CS588: Cryptology – Principles and Applications
Lecture 1: Introduction
David Evans
University of Virginia, Computer Science
Menu
• Course Introduction
– Why you should or shouldn’t take this course
– Course Logistics: details on Syllabus
• Introduction to Cryptology
– Terminology
– A simple substitution cipher
– Brief history of 4000 years of Cryptology
Registration survey on web: due Sunday
20 January 2005 University of Virginia CS 588 2
Resources
• David Evans (call me “Dave” or “Coach”)
evans@[Link]
Office Hours (236A): Tuesday, 2:30-3:30
other times by appointment or open
door
Research: Applications of cryptography,
diversity for security, program analysis
• AC: Matt Spear
CS Lounge: Fridays, 2:30-3:30
• Web: [Link]
Why you should take this course?
Reason #1: Fate of Humanity
Cryptology plays a central role in
human history.
More than anything else, survival of
humanity depends on computer
security.
Why you should take this course?
Reason #2: Intellectual
Cryptology is about making and
solving puzzles.
Purest form of intellectual endeavor.
Why you should take this course?
Reason #3: Be like Tom
Mr. Jefferson would have wanted you to.
Bad reasons to take this class
• You want to write the ultimate
destructive virus.
• You want to break into (UVA’s | the
CIA’s | your bank’s) computer
systems.
How to get an A in CS588
Problem Sets (40-50%)
4-5 throughout term (1st is due 3 Feb)
Project (30-50%)
Teams of 1 – 4
Can involve design/implementation
Can involve survey/analysis
Exams (30-50%)
Midterm, Final
Class Contribution (0-10%)
“Easy ways” to get an A in CS588
• Discover a security flaw important enough to
get reported in the New York Times
• Factor RSA-300 =
2769315567803442139028689061647233092237608363983953254005036722809375824714
9473946190060218756255124317186573105075074546238828817121274630072161346956
4396741836389979086904304472476001839015983033451909174663464663867829125664
459895575157178816900228792711267471958357574416714366499722090015674047
• Break into my grades file (on my home
computer) and change your grade to “Haha”
– Physical attacks on my house, car or office are NOT
eligible! (And NOT encouraged!)
– Don’t try to break into UVA’s grade records:
• Too easy (probably only worth a B, or C- for social
engineering attack)
• Honor code violation
Bonus Points / Demerits
(100 points = 1 problem set)
+(varies) Solving a challenge problem
+50 Posting in RISKS
-100 Send me a virus
-200 Get arrested for computer attack
-1000 Get convicted for computer attack
-100000 I get arrested for something you do
Challenge Problems
• Open until solved or last day of class
• Usually only first satisfactory answer gets
bonus
– Better, later answer might still get bonus
• Solve in groups, each member gets
√n / n * value (e.g., 2 people = √2 / 2 = 0.7)
First challenge problem will be posted on
course web page tomorrow: Jefferson wheel
cryptogram
Honor Code
• If the real world followed the honor
code, cryptography would be
unnecessary
• Read and sign the course pledge before
Tuesday’s class
Decrypting the Honor Code
• Learn from your fellow students – they are
your best resource!
– PS1: discuss with whoever you want, but
destroy all written materials from those
discussions before writing your solutions
• Write down who you discussed assignments
with, all external sources you used
• Don’t use answers from previous courses
• Be honest – you know what cheating is
and isn’t
• Don’t “pledge” your assignments, but let me
know if you plan to cheat
Logistics Questions?
What is cryptology?
• Greek: “krypto” = hide
• Cryptology – science of hiding
= cryptography + cryptanalysis + steganography
• Cryptography – secret writing
• Cryptanalysis – analyzing (breaking) secrets
Cryptanalysis is what attacker does
Decipher or Decryption is what legitimate receiver
does
• Kryptonite – breaking ciphers all night?
Cryptology and Security
Cryptology is a branch of
mathematics.
Security is about people.
This course focuses on the mathematics, but always
keep in mind real security is about the people.
Introductions
[Diagram] Alice: Plaintext → Encrypt → Ciphertext (over Insecure Channel) → Decrypt → Plaintext: Bob
Eve (passive attacker) on the insecure channel
Introductions
[Diagram] Alice: Plaintext → Encrypt → Ciphertext (over Insecure Channel) → Decrypt → Plaintext: Bob
Malice (active attacker) on the insecure channel
Cryptosystem
Ciphertext = A(Plaintext)
Required property: A must be invertible
Plaintext = A′(Ciphertext)
Desired properties:
Without knowing A′ must be “hard” to invert
A and A′ should be easy to compute
Possible to have lots of different A and A′
Possible to reveal A without revealing A′
Kerckhoffs’s Principle
• Cryptography always involves:
– Transformation
– Secret
• Security should depend only on the key
• Don’t assume enemy won’t know algorithm
– Can capture machines, disassemble programs, etc.
– Too expensive to invent new algorithm if it might have
been compromised
• Security through obscurity isn’t
– Look at history of examples
– Better to have scrutiny by open experts
“The enemy knows the system being used.”
Claude Shannon
Symmetric Cryptosystem
C = A(K, M) or { M }_K
M = A′(K, C)
Desired properties:
Kerckhoffs’s Principle: Secrecy depends only on K
Without knowing A′ must be “hard” to invert
A and A′ should be easy to compute
Possible to reveal A without revealing A′
Asymmetric Cryptosystem
C = A(K, M) or { M }_K
M = A′(K′, C)
Desired properties:
Kerckhoffs’s Principle: Secrecy depends only on K
Without knowing A′ must be “hard” to invert
A and A′ should be easy to compute
Possible to reveal A without revealing A′
Simple Substitution Cipher
• C = E_K(p)
C_i = K[p_i]
• Key is alphabet mapping:
a → J, b → L, ...
• Suppose attacker knows algorithm but
not key, how many keys to try? 26!
If every person on earth tried one per second,
it would take 5B years.
Monoalphabetic Cipher
“XBW HGQW XS ACFPSUWG FWPGWXF
CF AWWKZV CDQGJCDWA CD BHYJD
DJXHGW; WUWD XBW ZWJFX
PHGCSHF YCDA CF GSHFWA LV XBW
KGSYCFW SI FBJGCDQ RDSOZWAQW
OCXBBWZA IGSY SXBWGF.”
Frequency Analysis
“XBW HGQW XS ACFPSUWG FWPGWXF CF
AWWKZV CDQGJCDWA CD BHYJD DJXHGW;
WUWD XBW ZWJFX PHGCSHF YCDA CF
GSHFWA LV XBW KGSYCFW SI FBJGCDQ
RDSOZWAQW OCXBBWZA IGSY SXBWGF.”
Ciphertext letter counts: W: 20, C: 11, F: 11, G: 11
“Normal” English: e 12%, t 9%, a 8%
Pattern Analysis
“XBe HGQe XS ACFPSUeG FePGeXF CF
AeeKZV CDQGJCDeA CD BHYJD DJXHGe;
eUeD XBe ZeJFX PHGCSHF YCDA CF
GSHFeA LV XBe KGSYCFe SI FBJGCDQ
RDSOZeAQe OCXBBeZA IGSY SXBeGF.”
XBe = “the”
Most common trigrams in English:
the = 6.4%
and = 3.4%
Guessing
“the HGQe tS ACFPSUeG FePGetF CF
AeeKZV CDQGJCDeA CD hHYJD DJtHGe;
eUeD the ZeJFt PHGCSHF YCDA CF
GSHFeA LV the KGSYCFe SI FhJGCDQ
RDSOZeAQe OCthheZA IGSY StheGF.”
S = “o”
Guessing
“the HGQe to ACFPoUeG FePGetF CF
AeeKZV CDQGJCDeA CD hHYJD DJtHGe;
eUeD the ZeJFt PHGCoHF YCDA CF
GoHFeA LV the KGoYCFe oI FhJGCDQ
RDoOZeAQe OCthheZA IGoY otheGF.”
otheGF = “others”
Guessing
“the HrQe to ACsPoUer sePrets Cs
AeeKZV CDQrJCDeA CD hHYJD DJtHre;
eUeD the ZeJst PHrCoHs YCDA Cs
roHseA LV the KroYCse oI shJrCDQ
RDoOZeAQe OCthheZA IroY others.”
“sePrets” = “secrets”
Guessing
“the HrQe to ACscoUer secrets Cs
AeeKZV CDQrJCDeA CD hHYJD DJtHre;
eUeD the ZeJst cHrCoHs YCDA Cs
roHseA LV the KroYCse oI shJrCDQ
RDoOZeAQe OCthheZA IroY others.”
“ACscoUer” = “discover”
Guessing
“the HrQe to discover secrets is
deeKZV iDQrJiDed iD hHYJD DJtHre;
eveD the ZeJst cHrioHs YiDd is
roHsed LV the KroYise oI shJriDQ
RDoOZedQe OithheZd IroY others.”
Monoalphabetic Cipher
“The urge to discover secrets is deeply
ingrained in human nature; even the
least curious mind is roused by the
promise of sharing knowledge withheld
from others.”
- John Chadwick,
The Decipherment of Linear B
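The frequency, pattern and guessing steps from the preceding slides, replayed as an added example (not part of the original lecture). The function names and the `REMAINING` table are assumptions introduced here; the ciphertext and the guesses are the ones on the slides.

```python
import re
from collections import Counter

# Ciphertext from the slides, line breaks removed.
CIPHERTEXT = (
    "XBW HGQW XS ACFPSUWG FWPGWXF CF AWWKZV CDQGJCDWA CD BHYJD DJXHGW; "
    "WUWD XBW ZWJFX PHGCSHF YCDA CF GSHFWA LV XBW KGSYCFW SI FBJGCDQ "
    "RDSOZWAQW OCXBBWZA IGSY SXBWGF."
)
# Guesses in the order the slides make them (ciphertext -> plaintext).
SLIDE_GUESSES = [
    {"W": "e"},                      # frequency analysis: W is most common
    {"X": "t", "B": "h"},            # pattern analysis: XBe = "the"
    {"S": "o"},
    {"G": "r", "F": "s"},            # otheGF = "others"
    {"P": "c"},                      # sePrets = "secrets"
    {"A": "d", "C": "i", "U": "v"},  # ACscoUer = "discover"
]
# Remaining letters, read off the final plaintext slide (assumed step).
REMAINING = dict(zip("HQKZVDJYLIRO", "ugplynambfkw"))

def letter_counts(ct):
    """Single-letter frequencies, ignoring spaces and punctuation."""
    return Counter(c for c in ct if c.isalpha())

def trigram_counts(ct):
    """Count 3-letter windows inside each word (word breaks are kept)."""
    counts = Counter()
    for word in re.findall(r"[A-Z]+", ct):
        counts.update(word[i:i + 3] for i in range(len(word) - 2))
    return counts

def apply_key(ct, key):
    """Slide notation: solved letters lowercase, unsolved stay uppercase."""
    return "".join(key.get(c, c) for c in ct)

def replay(ct):
    """Apply the guesses cumulatively and return the text after each step."""
    key, steps = {}, []
    for guess in SLIDE_GUESSES + [REMAINING]:
        key.update(guess)
        steps.append(apply_key(ct, key))
    return steps

if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT).most_common(4))
    print(trigram_counts(CIPHERTEXT).most_common(1))
    print("\n".join(replay(CIPHERTEXT)))
```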
Why was it so easy?
• Doesn’t hide statistical properties of
plaintext
• Doesn’t hide relationships in plaintext (EE
cannot match dg)
• English (and all natural languages) is very
redundant: about 1.5 bits of information
per letter (~68% f ltrs r redndnt)
– Compress English with gzip – about 1:6
How to make it harder?
• Cosmetic
• Hide statistical properties:
– Encrypt “e” with 12 different symbols, “t”
with 9 different symbols, etc.
– Add nulls, remove spaces
• Polyalphabetic cipher
– Use different substitutions
• Transposition
– Scramble order of letters
Types of Attacks
• Ciphertext-only - How much Ciphertext?
• Known Plaintext - often “Guessed Plaintext”
• Chosen Plaintext (get ciphertext)
– Not as uncommon as it sounds!
• Chosen Ciphertext (get plaintext)
• Dumpster Diving Not recommended in CS588
• Social Engineering
• “Rubber-hose cryptanalysis”
– Cryptanalyst uses threats, blackmail, torture,
bribery to get the key.
Really Brief History
First 4000 years
[Timeline figure; year labels: 3000BC, 900, 1460, 1854]
Cryptographers: monoalphabetics; Alberti – first polyalphabetic cipher; Vigenère
Cryptanalysts: al-Kindi – frequency analysis; Babbage breaks Vigenère; Kasiski (1863) publishes
Really Brief History - last 100 years
[Timeline figure; year labels: 1854, 1918, 1939, 1945, 1973, 1978]
1895 – Invention of Radio
Cryptographers: Mechanical ciphers – Enigma; Mauborgne – one-time pad; Enigma adds rotors, stops repeated key; Feistel block cipher, DES; Public-Key; Quantum Crypto
Cryptanalysts: Rejewski repeated message-key attack; Turing’s loop attacks, Colossus; Linear, Differential Cryptanalysis
Themes
• Arms race between cryptographers and
cryptanalysts
– But, often disconnect between two (e.g., Mary Queen of
Scots uses monoalphabetic cipher long after known
breakable)
• Motivated by war (more recently: commerce)
• Driven by advances in technology, mathematics
• Multi-disciplinary field
– Linguists, classicists, mathematicians, computer
scientists, physicists
• Secrecy often means advances rediscovered and
miscredited
Security vs. Pragmatics
• Trade-off between security and effort
– one-time pad: perfect security, but requires
distribution and secrecy of long key
– DES: short key, fast algorithm, but breakable
– quantum cryptography: perfect security,
guaranteed secrecy of key, slow, requires
expensive hardware
• Don’t spend $10M to protect $1M.
• Don’t protect $1B with encryption that can be
broken for $1M.
Perfectly Secure Cipher:
One-Time Pad
• Mauborgne/Vernam [1917]
• XOR (⊕):
0 ⊕ 0 = 0    1 ⊕ 0 = 1
0 ⊕ 1 = 1    1 ⊕ 1 = 0
a ⊕ a = 0
a ⊕ 0 = a
a ⊕ b ⊕ b = a
• E(P, K) = P ⊕ K
D(C, K) = C ⊕ K = (P ⊕ K) ⊕ K = P
Why perfectly secure?
• For any given ciphertext, all plaintexts are
equally possible.
Ciphertext: 0100111110101
Key1: 1100000100110
Plaintext1: 1000111010011 = “CS”
Key2: 1100010100110
Plaintext2: 1000101010011 = “BS”
• More formal proof next time
Go to the beach?
• Cannot reuse K
– What if receiver has
C1 = P1 ⊕ K and C2 = P2 ⊕ K
C1 ⊕ C2 = P1 ⊕ K ⊕ P2 ⊕ K
= P1 ⊕ P2
• Need to generate truly random bit sequence
as long as all messages
• Need to securely distribute key
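An added example (not from the original lecture) covering both the "Why perfectly secure?" slide and the key-reuse point above: it checks the slide's bit strings, shows that every same-length plaintext has a key that explains a given ciphertext, and shows what reusing K leaks. The function names and the two sample messages are constructed for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """E(P, K) = P xor K and D(C, K) = C xor K are the same operation."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bit strings written the way the slide writes them."""
    if len(a) != len(b):
        raise ValueError("bit strings must have equal length")
    return "".join("01"[x != y] for x, y in zip(a, b))

# Values from the "Why perfectly secure?" slide.
CIPHERTEXT = "0100111110101"
KEY1, KEY2 = "1100000100110", "1100010100110"

def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """For ANY same-length candidate plaintext, this key decrypts to it,
    so the ciphertext alone cannot rule any candidate out."""
    return xor(ciphertext, candidate)

def reuse_leak(p1: bytes, p2: bytes) -> bytes:
    """Encrypt two messages under the SAME random pad and return C1 xor C2.
    The pad cancels out: the result equals P1 xor P2 and contains no key."""
    k = secrets.token_bytes(len(p1))
    c1, c2 = xor(p1, k), xor(p2, k)
    return xor(c1, c2)

if __name__ == "__main__":
    print(xor_bits(CIPHERTEXT, KEY1), xor_bits(CIPHERTEXT, KEY2))
    p1, p2 = b"ATTACK AT DAWN", b"RETREAT AT TEN"   # constructed samples
    leak = reuse_leak(p1, p2)
    # Anyone who knows (or guesses) P1 recovers P2 without ever seeing K.
    print(xor(leak, p1))
```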
“One-Time” Pads in Practice
• Lorenz Machine –
Nazi high command in WWII
– Pad generated by 12 rotors
– Receiver and sender set up
rotors in same positions
– One operator retransmitted a
message (but abbreviated message header the
second time!)
– Enough for Bletchley Park to figure out key – and
structure of machine that generated it!
– But still had to try all configurations
Colossus – First Electronic
Programmable Computer
Bletchley Park (near London), 1944
Bletchley Park, 2004
Colossus
• Read ciphertext and Lorenz wheel patterns
from tapes
• Tried each alignment, calculated correlation
with German
• Decoded messages (63M letters by 10
Colossus machines) that enabled Allies to
know German troop locations to plan D-Day
• Destroyed in 1960, kept secret until 1970s
Charge
• Send me your registration survey by
Sunday
• Start thinking about projects and teams
(will talk about this Tuesday)
• Subscribe to RISKS and Cryptogram
(instructions on notes)
• Next time:
– Proving Ciphers are Perfect (in Theory)
– Information Theory