Lecture 5: Enigma Concluded Bletchley Park (June 2004) CS588: Security and Privacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/evans Last Time: Added Plugboard Plaintext B Ciphertext Plugboard L M N R Rotor 1 Rotor 2 Rotor 3 Reflector 6 plugs: (26*25)/2 * (24*23)/2 * … * (16*15/2) / 6! = 1011 times more keys 3 February 2005 University of Virginia CS 588 2 Poster in RAF Museum 3 February 2005 University of Virginia CS 588 3 Operation • Day key (distributed in code book) • Each message begins with message key (“randomly” chosen by sender) encoded using day key • Message key sent twice to check • After receiving message key, re-orient rotors according to key 3 February 2005 University of Virginia CS 588 4 Letter Permutations Symmetry of Enigma: if Epos (x) = y we know Epos (y) = x Given message openings DMQ VBM E1(m1) = D E4(m1) = V E1oE4(D) = V VON PUY => E1(D) = m1 PUC FMQ => E4 (E1 (D)) = V With enough message openings, we can build complete cycles for each position pair: E1oE4 = (DVPFKXGZYO) (EIJMUNQLHT) (BC) (RW) (A) (S) Note: Cycles must come in pairs of equal length 3 February 2005 University of Virginia CS 588 5 Composing Involutions • E1 and E2 are involutions (x y y x) • Without loss of generality, we can write: E1 contains (a1a2) (a3a4) … (a2k-1a2k) E2 contains (a2a3) (a4a5) … (a2ka1) E1 E2 a1 a2 a2 x = a3 or x = a1 a3 a4 a4 x = a5 Why can’t or x = a1 x be a2 or a3? 3 February 2005 University of Virginia CS 588 6 Rejewski’s Theorem E1 contains (a1a2) (a3a4) … (a2k-1a2k) E4 contains (a2a3) (a4a5) … (a2ka1) E1E4 contains (a1a3a5…a2k-1) (a2ka2k-2… a4a2) • The composition of two involutions consists of pairs of cycles of the same length • For cycles of length n, there are n possible factorizations 3 February 2005 University of Virginia CS 588 7 Factoring Permutations E1E4 = (DVPFKXGZYO) (EIJMUNQLHT) (BC) (RW) (A) (S) (A) (S) = (AS) o (SA) (BC) (RW) = (BR)(CW) o (BW)(CR) or = (BW)(RC) o (WC) (BR) (DVPFKXGZYO) (EIJMUNQLHT) = (DE)(VI)… or (DI)(VJ) … or (DJ)(VM) … … (DT)(VE) 10 possibilities 3 February 2005 University of Virginia CS 588 8 How many factorizations? (DVPFKXGZYO) (EIJMUNQLHT) E1 E2 D a2 V a4 a2 V a4 P Once we guess a2 everything else must follow! So, only n possible factorizations for an n-letter cycle Total to try = 2 * 10 = 20 E2E5 and E3E6 likely to have about 20 to try also About 203 (8000) factorizations to try (still too many in pre-computer days) 3 February 2005 University of Virginia CS 588 9 Luckily… • Operators picked message keys (“cillies”) – Identical letters – Easy to type (e.g., QWE) • If we can guess P1 = P2 = P3 (or known relationships) can reduce number of possible factorizations • If we’re lucky – this leads to E1 …E6 3 February 2005 University of Virginia CS 588 10 Solving? E1 = B-1L-1Q LB E2 = B-1L-2QL2B E3 = B-1L-3QL3B E4 = B-1L-4QL4B E5 = B-1L-5QL5B E6 = B-1L-6QL6B 3 February 2005 6 equations, 3 unknowns Not known to be efficiently solvable University of Virginia CS 588 11 Solving? Often, know plugboard E1 = B-1L-1Q LB settings (didn’t change frequently) BE1B-1 = L-1Q L 6 equations, 2 unknowns – solvable 6 possible arrangements of 3 rotors, 263 starting locations = 105,456 possibilities Poles spent a year building a catalog of cycle structures covering all of them (until Nov 1937): 20 mins to break Then Germans changed reflector and they had to start over. 3 February 2005 University of Virginia CS 588 12 1939 • Early 1939 – Germany changes scamblers and adds extra plugboard cables, stop doubletransmissions – Poland unable to cryptanalyze • 25 July 1939 – Rejewski invites French and British cryptographers – Gives England replica Enigma machine constructed from plans, cryptanalysis • 1 Sept 1939 – Germany invades Poland, WWII starts 3 February 2005 University of Virginia CS 588 13 Bletchley Park • Alan Turing leads British effort to crack Enigma • Use cribs (“WETTER” transmitted every day at 6am) to find structure of plugboard settings • Built “bombes” to automate testing • 10,000 people worked at Bletchley Park on breaking Enigma (100,000 for Manhattan Project) 3 February 2005 University of Virginia CS 588 14 Alan Turing’s “Bombe” Steps through all possible rotor positions (263), testing for probable plaintext; couldn’t search all plugboard settings (> 1012); take advantage of loops in cribs 3 February 2005 University of Virginia CS 588 15 Enigma Cryptanalysis • Relied on combination of sheer brilliance, mathematics, espionage, operator errors, and hard work • Huge impact on WWII – Britain knew where German U-boats were – Advance notice of bombing raids – But...keeping code break secret more important than short-term uses • The Coventry bombing story isn’t true, but decoy scouts is 3 February 2005 University of Virginia CS 588 16 Projects • Start thinking about projects and forming teams • Prefer teams of 3 people – In rare circumstances will allow solo projects • Preliminary Proposals due Feb 15 – List of team members • Use web forum to discuss project ideas, find interested teammates – Either: • Short blurbs for at least 3 project ideas • A description of a project idea with some background, convincing argument it will be possible and interesting 3 February 2005 University of Virginia CS 588 17 Project Option 1: Research • Research Projects – Identify an interesting problem related to cryptography/security • Devise an approach for solving it – Analyze security of some system • GET PERMISSION FIRST! • Doesn’t need to be limited to purely computational systems 3 February 2005 University of Virginia CS 588 18 Project Option 2: “Outreach” • Do something relevant to this course that is beneficial to the larger community. Examples include: – Develop and teach a course for K-12 students that uses cryptography to make math interesting – Produce something that conveys important security principles to the general public • Movie screening at end of class today 3 February 2005 University of Virginia CS 588 19 Which should you do? • Grad student, grad-school bound 3rd or 4th year: research project that integrates with your main research • 3rd/4th year looking for a job: something you can talk about on job interviews • 4th year with a job: outreach project • 4th year who doesn’t want a job 3 February 2005 University of Virginia CS 588 20 Modern Symmetric Ciphers A billion billion is a large number, but it's not that large a number. — Whitfield Diffie 3 February 2005 University of Virginia CS 588 21 Goals of Cipher: Diffusion and Confusion • Claude Shannon [1945] • Diffussion: – Small change in plaintext, changes lots of ciphertext – Statistical properties of plaintext hidden in ciphertext • Confusion: – Statistical relationship between key and ciphertext as complex as possible • So, need to design functions that produce output that is diffuse and confused 3 February 2005 University of Virginia CS 588 22 Block Ciphers • Stream Ciphers – Encrypts small (bit or byte) units one at a time • Block Ciphers – Encrypts large chunks (64 bits) at once • Ciphers we have seen so far: – Changing one letter of message only changes one letter of ciphertext – There were classical ciphers that had some diffusion: Vigenère autokey, Hill cipher (2-letter chunks) 3 February 2005 University of Virginia CS 588 23 Ideal Block Cipher • 64 bit blocks • 264 possible plaintext blocks, must have at least 264 corresponding ciphertext blocks – There are 264! possible mappings • Why not just create a random mapping? – Need a 264 * 64-bit table 1021 bits – $14 quadrillion – Need to distribute new table if compromised • Approximate ideal random mapping using components controlled by a key 3 February 2005 University of Virginia CS 588 24 Feistel Cipher Structure Plaintext R0 Substitution L0 K1 F Permutation Round L0 = left half of plaintext R0 = right half of plaintext Li = Ri - 1 Ri = Li - 1 F (Ri - 1, Ki ) C = Rn || Ln L1 3 February 2005 R1 n is number of rounds (undo last permutation) University of Virginia CS 588 25 One Round Feistel Li = Ri - 1 E (L0 || R0): Ri = Li - 1 F (Ri - 1, Ki ) L1 = R0 R1 = L0 F (R0, K1)) C = R1 || L1 = L0 F (R0, K1)) || R0 3 February 2005 University of Virginia CS 588 26 Decryption Ciphertext RD0 LD0 Substitution LD0 = left half of ciphertext RD0 = right half of ciphertext Kn LDi = RDi - 1 RDi = LDi - 1 F Permutation F (RDi - 1, Kn – i + 1) L1 3 February 2005 R1 P = RDn || LDn n is number of rounds University of Virginia CS 588 27 Decryption LDi = RDi - 1 RDi = LDi - 1 F (RDi - 1, Kn – i + 1) D (L0 F (R0, K1)) || R0) LD0 = L0 F (R0, K1) RD0 = R0 LD1 = R0 RD1 = LD0 F (RD0, K1) = L0 F (R0, K1) F (RD0, K1)) = L0 P = RD1 || LD1 = L0 || R0 Yippee! 3 February 2005 University of Virginia CS 588 28 Multiple Rounds • The entire round is a function: fK (L || R) = R || L F (R, K)) swap (L || R) = R || L • E = swap ° swap ° fKr ° swap ° fKr-1 ° ... ° fK2 ° swap ° fK1 • D = fK1 ° swap ° fK2 ° ... ° fKr-1 ° swap ° fKr ° swap ° swap 3 February 2005 University of Virginia CS 588 29 Decryption swap (fK (swap (fK (L || R)) = swap (fK (swap (R || L F (R, K)))) = swap (fK (L F (R, K) || R)) = swap (R || (L F (R, K)) F (R, K)) = swap (R || L) = L || R So swap ° fK its own inverse! 3 February 2005 University of Virginia CS 588 30 F • What are the requirements on F? – For decryption to work: none! – For security: • Hide patterns in plaintext • Hide patterns in key • Coming up with a good F is hard 3 February 2005 University of Virginia CS 588 31 Charge • Start to think of interesting project ideas • Post on discussion forum, find teammates • Next time: – DES: a Feistel cipher – Breaking DES (including Girish Ratanpal) • Movie (if you can stay, otherwise it is on the web) 3 February 2005 University of Virginia CS 588 32