6 slides per page - the GMU ECE Department
advertisement
ECE 646 - Lecture 6
Required Reading
• W. Stallings, Cryptography and Network Security,
Historical Ciphers
Chapter 2, Classical Encryption Techniques
• A. Menezes et al., Handbook of Applied Cryptography,
Chapter 7.3 Classical ciphers and historical development
Secret Writing
Why (not) to study historical ciphers?
AGAINST
FOR
Not similar to
modern ciphers
Basic components became
a part of modern ciphers
Long abandoned
Under special circumstances
modern ciphers can be
reduced to historical ciphers
Steganography
(hidden messages)
Cryptography
(encrypted messages)
Substitution
Transformations
Influence on world events
The only ciphers you
can break!
Selected world events affected by cryptology
1586 - trial of Mary Queen of Scots - substitution cipher
1917 - Zimmermann telegram, America enters World War I
1939-1945 Battle of England, Battle of Atlantic, D-day ENIGMA machine cipher
1944 – world’s first computer, Colossus German Lorenz machine cipher
1950s – operation Venona – breaking ciphers of soviet spies
stealing secrets of the U.S. atomic bomb
– one-time pad
Codes
(replace
words)
Transposition
Ciphers
(change the order
of letters)
Substitution
Ciphers
(replace
letters)
Mary, Queen of Scots
• Scottish Queen, a cousin of Elisabeth I of England
• Forced to flee Scotland by uprising against
her and her husband
• Treated as a candidate to the throne of England
by many British Catholics unhappy about
a reign of Elisabeth I, a Protestant
• Imprisoned by Elisabeth for 19 years
• Involved in several plots to assassinate Elisabeth
• Put on trial for treason by a court of about
40 noblemen, including Catholics, after being
implicated in the Babington Plot by her own
letters sent from prison to her co-conspirators
in the encrypted form
1
Mary, Queen of Scots – cont.
• cipher used for encryption was broken by codebreakers of Elisabeth I
• it was so called nomenclator – mixture of a code and a substitution
cipher
• Mary was sentenced to death for treachery and executed in 1587
at the age of 44
Zimmermann Telegram
• sent on January 16, 1917 from the Foreign Secretary
of the German Empire, Arthur Zimmermann, to the German
ambassador in Washington
• instructed the ambassador to approach the Mexican government
with a proposal for military alliance against the U.S.
• offered Mexico generous material aid to be
used to reclaim a part of territories lost during
the Mexican-American War of 1846-1848,
specifically Texas, New Mexico, and Arizona
• sent using a telegram cable that touched
British soil
• encrypted with cipher 0075, which
British codebreakers had partly broken
• intercepted and decrypted
Zimmermann Telegram
• British foreign minister passed the ciphertext, the message in German,
and the English translation to the American Secretary of State,
and he has shown it to the President Woodrow Wilson
• A version released to the press was that the decrypted message
was stolen from the German embassy in Mexico
• After publishing in press, initially believed to be a forgery
• On February 1, Germany had resumed "unrestricted"
submarine warfare, which caused many civilian deaths,
including American passengers on British ships
• On March 3, 1917 and later on March 29, 1917, Arthur Zimmermann
was quoted saying "I cannot deny it. It is true.”
• On April 2, 1917, President Wilson asked Congress to declare
war on Germany. On April 6, 1917, Congress complied,
bringing the United States into World War I.
Ciphers used predominantly in the given period(1)
Cryptography
100 B.C.
Cryptanalysis
Shift ciphers
Frequency analysis
al-Kindi, Baghdad
IX c.
Monoalphabetic substitution cipher
1586 Invention of the Vigenère Cipher
Black chambers
Homophonic ciphers
Vigenère cipher
(Simple polyalphabetic substitution ciphers)
1919 Invention of rotor machines
Electromechanical machine ciphers
(Complex polyalphabetic substitution ciphers)
XVIII c.
Kasiski’s method
1863
Index of coincidence
William Friedman
1918
1926 Vernam cipher (one-time pad)
1996
(2nd
ed)
1999
2
Substitution Ciphers (1)
Ciphers used predominantly in the given period(2)
Cryptography
Cryptanalysis
1949 Shennon’s theory
of secret systems
1977 Publication of DES
one-time pad
Stream Ciphers
S-P networks
Reconstructing ENIGMA
Rejewski, Poland
Polish cryptological bombs,
and perforated sheets
British cryptological
bombs, Bletchley Park, UK
Breaking Japanese
“Purple” cipher
DES
1. Monalphabetic (simple) substitution cipher
1932
M = m1
m2
m3
m4 . . . . mN
C = f(m1) f(m2) f(m3) f(m4) . . . . f(mN)
1939
1945
Generally f is a random permutation, e.g.,
1977
f=
Triple DES
1990
a b c d e f g h i j k l m n o p q r s t u v w x y z
s l t a v m c e r u b q p d f k h w y g x z j n i o
DES crackers
2001
2001
AES
Key = f
Number of keys = 26! ≈ 4 ⋅ 1026
Monalphabetic substitution ciphers
Simplifications (1)
A. Caesar Cipher
ci = f(mi) = mi + 3 mod 26
mi = f-1(ci) = ci - 3 mod 26
No key
B. Shift Cipher
ci = f(mi) = mi + k mod 26
mi = f-1(ci) = ci - k mod 26
Key = k
Number of keys = 26
Caesar Cipher: Example
Plaintext:
I CAM E I SAW I
C O N Q U E R E D
8 2 0 12 4 8 18 0 22 8 2 14 13 16 20 4 17 4 3
11 5 3 15 7 11 21 3 25 11 5 17 16 19 23 7 20 7 6
Ciphertext: L F D P H L V D Z L F R Q T X H U H G
Coding characters into numbers
A
B
C
D
E
F
G
H
I
J
K
L
M
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
0
1
2
3
4
5
6
7
8
9
10
11
12
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
⇔
13
14
15
16
17
18
19
20
21
22
23
24
25
Monalphabetic substitution ciphers
Simplifications (2)
C. Affine Cipher
ci = f(mi) = k1 ⋅ mi + k2 mod 26
gcd (k1, 26) = 1
mi = f-1(ci) = k1-1 ⋅ (ci - k2) mod 26
Key = (k1, k2)
Number of keys = 12⋅26 = 312
3
Most frequent single letters
Most frequent digrams, and trigrams
Average frequency in a random string of letters:
1
= 0.038 = 3.8%
26
Digrams:
TH, HE, IN, ER, RE, AN, ON, EN, AT
Average frequency in a long English text:
E
T, N, R, I, O, A, S
D, H, L
C, F, P, U, M, Y, G, W, V
B, X, K, Q, J, Z
Trigrams:
THE, ING, AND, HER, ERE, ENT, THA, NTH,
WAS, ETH, FOR, DTH
— 13%
— 6%-9%
— 3.5%-4.5%
— 1.5%-3%
— < 1%
Relative frequency of letters in a long English text
by Stallings
14
6
4
2
9.25
0
8.5
7.75
7.5
7.75
7.25
4.25
3.5
1.25
3.5
3
12
10
3.75
2.75
a b c d e f g h i jk lm n o p q r s tu vw x y z
14
6
6
2
3
2.75
2.25
2
0.5
0.25
1.5 1.5
0.5
0.5
0.25
0 A B C D E F G H I J K LM N O P Q R S T U V W X Y Z
Character frequency
in the corresponding
ciphertext
for a shift cipher
8
6
4
2
0
a b c d e f g h i jk lm n o p q r s tu vw x y z
14
Frequency analysis attack: relevant frequencies
12
10
Character frequency
in a long English
plaintext
8
6
4
2
0
Character frequency
in a long English
plaintext
8
10
4
12
10
12.75
12
8
14
14
14
12
12
10
10
8
8
6
6
4
4
2
0
a b c d e f g h i jk lm n o p q r s tu vw x y z
Long English text T
14
Character frequency
in the corresponding
ciphertext
for a general
monoalphabetic
substitution cipher
12
10
8
6
4
2
0
2
a b c d e f g h i j k lm n o p q r s t u v w x y z
a b c d e f g h i jk lm n o p q r s tu vw x y z
0 a b c d e fg h I j k lm n o p q r s tu v w x y z
Short English message M
14
14
12
12
10
10
8
8
6
6
4
4
2
2
0 a b c d e f g h i j k lm n o p q r s t u v w x y z
0 a b c d e f g h I j k lm n o p q r s t u v w x y z
Ciphertext of the long English text T
Ciphertext of the short English message M
4
Frequency analysis attack (1)
Step 1: Establishing the relative frequency of letters
in the ciphertext
Ciphertext:
FMXVE DKAPH FERBN DKRXR SREFM ORUDS
DKDVS HVUFE DKAPR KDLYE VLRHH RH
Frequency analysis attack (2)
Step 2: Assuming the relative frequency of letters
in the corresponding message, and deriving
the corresponding equations
Assumption: Most frequent letters in the message: E and T
Corresponding equations:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
R
D
E, H, K
-8
-7
-5
Frequency analysis attack (3)
Step 3: Verifying the assumption for the case
of affine cipher
M=
Character frequency
in a long English
plaintext
8
6
m1
m2
… md
md+1 md+2 … m2d
m2d+1 m2d+2 … m3d
…..
f1(m1)
f2(m2)
… fd(md)
f1(md+1)
f2(md+2) … fd(m2d )
f1(m2d+1 ) f2( m2d+2) … fd(m3d )
…..
d is a period of the cipher
Key = d, f1, f2, …, fd
14
10
f(4) = 17
f(19) = 3
Number of keys for a given period d = (26!)d ≈ (4 ⋅ 1026)d
15⋅k1 ≡ 12 (mod 26)
12
4 → 17
19 → 3
Substitution Ciphers (2)
C =
15⋅k1 ≡ -14 (mod 26)
f(E) = R
f(T) = D
2. Polyalphabetic substitution cipher
f(4) = 17
f(19) = 3
4⋅k1 + k2 ≡ 17 (mod 26)
19⋅k1 + k2 ≡ 3 (mod 26)
E→R
T→D
4
Polyalphabetic substitution ciphers
Simplifications (1)
A. Vigenère cipher: polyalphabetic shift cipher
Invented in 1568
2
0
a b c d e f g h i jk lm n o p q r s tu vw x y z
14
12
10
8
Character frequency
in the corresponding
ciphertext
for a polyalphabetic
substitution cipher
6
1
⋅ 100% ≈ 3.8 %
26
4
2
0
ci = fi mod d(mi) = mi + ki mod d mod 26
mi = f-1i mod d(mi) = mi - ki mod d mod 26
Key = k0, k1, … , kd-1
Number of keys for a given period d = (26)d
a b c d e f g h i jk lm n o p q r s tu vw x y z
5
Vigenère Square
plaintext:
Vigenère Cipher - Example
a b c d e f g h i j k l m n o p q r s t u v w x y z
3
Key = “nsa”
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
1
2
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
Determining the period of the polyalphabetic cipher
Kasiski’s method
Ciphertext:
GGBRGRAGTGGBR
Plaintext:
TO BE OR NOT TO BE
Key:
NSA
TOB
EOR
NOT
TOB
E
Encryption:
GGB
RGR
AGT
GGB
R
Ciphertext:
GGBRGRAGTGGBR
Index of coincidence method (1)
ni - number of occurances of the letter i in the ciphertext
i = a .. z
N - length of the ciphertext
Distance = 9
pi = frequency of the letter i for a long ciphertext
Period d is a divisor of the distance between
identical blocks of the ciphertext
pi = lim
N→ ∞
In our example: d = 3 or 9
ni
N
z
∑ pi = 1
i =a
Index of coincidence method (2)
Measure of roughness:
M .R. =
∑
i =a
M.R.
period
Index of coincidence
2
z
Index of coincidence method (3)
⎛ − 1 ⎞ =
⎜ pi
⎟
26 ⎠
⎝
z
z
∑
i =a
The approximation of
1
pi −
26
2
0.028
0.014
0.006
0.003
1
2
5
10
∑p
2
i
i =a
Definition:
Probability that two random elements of the ciphertext
are identical
z
n
i
(ni -1) ⋅ ni
z
Formula:
2
i=a
I .C. =
=
N
(N -1) ⋅ N
i =a
2
∑
∑
6
Index of coincidence method (4)
Measure of roughness
B. Rotor machines used before and during the WWII
z
∑ (n -1) ⋅ n
i
M.R. = I.C. - 1 =
26
M.R.
period
Polyalphabetic substitution ciphers
Simplifications (2)
Country
i
i=a
-
(N -1) ⋅ N
1
26
0.028
0.014
0.006
0.003
1
2
5
10
Military Enigma
Enigma Daily Keys
Machine
Germany:
U.S.A.:
Japan:
UK:
Poland:
Period
Enigma
d=26⋅25⋅26 = 16,900
M-325, Hagelin M-209
“Purple”
Typex
d=26⋅(26-k)⋅26, k=5, 7, 9
Lacida
d=24⋅31⋅35 = 26,040
Functional diagram & dataflow
Order of rotors (Walzenlage)
6 combinations
7
Positions of rings (Ringstellung)
263 combinations
Plugboard Connections
(Steckerverbindung)
~ 0.5 · 1015
combinations
Initial Positions of Rotors
(Grundstellung)
263 combinations
Number of possible internal
connections of Enigma
Estimated number of atoms
in the universe
Total Number of Keys
3 · 10114
1080
Broken by Polish Cryptologists
1932-1940
3.6 · 1022 ≈ 275
Larger number of keys than DES.
Marian Rejewski
(born 1905)
Jerzy Różycki
(born 1909)
Henryk Zygalski
(born 1907)
8
Enigma Timetable: 1939
Jul 25-26, 1939:
A secret meeting takes place in the Kabackie Woods
near the town Pyry (South of Warsaw),
where the Poles hand over to the French and
British Intelligence Service their complete solution
to the German Enigma cipher, and two replicas
of the Enigma machine.
Improvements and new methods
developed by British cryptologists
1939-1945
Alan Turing
(born 1912)
Gordon Welchman
(born 1906)
Enigma Timetable: 1939-1940
1939-1940:
Alan Turing develops an idea of the British
cryptological “Bombe” based on the
known-plaintext attack.
Gordon Welchman develops an improvement
to the Turing’s idea called “diagonal board”.
Harold “Doc” Keen, engineer at
British Tabulating Machines (BTM) becomes
responsible for implementing British “Bombe”.
May, 1940:
First British cryptological bombe developed to
reconstruct daily keys goes into operation.
Over 210 Bombes are used in England throughout
the war.
Each bombe weighed one ton, and was
6.5 feet high, 7 feet long, 2 feet wide.
Machines were operated by members of the Women’s
Royal Naval Service, “Wrens”.
9
Substitution Ciphers (3)
Enigma Timetable: 1943
Apr, 1943:
The production of the American Bombe starts in
the National Cash Register Company (NCR)
in Dayton, Ohio. The engineering design
of the bombe comes from Joseph Desch.
3. Running-key cipher
M=
K =
m1
k1
C =
c1
m2
k2
m3
k3
m4 . . . . mN
k4 . . . . kN
K is a fragment of a book
c2
c3
c4
. . . . cN
ci = mi + ki mod 26
mi = ci - ki mod 26
Key: book (title, edition), position in the book (page, row)
Substitution Ciphers (4)
14
12
Character frequency
in a long English
plaintext
10
8
6
4
2
0
a b c d e f g h i jk lm n o p q r s tu vw x y z
Character frequency
in the corresponding
ciphertext
for a running-key
cipher
14
12
10
8
6
1
⋅ 100% ≈ 3.8 %
26
4
4. Polygram substitution cipher
M=
m1
m2
… md - M1
md+1 md+2 … m2d - M2
m2d+1 m2d+2 … m3d - M3
…..
C =
c1
c2
… cd - C1
cd+1 cd+2 … c2d - C2
c2d+1 c2d+2 … c3d - C3
…..
d is the length of a message block
Ci = f(Mi)
Mi = f-1(Ci)
Key = d, f
2
0
Number of keys for a given block length d = (26d)!
a b c d e fg h i jk lm n o p q r s tu vw x y z
Playfair Cipher
Hill Cipher
1854
1929
Key:
PLAYFAIR IS A DIGRAM CIPHER
P
L
A
Y
F
I
R
S
D
G
M
C
H
E
B
message P O L A N D
ciphertext A K A Y Q R
K
N
O
Q
T
Convention 2 (Handbook)
U
V
W
X
Z
message P O L A N D
ciphertext K A A Y R Q
Convention 1 (Stallings)
Ciphering:
C[1xd] = M[1xd] · K[dxd]
k11, k12, …, k1d
(c1, c2, …, cd) = (m1, m2, …, md)
kd1, kd2, …, kdd
ciphertext block
= message block
·
key matrix
10
Hill Cipher - Known Plaintext Attack (1)
Hill Cipher
Deciphering:
Known:
M[1xd] = C[1xd] · K-1[dxd]
message block
C1 = (c11, c12, …, c1d)
C2 = (c21, c22, …, c2d)
= ciphertext block · inverse key matrix
where
………………………………………………….
Cd = (cd1, cd2, …, cdd)
Md = (md1, md2, …, mdd)
1, 0, …, 0, 0
0, 1, …, 0, 0
……………
0, 0, …, 1, 0
0, 0, …, 0, 1
K[dxd] · K-1[dxd] =
key matrix · inverse key matrix
M1 = (m11, m12, …, m1d)
M2 = (m21, m22, …, m2d)
We know that:
(c11, c12, …, c1d) = (m11, m12, …, m1d) · K[dxd]
(c21, c22, …, c2d) = (m21, m22, …, m2d) · K[dxd]
…………………………………………………
(cd1, cd2, …, cdd) = (md1, md2, …, mdd) · K[dxd]
= identity matrix
Hill Cipher - Known Plaintext Attack (2)
Substitution Ciphers (5)
4. Homophonic substitution cipher
c11, c12, …, c1d
m11, m12, …, m1d
c21, c22, …, c2d = m21, m22, …, m2d
……………….
…………………..
cd1, cd2, …, cdd
md1, md2, …, mdd
k11, k12, …, k1d
M = { A, B, C, …, Z }
C = { 0, 1, 2, 3, …, 99 }
k21, k22, …, k2d
ci = f(mi, random number)
mi = f-1(ci)
kd1, kd2, …, kdd
f:
C[dxd] = M[dxd] · K[dxd]
K[dxd] = M-1[dxd] · C[dxd]
Transposition ciphers
M=
C =
m1
mf(1)
m2
mf(2)
m3
m4 . . . . mN
mf(3) mf(4) . . . . mf(N)
E →
A →
U →
……
X →
17, 19, 27, 48, 64
8, 20, 25, 49
45, 68, 91
33
14
12
10
Character frequency
in a long English
plaintext
8
6
4
2
Letters of the plaintext are rearranged without
changing them
0
a b c d e f g h i jk lm n o p q r s tu vw x y z
14
12
10
Character frequency
in the corresponding
ciphertext
for a transposition cipher
8
6
4
2
0
a b c d e f g h i jk lm n o p q r s tu vw x y z
11
One-time Pad
Vernam Cipher
Transposition cipher
Example
Plaintext: CRYPTANALYST
Key:
Gilbert Vernam, AT&T
Major Joseph Mauborgne
KRIS
Encryption:
23 14
KRI S
CRYP
TANA
LYS T
Ciphertext: YNSCTLRAYPAT
One-time Pad
Equivalent version
ci = mi + ki mod 26
mi
ki
ci
TO BE OR NOT TO BE
AX TC VI URD WM OF
TL UG JZ HFW PK PJ
All letters of the key must be chosen at random
and never reused
Is substitution cipher a perfect cipher?
C = XRZ
P(M=ADD | C=XRZ) = 0
P(M=ADD) ≠ 0
1926
ci = mi ⊕ ki
mi
ki
ci
01110110101001010110101
11011101110110101110110
10101011011111111000011
All bits of the key must be chosen at random
and never reused
Perfect Cipher
Claude Shannon
Communication Theory of Secrecy Systems, 1948
∀
P(M=m | C=c) = P(M = m)
m∈M
c∈C
The cryptanalyst can guess a message with
the same probability without knowing a ciphertext
as with the knowledge of the ciphertext
Is one-time pad a perfect cipher?
C = XRZ
P(M=ADD | C=XRZ) ≠ 0
P(M=ADD) ≠ 0
M might be equal to
CAT, PET, SET, ADD, BBC, AAA, HOT,
HIS, HER, BET, WAS, NOW, etc.
12
S-P Networks
S
S
S
S
P
.
.
.
.
.
.
.
.
.
.
.
.
.
P
S
S
....
....
S
S
Basic operations of S-P networks
S
Substitution
S
S
S
m5
m6
m7
m8
S
S
m9
m10
m11
m12
m61
m62
m63
m64
P
S-box
S
S
S
....
....
S
S
LUCIFER
k1,2
k1,1
m1
m2
m3
m4
m5
m6
m7
m8
S1
S1
k2,1
k2,2
S1
S1
P
K3,2
S0
S0
S1
....
S1
....
k32,1
m125
m126
m127
m128
S0
S0
k3,1
m9
m10
m11
m12
S0
S0
S0
S1
P
k32,2
S0
S1
P-box
Shannon Product Ciphers
.
.
.
.
.
.
.
.
.
.
.
.
.
P
0
1
1
0
0
1
0
0
0
0
1
1
1
0
....
Avalanche effect
m1 → m1
m2
m3
m4
1
1
0
1
1
1
0
0
0
0
1
1
1
0
S
Permutation
S
c1→ c1
c2 → c2
c3
c4
S
c5 → c5
c6
c7 → c7
c8 → c8
S
c9
c10
c11 → c11
c12
....
c61 → c61
c62
c63
c64 → c64
S
Horst Feistel, Walt Tuchman
IBM
k1,16
.
.
.
.
.
.
.
.
.
.
.
.
.
S0
S1
c1
c2
c3
c4
K2,16
S0
S1
c5
c6
c7
c8
k3,16
S0
S1
....
c9
c10
c11
c12
S1
• Confusion
relationship between plaintext and ciphertext is
obscured, e.g. through the use of substitutions
• Diffusion
spreading influence of one plaintext letter to many
ciphertext letters, e.g. through the use of
permutations
LUCIFER- external look
plaintext block
128 bits
LUCIFER
key
512 bits
128 bits
k32,16
S0
• Computationally secure ciphers based on the
idea of diffusion and confusion
c125
c126
c127
c128
ciphertext block
16 rounds
13
