APERITIFS
1.11 AN EXAMPLE OF THE INFERENCE PROCESS IN CRYPTANALYSIS
Although statistical characteristics provide information to aid in cryptanalysis, more often internal constraints in the cryptographic system provide a great deal of information. We give an example in this section of the inference process.
A PUZZLE
Each of the nine symbols D N M ~ ; S ’ † appearing in the array below stands for a unique encoding of one of the digits 1 through 9. The rightmost column gives the sum in each row; the bottom row gives the sum in each column. A question mark can stand for any one- or two-digit number and not necessarily the same number in each instance. Find the encoding of the digits 1 through 9!
Figure 1.12 Letter frequencies in English and Gadsby.
Solution. The row 2 and column 3 sums give the equations
(3 × ~) + ; = SS (1.1)
(2 × ;) + (2 × N) = †† (1.2)
As (2 × ;) + (2 × N) is even, ~, ;, N are distinct and each is ≤ 9, and (3 × ~) + ; ≤ 35, (2 × ;) + (2 × N) ≤ 34, it follows that †† = 22 and SS = 11 or 33.
The only integer (diophantine) solution of Equations (1.1) and (1.2) consistent with the uniqueness of the symbols is † = 2 and S = 3 and
The column 4 sum provides the equation
 + (2 × ~) + ’ = †S, which requires
 + ’ = 5 ⇒ , ’ ∈ {(1, 4), (2, 3), (3, 2), (4, 1)} (1.3)
As S = 3, it follows that
 , ’ ∈ {(1, 4), (4, 1)}
are the only possible consistent values satisfying Equation (1.3). It follows therefore that D, M ∈ {7, 8} by the uniqueness constraints.
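The inference up to this point can be checked by exhaustive search. The Python sketch below is an added example, not part of the original text; the single-letter names are assumed labels for the puzzle's glyphs, and only the row 2, column 3 and column 4 sums quoted above are used, not the remaining rows and columns of the array.

```python
from itertools import permutations

# Assumed labels for the glyphs: a = "~", b = ";", c = "N", s = "S",
# t = "†", q = "’", u = the remaining symbol in column 4, d = "D", m = "M".
NAMES = ("a", "b", "c", "s", "t", "q", "u", "d", "m")

def candidates():
    """Enumerate every one-to-one assignment of 1..9 that satisfies
    the row 2, column 3 and column 4 sums."""
    found = []
    for a, b, c, s, t, q, u, d, m in permutations(range(1, 10)):
        if 3 * a + b != 11 * s:          # (1.1): sum is the repdigit SS
            continue
        if 2 * b + 2 * c != 11 * t:      # (1.2): sum is the repdigit ††
            continue
        if u + 2 * a + q != 10 * t + s:  # column 4: sum is the number †S
            continue
        found.append(dict(zip(NAMES, (a, b, c, s, t, q, u, d, m))))
    return found

def summarize(found):
    """For each symbol, list the digits it can still take."""
    return {name: sorted({f[name] for f in found}) for name in NAMES}

if __name__ == "__main__":
    survivors = candidates()
    print(len(survivors), "of 362880 assignments survive")
    for name, digits in summarize(survivors).items():
        print(name, digits)
```

Three equations reduce the 9! possible assignments to four, which is why only the two assumptions about M remain to be tested.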
We now test an assumption on the value of M when we impose the constraints on some of the remaining row and column sums and draw the consequences of the assumption:
A1. M = 7
A1(a) D = 8;
A1(b) Row 4 sum: ?_{4,1} + 9 + 6 + 9 = 27 ⇒ ?_{4,1} = 3;
A1(c) Column 1 sum: 8 + 9 + ?_{3,1} + ?_{4,1} = 29 ⇒ ?_{3,1} = 9 from A1(b);
A1(d) Column 2 sum: 8 + 9 + ?_{3,2} + 9 = 33 ⇒ ?_{3,2} = 7;
A1(e) Row 3 sum: ?_{3,1} + ?_{3,2} + 5 + ’ = 22 ⇒ ’ = 1.
S † ~ ; 4
A2. M = 8
A2(a) D = 7;
A2(b) Row 4 sum: ?_{4,1} + 24 = 28 ⇒ ?_{4,1} = 4;
A2(c) Column 1 sum: 7 + 9 + ?_{3,1} + ?_{4,1} = 29 ⇒ ?_{3,1} = 9 from A2(b);
A2(d) Column 2 sum: 7 + 9 + ?_{3,2} + 9 = 33 ⇒ ?_{3,2} = 5;
A2(e) Row 3 sum: ?_{3,1} + ?_{3,2} + 5 + ’ = 22 ⇒ ’ = 3, a contradiction!
The complete solution is
1.12 WARNING!
Several examples may illustrate this point.
1. The mechanical ciphering machine invented by Alexander von Kryha in 1924 received the Prize of the Prussian Ministry of the Interior at the 1926 Police Fair and a Diploma from the famous postwar Chancellor of Germany, Konrad Adenauer, at the International Press Exhibition in Cologne two years later. Von Kryha was not only an inventor, but also an astute entrepreneur. To promote his commercial venture Internationale Kryha Machinen Gesellschaft of Hamburg, Kryha turned to the famous mathematician Georg Hamel for an endorsement. Hamel calculated the size of the key space to be 4.57 × 10^50 and concluded that only immortals could cryptanalyze Kryha ciphertext. Notwithstanding Hamel’s estimate, a cryptanalysis of the Kryha machine by Friedman did not require as much time and is described in “2 Hours, 41 Minutes,” a chapter in Machine Cryptography and Modern Cryptanalysis [Deavours and Kruh, 1985].
2. A U.S. patent [Merkle and Hellman, 1980] accompanied the publication of the paper by Merkle and Hellman [1978] announcing the first public key cryptosystem (Chapter 10). The inventors wrote in the description of the preferred embodiment of the ’582 patent
But, the eavesdropper trapdoor knapsack problem can be made computationally infeasible to solve, thereby preventing the eavesdropper from recovering the plaintext message X.
In spite of this pronouncement, Adi Shamir electrified the attendees at ‘CRYPTO’ 82 meetings⁵ with an analysis of the Merkle–Hellman cryptosystem [Shamir, 1984] (Chapter 11). A program running on an Apple during his lecture illustrated the solution technique.
The Surgeon General has determined that large key spaces may not truly protect your data!
5. ‘CRYPTO’ N is an annual workshop on Cryptography held each August since 1981 at UCSB.
3. Martin Gardner’s article [Gardner, 1979] appeared a year before the publication of the paper that defined the RSA cryptosystem [Rivest et al., 1998] (Chapter 12). Gardner’s article contained the first of many factoring challenges; RSA-129 is a 129-digit integer, which is the product of two primes. RSA-129 was factored in eight months (April 1991) and did not, as Gardner’s article suggests, “. . .take millions of years. . .,” to factor, claiming the prize of $100 for the first solution.
4. Finally, Certicom markets products using an elliptic curve cryptosystem (Chapter 15). It is stated in one of Certicom’s whitepapers that
A comparison of the three hard mathematical problems on which the well-known public-key cryptosystems are based clearly highlights the fact that none of these are provably intractable. Years of intensive study has resulted in a widely held view that the ECDLP⁶ is significantly more difficult than either the IFP⁷ or the DLP.⁸ The general conclusion of leading cryptographers is that the ECDLP in fact requires the full exponential time to solve. Based on this research and their own cryptographic expertise, industry leaders have accepted the Elliptic Curve Cryptosystem as a mature technology and are now implementing it for widespread deployment.
The point of these examples is not to ridicule the judgment of their makers, but to emphasize that
The history of cryptography is littered with encipherment systems thought to offer security, but which on careful reflection and study have failed to provide the advertised protection. Only one cryptographic system offers absolute security and when it was improperly used during World War II (Chapter 4), it failed to secret the transmitted messages.
Claude Shannon’s paper [1948] on the mathematical theory of communication gave birth to information theory. In the sequel [Shannon, 1949], he pointed out the common features of two problems:
• Recovering data transmitted over a noisy channel, and
• Secreting of transmitted information.
Shannon’s model relating communication and secrecy is formulated within a statistical model as follows:
1. The initial statistical information of plaintext is represented by the a priori probability of plaintext x, notationally $\Pr_{\text{PLAIN}}\{x\}$.
2. When the ciphertext y of x is observed, the statistical information about the plaintext changes to the a posteriori probability of plaintext x given that encipherment has resulted in ciphertext y, notationally $\Pr_{\text{PLAIN/CIPHER}}\{x/y\}$.
1. Weakness in a cryptosystem is demonstrated by providing a feasible cryptanalytic technique.
2. Proving the strength of a cryptosystem is generally more difficult to effect.
6. ECDLP, elliptic curve discrete logarithm problem.
7. IFP, integer factorization problem.
8. DLP, discrete logarithm problem in $Z_p^{+}$.
Shannon defined an encipherment system as providing absolute secrecy if knowledge of the ciphertext did not give any additional statistical information about the plaintext than was known before the ciphertext was observed; namely,
$$\Pr_{\text{PLAIN/CIPHER}}\{x/y\} = \Pr_{\text{PLAIN}}\{x\}$$
whenever $\Pr_{\text{PLAIN}}\{x\} > 0$ and $\Pr_{\text{CIPHER}}\{y\} > 0$. Shannon further proved that absolute secrecy for all n-grams requires that there be as many keys as there are plaintext n-grams of positive probability. If the plaintext and ciphertext consist of all n-grams formed from the alphabet {0, 1}, to guarantee the absolute secrecy of plaintext requires one bit of key per plaintext bit. The one-time tape (or pad), a cryptographic system discussed in Chapter 4, is based upon this result from Shannon.
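Shannon's condition can be checked numerically on a small case. The Python sketch below is an added example, not part of the original text; it assumes 2-bit plaintexts with a constructed a priori distribution and encipherment by XOR with a uniformly chosen key, and compares a key set with one key per plaintext against a key set half that size.

```python
from fractions import Fraction

# Constructed a priori distribution on the 2-bit plaintexts (sample values).
PRIOR = {0b00: Fraction(1, 2), 0b01: Fraction(1, 4),
         0b10: Fraction(1, 8), 0b11: Fraction(1, 8)}
FULL_KEYS = [0b00, 0b01, 0b10, 0b11]   # as many keys as plaintext 2-grams
HALF_KEYS = [0b00, 0b11]               # fewer keys than plaintext 2-grams

def posterior(prior, keys):
    """Return {(x, y): Pr{x/y}} for y = x XOR k with k uniform over keys."""
    joint, p_y = {}, {}
    for x, px in prior.items():
        for k in keys:
            y = x ^ k
            p = px / len(keys)                 # Pr{x} * Pr{k}
            joint[(x, y)] = joint.get((x, y), 0) + p
            p_y[y] = p_y.get(y, 0) + p         # marginal Pr{y}
    return {(x, y): p / p_y[y] for (x, y), p in joint.items()}

def absolutely_secret(prior, keys):
    """True when Pr{x/y} == Pr{x} for every x and y of positive probability."""
    post = posterior(prior, keys)
    ciphertexts = {y for (_, y) in post}
    # A pair (x, y) that never occurs has a posteriori probability 0.
    return all(post.get((x, y), 0) == px
               for x, px in prior.items() if px > 0
               for y in ciphertexts)

if __name__ == "__main__":
    print("4 keys:", absolutely_secret(PRIOR, FULL_KEYS))
    print("2 keys:", absolutely_secret(PRIOR, HALF_KEYS))
    print("Pr{x=00 / y=00} with 2 keys:", posterior(PRIOR, HALF_KEYS)[(0, 0)])
```

With only two keys, observing ciphertext 00 raises the probability of plaintext 00 from 1/2 to 4/5 and rules out plaintexts 01 and 10 entirely.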