CHAPTER 4 Cryptology
4.2. THE CAESAR CIPHER AND ITS VARIANTS 63 Exercises for §
EXERCISE 4.2.1. ROT13 was supposedly nice because it reduced the amount of coding which needed to be done: the same program would decrypt as the one which encrypts, since doing ROT13 a second time undoes the first ROT13’s transformation.
Is this true for other keyed Caesar ciphers? Make a conjecture about whether, given a Caesar cipher keyk ∈Zand a messagem, there always exists ann∈Nsuch that
ntimes
z }| {
eCk ◦ · · · ◦eCk(m) =m
where eC
k is the function which does the Caesar encryption with key k. If so, find an
expression for the smallest suchn, which depends (if necessary) onk,m, and the size of the alphabet in whichmis written.
EXERCISE 4.2.2. Continuing the previous exercise: Suppose now~k = (k1, . . . , kℓ)is
anℓ-tuple, forℓ∈N, of integersk1, . . . , kℓ ∈ZandeV~k is the Vigen`ere encryption function
with key~k. Find if for all messagesm, there exists ann ∈Nsuch that
ntimes
z }| {
e~kV ◦ · · · ◦eV~k(m) =m
and, if so, find an expression for the smallest such n, which depends (if necessary) on~k,
m, and the size of the alphabet in whichmis written.
EXERCISE 4.2.3. Suppose Eve has a twin Vev, and they are both looking at an inter- cepted ciphertextcsent by Alice to Bob. They think that those crazy lovebirds Alice and Bob have used a one-time pad to encrypt their communications, but Eve and Vev both do lots of calculations and think they have managed to correctly decryptc. Unfortunately, they have different (non-gibberish!) valuesme andmv which Eve and Vev, respectively, think
were the plaintext that Alice meant to send to Bob.
What must have been the one-time padspeandpvwhich they were somehow calculating
(or guessing) that Alice used for their respective encryptions?
Could they have come up with arbitrary proposed decryptionsme and mv, or is there
some relationship between the proposed decryptions, the proposed padspeandpv, the true
plaintext, and Alice’s actual one-time pad?
Work out a particular, concrete example: if Alice’s original cleartext messagem was
aardvark, would it be possible for Eve to think the message was me = iloveyou
while Vev thinks it is mv =ihateyou? If so, give an example of what would be the
corresponding ciphertextc, Alice and Bob’s one-time padpAB, the proposed decryptsme
4.3. First Steps into Cryptanalysis: Frequency Analysis
The Caesar cipher seems very weak. But looking at a ciphertext, such as
wrehruqrwwrehwkdwlvwkhtxhvwlrq zkhwkhuwlvqreohulqwkhplqgwrvxiihu wkhvolqjvdqgduurzvrirxwudjhrxviruwxqh ruwrwdnhdupvdjdlqvwdvhdriwurxeohv dqgebrssrvlqjhqgwkhp
it is hard to know where to start – this hardly seems to be English at all.
Perhaps we should start with the Caesar cipher itself, assuming (anachronistically) that Caesar was following Kerckhoff’s Principle, or that (more chronistically) spies had deter- mined the cryptosystem but not the key.
One thing we notice right away is that what we do not know, that key, is such a small thing to be giving us such trouble. In fact, if we tried a random choice of key, nearly four times out of 100 (using the modern “Latin alphabet” of 26 letters – in Caesar’s time, the actual Latin alphabet had only 23, so even better!) would, purely by dumb luck, give us a correct decryption. Formally, we are talking about
DEFINITION4.3.1. The set of all valid keys for some cryptosystem is called itskeyspace. EXAMPLE4.3.2. The keyspace of the Caesar cipher cryptosystem is the alphabet. EXAMPLE 4.3.3. The keyspace of the Vigen`ere cipher cryptosystem with a key length ofℓis all sequences ofℓletters in the alphabet; therefore, it hasNℓelements, if the alphabet
is of sizeN. If the precise key length is not known, but it is known to be less than or equal to some boundL∈N, then there arePLj=1Nj possible keys.
EXAMPLE4.3.4. Any sequence of letters of lengthM is a possible key (pad) for a one- time pad encryption of a message of lengthM. Therefore there areNM possible one-time
pads for a message of lengthM over an alphabet of sizeN.
We computed the sizes of these various keyspaces because one thing that seemed weak about the Caesar cipher was how small was its keyspace. In fact, a better strategy than simply guessing at random would be to try all possible keys – there are only 26 (or 23 in Julius’s time)! – and see which one gives the correct decryption. Such an approach is called a brute-force attack [or exhaustive search]. Even in Caesar’s time, the Caesar cipher keyspace is so small that Eve could check all possible keys and see which yielded the cleartext of a message from Alice to Bob.
Things are a little more difficult for the Vigen`ere cipher. For example, there are nearly 12 million keys to try if the key length is known to be five. Before the computer age, this would have been completely intractable. Even in the21stcentury, where it would be nearly instantaneous to human eyes for a computer to generate all of those possible decryption,