
Corsello Research Foundation

Cryptography
Concepts of cryptography and computational methods

michael.corsello

3/28/2009
Abstract
Cryptography is the practice of rendering information unintelligible to all but a selected set of recipients. This practice has been used for over a thousand years in various forms, such as the simple Caesar ciphers reported to have been used in ancient Rome. Modern cryptography is computer based, intensely mathematical in nature, and largely infeasible to defeat. Most attacks on modern cryptographic systems involve weaknesses in the randomness of the output generated. This paper will discuss some of the cryptographic methodologies and attack vectors for these systems.
Michael Corsello Cryptography Paper CSci 283 Computer Security

Introduction
Cryptography is the practice of rendering information unintelligible to all but a selected group. This is accomplished through the use of shared secrets (keys) or complementary information (key pairs). The process used in cryptography includes two phases: encryption and decryption. Encryption is the process of converting “plaintext” into unintelligible “ciphertext” through some process involving a “key” or “keys”. Decryption is the reverse process of converting the “ciphertext” back into the original “plaintext” through the use of the same “key” or “keys”, or via a complementary “key” (as in public key cryptography).

Types of Ciphers
Early cryptographic systems involved concepts such as substitution, where characters of the plaintext were replaced with corresponding characters in a substitution key, or transposition, where characters were “moved around” in conjunction with a key in the form of a rule set. Over time, these manual forms of cryptographic systems were found to be defeatable with little more effort than had been used to encrypt the information. A continual need to maintain the confidentiality of information has led to the continual improvement of cryptographic systems ever since.

Substitution Ciphers
A simple (single) substitution cipher is the simplest form of cipher and is performed by substituting one character for another in a consistent manner. For example, the character “a” is substituted with the character “m” and the character “p” is substituted with the character “g”, until each possible character in the plaintext has a single corresponding character in the substitution set (key). This form of cipher is easily broken using frequency analysis, where the expected frequency of each character in plaintext is known (this primarily works for natural language plaintext and not for other forms of plaintext). For example, the relative frequency of the letter “e” in the English language is well known. By performing this analysis on a ciphertext, the character that was probably substituted for it can be ascertained. Since the substitution is one to one, the frequencies carry over from plaintext to ciphertext, and the mapping can be built up one character at a time as each is discovered.

A stronger form of substitution cipher involves the use of multi-substitution, where each plaintext character maps to more than one ciphertext character in the key. This form of cipher requires the key to contain more distinct characters than the source alphabet to ensure that reversal is possible. This form of substitution provides limited resistance to frequency analysis, but it is still broken using these same techniques over a longer period of time.
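To make the substitution and frequency-analysis discussion concrete, here is an added example (not from the original paper): a simple substitution cipher over the English alphabet, using the “a” to “m” and “p” to “g” mappings from the text, followed by the frequency count that recovers the “e” mapping from ciphertext alone. The key, the English letter ordering and the sample text are constructed for this example; the function names are my own.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Constructed key: a permutation of the alphabet. KEY[i] is the ciphertext letter for ALPHABET[i],
# so "a" -> "m" and "p" -> "g" as in the text above.
KEY = "mzqwpdlxvuyhtjkgraoncfbies"
assert sorted(KEY) == list(ALPHABET), "key must be a permutation of the alphabet"

# English letters ordered from most to least frequent (the familiar "etaoin shrdlu" ordering).
ENGLISH_BY_FREQUENCY = "etaoinshrdlcumwfgypbvkjxqz"


def _table(src: str, dst: str) -> dict:
    """Translation table covering lower- and upper-case letters; other characters pass through."""
    return str.maketrans(src + src.upper(), dst + dst.upper())


def encrypt(plaintext: str, key: str = KEY) -> str:
    return plaintext.translate(_table(ALPHABET, key))


def decrypt(ciphertext: str, key: str = KEY) -> str:
    # Invert the key: the plaintext letter for ciphertext letter c is ALPHABET[key.index(c)].
    inverse = "".join(ALPHABET[key.index(c)] for c in ALPHABET)
    return ciphertext.translate(_table(ALPHABET, inverse))


def letter_frequencies(text: str) -> dict:
    """Relative frequency of each letter in `text`, ignoring case and non-letters."""
    letters = [c for c in text.lower() if c in ALPHABET]
    counts = Counter(letters)
    total = len(letters) or 1
    return {c: counts[c] / total for c in ALPHABET}


def rank_by_frequency(text: str) -> list:
    """Letters of `text` from most to least frequent (ties broken alphabetically)."""
    freqs = letter_frequencies(text)
    return sorted(ALPHABET, key=lambda c: (-freqs[c], c))


def guess_mapping(ciphertext: str, top: int = 5) -> dict:
    """Frequency analysis: pair the `top` most common ciphertext letters with the most common
    English letters. Only the first few pairs are reliable; the rest of the mapping is built up
    letter by letter as each one is confirmed against readable fragments."""
    ranked = rank_by_frequency(ciphertext)
    return dict(zip(ranked[:top], ENGLISH_BY_FREQUENCY[:top]))


# Constructed sample plaintext, long enough for letter statistics to be meaningful.
SAMPLE = (
    "The quick brown fox jumps over the lazy dog. Frequency analysis depends on the "
    "expected distribution of letters in natural language text, and the letter e appears "
    "more often than every other letter in typical English prose. Because a simple "
    "substitution replaces each letter with the same symbol every time, these frequencies "
    "survive encryption unchanged."
)

if __name__ == "__main__":
    c = encrypt(SAMPLE)
    print(c)
    print("most common ciphertext letters:", rank_by_frequency(c)[:5])
    print("guessed mapping:", guess_mapping(c))
    print("round trip ok:", decrypt(c) == SAMPLE)
```

Because the substitution is one to one, the most common ciphertext letter is simply whatever the key maps “e” to, which is exactly what `guess_mapping` reports; on short or non-English input the ranking is unreliable, which is the limitation the text notes.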

Transposition Ciphers
Transposition ciphers perform a permutation of the plaintext to generate ciphertext. This process involves altering the positions of characters within the plaintext using a key that defines a regular system for this transposition. This form of cipher often arranges the plaintext into a two dimensional matrix and reads out the ciphertext in the opposing direction to the one used to fill the matrix. For example, the key may define column oriented generation of a matrix of order 5. In this manner, the plaintext is written down the columns of the matrix, 5 characters per column, character by character until all plaintext is entered. The ciphertext is then read out in a row oriented manner.

In this form of cipher, the text “Hello, Welcome home you merry gentlemen.” would be written into the matrix (with <sp> marking a space character):

H , c h y e g e
e <sp> o o o r e m
l W m m u r n e
l e e e <sp> y t n
o l <sp> <sp> m <sp> l .

This matrix is then read out row by row to produce the ciphertext “H,chyegee oooremlWmmurneleee ytnol  m l.” (note the two consecutive spaces between “ol” and “m”, which come from the two adjacent space cells in the last row).

There are many forms of transposition cipher, which transform the plaintext into a matrix based upon one rule and read the ciphertext out of the matrix based upon a second rule. The combination of these 2 rules forms the key. While in the example we read out the ciphertext in a row oriented manner, it is practical to read out the ciphertext in other manners as well, such as radially inward from some origin position in the matrix, as long as the ciphertext generation method is not the inverse of the matrix generation method (otherwise the ciphertext would be identical to the plaintext).
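The column-fill, row-read transposition described above, as an added example (not from the original paper): it reproduces the “Hello, Welcome home you merry gentlemen.” matrix with 5 rows and adds the inverse that a recipient holding the same rule (the key) applies, including the case where the last column is short. The function names are my own; the matrix size of 5 comes from the text.

```python
import math


def build_matrix(plaintext: str, rows: int = 5) -> list:
    """Write the plaintext down the columns, `rows` characters per column (the last column
    may be short). Returns the matrix as a list of row strings."""
    columns = [plaintext[i:i + rows] for i in range(0, len(plaintext), rows)]
    return ["".join(col[r] for col in columns if r < len(col)) for r in range(rows)]


def transpose_encrypt(plaintext: str, rows: int = 5) -> str:
    """Read the matrix out row by row; that read-out order is the second half of the key."""
    return "".join(build_matrix(plaintext, rows))


def transpose_decrypt(ciphertext: str, rows: int = 5) -> str:
    """Rebuild the matrix from the row-major ciphertext and read it back down the columns."""
    n = len(ciphertext)
    cols = math.ceil(n / rows)
    last_col_len = n - (cols - 1) * rows          # characters in the final, possibly short, column
    # Rows below the end of the short column hold one character fewer.
    row_lengths = [cols if r < last_col_len else cols - 1 for r in range(rows)]
    matrix, pos = [], 0
    for length in row_lengths:
        matrix.append(ciphertext[pos:pos + length])
        pos += length
    return "".join(
        matrix[r][c] for c in range(cols) for r in range(rows) if c < len(matrix[r])
    )


def show_matrix(plaintext: str, rows: int = 5) -> str:
    """Render the matrix with <sp> standing for a space, as in the text."""
    return "\n".join(" ".join("<sp>" if ch == " " else ch for ch in row)
                     for row in build_matrix(plaintext, rows))


# The example from the text.
EXAMPLE = "Hello, Welcome home you merry gentlemen."

if __name__ == "__main__":
    print(show_matrix(EXAMPLE))
    c = transpose_encrypt(EXAMPLE)
    print(repr(c))
    print("round trip ok:", transpose_decrypt(c) == EXAMPLE)
```

Reading the matrix out row by row is only one read-out rule; any other rule (a different row order, a spiral, and so on) pairs with the same column fill to give a different key, and the decryption routine must mirror whichever rule was used.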

For further protection, multiple transpositions may be used in series to further complicate the path and thus the breaking of the cipher. When used in conjunction with a multi-alphabetic substitution cipher, the cipher can be quite challenging to break. Unfortunately, with computational assistance, even these can be broken in short enough times to be largely ineffective at practical protection of information.

Modern Ciphers
In modern cryptography there are 2 basic classes of cryptosystem: symmetric (private key) and asymmetric (public key). The classic form of cryptography is symmetric, in that the encryption and decryption of a message both use the same key, which is a shared secret between the sender and recipients. The creation of asymmetric cryptography was a major breakthrough, in which there is a pair of keys: one private key to decrypt and one public key to encrypt. This permits a recipient of a message to provide a key freely to the world without fear of compromise. Unfortunately, this also results in a form of the N-way problem, in that each recipient of a message has to provide their individual public key and the message is repeatedly encrypted to each recipient. This was ameliorated by the use of a hybrid system in which the actual message is encrypted with a symmetric key, and only that key is encrypted repeatedly for each recipient. In this manner, as long as the number of recipients is small, a single message can contain the ciphertext and all encrypted copies of the symmetric key.

Operations
The actual operation performed in any cryptosystem is generally an exclusive-or (XOR), in which binary data (zeros and ones) are operated on with a simple logic rule: if exactly one of the 2 bits being compared is a one, then output a one; otherwise, output a zero. In a truth table, the XOR operation looks like this:

XOR | 0 | 1
----+---+---
 0  | 0 | 1
 1  | 1 | 0

In a simple encryption / decryption scheme, the plaintext can be directly bitwise XORed against the key, and returned to plaintext via the same operation. This is the general backbone operation of most modern digital cryptographic methodologies.

Randomness
In talking about cryptography, the subject of generating random values for keys, and random values for “starting points” within a process, arises quite naturally. A key for modern cryptography will be at least 256 bits in length and will often be over 1024 bits in length (especially for public key systems). Additionally, there are other random numbers used within the cryptographic processing in conjunction with the actual encryption / decryption process. The generation of these random values must be automatic and therefore machine generated.

While there are several mechanisms for generating “random” numbers, they are all based upon one principle governing all computers: they are generated using an algorithm that is by definition deterministic. This means that any computer using the same algorithm for generating the “random” number will generate the exact same sequence of numbers. This is what is known as “pseudo-random” and is the basis (and primary weakness) of modern cryptosystems. These pseudo-random numbers (PRNs) and their generators (PRNGs) vary in strength, speed and predictability. For instance, many operating systems (OSes) have multiple random number generators in use. The primary one used in applications is a “general purpose random number generator” which is not to be used for cryptographic purposes. Additionally, these OSes will have multiple cryptographic strength PRNGs specifically for use in cryptographic implementations.

For specialized cryptosystems, hardware PRNGs are used, and in both hardware and software one common mechanism for a PRNG is the linear feedback shift register (LFSR). This form of PRNG has a maximum sequence length of PRN generation before a repeating sequence is generated. In other words, there is a certain number of unique pseudo-random bits that are generated before the exact same sequence of bits repeats. If this sequence length is the maximum possible given the internal register (memory) size, this is a maximal LFSR. Based upon the needs of the PRNG (and the applications using it), the minimum practical size of LFSR (bigger is exponentially more costly) can be selected for use.

Classes of Ciphers
There are generally two broad classes of ciphers: block and stream. Almost all modern cryptosystems fall into one of these two categories, with the majority of strong cryptosystems being of the block type.

Stream Ciphers
A stream cipher is a symmetric key cipher that works like a zipper, where the 2 halves of the zipper are the plaintext and the key, with the “zipped” output being the ciphertext. The operation that performs the union of the streams is generally just an XOR. The operation happens in a bit-by-bit or byte-by-byte manner throughout the plaintext stream. The primary benefits of a stream cipher are speed and low memory utilization, as both inputs and the output are streams that could be mapped to or from any location (memory, network or disk).

Due to the streaming nature of the key, it must be capable of long non-repeating periods with respect to the plaintext stream length. Additionally, the starting point of the stream cipher with respect to its state is of great importance to its security. If the same key sequence (or the seed used to generate the key sequence) is used more than once, then the cipher can be compromised by temporal analysis. The starting point of a stream within the keystream can also provide variation when key reuse or restart is needed.
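An added example (not from the original paper) tying together the XOR operation from the Operations section, the LFSR from the Randomness section and the stream cipher described above: a Fibonacci LFSR used as a keystream generator, XORed byte by byte against the plaintext, with a period check that separates a maximal register from a non-maximal one and a demonstration of why the keystream (or its seed) must never be reused. The register sizes and tap positions are my choices (x^16 + x^14 + x^13 + x^11 + 1 is a standard maximal 16-bit polynomial); the sample messages are constructed.

```python
def xor_bit(a: int, b: int) -> int:
    """The XOR rule from the text: output 1 exactly when one of the two bits is 1."""
    return 1 if a != b else 0


XOR_TRUTH_TABLE = {(a, b): xor_bit(a, b) for a in (0, 1) for b in (0, 1)}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Bitwise XOR of equal-length byte strings; applying it twice with the same key restores data."""
    if len(data) != len(key):
        raise ValueError("data and key must be the same length")
    return bytes(d ^ k for d, k in zip(data, key))


class LFSR:
    """Fibonacci linear feedback shift register.

    `taps` are the exponents of the feedback polynomial, e.g. [16, 14, 13, 11] for
    x^16 + x^14 + x^13 + x^11 + 1. The register shifts right; the feedback bit enters at the top.
    """

    def __init__(self, size: int, taps: list, seed: int):
        if seed == 0 or seed >> size:
            raise ValueError("seed must be non-zero and fit in the register")
        self.size = size
        self.shifts = [size - t for t in taps]   # bit positions XORed together for feedback
        self.state = seed

    def step(self) -> int:
        """Advance one clock; return the bit shifted out (one keystream bit)."""
        out = self.state & 1
        feedback = 0
        for s in self.shifts:
            feedback ^= (self.state >> s) & 1
        self.state = (self.state >> 1) | (feedback << (self.size - 1))
        return out

    def keystream(self, nbytes: int) -> bytes:
        out = bytearray()
        for _ in range(nbytes):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | self.step()
            out.append(byte)
        return bytes(out)


def lfsr_period(size: int, taps: list, seed: int = 1) -> int:
    """Clock the register until its state returns to the seed. A maximal LFSR of `size` bits
    returns only after 2**size - 1 steps; a non-maximal one repeats much sooner."""
    reg = LFSR(size, taps, seed)
    steps = 0
    while True:
        reg.step()
        steps += 1
        if reg.state == seed:
            return steps


def stream_encrypt(plaintext: bytes, size: int, taps: list, seed: int) -> bytes:
    """Stream cipher: plaintext XOR keystream. Decryption is the same call with the same seed."""
    return xor_bytes(plaintext, LFSR(size, taps, seed).keystream(len(plaintext)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted under the same keystream, XORing the ciphertexts cancels the
    key and leaves p1 XOR p2. That is the loss the text warns about when a key sequence or seed
    is used more than once."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


TAPS16 = [16, 14, 13, 11]   # maximal 16-bit register: period 2**16 - 1 = 65535

if __name__ == "__main__":
    print("4-bit taps [4, 3] period:", lfsr_period(4, [4, 3]))   # 15, maximal
    print("4-bit taps [4, 2] period:", lfsr_period(4, [4, 2]))   # 6, not maximal
    p1, p2 = b"meet at noon today", b"same place as before"
    c1 = stream_encrypt(p1, 16, TAPS16, 0xACE1)
    c2 = stream_encrypt(p2, 16, TAPS16, 0xACE1)   # same seed reused: the mistake to avoid
    print("round trip ok:", stream_encrypt(c1, 16, TAPS16, 0xACE1) == p1)
    n = min(len(p1), len(p2))
    print("key cancelled:", keystream_reuse_leak(c1, c2) == xor_bytes(p1[:n], p2[:n]))
```

The period function is the practical check behind the text's "maximal LFSR" remark: for the same 4-bit register, taps [4, 3] cycle through all 15 non-zero states while taps [4, 2] repeat after 6, so the second choice would exhaust its keystream far sooner than the register size suggests. An LFSR on its own is linear and is shown here only as the generator the text describes, not as a recommendation for a real stream cipher.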

Block Ciphers
The workhorses of modern cryptography are the block ciphers. A block cipher is a symmetric key cipher that operates over a block of data of fixed size using a fixed algorithmic transform. The primary cryptosystems in use in the USA (AES and Triple DES) are both block ciphers. A block cipher works much like a transposition cipher in that an input block of fixed size is transformed into an internal structure that is then operated on in conjunction with the key. These operations may be performed in iterations (rounds) to further randomize the appearance of the output ciphertext. In many block cryptosystems, not all of the iterations will utilize both the plaintext and the key; some instead perform operations on the plaintext only, to increase the randomness and reduce the linearity of the original input.

Perfect Ciphers
There is one theoretically perfect method of cryptography, the one-time pad (OTP). In this form of cipher, a plaintext message is encrypted using a corresponding key of at least the same length as the plaintext message. Each character in the plaintext is operated on based upon the corresponding character in the key. This operation is commonly an XOR operation or a summation. The resulting ciphertext can only be decrypted using the same key, and that key is NEVER REUSED. The problems with the OTP are the reuse of the key and the exchange of the key with the recipients. Since the key is at least the same length as the message, it requires a minimum of double the transmission space: one for the ciphertext and one for the key, which must be protected.

The OTP methodology was patented in a device by Gilbert Vernam and named the “Vernam Cipher” (1917). This device used a paper tape key that is prepared and shared a priori to the exchange of messages.

The practical use of the OTP is limited, though it is used in part in the RC4 cipher system in use today. The most common practical use of an OTP cipher is based upon a priori agreement of the parties to select a text (an actual book, such as a specific edition and printing of an encyclopedia). Each message sent between the parties will carry an identifier that indicates where in that text to begin the key. The sender will then encrypt the message based upon the plaintext and the text of the larger key text. In this manner, the actual text may be reused with different starting points over time. It is believed that such ciphers are currently in use by covert organizations using internet based text volumes on sites such as Project Gutenberg (http://www.gutenberg.org).
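An added example (not from the original paper) of the one-time pad and the book-keyed variant described above: a pad drawn from the operating system's random source, the length check that enforces "at least the same length as the message", a small demonstration of why a random pad is perfect (any candidate plaintext of the same length is explained by some key), and the running-key form that takes its key from an agreed text at an offset carried with the message. The helper names and the stand-in "book" text are mine; the stand-in is a constructed string, not a real volume.

```python
import os


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Character-by-character XOR against the pad. The key must cover the whole message."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation with the same key.
otp_decrypt = otp_encrypt


def generate_pad(length: int) -> bytes:
    """Fresh pad from the OS cryptographic random source. A pad is used once and then discarded."""
    return os.urandom(length)


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy in one line: for any candidate plaintext of the same length there is a key
    (ciphertext XOR candidate) under which the ciphertext decrypts to it. With a uniformly random
    pad every such key was equally likely, so the ciphertext alone reveals nothing about which
    message was actually sent."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must be the same length as the ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate))


# Constructed stand-in for the agreed text (a real scheme would use a specific book edition).
BOOK = (
    b"The agreed volume stands in for a specific edition and printing. Both parties hold an "
    b"identical copy and count characters from its first page, so an offset names a unique "
    b"starting point in the key text for each message that is exchanged."
)


def book_encrypt(plaintext: bytes, book: bytes, offset: int) -> tuple:
    """Running-key variant from the text: the key is `book` starting at `offset`, and the message
    carries the offset so the recipient finds the same starting point. Caveat: the key material is
    natural language rather than uniformly random, so this variant does not carry the OTP's
    unconditional guarantee that key_explaining() illustrates."""
    key = book[offset:offset + len(plaintext)]
    if len(key) < len(plaintext):
        raise ValueError("book text is too short for this message at this offset")
    return offset, otp_encrypt(plaintext, key)


def book_decrypt(message: tuple, book: bytes) -> bytes:
    offset, ciphertext = message
    return otp_decrypt(ciphertext, book[offset:offset + len(ciphertext)])


if __name__ == "__main__":
    msg = b"the meeting moved to noon"
    pad = generate_pad(len(msg))
    c = otp_encrypt(msg, pad)
    print("pad round trip ok:", otp_decrypt(c, pad) == msg)
    decoy = bytes(reversed(msg))                     # any same-length message will do
    print("decoy also explained:", otp_decrypt(c, key_explaining(c, decoy)) == decoy)
    m = book_encrypt(msg, BOOK, 10)
    print("book round trip ok:", book_decrypt(m, BOOK) == msg)
```

The two halves of the example show the trade-off the text describes: the random pad is unconditionally secure but costs a key as long as every message and a protected channel to deliver it, while the book key removes the delivery problem at the price of a key that is no longer random.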

Conclusions
Cryptography is a branch of mathematics that has far-reaching effects in everyday life and has had for over a thousand years. The history of cryptography is quite rich and has provided us with many ways of protecting information from prying eyes. Even with all the advances, there is still only one truly unbreakable (except by luck and brute force) cipher, which is generally one of the more low-tech and impractical ciphers in existence. Given all of that, the cryptographic mechanisms of today are still resistant enough to attack that, for all but the most sensitive of information, there are no deterministic methods to break them in a practical timeframe. Overall, modern cryptosystems are most vulnerable to defeat due to the inherent difficulty in generating truly random information to use for keys.

