advertisement

Chapter 3 – Linear Cipher In this chapter we will combine the previous two ciphers into one super cipher, the Linear Cipher. We first multiply a plain letter value and afterwards perform an additional Caesar shift. This allows more encryptions thus hampering an eavesdropper’s job. We will be able to use our knowledge of the two previous chapters to discover the number of possible unique encryptions for the Linear Cipher. The Linear Cipher turns out to be an insecure cipher as well. However, it offers the opportunity to study the “Euclidean Algorithm” to find the good encoding keys and the “Extended Euclidean Algorithm” to find the corresponding decoding keys. Furthermore, we will learn a very important aspect of cryptography: How to use letter frequency analysis in order to crack ciphers. After learning how to crack the Linear Cipher we will extend this technique to crack any Monoalphabetic Cipher, even the Random Substitution Cipher. 3.1 Encryption using the Linear Cipher The Caesar and the Multiplication Cipher are not secure ciphers. To improve the security of an encrypted document we combine the Caesar and the Multiplication Cipher: we first multiply each plain letter by an integer a as done in the Multiplication Cipher and consequently shift it by b positions. We therefore obtain the following Definition of the Linear Cipher: The Linear Cipher encodes each plain letter P to a cipher letter C using the following encoding function: C = a*P + b MOD M where the encoding key consists of the pair of integers (a,b). We call a the factor key and b the shift key. Let us first investigate how many possible encryptions the Linear Cipher offers. Certainly more than the two previous ciphers, but how many exactly? Therefore, we have to first answer the following question: Does the Linear Cipher yield unique encryptions for any key pair (a,b)? Take a moment and come up with your guess. Let’s start by checking the factor key a=2 and the shift key b=4. Thus, we use the encryption function C= 2*P + 4 MOD 26 to encode the virus carrier message as follows: 1 PLAIN TEXT P 2*P C=2*P+4 MOD 26 Cipher text A 0 N 13 T 19 I 8 S 18 T 19 H 7 E 4 C 2 A 0 R 17 R 17 I 8 E 4 R 17 0 4 0 4 12 16 16 20 10 14 12 16 14 18 8 12 4 8 0 4 8 12 8 12 16 20 8 12 8 12 e e q u o q s m i e m m u m m We observe that this encryption does not produce the desired unique encryption. I.e. both the A and the N encode to the cipher letter e, also both R and E encode to m. The recipient does not know for sure how to decode the cipher letters e and m resulting in ambiguous messages. What causes the ambiguity? Is it the factor key a=2? Or the shift b=4? The answer is easy. Shifting each letter never causes ambiguity. However, the factor key a=2 turns A = 0 and N = 13 into a = 0 making the cipher code not unique. The same will happen for any other factor key that was a bad key in the Multiplication Cipher. Vice versa, a good key in the Multiplication Cipher must be a good factor key here since the final shift does not change the uniqueness of the encryption. Thus, the uniqueness solely depends on the chosen factor key a and not at all on the shift. This becomes even more evident if we choose the bad factor key a=13 and the shift key b=4. The corresponding encoding function is C= 13*P + 4 MOD 26. PLAIN TEXT A 0 N 13 T 19 I 8 S 18 T 19 H 7 E 4 C 2 A 0 R 17 R 17 I 8 E 4 R 17 13*P C=13*P + 4 Cipher text 0 4 e 13 17 r 13 17 r 0 4 e 0 4 e 13 17 r 13 17 r 0 4 e 0 4 e 0 4 e 13 17 r 13 17 r 0 4 e 0 4 e 13 17 r The multiplication with the factor key a=13 only yields 0 and 13. The final shift of 4 then produces the two cipher letters 4=e and the 17=r which makes the Cipher Code impossible to decode. 2 Recall that a=3 was a good key for the Multiplication Cipher MOD 26, so that we now encode the virus message using the good factor key a=3 and the final shift b=4. Thus, using the encoding function C= 3*P + 4 MOD 26 we obtain the following: PLAIN TEXT 3*P C=3*P+4 Cipher text A 0 N 13 T 19 I 8 S 18 T 19 H 7 E 4 C 2 A 0 R 17 R 17 I 8 E 4 R 17 0 4 e 13 17 r 5 9 j 24 2 c 2 6 g 5 9 j 21 25 z 12 16 q 6 10 k 0 4 e 25 3 d 25 3 d 24 2 c 12 16 q 25 3 d Exercise1: Identify the key pairs (a,b) that produce unique encryptions. Exercise2: Can you guess a decoding function for any encoding function? Hint: it will be again a Linear Cipher. Further questions to investigate: 1. The good keys of the Multiplication Cipher serve as good factor keys for the Linear Cipher. Does this implies that there are again (M) good factor keys for a given alphabet length M? 2. How many encryptions does the Linear Cipher therefore allow? Do they make the Linear Cipher a secure cipher? 3. We have to set up the decoding function so that the recipient can decode the encrypted message. 4. How could an eavesdropper possibly crack Linear Cipher-encoded message? We will answer these questions in the following sections. 3 3.1.1 The Linear Cipher offers 12 Good Factor Keys and 26 Good Shift Keys for M=26 To validate his conjecture that there are again (M) good factor keys for a given alphabet length M recall the multiplication table of the Multiplication Cipher for an alphabet of length M=26: PLAIN LETTER 0 Factor Key a a 0 A 0 B 0 C 0 0 D 0 0 E 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 F G H I J K L M N O P Q R S T U V W X Y Z 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 2 3 4 5 2 0 2 4 6 8 10 12 14 16 18 20 22 24 3 0 3 6 9 12 15 18 21 24 4 0 4 8 12 16 20 24 5 0 5 10 15 20 25 6 0 6 12 18 24 4 10 16 22 7 0 7 14 21 2 9 16 23 8 0 8 16 24 6 14 22 9 0 6 4 7 2 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 1 4 2 3 9 18 1 10 19 2 11 20 10 0 10 20 4 14 24 8 18 11 0 11 22 7 18 12 0 12 24 10 22 13 0 13 0 13 0 13 0 13 0 13 14 0 14 2 16 4 18 6 20 8 22 10 24 12 15 0 15 4 19 8 23 12 16 0 16 6 22 12 2 18 17 0 17 8 25 16 7 24 15 18 0 18 10 2 20 12 19 0 19 12 5 24 17 10 20 0 20 14 8 21 0 21 16 11 3 14 25 10 21 8 20 6 18 1 16 8 8 4 8 0 22 18 14 10 24 0 24 22 20 18 16 14 12 10 25 0 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 8 6 4 2 8 18 7 16 25 2 12 22 1 12 23 8 17 6 16 8 19 4 15 4 16 2 14 0 13 0 13 0 13 6 20 8 22 10 24 12 3 18 7 22 11 8 24 14 4 20 10 3 20 11 2 19 10 4 22 14 4 23 16 2 22 16 10 0 22 18 14 10 4 2 10 18 6 18 3 24 19 14 7 4 12 20 0 13 2 20 12 0 23 20 17 14 11 2 25 22 19 16 13 10 8 14 20 5 12 19 2 18 6 25 18 11 0 20 14 6 11 16 21 2 6 21 10 25 14 4 21 12 6 10 14 18 22 1 8 20 4 18 6 22 12 22 5 8 2 17 2 6 15 24 5 16 0 13 2 16 8 11 14 17 20 23 3 10 17 24 6 14 22 4 14 24 9 20 0 13 8 5 4 10 16 22 8 15 22 5 14 23 0 18 10 2 23 18 13 2 24 20 16 12 1 8 16 24 0 16 2 7 12 17 22 6 12 18 24 0 14 1 20 13 6 2 23 8 8 10 12 14 16 18 20 22 24 0 12 24 10 22 5 22 13 4 24 18 12 7 6 8 12 16 20 24 0 10 20 9 24 13 6 24 16 3 22 15 0 0 13 4 20 10 6 23 14 4 22 14 1 22 17 12 6 5 20 0 2 13 24 2 14 0 13 4 4 13 22 6 16 6 17 4 16 8 24 14 2 22 16 10 6 3 12 21 0 6 13 20 2 10 18 2 12 22 4 8 13 18 23 8 14 20 4 11 18 25 4 12 20 2 7 10 13 16 19 22 25 6 10 14 18 22 9 14 19 24 0 6 9 9 1 18 9 6 24 16 8 2 21 14 7 4 24 18 12 6 4 25 20 15 10 5 2 24 20 16 12 8 4 9 6 3 8 6 4 2 4 3 2 1 1 24 21 18 15 12 0 24 22 20 18 16 14 12 10 9 8 7 6 5 The bold rows display the factor keys that produce unique encryptions as every row contains every integer from 0 to 25 exactly once. If we consider the factor key a=3 for a moment and varying the key shifts between b=0 and b=25 we obtain the following encryption table: 4 PLAIN LETTERS Key pairs a=3 , b=0 a=3 , b=1 a=3 , b=2 a=3 , b=3 a=3 , b=4 a=3 , b=5 a=3 , b=6 a=3 , b=7 a=3 , b=8 a=3 , b=10 a=3 , b=11 a=3 , b=12 a=3 , b=13 a=3 , b=14 a=3 , b=15 a=3 , b=16 a=3 , b=17 a=3 , b=18 a=3 , b=19 a=3 , b=20 a=3 , b=21 a=3 , b=22 a=3 , b=23 a=3 , b=24 a=3 , b=25 A B C D 0 0 1 3 2 6 3 4 5 6 7 8 9 12 15 18 21 24 1 4 7 10 2 5 8 11 3 6 9 12 4 7 10 13 5 8 11 14 6 9 12 15 7 10 13 16 8 11 14 17 9 12 15 18 10 13 16 19 11 14 17 20 12 15 18 21 13 16 19 22 14 17 20 23 15 18 21 24 16 19 22 25 17 20 23 0 18 21 24 1 19 22 25 2 20 23 0 3 21 24 1 4 22 25 2 5 23 0 3 6 24 1 4 7 E F G H I J K L M N O P Q R S T U V W X Y Z 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23 13 16 19 22 25 2 5 8 11 14 17 20 23 0 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23 0 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23 0 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23 0 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23 0 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23 0 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23 0 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 11 14 17 20 23 0 3 6 9 12 15 18 21 24 1 4 7 10 13 16 19 22 25 2 5 8 14 17 20 23 0 3 6 9 12 15 18 21 24 15 18 21 24 1 4 7 10 13 16 19 22 25 16 19 22 25 2 5 8 11 14 17 20 23 0 17 20 23 0 3 6 9 12 15 18 21 24 1 18 21 24 1 4 7 10 13 16 19 22 25 2 19 22 25 2 5 8 11 14 17 20 23 0 3 20 23 0 3 6 9 12 15 18 21 24 1 4 21 24 1 4 7 10 13 16 19 22 25 2 5 22 25 2 5 8 11 14 17 20 23 0 3 6 23 0 3 6 9 12 15 18 21 24 1 4 7 24 1 4 7 10 13 16 19 22 25 2 5 8 25 2 5 8 11 14 17 20 23 0 3 6 9 0 3 6 9 12 15 18 21 24 1 4 7 10 1 4 7 10 13 16 19 22 25 2 5 8 11 2 5 8 11 14 17 20 23 0 3 6 9 12 3 6 9 12 15 18 21 24 1 4 7 10 13 4 7 10 13 16 19 22 25 2 5 8 11 14 5 8 11 14 17 20 23 0 3 6 9 12 15 6 9 12 15 18 21 24 1 4 7 10 13 16 7 10 13 16 19 22 25 2 5 8 11 14 17 8 11 14 17 20 23 0 3 6 9 12 15 18 9 12 15 18 21 24 1 4 7 10 13 16 19 10 13 16 19 22 25 2 5 8 11 14 17 20 11 14 17 20 23 0 3 6 9 12 15 18 21 This table shows that each row shows contains each integer between 0 and 25 exactly once thus yielding 26 unique encryptions for the factor key a=3. The 26 shifts don’t spoil the uniqueness, they rather offer 26 different ways to uniquely encode our message. Certainly, tables holding this uniqueness property can be generated for the 12 good key factors a=1,3,5,7,9,11,15,17,19,21,23,25 yielding a total of 12*26=312 unique encryptions for the Linear Cipher. There are two special cases to consider: 1. If we choose a=1 and vary b the resulting encryption is just the familiar Caesar Shift. The factor key a=1 has no effect, it leaves each plain letter unchanged. Nevertheless, for completeness, we count it as a good factor key. 2. If we choose b=0 and vary a the resulting encryption turns out to be the familiar Multiplication Cipher. Here, the shift key b=0 has no effect. Nevertheless, for completeness, we also count b=0 as a good shift key. 5 3.1.2 The Linear Cipher produces (M)*M unique Encryptions We can expect to vary the number of unique encryptions when varying the alphabet length M. How many unique encryptions do we obtain for an alphabet of length M? We obtained 12*26=312 unique encryptions when M=26. How about for M=27? Here again, multiply the 18=(27) good factor keys for M=27 by the 27 possible shift keys to obtain 18*27=486. It is your turn: An alphabet of length M=28 has (28)=__ good factor keys and therefore allows __ * __ = ___ unique encryptions. What strategy should we pursue to further increase the number of unique encryptions and to thus make life more difficult for an eavesdropper? The strategy for the Multiplication Cipher to choose a prime alphabet length M works here aswell. In that case each of the M-1 factor keys less than M is a good factor key. If we choose i.e. M=29 we multiply the (29)=28 good factor keys by the 29 possible shifts to obtain 28*29=812 unique encryptions. Let’s generalize our observations to determine the number of unique encryptions for a given alphabet length M: The number of unique encryptions for the Linear Cipher The number of possible unique encryptions for the Linear Cipher with alphabet length M is (M)*M . In particular, if we choose M to be a prime number p then (p) = p-1 and we thus obtain (p-1) * p = p2 - p unique encryptions. Example1: If M=3 we can choose among (3)*3 = (3-1)*3 = 6 unique encryptions. Namely among the key pairs (a,b): (1,0), (1,1), (1,2), (2,0), (2,1), (2,2). Example2: If M=5 we can choose among (5)*5 = (5-1)*5 = 20 unique encryptions. Namely among the key pairs (a,b): (1,0), (1,1), (1,2), (1,3), (1,4), (2,0), (2,1), (2,2), (2,3), (2,4), (3,0), (3,1), (3,2), (3,3), (3,4), (4,0), (4,1), (4,2), (4,3), (4,4). Example3: If M=6 we can choose among (6)*6 = 2*6 = 12 unique encryptions. Example4: If M=7 we can choose among (7)*7 = __*__ = ___ unique encryptions. Example5: If M=23 we can choose among (23)*23 = __ *__ = __ unique encryptions. Example6: If M=24 we can choose among (24)*24 = ____ = ___ unique encryptions. 6 Example7: If M=25 we can choose among (25)*25 = ____ = ___ unique encryptions. Exercise: Say you want to use an alphabet consisting of no more than 50 symbols. a) What length would you choose for a maximum safety? b) How many possible encryptions do you therefore obtain? Another option to increase the number of unique encryptions is to encode pairs of letters. The 262 pairs of letters AA, AB, AC, …, ZZ increase the alphabet length M to 676 allowing (676)*676 unique encryptions. Encoding three letters at a time would increase the alphabet length M to 263 allowing (263)*263 unique encryptions. 3.2 Decryption of the Linear Cipher How shall we go about decoding a Linear Cipher-encoded message? Try to answer it for yourself, then continue reading. In order to decode messages that were encrypted with the Linear Cipher we have to solve the encryption equation for the plain letter P. C= a*P + b MOD M We first subtract b on both sides. This undoes the final shift when encrypting. C-b= a*P MOD M We now have to isolate P. Remember that we can not just multiply by the reciprocal of a, namely 1/a, since we are doing MOD arithmetic and thus dealing with integers. We have to multiply by that integer that turns a into 1, namely by the inverse a-1. a-1 *(C-b )= (a-1 *a)*P MOD M Since a-1 * a =1 we now have. a-1 (C-b)= 1 * P = P MOD M Or similarly. P = a-1 *(C-b) MOD M which is the desired decoding function. How to decode the Linear Cipher Messages that were encrypted with the Linear Cipher using C = a*P + b MOD M, have to be decrypted using the decoding function P = a-1 *(C-b) MOD M . Remark: Obtaining the decoding equation requires again the 4 properties of the group G=(Z M*, *): the existence of an inverse and of an unit element, the closure and the associative property. We are guaranteed to solve the first equation for P since the set of good factor keys a forms a group with respect to multiplication MOD M as we learned in the previous chapter. 7 Our decoding function P = a-1 *(C-b) MOD M dictates to first subtract b from each cipher number to then multiply by the inverse of the encoding factor key, namely by the decoding factor key a-1 MOD M. Thus, the recipient has to possess the decoding key pair (a-1, b) which the encoding person has to transfer in some secure manner. Encoding and Decoding Keys: When encrypting using the Linear Cipher, the encoding key consists of the pair of integers (a,b), whereas the secret decoding key is the pair of integers (a-1,b). Example1: Say, a virus-carrier message was encoded using the key pair (3,9). Therefore, the decoding key (a-1, b)=(9,4) is used in the decoding function P = 9*(C-4) MOD 26 to decode the following cipher text as follows: Cipher text C C-4 P = 9*(C-4) PLAIN TEXT e 4 r 17 j 9 c 2 g 6 j 9 z 25 q 16 k 10 e 4 d 3 d 3 c 2 q 16 d 3 0 0 A 13 13 N 5 19 T 24 8 I 2 18 S 5 19 T 21 7 H 12 4 E 6 2 C 0 0 A 25 17 R 25 17 R 24 8 I 12 4 E 25 17 R Let’s verify how we obtained i.e. the plain letters T and I from the cipher letters j and c. We first have to subtract 4 from each cipher letter value to undo the final encoding shift. Subtracting 4 from the cipher letter j=9 yields 5. We then multiply by the inverse a-1 = 9 to undo the original encoding multiplication performed by the factor key a=3. Thus, 9 * 5 = 45. Since we compute MOD 26, we obtain 45 –26 = 19 MOD 26. 19=T turns out to be the plain letter of the cipher letter j. I will briefly verify how c turns into I and leave two other cipher letters for you to verify. Subtracting 4 from the letter c=2 yields –2 which equals 24 MOD 26. Consequently, 9 * 24 = 216 which again equals 8 since 216 – 8*26 = 8 and finally yields the plain letter I=8. Exercise: Verify that g turns into S and that d turns into R? The decoding function is itself a Linear Cipher I want to demonstrate to you that the decoding function is itself a Linear Cipher which simply means that we can rewrite the decoding function P = a-1*(C-b) MOD M so that it acquires the format P = a*C + b MOD M for some integers (a,b). I will first demonstrate it for the decoding function used in the previous example and afterwards show you the general decoding function as a Linear Cipher. 8 Consider the decoding function P = 9*(C-4) MOD 26 P = 9*C - 36 MOD 26 P = 9*C + 16 MOD 26 We distribute the 9 yielding You can recognize already the linear form, however, we want to use keys that are between 0 and M. Thus, we replace the –36 by its positive equivalent between 0 and 26, namely by 16. (Why 16 ?) Done we are. Hence, the decoding function P = 9*(C-4) MOD 26 with the decoding key pair (9,4) can be rewritten as the Linear Cipher P = 9*C + 16 MOD 26 with the decoding key pair (9,16). The advantage of being able to rewrite the decoding function as a Linear Cipher of the the form P = A-1 * C + B MOD M becomes more evident when programming the decoding function of the Linear Cipher. Instead of writing extra code for a new decoding function we may use the same function used to encode the plain text. The only task remaining is to determine the correct decoding key pair (A-1, B). Notice in our example that the decoding factor key A-1 = 9 is simply the inverse of the encoding factor key a=3. Thus, A-1 = a-1. That was easy. Computing B is a bit more tricky: The decoding function is P = a-1 *(C-b) MOD M. Distributing a-1 yields a-1 *C - (a-1 * b) MOD M. Therefore, we choose B to be that positive integer between 0 and M that is congruent to the negative integer – (a-1 * b). We may write this as: B - (a-1 * b) MOD M. The Decoding Function as a Linear Cipher: Messages that were encrypted with the encoding function of the Linear Cipher, C = a*P + b MOD M, have to be decrypted using the decoding function P = a-1 *(C-b) MOD M. Alternatively, we may express the decoding function as the Linear Cipher P = A *C + B MOD M with the decoding key pair (A,B) = (a-1, - (a-1 * b) MOD M) Exercise1: Find the decoding key pair (A,B) for a message that was encoded with C = 5*P +17 MOD 26. Exercise2: If we add a blank to the 26 letters in the previous exercise yielding an alphabet length of M=27. Therefore, a message is encoded with C = 5*P +17 MOD 27. Find the decoding pair (A,B). 9 How to determine the decoding key a-1 To find a decoding key a-1, we could just do it the fast way that I demonstrated to you in the previous chapter: Just look at the 26x26 multiplication table, find the only 1 in the row of the key a used and finally go up that column to obtain a-1. I.e. if a=3, then a-1=9 since the only 1 in the 3-row is in the 9-column. That works fine, no problem. However, what if we choose a large alphabet length M? It would be inefficient to use the same procedure as it gives more information than needed. The good news are that there exists a shortcut that finds the inverse a-1 for any key a and for any alphabet length M in an efficient manner. The procedure is called Extended Euclidean Algorithm. It computes a-1 in two steps: Firstly, it computes the greatest common divisor (gcd) of a and M. This part of the whole procedure used is called Euclidean Algorithm. Secondly, extending the Euclidean Algorithm finds the desired inverse a-1 of a MOD M. In the following section you will learn how the Euclidean Algorithm finds the gcd of a and M. Thereafter, I will show you how the Extended Euclidean Algorithm computes the inverse a-1 by making use of the computations used to find the gcd of a and M. 3.2.1 The Euclidean Algorithm quickly finds the Greatest Common Divisor of two Integers As you can imagine, the Euclidean Algorithm goes back to the Geek Philosopher and Mathematician Euclid. He described the algorithm in the 7th chapter of his book Elements written around 300 B.C. However, he did not invent it. This algorithm may be 300 years older. It is not known who invented it. The word algorithm is derived from the name of the Persian Mathematician Mûsâ AlChowârizmi. In 825 A.D., he was the first to publish a book that describes procedures to solve mathematical problems (such as the Euclidean Algorithm). Let’s study the Euclidean Algorithm. How does it find the greatest common divisor of two integers? I will explain the idea graphically. Picture the even divisors of one integer as divisor-lines. Example1: The integer 5 has the divisors 1 and 5. Therefore, 5 can be reached by 1 jump of length 5 or by 5 jumps each of length 1. Graphically: 1 5 10 Example2: The integer 6 has the divisors 1,2,3 and 6. Thus, the 6 can be reached by 1 jump of length 6 or by 2 jumps of length 3 or by 3 jumps of length 2 or by 6 jumps of length 1. Graphically: 1 6 To now find a common divisor of two integers all we have to do is to compare the divisor-lines of both integers to find matching lengths. Our goal is to find the greatest common divisor of two integers. Thus, just find the longest line among those that match in length. Example1: Consider the two integers 6 and 8. Their divisor lines look as follows: 1 2 3 4 5 6 1 2 3 4 5 6 7 8 We see that the lines of length 2 (in blue) are the longest among those that both have in common. Thus, 2 is the greatest common divisor of 6 and 8: gcd(6,8)=2. 11 Example2: Consider the two integers 12 and 8. 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 9 10 11 12 We observe that among the matching lines of length 1, 2 and 4, 4 is the longest and thus is the greatest common divisor of 12 and 8: gcd(12,8)=4. Graphically, the concept is easy: to find the greatest common divisor of two integers just find the divisors of both integers and find the greatest divisor among those they have in common. The concept is easy, however, it can not be executed for large integers. I mentioned to you already earlier that there are no procedures devised (yet) that are guaranteed to produce the divisors of an arbitrary integer consisting of 100 digits and more. This is the caliber of integers to deal with in the RSA encryption. Here is where the Euclidean Algorithm comes in very handy. Although devised over 2000 years ago, it has proven to be a very efficient procedure to compute the greatest common divisor of two integers without knowing the divisors of both integers. Here is how: We now picture the two integers using two dimensions: We draw the divisor line of the larger integer, here M=4, horizontally and the shorter one, a=2, vertically: 4 2 Instead of finding the longest common lines I now find the greatest common square that fills the rectangle perfectly. This reflects the fact that two integers urge us to work in 2 dimensions. In our example, two 2x2 squares fill the rectangle as the greatest square. Therefore, the greatest common divisor of 4 and 2 is the side of the greatest squares that fill the rectangle perfectly. It is 2. Certainly, any rectangle with integer-dimensions may be filled with 1x1 squares (just as any integer can be divided by 1). However, we want to find the greatest common divisor. Therefore, we want to find the greatest square that fills the rectangle. 12 Let’s look at further examples: Example1: The greatest common divisor of 6 and 2 is 2 since the 6x2 rectangle can be filled with 2x2 squares: Example2: The greatest common divisor of 6 and 3 is 3 since the 6x3 rectangle can be filled with 3x3 squares: Example3: The greatest common divisor of 5 and 2 is 1 since the 5x2 rectangle can only be filled with 1x1 squares: Although two 2x2 squares fit into the rectangle they don’t fill the whole rectangle. Two rectangles each of size 1x1 are needed to cover the remainder. Example4: The greatest common divisor of 5 and 3 is 1 since the 5x3 rectangle can only be filled with 1x1 squares: Although one 3x3 and one 2x2 square fit in the rectangle they don’t suffice to fill the whole rectangle. Two rectangles each of size 1x1 are needed to cover the remainder. Let’s use this gcd(5,3)=1 example to demonstrate the filling-the-rectangle-with-squares idea in the Euclidean Algorithm: The rectangle with longer side 5 holds one 5 = 1 * 3 + 2. square with sides 3 and leaves a remainder of 2. The remaining rectangle with longer side 3 3 = 1 * 2 + 1 holds one square with sides 2 and leaves a remainder of 1. The remaining rectangle with longer side 2 2 = 2 * 1 holds two squares with sides 1 and leaves no remainder. Visual example1 of the Euclidean Algorithm: Architecturally, the greatest common divisor can be computed by finding the greatest square tiles that yet fill a rectangular room perfectly. Say, we have a 26 by 21 ft2 room that is to be tiled. What are the largest square-shaped tiles that will do the job? 13 21 11 1 11 26=1*21+5 21=4*5+1 5=5*1 5 21 5 5 5 21 5 26 We start off with a huge 21x21 tile. Apparently it doesn’t fill the room perfectly. Now the 21 x 5 remainder of the room can be filled with four 5x5 tiles leaving a 5 x 1 remainder. That remainder can only be filled using 5 1x1 tiles. Thus, to fill the room completely we have to use the smallest square tiles possible that have integer sides: 546(=21*26) 1x1 tiles will cover the 26x21 room perfectly. This shows that gcd(26,21)=1. Notice that we did not have to compute all divisors of 26 and 21 in order find their greatest common divisor. Visual example2 of the Euclidean Algorithm: Goal: Find the greatest common divisor of 25 and 5: 25=1*20+5 20=4*5+0 5 20 5 5 5 20 5 25 14 The 20x20 tile does not fill the room, it leaves a 20 x 5 remainder that can be perfectly filled using four 5x5 tiles. Why does that show that the gcd(25,20)=5? With other words: how do we know that the sixteen 5x5 tiles fill the big 20x20 perfectly? The reason is that the four 5x5 tiles don’t leave a remainder in the 20 x 5 rectangular area as we had in the first example. In both examples we had a horizontal fit of the 5x5 tiles, however, the vertical mattered. We could only fill the 20x20 or the 21x21 area perfectly with the 5x5 tiles if they additionally produce a perfect vertical fit. This is the case for the 20x20 but not for the 21x21 area. Thus, gcd(25,20)=5. However, besides forming a perfect horizontal fit, the 1x1 tiles also produce a perfect vertical fit in the 5x1 area which in turn shows that they fill the four 5x5 area and the 21x21 area perfectly. We are now in a position to state the working principle of the Euclidean Algorithm: The search for the gcd of 26 and 21 can be reduced by finding that of 21 and 5. As an equation: gcd(26,21)=gcd(5,21). This reduction principle continues until the room can be perfectly tiled with tiles whose length yield the gcd. As an equation: gcd(5,21)=gcd(5,1)=1. Altogether, we have the chain: gcd(26,21)=gcd(5,21) =gcd(5,1)=1. Example7: The Euclidean Algorithm becomes really helpful when finding the gcd of two large integers. Say, we want to find the gcd of M=2322 and a=654. Would the answer be 2 or 3 or 4 or 6 or 7 or 8? We can’t really tell right away that the answer is 6. Here is why: 2322 = 654*3 + 360 654 = 360*1 + 294 360 = 294*1 + 66 294 = 66*4 + 30 66 = 30*2 + 6 30 = 6*5 Therefore, gcd(2322,654) = 6. gcd(2322,654) = gcd(654,360) gcd(654,360) = gcd(360,294) gcd(360,294) = gcd(294,66) gcd(294,66) = gcd(66,30) gcd(66,30) = gcd(30,6) gcd(30,6) = 6 Exercise: Find the gcd of 2546 and 1728. Before doing it out, guess what it could be? 3.2.2 Proof of the Euclidean Algorithm How can we prove that the Euclidean Algorithm yields the greatest common divisor of two integers. It worked fine in our tiling example. The foregoing made sense - intuitively. But how can we mathematically prove that the Euclidean Algorithm works correctly and 15 will always yield the proper greatest common divisor. In other words, how can we transfer our intuitive understanding into sober mathematical equations? Now, this is a wonderful opportunity for you to learn the formal process to prove the correctness of the Euclidean Algorithm. What we really have to prove is that the chain of equations eventually yields the greatest common divisor. How do we bridge two equations? In other words: Why is the equal sign correct? If we manage to bridge the first two equations we bridge all equations since the setup of the subsequent equations is identical. This would mean for the above example that we have to prove that the gcd of 2322 and 654 equals the gcd of 654 and 360: gcd(2322,654) = gcd(654,360). We would therefore also prove that gcd(654,360) = gcd(360,294) which bridges the next two equations. Continuing in this manner we eventually end up with the last equation that has a remainder of 0. Here, the smaller integer as a divisor of the larger integer turns out to be the gcd of the two integers we started with. In the example, the last equation is 30 = 5 * 6 so that the gcd(30,6) = 6 turns out to be the gcd of 2322 and 654. Therefore, to prove the Euclidean Algorithm we will consider two cases. In both cases we assume that the integer b is greater than the integer a: b>a. In this case, Mathematicians use the standard clause “without a loss of generality” since the restriction that b>a is not at the cost of any generality. We just assign the greater of the two original integers to b and the smaller to a. (Why would it not make any sense to try to find the gcd of two equal integers, that is when a=b?) Proof of the Euclidean Algorithm: 1. case: In case a is a divisor of b such that b=k*a for some integer k. Then gcd(b,a) = a because a’s greatest divisor is a which is also a divisor of b. 2. case: Starting with b = q0*a + r1 and if r1 0 we then obtain the following chain of equations: a = q1*r1 + r2 r1 = q2*r2 + r3 r2 = q3*r3 + r4 : : rn-2 = qn-1*rn-1 + rn rn-1 = qn*rn + 0 until the first equation yields a remainder of 0. We are guaranteed to end up with an equation that contains a remainder of 0 since the integers in the left column are in decreasing order: 16 b > a > r1 > r2 > …. > rn-1 . In the above example: 2322 > 654 > 360 > 294 > 66 > 30. Since these integers get smaller and smaller but never become negative one of the equations must yield a remainder of 0. Then, the gcd(b,a) can be read off as the fifth remainder r5 (in the above example gcd(2322,654) = rn = 6) from the second to last equation (i.e. 66=30*2+6) or last equation (i.e. 30=6*5). I will now prove in general that gcd(b,a)=rn if the (n+1)st equation yields a remainder of 0 by proving the two inequalities I) gcd(b,a) < rn and II) rn < gcd(b,a) which when both proved to be true yield nothing but the equality. Proof that gcd(b,a) < rn : In b = q0*a + r1, the greatest common divisor of b and a (unknown so far) also divides r1. (I.e. the gcd(36,28) = 4 also divides r1 = b – q0*a = 36 – 2*14 = 8). Therefore, the gcd(b,a) is a common divisor of a and r1 and we thus are guaranteed that the gcd(a, r1) cannot be greater than the gcd(b,a): gcd(b,a) < gcd(a,r1). For the same reason, the second equation yields gcd(a, r1) < gcd(r1, r2), the third yields gcd(r1, r2) < gcd(r2, r3), etc. Finally, the next-to-last equation yields gcd(rn-2, rn-1) < gcd(rn-1, rn) = rn. The equality is what we just proved in the 1. case: Since the last equation rn-1 = qn*rn leaves no remainder, rn-1 is a divisor of rn so that gcd(rn-1, rn) = rn. The chain of inequalities yields: gcd(b,a) < rn. Proof that rn < gcd(a,b): The converse is also true. Starting from the last equation and working our way up we obtain the following chain of inequalities: rn is a divisor of rn-1 ( from the last equation), Therefore, rn also divides rn-2 which we obtain from the next-to-last equation using the same reasoning as in part I. Continuing going from bottom to top, rn also divides rn-3, …., r2, r1, a and b. We see that rn is a common divisor of a and b and altogether we therefore obtain that rn < gcd(a,b). This completes the proof. The two inequalities now prove that rn = gcd(a,b) Exercise: Go through the two cases of the proof one more time. Check that the gcd(72,56) = 8. In that way you make the proof more concrete and thus more tangible. Remember: Any abstraction has its origin in a sufficient repertoire of concrete examples. 17 The C++ implementation of the Euclidean Algorithm Devising the Euclidean Algorithm can be accomplished quite easily as we just have to inspect the steps and then formalize them. Let’s take a closer look at the example7 when we found the gcd of L=2322 and S=654. We started off by dividing the larger integer L by S yielding the quotient Q and the remainder R as follows: We will just use the values S and R for the next step (see the L =Q*S + R arrow). However, we won’t need Q and L anymore. 2322 = 3 *654 + 360 654 = 1* 360 + 294 I first compute R in the above equation from L and S as follows: R = L MOD S, here 360. It becomes the new value of S. In terms of programming this procedure, we have to be aware of a technicality: Before assigning it to S, we have to assign the value of S to the new L. Otherwise, we would lose the value of S, here 654. Thus, the order of the three computer statements here has to be: R = L MOD S, L=S, S=R. 360 = 1* 294 + 66 Similarly, we have to perform the same computations here: R = L MOD S, L=S, S=R. 294 = 4* 66 + 30 Similarly, R = L MOD S, L=S, S=R. 66 = 2* 30 + 6 Again: R = L MOD S, L=S, S=R. 30 = 5 * 6 Finally here: R = L MOD S, L=S, S=R. Since the new remainder equals 0 for the first time, we are done now. The desired gcd is the remainder of the second last equation (in bold), here 6, which is the value of S in the last equation. Hence, gcd(2322,654)=6. We can translate the pseudo-code of the Euclidean Algorithm (to the left) into C++ code as follows: As pseudo-code: As long as R is not 0 do the following: As C++ code: While(R!=0) { R=L%S; L=S; S=R; } cout<< "gcd = "<< L; R=L MOD S; L=S; S=R; Finally, output the gcd of L and S Attention: You might wonder why the gcd of L and S equals L and not S in the bottom equation. This has technical reasons. When you execute the C++ code in your head you notice that the last while-loop is executed for the last equation (30=5*6 as you see above) where – for the first time – the remainder R equals 0 (in R=L%S). However, because the 18 same three statements are executed in this last while loop, S gets assigned the value of the remainder, 0, in S=R. Thus, both R and S end the loop with a value of 0. Fortunately, the value of L holds the correct gcd-value since it was assigned the value of S before it got assigned 0 (in L=S). Now, follow the arrow of the proper remainder in the second to last equation, namely 6. You see that the value of S in the last equation gets assigned the value of the remainder R in the previous step. This shows us how the remainders R are passed over: R becomes S in the next run to become L in the following run of the while loop. Observe this in the example by following the arrows starting with the 360 in the top equation. Now, it is easy to implement the C++ program that determines the gcd of two integers. #include <iostream.h> #include <conio.h> void main() { unsigned long L,S,R=1; clrscr(); cout << "Enter the larger integer: L = "; cin >> L; cout << "Enter the smaller integer: S = "; cin >> S; while(R!=0) { R=L%S; L=S; S=R; } cout<< "gcd = "<< L; getch(); } Notice two more technicalities in the program below: 1) I assigned R a value different from 0 (in R=1;) so that the while-loop is entered in its first run. 2) I used unsigned long instead of int as an integer data type that enables us to use integers up to 4,294,967,295 instead of up to 32,767. Programmer’s Remarks: The Euclidean Algorithm is a great example for the usage of the while-loop and is thus discussed in many introductory programming lectures. You will learn that a while-loop just as a do-while-loop are examples of indefinite loops which just means that number of runs is indefinite. (A for-loop, on the contrary, is a definite loop since the number of runs are definite.) The two while loops differ as follows: The while-loop checks the loop-condition before entering the loop, 19 the do-while-loop, however, checks after the loop. Consequently, the while-loop might never be entered whereas a do-while will at least be entered once since the condition check is at the end of the loop. Often times, algorithms can be devised using either the while-loop or the do-while-loop, sometimes even the for-loop. Exercise: Try to revise the above Euclidean Algorithm using a do-while-loop. You will not have to use the initial R=1 assignment to enter the loop at least once. The more elegant recursive implementation of the Euclidean Algorithm The implementation of the Euclidean Algorithm becomes really elegant if we translate the original idea of finding the gcd of two integers by reducing the size of the rectangles until there is no more rectangle left. Let’s investigate this idea when finding the gcd of 26 and 21: 21 11 1 11 26=1*21+5 21=4*5+1 5=5*1 5 21 5 5 5 21 5 26 Instead of considering the original 26x21 rectangle, we could reduce the problem of finding the gcd of 26 and 21 by considering the smaller 5x21 rectangle since we proved that gcd(26,21)=gcd(21,5). Continuing to reduce the rectangles to consider we have altogether: gcd(26,21)=gcd(21,5)=gcd(5,1)=1. Doesn’t that chain of equations strongly suggest to implement a gcd-function that keeps calling itself with 2 varying integers as inputs? And when doing so when do we end this loop? (Finding the base case to exit is always the main question to answer when programming a recursive function.) 20 Well, geometrically speaking, when the last rectangle can be filled perfectly with squareshaped tiles. I.e. the 5x1 rectangle can be filled with 1x1 tiles. When do these tiles do such a wonderful job? Precisely when the longer side is evenly divisible by the shorter side for the first time (i.e. 5 is divisible by 1). Thus, we have to check if 26%21 or 21%5 or 5%1 yields 0. The first time we obtain a remainder of 0 we stop our recursion and return the value of the shorter side as the gcd. In our example, we obtain the first 0 for our 5x1 rectangle and the shorter side, 1, yields the gcd of 26 and 21. The idea is simple and useful. Here is how we translate this idea into workable C++ code: In pseudo-code: Find the gcd of the L by S rectangle. If S equals 0 then return L as the gcd Otherwise find the gcd of the Smaller S by L%S rectangle. In C++ code: int gcd(int L, int S) { if(S==0) return L; else return gcd(S,L%S); } A technical remark: The reason why I checked if S equals 0 instead of checking if L%S equals 0 is a technical one. First of all it is based on the assumption that nobody really wants to find the gcd if S equals 0 (In that case the gcd function would yield the improper answer L as the gcd). Secondly, the actual reason is that when we are trying to find the gcd of the smaller rectangle of dimensions S by (L%S) then these two dimensions are read in as L and S in the next call of the gcd-function as the dimensions of the smaller rectangle to be checked. Now enjoy the brief and effective C++ code for the Euclidean Algorithm. #include <iostream.h> #include <conio.h> unsigned long gcd(unsigned long L, unsigned long S) { if(S==0) return L; else return gcd(S,L%S); } void main() { unsigned long L,S; clrscr(); cout << "Enter the larger integer: L = "; cin >> L; cout << "Enter the smaller integer: S = "; cin >> S; cout<< "gcd = "<< gcd(L,S); getch(); } 21 Programmer’s Remarks: I changed the data type from int in the C++ code (listed next to the pseudo-code) to unsigned long in order to find the gcd of integers up to 4,294,967,295 instead of up to 32,767. Exercise1: Integrate an input check in the above program such that the user has to reenter a value for L or S if the original input was 0. Exercise2: How would you modify the above code if a or b or both are negative integers? Or does this program even handle these cases aswell? Try it 3.2.3 The Extended Euclidean Algorithm quickly finds the Modular Inverse a-1 Finding the gcd of two given integers is a keystone in Cryptography as it allows us to find the good keys in a constructive manner (as done in the C++ program in the previous section). Our objective in this section is to find the corresponding decoding key a-1. Mathematically, this translates into finding the modular inverse a-1 of an integer a. To do so, we first execute the Euclidean Algorithm. Finding the gcd of the integers M and a does all the preparatory work to compute the inverse a-1 as it enables us to express the gcd as a linear combination of M and a: Theorem of Bachet The greatest common divisor of a and M can be expressed as follows: gcd(M,a) = x*a + y*M for some integers x and y. The French Mathematician and Philosopher Gaspar Bachet de Meziriac (1581-1638) posed the problem of expressing the gcd of two integers as a linear combination of those two integers in his book “Problem plaisants et detectables, qui sont fait par les nombres”, Lyon 1612. He solved the problem himself in the second edition of this book in 1624. Let’s take a look at some examples of the Theorem of Bachet. Example1: The gcd of 27 and 14 is 1: gcd(27,14)=1. We can easily see that 1=2*14 + (-1)*27 with x=2 and y=-1. Example2: The gcd of 26 and 12 is 2: gcd(26,12)=2. We can see again that 2=1*26 + (-2)*12 with x=1 and y=-2. Example3: The gcd of 26 and 3 is 1: gcd(26,3)=1. Again , we easily see that 1=9*3 + (-1)*26 with x=3 and y=-1. 22 Example4: The gcd of 26 and 5 is 1: gcd(26,5)=1 and 1=1*26 + (-5)*5 with x=1 and y=-5. Example5: The gcd of 26 and 11 is 1: gcd(26,11)=1. Trial and error yields 1=3*26 + (-7)*11 with x=3 and y=-7. It is not a surprise that x and y have to be of opposite sign. Here is why: The gcd is always a number that is smaller than a and M. If x and y were both positive, we could only form integers greater than a+M. If both were negative we could only form numbers smaller than –(a+M). However, our desired number, the gcd(M,a), is certainly between those two bounds so that x and y have to be of opposite sign. These examples give you an understanding what is meant by Bachet’s Theorem. The used trial and error method to find the integers x and y is feasible when a and M are fairly small numbers. This approach would be not efficient for larger numbers used in Cryptography. Instead, we use Bachet’s Theorem and reverse the Euclidean Algorithm to find x and y. In order to express the gcd(26,21)=1 in terms of 21 and 26 in the form stated in Bachet’s Theorem 1 = x*21+y*26 we have to find the unknown integers x and y we recall the 3 steps to find the gcd: 26=1*21 + 5 21=4* 5 + 1 5=5* 1 + 0 We do not need the 3rd equation (in gray) to determine the gcd. Since the last equation has a remainder of 0, the remainder of the second to last equation, here 1, yielded the gcd. Thus, I can simply express the gcd in terms of 26 and 21 by isolating it in that second to last equation: 1=21 – 4*5 I am half way done since 1 is already expressed in terms of 21. It is also expressed in terms of 5, however, not in terms of 26 yet. To do so, I just solve the first of our three equations for 5, yielding 5 = 26 - 1*21 and insert that for the 5 in 1=21 – 4*5 as follows: 1=21 – 4*(26 – 1*21) Resolving the parentheses yields 1=21 – 4*26 + 4*21 Combining the terms that involve 21 yields 1=5*21 + (-4)*26 23 Check: 1=105-104. Correct. We accomplished to express the gcd(26,21)=1 in terms of 26 and 21 with x=5 and y=-4. We learned how to express the gcd(a,M)=1 in terms of a and M. How does that help to find the inverse of a, namely a-1? The answer is as simple as x. In our example a-1 = x = 5 is the inverse of a=21 since a * a-1 = 21*5 = 1 MOD 26. To understand why x is the inverse of a we just have to take a look at the equation 1=x*21+y*26 and remember that we are computing MOD 26. Thus, our equation turns out to be 1=x*21 MOD 26 where x is exactly that number that multiplied by a=21 yields 1 which is exactly the definition of the inverse a-1. In conclusion: The value of x in Bachet’s Theorem is the desired decoding factor key a-1 for a given alphabet length M. Example1: Let’s find the inverse of a=3 MOD 26. First we have to execute the Euclidean Algorithm: 26=8*3+2 2= 26 - 8*3 3=1*2+1 1= 3 - 2 2=2*1 Secondly, we make use of the above steps to express the gcd(26,3)=1 in terms of 26 and 3: 1= 3 - 2 = 3 - (26 - 8*3) = 3 – 26 + 8 * 3 = 9*3 – 26 1 = 9*3+(-1)*26 so that 9 is the inverse of 3 Mod 26. Check:3*9 = 1 MOD 26. Correct. Example2: Let’s find the inverse of a=23 MOD 26. First we have to execute the Euclidean Algorithm. 26=1*23+3 3= 26 – 23. 23=7*3+2 2= 23 – 7*3. 3=2*1+1 1= 3 – 2. 2=2*1 Secondly, we make use of the above steps in the Euclidean Algorithm to express the gcd(23,26)=1 in terms of 26 and 23: 1=3-2 1 = 3 - (23 - 7*3) = (-1)*23 + 8*3 1 = (-1)*23 + 8*(26-23) 1 = (-9)*23 + 8*26 so that -9 is the inverse of 23 Mod 26. However, we don’t want any negative integers. In that case we just have to add the modulus M, here 26, to get the positive integer that is congruent to –9 and between 0 and 26: a-1 =(-9) + 26 = 15. Check: 15*23=1 MOD 26. Correct. 24 How do we deal with negative inverses? Certainly, (-9) * 23 also yields 1 MOD 26 since –9 and 15 are congruent MOD 26 which shows that –9 and therefore all integers that are congruent to 15 MOD 26 are inverse to 23. However, we desire to obtain that representative of the inverses that is between 0 and the modulus, here 26. Here is another example. Example3: Let’s find the inverse of a=11 MOD 26. First we have to execute the Euclidean Algorithm. 26 = 2*11 + 4 4 = 26 – 2*11 11 = 2*4 + 3 3 = 11 – 2*4 4 = 1*3 + 1 1= 4 –3 3 = 3*1 + 0 Secondly, we make use of the above steps in the Euclidean Algorithm to express the gcd(26,11)=1 in terms of 26 and 11: 1=4-3 1 = 4 - (11 - 2*4) = (-1)*11 + 3*4 1 = (-1)*11 + 3*(26 - 2*11) 1 = 3*26 + (-7)*11 so that -7 is the inverse of 11 Mod 26. Since we don’t want any negative integers we just have to add the modulus M, here 26, to obtain that positive integer that is congruent to –7 and less than 26: a-1 =(-7) + 26 = 19. Check: 19*11 = 209 = 1 MOD 26 which is correct. The C++ implementation of the Extended Euclidean Algorithm The above method is a little tedious to program. Rather, I will show you a graphical procedure to determine the x and y in order to express the gcd as follows: gcd(a,M)=x*a+y*M. This procedure is much more handy and will help to easily design a C++ program for the Extended Euclidean Algorithm. Let me introduce you to a graphical intuitive procedure by finding the multiplicative inverse of 21 MOD 26 in the introductory example. 25 Example1: Step 1: Set up three columns and place the greater integer, 26, on top of the smaller one, 21, in the left column: A Q X 26 21 Step 2: Fill the first column with the remainders when dividing the two above integers until you reach 0. I.e. 26 MOD 21 = 5, 21 MOD 5 = 1, 5 MOD 1 = 0. In the middle column place the quotients (Q) when dividing two consecutive integers. I.e. 26 / 21 = 1, 21 / 5 = 4, 5 / 1 = 5. A 26 21 5 1 0 Q X 1 4 5 Step 3: The bottom two entries in the X column (same height as the q values) are always 0 and 1. Place them as follows: A Q X 26 21 1 5 4 1 1 5 0 0 26 Step 4a: After this preliminary work, we now compute the integers in the third Xcolumn. As we work our way from the bottom to the top, the two top numbers yield the desired x and y coefficients in Bachet’s Theorem. Here is the computation rule: the entries in the X column are computed by multiplying the neighboring entry in the Q by the x-entry underneath and adding the x-entry that is two rows underneath. Here, 4 = 4*1 + 0, or graphically: 4= 4 * 1 + 0 A Q X 26 21 1 4 5 4 * 1 1 5 +0 0 Step 4b: The top entry in the x-column is found in the same manner: 1 * + A 26 21 5 1 0 Q 5= 4 1 X 1 4 5 5 4 +1 0 * Step 5: We are done. The greatest common divisor of 26 and 21, namely 1, can now be expressed by subtracting the crosswise product of the two top values in the A and Xcolumn: A 26 21 Q X 5 4 1 1 = 5 * 21 – 4 * 26 which shows that 5 is the inverse of 21 MOD 26. WARNING: The crosswise subtraction will always yield the gcd, however, the order of subtraction may differ. Instead of subtracting the product of the black line numbers from the product of the gray line numbers, we may obtain the opposite subtraction as shown in the next example: 27 Example2: Let’s express the greatest common divisor of 26 and 23, namely 1, in terms of 26 and 23. Moreover, find the inverse of 23 MOD 26. A Q X 26 9 23 1 8 3 7 1 2 1 1 1 0 1 = 8 * 26 – 9 * 23. Correct. So what is the inverse of 23? No, it is not 9 since 9*23 = 207 which yields –1 MOD 26 and not 1. Rather, instead of subtracting 9*23 in the above equation, we add (-9)*23 so that we correctly obtain: 1 = 8 * 26 + (- 9) * 23 This shows that 9 is not the inverse, but rather –9. Since the inverse of 23, our decoding factor key, shall be a positive integer between 0 and 26 we just have to add 26 to –9 which yields 17 as the correct inverse of 23 MOD 26. Check: 17*23 = 391 = 1 MOD 26. Correct. Example3: We just found that 17 is inverse to 23, let’s now verify that consequently 23 must be the inverse of 17 MOD 26 using again the Extended Euclidean Algorithm. Again, verify all table entries. A Q X 26 3 17 1 2 9 1 1 8 1 1 1 8 0 1 = 2 * 26 – 3 * 17. = 2 * 26 + (- 3) * 17 Since –3 is congruent to 23 MOD 26 we obtain 23 as the inverse of 17 MOD 26. 28 Example4 is your Exercise1: Show that the greatest common divisor of 26 and 19, namely 1, can be expressed in terms of 26 and 19 as follows: 1 = 11 * 19 – 8 * 26. Moreover, this shows that 11 is the inverse of 19 MOD 26. A Q X 26 19 1 0 Exercise2: a) Show that the greatest common divisor of 15 and 28 is 1 using the Euclidean Algorithm. b) Find the inverse of 15 MOD 28 using the Extended Euclidean Algorithm. I wrote the C++ program exactly the way I explained the Extended Euclidean Algorithm to you: it first computes the gcd, it then expresses it in terms of the two entered integers L and S and finally gives the desired inverse of S MOD L. Programmers Remarks: Here, the trick is how to label the integers in one column. Consider the A-column in Example4: the numbers appear listed as: 26, 19, 7,5,2,1. I want to store them as a0=26, a1=19, a2=7, etc. Storing a list of integers can be done in C++ using arrays as follows: I first declare one array per column in: unsigned long a[100],q[100],x[100]; This allows us to store 100 values in each of the three columns. I assume here that the Euclidean Algorithm finds the gcd of two integers in 98 steps or less since the entered two integers are the first entries on the list. Warning: the computer starts storing the 100 entries with a[0]=26, then a[1]=19, then a[2]=7. a[99] would hold the last entry. I will store the entries of the other two columns similarly in the q and in the x array. The entries in example4 will thus be stored as follows: A Q X a[0]=26 x[0]=11 a[1]=19 q[1]=1 x[1]=8 a[2]=7 q[2]=2 x[2]=3 a[3]=5 q[3]=1 x[3]=2 a[4]=2 q[4]=2 x[4]=1 a[5]=1 x[5]=0 29 Yes, you noticed correctly that the top and the bottom entry in the Q-column have no values. They are not needed to compute the gcd. Thus, nothing will be stored in their spots in the arrays. So, the first and the last entry in the Q-column, here q[0] and q[5], will never have a value. In the program below, I fill the columns exactly the same way I explained it to you in the 5 steps above: after assigning L to a[0] and S to a[1], I simultaneously compute the A- and the Q-columns row by row until the division of two consecutive integers in the A-column leaves a remainder of 0 in: a[0]=L; a[1]=S; i=0; while(a[i]%a[i+1]!=0) //compute the A and the Q column { a[i+2]=a[i]%a[i+1]; q[i+1]=a[i]/a[i+1]; i++; } After determining the length of the X-column, n=i+1 (Why not n=i?), I assign 0 to x[n] and 1 to x[n-1] and then compute the remaining entries of the x-column in: n=i+1; x[n]=0; x[n-1]=1; for(j=n-2;j>=0;j--) x[j]=x[j+1]*q[j+1] + x[j+2];//compute X column Notice that as I work bottom-up the index j starts for n-2 and goes down to 0. The previous while-loop, on the contrary, started at i=0 and went up to n reflecting the top-down design. To finally display the gcd in terms of x[1], a[0], x[0] and a[1] I have to check which of the 2 possible subtractions I have to use. Among the many possible ways of determining the proper subtraction, I simply identify the greater of the two products to then display the gcd as follows: if((x[1]*a[0])>(x[0]*a[1])) {cout << x[1]<< " * " <<a[0]<< " - " <<x[0]<< " * " << a[1]; x[0]=L-x[0];} else cout << x[0]<< " * " <<a[1]<< " - " <<x[1]<< " * " << a[0]; Notice that if x[1]*a[0] is greater than x[0]*a[1] then L – x[0] is the inverse of a[1]=S MOD L=a[0]. In that case I want to display that inverse as a positive integer between 0 and L and not as a negative integer. I, thus, add the modulus L=a[0] to the negative x[0] and assign it to x[0] 30 again. Therefore, at the end of the program x[0] doesn’t hold its original proper value anymore, which is fine since we don’t need it anymore. Here is the Code: //Author: Nils Hahnfeld - 3/11/00 //Program computes gcd, expresses it as gcd=y*L+x*S //and gives inverse of S MOD L #include <iostream.h> #include <conio.h> void main() { unsigned long L,S,a[100],q[100],x[100]; int n,i,j; clrscr(); cout << "Enter the larger integer: L = cin >> L; cout << "Enter the smaller integer: S = cin >> S; a[0]=L; a[1]=S; i=0; while(a[i]%a[i+1]!=0) //compute the a { a[i+2]=a[i]%a[i+1]; q[i+1]=a[i]/a[i+1]; i++; } n=i+1; x[n]=0; x[n-1]=1; for(j=n-2;j>=0;j--) x[j]=x[j+1]*q[j+1] cout << endl; " ; "; and the q column + x[j+2];//compute x column //display the three columns cout << "\t a \t q \t x "<<endl; cout << "\t==================="<<endl; cout << "\t" << a[0] <<"\t\t"<<x[0]<<endl; for(i=1;i<n;i++) { cout << "\t" <<a[i]<<"\t"<<q[i]<<"\t"<<x[i]<<endl;} cout << "\t" << a[n] <<"\t\t"<<x[n]<<endl<<endl; //express gcd in terms of L and S cout<< "gcd = "<< a[n] << " = " ; if((x[1]*a[0])>(x[0]*a[1])) {cout << x[1]<< " * " <<a[0]<< " - " <<x[0]<< " * " << a[1]; x[0]=L-x[0];} else cout << x[0]<< " * " <<a[1]<< " - " <<x[1]<< " * " << a[0]; cout<<endl<<endl; //give the inverse of S MOD L if their gcd(S,L)=1 31 if(a[n]==1) {cout << x[0]<<" is inverse to "<<S<<" MOD " <<L<<endl; cout << "Check: "<<x[0]<<"*"<<S<<" = "<<(x[0]*S)%L<<" MOD "<<L<<endl; } getch(); } There are two major criticisms about this program: 1) Choosing the array length to be 100 might be insufficient when finding the gcd of two very big integers. The proper way for using a non-static list length in C++ are either Linked Lists or Vectors whose sizes can be varied. If you are familiar with such C++ structures, please go ahead and refine the above version. 2) I am wasting a lot of memory when choosing the arrays of type unsigned long. Thus, each of the 300 array entries – if used or not – take up 32 bits (= 4 bytes) of memory. This is not memory-efficient and should also be refined using vectors or linked lists. Final remark: The above program will also work if you enter the smaller number for L and the bigger one for S. Thus, you can also find the multiplicative inverse of L MOD S. Try in example S=26 and L=15 or S=26 and L=19. 32 3.3 Cryptoanalysis: Cracking the Linear Cipher Great, we have learned how to encode and decode the Linear Cipher. Now we pretend we are Mr. X and study how to crack the Linear Cipher. Even though the Linear Cipher is harder to crack than the two previous Ciphers that we discussed, it can be cracked. In this section I am going to demonstrate to you how the Linear Cipher can be cracked in 3 steps. How to Crack a Linear Cipher in 3 Steps: Step1: Eavesdropping Mr. X has to find two corresponding plain and cipher letters since the key pair of the Linear Cipher consists of the two integers (a,b). Again, with the aid of frequency analysis on the intercepted cipher text he will be able to identify two such correspondences. Step2: Using the two letter correspondences he can set up two congruences using the encoding function. Solving this 2 by 2 system of congruences for the two integers a and b yields the encoding key pair (a,b). Step3: Finally, he harvests the fruits. Having cracked the decoding key pair (a-1, b) he is now ready to decode the remaining cipher letters of the encoded message by employing the decoding function P = a-1 *(C-b) MOD 26. Step1: In this step Mr. X has to set up 2 letter correspondences. This is accomplished by finding the most frequent cipher letters assuming that they correspond to the most frequent plain letters e and t. I will explain this step in detail further down. Say we found the following two letter correspondences: a) the cipher letter v=21 corresponds to the plain letter F=5 and b) the cipher letter a=0 corresponds to the plain letter I=8: Step2: Setting up and solving a 2x2 system of congruences yields the key pair as follows: Mr. X inserts both letter information into the encoding function C = a * P + b MOD 26: 21 = a*5+b MOD 26 (1) 0 = a*8+b MOD 26 (2) How does he solve this 2x2 system of congruences? Similar to solving two equations with two variables, he solves the two congruences with respect to a and b. In the first step he subtracts the first equation from the second equation 33 in order to get rid of b and thus reducing the 2 x 2 system to one equation with one variable (a 1x1 system). This yields (2) – (1) -21 = a*3 MOD 26 since –21 = 5 MOD 26 we write: 5 = a*3 MOD 26 (3) Instead of dividing both sides by 3, we have to multiply by the inverse of 3 since we are performing MOD-arithmetic and thus exclusively deal with whole numbers. The inverse of 3 MOD 26 can be obtained via the Extended Euclidean Algorithm as I showed you in the previous section. Clever guessing is sufficient in this case: 3-1=9 since 3*9=1 MOD 26. Multiplying both sides of equation (3) by 9 yields: 45 = a MOD 26 Since 45 = 19 MOD 26, we find that a=19. To find b, we replace 19 for a in (1) yielding: 13 = 95+b MOD 26 Subtracting 13 yields: 82 = b MOD 26 Since 82 = 4 MOD 26 we eventually find that b = 4. Mr. X successfully cracked the encoding key pair: a=19 and b=4. He is going to harvest the fruits of his work in the following step. Step3: To decode the remaining cipher letters and therefore to read the whole decoded message, he first has to use the Extended Euclidean Algorithm to compute a-1. We find that a-1 = 11 is the inverse of a = 19 MOD 26. Secondly, we insert a-1 = 11 and b = 4 into the decryption function P = a-1 *(C-b) MOD 26 yielding P = 11 *(C-4) MOD 26 Eventually, he has to convert each cipher letter back to its plain letter by inserting each cipher letter integers C into the equation. With the aid of i.e. MS Excel, he obtains the following conversion table: Cipher letter a b c d e C P=11*(C-4) Plain letter 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 8 19 4 15 0 11 22 7 18 3 14 25 10 21 6 17 2 13 24 9 20 5 16 1 12 23 I T E P A L W H S D O Z K V G R C N Y J U F Q B M X f g h i j k i m n o p q 34 r s t u v w x y z Let me help refine your Excel knowledge. I computed the next-to-last row in Excel as follows: The decoding function P=11*(C-4) MOD 26 turns into the Excel-formula =MOD(11*(B2-4),26) with B2 containing the cipher letter integer. For instance, if B2=0 (=letter a) the formula yields the correct plain letter 8 (= letter I) since 11*(0-4)= -44 = -18 = 8 MOD 26. The last row is a simple integer to letter conversion. Recall that A is stored as 65, B as 66, …, Z as 90 implying that we have to add 65 to any integer that has to be computed. Thus, to convert the first integer 8 into letter I we write: =CHAR(65+B3) with B3 containing the 8: CHAR(65+8)=CHAR(73)=I. 3.3.1 Letter Frequency Analysis as a Tool to Crack Ciphers Remember that steps 2 and 3 can only be executed if Mr. X finds how 2 cipher letters translate into their respective plain letters first. But how can he find what two cipher letters translate into? Consider the following cipher text and try to translate two cipher letters into plain letters! Remember your answer, we will unscramble this message soon. hxo rboexmop fbapu c jahhjo gpsqjoluo ap cpl hxo eopasbe hcgo pspo skh es ah ciikmkjchoe hxbskux hxo wocbe jsqojj vboealoph sr xcbncbl What is meant by letter frequency? It is the relative occurrence of each letter expressed in percent. We find these percentages by simply adding each letter’s number of occurrence divided by the total number of letters in a sentence. On average, letters in English sentences occur as follows: 35 13% 0.14 0.12 9% 0.1 7% 0.08 7% 0.06 4% 3% 0.04 4% 3% 2% 1% 0.02 8%7% 4% 3% 8% 6% 3% 0%0% 3% 2% 1%2% 1% 0% 0% 0 a b c d e f g h I j k l m n o p q r s t u v w x y How does this help finding two letter correspondences? Recall that the Linear Cipher is the combination of the Caesar Cipher and the Multiplication Cipher. Thus, in order to break the Linear Cipher using letter frequencies, we have to understand how a) the Caesar Cipher and b) the Multiplication Cipher letter frequencies of the plain letters are transferred to the cipher letters. This is the objective of the following two sections. You learn you how to crack the Caesar and the Multiplication Cipher easily with the aid of letter frequencies. This knowledge - in turn teaches us how to crack the above example of the Linear Cipher. Don’t forget your guess on the two letter correspondences, we will get back to it. 3.3.2 Cracking the Caesar Cipher with the Aid of Letter Frequency Analysis Let’s encode the following revelation with the Caesar Cipher: T A S L HE ND O I O WE F RESH T HE S T ACC L L PR M E N B R I N G A L I T T L E K N O WL E D G E E NI ORS T A K E NONE OUT U MU L A T E S OV E R T H E Y E A R S E S I DE NT OF HA RV A RD 36 I N z Shifting each letter 3 positions to the right yields: wk h i u h v k d q g wk h v v r l w df f or z hoo s u p h x h h q p v q eul qj d l r u v wd n h x o d wh v r y h l ghqw r i k o l wwo h n q r z o h g j h qr qh r x w u wk h b h d u v duy dug l q What happens to the letter frequencies when shifting the plain letters 3 positions to the right? Of course, they are shifted too! Observe this on the two following bar graphs: Letter frequencies in the message by Harvard President Lowell 18% 16% 16% 14% 12% 10% 8% 8% 7% 6% 5% 4% 4% 1% 2% 2% 6% 6% 2% 2% 2% 9% 7% 7% 6% 3% 2% 1% 0% 2% 2% 0% 0% 1% 0% 0% A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Letter frequencies of the cipher letters: 18% 16% 16% 14% 12% 10% 8% 7% 8% 6% 2% 5% 4% 4% 0% 1% 1% 0% 2% 6% 6% 2% 2% 2% 9% 7% 7% 6% 3% 2% 1% 0% 2% 2% 0% 0% a b c d e f g h I j k l m n 37 o p q r s t u v w x y z Notice that the bars of the second graph displaying the letter frequencies of the cipher letters are shifted by 3 positions to the right. To crack the Caesar Cipher, we just have to find the most frequent cipher letter, here h=7 with 16%, and equal it to the plain letter E=4 in the encryption function: 7 = 4 + b MOD 26. This yields the encoding key b=3 and we can decode the remaining message easily. We observe: In a Caesar Cipher: As the plain letters are shifted so are the letter frequencies 3.3.3 Cracking the Multiplication Cipher with the Aid of Letter Frequency Analysis Are the letter frequencies shifted in the Multiplication Cipher as well? No, because the plain letters are not shifted but multiplied by the good key a. Say we encrypt the original Harvard message using a=3 as our key. We obtain: F A C H V M P Z MC V N J F V M C Q Y F A GG QOMH H T Z K M I M M N K C N D Z Y N S A Y QZ C F A E M I H A F MC QL M Y J MN F QP V H Y F F H M E N QOH MJ S M N QN M QI F Z F V M U MA Z C A Z L A Z J Y N Letter frequencies in the message by Harvard President Lowell 18% 16% 16% 14% 12% 10% 8% 8% 7% 6% 4% 4% 2% 5% 1% 2% 6% 6% 2% 2% 2% 9% 7% 7% 6% 3% 2% 1% 0% 0% 2% 2% 0% 1% 0% 0% A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Follow the translation of the plain letters and their frequencies caused by the multiplication with the key a=3. 38 Plain Letters A - I 20% 16% 15% 10% 7% 5% 1% 2% B C 4% 2% 2% F G 5% 6% H I 0% A D E 18% 16% 16% 14% 12% 9% 10% 8% 7% 8% 6% 6% 4% 1% 2% 7% 6% 2% 3% 2% 7% 6% 5% 4% 2% 2% 2% 2% 2% 0% 1% 1% 0% 0% 0% a b c d e f g h I j k l 39 m n o p q r s t u v w x y z Similarly, observe this for the plain letters from J through R: Plain Letters J - R 20% 15% 10% 8% 6% 5% 2% 0% 7% 7% 2% 1% 0% P Q 0% J K L M N 18% O R 16% 16% 14% 12% 9% 10% 8% 7% 8% 6% 6% 4% 1% 2% 7% 6% 2% 3% 2% 7% 6% 5% 4% 2% 2% 2% 2% 2% 0% 1% 1% 0% 0% 0% a b c d e f g h I j k l m n o 40 p q r s t u v w x y z And finally for the plain letters from S through Z: Plain Letters S-Z 20% 15% 10% 9% 6% 3% 5% 2% 2% V W 0% 1% 0% X Y Z 0% S T U 18% 16% 16% 14% 12% 9% 10% 8% 7% 6% 8% 6% 4% 2% 2% 1% 7% 6% 2% 4% 3% 2%2% 7% 5% 2%2% 0% 2% 1%1% 6% 0%0% 0% a b c d e f g h I j k l m n o p q r s t u v w x y z Again the translation of the letters and its frequencies is easy to observe: the bars of the original frequency distribution are not just shifted to the right but placed to the right in steps of 3 yielding the frequency distribution of the cipher letters. Again, cracking the Multiplication Cipher is accomplished by determining the most frequent cipher letter (that one with the highest bar), here it is the cipher letter m. Setting the value of m, 12, equal to the value of the plain letter E, 4, in the encryption function 12 = a*4 MOD 26. This yields the key a=3. Finding the decoding key a-1 =9 MOD 26 enables us to decode the remaining cipher letters easily. 41 We observed for the Multiplication Cipher: Encoding with the Multiplication Cipher leaves the underlying letter frequencies unchanged as any plain letter is encoded with the same cipher letter. The letter frequencies of the same plain letters are transferred to their corresponding cipher letters in steps of length a which is the encoding key. 3.3.4 Cracking the Linear Cipher with the Aid of Letter Frequency Analysis We could easily see that the underlying letter frequencies remain unchanged in the Caesar and Multiplication Cipher. Does this therefore hold true for the Linear Cipher aswell? Let’s take a look at the encryption function: C = a*P + b MOD 26. The Linear Cipher first encodes with the Multiplication Cipher and we just observed that it leaves the underlying letter frequencies unchanged. The subsequent Caesar Shift simply shifts the frequency bars to the right, again without changing the underlying frequencies. Consequently, encrypting with a Linear Cipher leaves the underlying letter frequency unchanged. Let’s apply the learned to our introductory example: hxo rboexmop fbapu c jahhjo gpsqjoluo ap cpl hxo eopasbe hcgo pspo skh es ah ciikmkjchoe hxbskux hxo wocbe jsqojj vboealoph sr xcbncbl Computing the letter frequencies of the cipher text yields the following frequency chart: 16% 14% 14% 12% 10% 10% 8% 6% 7%7% 5% 8% 6% 7% 4%4% 4% 2% 6% 0% 2% 1% 2% 2% 1% 2%2% 6% 3% 0% 1%1% 0%0% 0% a b c d e f g h I j k l m n o p q r s t u v w x y z 42 This frequency chart is a result of the combination of the frequency bar translations caused by the Caesar Cipher and the Multiplication Cipher. The original plain letter frequencies were first translated in steps of the factor key a=2. Subsequently, the letter frequencies were shifted by b=3 positions to the right yielding the final letter frequencies. Imagine Mr. X does not know how the key par used to encrypt the message. How could he crack the encrypted message? He can generate the frequency graphs off the intercepted cipher text: He observes that the most frequent cipher letter o=14 which most likely corresponds to the plain letter E=4. Hence, the unknown key pair (a,b) has to fulfill the encoding equation 14 = a * 4 + b MOD 26. There are two options to crack the Cipher. Cracking option A: Either he further exploits letter frequencies. Testing other possible letter correspondences allows him to solve two linear equations in two variables which yields the desired key pair (a,b). or Cracking option B: He simply tests all possible key pair combinations (a,b). This is a brute force attack. I will first show you option A and afterwards option B. Cracking option A: What is the second most common letter? T, N, O, R, I, A, S are the most likely candidates as you can see in the above letter frequency chart of English letters. Any flashbacks of the TV-show “Wheel Of Fortune”? It is no coincidence that those letters are bought during the game since they are the most frequent ones. The above chart reveals the second most frequent cipher letter is h with 10%. Assuming that the cipher letter h=7 translates into plain letter T=19, Mr. X can therefore set up the following equation: 7 = a * 19 + b MOD 26 14 = a * 4 + b MOD 26 The top minus the bottom equation yields: -7 = a * 15 MOD 26 Since -7 = 19 MOD 26 we have: 43 19 = a * 15 MOD 26 In order to solve this congruence for a he has to multiply both sides by the inverse of 15 MOD 26, namely 15-1 = 7. This yields: 19 * 7 = a MOD 26 Since 19 * 7 = 133 = 3 MOD 26, we finally obtain 3 = a MOD 26 To find b he inserts a=3 in the second equation and obtain: 14 = 3 * 4 + b = 12 + b MOD 26 Thus, he obtains the key pair: a=3 and b=2. In order to decrypt the Cipher Code he proceeds as usual: he first finds the decoding factor key, namely a-1 = 9, and then determines the following plain/cipher letter correspondences by using the decoding function P = 9*(C-2) MOD 26. Cipher Letter Plain Letter a b c d e f g h i j k l m n o p q I R A J S B K T C L U D M V E N W r s F O t u v w x y z X G P Y H Q Z Replacing each cipher letter in the Cipher Code by its plain letter equivalent yields again the correct Harvard statement. He was lucky. His first attempt to crack the Cipher Code was already successful. The reason for that is that the 2nd most frequent cipher letter happened to be the expected one, namely the t. This is even more likely to happen if the encoded message is longer. Because in that case we can expect the cipher letter frequencies to converge to the letter frequencies for English sentences. This statistical property is known as the “Law for Large Numbers”. Exercise1 for option A: Crack a different Linear Cipher using letter frequency analysis. Your job is to fill in the blanks. C = a*P+b MOD 26 Say, we found that the cipher letter n=13 corresponds to F=5: and s=18 corresponds to I=8: 13 = a*5+b MOD 26 __= a*_+b MOD 26 Subtracting the first from the second yields __= a*_ MOD 26 To isolate a we have to multiply both sides by the inverse of the integer right of a, namely 9. (Why?) __* 9 = a MOD 26 Since 45 = 19 = a MOD 26, we find that a=19. Replacing the 19 for a in the first of our two original equations we obtain: 13=__+b MOD 26 44 Subtracting 95 on both sides yields: __ = b MOD 26 Since –82 = __ MOD 26 we find b to be: __ = b MOD 26 Hence, we successfully cracked the key: a=19 and b=22. To decode the remaining cipher letters and therefore to read the whole encoded message, we just have to insert a-1 = 11 and b=4 into the decryption function P = a-1 *(C-b) MOD 26. Our decryption function turns out to be: P = 11 *(C-22) MOD 26 Which can be rewritten as P = 11 *C – 11*22 MOD 26 P = 11 *C – 242 MOD 26 P = 11 *C + 18 MOD 26 Check: Inserting the cipher letter n=13 should yield the plain letter F=5: P = 11 *13 + 18 MOD 26 P = 143 + 18 MOD 26 P = 161 MOD 26 P = 5 MOD 26 Correct. Cracking option B: Let’s break the Harvard message using brute force. Which values of a and b fulfill the encoding function? Mr. X assumes that an alphabet length M=26 was used. Therefore, there are only 12 good encoding factor keys a, namely those that are relative prime to 26. Assuming that the most frequent cipher letter o corresponds to the plain letter E, what values could b attain? Well, only those that fulfill the equation 14=a*4+b MOD 26. Here is a list of the possible key pairs (a,b): a b 0 1 14 10 2 6 3 4 5 6 7 2 24 20 16 12 8 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 4 0 22 18 14 10 6 2 24 20 16 12 8 4 0 22 18 We compute the inverse a-1 of each a MOD 26 to be: a-1 0 1 2 9 4 21 6 15 8 3 10 19 12 13 14 7 16 23 18 19 20 5 22 17 24 25 We can test each of the above 12 key pairs by using a-1 and b in the decoding equation 45 P = a-1 *(C-b) MOD 26. I.e. testing a-1=9 and b=2 yields the following table of letter correspondences: Cipher Letter Plain Letter a b c d e f g h i j k l m n o p q I R A J S B K T C L U D M V E N W r s F O t u v w x y z X G P Y H Q Z Bingo. Replacing the cipher letters by the corresponding plain letters yields the correct Harvard statement. Verify this. Reflection on Cracking Option B: In the above example, eavesdropping Mr. X assumed an alphabet length of 26. What if that assumption is not correct? Mr. X would just have to test (M) key pairs for each used an alphabet length M: 12 for M=26, 18 for M=27, 12 for M=29, etc. The reason why he just has to test (M) as opposed to all the possible (M) * M key pairs is due to the fact that he can identify the cipher e by using letter frequency. This allows him to set up one equation mod M which yields a unique shift key b for a given factor key a. Finding the inverse a-1 depends on the alphabet length M. I.e. the inverse of a=3 MOD 26 is a-1=9, however, it would be a-1=10 MOD 29. In conclusion: With computer assistance, Mr. X is able to crack any Linear Cipher easily using Cracking Option B. However, Cracking Option A turns out to be even faster. The longer a cipher text, the more likely it is to find two correct letter correspondences that are sufficient to compute the key pair (a,b). 3.4 Random Substitution Ciphers The fact that the underlying letter frequencies remain unchanged is not only true when cracking Caesar Ciphers, Multiplication Ciphers or Linear Ciphers. It is actually true for those ciphers where a same plain letters are encrypted to the same cipher letter. Such ciphers are called Monoalphabetic Substitution Ciphers. Definition: In Monoalphabetic Substitution Ciphers same plain letters are encrypted to the same cipher letters. You can imagine that the underlying letter frequencies help eavesdroppers a lot to crack such ciphers. Cracking becomes particularly easy if the intercepted message consists of many letters. In that case, the cipher letter frequencies approach the letter frequencies of the English language. 46 Warning for Monoalphabetic Encryptions: The longer the intercepted cipher text the more will the cipher letter frequencies converge to the letter frequencies of the English language. 3.4.1 The Art of Cracking Random Substitution Ciphers In this last section, we are going to study the art of how to crack a “Random Substitution Cipher”: that is a cipher where each plain letter is assigned to each cipher letter in a random manner. You find such ciphers as “cryptograms” in newspapers. For example, using the following random letter assignment Plain letter Cipher letter A B C D E F G q a z w s x H I J K L M e d c r f v the virus carrier message encodes to: PLAIN TEXT A N T I S Cipher text q g j c u T j H d N O P Q R S t g b Y h n u E s C z A q T U j m R n R n V W i X k o I c Y Z l p E s R n The key to crack the Random Substitution Cipher is that the underlying letter frequencies of the original plain text don’t change. This fact makes the Random Substitution Cipher very susceptible to Cipher attacks. An eavesdropper literally just has to count the letter frequencies of the Cipher letters, create a chart displaying the relative letter frequencies and match it with the letter frequencies of the English language. Recall that the most frequent letters in the English language are ETNORIA which – except for the O - occur even as the most frequent letters in the brief virus carrier message. Surely, the longer the messages are the more do the relative frequencies of the cipher letters approach the expected frequencies. Let’s break the following random-substituted encrypted message: q q a j v v j d s i s n q e s l j d s d q g q j q e b u s q t i z o s s b s n n g u c z t s w y q c q g g j w a q n s c g l j d s u y s g j v s u u How could we go about breaking this message? Certainly, we shall take advantage of the known letter frequencies. Additionally, we can take advantage of the blanks between two 47 words, certainly a helpful hint for eavesdroppers. Since a sender does not want to give such hints to eavesdroppers he would not use blanks in the encrypted message. Blanks could be encoded as a certain letter (i.e. X) or a number combination in the cipher text. If they are left out the Cipher message reads as follows: qvvjdsjqosuyqcwaljdsqisnqesqtsnczqgqnsuysgjaljdsebisntsgjcgvsuujdq gquszbgw Certainly, this appears to be a more challenging task, however, letter frequency will eventually yield the correct plain text. It is just more challenging. Before trying to crack such a cipher text, let’s first crack the version with the blanks: Step 1: We first find the cipher E. Finding the most frequent letter yields s. So, let’s assume that s is E. Step 2: Secondly, we try to detect the most common English 3-letter word “THE”. We, therefore, have to look for repetitive 3-letter-sequences ending in s. We observe - even without the help of the blank spaces - that jds occurs three times, more than any other trigram. It is very likely, that we revealed the two correspondences j=T and d=H yielding T H E j d s q v v q I E E s n q e s a l T H E j d s T H j d q g q T E j q o s U q t e b I y q c w a l E s n c z q g E q n s E s n t c g E s g j T H E j d s E T u y s g J E v s u u E u s z b g w The knowledge of the letters T, H and E reveals words like there, this, than, thus, that, etc. So, let’s look for them. We find jdqg which could be this or thus, however, it could not be that. Why not? Checking the frequency of q shows that it is likely to be one of the most common letters ETNORIA, and since it is a vowel (why?) we may reduce the possible choices for q to O, I or A. I or A are more likely to follow TH and may form the second to last 1-letter-words q. Step 3: We now form possible words of the given letters and test if the found letters make sense in other words. Say, we choose q to be A. What word could the first word qvv be? ALL and ADD are possible, ARE is not. If q would be I then ILL is possible. A seems to be the more reasonable choice. Substituting A for q yields THA_ for jdqg. We know it can not be THAT, therefore, THAN makes more sense. It makes sense that g is N since the g is one of the most frequent letters. Thus, using altogether the correspondences A=q, N=g L=v yields 48 A L L q v v T H E j d s A q I E A E s n q e s a l T H E j d s T H A N j d q g A q T A E j q o s u A q t e b I A y q c w a l E A N s n c z q g A E q n s E s n t N c g E N T s g j T H E j d s E N T u y s g j L E v s u u E N u s z b g w Step 4: Now, words will appear. vsuu looks very much like LESS, then S_ENT in uysgj should be SPENT. A_E in qns seems to be ARE. This is very likely since the encrypted R, the n, appears frequently. We now have: A L L q v v T H E j d S A q I E R A E s n q e s a l T H E j d s T H A N j d q g A q T A E S j q o s u A q t e b I P A y q c w a l E R A N s n c z q g A R E q n s E R s n t N c g E N T s g j T H E j d s S P E N T u y s g j L E S S v s u u S E N u s z b g w Continuing to detect words, we see that A_ERA_E in qlsnqes looks like AVERAGE, and A_ER__AN in qtsnczqg looks very much like AMERICAN. What other words can you find? Try to finish it by yourself. Replacing these letters yields A L L q v v T H E j d s A V E R A G E q I s n q e s a l T H E j d s T H A N j d q g A q T A E S j q o s u P A I y q c w A M E R I C A N q t s n c z q g G V E R M E N T e b I s n t s g j a l A R E q n s I N c g T H E j d s S P E N T u y s g j L E S S v s u u S E C N u s z b g w And we finally have: ALL THE TAXES PAID BY THE AVERAGE AMERICAN ARE SPENT BY THE GOVERNMENT IN LESS THAN A SECOND 49 Resumee: Cracking Random Substitution Ciphers can be accomplished by a combination of finding most frequent letters and trigrams as well as clever guessing and testing missing letters. The more Random Substitution Ciphers you will crack the more experienced you will become. As a side effect: You will be able to solve the “cryptograms” in the newspapers easily. Exercise1: You now have the opportunity to practice the art of cracking such Random Substitution Ciphers. Crack the following cipher text: yxdy pq yjc xzpvpyw ya icqdepzc ayjceq xq yjcw qcc yjcuqcvrcq. xzexjxu vpsdavs Exercise2: Crack the following “Cryptoclip” found in the “Daily News of the Virgin Islands” on March 21, 2001. vkbj v avpq bphvu baj hfj bahjk vy yjxbjxfjq bc bdjxbr rjvpy hx baj fccujp. 50 3.5 An Inventory of the learned Monoalphabetic Substitution Ciphers In this section we will analyze and compare the ciphers that we have studied thus far. They are all Monoalphabetic Substitution Ciphers since each translates same plain letters into the same cipher letter. However, the rule to assign letters varies. For the Caesar, the Multiplication and the Linear Cipher, we are using encoding functions. This functional relationship between plain and cipher letters made these ciphers very susceptible to eavesdroppers. In order to crack the first two Ciphers, it is sufficient to determine the most frequent cipher letter and set it equal to E. The Linear Cipher uses a key pair and thus requires two plain/cipher letter correspondences. On the contrary, the Random Substitution Cipher does not use an encoding function. It simply uses a plain/cipher letter assignment table to encode the original messages. This non-functional encryption allows many more possible unique encryptions and makes it therefore harder to crack. It is not sufficient to simply find two plain/cipher lettercorrespondences. Rather, each cipher/plain letter correspondence has to figured out. Nevertheless, since it is still a Mono-substitution Cipher the underlying letter frequencies were passed over to the cipher text so that we could use frequency analysis to crack the cipher. Let’s summarize these facts in a table: Cipher MonoSubstituti on Caesar Cipher Yes Multiplication Cipher Linear Cipher Yes Yes Random Sub. Yes Cipher Encoding function, (Encoding key is bold) C=P+b MOD M C=a*P MOD M C=a*P+b MOD M Assignment Table Decoding function (Decoding key is bold) P=C-b MOD M P=a-1*C MOD M P= a-1*(C-b) MOD M Assignment Table Cracking Method Number of Unique Encryption s Requires 1 M letter corresp. Requires 1 (M) letter corresp. Requires 2 M * (M) letter corresp. Frequency ? Analysis How many unique Random Substitution Ciphers are there? Let’s figure out the only ? in the table by determining how many unique Random Substitution Ciphers there are. The way of going about it is to start with an alphabet length of M=1, then M=2, etc. In that way can gain insight how an additional letter changes the number of possible unique Ciphers. 51 M=1: A 1-letter alphabet allows 1 possible Cipher: A. M=2: The 2-letters A and B may be encrypted to A A B B B A Surely, encryption using only two symbols is rather difficult. Nevertheless, the Morse Code would work. M=3: The 3-letters A, B and C may be encrypted to: A A A B B C C B B C A C A B C C B C A B A We thus have 2*3=6, possible Random Substitutions. M=4: For a 4-letter alphabet we may place the fourth letter D in one of four positions: before the first, between the first and the second, between the second and the third or after the third letter. Since we can choose among the six above 3-letter combinations, we obtain a total of 4*6=24 possible 4-letter combinations. Since 6 =3*2 we may just write 24 = 4 * 3 * 2 *1. Or simply 4! . M=5: Now guess how many 5-letter combinations you can form? 5! = 5 * 4 * 3 * 2 * 1 = 120 are there. Explain why we had to multiply the 24 possible 4-letter-words by 5 to obtain the number of possible 5-letter words. M=26: Continuing adding letter by letter to the existing words we obtain 26! possible Ciphers for 26 letters: 26! = 26 * 25 * 24 * … * 3 * 2 * 1 which turns out to be a huge number, namely 403291461126605635584000000. In scientific notation this is approximately 4.0 * 1026 which appears on calculators as 4.0 * E+26 Let’s summarize our results: #letters 1 2 3 #words 1 2!=2 3!=6 4 4!=24 5 5!=120 52 6 6!=720 … 26 26! … M M! How can we increase the security of the Random Substitution Cipher? We can increase the security of the Random Substitution Cipher by increasing the number of possible Ciphers. We just learned how: Increasing the alphabet length M increases the number of possible ciphers. In example we could use the 52 upper and lower case plain letter. To avoid any patterns we would assign upper case plain letters not only to upper but also to lower case cipher letters and vice versa. This allows us to choose among 52! possible Ciphers. Check with your windows calculator how many these are. Is it just double of 26! ? 52! = __________________________ In order to increase the security of our cipher, would it help to use a different cipher letter alphabet? I.e. we could encode every plain letter using symbols as follows: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z What does the following Cipher therefore translate to? Exactly. It was the earlier sentence on the taxes spent by the government. Now, does this translation in MS WinWord from the Times New Roman to the Wingdings Font increase the security of the Random Substitution Cipher? Certainly not since each of the 26 plain letters is still encoded with the same Cipher symbol. Therefore, the underlying plain letter frequency is maintained and can be used again on this Cipher to first detect the cipher e, then the cipher word the to eventually crack the entire Cipher. Exercise1: The following Cipher was created with the Font “Marlett”. Decode it. Exercise2: Create your own Cipher using the Help Cyrillic Font. Exercise3: Find out if MS WinWord allows some other simple cipher codes. 53