Historical ciphers

Historical ciphers: overview

• General definitions

• Monoalphabetic (simple substitution)

ciphers: each letter of alphabet replaced
by another

– Additive ciphers

– Affine ciphers

– Key phrase ciphers

• Polyalphabetic ciphers: each letter of al-

phabet may be replaced one of many oth-
ers

– Vigenère ciphers

1
 Cryptosystem: definitions

• Symmetric cryptosystem: 5-tuple

(P, C, K, E, D)

– P: Plaintext space

– C: Ciphertext space

– K: key space

– E: set of encryption functions

– D: set of decryption functions

– For every key k ∈ K there is an encryp-

tion function ek ∈ E and a decryption
function dk ∈ D such that dk (ek (x)) = x
for each x ∈ P.

• Encryption functions must be injective.

2
 Cryptosystem: process

• Alice and Bob agree on a key k

– Key k must be kept secret

• To transmit message x securely

– Alice calculates y = ek (x)

– Alice sends y to Bob

– Bob calculates x = dk (y)

3
 Monoalphabetic ciphers

• Also known as simple substitution ciphers.

• Each plaintext letter replaced by another

to give ciphertext

• Convention: plaintext in lowercase, cipher-

text in uppercase.

• Set up correspondence between alphabet

and Z26.

A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12

N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25

4
 Additive ciphers: Caesar
cipher

• Replace letter of alphabet by one three

later:
a → D, b → E, . . ., w → Z, x → A, y → B,
z → C

• caesar becomes FDHVDU

• Mathematical description:

– correspondence between alphabet and

Z26

– a → 0, b → 1, . . ., y → 24, z → 25

– encryption: y = e(x) = x + 3 mod 26

• Caesar Cipher is an example of additive ci-

phers

5
Review: modular arithmetic

• Congruences:

– a≡b (mod m) if m | b − a.

– Integer m is the modulus.

– a mod m denotes remainder of a when

divided by m.

– If we replace a by a mod m then a is

reduced modulo m.

• Arithmetic modulo m:

– Zm defined to be {0, . . . , m − 1} with op-

erations +, ×.

– +, × work like integer + and ×, except

that the results are reduced modulo m.

6
 More modular arithmetic

• Greatest common divisor (gcd) of a, b,

written (a, b) = d:

– d | a and d | b,

– if c | a and c | b then c | d.

• a, b are relatively prime (coprime) if (a, b) =

1.

• Multiplicative inverse of a is a−1:

aa−1 = a−1a = 1 (mod m).

• a has mult. inverse ⇐⇒ (a, m) = 1.

• Theorem: Congruence ax ≡ b (mod m)

has unique solution x ∈ Zm for every b ∈ Zm
if and only if (a, m) = 1.

7
Additive ciphers: definition

• Plaintext, ciphertext and key spaces are

Z26

• For any 0 ≤ k ≤ 25,

– encryption: ek (x) = x + k mod 26

for all x ∈ Z26

– decryption: dk (y) = y − k mod 26

for all y ∈ Z26

8
 Additive ciphers: example

The case k = 3 is the Caesar cipher described

above. However, the term Caesar cipher is
often used to refer to an additive cipher for
any key.

To use the additive cipher with k = 10 we have

Plaintext: c a e s a r
2 0 4 18 0 17
+10 mod 26 12 10 14 2 10 1
Ciphertext: M K O C K B

9
 Additive ciphers: security

• Intercept NKPPAJ WLLHA

• Successively try decryption keys k = 0, k =

1, . . ., k = 25

– nkppaj wllha, olqqbk xmmib, pmrrcl yn-

njc, qnssdm zookd, rotten apple, . . .

– Plaintext is rotten apple and k = 4.

• Plaintext obtained on average after 13 tri-

als.

– Key space of 26 is too small

– Vulnerable to exhaustive key search at-

tack

10
 Affine ciphers: definitions

• Extend additive cipher to affine function :

f (x) = ax + b mod 26, a, b ∈ Z26.

– a must be coprime to 26.

• Plaintext and ciphertext space are Z26

• Key space
K = {(a, b) ∈ Z26 × Z26 | (a, 26) = 1}

– |K| = 12 × 26 = 312

• For any k = (a, b) ∈ K,

– Encryption: ek (x) = ax + b mod 26

– Decryption: dk (y) = a−1(y − b) mod 26

11
 Affine ciphers: example

• Consider k = (7, 3):

– ek (x) = 7x + 3 mod 26

– dk (y) = 7−1(y − 3) = 15y − 19 mod 26

• Plaintext wombat is (22, 14, 12, 1, 0, 19)

– To encrypt:
ek (22) = 7 × 22 + 3 = 1 mod 26 etc

– Ciphertext is (1, 23, 9, 10, 3, 6)

ie BXJKDG.

– To decrypt:
dk (1) = 15 × 1 − 19 = 22 mod 26 etc

12
 Affine ciphers: security

• Vulnerable to known plaintext attack

• Ciphertext IZONBAZGV ZD EBK ONPD

– Third word is bad, so:

a × 1 + b = 4 mod 26
a × 0 + b = 1 mod 26.

– a = 3, b = 1, so k = (3, 1),

e(x) = 3x + 1 mod 26
d(x) = 9(x − 1) mod 26

• Plaintext linearity is bad news

13
 Key phrase ciphers

• Key is a phrase and a letter

• Example:

– Key phrase is “MY LITTLE FINGER”,

letter “d”:

P: a b c d e f g h i j k l m n o ... z
C: M Y L I T E F N G R

• cipher system → ZECTYH JUJKYR

• Key may be any phrase, so large number

of keys

• Exhaustive search impossible

• Secure?

14
 Substitution ciphers:
definition

• P = C = Z26

• K = Sym(26)

– All permutations on 26 objects

– |K| = 26! > 4 × 1026 ≈ 288

• For any key π ∈ K,

eπ (x) = π(x)
dπ (y) = π −1(y)

• Example:

abcdefghijklmnopqrstuvwxyz
QUGRAHCKBTEINJDYFPMWXSLZOV

15
 Substitution ciphers:
weakness

• Weakness: preserves language statistics

– merely interchanges letters

– different letter and groupings occur with

differing frequencies
Probability Letters
0.12 e
0.06–0.09 t a o i n s h r
0.04 d l
0.015–0.023 c u m w f g y p b
< 0.01 v k j x q z

– most popular bigrams: th, he, in, er, an

– popular trigrams: the, ing, and, her, ere

16
 Substitution ciphers:
cryptanalysis

• Ciphertext only attack

– Intercept ciphertext

– Establish single letter frequencies of ci-

phertext

– Guess most frequent ciphertext letters

correspond to most frequent plaintext
letters

– May also use frequencies of bigrams, tri-

grams, for more guesses

• Example ciphertext (Stinson Eg 1.11): 168

characters, full analysis given

17
 Substitution ciphers:
example cryptanlysis
HNZ MZKXZ AG U GHUKYAKE TBWZ
LAHN UIGHFUOAUK FUVVAHG. A UR
XZFHUAK HNUH AG XOZUF AK GQYKZQ.

• Most likely guess for first word is the:

H → t, N → h, Z → e

the *e**e ** * *t****** ****

**th ********** *******. * **
*e*t*** th*t ** **e** ** ****e*.

• 4th word of 2nd sentence is th*t: guess

U → a (also single-letter word in 1st sen-
tence).

• Other single letter word is A: guess A → i

18
 Substitution ciphers:
example cryptanlysis

HNZ MZKXZ AG U GHUKYAKE TBWZ

LAHN UIGHFUOAUK FUVVAHG. A UR
XZFHUAK HNUH AG XOZUF AK GQYKZQ.

the *e**e i* a *ta**i** ****

*ith a****a*ia* *a**i**. i a*
*e*tai* that i* **ea* i* ****e*.

• Analyse other two-letter words AG, UR and

AK: guess G → s, R → m, K → n

• Guess plaintext *ith is probably with: guess

L → w

19
 Substitution ciphers:
example cryptanlysis

HNZ MZKXZ AG U GHUKYAKE TBWZ

LAHN UIGHFUOAUK FUVVAHG. A UR
XZFHUAK HNUH AG XOZUF AK GQYKZQ.

the *en*e is a stan*in* ***e

with a*st*a*ian *a**its. i am
*e*tain that is **ea* in s**ne*.

• Some longer words are almost complete:

– standing, australian and certain.

– Y,E,I,F,O,X are d, g, u, r, l respectively.

20
 Substitution ciphers:
example cryptanlysis

HNZ MZKXZ AG U GHUKYAKE TBWZ

LAHN UIGHFUOAUK FUVVAHG. A UR
XZFHUAK HNUH AG XOZUF AK GQYKZQ.

the *ence is a standing ***e

with australian ra**its. i am
certain that is clear in s**ne*.

• Plaintext can now be completed as

the fence is a standing joke

with australian rabbits. i am
certain that is clear in sydney.

21
 Substitution ciphers:
example cryptanlysis

Key Phrase Cipher: “men at work” and letter

“f”

a b c d e f g h i j k l m
U V X Y Z M E N A T W O R

n o p q r s t u v w x y z
K B C D F G H I J L P Q S

• Did not even use knowledge of key phrase

cipher in cryptanalysis

22
 Polyalphabetic ciphers

• Monoalphabetic ciphers cannot be secure

– preserve language statistics

• Polyalphabetic cipher

– Plaintext letter sent to many ciphertext

letters

– Flattens letter frequency graph

– Key must define unique plaintext

23
Vigenère ciphers: definitions

• Keyword of m letters

• Encrypts m plaintext letters at a time

• P = C = K = (Z26)m

• For a key (keyword) k = (k1, . . . , km),

ek (x1, . . . , xm) = (x1 + k1, . . . , xm + km)
dk (y1, . . . , ym) = (y1 − k1, . . . , ym − km)

• |K| = 26m

• If m = 20, key space has 2620 ≈ 1028 keys,

about 94 bits

• Exhaustive search infeasible

24
 Vigenère ciphers: example

Example: Plaintext meet me at midnight, key-

word “emu”, k = (4, 12, 20)

Plaintext m e e t a t
12 4 4 19 0 19
Keystream 4 12 20 4 12 20
16 16 24 23 12 13
Ciphertext Q Q Y X M N

m i d n i g h t
12 8 3 13 8 6 7 19
4 12 20 4 12 20 4 12
16 20 23 17 20 0 11 5
Q U X R U A L F

25
 Vigenère ciphers: some
insight

• Suppose DCXWR occurs 5 times in text,

say positions 43, 120, 183, 225, 281 in 300
letters

– Unlikely to happen by chance

– Probably same word encrypted “in phase”

– DCXWR occurs at gaps of 77, 63, 42,

56

– Keystream repeats after 77, 63, 42, 56

– Keyword length likely to be 7

26
 Vigenère ciphers:
cryptanalysis

• Determine the length m of the keyword

– Kasiski test

– Index of coincidence

• Determine a shift of the keyword

• Determine the keyword

27
 Vigenère ciphers: Kasiski
test

• More widespread use of previous insight

• Ad hoc technique:

– Find pairs of identical ciphertext strings,

length at least 3

– Record distances d1, d2, . . ., between

such strings

– Keyword length likely to be

gcd(d1, d2, . . .)

28
Vigenère ciphers: index of
coincidence

• More formalised approach to insight

• Definition of index of coincidence Ic(x):

– x = x1x2 . . . xn is a string of n characters

– Ic(x) is the probability that two random

elements of x are identical

• English text: p0, p1, . . . , p25 are frequencies

of letters a, b, . . ., z
25
X
Ic(x) = p2
i ≈ 0.065
i=0

• Random text:
Ic(x) = 26(1/26)2 ≈ 0.038

29
 Vigenère ciphers: index of
coincidence

For a given string x of letters, Ic(x) can be

calculated from the letter frequencies:

• Let f0, f1, . . . , f25 be the letter frequencies

of A, B, . . ., Z in the x

³ ´
• There are n
2 pairs of letters

³ ´
• There are f2i pairs of letter i

• Index of coincidence
P25 ³fi´ P25
i=0 2 i=0 fi(fi − 1)
Ic(x) = ³
n
´ =
n(n − 1)
2

30
Vigenère ciphers: determine
m
n
• Write ciphertext y = y1y2 . . . yn as m × m
array (assuming m divides n)
Row y1 y1 ym+1 . . . y( n −1)m+1
m
Row y2 y2 ym+2 . . . y( n −1)m+2
m
... ... ... ...
Row ym ym y2m . . . y( n −1)m+m
m

• Two letters in the same row yi have been

encrypted using the same additive cipher

– Probability of two positions having iden-

tical letters is 0.065

• Two letters from different rows have been

encrypted using different additive ciphers

– Probability of two positions having iden-

tical letters is 0.038.

31
Vigenère ciphers: determine
m

Count the number of pairs of identical letters:

• Pairs in same row:

– pairs of positions in one row

³n´ µ ¶
m = 1 n n
−1
2 2m m
– pairs of positions in the same row overall
³n´ µ ¶
1 n
m m = n −1
2 2 m

• Pairs in different rows

µ ¶
1 n
n n−
2 m

32
Vigenère ciphers: determine
m

Count expected number of identical pairs two

ways:

• Expected number of identical pairs:

³n´ 1
Ic(y) = n(n − 1)Ic(y)
2 2

• Expected number of identical pairs:

– Same row:
µ ¶
1 n
n − 1 × 0.065
2 m
– Different rows:
µ ¶
1 n
n n− × 0.038
2 m

33
Vigenère ciphers: determine
m
Equation for keyword length m:

µ ¶
1 1 n
n(n − 1)Ic = n − 1 × 0.065
2 2 m
µ ¶
1 n
+ n n− × 0.038
2 m

0.027n
m≈
Ic(n − 1) − 0.038n + 0.065

• Check value for m with Kasiski test etc

• Once m is determined, treat each row y1,

. . ., ym as individual ciphertext encrypted
using additive cipher.

34
Vigenère ciphers: determine
keyword shift
Suppose y1 and y2 were obtained using k1 and
k2

0
• Encrypt y2 using k1 − k2 to get y2

0 are ciphertext obtained us-

• Then y1 and y2
ing k1

0 should have high index of coinci-

– y1 y2
dence

• Try encrypt y2 using all 26 possible k1 − k2

– correct one has highest index of coinci-

dence

• Repeat for other rows

35
Vigenère ciphers: determine
keyword
Suppose keyword shifts are known:

• Key is (k1, k1 + k20 , . . . , k1 + km

0 )

0 are known shifts

• k1 is unknown and k20 . . . , km

• Try all 26 possibilities for k1

If ciphertext is long directly determine key let-

ters:

• yi is a ciphertext using simple substitution

• obtain ki by frequency analysis

See Stinson Eg 1.12 for detailed worked exam-

ple.
36
Summary: lessons from early
ciphers

• Additive cipher:

– must have large key space.

• Affine cipher:

– must not be linear.

• Simple substitution cipher:

– cannot be monoalphabetic (?)

• Vigenère cipher

– polyalphabetic, harder to break

– still vulnerable to ciphexrtext only at-

tacks!

37