipher, the more likely a flaw will be found. No peer review (a closed algorithm) can result in weak ciphers."

This page or section of the Cryptography book is a stub. You can help Wikibooks by expanding it.

# Social Engineering and Coercion

In encryption, the weakest link is almost always a person.

While you could spend many hours attempting to decipher an encrypted message, or intercept a password, you can easily trick a person into telling you this information.

Suppose Bob works for a large company and encrypts document E with key K. Suppose Eve, wishing to decrypt document E, calls Bob and pretends to work for the company's information security department. Eve would pretend a problem existed with the computers, servers, etc. and ask Bob for his key, K, which she would use to decrypt E. This is an example of social engineering.

Randall Munroe in an xkcd comic once presented a scenerio in which bad guys find it more convenient to hit Bob with a \$5 wrench until he gives up his key rather than attempt to break the crypto system.

# Brute force attack

A brute force attack against a cipher consists of breaking a cipher by trying all possible keys. Statistically, if the keys were originally chosen randomly, the plaintext will become available after about half of the possible keys are tried. As we discuss in Basic Design Principles, the underlying assumption is, of course, that the cipher is known. Since A. Kerckhoffs first published it, a fundamental maxim of cryptography has been that security must reside only in the key. As Claude E. Shannon said a few decades later, 'the enemy knows the system'. In practice, it has been excellent advice.

As of the year 2002, symmetric ciphers with keys 64 bits or fewer are vulnerable to brute force attacks. DES, a well respected symmetric algorithm which uses 56-bit keys, was broken by an EFF project in the late 1990s. They even wrote a book about their exploit—Cracking DES, O'Reilly and Assoc. The EFF is a non-profit cyberspace civil rights group; many people feel that well-funded organisations like the NSA can successfully attack a symmetric key cipher with a 64-bit key using brute force. This is surely true, as it has been done publicly.[citation needed] Many observers suggest a minimum key length for symmetric key algorithms of 128 bits, and even then it is important to select a secure algorithm. For instance, many algorithms can be reduced in effective keylength until it is computationally feasible to launch a brute force attack. AES is recommended for use until at least 2030.

The situation with regard to asymmetric algorithms is much more complicated and depends on the individual algorithm. Thus the currently breakable key length for the RSA algorithm is at least 768 bits (broken publicly since 2009), but for most elliptic curve asymmetric algorithms, the largest currently breakable key length is believed to be rather shorter, perhaps as little as 128 bits or so. A message encrypted with a 109 bit key by an elliptic curve encryption algorithm was publicly broken by brute force key search in early 2003.

As of 2015, a minimum key length of 224 bits is recommended for elliptic curve algorithms, and 2048 bits for such other asymmetric key algorithms as RSA (asymmetric key algorithms that rely on complex mathematical problems for their security always will need much larger keyspaces as there are short-cuts to cracking them, as opposed to direct brute-force).[1]

## Common Brute Force Attacks

The term "brute force attacks" is really an umbrella term for all attacks that exhaustively search through all possible (or likely) combinations, or any derivative thereof.

### Dictionary Attack

A dictionary attack is a common password cracking technique, relying largely on the weak passwords selected by average computer users. For instance, if an attacker had somehow accessed the hashed password files through various malicious database manipulations and educated searching on an online store, he would then write a program to hash one at a time all words in a dictionary (of, for example any or all languages and common derivative passwords), and compare these hashes to the real password hashes he had obtained. If the hashes match, he has obtained a password.

#### Pre-Computation Dictionary Attack

The simple dictionary attack method quickly becomes far too time-consuming with any large number of password hashes, such as an online database would yield. Thus, attackers developed the method of pre-computation. In this attack, the attacker has already hashed his entire suite of dictionaries, and all he need do is compare the hashes. Additionally, his task is made easier by the fact that many users will select the same passwords. To prevent this attack, a database administrator must attach unique 32-bit salts to the users passwords before hashing, thus rendering precompution useless.

The Breaking Hash Algorithms chapter of this books goes into more detail on attacks that specifically apply to hashed password files.

## Responses to Brute Force Attacks

There are a number of ways to mitigate brute force attacks. For example:

• Changing a key frequently in response to an attempt to try all possible keys would require an attacker to start over assuming he knew the key was changed or finish attempting all possible keys before starting the attack again from the beginning.
• A system could rely on a time out or lock out of the system after so many attempts at guessing the key. Systems that time out can simply block further access, lock a user account, contact the account owner, or even destroy the clear text information.
• 2 step verification is a method of requiring a second key to enter the system. This complicates a brute force attack since the attacker must not only guess one key but then guess a second possibly equally complex key. The most common implementation of this is to ask for further authentication "What's your first dogs name?". There is a new trend on the horizon for systems to utilize two step verification through a time based key that is emailed or texted and having access to an account or particular electronic device serves as a secondary key.

The Secure Passwords chapter of this book goes into more detail on mitigations and other responses that specifically apply to hashed password files.

# Frequency analysis

In the field of cryptanalysis, frequency analysis is a methodology for "breaking" simple substitution ciphers, not just the Caesar cipher but all monoalphabetic substitution ciphers. These ciphers replace one letter of the plaintext with another to produce the cyphertext, and any particular letter in the plaintext will always, in the simplest and most easily breakable of these cyphers, turn into the same letter in the cypher. For instance, all E's will turn into X's.

Graph of the relative frequency of letters in the English language

Frequency analysis is based on the fact that certain letters, and combinations of letters, appear with characteristic frequency in essentially all texts in a particular language. For instance, in the English language E is very common, while X is not. Likewise, ST, NG, TH, and QU are common combinations, while XT, NZ, and QJ are exceedingly uncommon, or "impossible". Given our example of all E's turning into X's, a cyphertext message containing lots of X's already seems to suggest one pair in the substitution mapping.

In practice the use of frequency analysis consists of first counting the frequency of cypher text letters and then assigning "guessed" plaintext letters to them. Many letters will occur with roughly the same frequency, so a cypher with X's may indeed map X onto R, but could also map X onto G or M. But some letters in every language using letters will occur more frequently; if there are more X's in the cyphertext than anything else, it's a good guess for English plaintext that X stands for E. But T and A are also very common in English text, so X might be either of them. It's very unlikely to be a Z or Q which aren't common in English. Thus the cryptanalyst may need to try several combinations of mappings between cyphertext and plaintext letters. Once the common letters are 'solved', the technique typically moves on to pairs and other patterns. These often have the advantage of linking less commonly used letters in many cases, filling in the gaps in the candidate mapping table being built. For instance, Q and U nearly always travel together in that order in English, but Q is rare.

Frequency analysis is extremely effective against the simpler substitution cyphers and will break astonishingly short ciphertexts with ease. This fact was the basis of Edgar Allan Poe's claim, in his famous newspaper cryptanalysis demonstrations in the middle 1800's, that no cypher devised by man could defeat him. Poe was overconfident in his proclamation, however, for polyalphabetic substitution cyphers (invented by Alberti around 1467) defy simple frequency analysis attacks. The electro-mechanical cypher machines of the first half of the 20th century (e.g., the Hebern? machine, the Enigma, the Japanese Purple machine, the SIGABA, the Typex, ...) were, if properly used, essentially immune to straightforward frequency analysis attack, being fundamentally polyalphabetic cyphers. They were broken using other attacks.

Frequency analysis was first discovered in the Arab world, and is known to have been in use by about 1000 CE. It is thought that close textual study of the Koran first brought to light that Arabic has a characteristic letter frequency which can be used in cryptoanalysis. Its use spread, and was so widely used by European states by the Renaissance that several schemes were invented by cryptographers to defeat it. These included use of several alternatives to the most common letters in otherwise monoalphabetic substitution cyphers (i.e., for English, both X and Y cyphertext might mean plaintext E), use of several alphabets—chosen in assorted, more or less, devious ways (Leon Alberti seems to have been the first to propose this), culminating in such schemes as using only pairs or triplets of plaintext letters as the 'mapping index' to cyphertext letters (e.g., the Playfair cipher invented by Charles Wheatstone in the mid 1800s). The disadvantage of all these attempts to defeat frequency counting attacks is that it increases complication of both encyphering and decyphering, leading to mistakes. Famously, a British Foreign Secretary is said to have rejected the Playfair cipher because, even if school boys could learn it as Wheatstone and Playfair had shown, 'our attaches could never learn it!'.

Frequency analysis requires a basic understanding of the language of the plaintext, as well as tenacity, some problem solving skills, and considerable tolerance for extensive letter bookkeeping. Neat handwriting also helps. During WWII, both the British and Americans recruited codebreakers by placing crossword puzzles in major newspapers and running contests for who could solve them the fastest. Several of the cyphers used by the Axis were breakable using frequency analysis (e.g., the 'consular' cyphers used by the Japanese). Mechanical methods of letter counting and statistical analysis (generally IBM card machinery) were first used in WWII. Today, the hard work of letter counting and analysis has been replaced by the tireless speed of the computer, which can carry out this analysis in seconds. No mere substitution cypher can be thought credibly safe in modern times.

The frequency analysis method is neither necessary nor sufficient to solve ciphers. Historically, cryptanalysts solved substitution ciphers using a variety of other analysis methods long before and after the frequency analysis method became well known. Some people even question why the frequency analysis method was considered useful for such a long time.[2] However, modern cyphers are not simple substitution cyphers in any guise. They are much more complex than WWII cyphers, and are immune to simple frequency analysis, and even to advanced statistical methods. The best of them must be attacked using fundamental mathematical methods not based on the peculiarities of the underlying plaintext language. See Cryptography/Differential cryptanalysis or Cryptography/Linear cryptanalysis as examples of such techniques.

# Index of coincidence

The index of coincidence for a ciphertext is the probability that two letters selected from it are identical. Usually denoted by I, it is a statistical measure of the redundancy of text. The index of coincidence of totally random collection (uniform distribution) of letters is around 0.0385.[1]

## References

This page or section of the Cryptography book is a stub. You can help Wikibooks by expanding it.

# Linear cryptanalysis

In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis.

The discovery is attributed to Mitsuru Matsui, who first applied the technique to the FEAL cipher (Matsui and Yamagishi, 1992). Subsequently, Matsui published an attack on the Data Encryption Standard (DES), eventually leading to the first experimental cryptanalysis of the cipher reported in the open community (Matsui, 1993; 1994). The attack on DES is not generally practical, requiring 243 known plaintexts.

A variety of refinements to the attack have been suggested, including using multiple linear approximations or incorporating non-linear expressions, leading to a generalized partitioning cryptanalysis. Evidence of security against linear cryptanalysis is usually expected of new cipher designs.

## Overview

There are two parts to linear cryptanalysis. The first is to construct linear equations relating plaintext, ciphertext and key bits that have a high bias; that is, whose probabilities of holding (over the space of all possible values of their variables) are as close as possible to 0 or 1. The second is to use these linear equations in conjunction with known plaintext-ciphertext pairs to derive key bits.

### Constructing linear equations

For the purposes of linear cryptanalysis, a linear equation expresses the equality of two expressions which consist of binary variables combined with the exclusive-or (XOR) operation. For example, the following equation, from a hypothetical cipher, states the XOR sum of the first and third plaintext bits (as in a block cipher's block) and the first ciphertext bit is equal to the second bit of the key:

${\displaystyle P_{1}\oplus P_{3}\oplus C_{1}=K_{2}.}$

In an ideal cipher, any linear equation relating plaintext, ciphertext and key bits would hold with probability 1/2. Since the equations dealt with in linear cryptanalysis will vary in probability, they are more accurately referred to as linear approximations.

The procedure for constructing approximations is different for each cipher. In the most basic type of block cipher, a substitution-permutation network, analysis is concentrated primarily on the S-boxes, the only nonlinear part of the cipher (i.e. the operation of an S-box cannot be encoded in a linear equation). For small enough S-boxes, it is possible to enumerate every possible linear equation relating the S-box's input and output bits, calculate their biases and choose the best ones. Linear approximations for S-boxes then must be combined with the cipher's other actions, such as permutation and key mixing, to arrive at linear approximations for the entire cipher. The piling-up lemma is a useful tool for this combination step. There are also techniques for iteratively improving linear approximations (Matsui 1994).

### Deriving key bits

Having obtained a linear approximation of the form:

${\displaystyle P_{i_{1}}\oplus P_{i_{2}}\oplus \cdots \oplus C_{j_{1}}\oplus C_{j_{2}}\oplus \cdots =K_{k_{1}}\oplus K_{k_{2}}\oplus \cdots }$

we can then apply a straightforward algorithm (Matsui's Algorithm 2), using known plaintext-ciphertext pairs, to guess at the values of the key bits involved in the approximation.

For each set of values of the key bits on the right-hand side (referred to as a partial key), count how many times the approximation holds true over all the known plaintext-ciphertext pairs; call this count T. The partial key whose T has the greatest absolute difference from half the number of plaintext-ciphertext pairs is designated as the most likely set of values for those key bits. This is because it is assumed that the correct partial key will cause the approximation to hold with a high bias. The magnitude of the bias is significant here, as opposed to the magnitude of the probability itself.

This procedure can be repeated with other linear approximations, obtaining guesses at values of key bits, until the number of unknown key bits is low enough that they can be attacked with brute force.

## References

• Matsui, M. and Yamagishi, A. "A new method for known plaintext attack of FEAL cipher". Advances in Cryptology - EUROCRYPT 1992.
• Matsui, M. "Linear cryptanalysis method for DES cipher" (PDF). Advances in Cryptology - EUROCRYPT 1993. Archived from the original on 2006-04-10. Retrieved 2007-02-22.
• Matsui, M. "The first experimental cryptanalysis of the data encryption standard". Advances in Cryptology - CRYPTO 1994.

# Differential cryptanalysis

Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in an input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformations, discovering where the cipher exhibits non-random behaviour, and exploiting such properties to recover the secret key.

## History

The discovery of differential cryptanalysis is generally attributed to Eli Biham and Adi Shamir in the late 1980s, who published a number of attacks against various block ciphers and hash functions, including a theoretical weakness in the Data Encryption Standard (DES). It was noted by Bamford in The Puzzle Palace that DES is surprisingly resilient to differential cryptanalysis, in the sense that even small modifications to the algorithm would make it much more susceptible.

In 1994, a member of the original IBM DES team, Don Coppersmith, published a paper stating that differential cryptanalysis was known to IBM as early as 1974, and that defending against differential cryptanalysis had been a design goal.[1] According to author Steven Levy, IBM had discovered differential cryptanalysis on its own, and the NSA was apparently well aware of the technique.[2] IBM kept some secrets, as Coppersmith explains: "After discussions with NSA, it was decided that disclosure of the design considerations would reveal the technique of differential cryptanalysis, a powerful technique that could be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography."[1] Within IBM, differential cryptanalysis was known as the "T-attack"[1], or "Tickle attack".[3]

While DES was designed with resistance to differential cryptanalysis in mind, other contemporary ciphers proved to be vulnerable. An early target for the attack was the FEAL block cipher. The original proposed version with four rounds (FEAL-4) can be broken using only eight chosen plaintexts, and even a 31-round version of FEAL is susceptible to the attack.

## Attack mechanics

Differential cryptanalysis is usually a chosen plaintext attack, meaning that the attacker must be able to obtain encrypted ciphertexts for some set of plaintexts of his choosing. The scheme can successfully cryptanalyze DES with an effort on the order 247 chosen plaintexts. There are, however, extensions that would allow a known plaintext or even a ciphertext-only attack. The basic method uses pairs of plaintext related by a constant difference; difference can be defined in several ways, but the eXclusive OR (XOR) operation is usual. The attacker then computes the differences of the corresponding ciphertexts, hoping to detect statistical patterns in their distribution. The resulting pair of differences is called a differential. Their statistical properties depend upon the nature of the S-boxes used for encryption, so the attacker analyses differentials ${\displaystyle (\Delta _{X},\Delta _{Y})}$, where ${\displaystyle \Delta _{Y}=S(X)\oplus S(X\oplus \Delta _{X})}$ (and ${\displaystyle \oplus }$ denotes exclusive or) for each such S-box ${\displaystyle S}$. In the basic attack, one particular ciphertext difference is expected to be especially frequent; in this way, the cipher can be distinguished from randomness. More sophisticated variations allow the key to be recovered faster than exhaustive search.

In the most basic form of key recovery through differential cryptanalysis, an attacker requests the ciphertexts for a large number of plaintext pairs, then assumes that the differential holds for at least r-1 rounds, where r is the total number of rounds. The attacker then deduces which round keys (for the final round) are possible assuming the difference between the blocks before the final round is fixed. When round keys are short, this can be achieved by simply exhaustively decrypting the ciphertext pairs one round with each possible round key. When one round key has been deemed a potential round key considerably more often than any other key, it is assumed to be the correct round key.

For any particular cipher, the input difference must be carefully selected if the attack is to be successful. An analysis of the algorithm's internals is undertaken; the standard method is to trace a path of highly probable differences through the various stages of encryption, termed a differential characteristic.

Since differential cryptanalysis became public knowledge, it has become a basic concern of cipher designers. New designs are expected to be accompanied by evidence that the algorithm is resistant to this attack, and many, including the Advanced Encryption Standard, have been proven secure against the attack.

## References

1. a b c Coppersmith, Don (May 1994). "The Data Encryption Standard (DES) and its strength against attacks" (PDF). IBM Journal of Research and Development 38 (3): 243.  (subscription required)
2. Levy, Steven (2001). "Crypto: How the Code Rebels Beat the Government — Saving Privacy in the Digital Age. Penguin Books. pp. 55–56. ISBN 0-14-024432-8.
3. Matt Blaze, sci.crypt, 15 August 1996, Re: Reverse engineering and the Clipper chip"
• Eli Biham, Adi Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. ISBN 0-387-97930-1, ISBN 3-540-97930-1.
• Biham, E. and A. Shamir. (1990). Differential Cryptanalysis of DES-like Cryptosystems. Advances in Cryptology — CRYPTO '90. Springer-Verlag. 2–21.
• Eli Biham, Adi Shamir,"Differential Cryptanalysis of the Full 16-Round DES," CS 708, Proceedings of CRYPTO '92, Volume 740 of Lecture Notes in Computer Science, December 1991. (Postscript)
• Eli Biham, slides from "How to Make a Difference: Early History of Differential Cryptanalysis"PDF (850 KB), March 16, 2006, FSE 2006, Graz, Austria

# Meet In The Middle Attack

An extremely specialized attack, meet in the middle is a known plaintext attack that only affects a specific class of encryption methods - those which achieve increased security by using one or more "rounds" of an otherwise normal symmetrical encryption algorithm. An example of such a compound system is 3DES.

However, to explain this attack let us begin with a simpler system defined as follows: Two cryptographic systems denoted ${\displaystyle encrypt_{\alpha }}$ and ${\displaystyle encrypt_{\beta }}$ (with inverse functions ${\displaystyle decrypt_{\alpha }}$ and ${\displaystyle decrypt_{\beta }}$ respectively) are combined simply (by applying one then the other) to give a composite cryptosystem. each accepts a 64 bit key (for values from 0 to 18446744073709551615) which we can call ${\displaystyle key_{\alpha }}$ or ${\displaystyle key_{\beta }}$ as appropriate.

So for a given plaintext, we can calculate a cryptotext as

${\displaystyle cryptotext=encrypt_{\beta }(key_{\beta },encrypt_{\alpha }(key_{\alpha },plaintext))}$

and correspondingly

${\displaystyle plaintext=decrypt_{\alpha }(key_{\alpha },decrypt_{\beta }(key_{\beta },cryptotext))}$

Now, given that each has a 64 bit key, the amount of key needed to encrypt or decrypt is 128 bits, so a simple analysis would assume this is the same as a 128 bit cypher.

However, given sufficient storage, you can reduce the effective key strength of this to a few bits larger than the largest of the two keys employed, as follows.

1. Given a plaintext/cyphertext pair, apply ${\displaystyle encrypt_{\alpha }}$ to the plaintext with each possible key in turn, generating ${\displaystyle 2^{64}}$ intermediate cryptotexts ${\displaystyle cryptotext_{1}}$${\displaystyle \rightarrow }$${\displaystyle cryptotext_{n}}$ where ${\displaystyle n=2^{64}}$
2. Store each of the ${\displaystyle n}$ cryptotexts in a hash table so that each can be referenced by its cryptotext, and give the key used to generate that cryptotext
3. Apply ${\displaystyle decrypt_{\beta }}$ to the ciphertext for each possible key in turn, comparing the intermediate plaintext to the hash table calculated earlier. this gives a pair of keys (one for each of the two algorithms employed, ${\displaystyle \alpha }$ and ${\displaystyle \beta }$)
4. Taking the two keys from stage 3, test each against a second plaintext/cryptotext pair. if this also matches, odds are extremely high you have a valid keypair for the message - not in ${\displaystyle 2^{128}}$ operations, but a "mere" ${\displaystyle 2x2^{64}}$ operations (which nonetheless are significantly longer due to the hash table operations, but not so much as to add more than a couple of extra bits worth of time to the complexity of the task)

The downside to this approach is storage. Assuming you have a 64 bit key, then you will need at least ${\displaystyle 2^{64}}$ units of storage - where each unit is the amount of space used by a single hash record. Even given a minimal implementation (say, 64 bits for the key plus four bits hash collision overhead), if you implemented such a system using 160GB hard drives, you would need close to one billion of them to store the hash table alone.

# Breaking Hash Algorithms

Cryptographic hash functions are one of the more difficult, from a cryptography perspective, things to break.

 To do: How do these apply to hash functions?: Brute Force, Frequency Analysis[citation needed], Social Engineering and Coercion and Birthday Attack.

Cryptographic hash functions are specifically designed to be "one-way": If you have some message, it is easy to go forward to the corresponding hashed value; but if you only have the hashed value, cryptographic hashes are specifically designed to be difficult to calculate the original message that produced that hash value -- or any other message that produces the same hash value.

As we previously mentioned in Hashes, a cryptographically secure hash is designed to have these properties:

• Preimage resistant: Given H it should be hard to find M such that H = hash(M).
• Second preimage resistant: Given an input m1, it should be hard to find another input, m2 (not equal to m1) such that hash(m1) = hash(m2).
• Collision-resistant: it should be hard to find two different messages m1 and m2 such that hash(m1) = hash(m2).

Cryptographers distinguish between three different kinds of attacks on hash functions:

• collision attack: try to find any two different messages m1 and m2 such that hash(m1) = hash(m2).
• preimage attack: Given only the hash value H, try to recover *any* M such that H = hash(M).
• second-preimage attack: Given an input m1, try to find another input, m2 (not equal to m1) such that hash(m1) = hash(m2).
• Some hash functions (MD5, SHA-1, SHA-256, etc.) are vulnerable to a "length extension attack".

 To do: is the length extension attack a special case of one of the above 3 attacks, or is it a distinct 4th type?

(Alas, different cryptographers use different and sometimes use contradictory terms for these three kinds of attacks. Outside of this book, some cryptographers use "collision" to refer to a successful attack of any of these 3 types, and use the term "free collision" for what this book calls a "successful collision attack", or "bound collision" for either one of a "successful preimage attack" or a "successful second-preimage attack".)[1]

When designing a new system that requires some hash function, most cryptographers recommend using hash fuctions that, as far as we know, are resistant to all these attacks (such as SHA-3, BLAKE, Grøstl, Skein, etc.).

 To do: describe the random oracle hash, aka "the ideal hash function"

The collision attack is the easiest kind of attack, and the most difficult to defend against. Because there are an infinite number of possible files, the pigeonhole principle tells us that there are in theory an infinite number of hash collisions, even for the "ideal" random oracle hash. Cryptographic hashes are designed to make it difficult -- using only resources available in our solar system, practically impossible -- to find *any* of those messages that hash to some given hash value.

Some applications require collision resistance. When a possible attacker generates a message and we want to confirm that the message that person shows Alice is the same as the message that person shows Bob, ensuring message integrity, we need a hash that hash collision resistance.

Many applications do not actually require collision resistance. For example, password hashing requires preimage and second-preimage resistance (and a few other special characteristics), but not collision resistance. For example, de-duplicating file systems, host-proof file systems such as IPFS, digital signatures, etc. only require second-preimage resistance, not preimage or collision resistance, because in those applications it is assumed that the attacker already knows the original message that hashes to the given value. For example, message authentication using HMAC does not require collision resistance and is immune to length extension; so as of 2011 cryptographers find using HMAC-MD5 message authentication in existing applications acceptable, although they recommend that new applications use some alternative such as HMAC-SHA256 or AES-CMAC.[2][3]

The MD5 and SHA-1 hash functions, in applications that do not actually require collision resistance, are still considered adequate.

Many people criticise MD5 and SHA1 for the wrong reasons. [4] There is no known practical or almost-practical preimage attack on MD5 or SHA-1, much less second-preimage attacks, only collision attacks.[5][6]

Such collision attacks include:

• Dobbertin announced a collision of the MD5 compression function in 1996 ...
• As of 2009, finding chosen-prefix collisions in MD5 takes about 30 seconds on a laptop.[3]
• Manuel and Peyrin's SHA-0 attack[7]
• Nat McHugh's MD5 collision attacks[8]

In the next chapters we will discuss

## Notes

1. "The difference between being not strongly collision resistant, and not weakly collision resistant?" http://crypto.stackexchange.com/questions/19159/the-difference-between-being-not-strongly-collision-resistant-and-not-weakly-co quote: "Klaus Schmeh apparently made up the "bound collision" and "free collision" terminology for the book "Cryptography and Public Key Infrastructure on the Internet"."
2. a b Nate Lawson. "Stop using unsafe keyed hashes, use HMAC". 2009.
3. "Is my developer's home-brew password security right or wrong, and why?" quote: "criticized MD5 and SHA1 for the wrong rationale ... There's a subtle difference between pre-image and collision attacks ..."
4. "Why We Need to Move to SHA-2". CA Security Council. 2014-01-30.
5.   quote: "All currently known practical or almost-practical attacks on MD5 and SHA-1 are collision attacks."
6. Stéphane Manuel, Thomas Peyrin. "Collisions on SHA-0 in One Hour" [2] [3] [4]

# Collisions

A hash function is said to collide when two distinct inputs to the hash function yield the same output.

For example, when the following blocks are input into the md5 hash function they both yield the same output.

d131dd02c5e6eec4693d9a0698aff95c
2fcab58712467eab4004583eb8fb7f89
085125e8f7cdc99fd91dbdf280373c5b
d8823e3156348f5bae6dacd436c919c6
dd53e2b487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080a80d1e
c69821bcb6a8839396f9652b6ff72a70

d131dd02c5e6eec4693d9a0698aff95c
2fcab50712467eab4004583eb8fb7f89
085125e8f7cdc99fd91dbd7280373c5b
d8823e3156348f5bae6dacd436c919c6
dd53e23487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080280d1e
c69821bcb6a8839396f965ab6ff72a70


## References

"MD5 Collisions, Visualised". Retrieved 2010-03-11.

# Birthday Attack

The "birthday attack" is a method of creating two hash preimages that when hashed have the same output.

# Breaking transposition ciphers

Earlier, we discussed how Permutation cipher and Transposition ciphers work for people who know the secret key. Next, we'll discuss how, in some cases, it is possible for a person who only has the ciphertext -- who doesn't know the secret key -- to recover the plaintext.

The frequency distribution of the letters in any transposition or permutation ciphertext is the same as the frequency distribution for plaintext.

## breaking columnar transposition ciphers

The frequency distribution of digrams can be used to help break columnar transposition ciphers. [1]

## breaking turning grille ciphers

Turning grilles, also called Fleissner grilles, ...

A guess at some sequence of two or more consecutive holes of the grill in one position of the grill (by a "known word" or an expected common digraph) can be "checked" by seeing if those holes, after the grill is rotated a half-turn, produce reasonable digraph.[2][3]

## References

1. Prof. H. Williams. "Transposition Ciphers". section "Analysis of columnar transposition ciphers". Retrieved 2014-05-01.
2. Helen Fouché Gaines. "Cryptanalysis: A Study of Ciphers and Their Solution". 1956. section "The Turning Grille". p. 29 to 36.

# Breaking Caesar cipher

Breaking the Caesar cipher is trivial as it is vulnerable to most forms of attack. The system is so easily broken that it is often faster to perform a brute force attack to discover if this cipher is in use or not. An easy way for humans to decipher it is to examine the letter frequencies of the cipher text and see where they match those found in the underlying language.

## Frequency analysis

By graphing the frequencies of letters in the ciphertext and those in the original language of the plaintext, a human can spot the value of the key but looking at the displacement of particular features of the graph. For example in the English language the frequencies of the letters Q,R,S,T have a particularly distinctive pattern.

Computers can also do this trivially by means of an auto-correlation function.

## Brute force

As the system only has 25 non-trivial keys it is easy even for a human to cycle through all the possible keys until they find one which allows the ciphertext to be converted into plaintext.

## Known plaintext attack

If you have a message in both ciphertext and in plaintext it is trivial to find the key by calculating the difference between them.

# Breaking Vigenère cipher

Plain text is encrypted using the Vigenère cipher by first choosing a keyword consisting of letters from the alphabet of symbols used in the plain text. The keyword is then used to encrypt the text by way of the following example.

Using: Plain text: I Like A Book and choosing: Keyword: cta

1. Map all the plain text to numbers 0-25 or however long your alphabet is

  ilikewikibooks converts to 8 11 8 10 4 22 8 10 8 1 14 14 10 18


2. Map your keyword to numbers the same way

  cta maps to 2 19 0


  8  11  8  10   4  22  8  10  8  1  14  14  10  18
2  19  0   2  19   0  2  19  0  2  19   0   2  19
resulting in
10 30  8  12  23  22 10 29   8  3  33   14  12  37


4. take each resulting number mod 26 ( or for the general case mod the number of characters in your alphabet)

  resulting in
10 4   8  12  23  22 10 3    8  3  7    14  12   11


5. map each number back to a letter to get the resulting cypher text

  keimxwkdidhoml


The message can easily be decrypted with the keyword by reversing the above process. The keyword can be any length equal to or less than that of the plain text.

Without the keyword the primary method of breaking the Vigenère cipher is known as the Kasiski test, after the Prussian major who first published it. The first stage is determining the length of the keyword.

### Determining the key length

Given an enciphered message such as:

Plaintext:  TOBEORNOTTOBE
Keyword:    KEYKEYKEYKEYK
Ciphertext: DSZOSPXSRDSZO


Upon inspection of the ciphertext, we see that there are a few digraphs repeated, namely DS, SZ, and ZO. It is statistically unlikely that all of these would arise by random chance; the odds are that repeated digraphs in the ciphertext correspond to repetitions in the plaintext. If that is the case, the digraphs must be encoded by the same section of the key both times. Therefore, the length of the key is a factor of the distance in the text between the repetitions.

Digraph First Position Second Position Distance Factors
DS 1 10 9 3
SZ 1 10 9 3
ZO 1 10 3 3

The common factors (indeed, the only factors in this simple example) are 3 and 9. This narrows down the possibilities significantly, and the effect is even more pronounced with longer texts and keys.

### Frequency analysis

Once the length of the key is known, a slightly modified frequency analysis technique can be applied. Suppose the length of the key is known to be three. Then every third letter will be encrypted with the same letter of the key. The ciphertext can be split into three segments - one for each key letter—and the procedure described for the Caesar cipher can be used.